security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
10,012 Commits 1 Branch 57 Tags
89e98db927c33262cb5a2eb4a09124f444e63821
Commit Graph

7559 Commits

Author SHA1 Message Date
johnpaulglab 89e98db927 Update win_pc_msiexec_install_quiet.yml 
Spelling error
 2022-02-10 14:38:51 -06:00
phantinuss 97f4b8a1e9 fix: mandatory escaping of \* 2022-02-10 16:16:42 +01:00
phantinuss 6ad44598ee fix: several FPs against a fresh installed Windows with example applications and basic user interaction 2 2022-02-10 16:12:17 +01:00
Florian Roth 47d9595123 Merge pull request #2677 from SigmaHQ/rule-devel 
refactor and new: lsass process dumping rules
 2022-02-10 15:51:19 +01:00
Florian Roth 5ab21fdd0a docs: wording 2022-02-10 12:49:23 +01:00
Florian Roth 3c7c348b89 refactor: extended rules and made them more exact 2022-02-10 12:46:24 +01:00
Tobias Michalski 6af5d4b6f5 fix: False Positive fix 
Empty field CurrentDirectory should be "or"-ed
 2022-02-10 12:15:18 +01:00
Florian Roth a05b3e50e5 refactor and new: lsass process dumping rules 2022-02-10 09:17:25 +01:00
Florian Roth 0dc9234176 Merge pull request #2675 from redsand/fp_win_apt_bluemashroom 
Adds false positive filter to win apt bluemashroom
 2022-02-09 23:11:55 +01:00
Tim Shelton 531f9a61f1 Adds false positive filter to win apt bluemashroom and process for adding additional filters in the future 2022-02-09 20:11:45 +00:00
Florian Roth 2a816c53d7 Merge pull request #2674 from SigmaHQ/aurora-false-positive-fixing 
fix: extended rule due to high number of fps
 2022-02-09 20:48:07 +01:00
Florian Roth dc38a01a21 Merge pull request #2673 from SigmaHQ/aurora-false-positive-fixing 
fix: FPs with Microsoft Defender LSASS ASR events
 2022-02-09 19:09:37 +01:00
Florian Roth 9996ba3549 fix: extended rule due to high number of fps 2022-02-09 19:09:14 +01:00
Florian Roth 3b67b44b82 Merge branch 'aurora-false-positive-fixing' of https://github.com/SigmaHQ/sigma into aurora-false-positive-fixing 2022-02-09 18:18:59 +01:00
Florian Roth 2bbf6089ed fix: FPs, wrong modifier 2022-02-09 18:18:57 +01:00
Florian Roth 42ecaf2254 Merge branch 'master' into aurora-false-positive-fixing 2022-02-09 17:59:16 +01:00
phantinuss 43bae23f23 fix: several FPs against a fresh installed Windows with example applications and basic user interaction 2022-02-09 17:47:22 +01:00
phantinuss 0a5f2a020a fix: filter events with empty sysmon field 2022-02-09 17:47:22 +01:00
Florian Roth 0d3c7aafe8 fix: FPs with Microsoft Defender LSASS ASR events 2022-02-09 17:24:29 +01:00
Florian Roth 7470a1b8d4 Merge pull request #2671 from frack113/SpoolFool 
Add CVE-2022–22718
 2022-02-09 13:13:15 +01:00
frack113 54c2dcdafb Add CVE-2022–22718 2022-02-09 08:40:04 +01:00
Florian Roth 98249b6916 Merge pull request #2670 from SigmaHQ/aurora-false-positive-fixing 
refactor: reduced level of TeamViewer rule
 2022-02-08 22:05:34 +01:00
Florian Roth 9c7679e319 fix: duplicate date field 2022-02-08 20:41:26 +01:00
Florian Roth d388ce945c refactor: reduced level of TeamViewer rule 2022-02-08 20:40:31 +01:00
