Florian Roth
|
a29ac79a3f
|
refactor: extended comsvcs.dll MiniDump rule
|
2021-04-23 16:46:04 +02:00 |
|
Florian Roth
|
6f12a1b099
|
docs: FPs and changed level
|
2021-04-23 16:45:52 +02:00 |
|
Florian Roth
|
1333a95c51
|
rule: get-process lsass
|
2021-04-23 16:44:53 +02:00 |
|
Florian Roth
|
85582c540e
|
docs: changed modification date
|
2021-04-23 14:55:04 +02:00 |
|
Florian Roth
|
ce03ca9485
|
fix: Jitter keyword prone to FPs
|
2021-04-23 14:54:32 +02:00 |
|
Florian Roth
|
6256261d0e
|
fix: FPs with Certutil and McAfee Chromium Container
|
2021-04-23 12:49:16 +02:00 |
|
Florian Roth
|
d5e88d369c
|
fix: fixed rule title
|
2021-04-23 09:51:31 +02:00 |
|
Florian Roth
|
b447e6338f
|
rule: Export-PfxCertificate
|
2021-04-23 09:01:14 +02:00 |
|
Florian Roth
|
53c6a7c54e
|
refactor: tightened filter
|
2021-04-19 09:30:32 +02:00 |
|
Florian Roth
|
897da252f1
|
fix: missing new line placeholder escape
|
2021-04-09 16:45:07 +02:00 |
|
Florian Roth
|
65a11dde52
|
fix: rules causing too many false positives
|
2021-04-09 15:55:14 +02:00 |
|
Vasiliy Burov
|
e73e27e44f
|
Update win_hack_rubeus.yml
Added commandline parameters for constrained delegation abuse and for hashes calculation
|
2021-04-06 20:18:54 +03:00 |
|
Thomas Patzke
|
d1de168295
|
Merge branch 'oscd'
|
2021-04-06 00:05:35 +02:00 |
|
Thomas Patzke
|
b1b0240692
|
Fixes
|
2021-04-03 23:21:13 +02:00 |
|
Thomas Patzke
|
90efe974b8
|
Fixes and improvements
|
2021-04-03 00:08:55 +02:00 |
|
phantinuss
|
4934f80601
|
fix: FP tuning for IIS Express and making use of value modifiers
|
2021-04-01 14:37:20 +02:00 |
|
phantinuss
|
8b4234de3b
|
refactor: make use of value modifiers
|
2021-04-01 14:37:17 +02:00 |
|
phantinuss
|
794865c79d
|
fix: adding filter to condition and reintroducing the users folder constraint
|
2021-04-01 14:37:17 +02:00 |
|
phantinuss
|
43be8c8cba
|
refactor: make use of value modifiers
|
2021-04-01 14:37:16 +02:00 |
|
phantinuss
|
bd5ba2ae01
|
fix: adding only as a known false positive as it cannot be filtered out in a generic and public way
|
2021-04-01 14:37:15 +02:00 |
|
phantinuss
|
65bc62d401
|
fix: adding filter out for CamMute.exe
|
2021-04-01 14:37:14 +02:00 |
|
phantinuss
|
2cab121c71
|
refactor: merging rule process_creation/win_susp_exec_folder.yml and process_creation/win_susp_prog_location_process_starts.yml because of significant overlap
|
2021-04-01 14:37:13 +02:00 |
|
phantinuss
|
109b7890db
|
fix: taking windows security 4688 events into account for filter out
|
2021-04-01 14:36:57 +02:00 |
|
Florian Roth
|
b296c643de
|
Merge pull request #1346 from blueteam0ps/patch-3
Added win_ad_find_discovery.yml
|
2021-03-29 11:20:49 +02:00 |
|
BlueTeamOps
|
6ef5f0a0a2
|
Added detection for Dumpert
-Dumpert based LSASS dump using DLL
-Dumpert.exe detection
|
2021-03-27 07:34:05 +11:00 |
|
BlueTeamOps
|
8916459bab
|
Added additional CS signatures
|
