Commit Graph

220 Commits

Author SHA1 Message Date
frack113 bbf07649b1 MS Update FP 2022-07-27 08:09:11 +02:00
Florian Roth da1ad54a41 refactor: vulnerable driver loads 2022-07-26 14:56:28 +02:00
Nasreddine Bencherchali 524ea4bfeb Fix typo 2022-07-25 11:12:00 +01:00
Florian Roth e1afd68f40 docs: wording 2022-07-25 10:22:36 +02:00
Florian Roth 2cbdd50927 rule: vulnerable gigabyte driver load 2022-07-25 10:08:05 +02:00
Florian Roth fd30a06112 Merge pull request #3240 from nasbench/uac-bypass-image-load
Iscsicpl UAC Bypass + Generic Rule
2022-07-19 16:38:34 +02:00
Florian Roth 44b424e3cf refactor: WSMAN Provider Image Loads & empty cmdline 2022-07-18 13:55:14 +02:00
Nasreddine Bencherchali d32816f7a2 Iscsicpl UAC Bypass + Generic Rule 2022-07-18 11:50:55 +01:00
Nasreddine Bencherchali 238e0ecd7d Update Ref+Selection 2022-07-11 14:11:53 +01:00
Florian Roth c2c25acbb6 docs: rules adjusted 2022-06-21 17:21:55 +02:00
Florian Roth f728893364 refactor: rule level adjustments - critical to high 2022-06-18 17:43:22 +02:00
Florian Roth fda9c753e2 Update image_load_msdt_sdiageng.yml 2022-06-17 18:46:14 +02:00
Florian Roth 725cadc902 Update image_load_msdt_sdiageng.yml 2022-06-17 08:49:17 +02:00
eiger 764dbc4e3c Fix: Sigma title error 2022-06-17 14:40:01 +08:00
eiger e4ab54d60f Rule: Follina and DogWalk exploit msdt.exe loading sdiageng.dll 2022-06-17 09:41:08 +08:00
eiger 7444869de3 Rule: Follina and DogWalk exploit msdt.exe loading sdiageng.dll 2022-06-17 09:29:20 +08:00
eiger 21edcafa36 Rule: Follina or DogWalk exploit sdiageng.dll 2022-06-17 09:21:57 +08:00
Nasreddine Bencherchali 97856b562a Add "\" to "Image|endswith" modifier
- Added the "\\" (backslash) for the "(Parent)Image|endswith" modifiers to avoid possible confusion.
- The modifications were mostly done on default Windows binaries to avoid changing the logic of other rules.
2022-06-02 13:39:07 +01:00
phantinuss 465886d6e3 fix: FP found in testing 2022-05-27 15:16:30 +02:00
David ANDRE 74b9f97b9c Renamed suspicious in filenames to susp 2022-05-19 09:37:04 +02:00
frack113 196aa6d83d move deprecated rules 2022-05-14 09:42:32 +02:00
phantinuss 112b715dd6 chore: test rules: reactivate single value list check 2022-05-10 17:13:04 +02:00
phantinuss dbd68bf3f0 chore: test rules: capitalization on FP list entries
Entries to the false positive list should begin with
a capital letter, e.g. Unknown instead of unknown.

Fixed the existing rules accordingly
2022-05-09 16:07:44 +02:00
Tobias Michalski cf608cf730 fix: false positive fix 2022-05-06 14:24:04 +02:00
Florian Roth 892025474d fix: FPs noticed with Aurora 2022-05-02 16:25:33 +02:00
phantinuss 13e31e8383 fix: FPs found in win2022 domain controller baseline 2022-04-21 10:48:59 +02:00
Max Altgelt 026490921c fix: Add FP exclusion for vss_ps.dll load
The scheduled task that creates restore points apparently runs
rundll32.exe and loads this DLL.
2022-04-07 10:49:10 +02:00
phantinuss 84d0c472ba fix: remove penetration test as valid false positive reason 2022-03-16 14:33:18 +01:00
phantinuss b23eee6ebf fix: unknown --> Unknown 2022-03-16 13:43:54 +01:00
frack113 7fb8272f94 Name Normalization
Name Normalization
2022-02-27 10:58:14 +01:00
Tobias Michalski 15c61b42bf fix: Set rule to medium due to too many filters 2022-02-23 11:03:23 +01:00
Florian Roth 921d46ca79 fix: FPs noticed with Aurora 2022-02-21 18:43:18 +01:00
Florian Roth 2500c16aea fix: FPs noticed with Aurora 2022-02-16 17:00:27 +01:00
Florian Roth 98dbfe1ff6 fix: too many matches on many programs
... running from every other location
2022-02-12 00:44:42 +01:00
phantinuss 97f4b8a1e9 fix: mandatory escaping of \* 2022-02-10 16:16:42 +01:00
phantinuss 6ad44598ee fix: several FPs against a freshly installed Windows with example applications and basic user interaction 2 2022-02-10 16:12:17 +01:00
phantinuss 43bae23f23 fix: several FPs against a freshly installed Windows with example applications and basic user interaction 2022-02-09 17:47:22 +01:00
frack113 54c2dcdafb Add CVE-2022-22718 2022-02-09 08:40:04 +01:00
Florian Roth 8aad83a737 fix: far too many FPs with new Advapi32.dll rule 2022-02-04 14:03:14 +01:00
frack113 d56261cd70 aurora OneDrive FP 2022-02-04 09:32:29 +01:00
Florian Roth 84660da583 Update image_load_susp_advapi32_dll.yml 2022-02-03 22:00:24 +01:00
frack113 1ac80bebf8 add image_load_susp_advapi32_dll 2022-02-03 18:54:34 +01:00
Florian Roth 6c2dea3a8c fix: FPs noticed with Aurora 2022-02-01 15:57:44 +01:00
frack113 4631d0c482 remove invalid tag 2022-01-19 18:23:30 +01:00
Florian Roth f77da595c4 fix: FPs noticed with Aurora 2022-01-12 11:32:34 +01:00
Florian Roth 0f8a3bc356 fix: FP noticed with Aurora 2022-01-06 21:06:29 +01:00
frack113 d74458a0e0 Windows 2019 2022-01-02 16:12:30 +01:00
frack113 7d200d95f3 Aurora FP 2021-12-27 17:13:17 +01:00
frack113 372023d3c0 Fix aurora FP 2021-12-16 09:45:50 +01:00
Florian Roth 2f43e6815b Merge pull request #2440 from SigmaHQ/aurora-false-positive-fixing
fix: FPs noticed with Aurora
2021-12-12 14:20:09 +01:00