security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
9,158 Commits 1 Branch 57 Tags
8700a144b6f33d1bbc72cf7cf01d4db0be7d734f
Commit Graph

9158 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Florian Roth 8700a144b6 Merge branch 'aurora-false-positive-fixing' of https://github.com/SigmaHQ/sigma into aurora-false-positive-fixing 2021-12-07 10:38:11 +01:00
Florian Roth 506631485e fix: FPs noticed with Aurora 2021-12-07 10:38:10 +01:00
Florian Roth 28664dbf5a Merge branch 'aurora-false-positive-fixing' of https://github.com/SigmaHQ/sigma into aurora-false-positive-fixing 2021-12-06 16:35:34 +01:00
Florian Roth 6525771916 fix: FPs noticed with Aurora 2021-12-06 16:35:32 +01:00
Florian Roth dbd5d20eb3 Merge branch 'aurora-false-positive-fixing' of https://github.com/SigmaHQ/sigma into aurora-false-positive-fixing 2021-12-06 16:09:51 +01:00
Florian Roth ea7de1f2dd fix: FPs noticed with Aurora 2021-12-06 16:09:50 +01:00
Florian Roth c241601fa9 fix: FPs noticed with Aurora 2021-12-06 13:45:59 +01:00
Florian Roth 63212ea85f Merge branch 'master' into aurora-false-positive-fixing 2021-12-05 11:21:53 +01:00
Florian Roth 48289bdab9 Merge branch 'aurora-false-positive-fixing' of https://github.com/SigmaHQ/sigma into aurora-false-positive-fixing 2021-12-05 11:21:43 +01:00
Florian Roth cb4ee6fbee fix: FPs noticed with Aurora 2021-12-05 11:21:40 +01:00
Florian Roth cbe136b926 Merge pull request #2383 from SigmaHQ/aurora-false-positive-fixing 
Aurora false positive fixing
 2021-12-04 22:12:10 +01:00
Florian Roth b6c8481a84 Merge branch 'master' into aurora-false-positive-fixing 2021-12-04 20:00:36 +01:00
Florian Roth a011df121f Merge branch 'aurora-false-positive-fixing' of https://github.com/SigmaHQ/sigma into aurora-false-positive-fixing 2021-12-04 19:18:47 +01:00
Florian Roth 5fa6f749f5 fix: FPs noticed with Aurora 2021-12-04 19:18:45 +01:00
Florian Roth 7cd747ff40 Merge pull request #2382 from SigmaHQ/aurora-false-positive-fixing 
Aurora false positive fixing
 2021-12-04 16:39:00 +01:00
Florian Roth bbddf205ca Merge branch 'aurora-false-positive-fixing' of https://github.com/SigmaHQ/sigma into aurora-false-positive-fixing 2021-12-04 14:28:54 +01:00
Florian Roth 9a06cf2da5 fix: FPs noticed with Aurora 2021-12-04 14:28:51 +01:00
frack113 04f72b9e78 Merge pull request #2379 from frack113/order_builtin 
Order rules and Update Makefile
 2021-12-04 12:14:48 +01:00
Florian Roth 4a1b6bb5f8 Merge pull request #2380 from SigmaHQ/aurora-false-positive-fixing 
fix: FPs noticed with Aurora
 2021-12-04 12:12:18 +01:00
frack113 c8aa02c121 fix rule directory 2021-12-04 10:59:24 +01:00
Florian Roth 0bc0502b24 fix: FPs noticed with Aurora 2021-12-04 10:57:13 +01:00
frack113 e215f4606b Order rules 2021-12-04 10:07:07 +01:00
frack113 5e0326f461 Merge pull request #2376 from frack113/fix_FP 
Fix some FP
 2021-12-04 08:57:58 +01:00
frack113 57c3c7bc2e Merge pull request #2375 from redsand/fp_sysmon_alternate_powershell_hosts_pip_by_sdiagnhost 
Adding filter for calls using \WINDOWS\System32\sdiagnhost.exe
 2021-12-04 08:57:23 +01:00
frack113 906dd53ba0 Merge pull request #2369 from redsand/hawk_webserver_category 
Hawk webserver category, support for begins/endswith and snake_case conversion
