security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
11,199 Commits 1 Branch 57 Tags
e10fa684bdd0254b5ba5102feae293b8564f4628
Commit Graph

109 Commits

Author SHA1 Message Date
phantinuss 32169dbc33 chore: harmonization of generic 'nt system' user checks 
also a simple (non-commprehensive) test case to find
usages of localized user names
 2022-05-27 15:16:31 +02:00
Tim Shelton b1cbac0ae3 Adjusting condition 2022-05-26 18:39:22 +00:00
Tim Shelton 8ac66efd73 updating modified 2022-05-26 18:17:40 +00:00
Tim Shelton 13d68d9671 False positive on IBM Client Solutions 2022-05-26 18:16:55 +00:00
David ANDRE 74b9f97b9c Renamed suspicious in filenames to susp 2022-05-19 09:37:04 +02:00
phantinuss dbd68bf3f0 chore: test rules: capitalization on FP list entries 
Entires to the false positive list should begin with
a capital letter. e.g. Unkown instead of unkown.

Fixed the existing rules accordingly
 2022-05-09 16:07:44 +02:00
Florian Roth e76322ff5a Merge pull request #2976 from SigmaHQ/aurora-false-positive-fixing 
Aurora false positive fixing
 2022-05-02 16:38:01 +02:00
Florian Roth 892025474d fix: FPs noticed with Aurora 2022-05-02 16:25:33 +02:00
Florian Roth 96628bf7c0 Merge pull request #2960 from elhoim/mobsync_network2 
New rule for suspicious network connections from Microsoft Sync Center
 2022-04-29 13:25:56 +02:00
Florian Roth a157d5d949 rule: RDP to 80/tcp or 443/tcp 2022-04-29 12:03:07 +02:00
Florian Roth e322866c71 fix: indentation 2022-04-29 08:42:51 +02:00
David André 73b5f4412a Changed reference from default to correct URL 2022-04-28 14:45:31 +02:00
David ANDRE 55b23c4477 Added rule for suspicious (non-private IPs) network connections from mobsync 2022-04-28 14:21:39 +02:00
phantinuss 13e31e8383 fix: FPs found in win2022 domain controller baseline 2022-04-21 10:48:59 +02:00
Florian Roth d9fbdd4a56 fix: missing filter 2022-04-21 07:54:58 +02:00
Florian Roth 50ca09c6a4 Merge branch 'master' into rule-devel 2022-04-20 17:54:11 +02:00
Florian Roth 25ecef1748 rule: dropbox api use 2022-04-20 17:54:01 +02:00
Max Altgelt e6dbb6ba00 feat: Add rule for equation editor network connections 2022-04-14 10:50:10 +02:00
phantinuss 043747822f fix: more falsepositives harmonization 2022-03-16 14:57:06 +01:00
phantinuss 8d3f8acb60 fix: none --> Unknown 2022-03-16 14:19:21 +01:00
phantinuss b23eee6ebf fix: unknown --> Unknown 2022-03-16 13:43:54 +01:00
Florian Roth 9cc77ce817 Merge branch 'master' into aurora-false-positive-fixing 2022-03-07 15:40:42 +01:00
frack113 7fb8272f94 Name Normalization 
Name Normalization
 2022-02-27 10:58:14 +01:00
Florian Roth 52d30f4132 fix: FPs noticed with Aurora 2022-02-26 13:18:18 +01:00
Florian Roth 921d46ca79 fix: FPs noticed with Aurora 2022-02-21 18:43:18 +01:00
Florian Roth 57271c3c00 fix: bugs in rules 2022-02-16 17:26:57 +01:00
Florian Roth 51bbe21c70 fix: more Aurora FP fixes 2022-02-16 17:16:50 +01:00
Florian Roth 2500c16aea fix: FPs noticed with Aurora 2022-02-16 17:00:27 +01:00
phantinuss 43bae23f23 fix: several FPs against a fresh installed Windows with example applications and basic user interaction 2022-02-09 17:47:22 +01:00
Florian Roth 4b09e643c2 fix: condition in malware back connect rule 2022-02-02 13:48:56 +01:00
frack113 90334e7f7c Redcannary windows test 2022-01-23 11:37:01 +01:00
frack113 4631d0c482 remove invalid tag 2022-01-19 18:23:30 +01:00
frack113 12f0d6dfab Windows Redcannary 2022-01-16 14:47:56 +01:00
frack113 af99c75785 Windows Redcannary 2022-01-08 09:17:56 +01:00
Tim Shelton e596dab472 Allows PasswordState to initiate rdp connections, per feature "Passwordstate Remote Session Launcher" https://www.clickstudios.com.au/downloads/version9/Passwordstate_Remote_Session_Launcher_Gateway_Install_Guide.pdf 2021-12-29 14:27:22 +00:00
Florian Roth f37603ab60 fix: filter FPs with Microsoft cloud 2021-12-27 19:47:32 +01:00
Florian Roth d88f6b2208 Merge pull request #2459 from SigmaHQ/aurora-false-positive-fixing 
fix: FPs noticed with Aurora
 2021-12-16 20:34:30 +01:00
Florian Roth 84e5d60bbc fix: FPs noticed with Aurora 2021-12-16 19:54:22 +01:00
frack113 904fb9181e Add windows t1046 rules 2021-12-10 16:31:16 +01:00
Florian Roth 50ddc5f3ab style: new best practice filter condition 2021-12-07 20:58:03 +01:00
Tim Shelton f08a264986 fixing space 2021-12-07 19:47:13 +00:00
Tim Shelton d4b71dff88 Adding filter for ipv6 local for rundll32 net connections 2021-12-07 19:44:29 +00:00
Florian Roth 6c72657902 rule: Communication To Mega.nz 2021-12-06 18:35:04 +01:00
Tim Shelton b1f7cf21dd adding tomcat8 to allowed kerberos outbound. 2021-12-02 14:55:12 +00:00
Tim Shelton 1e97156684 Fixing conflict where both selection and filter have the same value. 2021-12-01 17:29:00 +00:00
frack113 01dc930c17 Change status for old rules 2021-11-27 11:33:14 +01:00
frack113 f47d0da3f7 add missing MITRE Techniques 2021-11-20 12:26:01 +01:00
Florian Roth 1661c61147 Merge pull request #2250 from securepeacock/patch-5 
Create sysmon_excel_outbound_network_connection.yml
 2021-11-12 13:05:02 +01:00
securepeacock 27a72f10fe Update sysmon_excel_outbound_network_connection.yml 
I got an error for level field, I'm guessing it was due to a capital M and it's case sensitive.
 2021-11-11 21:57:44 -05:00
securepeacock e514567a82 Update sysmon_excel_outbound_network_connection.yml 2021-11-11 21:50:10 -05:00