
Rules Tuning #4702

Merged
merged 11 commits into from
Feb 12, 2024

Conversation

nasbench
Member

@nasbench nasbench commented Feb 1, 2024

Summary of the Pull Request

This PR tunes some false positives found in the wild and offers some updates to increase the coverage of some rules.

Changelog

fix: Dllhost.EXE Initiated Network Connection To Non-Local IP Address - Add additional filter
fix: Outbound RDP Connections Over Non-Standard Tools - Update filters
fix: Rundll32 Execution With Uncommon DLL Extension - Error in filter logic
remove: Suspicious Non-Browser Network Communication With Reddit API
update: BITS Transfer Job Download From File Sharing Domains - Add additional domains
update: Dfsvc.EXE Initiated Network Connection Over Uncommon Port - Update image and list of ports
update: HH.EXE Initiated HTTP Network Connection - Update list of ports
update: Microsoft Binary Suspicious Communication Endpoint - Enhance list of paths and filters
update: Msiexec.EXE Initiated Network Connection Over HTTP - Update destination ports
update: Network Connection Initiated To Mega.nz - Update domains
update: Office Application Initiated Network Connection Over Uncommon Ports - Update list of ports
update: Office Application Initiated Network Connection To Non-Local IP - Update list of filters
update: Potential Dead Drop Resolvers - Update domains and filters
update: Remote CHM File Download/Execution Via HH.EXE - Enhance logic
update: Suspicious Download From File-Sharing Website Via Bitsadmin - Add additional domains
update: Suspicious File Download From File Sharing Domain Via Curl.EXE - Add additional domains
update: Suspicious File Download From File Sharing Websites - Add additional domains
update: Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE - Add additional domains
update: Suspicious Remote AppX Package Locations - Add additional domains
update: Unusual File Download From File Sharing Websites - Add additional domains

Example Log Event

N/A

Fixed Issues

Fixes #4708 - Thanks @omaramin17

SigmaHQ Rule Creation Conventions

  • If your PR adds new rules, please consider following and applying these conventions

@github-actions github-actions bot added Rules Windows Pull request add/update windows related rules labels Feb 1, 2024
@nasbench nasbench added the Work In Progress Some changes are needed label Feb 2, 2024
@nasbench nasbench marked this pull request as ready for review February 9, 2024 11:42
@nasbench
Member Author

Merging this without a true 2nd review for release reasons. But it'll be reviewed later by @phantinuss

@nasbench nasbench merged commit 2acebc9 into SigmaHQ:master Feb 12, 2024
12 checks passed
@nasbench nasbench deleted the updates-feb branch March 11, 2024 21:09
Labels
2nd Review Needed PR need a second approval Rules Windows Pull request add/update windows related rules
Development

Successfully merging this pull request may close these issues.

Adding new hosting sites to downloading rules