frack113
7922becd0b
Fix FP new install
2022-03-04 16:53:30 +01:00
frack113
7fb8272f94
Name Normalization
2022-02-27 10:58:14 +01:00
Tobias Michalski
e89867848d
Update sysmon_mimikatz_trough_winrm.yml
2022-02-24 11:27:57 +01:00
Tobias Michalski
4a6ab42c6b
Update sysmon_mimikatz_trough_winrm.yml
2022-02-24 11:09:47 +01:00
Tobias Michalski
662e5ed66d
fix: False Positives
2022-02-24 10:35:31 +01:00
Florian Roth
cbe7abc16e
Merge branch 'master' into aurora-false-positive-fixing
2022-02-21 18:49:45 +01:00
Florian Roth
921d46ca79
fix: FPs noticed with Aurora
2022-02-21 18:43:18 +01:00
phantinuss
f2be1ed1b8
fix: FPs
2022-02-18 13:04:25 +01:00
phantinuss
ac8cd7516a
fix: single list items
2022-02-16 16:31:11 +01:00
phantinuss
5aee70f7d5
fix: exclude common FPs occurring on test system
2022-02-16 16:31:11 +01:00
Florian Roth
12f7c58274
fix: FPs noticed with Aurora
2022-02-12 00:40:10 +01:00
Nasreddine Bencherchali
d0b68c4483
Update win_susp_proc_access_lsass.yml
2022-02-11 14:20:42 +01:00
phantinuss
6ad44598ee
fix: several FPs against a freshly installed Windows with example applications and basic user interaction 2
2022-02-10 16:12:17 +01:00
Florian Roth
47d9595123
Merge pull request #2677 from SigmaHQ/rule-devel
refactor and new: lsass process dumping rules
2022-02-10 15:51:19 +01:00
Florian Roth
5ab21fdd0a
docs: wording
2022-02-10 12:49:23 +01:00
Florian Roth
3c7c348b89
refactor: extended rules and made them more exact
2022-02-10 12:46:24 +01:00
Florian Roth
a05b3e50e5
refactor and new: lsass process dumping rules
2022-02-10 09:17:25 +01:00
Florian Roth
69fcbc138e
fix: FPs noticed with Aurora
2022-02-08 09:34:53 +01:00
Florian Roth
fada8df7d4
fix: FP noticed with Aurora
2022-02-05 21:40:03 +01:00
Florian Roth
0e5846aced
fix: remove new line
2022-02-03 21:54:16 +01:00
Florian Roth
15dfdd8262
fix: FPs noticed with Aurora
2022-02-03 21:53:26 +01:00
Florian Roth
6c2dea3a8c
fix: FPs noticed with Aurora
2022-02-01 15:57:44 +01:00
Florian Roth
8d5742e83e
fix: fixing FPs with LSASS access mask in old rule
2022-01-29 18:17:46 +01:00
Florian Roth
7b05827326
fix: FPs noticed with Aurora
2022-01-28 17:26:51 +01:00
Florian Roth
82d5f4a511
fix: too many false positives with certain access masks
2022-01-27 09:08:40 +01:00
mhaag-spl
b3b37719e7
Update sysmon_lsass_memdump.yml
Updated Sysmon Lsass Memdump to detect other memory dumping techniques from mimikatz, nanodump, invoke-mimikatz, and so forth. This adds additional GrantedAccess permissions and adds ntdll.dll to CallTrace. Tested with Atomic Red Team T1003.001, MimiKatz, Invoke-Mimikatz and Cobalt Strike.
2022-01-26 08:12:49 -07:00
frack113
6eeb0723ed
Fix FP thanks aurora
2022-01-21 13:14:35 +01:00
frack113
4631d0c482
remove invalid tag
2022-01-19 18:23:30 +01:00
Florian Roth
f27a8c96d1
Merge pull request #2556 from SigmaHQ/aurora-false-positive-fixing
Aurora false positive fixing
2022-01-13 21:04:22 +01:00
Florian Roth
56097703f1
fix: FP detected with Aurora
2022-01-13 09:17:42 +01:00
Bhabesh
6554556c14
Added two filters to reduce FP
2022-01-12 12:55:07 +05:45
Florian Roth
bdbb156090
fix: FPs noticed with Aurora
2022-01-08 15:12:17 +01:00
frack113
73f258e2d1
Change double quote to quote
2022-01-06 14:02:35 +01:00
Florian Roth
1653f30953
Merge branch 'aurora-false-positive-fixing' of https://github.com/SigmaHQ/sigma into aurora-false-positive-fixing
2021-12-22 19:00:35 +01:00
Florian Roth
c4fa0c22ad
fix: FPs noticed with Aurora
2021-12-22 19:00:32 +01:00
Florian Roth
31788f91d8
Merge pull request #2477 from SigmaHQ/aurora-false-positive-fixing
fix: FPs noticed with Aurora
2021-12-20 16:56:21 +01:00
Florian Roth
37da48ba3f
fix: FPs noticed with Aurora
2021-12-20 12:04:40 +01:00
Florian Roth
8a3c521a34
Merge pull request #2466 from SigmaHQ/aurora-false-positive-fixing
Aurora false positive fixing
2021-12-18 07:16:16 +01:00
Florian Roth
4e49c28472
fix: FPs noticed with Aurora
2021-12-18 06:19:35 +01:00
Florian Roth
f1918e512c
Merge branch 'aurora-false-positive-fixing' of https://github.com/SigmaHQ/sigma into aurora-false-positive-fixing
2021-12-18 00:18:00 +01:00
Florian Roth
4b7b829d18
fix: FPs noticed with Aurora
2021-12-18 00:17:58 +01:00
Andreas Hunkeler
9ecacdaeea
Move winrm rule to process creation
2021-12-17 17:31:06 +01:00
frack113
58063d1113
FP add perfmon.exe
2021-12-10 19:19:55 +01:00
Florian Roth
89e659355c
fix: FPs noticed with Aurora
2021-12-07 15:06:49 +01:00
Florian Roth
c241601fa9
fix: FPs noticed with Aurora
2021-12-06 13:45:59 +01:00
Florian Roth
48289bdab9
Merge branch 'aurora-false-positive-fixing' of https://github.com/SigmaHQ/sigma into aurora-false-positive-fixing
2021-12-05 11:21:43 +01:00
Florian Roth
cb4ee6fbee
fix: FPs noticed with Aurora
2021-12-05 11:21:40 +01:00
Florian Roth
b6c8481a84
Merge branch 'master' into aurora-false-positive-fixing
2021-12-04 20:00:36 +01:00
Florian Roth
a011df121f
Merge branch 'aurora-false-positive-fixing' of https://github.com/SigmaHQ/sigma into aurora-false-positive-fixing
2021-12-04 19:18:47 +01:00
Florian Roth
5fa6f749f5
fix: FPs noticed with Aurora
2021-12-04 19:18:45 +01:00