Commit Graph

8810 Commits

Author SHA1 Message Date
phantinuss b4bce46c65 fix: technically filter THOR checking for BlueKeep vuln 2022-06-29 17:07:04 +02:00
Florian Roth 6709a2dbaf Merge pull request #3177 from redsand/level_reduce_suspicious_failed_logins
Reducing the level of Account Tampering - Suspicious Failed Logon Reasons
2022-06-29 16:50:44 +02:00
Florian Roth 71edfa3550 Merge pull request #3176 from redsand/fp_reorder_system_ignore_all
False positive where system needs to be filtered first against any wri…
2022-06-29 16:50:25 +02:00
Tim Shelton 78ff2fb70f Reducing the level of this item. This behavior happens too often in a normal environment, with day to day activity and no definitive threat. I believe a different rule, detecting a larger volume of this behavior, would warrant a high level rating. 2022-06-29 13:32:19 +00:00
Tim Shelton ef4d3efa3a False positive where system needs to be filtered first against any writes, as it's related to drivers, especially backups 2022-06-29 13:25:24 +00:00
Florian Roth 3607cf878c fix: FP with explorer.exe 2022-06-29 13:22:35 +02:00
Florian Roth fd7b8d1c4f fix: FPs 2022-06-29 13:20:57 +02:00
frack113 afc3625791 Merge pull request #3161 from alexmcdonald1124/msra-injection
Msra.exe process injection rule
2022-06-29 06:30:00 +02:00
Florian Roth 2da48f5052 Merge pull request #3167 from SigmaHQ/rule-devel
Rules: Bitsadmin coverage and minor improvements
2022-06-28 17:25:03 +02:00
Florian Roth 991ff677c3 rule: bitsadmin coverage 2022-06-28 15:34:19 +02:00
Florian Roth 6f26e26846 rules: bitsadmin coverage 2022-06-28 15:16:52 +02:00
Florian Roth c9007cb3ed Merge pull request #3165 from redsand/fp_conflict_with_filter_and_selection
Comparison conflict found between selection and filter. In favor of …
2022-06-27 23:59:20 +02:00
Florian Roth f54f660efb Merge pull request #3164 from pH-T/master
rule cleanup and new rules
2022-06-27 23:58:05 +02:00
Tim Shelton f20e196909 Comparison conflict found between selection and filter. In favor of selection 2022-06-27 21:03:36 +00:00
phantinuss 10dfd7d063 fix: FP found in webserver logs 2022-06-27 16:46:18 +02:00
Paul Hager d7f983340b rule cleanup and new rules 2022-06-27 16:35:22 +02:00
Florian Roth 46e22d6d73 rule: WerFault process memory dump 2022-06-27 15:53:06 +02:00
Florian Roth 19ef1c153f rule: werfault accessing lsass 2022-06-27 15:49:30 +02:00
Florian Roth be5ee96e6f refactor: lsass dump file, nano dump default 2022-06-27 15:49:15 +02:00
phantinuss e2a719a312 fix: typo 2022-06-27 08:47:30 +02:00
phantinuss ab5d2ed711 fix: FPs in testing environment 2022-06-27 08:47:27 +02:00
frack113 281a7c8149 Add missing EventType 2022-06-26 17:41:23 +02:00
Florian Roth 1b08ee7916 Update proc_creation_win_msra_process_injection.yml 2022-06-25 08:47:36 +02:00
Alexander McDonald e740cbcaa3 Including id number per the error reported in testing 2022-06-24 16:55:10 -04:00
Alexander McDonald fd1be59f55 New experimental rule designed to find process injection 2022-06-24 16:44:40 -04:00
Florian Roth d78818e27d Merge pull request #3157 from d4rk-d4nph3/master
To account for SyncAppvPublishingServer bypass
2022-06-22 21:28:38 +02:00
Florian Roth cdfd908627 Merge branch 'master' into rule-devel 2022-06-22 21:16:29 +02:00
Florian Roth a876da1ad7 fix: FP with ProcessExpl 2022-06-22 21:15:21 +02:00
Florian Roth 940e4149f7 fix: wrong rule title 2022-06-22 21:15:00 +02:00
frack113 5cebc1ab88 Merge pull request #3158 from redsand/fp_printspooler_timeout
False positive when print dll times out when attempting to register
2022-06-22 21:08:40 +02:00
Tim Shelton ae50b42b2b False positive when print dll times out when attempting to register 2022-06-22 14:42:07 +00:00
Bhabesh 7afe938d49 Fixed the missing all modifier 2022-06-22 15:14:39 +05:45
Bhabesh d9836d9fe4 Fixed my rule bug 2022-06-22 15:13:51 +05:45
Bhabesh f55e3451cf Removed bypass for SyncAppvPublishingServer 2022-06-22 15:12:17 +05:45
Florian Roth 567d8e4e24 Merge pull request #3146 from frack113/redcanary_20220619
Add registry_set_timeproviders_dllname
2022-06-22 10:26:15 +02:00
Florian Roth a601ce4098 Merge pull request #3145 from frack113/chromeloader
Add proc_creation_win_chrome_load_extension
2022-06-22 10:26:07 +02:00
Florian Roth fedc465b00 Merge pull request #3155 from SigmaHQ/rule-devel
Linux - suspicious command lines
2022-06-22 10:25:42 +02:00
Florian Roth 926d72f7c2 fix: missing upper tick 2022-06-22 07:07:38 +02:00
Florian Roth e04003577f Update proc_creation_lnx_susp_history_recon.yml 2022-06-22 07:05:03 +02:00
Florian Roth fe72dbf62f Update proc_creation_lnx_susp_history_delete.yml 2022-06-22 07:04:30 +02:00
Bhabesh 023306e09f Added alternative cmd format 2022-06-22 10:16:39 +05:45
Nasreddine Bencherchali efbfc7fe67 New Rule (https://twitter.com/nas_bench/status/1537919885031772161) 2022-06-21 19:13:53 +01:00
Nasreddine Bencherchali e25ad42b5b Reverted Rule + New Rule 2022-06-21 19:03:47 +01:00
Nasreddine Bencherchali 0c2f1bfce5 Fix review comments 2022-06-21 17:22:39 +01:00
Florian Roth 8096f06c18 fix: condition 2022-06-21 17:55:49 +02:00
Florian Roth ffbe19404e fix: two rules 2022-06-21 17:45:50 +02:00
Florian Roth c2c25acbb6 docs: rules adjusted 2022-06-21 17:21:55 +02:00
Florian Roth 3f189e52c1 fix: typo in status 2022-06-21 17:21:44 +02:00
Nasreddine Bencherchali 11dca18b5b Merge branch 'SigmaHQ:master' into master 2022-06-21 15:57:06 +01:00
Nasreddine Bencherchali f12f6e3646 Update ID's 2022-06-21 15:46:00 +01:00