Florian Roth ef23efa60f Merge pull request #2668 from SigmaHQ/rule-devel 
rule: suspicious execution from suspicious folders
 2022-02-08 19:14:23 +01:00
Florian Roth 3e0f45d11e rule: suspicious execution from temp folders 2022-02-08 16:15:46 +01:00
Florian Roth 93767430fa Merge pull request #2666 from SigmaHQ/rule-devel 
Network Recon Activity : nslookup _ldap._tcp.dc._msdcs
 2022-02-08 13:30:32 +01:00
Florian Roth fa81384917 Merge pull request #2667 from SigmaHQ/aurora-false-positive-fixing 
Aurora false positive fixing
 2022-02-08 13:30:21 +01:00
Florian Roth ed06403d04 fix: unneeded list 2022-02-08 12:21:43 +01:00
Florian Roth 9bc8bb5c20 fix: remove old link to removed part of rule 2022-02-08 09:36:31 +01:00
Florian Roth 88ce0ed97d rule: Network Reconnaissance Activity 2022-02-08 09:36:03 +01:00
Florian Roth 047b928ab0 Merge branch 'aurora-false-positive-fixing' of https://github.com/SigmaHQ/sigma into aurora-false-positive-fixing 2022-02-08 09:35:12 +01:00
Florian Roth 69fcbc138e fix: FPs noticed with Aurora 2022-02-08 09:34:53 +01:00
Florian Roth 121b28c419 Merge pull request #2660 from redsand/fp_sysmon_creation_system_file_allow_wbengine 
FP from wbengine when writing a system filename
 2022-02-08 09:01:10 +01:00
Florian Roth 07e0d0412e Merge pull request #2662 from nasbench/master 
Update sysmon_raw_disk_access_using_illegitimate_tools.yml
 2022-02-08 09:00:46 +01:00
Florian Roth 7606ab96c8 Merge pull request #2657 from phantinuss/master 
fix: FPs
 2022-02-08 09:00:31 +01:00
Florian Roth c69613696f fix: FP noticed with Aurora 2022-02-07 21:24:21 +01:00
Florian Roth 7e17c2bbd2 Merge pull request #2658 from Karneades/patch-1 
rule: ACTINIUM Scheduled Task Persistence
 2022-02-07 21:20:22 +01:00
Florian Roth 3ca0382671 Merge pull request #2661 from redsand/fp_mimikatz_command_line 
FP mimikatz when loading powershell function Convert-GuidToCompressedGuid
 2022-02-07 21:20:04 +01:00
Nasreddine Bencherchali 7d1e149844 Update sysmon_raw_disk_access_using_illegitimate_tools.yml 2022-02-07 20:51:19 +01:00
Tim Shelton f3ce179f76 fixing false positive when loading the powershell function Convert-GuidToCompressedGuid 2022-02-07 17:10:57 +00:00
Tim Shelton 913aac6695 allow fp from wbengine 2022-02-07 16:58:58 +00:00
Florian Roth aef0bd2a2d Update process_creation_apt_actinium_persistence.yml 2022-02-07 16:15:48 +01:00
Andreas Hunkeler 40411f0596 Fix list issue in new wscript persistence rule 2022-02-07 15:54:42 +01:00
Andreas Hunkeler 0a78c3966b rule: ACTINIUM Scheduled Task Persistence 2022-02-07 15:43:30 +01:00
Florian Roth a60426e4a2 Update win_alert_lsass_access.yml 2022-02-07 15:43:04 +01:00
phantinuss ed2025e626 fix: FPs 2022-02-07 15:32:15 +01:00
Florian Roth e69a816f7d fix: extended filters for raw disk access rule 2022-02-07 13:58:16 +01:00
Florian Roth 5c73f913f2 Merge branch 'master' into aurora-false-positive-fixing 2022-02-07 13:17:00 +01:00
Florian Roth 9842118c53 Merge branch 'master' into aurora-false-positive-fixing 2022-02-07 13:15:05 +01:00