Commit Graph

133 Commits

Author SHA1 Message Date
Florian Roth 14fdf75ab5 fix: FPs noticed with THOR 2022-09-29 13:51:09 +02:00
Florian Roth ec329f403a fix: Aurora FPs with Nvidia update 2022-09-28 19:31:22 +02:00
Florian Roth d2f7ff8059 Merge branch 'aurora-false-positive-fixing' of https://github.com/SigmaHQ/sigma into aurora-false-positive-fixing 2022-09-27 10:47:21 +02:00
Florian Roth 5e6a926ac3 fix: FPs 2022-09-27 10:47:19 +02:00
frack113 ca200d9d75 Merge pull request #3509 from amjcyber/patch-2
Update win_impacket_psexec.yml
2022-09-22 17:49:02 +02:00
frack113 6c70c6d35a Update win_impacket_psexec.yml 2022-09-22 17:42:27 +02:00
Florian Roth cab32f2be4 Merge pull request #3510 from SigmaHQ/aurora-false-positive-fixing
Windows 2022 false positive fixing
2022-09-18 16:50:34 +02:00
Florian Roth b6e595a8eb Merge branch 'aurora-false-positive-fixing' of https://github.com/SigmaHQ/sigma into aurora-false-positive-fixing 2022-09-18 16:21:49 +02:00
Florian Roth bf660b2de2 fix: FPs (testing, and Windows 2022 test system) 2022-09-18 16:21:05 +02:00
Arturo 17e9b5ee31 Update win_impacket_psexec.yml
Based on recent tests, the original RelativeTargetName from this rule are not accurate. The last "t" from each selection must be deleted in order to detect the predefined impacket psexec behavior.
2022-09-18 15:38:54 +02:00
Florian Roth e6d2faf25f Merge pull request #3507 from SigmaHQ/aurora-false-positive-fixing
Aurora false positive fixing
2022-09-18 11:47:16 +02:00
Florian Roth 34957a784b fix: modified date update 2022-09-18 10:42:19 +02:00
Florian Roth 2e8717d603 fix: taskhostw FPs with lsass access 2022-09-18 10:39:56 +02:00
tr0mb1r 8b60317e2e Microsoft Teams Suspicious ObjectAccess events (#3500) 2022-09-17 08:47:35 +02:00
nasreddine.bencherchali@nextron-systems.com 653ad66f21 Updates 2022-09-14 12:29:57 +02:00
frack113 b9cc206d9d Update win_susp_computer_name.yml 2022-09-09 18:53:48 +02:00
David ANDRE 9a77542bc6 Add comment to explain lack of eventID
Better description
2022-09-09 16:11:07 +02:00
David ANDRE b170af5687 Added rule for sam the admin suspicious computer 2022-09-09 16:08:19 +02:00
Florian Roth cab6ccc18a Merge branch 'master' into aurora-false-positive-fixing 2022-09-05 16:57:10 +02:00
Florian Roth 3ee77e1446 fix: FPs noticed with Aurora 2022-09-02 16:57:23 +02:00
David ANDRE 0b0190ccb1 Added quotes to strings 2022-09-01 15:22:26 +02:00
Wagga 4573ab0a21 Fix a lot of typos in rules text and comments #Part 3 (#3446) 2022-08-30 08:21:25 +02:00
Nasreddine Bencherchali 17aa5fec6d Update 2022-08-22 14:52:41 +01:00
Florian Roth 268b0a8038 Merge pull request #3402 from nasbench/lolbin-update
LOLBIN Updates
2022-08-20 13:25:24 +02:00
Nasreddine Bencherchali 0dc4704f05 LOLBIN Updates 2022-08-19 23:05:46 +01:00
Nasreddine Bencherchali 52f26a14a2 Rule Update 2022-08-17 20:27:55 +01:00
frack113 9322c6ee33 Merge pull request #3388 from frack113/placeholder
Move placeholder rules
2022-08-17 19:42:32 +02:00
frack113 f814759446 Move placeholder rules 2022-08-16 22:09:11 +02:00
Maxence FOSSAT 6a37260fed Filter out FP of dnsZone 2022-08-16 16:40:05 +02:00
Ben4FH bebeedb623 Update EID 5156 field names
Update to keep field names consistent for all rules using EID 5156
2022-08-15 18:28:15 +01:00
frack113 3268a6c9b0 Fix ShareName 2022-08-11 19:19:07 +02:00
frack113 8cf1d92c84 Fix ShareName 2022-08-11 19:07:47 +02:00
frack113 519e4a8f47 Fix issue 3339 2022-08-10 07:44:56 +02:00
Florian Roth d46d89e403 Merge pull request #3315 from nasbench/nasbench-rule-devel
New Rules + Update
2022-08-04 13:34:26 +02:00
Florian Roth 3282c822a7 Merge pull request #3320 from redsand/reduce_level_time_modification
Reducing to a low level, as this is not a single indicator of comprom…
2022-08-03 18:13:44 +02:00
Nasreddine Bencherchali 48a90c6342 DiagTrackEoP rules 2022-08-03 15:45:39 +01:00
Tim Shelton 0d9223c45e Doesn't like single ticks around author 2022-08-03 13:36:50 +00:00
Tim Shelton 474c8d934e Ignore workstations/system execution. Normal behavior for scheduled tasks 2022-08-03 13:29:34 +00:00
Tim Shelton 74fc8903ff Reducing to a low level, as this is not a single indicator of compromise. Users and scripts from time sensitive applications such as mfa/oauth will execute net time \\host /set /y 2022-08-03 13:18:32 +00:00
Florian Roth 749a7b4df5 Merge branch 'master' into rule-devel 2022-07-16 08:15:20 +02:00
Paul Hager e35587e922 fix: fixed rule condition 2022-07-15 12:28:11 +02:00
Paul Hager 1529d0377e blackbyte rules 2022-07-15 12:09:55 +02:00
frack113 9b319f0569 Update win_account_discovery.yml 2022-07-13 06:45:39 +02:00
Borna Talebi f9faeacb5a Update win_account_discovery.yml 2022-07-12 23:58:40 +04:30
Borna Talebi 0850419c95 Add FP from reference link
According to the query in reference, computer accounts should be excluded: "and not (SourceUserName IMATCHES '.*\$')"
2022-07-12 23:32:00 +04:30
Florian Roth 9b50323bc1 Merge pull request #3215 from nasbench/master
Reference+Selection Updates [Final Batch]
2022-07-11 22:47:17 +02:00
Florian Roth 2b62c40628 docs: fix desc and lowered score 2022-07-11 18:23:18 +02:00
phantinuss e31d752146 fix: FPs found in prod environment 2022-07-11 15:47:11 +02:00
Nasreddine Bencherchali 238e0ecd7d Update Ref+Selection 2022-07-11 14:11:53 +01:00
Tim Shelton 38335b6303 False positive filtering out of behavior by services.exe which is expected 2022-06-30 16:22:42 +00:00