Commit Graph

153 Commits

Author SHA1 Message Date
Florian Roth 0e5846aced fix: remove new line 2022-02-03 21:54:16 +01:00
Florian Roth 15dfdd8262 fix: FPs noticed with Aurora 2022-02-03 21:53:26 +01:00
Florian Roth 6c2dea3a8c fix: FPs noticed with Aurora 2022-02-01 15:57:44 +01:00
Florian Roth 8d5742e83e fix: fixing FPs with LSASS access mask in old rule 2022-01-29 18:17:46 +01:00
Florian Roth 7b05827326 fix: FPs noticed with Aurora 2022-01-28 17:26:51 +01:00
Florian Roth 82d5f4a511 fix: too many false positives with certain access masks 2022-01-27 09:08:40 +01:00
mhaag-spl b3b37719e7 Update sysmon_lsass_memdump.yml 2022-01-26 08:12:49 -07:00
    Updated Sysmon Lsass Memdump to detect other memory dumping techniques from mimikatz, nanodump, invoke-mimikatz, and so forth. This adds additional GrantedAccess permissions and adds ntdll.dll to CallTrace. Tested with Atomic Red Team T1003.001, MimiKatz, Invoke-Mimikatz and Cobalt Strike.
frack113 6eeb0723ed Fix FP thanks aurora 2022-01-21 13:14:35 +01:00
frack113 4631d0c482 remove invalid tag 2022-01-19 18:23:30 +01:00
Florian Roth f27a8c96d1 Merge pull request #2556 from SigmaHQ/aurora-false-positive-fixing 2022-01-13 21:04:22 +01:00
    Aurora false positive fixing
Florian Roth 56097703f1 fix: FP detected with Aurora 2022-01-13 09:17:42 +01:00
Bhabesh 6554556c14 Added two filters to reduce FP 2022-01-12 12:55:07 +05:45
Florian Roth bdbb156090 fix: FPs noticed with Aurora 2022-01-08 15:12:17 +01:00
frack113 73f258e2d1 Change double quote to quote 2022-01-06 14:02:35 +01:00
Florian Roth 1653f30953 Merge branch 'aurora-false-positive-fixing' of https://github.com/SigmaHQ/sigma into aurora-false-positive-fixing 2021-12-22 19:00:35 +01:00
Florian Roth c4fa0c22ad fix: FPs noticed with Aurora 2021-12-22 19:00:32 +01:00
Florian Roth 31788f91d8 Merge pull request #2477 from SigmaHQ/aurora-false-positive-fixing 2021-12-20 16:56:21 +01:00
    fix: FPs noticed with Aurora
Florian Roth 37da48ba3f fix: FPs noticed with Aurora 2021-12-20 12:04:40 +01:00
Florian Roth 8a3c521a34 Merge pull request #2466 from SigmaHQ/aurora-false-positive-fixing 2021-12-18 07:16:16 +01:00
    Aurora false positive fixing
Florian Roth 4e49c28472 fix: FPs noticed with Aurora 2021-12-18 06:19:35 +01:00
Florian Roth f1918e512c Merge branch 'aurora-false-positive-fixing' of https://github.com/SigmaHQ/sigma into aurora-false-positive-fixing 2021-12-18 00:18:00 +01:00
Florian Roth 4b7b829d18 fix: FPs noticed with Aurora 2021-12-18 00:17:58 +01:00
Andreas Hunkeler 9ecacdaeea Move winrm rule to process creation 2021-12-17 17:31:06 +01:00
frack113 58063d1113 FP add perfmon.exe 2021-12-10 19:19:55 +01:00
Florian Roth 89e659355c fix: FPs noticed with Aurora 2021-12-07 15:06:49 +01:00
Florian Roth c241601fa9 fix: FPs noticed with Aurora 2021-12-06 13:45:59 +01:00
Florian Roth 48289bdab9 Merge branch 'aurora-false-positive-fixing' of https://github.com/SigmaHQ/sigma into aurora-false-positive-fixing 2021-12-05 11:21:43 +01:00
Florian Roth cb4ee6fbee fix: FPs noticed with Aurora 2021-12-05 11:21:40 +01:00
Florian Roth b6c8481a84 Merge branch 'master' into aurora-false-positive-fixing 2021-12-04 20:00:36 +01:00
Florian Roth a011df121f Merge branch 'aurora-false-positive-fixing' of https://github.com/SigmaHQ/sigma into aurora-false-positive-fixing 2021-12-04 19:18:47 +01:00
Florian Roth 5fa6f749f5 fix: FPs noticed with Aurora 2021-12-04 19:18:45 +01:00
Florian Roth 7cd747ff40 Merge pull request #2382 from SigmaHQ/aurora-false-positive-fixing 2021-12-04 16:39:00 +01:00
    Aurora false positive fixing
Florian Roth 9a06cf2da5 fix: FPs noticed with Aurora 2021-12-04 14:28:51 +01:00
frack113 5e0326f461 Merge pull request #2376 from frack113/fix_FP 2021-12-04 08:57:58 +01:00
    Fix some FP
Florian Roth 29cbdf80c2 Merge branch 'aurora-false-positive-fixing' of https://github.com/SigmaHQ/sigma into aurora-false-positive-fixing 2021-12-03 19:03:14 +01:00
Florian Roth bcc5010e7e fix: more FPs noticed with Aurora 2021-12-03 19:02:24 +01:00
frack113 4dbf10017d Add FP on new Windows 10 VM 2021-12-03 17:31:59 +01:00
Florian Roth 6aed1a0d2a fix: FPs noticed with Aurora 2021-12-02 14:57:06 +01:00
Florian Roth 4a136fdce6 simplified condition 2021-12-01 14:06:09 +01:00
Florian Roth f2199eacad fix: FPs noticed with Aurora 2021-12-01 13:39:53 +01:00
Florian Roth 6d155ad2ce fix: simplified and extended rule 2021-11-30 20:12:07 +01:00
Florian Roth 9b235f6873 fix: Granted Access 0x410 in different rules 2021-11-30 19:20:37 +01:00
Florian Roth e89646a696 Merge branch 'aurora-false-positive-fixing' of https://github.com/SigmaHQ/sigma into aurora-false-positive-fixing 2021-11-30 19:15:20 +01:00
Florian Roth 112c3522d8 fix: FPs noticed with Aurora 2021-11-30 19:14:49 +01:00
Florian Roth 9209051f94 fix: FPs noticed with Aurora 2021-11-29 18:25:34 +01:00
Florian Roth b8985a222f fix: FPs noticed with Aurora 2021-11-29 16:13:24 +01:00
Florian Roth dcf9d8c828 fix: FPs noticed with Aurora 2021-11-29 15:38:43 +01:00
Florian Roth 17d6528f41 Merge branch 'master' into aurora-false-positive-fixing 2021-11-29 13:09:38 +01:00
Florian Roth 820cc0ccf8 Merge branch 'master' into rule-devel 2021-11-29 11:00:25 +01:00
Florian Roth ef7810fa8b fix: fixing issues with wildcard symbol 2021-11-29 10:57:01 +01:00
    https://github.com/SigmaHQ/sigma/issues/2339