Commit Graph

146 Commits

Author SHA1 Message Date
frack113 01dc930c17 Change status for old rules 2021-11-27 11:33:14 +01:00
Florian Roth 97207bdf81 Merge branch 'master' into aurora-false-positive-fixing 2021-11-27 09:22:15 +01:00
Florian Roth 0ad9f9a859 fix: FPs noticed with Aurora 2021-11-27 09:13:53 +01:00
Florian Roth a832b8ffb9 refactor: changed filter to be more explicit 2021-11-27 08:53:05 +01:00
Florian Roth 1702c057c6 Merge branch 'master' into rule-devel 2021-11-26 20:02:40 +01:00
Florian Roth 03cddbba29 fix: FPs 2021-11-26 20:00:55 +01:00
Florian Roth d91b925873 fix: FPs 2021-11-26 14:42:21 +01:00
Florian Roth a6c9a8772c Merge branch 'master' into aurora-false-positive-fixing 2021-11-26 00:09:09 +01:00
Florian Roth 11fc576103 fix: FPs with rules 2021-11-25 19:04:27 +01:00
phantinuss 979a00c2f4 fix: FPs found with Aurora 2021-11-25 15:36:08 +01:00
Florian Roth f60e8e5d17 fix: more false positive filters 2021-11-24 16:58:53 +01:00
Florian Roth fd6e3bb572 fix: dbghelp/dbgcore DLL load FP 2021-11-24 13:47:30 +01:00
Florian Roth 88cc418b98 Merge branch 'rule-devel' into aurora-false-positive-fixing 2021-11-24 13:42:00 +01:00
Florian Roth 37b445d3bb fix: FPs that only show up in Aurora (Sysmon configs are often too restricted) 2021-11-24 00:27:43 +01:00
Florian Roth f1c31bda02 fix: FPs noticed in Suspicious System.Drawing Load 2021-11-23 12:33:11 +01:00
Florian Roth 614046c241 fix: missing filter in condition 2021-11-23 09:37:20 +01:00
Florian Roth e778372d1f Merge pull request #2295 from SigmaHQ/aurora-false-positive-fixing (Aurora false positive fixing) 2021-11-22 15:19:05 +01:00
Florian Roth d5eff9ef6d fix: FP with In-memory PowerShell rule and Visual Studio 2021-11-22 13:45:31 +01:00
Florian Roth 145d05e756 Merge pull request #2294 from SigmaHQ/aurora-false-positive-fixing (fix: FPs with Aurora) 2021-11-22 13:30:07 +01:00
Florian Roth db03d08b11 Merge pull request #2293 from SigmaHQ/rule-devel (fix: 0x1000 access on LSASS, rule: new LSASS access, rule: CVE-2021-41379) 2021-11-22 13:29:31 +01:00
Florian Roth a5b7a92d91 fix: FPs with Aurora 2021-11-22 12:20:21 +01:00
Florian Roth 0da02fbc46 fix: image_load in sysmon doesn't contain a command line 2021-11-20 19:58:21 +01:00
Florian Roth ed4e771700 Merge pull request #2287 from frack113/tags (Add missing Mitre Techniques Tags for windows rules) 2021-11-20 15:38:25 +01:00
Florian Roth dfbaadf932 fix: FPs - extended filter 2021-11-20 13:01:24 +01:00
frack113 f47d0da3f7 add missing MITRE Techniques 2021-11-20 12:26:01 +01:00
Florian Roth 5b8b622658 fix: too many false positives with WMI Modules Loaded 2021-11-20 11:54:19 +01:00
Florian Roth 1fffb57df0 fix: FPs with different rules 2021-11-20 11:33:43 +01:00
Florian Roth 4acbb15713 Merge branch 'master' into rule-devel 2021-11-19 15:52:21 +01:00
Florian Roth 86f7c2b9f9 fix: FPs with WMI module rule 2021-11-19 12:15:01 +01:00
Florian Roth 23220e7d78 Merge branch 'rule-devel' of https://github.com/SigmaHQ/sigma into rule-devel 2021-11-17 19:00:06 +01:00
Florian Roth c71d9dba89 fix: false positive with WMI rule 2021-11-17 18:59:22 +01:00
frack113 0605a1c64e add WMIC.exe 2021-11-17 16:37:27 +01:00
Florian Roth dcfc9d562e fix: more false positives 2021-11-17 10:27:02 +01:00
Florian Roth 7d4e3fd2ed fix: more false positive fixes 2021-11-16 23:27:00 +01:00
Florian Roth 8d6d8c2c92 fix: several FPs 2021-11-16 17:30:23 +01:00
Florian Roth d29c353718 refactor: unnecessary filter 2021-11-16 13:47:41 +01:00
Florian Roth daff947d4b refactor: fixes without CommandLine field in ImageLoad events 2021-11-16 13:46:15 +01:00
Florian Roth 5e14b73b9c fix: FP with logman.exe 2021-11-16 13:39:32 +01:00
Florian Roth 2383b2b76b fix: problem with empty string 2021-11-16 13:33:00 +01:00
Florian Roth 98073049ba fix: FPs with Load of dbghelp/dbgcore DLL from Suspicious Process 2021-11-16 13:11:11 +01:00
Florian Roth 2448691ad0 fix: FPs 2021-11-16 13:04:52 +01:00
Tim Shelton a1c85108fa Updating author and date modified 2021-11-11 20:37:34 +00:00
Tim Shelton 9b469f21a2 adds microsoft sql server mgmt studio to allow list, along with note 2021-11-10 17:38:15 +00:00
Tim Shelton dda204bd51 updating yaml 2021-11-04 18:56:07 +00:00
Tim Shelton e266491f0a adding obsoletes tags 2021-11-04 18:36:55 +00:00
Tim Shelton 1ae596b634 removing rule 867613fb-fa60-4497-a017-a82df74a172c . this is a duplicate of 092bc4b9-3d1d-43b4-a6b4-8c8acd83522f and does not contain an allow list of known processes. 2021-11-04 17:07:00 +00:00
frack113 f8574fcd81 Add cve tags 2021-10-25 18:40:50 +02:00
frack113 fd329f4f9b Remove unneeded EventID 2021-10-04 21:25:57 +02:00
Florian Roth 4161cd909f docs: changed description 2021-09-27 23:12:18 +02:00
Florian Roth ada966c5be Merge branch 'rule-devel' of https://github.com/SigmaHQ/sigma into rule-devel 2021-09-27 22:34:30 +02:00