Author | Commit | Message | Date
Nasreddine Bencherchali | e43371ffcf | fix: small typos | 2023-01-04 17:51:34 +01:00
Nasreddine Bencherchali | 711ba956e3 | feat: updates and enhancements | 2023-01-04 17:49:32 +01:00
Nasreddine Bencherchali | 843506c9f0 | fix: update modified field | 2023-01-03 17:46:39 +01:00
Tim (Bobby-Tablez) Peck | 0391f127c4 | Update posh_pm_susp_invocation_generic.yml | 2023-01-03 09:38:26 -07:00
fukusuket | 9298295c15 | fix: remove invalid backslash escape | 2022-12-31 21:35:07 +09:00
Nasreddine Bencherchali | a25027fef8 | fix: rename links from old repo to SigmaHQ | 2022-12-27 21:05:16 +01:00
frack113 | 7060db3d47 | Promotion rules (#3821) | 2022-12-27 12:29:10 +01:00
    * Promotion rules
    * fix missing null
    * fix: modified date
    Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Nasreddine Bencherchali | 5232094c71 | fix: more fp found in testing and enhance fp metadata | 2022-12-13 11:25:23 +01:00
frack113 | 064132a5a8 | Merge pull request #3744 from fukusuket/refactor-remove-unnecessary-escape | 2022-12-03 09:36:09 +01:00
    refactor: remove unneeded escapes (in `|re` block)
frack113 | 0f3eefdc9c | Update title (#3746) | 2022-12-02 18:10:43 +01:00
    Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
fukusuket | ead6831b25 | update modified date. | 2022-12-02 21:57:37 +09:00
fukusuket | a05742b420 | refactor: remove unnecessary escape. | 2022-12-02 21:26:45 +09:00
fukusuket | 7b1d23621c | refactor: remove unnecessary escape. | 2022-12-02 20:17:39 +09:00
frack113 | a674ee246b | Update Title (#3739) | 2022-11-30 11:44:15 +01:00
Fukusuke Takahashi | 76fece654a | fix: explicitly escape { to make it clear that it is a literal (#3737) | 2022-11-30 11:43:49 +01:00
frack113 | c820216541 | Update Title (#3733) | 2022-11-28 06:43:17 +01:00
Nasreddine Bencherchali | 5ee9428e59 | Fix | 2022-11-03 09:39:48 +01:00
frack113 | 1e5ae09c4b | Order yaml field | 2022-10-26 09:43:39 +02:00
Nasreddine Bencherchali | bf9bfa9a97 | Add more FP filters | 2022-10-13 12:36:25 +02:00
Nasreddine Bencherchali | bf28e42f01 | Fix FP Found In Testing | 2022-10-10 17:33:14 +02:00
Nasreddine Bencherchali | 2c26614ce4 | Update Wildcard + Int to Str fields | 2022-10-05 23:15:20 +02:00
phantinuss | b7f20b884c | fix: FPs from new evtx-baseline | 2022-09-21 13:51:19 +02:00
Florian Roth | 968f0ae11f | Merge pull request #3508 from SigmaHQ/aurora-false-positive-fixing | 2022-09-18 13:24:07 +02:00
    fix: FPs noticed with Aurora
Florian Roth | 34d7ad03f7 | fix: FPs noticed with Aurora | 2022-09-18 12:54:37 +02:00
Borna Talebi | 4ede1b413f | Update reference | 2022-09-16 21:46:45 +04:30
Nasreddine Bencherchali | 238e0ecd7d | Update Ref+Selection | 2022-07-11 14:11:53 +01:00
Nasreddine Bencherchali | b26c28972d | Add missing definition fields and references | 2022-07-07 19:13:01 +01:00
Nasreddine Bencherchali | ce8ce2a91d | Removed related field | 2022-06-21 11:43:18 +01:00
    The rule referenced in the field doesn't exist
Florian Roth | 72de90d2aa | fix: FPs | 2022-06-20 12:52:23 +02:00
David ANDRE | 74b9f97b9c | Renamed suspicious in filenames to susp | 2022-05-19 09:37:04 +02:00
phantinuss | 6f92a11c02 | chore: test rules: check for all modifier with single item | 2022-05-11 11:06:09 +02:00
phantinuss | 112b715dd6 | chore: test rules: reactivate single value list check | 2022-05-10 17:13:04 +02:00
phantinuss | dbd68bf3f0 | chore: test rules: capitalization on FP list entries | 2022-05-09 16:07:44 +02:00
    Entries in the false positive list should begin with
    a capital letter, e.g. Unknown instead of unknown.
    Fixed the existing rules accordingly.
phantinuss | 13e31e8383 | fix: FPs found in win2022 domain controller baseline | 2022-04-21 10:48:59 +02:00
frack113 | becf3baeb4 | Merge pull request #2813 from phantinuss/master | 2022-03-17 14:31:27 +01:00
    Changes to falsepositives metadata
Florian Roth | 1099c5630e | rule: remote thread creation, get-addbaccount | 2022-03-16 15:21:01 +01:00
phantinuss | 043747822f | fix: more falsepositives harmonization | 2022-03-16 14:57:06 +01:00
phantinuss | 84d0c472ba | fix: remove penetration test as valid false positive reason | 2022-03-16 14:33:18 +01:00
phantinuss | b23eee6ebf | fix: unknown --> Unknown | 2022-03-16 13:43:54 +01:00
Tim Shelton | bda0f3cfe0 | FP on valid remote call of PowerShell Archive.psm1, maybe beneficial to filter all PowerShell modules in future | 2022-03-14 22:23:06 +00:00
frack113 | 5938569d3e | Refactor regex | 2022-03-08 19:07:37 +01:00
frack113 | 143f5fe4e2 | Fix yml | 2022-03-07 19:37:33 +01:00
frack113 | f9c0e21323 | Refactor regex | 2022-03-07 19:08:30 +01:00
frack113 | 464686e0c5 | add posh_pm_suspicious_reset_computermachinepassword | 2022-02-22 13:44:51 +01:00
Florian Roth | 35d4c8bc69 | fix: FPs noticed in THOR testing | 2022-02-21 10:15:27 +01:00
Florian Roth | 51bbe21c70 | fix: more Aurora FP fixes | 2022-02-16 17:16:50 +01:00
phantinuss | 646ce36809 | fix: use double quotes instead of ' because of ' in string | 2022-02-11 16:52:45 +01:00
phantinuss | 809f7abbb8 | fix: several FPs against a freshly installed Windows with example applications and basic user interaction 3 | 2022-02-11 16:38:52 +01:00
frack113 | 4631d0c482 | remove invalid tag | 2022-01-19 18:23:30 +01:00
frack113 | 6badb13114 | Rename powershell_module | 2022-01-15 10:38:27 +01:00