 2021-12-04 08:17:25 +01:00
frack113 6f5271275e Merge pull request #2367 from phantinuss/noallofthem 
feat: discourage the usage of 'all of them'
 2021-12-04 08:16:53 +01:00
frack113 18d35e6477 Use 1 of filter 2021-12-04 08:12:23 +01:00
Florian Roth c4cb07dd23 Merge pull request #2378 from SigmaHQ/aurora-false-positive-fixing 
fix: FPs noticed with Aurora
 2021-12-04 00:53:02 +01:00
Florian Roth da45d68762 fix: FPs noticed with Aurora 2021-12-03 23:47:37 +01:00
Florian Roth 0c92b983da Merge pull request #2377 from SigmaHQ/aurora-false-positive-fixing 
Aurora false positive fixing
 2021-12-03 20:49:56 +01:00
Florian Roth 29cbdf80c2 Merge branch 'aurora-false-positive-fixing' of https://github.com/SigmaHQ/sigma into aurora-false-positive-fixing 2021-12-03 19:03:14 +01:00
Florian Roth bcc5010e7e fix: more FPs noticed with Aurora 2021-12-03 19:02:24 +01:00
frack113 47653faa71 update modified 2021-12-03 18:25:55 +01:00
frack113 2707122de8 fix FP mscorsvw.exe 2021-12-03 18:24:33 +01:00
Tim Shelton 0dea125a82 Adding filter for calls using \WINDOWS\System32\sdiagnhost.exe, used rule 867613fb-fa60-4497-a017-a82df74a172c as filter reference 2021-12-03 16:53:20 +00:00
frack113 4dbf10017d Add FP on new windows 10 VM 2021-12-03 17:31:59 +01:00
Florian Roth 6852e56ff5 refactor: increase level to high - BITSADMIN PowerShell combo 2021-12-03 15:48:26 +01:00
Florian Roth ceea83ad48 Merge branch 'master' into aurora-false-positive-fixing 2021-12-03 14:42:18 +01:00
Florian Roth 8ea102ae72 fix: FPs with desktop.ini writes 2021-12-03 14:37:25 +01:00
frack113 65eeb01a13 Merge pull request #2372 from redsand/fp_sysmon_config_err 
adding filter for benign error from sysmon configuration
 2021-12-03 13:15:14 +01:00
Tim Shelton fc2e2aa4c5 adding filter for false positive. no risk to sysmon operation 2021-12-02 20:38:58 +00:00
Tim Shelton a38f98a3be adding translation of provider_name to channel 2021-12-02 20:35:25 +00:00
Tim Shelton 771d2e691b Merge branch 'master' of https://github.com/redsand/sigma into hawk_webserver_category 2021-12-02 16:32:33 +00:00
Florian Roth 34c697cead Merge pull request #2370 from redsand/fix_fp_in_cmdline 
Fixing false positive when cmd.exe is called with full path
 2021-12-02 16:56:55 +01:00
Florian Roth 242d6cef84 Merge pull request #2368 from redsand/add_tomcat8_to_kerberos 
adding tomcat8 to allowed kerberos outbound.
 2021-12-02 16:55:25 +01:00
Florian Roth aad85f6477 Merge pull request #2362 from redsand/fix_fp_when_sys32_called_for_cmd 
fixing false positive due to direct calls to xcopy and cmd.exe
 2021-12-02 16:55:06 +01:00
Tim Shelton 384862b906 When command begins with C:\Windows\System32\cmd.exe it will always match susp_del_exe # ex - C:\Windows\System32\cmd.exe" /c del /f /q "C:\Program Files (x86)\Software Package\Client\tmpDir\" 2021-12-02 15:13:23 +00:00
Tim Shelton f2553bf002 Merge branch 'master' of https://github.com/redsand/sigma into hawk_webserver_category 2021-12-02 14:57:42 +00:00
Tim Shelton b1f7cf21dd adding tomcat8 to allowed kerberos outbound. 2021-12-02 14:55:12 +00:00
Florian Roth dc43403359 Merge pull request #2366 from SigmaHQ/aurora-false-positive-fixing 
fix: filter condition in SystemDrawing Load rule
 2021-12-02 15:35:01 +01:00