e73816bb22
fix: too many false positives with in-memory detection rule
2021-11-20 15:07:20 +01:00
15a4938294
fix: wrong condition
2021-11-20 15:05:06 +01:00
c7462832fe
fix: FPs with Wincred in log files
2021-11-20 15:03:11 +01:00
dfbaadf932
fix: FPs - extended filter
2021-11-20 13:01:24 +01:00
8271b04f80
fix: FPs with ISO mount rule
2021-11-20 12:46:50 +01:00
f1d2903ec2
fix: FPs with rules
2021-11-20 12:32:15 +01:00
6c040f0844
fix: more false positives
2021-11-20 12:00:18 +01:00
5b8b622658
fix: too many false positives with WMI Modules Loaded
2021-11-20 11:54:19 +01:00
1fffb57df0
fix: FPs with different rules
2021-11-20 11:33:43 +01:00
1cfca93354
Missing status in rules ( #2284 )
...
* add missing status
2021-11-19 22:32:26 +01:00
0c61c444eb
Merge pull request #2278 from zakibro/master
...
Adding New Linux Auditd rule - Data Exfil with Wget
2021-11-19 22:30:10 +01:00
13099ea9bf
Merge pull request #2279 from frack113/malware
...
Add sysmon_win_reg_persistence_recycle_bin.yml
2021-11-19 19:11:06 +01:00
264db60c5e
Merge pull request #2276 from phantinuss/master
...
Rule Fix: Paths with Quotes
2021-11-19 19:05:36 +01:00
19a303bcfb
Merge pull request #2282 from Karneades/exefile
...
Update shell open key rule
2021-11-19 17:40:35 +01:00
3b9c92e84f
Merge pull request #2274 from SigmaHQ/rule-devel
...
rule: SiteCore PreAuth RCE, Winrar; fix: FPs
2021-11-19 17:28:29 +01:00
a1dc685ea4
Add note regarding persistence in shell open rule
2021-11-19 16:18:25 +01:00
74eac016c8
Update date after shell open rule change
2021-11-19 16:17:21 +01:00
4acbb15713
Merge branch 'master' into rule-devel
2021-11-19 15:52:21 +01:00
79cf80fa6b
Update shell open key rule
...
* Make rule more generic regarding exefile detection instead of only naming it "uac bypass"
* Add further references and attack tags
2021-11-19 14:03:56 +01:00
3834048363
docs: extended false positive comment
2021-11-19 12:15:11 +01:00
86f7c2b9f9
fix: FPs with WMI module rule
2021-11-19 12:15:01 +01:00
5e96a5c151
Merge pull request #2275 from WojciechLesicki/master
...
Adding two more process, additional references, information about Cob…
2021-11-19 06:46:10 +01:00
8176d9b47e
Add sysmon_win_reg_persistence_recycle_bin.yml
2021-11-18 18:39:20 +01:00
87f64e28fd
Adding New Linux Auditd rule - Data Exfil with Wget
2021-11-18 18:03:17 +01:00
b91b43ad84
rule: Exchange CVE-2021-42321
2021-11-18 17:27:09 +01:00
ecc7181d6e
fix: FP with Windows Update Client LOLBIN rule
2021-11-18 13:34:55 +01:00
84476e1dd4
fix: prevent possible FPs from non-windows native calls using paths surrounded by quotes
2021-11-18 10:06:03 +01:00
7a2ce744f1
Merge pull request #2272 from frack113/wmi_FP
...
sysmon_wmi_module_load.yml add WMIC.exe
2021-11-18 06:36:39 +01:00
4b13ece931
Merge pull request #2270 from phantinuss/master
...
enhance emotet rundll32 execution pattern for current campaign
2021-11-18 06:35:11 +01:00
a6771d684b
Merge pull request #2269 from frack113/ntfs
...
Add correct provider_name
2021-11-18 06:32:01 +01:00
bc334ab456
Hawk backend support for wildcard in middle of string ( #2273 )
...
* updating yaml cfg for ms eventlog support
* update config and sigma backend, so that comments are not replaced, but rather the details of the record
* updating scriptblocktext to value
* adding a few missing ip address translations
* Fixing error when handling comparisons of null values, and additional fix of lack of support for not
* adding additional translations for missing category entries
* fixing error when handling list of ors with a not indicator
* finishes support for windows translations, pending qa
* adding dedupe feature and additional translation fix for dns-server
* adding image_loaded translation
* forced to pull back on the aggressive deduping, caused some inaccuracies
* adding more ux friendly formatting for regex
* adds support for wildcards in middle of strings
* adding a missing null check for supporting null matching
* adding cisco, av, and django cfg in yaml. updated apache in yaml and added another translation for ip_dport
2021-11-18 06:29:41 +01:00
9475d91afe
Merge pull request #2271 from vastlimits/feature/uberagent-compat-6.2
...
Updated uberAgent backend to support version 6.2.
2021-11-18 06:28:00 +01:00
ba053ea19b
Adding two more process, additional references, information about Cobalt Strike etc.
2021-11-17 22:37:23 +01:00
7dce83033b
rule: Winrar suspicious folder
2021-11-17 19:01:48 +01:00
c6564908ef
rule: Sitecore Pre-Auth RCE CVE-2021-42237
2021-11-17 19:01:35 +01:00
23220e7d78
Merge branch 'rule-devel' of https://github.com/SigmaHQ/sigma into rule-devel
2021-11-17 19:00:06 +01:00
a921bd5ec8
style: reordered rule layout
2021-11-17 18:59:40 +01:00
c71d9dba89
fix: false positive with WMI rule
2021-11-17 18:59:22 +01:00
0605a1c64e
add WMIC.exe
2021-11-17 16:37:27 +01:00
c09b1861ec
Merge branch 'SigmaHQ:master' into feature/uberagent-compat-6.2
2021-11-17 16:30:05 +01:00
0109694e26
enhance emotet rundll32 execution pattern for current campaign
2021-11-17 15:59:05 +01:00
dcfc9d562e
fix: more false positives
2021-11-17 10:27:02 +01:00
6a9313535c
Add correct provider_name
2021-11-17 06:59:57 +01:00
a96a8fbf43
Merge pull request #2268 from SigmaHQ/rule-devel
...
Fixing FPs with memory access rules, new rule for suspicious new Tasks
2021-11-17 00:10:22 +01:00
7d4e3fd2ed
fix: more false positive fixes
2021-11-16 23:27:00 +01:00
97bc8aa6f2
rule: suspicious write to system tasks
2021-11-16 17:30:47 +01:00
8d6d8c2c92
fix: several FPs
2021-11-16 17:30:23 +01:00
15c1616b6a
Merge pull request #2267 from SigmaHQ/rule-devel
...
fix: FPs in different rules
2021-11-16 16:15:41 +01:00
d29c353718
refactor: unnecessary filter
2021-11-16 13:47:41 +01:00
daff947d4b
refactor: fixes without CommandLine field in ImageLoad events
2021-11-16 13:46:15 +01:00
Florian Roth