 Florian Roth
|
8aec4e6d9e
|
Merge pull request #2462 from Karneades/patch-1
Move winrm rule to process creation
|
2021-12-17 23:57:53 +01:00 |
|
|
Florian Roth
|
4cdb23598f
|
Merge branch 'master' into master
|
2021-12-17 17:46:05 +01:00 |
|
|
Andreas Hunkeler
|
55c83e31c2
|
rule: add new rule for java spawning suspicious binaries
|
2021-12-17 17:40:38 +01:00 |
|
|
Andreas Hunkeler
|
9ecacdaeea
|
Move winrm rule to process creation
|
2021-12-17 17:31:06 +01:00 |
|
|
Florian Roth
|
a7b1ab0073
|
fix: bug in rule
|
2021-12-17 16:30:37 +01:00 |
|
|
Florian Roth
|
d0d9e74313
|
fix: FP noticed with Aurora
|
2021-12-17 12:32:48 +01:00 |
|
|
Florian Roth
|
a3220ab72b
|
Merge branch 'master' into aurora-false-positive-fixing
|
2021-12-17 12:32:14 +01:00 |
|
|
Florian Roth
|
c7c4130c04
|
Update sysmon_alternate_powershell_hosts_pipe.yml
|
2021-12-17 12:31:08 +01:00 |
|
|
phantinuss
|
1c789bd080
|
fix: FP in Aviar installer
|
2021-12-17 09:20:21 +01:00 |
|
|
frack113
|
ab450e5782
|
Merge pull request #2458 from frack113/redcanary_20211216
Windows Redcanary T1518.001 discovery
|
2021-12-16 22:47:23 +01:00 |
|
|
frack113
|
4db3b63527
|
Merge pull request #2457 from frack113/aurora_fp_update
Aurora fp update
|
2021-12-16 22:45:47 +01:00 |
|
|
frack113
|
b368d036cf
|
change level to medium
|
2021-12-16 22:44:45 +01:00 |
|
|
Florian Roth
|
d88f6b2208
|
Merge pull request #2459 from SigmaHQ/aurora-false-positive-fixing
fix: FPs noticed with Aurora
|
2021-12-16 20:34:30 +01:00 |
|
|
Florian Roth
|
84e5d60bbc
|
fix: FPs noticed with Aurora
|
2021-12-16 19:54:22 +01:00 |
|
|
frack113
|
605ec35109
|
fix space
|
2021-12-16 10:41:07 +01:00 |
|
|
frack113
|
d7e9dccdbe
|
Windows redcannary
|
2021-12-16 10:32:45 +01:00 |
|
|
frack113
|
73ee94d46b
|
Fix aurora FP
|
2021-12-16 09:50:28 +01:00 |
|
|
frack113
|
372023d3c0
|
Fix aurora FP
|
2021-12-16 09:45:50 +01:00 |
|
|
frack113
|
426d8193ad
|
Windows redcannary
|
2021-12-15 19:36:16 +01:00 |
|
|
frack113
|
4f866f8da3
|
fix detection
|
2021-12-15 10:04:37 +01:00 |
|
|
frack113
|
8908c4ca8e
|
Add win_vul_cve_2021_42278_or_cve_2021_42287
|
2021-12-15 09:32:39 +01:00 |
|
|
frack113
|
93c5d8b361
|
Add win_vul_cve_2021_42278_or_cve_2021-42287
|
2021-12-15 09:24:23 +01:00 |
|
|
Max Altgelt
|
7fea25085f
|
fix: correct FP filter
|
2021-12-14 16:03:50 +01:00 |
|
|
frack113
|
c4f4397174
|
Merge pull request #2451 from frack113/aurora_fp
Fix FP
|
2021-12-14 09:32:51 +01:00 |
|
|
frack113
|
e100668ecf
|
Merge pull request #2450 from frack113/redcannary
Windows redcannary
|
2021-12-14 09:31:51 +01:00 |
|
|
frack113
|
ac28a89258
|
Merge pull request #2448 from frack113/T1217
Windows redcannay T1217
|
