Commit Graph

1034 Commits

Author SHA1 Message Date
Florian Roth b4245c561c Merge pull request #2836 from SigmaHQ/rule-devel
fix: Service Installation 7045 field confusion
2022-03-21 11:18:29 +01:00
Florian Roth ce4cdf06f0 fix: Service Installation 7045 field confusion 2022-03-21 11:10:03 +01:00
Florian Roth 7b8ead3f9c Merge branch 'master' into aurora-false-positive-fixing 2022-03-20 17:59:58 +01:00
Florian Roth b3d19126c7 docs: add FP conditions 2022-03-20 16:21:35 +01:00
Paul Hager 68659cf5fd new susp service installation rules 2022-03-18 16:08:40 +01:00
phantinuss 043747822f fix: more falsepositives harmonization 2022-03-16 14:57:06 +01:00
phantinuss 6ae28b7a1c fix: legitimate --> Legitimate 2022-03-16 14:35:19 +01:00
phantinuss 84d0c472ba fix: remove penetration test as valid false positive reason 2022-03-16 14:33:18 +01:00
phantinuss 8d3f8acb60 fix: none --> Unknown 2022-03-16 14:19:21 +01:00
phantinuss 9b82e099a3 fix: unlikely --> Unlikely 2022-03-16 14:16:10 +01:00
phantinuss 4585133325 fix: remove penetration testing as a valid false positive 2022-03-16 13:51:26 +01:00
phantinuss b23eee6ebf fix: unknown --> Unknown 2022-03-16 13:43:54 +01:00
Feathers 8014c477cd Update win_dcsync.yml
Added a more detailed source on this detection.
Also included the AccessMask corresponding to “control access” that is specifically registered when access is allowed following extended rights verification (typically associated with the use of high level and explicit permissions that are required to initiate the DCSync attack) as is described in the Black Lantern Security blog post.
Added 3 other GUIDs that correspond to:
1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 - DS-Replication-Get-Changes
9923a32a-3607-11d2-b9be-0000f87a36b2 - DS-Install-Replica
89e95b76-444d-4c62-991a-0facbeda640c - DS-Replication-Get-Changes-In-Filtered-Set
2022-03-15 12:37:07 +01:00
Paul Hager 1fb583b225 fix: FP fix 2022-03-11 11:46:25 +01:00
frack113 5938569d3e Refactor regex 2022-03-08 19:07:37 +01:00
frack113 f9c0e21323 Refactor regex 2022-03-07 19:08:30 +01:00
frack113 5d4035ea05 Fix contains 2022-03-06 20:50:19 +01:00
frack113 67189b6e51 refactor regex 2022-03-06 20:40:21 +01:00
frack113 793bf99c85 refactor regex 2022-03-06 20:15:32 +01:00
frack113 53651cdd2f Add Bits-Client rules 2022-03-03 06:27:00 +01:00
phantinuss 952fb07d59 fix: remove Aurora filter out, no longer needed 2022-03-02 11:14:01 +01:00
unknown 528cdd199b Update modified date 2022-02-24 14:38:35 -05:00
unknown 03048a1fdb Fix criteria to contain bckupkey 2022-02-24 13:55:34 -05:00
frack113 ffe2dd2a00 fix Provider_Name 2022-02-24 06:54:22 +01:00
Florian Roth b1ec01c289 fix: TiWorker.exe FW change 2022-02-22 13:58:21 +01:00
Florian Roth 70220eaced fix: last FPs 2022-02-22 13:53:28 +01:00
Florian Roth 679461082c Merge branch 'aurora-false-positive-fixing' of https://github.com/SigmaHQ/sigma into aurora-false-positive-fixing 2022-02-22 13:43:59 +01:00
Florian Roth b983330310 fix: more fixes 2022-02-22 13:42:39 +01:00
Florian Roth 7a2216c7be Merge branch 'master' into aurora-false-positive-fixing 2022-02-22 13:37:58 +01:00
Florian Roth cc9a5b4b07 fix: FPs with new rules 2022-02-22 13:32:34 +01:00
frack113 af987fb1a0 Set to low as too many FP 2022-02-22 09:38:10 +01:00
Florian Roth 118e28dbb6 Merge pull request #2708 from frack113/firewall_as
Add firewall-as basic rules
2022-02-22 08:54:00 +01:00
Florian Roth 921d46ca79 fix: FPs noticed with Aurora 2022-02-21 18:43:18 +01:00
frack113 8cfab22acb Add firewall-as basic rules 2022-02-19 10:18:49 +01:00
Florian Roth 06e62c48ee Merge pull request #2683 from SigmaHQ/aurora-false-positive-fixing
Aurora false positive fixing
2022-02-11 12:45:41 +01:00
Florian Roth 36b0a13e0f fix: better way to filter these events 2022-02-11 12:00:08 +01:00
Florian Roth 55a2fdd1c3 fix: FP noticed with Aurora 2022-02-11 11:58:30 +01:00
phantinuss 6ad44598ee fix: several FPs against a freshly installed Windows with example applications and basic user interaction 2 2022-02-10 16:12:17 +01:00
Florian Roth 3b67b44b82 Merge branch 'aurora-false-positive-fixing' of https://github.com/SigmaHQ/sigma into aurora-false-positive-fixing 2022-02-09 18:18:59 +01:00
Florian Roth 2bbf6089ed fix: FPs, wrong modifier 2022-02-09 18:18:57 +01:00
Florian Roth 42ecaf2254 Merge branch 'master' into aurora-false-positive-fixing 2022-02-09 17:59:16 +01:00
Florian Roth 0d3c7aafe8 fix: FPs with Microsoft Defender LSASS ASR events 2022-02-09 17:24:29 +01:00
Florian Roth a60426e4a2 Update win_alert_lsass_access.yml 2022-02-07 15:43:04 +01:00
phantinuss ed2025e626 fix: FPs 2022-02-07 15:32:15 +01:00
Florian Roth 44221ed95e fix: Aurora Sigma rule matches in application log 2022-02-05 21:38:10 +01:00
Florian Roth 48aeae8ca9 Merge pull request #2631 from JSHOX1/patch-1
Create win_susp_ntlm_brute_force.yml
2022-02-04 00:49:27 +01:00
Florian Roth e6fb282064 Merge pull request #2637 from ruppde/master
Update win_av_relevant_match.yml
2022-02-03 22:28:19 +01:00
Florian Roth 20463ed18e Update win_susp_ntlm_brute_force.yml 2022-02-03 22:02:33 +01:00
Florian Roth 46f094d6f9 Merge pull request #2635 from SigmaHQ/rule-devel
refactor: avoid regex use
2022-02-03 21:56:58 +01:00
Arnim Rupp aab00905f1 Update win_av_relevant_match.yml
Add Ransomware and Cobalt Strike strings.
2022-02-03 21:43:42 +01:00