ff6384aabb
Merge pull request #3262 from redsand/improvement_add_additional_useragent
...
Feature improvement to add an additional known user agent seen in the…
2022-07-22 21:07:03 +02:00
8f36f332fc
Merge pull request #3264 from nasbench/persistence-methods
...
New Persistence Rules
2022-07-22 10:01:46 +02:00
d31c47e79a
exclude changes by legitimate programs
2022-07-22 08:15:42 +02:00
5cd2eaff99
Merge pull request #3260 from greg-workspace/master
...
Detect RipZip attack
2022-07-22 08:12:41 +02:00
eaa8167052
Fix FP
2022-07-21 22:23:11 +01:00
2d28590ec3
Update registry_set_sip_persistence.yml
2022-07-21 21:50:46 +01:00
16bcfd1c8b
Fix FP
2022-07-21 21:46:34 +01:00
4fa86ca772
Update registry_set_mpnotify_persistence.yml
2022-07-21 21:25:14 +01:00
f1673d13a6
Update proc_creation_win_susp_psexex_paexec_escalate_system.yml
2022-07-21 21:24:16 +01:00
ee2dd212a7
Update registry_set_ifilter_persistence.yml
2022-07-21 21:22:53 +01:00
4e9e5450eb
Update proc_creation_win_susp_psexex_paexec_escalate_system.yml
2022-07-21 21:20:25 +01:00
a949fecb1c
Persistence Rules
2022-07-21 21:13:10 +01:00
f71504fb3f
Merge pull request #3261 from SigmaHQ/rule-devel
...
Some rule improvements
2022-07-21 21:34:09 +02:00
3c015a9c78
Feature improvement to add an additional known user agent seen in the wild.
2022-07-21 19:28:10 +00:00
7858d5e841
Merge pull request #3244 from frack113/icacls_deny
...
Add proc_creation_win_icacls_deny
2022-07-21 18:19:51 +02:00
a906dd89cb
refactor: rewritten RipZip rule
2022-07-21 18:19:07 +02:00
9fb737612f
Merge branch 'master' into rule-devel
2022-07-21 18:16:34 +02:00
b3dd9f51f0
some rule improvements
2022-07-21 18:16:22 +02:00
63963a9014
Merge pull request #3254 from nasbench/cve_2022_33891
...
Create web_cve_2022_33891_spark_rce.yml
2022-07-21 18:13:39 +02:00
de4dd20a82
Update web_cve_2022_33891_spark_shell_command_injection.yml
2022-07-21 18:02:44 +02:00
aa79f4a5ee
Update web_cve_2022_33891_spark_shell_command_injection.yml
2022-07-21 15:34:11 +01:00
a0a318edfc
Update proc_creation_lnx_cve_2022_33891_spark_shell_command_injection.yml
2022-07-21 15:17:48 +01:00
a46b20b78c
Update proc_creation_lnx_cve_2022_33891_spark_shell_command_injection.yml
2022-07-21 14:42:54 +01:00
4d981fded8
Detect RipZip attack
2022-07-21 16:05:52 +08:00
de68fb244e
Merge pull request #3251 from nasbench/CVE-2014-6287
...
Create web_cve_2014_6287_hfs_rce.yml
2022-07-20 23:24:42 +02:00
289a3f3de3
Merge pull request #3253 from nasbench/susp-user-agents
...
Create web_susp_useragents.yml
2022-07-20 23:24:12 +02:00
4a709eeea0
Merge pull request #3258 from BlackB0lt/patch-29
...
Update proc_creation_win_lolbins_by_office_applications.yml
2022-07-20 23:22:02 +02:00
6bf8fc8c80
Merge pull request #3259 from redsand/fp_regsvr32_filter_box
...
False positive when box app uses regsvr32
2022-07-20 23:21:30 +02:00
21ca197337
Merge pull request #3256 from markoverholser/master
...
Fix issue with using `source:` on Zeek `files` log
2022-07-20 23:21:11 +02:00
3f6bbd0df9
False positive when box app uses regsvr32
2022-07-20 18:47:26 +00:00
cac84f2d29
Update proc_creation_win_lolbins_by_office_applications.yml
...
And control.exe reference from Splunk Detection
2022-07-20 19:53:53 +07:00
a8b283ba5f
Update
2022-07-20 13:40:24 +01:00
4c5929416a
Update web_cve_2014_6287_hfs_rce.yml
2022-07-20 13:26:19 +01:00
776b3ff99c
Update web_susp_useragents.yml
2022-07-20 14:21:41 +02:00
c107c27074
Update proc_creation_win_icacls_deny.yml
2022-07-20 14:05:06 +02:00
b3131a5a44
Merge pull request #3237 from frack113/fax
...
Fax service persistance
2022-07-20 14:03:56 +02:00
abe97c6ba8
Merge pull request #3245 from redsand/fp_epmap_from_amazon_ssm
...
False positive from amazon ssm agent updater connecting to local ip a…
2022-07-20 14:03:41 +02:00
bccaf9df12
Merge pull request #3257 from SigmaHQ/aurora-false-positive-fixing
...
Aurora false positive fixing
2022-07-20 14:01:51 +02:00
3286d16f3a
Merge branch 'master' into aurora-false-positive-fixing
2022-07-20 13:03:56 +02:00
634722c786
fix: FPs noticed with Aurora
2022-07-20 13:02:49 +02:00
2bea984f0a
fix: FPs with Rundll32 rule
2022-07-20 12:53:24 +02:00
381c26fd94
Fix issue with using source: on Zeek files log
...
Line 407 was `source: id.orig_h` so that people could use the word `source` as an alias to `id.orig_h`, however there is a literal field with the name `source` in the `files.log` for Zeek, so having a Sigma query with something like `source: 'SMTP'` would yield `id.orig_h='SMTP'` in the resulting Splunk translation, which is incorrect. It should be `source='SMTP'`
Commenting out line 407 fixes this.
2022-07-19 15:16:20 -05:00
06c9ba2730
Renamed File
2022-07-19 18:38:10 +01:00
32b028fb16
Create web_cve_2022_33891_spark_rce.yml
2022-07-19 17:15:14 +01:00
5edd024476
Merge pull request #3252 from frack113/yaml_fix
...
Add azure_aad_secops_new_ca_policy_addedby_bad_actor
2022-07-19 17:59:56 +02:00
595af48863
Create web_susp_useragents.yml
2022-07-19 16:26:28 +01:00
a3b1cdc158
Add azure_aad_secops_new_ca_policy_addedby_bad_actor
2022-07-19 17:19:37 +02:00
fd30a06112
Merge pull request #3240 from nasbench/uac-bypass-image-load
...
Iscsicpl UAC Bypass + Generic Rule
2022-07-19 16:38:34 +02:00
982038ebe3
Update web_cve_2014_6287_hfs_rce.yml
2022-07-19 15:27:16 +01:00
8e5e71ea15
Create web_cve_2014_6287_hfs_rce.yml
2022-07-19 15:17:16 +01:00
Florian Roth