Commit Graph

148 Commits

Author SHA1 Message Date
Florian Roth c5e183cf2e Merge pull request #3432 from SigmaHQ/rule-devel
Create Stream Hash Rules
2022-08-25 14:17:50 +02:00
Florian Roth 6a81603d28 Merge branch 'rule-devel' of https://github.com/SigmaHQ/sigma into rule-devel 2022-08-24 16:51:27 +02:00
Florian Roth 4baa18bd33 refactor: added transfer.sh domain 2022-08-24 16:51:26 +02:00
Yamato Security 1faef2fa97 fix backend bool conversion errors 2022-08-24 09:23:35 +09:00
frack113 991560a746 Merge pull request #3392 from ionsor/patch-5
Create net_connection_win_dead_drop_resolvers.yml
2022-08-18 18:29:45 +02:00
Feathers 9f2ab4e047 Update net_connection_win_dead_drop_resolvers.yml
added a few more apps which are triggering false positives, and comments to identify the process with the application
2022-08-17 18:43:47 +02:00
Feathers 41c3ea16b1 Update net_connection_win_dead_drop_resolvers.yml
corrected the MITRE tags
2022-08-17 18:14:43 +02:00
Feathers 60ac757cf2 Create net_connection_win_dead_drop_resolvers.yml
This detection is an attempt to spot dead drop resolvers for those who don't have packet inspection. Most often dead drop resolvers are initiated from malware itself, which makes it easy to detect, since most often users access social media websites from internet browsers.
2022-08-17 16:09:11 +02:00
Florian Roth eeeae44db5 Merge branch 'master' into rule-devel 2022-08-17 09:14:47 +02:00
Florian Roth 96276dc36e Rule Updates / New Rules 2022-08-17 09:14:13 +02:00
phantinuss 48f8f788e8 fix: FP in testing from localhost to localhost from BITs service 2022-08-16 17:02:49 +02:00
frack113 3426dfb6e9 Update backslash 2022-08-13 09:59:31 +02:00
Nasreddine Bencherchali b905df6bc7 Updates + New Rules 2022-08-09 18:35:45 +01:00
phantinuss 43ac43c70d fix: FP found in testing 2022-08-09 10:56:00 +02:00
Florian Roth 68ff364654 Merge branch 'master' into rule-devel 2022-08-05 12:17:36 +02:00
Florian Roth d5f7de1314 Merge pull request #3324 from SigmaHQ/rule-devel
Suspicious IIS Registration, Plink refactoring, remove Github compromise rules
2022-08-05 09:39:41 +02:00
Florian Roth 664ec8b43e refactor: remove rules for false alarm
https://twitter.com/cyb3rops/status/1555242921850544131
2022-08-04 20:05:16 +02:00
Florian Roth 3c67479ce2 Merge pull request #3318 from SigmaHQ/rule-devel
rule: myjino github repo compromise
2022-08-03 08:42:17 +02:00
Florian Roth 72dbfffc0f rule: myjino github repo compromise 2022-08-03 08:34:28 +02:00
phantinuss 51db91352a fix: FP found in testing environment 2022-07-29 16:00:19 +02:00
Florian Roth c79715049d refactor: improved susp com rule 2022-07-22 12:47:54 +02:00
Florian Roth abe97c6ba8 Merge pull request #3245 from redsand/fp_epmap_from_amazon_ssm
False positive from amazon ssm agent updater connecting to local ip a…
2022-07-20 14:03:41 +02:00
Tim Shelton 785a31025c False positive from amazon ssm agent updater connecting to local IP address on this port 2022-07-18 19:51:00 +00:00
Florian Roth 864da0680d rule: communication to ngrok.io 2022-07-16 08:15:32 +02:00
Florian Roth 6217eb2a26 Merge pull request #3224 from frack113/rpc_135
RPC epmap tools
2022-07-14 21:58:13 +02:00
Nasreddine Bencherchali 16b2945027 New Rules + Update 2022-07-14 17:35:50 +01:00
frack113 97cd835d34 Update description 2022-07-14 17:30:06 +02:00
frack113 09841c9caf Add net_connection_win_susps_epmap 2022-07-14 17:25:56 +02:00
Nasreddine Bencherchali 238e0ecd7d Update Ref+Selection 2022-07-11 14:11:53 +01:00
Florian Roth c4021267ec Merge pull request #3193 from SigmaHQ/rule-devel
Multiple changes, new rule, some docs
2022-07-03 16:30:36 +02:00
Florian Roth 881890177b rule: suspicious network connections no cmdline 2022-07-03 15:58:54 +02:00
Florian Roth b4751520c5 refactor: more domains 2022-07-03 15:58:36 +02:00
Tim Shelton f20e196909 Comparison conflict found between selection and filter. In favor of selection 2022-06-27 21:03:36 +00:00
phantinuss 9475153292 fix: FPs found in testing environment 2022-06-20 16:17:54 +02:00
Florian Roth 50b2fad091 Merge branch 'master' into aurora-false-positive-fixing 2022-06-20 13:43:36 +02:00
Florian Roth ccd6fc5a7b fix: FPs 2022-06-20 13:04:49 +02:00
Florian Roth 72de90d2aa fix: FPs 2022-06-20 12:52:23 +02:00
Tim Shelton 80ee980b1d False positive from SentinelOne Ranger Agent 2022-06-19 14:31:10 +00:00
Nasreddine Bencherchali 97856b562a Add "\" to "Image|endswith" modifier
- Added the "\\" (backslash) for the "(Parent)Image|endswith" modifiers to avoid possible confusion.
- The modifications were mostly done on default Windows binaries to avoid changing the logic of other rules.
2022-06-02 13:39:07 +01:00
phantinuss 32169dbc33 chore: harmonization of generic 'nt system' user checks
also a simple (non-comprehensive) test case to find
usages of localized user names
2022-05-27 15:16:31 +02:00
Tim Shelton b1cbac0ae3 Adjusting condition 2022-05-26 18:39:22 +00:00
Tim Shelton 8ac66efd73 updating modified 2022-05-26 18:17:40 +00:00
Tim Shelton 13d68d9671 False positive on IBM Client Solutions 2022-05-26 18:16:55 +00:00
David ANDRE 74b9f97b9c Renamed suspicious in filenames to susp 2022-05-19 09:37:04 +02:00
phantinuss dbd68bf3f0 chore: test rules: capitalization on FP list entries
Entries to the false positive list should begin with
a capital letter, e.g. Unknown instead of unknown.

Fixed the existing rules accordingly
2022-05-09 16:07:44 +02:00
Florian Roth e76322ff5a Merge pull request #2976 from SigmaHQ/aurora-false-positive-fixing
Aurora false positive fixing
2022-05-02 16:38:01 +02:00
Florian Roth 892025474d fix: FPs noticed with Aurora 2022-05-02 16:25:33 +02:00
Florian Roth 96628bf7c0 Merge pull request #2960 from elhoim/mobsync_network2
New rule for suspicious network connections from Microsoft Sync Center
2022-04-29 13:25:56 +02:00
Florian Roth a157d5d949 rule: RDP to 80/tcp or 443/tcp 2022-04-29 12:03:07 +02:00
Florian Roth e322866c71 fix: indentation 2022-04-29 08:42:51 +02:00