2021-03-25 22:44:24 +11:00 |
|
Florian Roth
|
48265ad71a
|
Merge pull request #1398 from SigmaHQ/rule-devel
MSExchange Management log mapping, some fixes
|
2021-03-20 17:21:31 +01:00 |
|
Florian Roth
|
525f4b6a6b
|
Merge pull request #1388 from Cyb3rPandaH/master
CVE-2021-27065 - Set OabVirtualDirectory ExternalUrl Property
|
2021-03-20 08:53:04 +01:00 |
|
Florian Roth
|
e47ee24889
|
Merge branch 'master' into rule-devel
|
2021-03-20 08:52:55 +01:00 |
|
Florian Roth
|
334dd9a058
|
Update win_set_oabvirtualdirectory_externalurl.yml
|
2021-03-20 08:34:02 +01:00 |
|
Florian Roth
|
33af006479
|
Merge pull request #1389 from ZikyHD/patch_win_susp_wuauclt
Fix ProcessCommandLine field
|
2021-03-20 08:29:23 +01:00 |
|
Florian Roth
|
01fcfd4f76
|
Merge pull request #1390 from ZikyHD/patch_win_proc_wrong_parent
Add "Microsoft Security Client" directory for MsMpEng.exe (Win<8)
|
2021-03-20 08:29:09 +01:00 |
|
Florian Roth
|
2472926c48
|
Merge pull request #1391 from ZikyHD/patch_win_etw_trace_evasion
Fix win_etw_trace_evasion rule
|
2021-03-20 08:28:51 +01:00 |
|
Florian Roth
|
dd4a1ac393
|
fix: prone to FPs - use is unclear
https://regex101.com/r/tss5TZ/1
|
2021-03-18 16:44:49 +01:00 |
|
Florian Roth
|
6b2bcd3d87
|
Merge pull request #1395 from SigmaHQ/rule-devel
Rule devel
|
2021-03-18 10:52:02 +01:00 |
|
Florian Roth
|
d30e87d543
|
fix: lsass access - FPs with AV / EDR software
|
2021-03-18 09:04:03 +01:00 |
|
Florian Roth
|
92510e2507
|
extended Exchange post-exploitation rule
|
2021-03-17 18:01:45 +01:00 |
|
Florian Roth
|
943f8513e2
|
Merge pull request #1393 from SigmaHQ/rule-devel
Rule devel
|
2021-03-16 16:35:55 +01:00 |
|
Florian Roth
|
bfc99996b5
|
fix: Bug in rule condition
|
2021-03-16 16:35:21 +01:00 |
|
Florian Roth
|
32adf0c3ce
|
fix: prone to FPs
|
2021-03-16 15:52:35 +01:00 |
|
zikyhd
|
e91822e070
|
Fix win_etw_trace_evasion rule
|
2021-03-15 15:02:18 +01:00 |
|
Cedric HIEN
|
864973888e
|
Add "Microsoft Security Client" directory for MsMpEng.exe (Win<8)
|
2021-03-15 12:07:05 +01:00 |
|
Cedric HIEN
|
e4f24f4e1f
|
Fix ProcessCommandLine field
|
2021-03-15 11:56:19 +01:00 |
|
Florian Roth
|
310888bae7
|
Merge pull request #1386 from SigmaHQ/rule-devel
Rule devel
|
2021-03-15 10:52:57 +01:00 |
|
Florian Roth
|
70f9480ec5
|
fix: wrong field name
|
2021-03-15 08:14:43 +01:00 |
|
Cyb3rPandaH
|
f138a27426
|
CVE-2021-27065 - Set OabVirtualDirectory ExternalUrl Property
Rule to detect an adversary setting OabVirtualDirectory External URL property to a script
|
2021-03-15 00:33:47 -04:00 |
|
Florian Roth
|
a0b034aa2b
|
fix: better exclusion
|
2021-03-13 09:09:43 +01:00 |
|
Florian Roth
|
145c3bc2ca
|
refactor: more hafnium indicators
|
2021-03-13 09:07:58 +01:00 |
|
Florian Roth
|
69ee1cece2
|
fix: FPs
|
2021-03-13 09:07:44 +01:00 |
|
Florian Roth
|
48da4e1314
|
Update win_apt_hafnium.yml
|
2021-03-11 13:55:31 +01:00 |
|