3b6100ccd9
Create Possible Manipulation Of Tokens on a Windows computers remotely Detected via impersonate ( #3803 )
...
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com >
2022-12-21 13:27:22 +01:00
f9d1eb1f2d
Update proc_creation_win_renamed_office_processes.yml
2022-12-21 09:18:06 +01:00
9372987801
fix: missing upper tick
...
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com >
2022-12-21 08:57:37 +01:00
7e7cbe41c3
docs: change modified date
2022-12-21 08:57:05 +01:00
beccf416da
feat: add two new rules
2022-12-20 23:44:44 +01:00
6679347fe3
fix: rename files to follow convention
2022-12-20 22:25:49 +01:00
68f1ce8b9e
Merge branch 'SigmaHQ:master' into nasbench-rule-devel
2022-12-20 22:24:56 +01:00
3f48eb4963
fix: selection name and add old path
2022-12-20 10:42:21 +01:00
de5345cfd2
fix: add permalink instead of master
2022-12-20 10:25:52 +01:00
22761ec2c3
fix: add missing id
2022-12-20 10:25:03 +01:00
ba52dc2aa8
T1539 Steal Web Session Cookie rules
...
Update existing rule and add one new rule related to Steal Web Session Cookie technique (T1539)
2022-12-19 23:20:13 -05:00
ba3e985bed
feat: multiple update and enhancements
2022-12-19 17:41:40 +01:00
025c1a4aae
fix: enhance logic and severity
2022-12-19 11:21:24 +01:00
9318c05751
fix: modify the detection and condtion
2022-12-19 15:00:00 +05:00
646351808e
Refractor ( #3794 )
...
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com >
2022-12-18 21:00:14 +01:00
41d841ada2
Merge pull request #3793 from nasbench/nasbench-rule-devel
...
feat: updates and enhancements
2022-12-18 18:48:06 +01:00
3f6bcb6cee
fix: fp found in testing
2022-12-18 15:07:47 +01:00
dbe3c80dd3
fix: fp found with baseline
2022-12-16 18:50:38 +01:00
b108c1189d
Merge pull request #3717 from redsand/fp_convert_guidcompress
...
FP: ignore calling function Convert-GuidToCompressedGuid, …
2022-12-16 18:44:44 +01:00
7ef1945ce5
Merge pull request #3791 from veramine/patch-6
...
Update proc_creation_win_rundll32_parent_explorer.yml
2022-12-16 18:43:54 +01:00
1e2cd1655e
fix: add more filters and update image field
2022-12-16 17:59:24 +01:00
c67960d162
fix: update logic
2022-12-16 17:46:35 +01:00
2b9048b6c8
fix: update detection logic
2022-12-16 17:09:34 +01:00
f0ff97be9b
fix: update description
2022-12-16 17:07:52 +01:00
3868dd91c6
feat: updates and enhancements
2022-12-16 16:52:12 +01:00
bfa5e4ecf5
Update rules/windows/process_creation/proc_creation_win_rundll32_parent_explorer.yml
...
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com >
2022-12-16 08:28:45 +01:00
b8503a0d40
Merge pull request #3790 from SigmaHQ/aurora-false-positive-fixing
...
Aurora false positive fixing
2022-12-16 00:34:21 +01:00
3b6403fc8a
Update proc_creation_win_rundll32_parent_explorer.yml
...
Remove the false positive of explorer.exe launching rundll32.exe to load a DLL already present on the system. The specific false positive case we encountered was "CommandLine": "\"C:\\Windows\\System32\\rundll32.exe\" C:\\Windows\\System32\\LogiLDA.dll,LogiFetch". The BumbleBee case loaded a DLL from the ISO so that should still be detected.
2022-12-15 14:54:46 -08:00
0b3a068327
fix: FP with NVIDIA driver installation
2022-12-15 18:00:07 +01:00
e2c8d8d6b5
Merge branch 'aurora-false-positive-fixing' of https://github.com/SigmaHQ/sigma into aurora-false-positive-fixing
2022-12-15 13:57:59 +01:00
0f9b2fff71
refactor: NotPetya rule
2022-12-15 13:57:56 +01:00
18132ed085
Merge pull request #3787 from nasbench/nasbench-rule-devel
...
feat: add type lolbin rule and update ldap etw rule
2022-12-15 06:30:43 +01:00
a2e818ddca
Merge pull request #3785 from veramine/patch-4
...
Add System to list of built-in Windows processes with no extension
2022-12-14 16:06:48 +01:00
d6d41c12d1
feat: new rule related to using type as lolbin
2022-12-14 15:37:46 +01:00
b41ba894e5
fix: rename rule to follow convention
2022-12-14 15:37:28 +01:00
be8338774c
Merge pull request #3784 from veramine/patch-3
...
Add System to list of built-in Windows processes
2022-12-14 13:21:12 +01:00
9af4c20912
Merge pull request #3783 from nasbench/nasbench-rule-devel
...
feat: updates and enhancements
2022-12-14 13:19:46 +01:00
a6a41eae8f
Removed System from CommandLine
2022-12-14 02:25:21 -08:00
6540ca0ed9
Update modified date
2022-12-14 02:13:53 -08:00
d8e29c80fa
fix: remove filter
2022-12-14 11:09:46 +01:00
a848537bac
fix: update commandline selection
2022-12-14 11:09:35 +01:00
8a529a14c0
Add System to list of built-in Windows processes with no extension
2022-12-14 02:08:30 -08:00
41fcd73fad
Add System to list of built-in Windows processes
2022-12-14 02:06:40 -08:00
287916fa8b
fix: update logic
2022-12-13 23:49:58 +01:00
fea413849b
Update proc_creation_win_susp_runonce_execution.yml
2022-12-13 11:12:55 -05:00
af3857b42f
Update proc_creation_win_susp_runonce_execution.yml
2022-12-13 10:27:21 -05:00
ad55efd25f
Update proc_creation_win_susp_runonce_execution.yml
...
Added coverage for a new procedure identified here: https://twitter.com/0gtweet/status/1602644163824156672?s=20&t=kuxbUnZPltpvFPZdCrqPXA
2022-12-13 09:50:43 -05:00
5232094c71
fix: more fp found in testing and enhance fp metadata
2022-12-13 11:25:23 +01:00
24d983a6a9
Merge pull request #3775 from danielgottt/patch-9
...
Create proc_creation_win_lolbin_setres.yml
2022-12-13 06:45:39 +01:00
aca5dccd7f
fix: change title
2022-12-13 00:01:46 +01:00
sai prashanth pulisetti