Commit Graph

1111 Commits

Author SHA1 Message Date
frack113 8de0027ca3 refactor condition 2022-06-03 15:35:24 +02:00
Florian Roth bea6f18d35 Merge pull request #3024 from redsand/win_system_susp_eventlog_cleared
Making a derived detection for system/application/security event logs…
2022-05-20 20:56:00 +02:00
Tim Shelton 600a7cd0e8 Re-adding accidentally removed entry 2022-05-19 17:16:39 +00:00
Tim Shelton 60e6a147b4 merging remote change 2022-05-19 16:11:58 +00:00
Tim Shelton 3f6cabcae8 Updating to include match on Channel 2022-05-19 16:08:34 +00:00
David ANDRE 74b9f97b9c Renamed suspicious in filenames to susp 2022-05-19 09:37:04 +02:00
Florian Roth 003e5bee6d Merge pull request #3018 from SigmaHQ/rule-devel
refactor: rule addition
2022-05-19 07:50:36 +02:00
Florian Roth 28e0e157fe Update win_system_susp_eventlog_cleared.yml 2022-05-17 21:32:00 +02:00
Tim Shelton 60a38a95ef removing duplicate keywords entry 2022-05-17 18:54:01 +00:00
Tim Shelton b5b7adcb9c Making a derived detection for system/application/security event logs being cleared, vs any in general. fp due to custom applications clearing their eventlog 2022-05-17 18:49:54 +00:00
Tim Shelton 4bafd1317b User meant to use service vs category. currently no category assignment for "system". We need a unit test to detect new sections here, vs backends. this was untested in the field. 2022-05-16 22:18:35 +00:00
Florian Roth 73706c96ab fix: missing modified date mod 2022-05-16 17:24:26 +02:00
Tim Shelton 9d4ce6db7d FP: filter m$ removaltools from %system32%\MRT.exe and reducing level to low from medium. Task removal could possibly even be just informational. 2022-05-16 14:48:01 +00:00
Florian Roth 54d5f3ad67 Merge branch 'master' into rule-devel 2022-05-16 16:05:12 +02:00
Florian Roth 9138730dd6 keylogger keyword extended 2022-05-16 16:03:52 +02:00
frack113 196aa6d83d move deprecated rules 2022-05-14 09:42:32 +02:00
Florian Roth 9e218149d9 Merge pull request #3008 from SigmaHQ/rule-devel
refactor: AV rules, changes, new PW protected ZIP rules
2022-05-12 17:38:11 +02:00
Florian Roth 1b9ce19b2c fix: several issues 2022-05-12 17:30:30 +02:00
Florian Roth 2cd5a93fb6 refactor: update antivirus rules 2022-05-12 17:19:46 +02:00
Florian Roth ee3aba2541 Merge pull request #3005 from BlackB0lt/patch-27
Create win_security_krbrelayup_service_installation.yml
2022-05-12 13:01:44 +02:00
Florian Roth fe312319d3 Update win_security_krbrelayup_service_installation.yml 2022-05-12 13:01:24 +02:00
frack113 69b4bd551c Merge pull request #3004 from redsand/fp_dnsZoneScope
filtering out dnsZoneScope
2022-05-12 06:56:50 +02:00
Sittikorn S 800669d90c Update win_security_krbrelayup_service_installation.yml 2022-05-11 18:59:37 +07:00
Sittikorn S df8c6c118f Create win_security_krbrelayup_service_installation.yml
Detects service creation from KrbRelayUp tool
2022-05-11 18:59:14 +07:00
Tim Shelton d072472b25 filtering out dnsZoneScope 2022-05-10 21:29:05 +00:00
phantinuss 112b715dd6 chore: test rules: reactivate single value list check 2022-05-10 17:13:04 +02:00
Florian Roth 4e7ceae0e1 rule: added another keyword 2022-05-09 18:33:34 +02:00
Florian Roth ec4beca37b Merge branch 'master' into rule-devel 2022-05-09 18:03:29 +02:00
Florian Roth 9d87716dfb rule: encrypted ZIP files 2022-05-09 18:03:16 +02:00
Florian Roth cc68a89ad0 refactor: moved rule 2022-05-09 18:02:36 +02:00
phantinuss b991a5be52 chore: test rules: warn on errors or invalid FP reasons
also adapted the existing rules to pass the tests
2022-05-09 16:07:55 +02:00
phantinuss dbd68bf3f0 chore: test rules: capitalization on FP list entries
Entries to the false positive list should begin with
a capital letter, e.g. Unknown instead of unknown.

Fixed the existing rules accordingly
2022-05-09 16:07:44 +02:00
Tobias Michalski b1c395d65c fix: Rule Creating way too many FPs to be high 2022-05-06 15:56:08 +02:00
Florian Roth 73c6bea167 Merge pull request #2979 from SigmaHQ/rule-devel
rules: more suspicious service registrations
2022-05-05 18:57:08 +02:00
Tim Shelton 6156a5653b Removing FP of dnsNode updates. Not related to account access 2022-05-05 16:45:01 +00:00
Florian Roth 17a1a035c5 doc: change titles to avoid duplicates 2022-05-04 11:30:30 +02:00
Florian Roth 5a619f5bab Merge pull request #2977 from phantinuss/master
fix: FPs in prod environment
2022-05-02 16:51:38 +02:00
phantinuss 97de80a9e1 fix: FPs in prod environment 2022-05-02 16:44:15 +02:00
Florian Roth e76322ff5a Merge pull request #2976 from SigmaHQ/aurora-false-positive-fixing
Aurora false positive fixing
2022-05-02 16:38:01 +02:00
Florian Roth b19c3e154c fix: FPs with new NTLMv1 rule 2022-05-02 16:32:18 +02:00
phantinuss 06725ecfcb fix: FPs found at prod environment 2022-04-29 15:07:58 +02:00
Florian Roth f695443c4c Merge pull request #2969 from SigmaHQ/new-source-terminalservices
New source terminalservices
2022-04-29 13:25:12 +02:00
Florian Roth 7094565977 fix: description 2022-04-29 13:10:36 +02:00
Florian Roth 2df291fe0a rule: ngrok to remote desktop service 2022-04-29 12:25:38 +02:00
Florian Roth c62e6b572c fix: modified date 2022-04-28 20:41:13 +02:00
Florian Roth 9b480e360c fix: FPs noticed with Aurora 2022-04-28 20:40:19 +02:00
Florian Roth eff701c249 Merge pull request #2951 from SigmaHQ/rule-devel
Improved KrbRelayUp rules
2022-04-27 12:02:26 +02:00
Florian Roth 84935bbcc6 refactor: tightened krbrelayup rule 2022-04-27 11:54:51 +02:00
Florian Roth a4b871acfb Merge pull request #2950 from SigmaHQ/rule-devel
rules: KrbRelayUp, EventVwr bypass
2022-04-27 11:04:01 +02:00
Florian Roth 5f95b88a52 Revert "refactor: field IpAddress in ID 4624/4625 refactoring"
This reverts commit a6e7866faa.
2022-04-27 10:54:41 +02:00