Florian Roth
3c67479ce2
Merge pull request #3318 from SigmaHQ/rule-devel
...
rule: myjino github repo compromise
2022-08-03 08:42:17 +02:00
Florian Roth
72dbfffc0f
rule: myjino github repo compromise
2022-08-03 08:34:28 +02:00
phantinuss
51db91352a
fix: FP found in testing environment
2022-07-29 16:00:19 +02:00
Florian Roth
c79715049d
refactor: improved susp com rule
2022-07-22 12:47:54 +02:00
Florian Roth
abe97c6ba8
Merge pull request #3245 from redsand/fp_epmap_from_amazon_ssm
...
False positive from amazon ssm agent updater connecting to local ip a…
2022-07-20 14:03:41 +02:00
Tim Shelton
785a31025c
False positive from amazon ssm agent updater connecting to local ip address on this port
2022-07-18 19:51:00 +00:00
Florian Roth
864da0680d
rule: communication to ngrok.io
2022-07-16 08:15:32 +02:00
Florian Roth
6217eb2a26
Merge pull request #3224 from frack113/rpc_135
...
RPC epmap tools
2022-07-14 21:58:13 +02:00
Nasreddine Bencherchali
16b2945027
New Rules + Update
2022-07-14 17:35:50 +01:00
frack113
97cd835d34
Update description
2022-07-14 17:30:06 +02:00
frack113
09841c9caf
Add net_connection_win_susps_epmap
2022-07-14 17:25:56 +02:00
Nasreddine Bencherchali
238e0ecd7d
Update Ref+Selection
2022-07-11 14:11:53 +01:00
Florian Roth
c4021267ec
Merge pull request #3193 from SigmaHQ/rule-devel
...
Multiple changes, new rule, some docs
2022-07-03 16:30:36 +02:00
Florian Roth
881890177b
rule: suspicious network connections no cmdline
2022-07-03 15:58:54 +02:00
Florian Roth
b4751520c5
refactor: more domains
2022-07-03 15:58:36 +02:00
Tim Shelton
f20e196909
Comparison conflict found between selection and filter. In favor of selection
2022-06-27 21:03:36 +00:00
phantinuss
9475153292
fix: FPs found in testing environment
2022-06-20 16:17:54 +02:00
Florian Roth
50b2fad091
Merge branch 'master' into aurora-false-positive-fixing
2022-06-20 13:43:36 +02:00
Florian Roth
ccd6fc5a7b
fix: FPs
2022-06-20 13:04:49 +02:00
Florian Roth
72de90d2aa
fix: FPs
2022-06-20 12:52:23 +02:00
Tim Shelton
80ee980b1d
False positive from SentinelOne Ranger Agent
2022-06-19 14:31:10 +00:00
Nasreddine Bencherchali
97856b562a
Add "\" to "Image|endswith" modifier
...
- Added the "\\" (backslash) for the "(Parent)Image|endswith" modifiers to avoid possible confusion.
- The modifications were mostly done on default windows binaries to avoid changing logic of other rules.
2022-06-02 13:39:07 +01:00
phantinuss
32169dbc33
chore: harmonization of generic 'nt system' user checks
...
also a simple (non-comprehensive) test case to find
usages of localized user names
2022-05-27 15:16:31 +02:00
Tim Shelton
b1cbac0ae3
Adjusting condition
2022-05-26 18:39:22 +00:00
Tim Shelton
8ac66efd73
updating modified
2022-05-26 18:17:40 +00:00
Tim Shelton
13d68d9671
False positive on IBM Client Solutions
2022-05-26 18:16:55 +00:00
David ANDRE
74b9f97b9c
Renamed suspicious in filenames to susp
2022-05-19 09:37:04 +02:00
phantinuss
dbd68bf3f0
chore: test rules: capitalization on FP list entries
...
Entries to the false positive list should begin with
a capital letter, e.g. Unknown instead of unknown.
Fixed the existing rules accordingly
2022-05-09 16:07:44 +02:00
Florian Roth
e76322ff5a
Merge pull request #2976 from SigmaHQ/aurora-false-positive-fixing
...
Aurora false positive fixing
2022-05-02 16:38:01 +02:00
Florian Roth
892025474d
fix: FPs noticed with Aurora
2022-05-02 16:25:33 +02:00
Florian Roth
96628bf7c0
Merge pull request #2960 from elhoim/mobsync_network2
...
New rule for suspicious network connections from Microsoft Sync Center
2022-04-29 13:25:56 +02:00
Florian Roth
a157d5d949
rule: RDP to 80/tcp or 443/tcp
2022-04-29 12:03:07 +02:00
Florian Roth
e322866c71
fix: indentation
2022-04-29 08:42:51 +02:00
David André
73b5f4412a
Changed reference from default to correct URL
2022-04-28 14:45:31 +02:00
David ANDRE
55b23c4477
Added rule for suspicious (non-private IPs) network connections from mobsync
2022-04-28 14:21:39 +02:00
phantinuss
13e31e8383
fix: FPs found in win2022 domain controller baseline
2022-04-21 10:48:59 +02:00
Florian Roth
d9fbdd4a56
fix: missing filter
2022-04-21 07:54:58 +02:00
Florian Roth
50ca09c6a4
Merge branch 'master' into rule-devel
2022-04-20 17:54:11 +02:00
Florian Roth
25ecef1748
rule: dropbox api use
2022-04-20 17:54:01 +02:00
Max Altgelt
e6dbb6ba00
feat: Add rule for equation editor network connections
2022-04-14 10:50:10 +02:00
phantinuss
043747822f
fix: more falsepositives harmonization
2022-03-16 14:57:06 +01:00
phantinuss
8d3f8acb60
fix: none --> Unknown
2022-03-16 14:19:21 +01:00
phantinuss
b23eee6ebf
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
Florian Roth
9cc77ce817
Merge branch 'master' into aurora-false-positive-fixing
2022-03-07 15:40:42 +01:00
frack113
7fb8272f94
Name Normalization
...
Name Normalization
2022-02-27 10:58:14 +01:00
Florian Roth
52d30f4132
fix: FPs noticed with Aurora
2022-02-26 13:18:18 +01:00
Florian Roth
921d46ca79
fix: FPs noticed with Aurora
2022-02-21 18:43:18 +01:00
Florian Roth
57271c3c00
fix: bugs in rules
2022-02-16 17:26:57 +01:00
Florian Roth
51bbe21c70
fix: more Aurora FP fixes
2022-02-16 17:16:50 +01:00
Florian Roth
2500c16aea
fix: FPs noticed with Aurora
2022-02-16 17:00:27 +01:00