Commit Graph

122 Commits

Author SHA1 Message Date
Florian Roth dfbaadf932 fix: FPs - extended filter 2021-11-20 13:01:24 +01:00
Florian Roth 5b8b622658 fix: too many false positives with WMI Modules Loaded 2021-11-20 11:54:19 +01:00
Florian Roth 1fffb57df0 fix: FPs with different rules 2021-11-20 11:33:43 +01:00
Florian Roth 4acbb15713 Merge branch 'master' into rule-devel 2021-11-19 15:52:21 +01:00
Florian Roth 86f7c2b9f9 fix: FPs with WMI module rule 2021-11-19 12:15:01 +01:00
Florian Roth 23220e7d78 Merge branch 'rule-devel' of https://github.com/SigmaHQ/sigma into rule-devel 2021-11-17 19:00:06 +01:00
Florian Roth c71d9dba89 fix: false positive with WMI rule 2021-11-17 18:59:22 +01:00
frack113 0605a1c64e add WMIC.exe 2021-11-17 16:37:27 +01:00
Florian Roth dcfc9d562e fix: more false positives 2021-11-17 10:27:02 +01:00
Florian Roth 7d4e3fd2ed fix: more false positive fixes 2021-11-16 23:27:00 +01:00
Florian Roth 8d6d8c2c92 fix: several FPs 2021-11-16 17:30:23 +01:00
Florian Roth d29c353718 refactor: unnecessary filter 2021-11-16 13:47:41 +01:00
Florian Roth daff947d4b refactor: fixes without CommandLine field in ImageLoad events 2021-11-16 13:46:15 +01:00
Florian Roth 5e14b73b9c fix: FP with logman.exe 2021-11-16 13:39:32 +01:00
Florian Roth 2383b2b76b fix: problem with empty string 2021-11-16 13:33:00 +01:00
Florian Roth 98073049ba fix: FPs with Load of dbghelp/dbgcore DLL from Suspicious Process 2021-11-16 13:11:11 +01:00
Florian Roth 2448691ad0 fix: FPs 2021-11-16 13:04:52 +01:00
Tim Shelton a1c85108fa Updating author and date modified 2021-11-11 20:37:34 +00:00
Tim Shelton 9b469f21a2 adds microsoft sql server mgmt studio to allow list, along with note 2021-11-10 17:38:15 +00:00
Tim Shelton dda204bd51 updating yaml 2021-11-04 18:56:07 +00:00
Tim Shelton e266491f0a adding obsoletes tags 2021-11-04 18:36:55 +00:00
Tim Shelton 1ae596b634 removing rule 867613fb-fa60-4497-a017-a82df74a172c. This is a duplicate of 092bc4b9-3d1d-43b4-a6b4-8c8acd83522f and does not contain an allow list of known processes. 2021-11-04 17:07:00 +00:00
frack113 f8574fcd81 Add cve tags 2021-10-25 18:40:50 +02:00
frack113 fd329f4f9b Remove unneeded EventID 2021-10-04 21:25:57 +02:00
Florian Roth 4161cd909f docs: changed description 2021-09-27 23:12:18 +02:00
Florian Roth ada966c5be Merge branch 'rule-devel' of https://github.com/SigmaHQ/sigma into rule-devel 2021-09-27 22:34:30 +02:00
Florian Roth 97bb6a0257 rule: NOBELIUM FoggyWeb 2021-09-27 22:28:25 +02:00
frack113 5fc82e5dc6 split global sysmon_tttracer_mod_load.yml 2021-09-21 10:39:02 +02:00
frack113 dc8ad15d1a split win_exchange_transportagent.yml 2021-09-19 11:03:16 +02:00
frack113 18e7e16005 split win_mal_adwind.yml 2021-09-19 10:12:03 +02:00
frack113 416b0556b1 split win_silenttrinity_stage_use.yml 2021-09-19 10:02:05 +02:00
frack113 ffbeec134d Update image_load_wmiprvse_wbemcomn_dll_hijack.yml 2021-09-09 19:56:20 +02:00
frack113 d9cd1652f2 Split global sysmon rules 2021-09-09 16:11:41 +02:00
Thomas Patzke d9edc9f0e3 Merge branch 'fix' 2021-09-08 00:19:09 +02:00
Thomas Patzke 143744bc12 Various fixes (backslashes in regular expressions; casing of condition operators; further small errors) 2021-09-07 23:38:07 +02:00
Florian Roth cfbde22d2d rule: PRIVATELOG image load 2021-09-07 10:10:14 +02:00
frack113 a6bb5574fb Update global id 2021-09-03 06:35:35 +02:00
frack113 ace46c17be Update cve tags 2021-08-24 10:27:27 +02:00
frack113 768855e6d6 update modified after FP fix 2021-08-18 18:17:53 +02:00
Florian Roth 44013e25c8 fix: FPs with WMIADAP.exe 2021-08-18 17:26:57 +02:00
frack113 db0de126a5 test author for Detection Rule License 1.1 2021-08-14 19:16:36 +02:00
frack113 e45557316e Fix selection with only 1 element 2021-08-14 09:54:27 +02:00
Florian Roth 7f071d7851 Merge pull request #1554 from mlp1515/master: Update win_multiple_suspicious_cli.yml 2021-07-12 10:43:26 +02:00
Thomas Patzke 0b83c12dd1 Merge branch 'devel-tp' 2021-07-12 10:21:19 +02:00
Thomas Patzke 0b590aba5d Adjusted Spool Service DLL load rule 2021-07-11 09:29:43 +02:00
Florian Roth 58a634b0b6 Merge branch 'master' into master 2021-07-11 00:32:55 +02:00
Florian Roth db8cc0ee2d Merge pull request #1656 from SigmaHQ/rule-devel: rule: suspicious vss ps load / PrinternightMare updates 2021-07-08 15:03:28 +02:00
Florian Roth 2055f78780 refactor: make the rule more usable 2021-07-08 09:05:57 +02:00
Florian Roth 79338b2dbd fix: title 2021-07-08 08:33:46 +02:00
Florian Roth 96ea35fd92 rule: suspicious vss ps load 2021-07-07 18:21:57 +02:00