security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
8,994 Commits 1 Branch 57 Tags
01dc930c173e329c191245b76f05de5fa4b5da21
Commit Graph

94 Commits

Author SHA1 Message Date
frack113 01dc930c17 Change status for old rules 2021-11-27 11:33:14 +01:00
Florian Roth 97207bdf81 Merge branch 'master' into aurora-false-positive-fixing 2021-11-27 09:22:15 +01:00
Florian Roth 0ad9f9a859 fix: FPs noticed with Aurora 2021-11-27 09:13:53 +01:00
Florian Roth 11b8ccfe8f Merge branch 'rule-devel' of https://github.com/SigmaHQ/sigma into rule-devel 2021-11-26 20:47:22 +01:00
Florian Roth eae38d08f0 fix: FPs 2021-11-26 20:46:52 +01:00
Florian Roth 1702c057c6 Merge branch 'master' into rule-devel 2021-11-26 20:02:40 +01:00
Florian Roth 03cddbba29 fix: FPs 2021-11-26 20:00:55 +01:00
Florian Roth f60e8e5d17 fix: more false positive filters 2021-11-24 16:58:53 +01:00
Florian Roth f2585f44da fix: bug in filter 2021-11-22 21:30:19 +01:00
Florian Roth 7468d495ff fix: FP with LSASS access rule 2021-11-22 21:29:21 +01:00
Florian Roth 8fc93d3340 refactor: generic lsass access filter 2021-11-22 15:05:56 +01:00
Florian Roth ff6bb3acea extended filters and descriptions 2021-11-22 14:01:30 +01:00
Florian Roth 37ff832fda fix: FPs with LSASS access rule 2021-11-22 13:43:20 +01:00
Florian Roth cda13acc83 Revert "refactor: add another flag set" 
This reverts commit ca62fe586f.
 2021-11-22 12:51:16 +01:00
Florian Roth ca62fe586f refactor: add another flag set 2021-11-22 12:21:19 +01:00
Florian Roth a5b7a92d91 fix: FPs with Aurora 2021-11-22 12:20:21 +01:00
Florian Roth d3ec743906 fix: changed modified date 2021-11-22 11:38:37 +01:00
Florian Roth fbd8df5768 rule: lsass access suspicious flags 2021-11-22 11:37:09 +01:00
Florian Roth 7432aa37a0 refactor: lsass query info access 2021-11-22 11:02:01 +01:00
Florian Roth e73816bb22 fix: too many false positives with in-memory detection rule 2021-11-20 15:07:20 +01:00
Florian Roth 15a4938294 fix: wrong condition 2021-11-20 15:05:06 +01:00
Florian Roth f1d2903ec2 fix: FPs with rules 2021-11-20 12:32:15 +01:00
Florian Roth 6c040f0844 fix: more false positives 2021-11-20 12:00:18 +01:00
Florian Roth 1fffb57df0 fix: FPs with different rules 2021-11-20 11:33:43 +01:00
frack113 1cfca93354 Missing status in rules (#2284) 
* add missing status
 2021-11-19 22:32:26 +01:00
Florian Roth 7d4e3fd2ed fix: more false positive fixes 2021-11-16 23:27:00 +01:00
Florian Roth 8d6d8c2c92 fix: several FPs 2021-11-16 17:30:23 +01:00
frack113 b267504708 Merge pull request #2179 from frack113/fix_sysmon_in_memory_assembly_execution 
Fix sysmon in memory assembly execution
 2021-10-23 10:11:08 +02:00
frack113 1775db7fe8 fix cast 2021-10-21 09:58:32 +02:00
frack113 4394aa685d fix cast 2021-10-21 09:47:06 +02:00
frack113 6c7d5124f5 fix detection 2021-10-21 09:28:33 +02:00
frack113 216b2d65d9 fix SourceImage 2021-10-20 19:45:38 +02:00
Thomas Patzke 143744bc12 Various fixes 
* Backslashes in regular expressions
* Casing of condition operators
* Further small errors
 2021-09-07 23:38:07 +02:00
phantinuss 3a9e10d081 bulk of new rules to match working UACMe UAC bypasses 2021-08-31 12:51:21 +02:00
SomeOne 295054dcbe Replace old mitre techniques by new one 2021-08-22 13:57:56 +02:00
Austin Songer c9128687ee Spelling Errors on Rules 2021-08-18 18:58:20 +00:00
phantinuss 246ba0c17f generalise amsi bypass rule to CobaltStrike BOF injection pattern 
generalise to CobaltStrike BOF injection pattern
 2021-08-13 15:34:01 +02:00
phantinuss 62eca463ac new rule LittleCorporal generated maldoc process injection 2021-08-11 09:25:23 +02:00
Florian Roth eb247704fe Merge pull request #1761 from d4rk-d4nph3/master 
Added rule for Cabinet file expansion and Pypykatz
 2021-08-05 15:50:12 +02:00
phantinuss 882ea7ec22 fix: remove unnecessary single value list 2021-08-04 15:50:39 +02:00
phantinuss 994701bd8e CobaltStrike injected AMSI bypass 2021-08-04 11:28:58 +02:00
Bhabesh Rai 85b88c7646 Added rule for pypykatz 2021-08-03 15:06:27 +05:45
phantinuss 9833cc34e5 direct syscall to NtOpenProcess 2021-07-28 15:14:30 +02:00
frack113 895a2f6154 fix 3 times the same name file 2021-07-02 11:01:07 +02:00
Bhabesh Rai 206adbb2b6 Merging upstream updates 2021-07-01 12:18:30 +05:45
wagga40 11df697cdc Updated rules with modifiers instead of '*' and remove trailing '\\' 2021-06-27 14:51:29 +02:00
frack113 edfb67ddc7 fix TargetImage|endswith 2021-06-21 21:21:34 +02:00
frack113 6558a5b110 fix TargetImage|endswith 2021-06-21 21:19:04 +02:00
frack113 0bc04605cb fix TargetImage|endswith 2021-06-21 21:14:36 +02:00
Florian Roth 0377a30893 fix: several issues 2021-06-14 09:42:25 +02:00