a1cb805913
Adding filter for java tasktop
2022-03-17 17:23:06 +00:00
829409d29a
Redcannary
2022-03-17 16:48:41 +01:00
becf3baeb4
Merge pull request #2813 from phantinuss/master
...
Changes to falsepositives metadata
2022-03-17 14:31:27 +01:00
6da13f19a6
fix registry FP
2022-03-17 14:26:12 +01:00
55afc660ea
Merge pull request #2817 from FortiSIEM/master
...
Support FortiSIEM
2022-03-16 22:45:39 +01:00
c37ae60cff
Merge branch 'master' into master
2022-03-16 16:29:34 -05:00
c4f6fedb46
Merge pull request #2816 from redsand/fp_antivirus_symantec_file_print_driver
...
Filtering of symantec submission for analysis
2022-03-16 22:29:00 +01:00
6d6e69b672
Merge pull request #2818 from redsand/hawk_publish
...
Merging latest changes for HAWK.IO
2022-03-16 22:28:28 +01:00
3c864286be
Update fortisiem-windows.yml
...
Removed duplicate title
2022-03-16 16:14:38 -05:00
eefd026037
Merging latest changes for HAWK.IO
2022-03-16 20:26:49 +00:00
c58f3d0351
Filtering of symantec submission for analysis
2022-03-16 19:07:15 +00:00
1ab03bd9f8
Merge pull request #2815 from SigmaHQ/rule-devel
...
rule: remote thread creation, rule: get-addbaccount
2022-03-16 18:47:03 +01:00
bd8306cd28
Merge pull request #2814 from SigmaHQ/aurora-false-positive-fixing
...
fix: sadly still too many fps with this rule
2022-03-16 18:15:23 +01:00
bb7efbc544
Merge pull request #1 from AccelOps/master
...
Merge Code from AccelOps sigma
2022-03-16 10:08:58 -07:00
37ef85ffa6
Merge pull request #1 from FortiSIEM/master
...
Merge code to FortiSIEM from AccelOps
2022-03-16 10:02:23 -07:00
39811e1405
refactor: uppercase values, DropLoader imphash
2022-03-16 17:56:55 +01:00
16cac67751
fix: indentation
2022-03-16 15:35:54 +01:00
426b3a0906
Merge pull request #2796 from d4rk-d4nph3/master
...
Added rule for shellcode injection by Metasploit and Empire
2022-03-16 15:34:03 +01:00
141355a8b8
Merge pull request #2811 from pljoel/tools-mitre-v10
...
Update MITRE ATT&CK tools to v10.1 with Groups and Software
2022-03-16 15:32:48 +01:00
4445ea6baf
fix: sadly still too many fps with this rule
2022-03-16 15:21:27 +01:00
1099c5630e
rule: remote thread creation, get-addbaccount
2022-03-16 15:21:01 +01:00
043747822f
fix: more falsepositives harmonization
2022-03-16 14:57:06 +01:00
6ae28b7a1c
fix: legitimate --> Legitimate
2022-03-16 14:35:19 +01:00
84d0c472ba
fix: remove penetration test as valid false positive reason
2022-03-16 14:33:18 +01:00
8d3f8acb60
fix: none --> Unknown
2022-03-16 14:19:21 +01:00
9b82e099a3
fix: unlikely --> Unlikely
2022-03-16 14:16:10 +01:00
4585133325
fix: remove penetration testing as a valid false positive
2022-03-16 13:51:26 +01:00
b23eee6ebf
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
7177e32e5e
fix: issues with new sources in old THOR versions
2022-03-16 12:52:15 +01:00
8acf6431f5
Merge pull request #2809 from SigmaHQ/rule-devel
...
CrackMapExec patterns, minor addition to ncat rule, rar rule adjusted
2022-03-16 11:25:10 +01:00
4d2a4b74cd
Merge pull request #2808 from SigmaHQ/aurora-false-positive-fixing
...
Aurora false positive fixing
2022-03-16 09:58:21 +01:00
0e1945beaa
refactor: rar usage w password & compression level
2022-03-16 09:57:45 +01:00
761e1a3dd9
Merge pull request #2812 from SigmaHQ/pysigma-tests
...
Replaced sigmatools tests with sigma-cli check
2022-03-16 07:56:01 +01:00
125359cfbc
Merge pull request #2810 from SigmaHQ/fix
...
Fixes
2022-03-16 07:29:24 +01:00
d1afed9f66
Update MITRE ATT&CK tactics and techniques to v10.1. Added fields. Created files for groups and software.
2022-03-15 22:41:46 -04:00
2d44696464
Replaced sigmatools tests with sigma-cli check
2022-03-16 00:19:16 +01:00
dd9b41453b
Fixed faulty optimization by removal
...
Fixes #2806
2022-03-15 23:55:13 +01:00
f022b087e0
Fixed date format in rule
2022-03-15 23:31:14 +01:00
d559847b05
Merge pull request #2807 from pH-T/master
...
New Rule: Scheduled Task Executing Powershell Encoded Payload from Registry
2022-03-15 18:33:20 +01:00
c818e00fc2
Merge branch 'master' into aurora-false-positive-fixing
2022-03-15 18:07:13 +01:00
b2cdb92b11
fix: FPs with THOR
2022-03-15 18:05:42 +01:00
a10561e084
ncat pattern
2022-03-15 18:05:13 +01:00
306bb438e3
CrackMapExec patterns
2022-03-15 18:05:04 +01:00
87600161bf
new rule from thedfirreport.com
2022-03-15 16:39:12 +01:00
3b09f1c9da
new rule from thedfirreport.com
2022-03-15 16:38:27 +01:00
20125d87c2
new rule from thedfirreport.com
2022-03-15 16:36:57 +01:00
df0d93baa0
Merge pull request #2805 from ionsor/patch-4
...
Update win_dcsync.yml
2022-03-15 16:02:17 +01:00
dd5e10c2f5
Merge pull request #2803 from redsand/fp_remote_powershell_valid_call_ms_archive
...
FP on valid remote call of Powershell Archive.psm1, maybe beneficial …
2022-03-15 12:53:40 +01:00
f2e7d60b9c
Merge pull request #2804 from secDre4mer/master
...
feat: Add log sources for process listing within THOR
2022-03-15 12:53:08 +01:00
8014c477cd
Update win_dcsync.yml
...
Added a more detailed source on this detection.
Also included the AccessMask corresponding to “control access” that is specifically registered when access is allowed following extended rights verification (typically associated with the use of high level and explicit permissions that are required to initiate the DCSync attack) as is described in the Black Landern Security blog post.
Added 3 other GUIDs that corresponds to:
1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 - DS-Replication-Get-Changes
9923a32a-3607-11d2-b9be-0000f87a36b2 - DS-Install-Replica
89e95b76-444d-4c62-991a-0facbeda640c - DS-Replication-Get-Changes-In-Filtered-Set
2022-03-15 12:37:07 +01:00
Tim Shelton