Commit Graph

223 Commits

Author SHA1 Message Date
Florian Roth a7c5381366 fix: LSASS access wermgr 2022-07-21 18:31:36 +02:00
Nasreddine Bencherchali 238e0ecd7d Update Ref+Selection 2022-07-11 14:11:53 +01:00
Florian Roth c7eb123bc3 Merge branch 'master' into aurora-false-positive-fixing 2022-07-07 18:21:16 +02:00
Florian Roth b58c797c61 fix: FPs with Visual Studio 2022-07-07 18:20:10 +02:00
phantinuss ce1710a031 fix: FPs found in testing 2022-07-06 15:38:31 +02:00
Nasreddine Bencherchali c95df56222 New Rules 2022-07-01 16:56:45 +01:00
frack113 2f19daed62 Merge pull request #3163 from d4rk-d4nph3/master
Rule for HandleKatz
2022-07-01 14:29:45 +02:00
phantinuss 15cd71403a fix: FP found in testing 2022-07-01 11:11:08 +02:00
Florian Roth 2da48f5052 Merge pull request #3167 from SigmaHQ/rule-devel
Rules: Bitsadmin coverage and minor improvements
2022-06-28 17:25:03 +02:00
Bhabesh 1f7e37d2a0 Fixed CallTrace 2022-06-28 10:56:18 +05:45
Florian Roth 19ef1c153f rule: werfault accessing lsass 2022-06-27 15:49:30 +02:00
Bhabesh e0f8506c1b Rule for HandleKatz 2022-06-27 17:25:21 +05:45
phantinuss ab5d2ed711 fix: FPs in testing environment 2022-06-27 08:47:27 +02:00
Florian Roth cdfd908627 Merge branch 'master' into rule-devel 2022-06-22 21:16:29 +02:00
Florian Roth a876da1ad7 fix: FP with ProcessExpl 2022-06-22 21:15:21 +02:00
phantinuss 9475153292 fix: FPs found in testing environment 2022-06-20 16:17:54 +02:00
Florian Roth 50b2fad091 Merge branch 'master' into aurora-false-positive-fixing 2022-06-20 13:43:36 +02:00
Florian Roth ccd6fc5a7b fix: FPs 2022-06-20 13:04:49 +02:00
Florian Roth fef851a918 fix: FPs with Aurora 2022-06-20 12:01:25 +02:00
Florian Roth f728893364 refactor: rule level adjustments - critical to high 2022-06-18 17:43:22 +02:00
Tim Shelton e56dab0016 False positive: ignore amazon ssm agent setup 2022-06-17 16:33:47 +00:00
phantinuss 3ad0d1bc50 fix: FP and typo 2022-06-03 15:20:07 +02:00
Nasreddine Bencherchali 97856b562a Add "\" to "Image|endswith" modifier
- Added the "\\" (backslash) for the "(Parent)Image|endswith" modifiers to avoid possible confusion.
- The modifications were mostly done on default Windows binaries to avoid changing the logic of other rules.
2022-06-02 13:39:07 +01:00
Florian Roth 5ec29f38f8 Merge branch 'master' into aurora-false-positive-fixing 2022-05-16 16:05:02 +02:00
Florian Roth 55d5766bf9 fix: FPs with lsass as source 2022-05-16 16:04:13 +02:00
Tim Shelton ca6b4d7862 FP: fixing error in labels 2022-05-15 17:41:22 +00:00
Tim Shelton 1019015473 FP: ignoring vmware to systeminfo.exe 2022-05-15 17:35:02 +00:00
Tim Shelton 71249ff7e0 FP: ignoring microsoft vc redistributable when performing NtOpenProcess 2022-05-15 17:33:31 +00:00
Tim Shelton 67e78ef455 FP: ignoring microsoft edge when performing NtOpenProcess 2022-05-15 17:23:53 +00:00
Florian Roth 2b0db86440 Merge pull request #3002 from phantinuss/master
Various new Rule Tests
2022-05-11 15:49:46 +02:00
phantinuss 112b715dd6 chore: test rules: reactivate single value list check 2022-05-10 17:13:04 +02:00
Tim Shelton db6d32c6b9 Adding condition update 2022-05-09 23:55:37 +00:00
Tim Shelton 5f0ca05492 Adding FP filter for cylance 2022-05-09 23:54:40 +00:00
phantinuss dbd68bf3f0 chore: test rules: capitalization on FP list entries
Entries to the false positive list should begin with
a capital letter, e.g. Unknown instead of unknown.

Fixed the existing rules accordingly
2022-05-09 16:07:44 +02:00
Florian Roth 892025474d fix: FPs noticed with Aurora 2022-05-02 16:25:33 +02:00
Paul Hager aac1d47bef fix: fixed typo in rule 2022-04-13 19:27:11 +02:00
Florian Roth 7b8ead3f9c Merge branch 'master' into aurora-false-positive-fixing 2022-03-20 17:59:58 +01:00
Florian Roth 811ed59e27 fix: FPs with Aurora and THOR 2022-03-20 16:18:18 +01:00
phantinuss 3ab601b334 fix: FP with Sysinternals' handle 2022-03-18 17:06:53 +01:00
frack113 becf3baeb4 Merge pull request #2813 from phantinuss/master
Changes to falsepositives metadata
2022-03-17 14:31:27 +01:00
Florian Roth bd8306cd28 Merge pull request #2814 from SigmaHQ/aurora-false-positive-fixing
fix: sadly still too many fps with this rule
2022-03-16 18:15:23 +01:00
Florian Roth 426b3a0906 Merge pull request #2796 from d4rk-d4nph3/master
Added rule for shellcode injection by Metasploit and Empire
2022-03-16 15:34:03 +01:00
Florian Roth 4445ea6baf fix: sadly still too many fps with this rule 2022-03-16 15:21:27 +01:00
phantinuss b23eee6ebf fix: unknown --> Unknown 2022-03-16 13:43:54 +01:00
Florian Roth 7ee62d7f69 Merge branch 'master' into rule-devel 2022-03-14 11:38:44 +01:00
Florian Roth a9b7c365cd docs: adjusted description 2022-03-13 23:30:44 +01:00
Florian Roth 7e0928233b refactor: split up lsass access rule in two
- one with level medium that contains all access attempts using 0x410, 0x1410 and 0x1040
- all other access masks remain in the original rule
2022-03-13 23:29:54 +01:00
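The two rule changes recorded in this log that affect matching logic are the split of the LSASS access rule by GrantedAccess mask (commit 7e0928233b above: 0x410, 0x1410 and 0x1040 go to a medium-level rule, every other mask stays in the original) and the earlier change of `Image|endswith: 'lsass.exe'` to `'\lsass.exe'` (commit 97856b562a). The Python below is an added example, not SigmaHQ's rule or code: it runs both checks over constructed Sysmon Event ID 10 (ProcessAccess) lines flattened to key=value form. The field names follow Sysmon's ProcessAccess event; the sample lines, the `0x1010`/`0x1FFFFF` masks, and the `source_filter` allowlist mechanism are assumptions made for the example and are not taken from the rule.

```python
import re

# Access masks the commit above moves into the medium-level rule.
MEDIUM_MASKS = {0x410, 0x1410, 0x1040}

# Constructed sample Sysmon EID 10 events flattened to key=value pairs.
# These are made-up lines for the example, not captured telemetry.
SAMPLE_EVENTS = [
    r"SourceImage=C:\Windows\System32\wermgr.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1410",
    r"SourceImage=C:\Temp\dump.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1FFFFF",
    r"SourceImage=C:\Temp\dump.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1010",
    r"SourceImage=C:\Users\bob\tool.exe TargetImage=C:\Users\bob\notlsass.exe GrantedAccess=0x1410",
    r"SourceImage=C:\Windows\System32\svchost.exe TargetImage=C:\Windows\System32\services.exe GrantedAccess=0x1000",
]


def parse_event(line):
    """Turn one flattened line into a dict; GrantedAccess becomes an int."""
    fields = dict(re.findall(r"(\w+)=(\S+)", line))
    fields["GrantedAccess"] = int(fields["GrantedAccess"], 16)
    return fields


def image_endswith(path, suffix):
    """Sigma 'Image|endswith' as a case-insensitive suffix test."""
    return path.lower().endswith(suffix.lower())


def is_lsass_target(event, anchored=True):
    """anchored=True uses the post-commit suffix '\\lsass.exe', which does not
    match 'notlsass.exe'; anchored=False reproduces the bare 'lsass.exe'."""
    suffix = "\\lsass.exe" if anchored else "lsass.exe"
    return image_endswith(event["TargetImage"], suffix)


def classify(event, source_filter=()):
    """Return 'medium', 'high' or None for one ProcessAccess event.

    source_filter is a hypothetical allowlist of SourceImage suffixes that
    suppress a hit, the shape the FP filters in this log take; the values
    passed in are the caller's, not the rule's.
    """
    if not is_lsass_target(event):
        return None
    if any(image_endswith(event["SourceImage"], s) for s in source_filter):
        return None
    return "medium" if event["GrantedAccess"] in MEDIUM_MASKS else "high"


def triage(lines, source_filter=()):
    """Classify each line; returns (SourceImage, GrantedAccess, level) per hit."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        level = classify(ev, source_filter)
        if level:
            hits.append((ev["SourceImage"], ev["GrantedAccess"], level))
    return hits


if __name__ == "__main__":
    for src, mask, level in triage(SAMPLE_EVENTS):
        print(f"{level:6} 0x{mask:X} {src}")
    # Shows why the backslash was added: the bare suffix hits notlsass.exe.
    print("bare 'lsass.exe' suffix matches notlsass.exe:",
          is_lsass_target(parse_event(SAMPLE_EVENTS[3]), anchored=False))
```

Running it prints one medium hit (wermgr.exe, 0x1410) and two high hits (0x1FFFFF and 0x1010 against lsass.exe); the notlsass.exe line is dropped only because the suffix is anchored on the path separator. Passing `source_filter=("\\wermgr.exe",)` shows how an FP filter on the source image removes a hit without touching the mask logic.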
frack113 c5c72124b1 WindowsUpdate FP 2022-03-13 19:22:08 +01:00
Bhabesh d7d9a19cd4 Added rule for shellcode injection by Metasploit and Empire 2022-03-11 20:05:22 +05:45
Florian Roth 9cc77ce817 Merge branch 'master' into aurora-false-positive-fixing 2022-03-07 15:40:42 +01:00