95793d73bd
Merge PR #4482 From @nasbench - Add New Automation Workflows
...
chore: update workflows and add quality of life updates and automation to the repository
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com >
2023-10-18 11:53:44 +02:00
79bce2c04e
Merge PR #4484 From @phantinuss - Fix FP Found In Testing
...
fix: Direct Syscall of NtOpenProcess - falsepositives meta data
fix: Potential Shellcode Injection - remove System.ni.dll as there are multiple FPs with ntdll.dll
fix: Suspicious Shim Database Installation via Sdbinst.EXE - FP with another sdbinst execution by svchost
2023-10-17 17:01:34 +02:00
020fc8061f
Merge PR #4479 From @frack113 - Upgrade Rules Status
...
chore: Upgrade status level from `experimental` to `test` for rules that have not changed in 300 days
---------
Signed-off-by: frack113 <62423083+frack113@users.noreply.github.com >
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com >
2023-10-17 14:35:26 +02:00
2f9b90584c
Merge PR #4476 From @phantinuss - Fix False Positives Found In Testing
...
fix: Potentially Suspicious AccessMask Requested From LSASS - FP with Avira from Windows temp folder
fix: Direct Syscall of NtOpenProcess - FP with another Firefox process and removing drive letters
fix: Control Panel Items - FP with command line observed from taskhost.exe
fix: Rundll32 Execution Without DLL File - remove non-essential ParentCommandLine dependency in filter
fix: Schtasks Creation Or Modification With SYSTEM Privileges - remove non-essential ParentImage dependency in filter
fix: Suspicious Elevated System Shell - remove non-essential ParentImage dependency in filter
fix: Suspicious Elevated System Shell - FP with Avira update utility
fix: Execution of Suspicious File Type Extension - FP with OpenOffice
---------
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com >
2023-10-12 12:47:45 +02:00
cda0fbff62
fix:F multiple 404 links in references ( #4332 )
2023-06-26 10:10:04 +01:00
6c4408ddff
chore: fix typo of lowercase Windows in description
2023-06-21 09:52:43 +02:00
73c8c9d0a7
fix: rule using old wildcard char
2023-05-18 12:30:29 +02:00
bbf1e54510
fix: apply suggestions from code review
...
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com >
2023-05-09 16:04:24 +02:00
6f659d1c1a
fix: fp found in testing
2023-05-05 12:24:54 +02:00
adb0a1ce1d
fix: typo in field
2023-04-26 13:22:01 +02:00
d024f971de
fix: apply suggestions from code review
2023-04-25 11:18:59 +02:00
ab6f4848ff
fix: FP found in testing environment
2023-04-25 11:07:41 +02:00
2710bf4710
feat: new rules, updates and fp fixes ( #4162 )
2023-04-11 13:04:22 +02:00
3d9372bef3
feat: new rules, updates and fp fixes ( #4136 )
2023-04-03 12:06:14 +02:00
07956e26e9
fix: remove version number
...
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com >
2023-03-23 12:11:29 +01:00
0ccef7822e
fix: fp found in testing
2023-03-22 20:31:33 +01:00
d36f7e9819
fix: fp found in testing
2023-03-14 23:58:04 +01:00
31a5c08480
fix: reduce author set
2023-02-01 14:34:46 +01:00
7c38a5c496
chore: add nextron authors tag
2023-02-01 11:14:59 +01:00
e6c155442f
feat: multiple updates and enhancements
2023-01-30 20:02:45 +01:00
5087b95155
Merge remote-tracking branch 'upstream/master' into pormotion_status
2023-01-27 11:29:27 +01:00
1033b3f404
change status to test
2023-01-27 06:48:34 +01:00
725c5ba420
fix: fp found in testing
2023-01-25 16:54:11 +01:00
d2575eff64
fix: fp with lsass access rule
...
- Add new filters
- Reorder and rename some filter for clarity
2023-01-25 13:08:20 +01:00
690af599ba
fix: fp with invoke patchingapi rule
2023-01-25 12:54:29 +01:00
231e87e316
fix: FP in testing environment
2023-01-23 12:05:28 +01:00
ef0c3d35c4
fix: filter fp found in testing
2023-01-20 11:39:08 +01:00
df6d6107fc
fix: FP found in testing environment
2023-01-19 16:49:12 +01:00
02e4a5112d
fix: fp found in testing
2023-01-18 18:41:07 +01:00
f4d4526d0f
fix: fp found in testing
2023-01-11 20:05:55 +01:00
b0e3bb5d28
fix: broken condition
2023-01-10 00:33:38 +01:00
81f75c1d2e
feat: updates and enhancements
2023-01-10 00:13:37 +01:00
f08f3706f7
Update proc_access_win_invoke_patchingapi.yml
2023-01-07 13:04:57 +01:00
69dbdc2a34
fix: apply suggestions from code review
2023-01-07 13:03:21 +01:00
24264407d9
Update detection
2023-01-07 12:32:27 +01:00
4dbfebf65c
Add proc_access_win_invoke_patchingapi
2023-01-07 10:35:28 +01:00
1ab7324ca0
fix: remove unneeded double backslash escape ( #3844 )
2022-12-31 08:32:46 +01:00
07cc91719c
fix: enhance selection
2022-12-29 17:14:21 +01:00
bc5ed3e453
fix: Discord FP
2022-12-28 20:39:26 +01:00
737eacc671
Merge branch 'master' into aurora-false-positive-fixing
2022-12-28 13:28:56 +01:00
9ea8b2e2c1
fix: Discord FP
2022-12-28 13:28:45 +01:00
03cc78e916
feat: filename test enhancements ( #3812 )
2022-12-23 09:25:16 +01:00
7679d05706
fix: fp found in testing exchange server
2022-12-20 13:23:32 +01:00
646351808e
Refractor ( #3794 )
...
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com >
2022-12-18 21:00:14 +01:00
3868dd91c6
feat: updates and enhancements
2022-12-16 16:52:12 +01:00
2b769fcfc8
fix: missing modified date update
2022-12-05 19:58:10 +01:00
1796502b90
fix: FPs noticed in Nextron testing CI
2022-12-05 17:39:42 +01:00
11ce8a1e5b
fix: deprecate 5f113a8f-8b61-41ca-b90f-d374fa7e4a39
2022-11-15 22:56:51 +01:00
0fb1295157
fix: FPs noticed with Aurora
2022-11-13 20:26:03 +01:00
bd30f75335
Update proc_access_win_in_memory_assembly_execution.yml
2022-11-03 11:19:09 +01:00
Nasreddine Bencherchali