security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
11,068 Commits 1 Branch 57 Tags
ab7d7dbed800d52acd720f8534b4e28bcaa248dc
Commit Graph

200 Commits

Author SHA1 Message Date
Florian Roth 5ec29f38f8 Merge branch 'master' into aurora-false-positive-fixing 2022-05-16 16:05:02 +02:00
Florian Roth 55d5766bf9 fix: FPs with lsass as source 2022-05-16 16:04:13 +02:00
Tim Shelton ca6b4d7862 FP: fixing error in labels 2022-05-15 17:41:22 +00:00
Tim Shelton 1019015473 FP: ignoring vmware to systeminfo.exe 2022-05-15 17:35:02 +00:00
Tim Shelton 71249ff7e0 FP: ignoring microsoft vc redistributable when performing NtOpenProcess 2022-05-15 17:33:31 +00:00
Tim Shelton 67e78ef455 FP: ignoreing microsoft edge when performing NtOpenProcess 2022-05-15 17:23:53 +00:00
Florian Roth 2b0db86440 Merge pull request #3002 from phantinuss/master 
Various new Rule Tests
 2022-05-11 15:49:46 +02:00
phantinuss 112b715dd6 chore: test rules: reactivate single value list check 2022-05-10 17:13:04 +02:00
Tim Shelton db6d32c6b9 Adding condition update 2022-05-09 23:55:37 +00:00
Tim Shelton 5f0ca05492 Adding FP filter for cylance 2022-05-09 23:54:40 +00:00
phantinuss dbd68bf3f0 chore: test rules: capitalization on FP list entries 
Entires to the false positive list should begin with
a capital letter. e.g. Unkown instead of unkown.

Fixed the existing rules accordingly
 2022-05-09 16:07:44 +02:00
Florian Roth 892025474d fix: FPs noticed with Aurora 2022-05-02 16:25:33 +02:00
Paul Hager aac1d47bef fix: fixed typo in rule 2022-04-13 19:27:11 +02:00
Florian Roth 7b8ead3f9c Merge branch 'master' into aurora-false-positive-fixing 2022-03-20 17:59:58 +01:00
Florian Roth 811ed59e27 fix: FPs with Aurora and THOR 2022-03-20 16:18:18 +01:00
phantinuss 3ab601b334 fix: FP with Sysinternal's handle 2022-03-18 17:06:53 +01:00
frack113 becf3baeb4 Merge pull request #2813 from phantinuss/master 
Changes to falsepositives metadata
 2022-03-17 14:31:27 +01:00
Florian Roth bd8306cd28 Merge pull request #2814 from SigmaHQ/aurora-false-positive-fixing 
fix: sadly still too many fps with this rule
 2022-03-16 18:15:23 +01:00
Florian Roth 426b3a0906 Merge pull request #2796 from d4rk-d4nph3/master 
Added rule for shellcode injection by Metasploit and Empire
 2022-03-16 15:34:03 +01:00
Florian Roth 4445ea6baf fix: sadly still too many fps with this rule 2022-03-16 15:21:27 +01:00
phantinuss b23eee6ebf fix: unknown --> Unknown 2022-03-16 13:43:54 +01:00
Florian Roth 7ee62d7f69 Merge branch 'master' into rule-devel 2022-03-14 11:38:44 +01:00
Florian Roth a9b7c365cd docs: adjusted description 2022-03-13 23:30:44 +01:00
Florian Roth 7e0928233b refactor: split up lsass access rule in two 
- one with level medium that contains all access attempts using 0x410, 0x1410 and 0x1040
- all other access masks remain in the original rule
 2022-03-13 23:29:54 +01:00
frack113 c5c72124b1 WindowsUpdate FP 2022-03-13 19:22:08 +01:00
Bhabesh d7d9a19cd4 Added rule for shellcode injection by Metasploit and Empire 2022-03-11 20:05:22 +05:45
Florian Roth 9cc77ce817 Merge branch 'master' into aurora-false-positive-fixing 2022-03-07 15:40:42 +01:00
frack113 7922becd0b Fix FP new install 2022-03-04 16:53:30 +01:00
Florian Roth 1eedcc3659 fix: FPs with MalwareBytes software 2022-02-27 19:01:39 +01:00
frack113 7fb8272f94 Name Normalization 
Name Normalization
 2022-02-27 10:58:14 +01:00
Tobias Michalski e89867848d Update sysmon_mimikatz_trough_winrm.yml 2022-02-24 11:27:57 +01:00
Tobias Michalski 4a6ab42c6b Update sysmon_mimikatz_trough_winrm.yml 2022-02-24 11:09:47 +01:00
Tobias Michalski 662e5ed66d fix: False Positives 2022-02-24 10:35:31 +01:00
Florian Roth cbe7abc16e Merge branch 'master' into aurora-false-positive-fixing 2022-02-21 18:49:45 +01:00
Florian Roth 921d46ca79 fix: FPs noticed with Aurora 2022-02-21 18:43:18 +01:00
phantinuss f2be1ed1b8 fix: FPs 2022-02-18 13:04:25 +01:00
phantinuss ac8cd7516a fix: single list items 2022-02-16 16:31:11 +01:00
phantinuss 5aee70f7d5 fix: exclude common FPs occuring on test system 2022-02-16 16:31:11 +01:00
Florian Roth 12f7c58274 fix: FPs noticed with Aurora 2022-02-12 00:40:10 +01:00
Nasreddine Bencherchali d0b68c4483 Update win_susp_proc_access_lsass.yml 2022-02-11 14:20:42 +01:00
phantinuss 6ad44598ee fix: several FPs against a fresh installed Windows with example applications and basic user interaction 2 2022-02-10 16:12:17 +01:00
Florian Roth 47d9595123 Merge pull request #2677 from SigmaHQ/rule-devel 
refactor and new: lsass process dumping rules
 2022-02-10 15:51:19 +01:00
Florian Roth 5ab21fdd0a docs: wording 2022-02-10 12:49:23 +01:00
Florian Roth 3c7c348b89 refactor: extended rules and made them more exact 2022-02-10 12:46:24 +01:00
Florian Roth a05b3e50e5 refactor and new: lsass process dumping rules 2022-02-10 09:17:25 +01:00
Florian Roth 69fcbc138e fix: FPs noticed with Aurora 2022-02-08 09:34:53 +01:00
Florian Roth fada8df7d4 fix: FP notices with Aurora 2022-02-05 21:40:03 +01:00
Florian Roth 0e5846aced fix: remove new line 2022-02-03 21:54:16 +01:00
Florian Roth 15dfdd8262 fix: FPs noticed with Aurora 2022-02-03 21:53:26 +01:00
Florian Roth 6c2dea3a8c fix: FPs noticed with Aurora 2022-02-01 15:57:44 +01:00