a2031b7898  2022-03-05 12:39:04 +01:00  Florian Roth  fix: condition with 1 of them
2e2f4fbae5  2022-03-05 12:33:36 +01:00  Florian Roth  Merge pull request #2773 from frack113/win11_office
                                                       Office Installation FP
f07e1bb6f1  2022-03-05 12:33:06 +01:00  Florian Roth  refactor: cobaltstrike beacon imphashes
b4de144862  2022-03-05 11:09:27 +01:00  frack113      Office Installation FP
f3518f2521  2022-03-05 10:39:33 +01:00  Florian Roth  rule: ntdll type redirect
ec62ec6bbb  2022-03-05 10:39:15 +01:00  Florian Roth  fix: values missed escaping
9595cef06e  2022-03-05 09:57:12 +01:00  Florian Roth  Merge pull request #2771 from SigmaHQ/rule-devel
                                                       Multiple adjustments in different rules
36e471dae6  2022-03-04 20:59:35 +01:00  frack113      Merge pull request #2767 from d4rk-d4nph3/master
                                                       Added rule for Gamaredon UltraVNC Execution
41f3db6e02  2022-03-04 20:57:06 +01:00  frack113      Merge pull request #2770 from frack113/fix_win11_fp
                                                       Fix FP new win11 installation
8b29c2202c  2022-03-04 19:44:15 +01:00  Florian Roth  rule: hacktool imphashes
b90686251f  2022-03-04 19:43:58 +01:00  Florian Roth  refactor: imphash adjustments
85e2419436  2022-03-04 17:12:31 +01:00  Florian Roth  fix: duplicate UUID
7922becd0b  2022-03-04 16:53:30 +01:00  frack113      Fix FP new install
e57b952455  2022-03-04 16:34:52 +01:00  Florian Roth  Merge branch 'master' into rule-devel
05a9a910f4  2022-03-04 16:34:37 +01:00  Florian Roth  rule: PowerShell Defender base64 MpPreference
8012efa9b5  2022-03-04 16:34:15 +01:00  Florian Roth  refactor: some adjustments
6c4d0c601b  2022-03-04 14:07:29 +01:00  phantinuss    fix: FP with Windows Defender ATP
4823d7943f  2022-03-04 14:07:29 +01:00  phantinuss    fix: exclude hotpotatoes FP
df48b60cb4  2022-03-04 14:07:29 +01:00  phantinuss    fix: FP with Datev SQL Server
324dca618b  2022-03-04 14:07:28 +01:00  phantinuss    fix: filter variant with double quotes
d14784510f  2022-03-04 15:40:33 +05:45  Bhabesh       Added rule for Gamaredon UltraVNC Execution
743f0974f9  2022-03-04 06:30:31 +01:00  frack113      Merge pull request #2766 from frack113/office2019
                                                       OfficeClickToRun FP
ee5e85a422  2022-03-04 06:30:17 +01:00  frack113      Merge pull request #2765 from frack113/win11_FP
                                                       Fix Windows11-Office FP
eb06a6fdd1  2022-03-03 23:29:08 +01:00  Florian Roth  Merge pull request #2764 from SigmaHQ/rule-devel
                                                       refactor: PowerShell Defender modifications
ea2b6d8a08  2022-03-03 20:10:55 +01:00  frack113      Update another command line of Get-WmiObject (gwmi)
59067a72d2  2022-03-03 19:45:03 +01:00  frack113      OfficeClickToRun FP
cc956f7dbf  2022-03-03 15:20:53 +01:00  frack113      Fix Windows11-Office FP
b3b5b2cbdd  2022-03-03 13:53:06 +01:00  Florian Roth  refactor: PowerShell Defender modifications
b43e37518e  2022-03-03 14:34:13 +07:00  nNipsx        update Author contribute
19ba2fe16c  2022-03-03 08:12:01 +01:00  frack113      Update posh_ps_detect_vm_env.yml
0649b5d6ea  2022-03-03 06:27:36 +01:00  frack113      Add proc_creation_win_fsutil_symlinkevaluation
53651cdd2f  2022-03-03 06:27:00 +01:00  frack113      Add Bits-Client rules
f57bb708bb  2022-03-03 11:04:26 +07:00  nNipsx        Update another command line of Get-WmiObject (gwmi)
cffc027c33  2022-03-02 17:35:41 +00:00  Tim Shelton   fixing format
9c6fb23480  2022-03-02 17:33:09 +00:00  Tim Shelton   fixing field names
8e35e2adc7  2022-03-02 17:19:57 +00:00  Tim Shelton   Adding false positive filters for tenable nessus and amazon workspace
071bcc2923  2022-03-02 17:47:11 +01:00  Florian Roth  Merge pull request #2761 from SigmaHQ/rule-devel
                                                       Minor changes, new PS downloader strings
b2d68616b5  2022-03-02 14:48:37 +01:00  phantinuss    fix: FPs with webex and temp assembly
952fb07d59  2022-03-02 11:14:01 +01:00  phantinuss    fix: remove Aurora filter out, no longer needed
5e76089044  2022-03-02 11:01:28 +01:00  Florian Roth  refactor: additional strings in powershell downloader rule
3701bdfdbf  2022-03-02 10:37:36 +01:00  phantinuss    new rules: Base64 encoded keywords detected by Raccine
c2a583a950  2022-03-02 10:36:07 +01:00  phantinuss    fix: exclude more Teams Addin variants
1435171490  2022-03-01 16:02:22 +01:00  Florian Roth  docs: minor changes to rules
81e3c105d2  2022-02-28 17:50:32 +01:00  phantinuss    fix: trigger also by selection3
b1fc8b3641  2022-02-28 17:50:32 +01:00  phantinuss    fix: Image casing
3c5535ae41  2022-02-28 17:50:30 +01:00  phantinuss    fix: triggering on legitimate diskpart.exe usage
313b4d7ca9  2022-02-28 14:42:56 +01:00  Florian Roth  rule: PowerShell downloader patterns
25b414ea09  2022-02-28 13:12:46 +01:00  Florian Roth  refactor: separating Outlook.exe from other Office processes
1eedcc3659  2022-02-27 19:01:39 +01:00  Florian Roth  fix: FPs with MalwareBytes software
7fb8272f94  2022-02-27 10:58:14 +01:00  frack113      Name Normalization