fix: Suspicious Sysmon as Execution Parent - add filter for Sysmon binary running from temp dir
fix: Remote Thread Created In Shell Application - modify the logic to filter out legit processes creating remote thread in shell apps
fix: Potential Active Directory Reconnaissance/Enumeration Via LDAP - commenting out troublesome LDAP query parameter
fix: Rare Remote Thread Creation By Uncommon Source Image - add several FP filters
fix: Remote Thread Creation By Uncommon Source Image - add several FP filters
fix: ADS Zone.Identifier Deleted By Uncommon Application - filter msedge
fix: Remote Thread Creation In Uncommon Target Image - add FP filters for notepad and sethc
fix: Potential Binary Or Script Dropper Via PowerShell - add filters for legitimate binary dropped by PowerShell
fix: Use Short Name Path in Command Line - add filter for aurora
fix: Suspicious Userinit Child Process - filter null Image
fix: CurrentVersion NT Autorun Keys Modification - add filter for RuntimeBroker.exe
fix: Modification of IE Registry Settings - add filter for RuntimeBroker.exe
fix: Scheduled TaskCache Change by Uncommon Program - add filter for RuntimeBroker.exe
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
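As an added illustration of how a Sigma false-positive filter of the kind these fixes add excludes a benign event (example code written for this page, not the Sigma project's own; the rule body is a constructed simplification of "Suspicious Sysmon as Execution Parent" and the temp-directory filter logic is an assumption, not the repository's actual rule):

```python
# Minimal evaluator for a Sigma-style detection with a "not filter" clause.
# The rule below is a constructed simplification, NOT the real Sigma rule.
RULE = {
    "detection": {
        "selection": {"ParentImage|endswith": ["\\Sysmon.exe", "\\Sysmon64.exe"]},
        # Hypothetical FP filter: a Sysmon binary staged in a temp directory
        # (e.g. by an installer/updater) spawning children is treated as benign.
        "filter_temp": {"ParentImage|contains": ["\\Temp\\", "\\tmp\\"]},
        "condition": "selection and not filter_temp",
    }
}

def _match_field(event, key, values):
    # Field keys carry an optional Sigma modifier: "Field|endswith".
    field, _, mod = key.partition("|")
    actual = str(event.get(field, "")).lower()
    for v in ([values] if isinstance(values, str) else values):
        v = v.lower()
        if mod == "endswith" and actual.endswith(v):
            return True
        if mod == "startswith" and actual.startswith(v):
            return True
        if mod == "contains" and v in actual:
            return True
        if mod == "" and actual == v:
            return True
    return False

def _match_selection(event, sel):
    # All fields in a selection map must match (implicit AND); list values are OR.
    return all(_match_field(event, k, v) for k, v in sel.items())

def evaluate(rule, event):
    # Supports the common shape "<sel> and not <filter> [and not <filter> ...]".
    det = rule["detection"]
    result = True
    for part in (p.strip() for p in det["condition"].split(" and ")):
        negate = part.startswith("not ")
        matched = _match_selection(event, det[part[4:] if negate else part])
        result = result and (not matched if negate else matched)
    return result

# Constructed Sysmon event-ID-1 style records (not real telemetry).
EVENTS = [
    {"Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Windows\\Sysmon64.exe"},
    {"Image": "C:\\Windows\\Sysmon64.exe", "ParentImage": "C:\\Users\\a\\AppData\\Local\\Temp\\Sysmon64.exe"},
    {"Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Windows\\explorer.exe"},
]

def alerts(rule=RULE, events=EVENTS):
    # Returns the ParentImage of every event the rule still fires on.
    return [e["ParentImage"] for e in events if evaluate(rule, e)]
```

Only the first event alerts: the second is excluded by the filter, the third never matched the selection.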
Emerging Threats Rules
This folder contains rules that belong to the "emerging-threats" category of SIGMA. This category aims to cover specific threats that are timely and relevant for certain periods of time. These threats include specific APT campaigns, exploitation of zero-day vulnerabilities, specific malware used during an attack, etc.
The folder structure is split by year, and every folder can contain two sub-folders:
Exploits: Contains specific rules that cover exploitation of vulnerabilities.
Malware: Contains specific rules that cover malware, ransomware and any type of suspicious software used by Threat Actors or malicious actors.
TA: Contains specific rules that cover APT, Threat Actor and malware activities.