 Florian Roth
|
c93fd80482
|
Merge branch 'master' into rule-devel
|
2022-03-07 15:38:58 +01:00 |
|
|
Florian Roth
|
0d083039ab
|
refactor: new PPLDump imphashes
|
2022-03-07 15:38:53 +01:00 |
|
|
Florian Roth
|
b71417e807
|
refactor: more exact imphash matching
|
2022-03-07 12:03:32 +01:00 |
|
|
frack113
|
5d4035ea05
|
Fix contains
|
2022-03-06 20:50:19 +01:00 |
|
|
frack113
|
4db5798dd0
|
fix error
|
2022-03-06 20:43:34 +01:00 |
|
|
frack113
|
67189b6e51
|
refactor regex
|
2022-03-06 20:40:21 +01:00 |
|
|
frack113
|
793bf99c85
|
refactor regex
|
2022-03-06 20:15:32 +01:00 |
|
|
Florian Roth
|
97744dc9eb
|
Merge pull request #2777 from frack113/regex_clean
refactor: regex
|
2022-03-06 17:54:51 +01:00 |
|
|
Florian Roth
|
1b0c7cc3b9
|
Merge pull request #2776 from frack113/lolbas
Add lolbas rules
|
2022-03-06 17:54:18 +01:00 |
|
|
frack113
|
18bb388574
|
refactor: regex
|
2022-03-06 13:38:47 +01:00 |
|
|
frack113
|
d7b73be2c7
|
Add Missing CurrentDirectory filter
|
2022-03-06 13:22:30 +01:00 |
|
|
frack113
|
cb7a776623
|
Add lolbas rules
|
2022-03-06 12:10:51 +01:00 |
|
|
Florian Roth
|
a30ee0b37d
|
Merge branch 'master' into rule-devel
|
2022-03-05 12:39:13 +01:00 |
|
|
Florian Roth
|
a2031b7898
|
fix: condition with 1 of them
|
2022-03-05 12:39:04 +01:00 |
|
|
Florian Roth
|
2e2f4fbae5
|
Merge pull request #2773 from frack113/win11_office
Office Installation FP
|
2022-03-05 12:33:36 +01:00 |
|
|
Florian Roth
|
f07e1bb6f1
|
refactor: cobaltstrike beacon imphashes
|
2022-03-05 12:33:06 +01:00 |
|
|
frack113
|
b4de144862
|
Office Installation FP
|
2022-03-05 11:09:27 +01:00 |
|
|
Florian Roth
|
f3518f2521
|
rule: ntdll type redirect
|
2022-03-05 10:39:33 +01:00 |
|
|
Florian Roth
|
ec62ec6bbb
|
fix: values missed escaping
|
2022-03-05 10:39:15 +01:00 |
|
|
Florian Roth
|
9595cef06e
|
Merge pull request #2771 from SigmaHQ/rule-devel
Multiple adjustments in different rules
|
2022-03-05 09:57:12 +01:00 |
|
|
frack113
|
36e471dae6
|
Merge pull request #2767 from d4rk-d4nph3/master
Added rule for Gamaredon UltraVNC Execution
|
2022-03-04 20:59:35 +01:00 |
|
|
frack113
|
41f3db6e02
|
Merge pull request #2770 from frack113/fix_win11_fp
Fix FP new win11 installation
|
2022-03-04 20:57:06 +01:00 |
|
|
Florian Roth
|
8b29c2202c
|
rule: hacktool imphashes
|
2022-03-04 19:44:15 +01:00 |
|
|
Florian Roth
|
b90686251f
|
refactor: imphash adjustments
|
2022-03-04 19:43:58 +01:00 |
|
|
Florian Roth
|
85e2419436
|
fix: duplicate UUID
|
2022-03-04 17:12:31 +01:00 |
|
|
frack113
|
7922becd0b
|
Fix FP new install
|
2022-03-04 16:53:30 +01:00 |
|
|
Florian Roth
|
e57b952455
|
Merge branch 'master' into rule-devel
|
2022-03-04 16:34:52 +01:00 |
|
|
Florian Roth
|
05a9a910f4
|
rule: PowerShell Defender base64 MpPreference
|
2022-03-04 16:34:37 +01:00 |
|
|
Florian Roth
|
8012efa9b5
|
refactor: some adjustments
|
2022-03-04 16:34:15 +01:00 |
|
|
phantinuss
|
6c4d0c601b
|
fix: FP with Windows Defender ATP
|
2022-03-04 14:07:29 +01:00 |
|
|
phantinuss
|
4823d7943f
|
fix: exclude hotpotatoes FP
|
2022-03-04 14:07:29 +01:00 |
|
|
phantinuss
|
df48b60cb4
|
fix: FP with Datev SQL Server
|
2022-03-04 14:07:29 +01:00 |
|
|
phantinuss
|
324dca618b
|
fix: filter variant with double quotes
|
2022-03-04 14:07:28 +01:00 |
|
|
Bhabesh
|
d14784510f
|
Added rule for Gamaredon UltraVNC Execution
|
2022-03-04 15:40:33 +05:45 |
|
|
frack113
|
743f0974f9
|
Merge pull request #2766 from frack113/office2019
OfficeClickToRun FP
|
2022-03-04 06:30:31 +01:00 |
|
|
frack113
|
ee5e85a422
|
Merge pull request #2765 from frack113/win11_FP
Fix Windows11-Office FP
|
2022-03-04 06:30:17 +01:00 |
|
|
Florian Roth
|
eb06a6fdd1
|
Merge pull request #2764 from SigmaHQ/rule-devel
refactor: PowerShell Defender modifications
|
2022-03-03 23:29:08 +01:00 |
|
|
frack113
|
ea2b6d8a08
|
Update another command line of Get-WmiObject (gwmi)
|
2022-03-03 20:10:55 +01:00 |
|
|
frack113
|
59067a72d2
|
OfficeClickToRun FP
|
2022-03-03 19:45:03 +01:00 |
|
|
frack113
|
cc956f7dbf
|
Fix Windows11-Office FP
|
2022-03-03 15:20:53 +01:00 |
|
|
Florian Roth
|
b3b5b2cbdd
|
refactor: PowerShell Defender modifications
|
2022-03-03 13:53:06 +01:00 |
|
|
nNipsx
|
b43e37518e
|
update Author contribute
|
2022-03-03 14:34:13 +07:00 |
|
|
frack113
|
19ba2fe16c
|
Update posh_ps_detect_vm_env.yml
|
2022-03-03 08:12:01 +01:00 |
|
|
frack113
|
0649b5d6ea
|
Add proc_creation_win_fsutil_symlinkevaluation
|
2022-03-03 06:27:36 +01:00 |
|
|
frack113
|
53651cdd2f
|
Add Bits-Client rules
|
2022-03-03 06:27:00 +01:00 |
|
|
nNipsx
|
f57bb708bb
|
Update another command line of Get-WmiObject (gwmi)
|
2022-03-03 11:04:26 +07:00 |
|
|
Florian Roth
|
071bcc2923
|
Merge pull request #2761 from SigmaHQ/rule-devel
Minor changes, new PS downloader strings
|
2022-03-02 17:47:11 +01:00 |
|
|
phantinuss
|
b2d68616b5
|
fix: FPs with webex and temp assembly
|
2022-03-02 14:48:37 +01:00 |
|
|
phantinuss
|
952fb07d59
|
fix: remove Aurora filter out, no longer needed
|
2022-03-02 11:14:01 +01:00 |
|
|
Florian Roth
|
5e76089044
|
refactor: additional strings in powershell downloader rule
|
2022-03-02 11:01:28 +01:00 |
|