Commit Graph

6655 Commits

Author SHA1 Message Date
Florian Roth 9c8a649e6c fix: FP with suspicious svchost.exe rule 2021-11-26 17:12:33 +01:00
Florian Roth d91b925873 fix: FPs 2021-11-26 14:42:21 +01:00
Florian Roth a6c9a8772c Merge branch 'master' into aurora-false-positive-fixing 2021-11-26 00:09:09 +01:00
Florian Roth 11fc576103 fix: FPs with rules 2021-11-25 19:04:27 +01:00
phantinuss 979a00c2f4 fix: FPs found with Aurora 2021-11-25 15:36:08 +01:00
phantinuss 271e8291a5 fix: remove unneeded escape 2021-11-25 09:24:04 +01:00
frack113 bdb00f403f fix rule 2021-11-24 19:24:16 +01:00
frack113 960a03eaf4 add lobas Binary 2021-11-24 19:17:00 +01:00
Florian Roth 3e8b43e324 Merge pull request #2307 from SigmaHQ/aurora-false-positive-fixing (Aurora false positive fixing) 2021-11-24 17:31:44 +01:00
Florian Roth b6bfb1074d Merge pull request #2305 from phantinuss/master (rule: rundll calling shell32 with dll in suspicious location + Download via Certreq) 2021-11-24 17:30:56 +01:00
Florian Roth ce7d101b86 Merge branch 'master' into aurora-false-positive-fixing 2021-11-24 16:59:53 +01:00
Florian Roth f60e8e5d17 fix: more false positive filters 2021-11-24 16:58:53 +01:00
phantinuss eb8c9c046b rule: download using certreq 2021-11-24 16:39:44 +01:00
Florian Roth 3ace3808a5 refactor: Shell File Write to Suspicious Folder rule 2021-11-24 15:54:42 +01:00
Florian Roth fd6e3bb572 fix: dbghelp/dbgcore DLL load FP 2021-11-24 13:47:30 +01:00
Florian Roth 5e91d30e29 Merge pull request #2306 from SigmaHQ/rule-devel (refactor: change rule for CVE-2021-42321 exploitation) 2021-11-24 13:42:17 +01:00
Florian Roth 88cc418b98 Merge branch 'rule-devel' into aurora-false-positive-fixing 2021-11-24 13:42:00 +01:00
Florian Roth ed021f1bd4 Merge branch 'rule-devel' of https://github.com/SigmaHQ/sigma into rule-devel 2021-11-24 12:37:55 +01:00
Florian Roth 236b69e6f7 Update win_exchange_cve_2021_42321.yml 2021-11-24 12:37:51 +01:00
phantinuss b807aba67a fix: key/value 2021-11-24 11:41:02 +01:00
phantinuss 30b57f33ed rule: rundll calling shell32 with dll in suspicious location 2021-11-24 10:56:58 +01:00
Florian Roth 4a69c71b2f Update lnx_shell_clear_cmd_history.yml 2021-11-24 09:31:12 +01:00
Florian Roth 94c61bf07a Update lnx_shell_clear_cmd_history.yml 2021-11-24 09:29:48 +01:00
Florian Roth 9f14e70746 Merge pull request #2303 from secjunkie/master (Update lnx_shell_clear_cmd_history.yml) 2021-11-24 09:28:06 +01:00
Florian Roth 2c07bd562f Merge pull request #2301 from SigmaHQ/rule-devel (refactor: reworked psexec / paexec rules) 2021-11-24 09:27:35 +01:00
frack113 a28154dba0 Merge pull request #2302 from frack113/fix_field (fix field name) 2021-11-24 06:20:59 +01:00
frack113 a1db916851 Merge pull request #2299 from frack113/update_FP (Update detection win_system_defender_disabled.yml) 2021-11-24 06:20:32 +01:00
frack113 bf9b3844a6 Merge pull request #2298 from austinsonger/kubernetes-cronjob (Kubernetes cronjob) 2021-11-24 06:20:16 +01:00
Florian Roth 424bed1915 Merge branch 'rule-devel' of https://github.com/SigmaHQ/sigma into rule-devel 2021-11-24 00:27:45 +01:00
Florian Roth 37b445d3bb fix: FPs that only show up in Aurora (Sysmon configs are often too restricted) 2021-11-24 00:27:43 +01:00
secjunkie b76d000f26 Update lnx_shell_clear_cmd_history.yml (cat and ln can use zero or null; chattr does not clear but stops further logging) 2021-11-23 23:06:23 +00:00
frack113 b81b5666ce fix field name 2021-11-23 18:47:42 +01:00
Florian Roth 33c5e027d3 refactor: psexec flags 2021-11-23 18:00:48 +01:00
Florian Roth 99fc5fc3cc refactor: reworked psexec / paexec rules 2021-11-23 16:34:31 +01:00
Florian Roth f1c31bda02 fix: FPs noticed in Suspicious System.Drawing Load 2021-11-23 12:33:11 +01:00
Florian Roth 0a682f6fe0 Merge branch 'aurora-false-positive-fixing' of https://github.com/SigmaHQ/sigma into aurora-false-positive-fixing 2021-11-23 09:37:23 +01:00
Florian Roth 614046c241 fix: missing filter in condition 2021-11-23 09:37:20 +01:00
frack113 b764153d4f Update detection 2021-11-23 08:16:10 +01:00
Austin Songer 70d1e6d0f3 Update azure_kubernetes_cronjob.yml 2021-11-22 22:45:35 -06:00
Austin Songer 253ec56d1c Create azure_kubernetes_cronjob.yml 2021-11-22 22:40:06 -06:00
Austin Songer 5c118eef46 Create gcp_kubernetes_cronjob.yml 2021-11-22 22:39:39 -06:00
Florian Roth f2585f44da fix: bug in filter 2021-11-22 21:30:19 +01:00
Florian Roth 7468d495ff fix: FP with LSASS access rule 2021-11-22 21:29:21 +01:00
Florian Roth 42571791b3 Merge branch 'rule-devel' into aurora-false-positive-fixing 2021-11-22 15:24:46 +01:00
Florian Roth 2c5631f1bf Merge branch 'master' into aurora-false-positive-fixing 2021-11-22 15:23:43 +01:00
Florian Roth 68e4864069 fix: exclusions in new WinRAR rule 2021-11-22 15:23:28 +01:00
Florian Roth e778372d1f Merge pull request #2295 from SigmaHQ/aurora-false-positive-fixing
Aurora false positive fixing
2021-11-22 15:19:05 +01:00
Florian Roth 8fc93d3340 refactor: generic lsass access filter 2021-11-22 15:05:56 +01:00
Florian Roth 75663ceb46 rule: file creation LPE CVE-2021-41379 2021-11-22 14:15:51 +01:00
Florian Roth 9a2e7a23fa docs: tags for CVE-2021-41379 2021-11-22 14:06:50 +01:00
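Commit b76d000f26 above makes a point that history-tampering detections often blur: `cat` and `ln` can use either `/dev/null` or `/dev/zero` to empty or redirect a shell history file, whereas `chattr` leaves the existing content in place and only stops further writes. The block below is an added example written for this page, not a rule from the SigmaHQ repository and not the contents of lnx_shell_clear_cmd_history.yml; it runs a hypothetical Python classifier over constructed command lines and keeps "cleared" and "logging stopped" as separate verdicts. The history file names, the pattern list, and the sample lines are assumptions made for illustration.

```python
import re

# History files this example covers (assumption; a real rule may list more or fewer).
HISTORY_FILES = r"(?:\.bash_history|\.zsh_history|\.sh_history|\.history)"
# Both device files matter: the commit notes that cat and ln can use zero or null.
NULLISH = r"/dev/(?:null|zero)"

# Command shapes that remove or empty already-recorded history (assumed list).
CLEAR_PATTERNS = [
    # cat /dev/null > ~/.bash_history, : > .bash_history, echo '' > .bash_history
    re.compile(rf"(?:cat\s+{NULLISH}|(?<![^\s;&|]):|echo\s+(?:''|\"\"))\s*>\s*\S*{HISTORY_FILES}"),
    re.compile(rf"\btruncate\s+-s\s*0\s+\S*{HISTORY_FILES}"),
    re.compile(rf"\b(?:rm|shred)\b[^|;&]*\S*{HISTORY_FILES}"),
    # ln -sf /dev/null ~/.bash_history replaces the file, so recorded history is gone too
    re.compile(rf"\bln\s+(?:-\w+\s+)*{NULLISH}\s+\S*{HISTORY_FILES}"),
    re.compile(r"\bhistory\s+-c\b"),
]

# Command shapes that stop future logging but leave existing content untouched (assumed list).
STOP_PATTERNS = [
    # chattr +i ~/.bash_history: the shell can no longer append, but nothing is cleared
    re.compile(rf"\bchattr\s+\+\w*\s+\S*{HISTORY_FILES}"),
    re.compile(r"\b(?:unset|export)\s+HISTFILE\b"),
    re.compile(rf"\bHISTFILE={NULLISH}\b"),
    re.compile(r"\bHISTFILESIZE=0\b"),
    re.compile(r"\bset\s+\+o\s+history\b"),
]


def classify(cmdline: str) -> str:
    """Return 'cleared', 'logging_stopped' or 'benign' for one shell command line.

    Clearing is checked first: a command that both empties the file and blocks
    future writes (ln to /dev/null) is reported under the more severe verdict.
    """
    if any(p.search(cmdline) for p in CLEAR_PATTERNS):
        return "cleared"
    if any(p.search(cmdline) for p in STOP_PATTERNS):
        return "logging_stopped"
    return "benign"


# Constructed sample command lines for this example (not real log data).
SAMPLE_LOG = [
    "cat /dev/null > ~/.bash_history",
    "cat /dev/zero > /root/.bash_history",
    "ln -sf /dev/null ~/.bash_history",
    "chattr +i ~/.bash_history",
    "unset HISTFILE",
    "export HISTFILE=/dev/null",
    "cat /var/log/syslog | grep -i error",
    "ln -s /opt/tool/bin/tool /usr/local/bin/tool",
    "history -c",
]


def run(lines=SAMPLE_LOG):
    """Classify every line and return (line, verdict) pairs."""
    return [(line, classify(line)) for line in lines]


if __name__ == "__main__":
    for line, verdict in run():
        print(f"{verdict:16} {line}")
```

The two benign lines (a `cat` piped into `grep`, an `ln` that does not touch a history file) are there to show that the patterns key on the history file name and the null/zero device together, not on `cat` or `ln` alone, which is the kind of false positive the surrounding commits are trimming.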