2021-12-14 09:31:32 +01:00 |
|
|
frack113
|
0dc0fe5903
|
Fix FP
|
2021-12-13 20:19:15 +01:00 |
|
|
frack113
|
f8d4d23be5
|
Windows redcannary
|
2021-12-13 18:52:17 +01:00 |
|
|
Florian Roth
|
3a30d19cfd
|
Merge pull request #2447 from SigmaHQ/rule-devel
fix: FP with proc creation Image non .exe suffix
|
2021-12-13 14:03:41 +01:00 |
|
|
frack113
|
37f1938a4a
|
Rename powershell_ps_get_childitem_bookmarks
|
2021-12-13 12:04:00 +01:00 |
|
|
Florian Roth
|
cd63ce23ff
|
fix: FP with proc creation Image non .exe suffix
|
2021-12-13 11:44:29 +01:00 |
|
|
frack113
|
6115eeda62
|
windows redcanary t1217
|
2021-12-13 11:02:33 +01:00 |
|
|
frack113
|
c358747cb2
|
Merge pull request #2439 from frack113/T1069_001
Windows Redcannary T1069 001
|
2021-12-13 09:24:08 +01:00 |
|
|
Florian Roth
|
2f43e6815b
|
Merge pull request #2440 from SigmaHQ/aurora-false-positive-fixing
fix: FPs noticed with Aurora
|
2021-12-12 14:20:09 +01:00 |
|
|
Florian Roth
|
c6819861c9
|
fix: FPs noticed with Aurora
|
2021-12-12 13:09:27 +01:00 |
|
|
frack113
|
97580d4fa1
|
fix space
|
2021-12-12 12:25:05 +01:00 |
|
|
frack113
|
221f479825
|
Windows Redcannay T1069.001
|
2021-12-12 12:15:27 +01:00 |
|
|
frack113
|
f956cd0c14
|
Merge pull request #2435 from redsand/fp_cylance_adsi_cache
Adding allow for cylance when detecting adsi cache abuse
|
2021-12-12 12:08:25 +01:00 |
|
|
frack113
|
12e7174a04
|
Update sysmon_susp_adsi_cache_usage.yml
|
2021-12-12 11:29:44 +01:00 |
|
|
frack113
|
d45dc2eaf3
|
Merge pull request #2434 from frack113/T1049
Windows T1049 RedCannary
|
2021-12-12 11:28:23 +01:00 |
|
|
Tim Shelton
|
e7e456d1a5
|
Adding allow for cylance
|
2021-12-11 19:23:12 +00:00 |
|
|
Florian Roth
|
074c6b1714
|
Merge pull request #2423 from redsand/detect_net_use_password_plaintext
Detect net use password plaintext
|
2021-12-11 15:25:06 +01:00 |
|
|
frack113
|
2b6c8ff02c
|
Merge pull request #2431 from frack113/ft_aurora
FP perfmon.exe to sysmon_cred_dump_lsass_access.yml
|
2021-12-11 12:29:12 +01:00 |
|
|
frack113
|
c91a4a1a75
|
Merge pull request #2430 from frack113/windows_t1046
Add windows t1046 rules
|
2021-12-11 12:28:47 +01:00 |
|
|
frack113
|
c53740296c
|
Fix title
|
2021-12-11 10:26:47 +01:00 |
|
|
frack113
|
dc1af19336
|
Add win_pc_susp_tasklist_command
|
2021-12-11 10:20:21 +01:00 |
|
|
frack113
|
ee67779811
|
Windows T1049 RedCannary
|
2021-12-11 09:38:20 +01:00 |
|
|
frack113
|
58063d1113
|
FP add perfmon.exe
|
2021-12-10 19:19:55 +01:00 |
|
|
Tim Shelton
|
b41471ed6b
|
adds space to detect between : (drive argument) and \\ (network share path)
|
2021-12-10 18:10:37 +00:00 |
|
|
frack113
|
904fb9181e
|
Add windows t1046 rules
|
2021-12-10 16:31:16 +01:00 |
|