-
-
Notifications
You must be signed in to change notification settings - Fork 2.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Rules Tuning #4702
Merged
Merged
Rules Tuning #4702
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Merging this without a true 2nd review for release reasons. But it'll be reviewed later by @phantinuss |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Labels
2nd Review Needed
PR need a second approval
Rules
Windows
Pull request add/update windows related rules
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary of the Pull Request
This PR tune some false positives found in the wild as well as offer some updates to increase coverage of some rules.
Changelog
fix: Dllhost.EXE Initiated Network Connection To Non-Local IP Address - Add additional filter
fix: Outbound RDP Connections Over Non-Standard Tools - Update filters
fix: Rundll32 Execution With Uncommon DLL Extension - Error in filter logic
remove: Suspicious Non-Browser Network Communication With Reddit API
update: BITS Transfer Job Download From File Sharing Domains - Add additional domains
update: Dfsvc.EXE Initiated Network Connection Over Uncommon Port - Update image and list of ports
update: HH.EXE Initiated HTTP Network Connection - Update list of ports
update: Microsoft Binary Suspicious Communication Endpoint - Enhance list of paths and filters
update: Msiexec.EXE Initiated Network Connection Over HTTP - Update destination ports
update: Network Connection Initiated To Mega.nz - Update domains
update: Office Application Initiated Network Connection Over Uncommon Ports - Update list of ports
update: Office Application Initiated Network Connection To Non-Local IP - update list of filters
update: Potential Dead Drop Resolvers - Update domains and filters
update: Remote CHM File Download/Execution Via HH.EXE - Enhance logic
update: Suspicious Download From File-Sharing Website Via Bitsadmin - Add additional domains
update: Suspicious File Download From File Sharing Domain Via Curl.EXE - Add additional domains
update: Suspicious File Download From File Sharing Websites - Add additional domains
update: Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE - Add additional domains
update: Suspicious Remote AppX Package Locations - Add additional domains
update: Unusual File Download From File Sharing Websites - Add additional domains
Example Log Event
N/A
Fixed Issues
Fixes #4708 - Thanks @omaramin17
SigmaHQ Rule Creation Conventions