Author | Commit | Message | Date
phantinuss | 6ae28b7a1c | fix: legitimate --> Legitimate | 2022-03-16 14:35:19 +01:00
phantinuss | 84d0c472ba | fix: remove penetration test as valid false positive reason | 2022-03-16 14:33:18 +01:00
phantinuss | 8d3f8acb60 | fix: none --> Unknown | 2022-03-16 14:19:21 +01:00
phantinuss | b23eee6ebf | fix: unknown --> Unknown | 2022-03-16 13:43:54 +01:00
Florian Roth | 306bb438e3 | CrackMapExec patterns | 2022-03-15 18:05:04 +01:00
frack113 | c5c72124b1 | WindowsUpdate FP | 2022-03-13 19:22:08 +01:00
Florian Roth | 52f2b7f966 | Merge pull request #2795 from SigmaHQ/rule-devel | 2022-03-11 20:56:06 +01:00
    refactor: lsass dump files names, new: NTDS.dit exfiltration activity
Florian Roth | c843293e47 | rules: NTDS.DIT exfiltration | 2022-03-11 18:14:09 +01:00
Florian Roth | 1c9fefc478 | refactor: add iocs to lsass dump files names | 2022-03-10 21:03:16 +01:00
frack113 | 3cb0640192 | Add file_event_win_susp_dropper | 2022-03-09 20:56:35 +01:00
phantinuss | b2d68616b5 | fix: FPs with webex and temp assembly | 2022-03-02 14:48:37 +01:00
frack113 | ec7319be21 | Name Normalization | 2022-02-27 07:39:46 +01:00
Florian Roth | d6d206d6d6 | rules: BlackByte rule update, and some generic rules | 2022-02-25 16:02:42 +01:00
Florian Roth | 41d5b87839 | Merge pull request #2722 from SigmaHQ/rule-devel | 2022-02-22 17:33:05 +01:00
    New rules and FP fixes
Florian Roth | 24ece0c60a | Merge branch 'master' into rule-devel | 2022-02-22 16:33:51 +01:00
Florian Roth | 3a40ea79d3 | fix: FPs noticed with Aurora | 2022-02-22 08:52:51 +01:00
Florian Roth | 921d46ca79 | fix: FPs noticed with Aurora | 2022-02-21 18:43:18 +01:00
Florian Roth | ab3f1f6e7d | refactor: extend values - sam rule | 2022-02-16 16:59:32 +01:00
frack113 | 171edbd1bc | Merge pull request #2694 from frack113/Red_20220213 | 2022-02-14 06:34:20 +01:00
    Windows Redcannary
frack113 | f288134b41 | Windows Redcannary | 2022-02-13 11:04:00 +01:00
frack113 | 7e3c088165 | Windows Redcannary | 2022-02-12 15:53:13 +01:00
Florian Roth | 891475dccb | Merge pull request #2684 from SigmaHQ/rule-devel | 2022-02-11 18:06:20 +01:00
    rules: SAM dump, suspicious program names, iso/img mount
Florian Roth | 0476b8693d | refactor: extended .iso rule | 2022-02-11 14:15:51 +01:00
Florian Roth | 3fa2d13e10 | rule: iso / img file mount | 2022-02-11 12:37:35 +01:00
Florian Roth | 8e255bfdaf | refactor: sam hive dump filename rule | 2022-02-11 12:16:40 +01:00
Florian Roth | e6989f9efb | rules: samdumps, suspicious program names | 2022-02-11 11:58:02 +01:00
phantinuss | 43bae23f23 | fix: several FPs against a freshly installed Windows with example applications and basic user interaction | 2022-02-09 17:47:22 +01:00
Tim Shelton | 913aac6695 | allow fp from wbengine | 2022-02-07 16:58:58 +00:00
Florian Roth | 80a552d28d | refactor: lsass dump filename IOC pattern | 2022-02-06 14:26:55 +01:00
Florian Roth | 0d27cf9681 | Merge pull request #2624 from SigmaHQ/rule-devel | 2022-01-31 16:38:58 +01:00
    Some TeamViewer rules
frack113 | 7ceb3968d8 | Update file_event_susp_teamviewer_remote_session.yml | 2022-01-31 06:24:02 +01:00
Florian Roth | c35973d6e7 | rule: TeamViewer remote session | 2022-01-30 22:26:13 +01:00
frack113 | 5b30db61b0 | Add windows redcannary rules | 2022-01-28 16:12:38 +01:00
frack113 | f1959f25d7 | Windows Redcannary | 2022-01-23 16:37:59 +01:00
Florian Roth | 7dabe5e7a8 | Merge pull request #2591 from frack113/colorcpl | 2022-01-21 17:47:52 +01:00
    add win_fe_susp_colorcpl
frack113 | 97f4bda4bc | add win_fe_susp_colorcpl | 2022-01-21 14:16:35 +01:00
frack113 | eb22807ddc | Order rules | 2022-01-20 22:06:55 +01:00
frack113 | 0ae1e37ac9 | Merge pull request #2586 from phantinuss/master | 2022-01-20 11:36:33 +01:00
    fix: typo unkown --> unknown
phantinuss | 26c1c23305 | fix: typo | 2022-01-20 10:45:30 +01:00
frack113 | 4631d0c482 | remove invalid tag | 2022-01-19 18:23:30 +01:00
frack113 | 5890c1bb20 | Fix logsource | 2022-01-16 08:56:51 +01:00
Florian Roth | 5e20552e4e | Merge pull request #2550 from phantinuss/master | 2022-01-13 21:05:16 +01:00
    feat: check for the existence of a description field
Florian Roth | f9f5b1fe45 | Merge pull request #2558 from SigmaHQ/rule-devel | 2022-01-13 21:01:37 +01:00
    A few more rules
phantinuss | b6d4e39538 | feat: check for the existence of a description field | 2022-01-12 12:55:49 +01:00
    it is not mandatory in the sigma standard but mandatory for this repository
Florian Roth | 09aaec8ed2 | rules: ntds.dit write, minimized msedge | 2022-01-12 11:32:12 +01:00
frack113 | 7b77be3453 | Fix condition | 2022-01-11 20:51:57 +01:00
Florian Roth | 430f561321 | Merge pull request #2542 from redsand/new_cscript_wscript_dropper_using_file_event | 2022-01-11 17:59:48 +01:00
    New signature to detect cscript/wscript dropper using the sysmon file event
Tim Shelton | 0d553a832b | updating condition per @frack113 preference | 2022-01-11 14:59:47 +00:00
Florian Roth | 11164849b3 | Merge pull request #2543 from SigmaHQ/rule-devel | 2022-01-11 12:44:03 +01:00
    Several new rules and some fixes
Florian Roth | e055ec1d52 | refactor: change all " of them" expressions | 2022-01-11 10:59:57 +01:00