Commit Graph

6864 Commits

Author SHA1 Message Date
Florian Roth 8700a144b6 Merge branch 'aurora-false-positive-fixing' of https://github.com/SigmaHQ/sigma into aurora-false-positive-fixing 2021-12-07 10:38:11 +01:00
Florian Roth 506631485e fix: FPs noticed with Aurora 2021-12-07 10:38:10 +01:00
Florian Roth 28664dbf5a Merge branch 'aurora-false-positive-fixing' of https://github.com/SigmaHQ/sigma into aurora-false-positive-fixing 2021-12-06 16:35:34 +01:00
Florian Roth 6525771916 fix: FPs noticed with Aurora 2021-12-06 16:35:32 +01:00
Florian Roth dbd5d20eb3 Merge branch 'aurora-false-positive-fixing' of https://github.com/SigmaHQ/sigma into aurora-false-positive-fixing 2021-12-06 16:09:51 +01:00
Florian Roth ea7de1f2dd fix: FPs noticed with Aurora 2021-12-06 16:09:50 +01:00
Florian Roth c241601fa9 fix: FPs noticed with Aurora 2021-12-06 13:45:59 +01:00
Florian Roth 48289bdab9 Merge branch 'aurora-false-positive-fixing' of https://github.com/SigmaHQ/sigma into aurora-false-positive-fixing 2021-12-05 11:21:43 +01:00
Florian Roth cb4ee6fbee fix: FPs noticed with Aurora 2021-12-05 11:21:40 +01:00
Florian Roth b6c8481a84 Merge branch 'master' into aurora-false-positive-fixing 2021-12-04 20:00:36 +01:00
Florian Roth a011df121f Merge branch 'aurora-false-positive-fixing' of https://github.com/SigmaHQ/sigma into aurora-false-positive-fixing 2021-12-04 19:18:47 +01:00
Florian Roth 5fa6f749f5 fix: FPs noticed with Aurora 2021-12-04 19:18:45 +01:00
Florian Roth 7cd747ff40 Merge pull request #2382 from SigmaHQ/aurora-false-positive-fixing: Aurora false positive fixing 2021-12-04 16:39:00 +01:00
Florian Roth bbddf205ca Merge branch 'aurora-false-positive-fixing' of https://github.com/SigmaHQ/sigma into aurora-false-positive-fixing 2021-12-04 14:28:54 +01:00
Florian Roth 9a06cf2da5 fix: FPs noticed with Aurora 2021-12-04 14:28:51 +01:00
frack113 04f72b9e78 Merge pull request #2379 from frack113/order_builtin: Order rules and Update Makefile 2021-12-04 12:14:48 +01:00
Florian Roth 4a1b6bb5f8 Merge pull request #2380 from SigmaHQ/aurora-false-positive-fixing: fix: FPs noticed with Aurora 2021-12-04 12:12:18 +01:00
Florian Roth 0bc0502b24 fix: FPs noticed with Aurora 2021-12-04 10:57:13 +01:00
frack113 e215f4606b Order rules 2021-12-04 10:07:07 +01:00
frack113 5e0326f461 Merge pull request #2376 from frack113/fix_FP: Fix some FP 2021-12-04 08:57:58 +01:00
frack113 57c3c7bc2e Merge pull request #2375 from redsand/fp_sysmon_alternate_powershell_hosts_pip_by_sdiagnhost: Adding filter for calls using \WINDOWS\System32\sdiagnhost.exe 2021-12-04 08:57:23 +01:00
frack113 6f5271275e Merge pull request #2367 from phantinuss/noallofthem: feat: discourage the usage of 'all of them' 2021-12-04 08:16:53 +01:00
frack113 18d35e6477 Use 1 of filter 2021-12-04 08:12:23 +01:00
Florian Roth da45d68762 fix: FPs noticed with Aurora 2021-12-03 23:47:37 +01:00
Florian Roth 29cbdf80c2 Merge branch 'aurora-false-positive-fixing' of https://github.com/SigmaHQ/sigma into aurora-false-positive-fixing 2021-12-03 19:03:14 +01:00
Florian Roth bcc5010e7e fix: more FPs noticed with Aurora 2021-12-03 19:02:24 +01:00
