Commit Graph

112 Commits

Author SHA1 Message Date
Wagga 4573ab0a21 Fix a lot of typos in rules text and comments #Part 3 (#3446) 2022-08-30 08:21:25 +02:00
Nasreddine Bencherchali 17aa5fec6d Update 2022-08-22 14:52:41 +01:00
Florian Roth 268b0a8038 Merge pull request #3402 from nasbench/lolbin-update
LOLBIN Updates
2022-08-20 13:25:24 +02:00
Nasreddine Bencherchali 0dc4704f05 LOLBIN Updates 2022-08-19 23:05:46 +01:00
Nasreddine Bencherchali 52f26a14a2 Rule Update 2022-08-17 20:27:55 +01:00
frack113 9322c6ee33 Merge pull request #3388 from frack113/placeholder
Move placeholder rules
2022-08-17 19:42:32 +02:00
frack113 f814759446 Move placeholder rules 2022-08-16 22:09:11 +02:00
Maxence FOSSAT 6a37260fed Filter out FP of dnsZone 2022-08-16 16:40:05 +02:00
Ben4FH bebeedb623 Update EID 5156 field names
Update to keep field names consistent for all rules using EID 5156
2022-08-15 18:28:15 +01:00
frack113 3268a6c9b0 Fix ShareName 2022-08-11 19:19:07 +02:00
frack113 8cf1d92c84 Fix ShareName 2022-08-11 19:07:47 +02:00
frack113 519e4a8f47 Fix issue 3339 2022-08-10 07:44:56 +02:00
Florian Roth d46d89e403 Merge pull request #3315 from nasbench/nasbench-rule-devel
New Rules + Update
2022-08-04 13:34:26 +02:00
Florian Roth 3282c822a7 Merge pull request #3320 from redsand/reduce_level_time_modification
Reducing to a low level, as this is not a single indicator of comprom…
2022-08-03 18:13:44 +02:00
Nasreddine Bencherchali 48a90c6342 DiagTrackEoP rules 2022-08-03 15:45:39 +01:00
Tim Shelton 0d9223c45e Doesn't like single ticks around author 2022-08-03 13:36:50 +00:00
Tim Shelton 474c8d934e Ignore workstations/system execution. Normal behavior for scheduled tasks 2022-08-03 13:29:34 +00:00
Tim Shelton 74fc8903ff Reducing to a low level, as this is not a single indicator of compromise. Users and scripts from time sensitive applications such as mfa/oauth will execute net time \\host /set /y 2022-08-03 13:18:32 +00:00
Florian Roth 749a7b4df5 Merge branch 'master' into rule-devel 2022-07-16 08:15:20 +02:00
Paul Hager e35587e922 fix: fixed rule condition 2022-07-15 12:28:11 +02:00
Paul Hager 1529d0377e blackbyte rules 2022-07-15 12:09:55 +02:00
frack113 9b319f0569 Update win_account_discovery.yml 2022-07-13 06:45:39 +02:00
Borna Talebi f9faeacb5a Update win_account_discovery.yml 2022-07-12 23:58:40 +04:30
Borna Talebi 0850419c95 Add FP from reference link
According to the query in reference, computer accounts should be excluded: "and not (SourceUserName IMATCHES '.*\$')"
2022-07-12 23:32:00 +04:30
Florian Roth 9b50323bc1 Merge pull request #3215 from nasbench/master
Reference+Selection Updates [Final Batch]
2022-07-11 22:47:17 +02:00
Florian Roth 2b62c40628 docs: fix desc and lowered score 2022-07-11 18:23:18 +02:00
phantinuss e31d752146 fix: FPs found in prod environment 2022-07-11 15:47:11 +02:00
Nasreddine Bencherchali 238e0ecd7d Update Ref+Selection 2022-07-11 14:11:53 +01:00
Tim Shelton 38335b6303 False positive filtering out of behavior by services.exe which is expected 2022-06-30 16:22:42 +00:00
phantinuss b4bce46c65 fix: technically filter THOR checking for BlueKeep vuln 2022-06-29 17:07:04 +02:00
Tim Shelton 78ff2fb70f Reducing the level of this item. This behavior happens too often in a normal environment, with day to day activity and no definitive threat. I believe a different rule, detecting a larger volume of this behavior would warrant a high level rating. 2022-06-29 13:32:19 +00:00
Florian Roth 10e39e41f7 Merge pull request #3143 from SigmaHQ/rule-devel
Rule level refactoring: critical > high
2022-06-19 15:04:46 +02:00
frack113 55f1f6dd1e Fix ServiceName 2022-06-19 11:59:48 +02:00
Florian Roth f728893364 refactor: rule level adjustments - critical to high 2022-06-18 17:43:22 +02:00
Florian Roth db55be82b6 refactor: rule adjustments based on hayabusa
https://github.com/Yamato-Security/hayabusa-rules/blob/deb6026fcf452600829c52852f6283d2c808bc69/config/noisy_rules.txt
2022-06-18 08:39:02 +02:00
frack113 8de0027ca3 refactor condition 2022-06-03 15:35:24 +02:00
David ANDRE 74b9f97b9c Renamed suspicious in filenames to susp 2022-05-19 09:37:04 +02:00
Tim Shelton 9d4ce6db7d FP: filter m$ removaltools from %system32%\MRT.exe and reducing level to low from medium. Task removal could possibly even be just informational. 2022-05-16 14:48:01 +00:00
frack113 196aa6d83d move deprecated rules 2022-05-14 09:42:32 +02:00
Florian Roth 9e218149d9 Merge pull request #3008 from SigmaHQ/rule-devel
refactor: AV rules, changes, new PW protected ZIP rules
2022-05-12 17:38:11 +02:00
Florian Roth 1b9ce19b2c fix: several issues 2022-05-12 17:30:30 +02:00
frack113 69b4bd551c Merge pull request #3004 from redsand/fp_dnsZoneScope
filtering out dnsZoneScope
2022-05-12 06:56:50 +02:00
Tim Shelton d072472b25 filtering out dnsZoneScope 2022-05-10 21:29:05 +00:00
phantinuss 112b715dd6 chore: test rules: reactivate single value list check 2022-05-10 17:13:04 +02:00
Florian Roth 4e7ceae0e1 rule: added another keyword 2022-05-09 18:33:34 +02:00
Florian Roth ec4beca37b Merge branch 'master' into rule-devel 2022-05-09 18:03:29 +02:00
Florian Roth 9d87716dfb rule: encrypted ZIP files 2022-05-09 18:03:16 +02:00
phantinuss b991a5be52 chore: test rules: warn on errors or invalid FP reasons
also adapted the existing rules to pass the tests
2022-05-09 16:07:55 +02:00
phantinuss dbd68bf3f0 chore: test rules: capitalization on FP list entries
Entries in the false positive list should begin with
a capital letter, e.g. Unknown instead of unknown.

Fixed the existing rules accordingly
2022-05-09 16:07:44 +02:00
Tim Shelton 6156a5653b Removing FP of dnsNode updates. Not related to account access 2022-05-05 16:45:01 +00:00