frack113 47653faa71 update modified 2021-12-03 18:25:55 +01:00
frack113 2707122de8 fix FP mscorsvw.exe 2021-12-03 18:24:33 +01:00
Tim Shelton 0dea125a82 Adding filter for calls using \WINDOWS\System32\sdiagnhost.exe, used rule 867613fb-fa60-4497-a017-a82df74a172c as filter reference 2021-12-03 16:53:20 +00:00
frack113 4dbf10017d Add FP on new windows 10 VM 2021-12-03 17:31:59 +01:00
Florian Roth 6852e56ff5 refactor: increase level to high - BITSADMIN PowerShell combo 2021-12-03 15:48:26 +01:00
Florian Roth ceea83ad48 Merge branch 'master' into aurora-false-positive-fixing 2021-12-03 14:42:18 +01:00
Florian Roth 8ea102ae72 fix: FPs with desktop.ini writes 2021-12-03 14:37:25 +01:00
Tim Shelton fc2e2aa4c5 adding filter for false positive. no risk to sysmon operation 2021-12-02 20:38:58 +00:00
Florian Roth 34c697cead Merge pull request #2370 from redsand/fix_fp_in_cmdline: Fixing false positive when cmd.exe is called with full path 2021-12-02 16:56:55 +01:00
Florian Roth 242d6cef84 Merge pull request #2368 from redsand/add_tomcat8_to_kerberos: adding tomcat8 to allowed kerberos outbound. 2021-12-02 16:55:25 +01:00
Florian Roth aad85f6477 Merge pull request #2362 from redsand/fix_fp_when_sys32_called_for_cmd: fixing false positive due to direct calls to xcopy and cmd.exe 2021-12-02 16:55:06 +01:00
Tim Shelton 384862b906 When command begins with C:\Windows\System32\cmd.exe it will always match susp_del_exe # ex - C:\Windows\System32\cmd.exe" /c del /f /q "C:\Program Files (x86)\Software Package\Client\tmpDir\" 2021-12-02 15:13:23 +00:00
Tim Shelton b1f7cf21dd adding tomcat8 to allowed kerberos outbound. 2021-12-02 14:55:12 +00:00
Florian Roth dc43403359 Merge pull request #2366 from SigmaHQ/aurora-false-positive-fixing: fix: filter condition in SystemDrawing Load rule 2021-12-02 15:35:01 +01:00
Florian Roth 6aed1a0d2a fix: FPs noticed with Aurora 2021-12-02 14:57:06 +01:00
phantinuss 07a0a37273 feat: discourage the usage of 'all of them' and migrate existing rules to use the preferred method 'all of selection*' 2021-12-02 14:47:39 +01:00
Florian Roth 9597cc8063 fix: filter condition in SystemDrawing Load rule 2021-12-02 12:55:42 +01:00
frack113 0d57825c32 Merge pull request #2360 from redsand/adding_access_list_fp: Adding filter for read only accesslist, attack cannot be triggered 2021-12-02 09:20:35 +01:00
frack113 97d83b8290 Merge pull request #2336 from zakibro/master: Linux Auditd - Discovery of Capabilities files 2021-12-02 06:48:05 +01:00
frack113 686035d66e Order selection filter 2021-12-02 06:41:49 +01:00
frack113 712bb6467f Merge pull request #2361 from redsand/fix_filter_conflict: Fixing conflict where both selection and filter have the same value. 2021-12-02 06:36:47 +01:00
frack113 33b7ee58f6 Merge pull request #2363 from redsand/duplicate_matching_in_signature_needs_simplify: Duplicate matching causes confusion. Converting to simplified selecti… 2021-12-02 06:29:40 +01:00
Tim Shelton 0e55a06e6e adding missing : 2021-12-01 23:14:57 +00:00
Tim Shelton bd13c7b77b fixing yaml formatting 2021-12-01 21:27:31 +00:00