Commit Graph

51 Commits

Author SHA1 Message Date
Florian Roth 7b8ead3f9c Merge branch 'master' into aurora-false-positive-fixing 2022-03-20 17:59:58 +01:00
Florian Roth b3d19126c7 docs: add FP conditions 2022-03-20 16:21:35 +01:00
phantinuss 043747822f fix: more falsepositives harmonization 2022-03-16 14:57:06 +01:00
phantinuss 6ae28b7a1c fix: legitimate --> Legitimate 2022-03-16 14:35:19 +01:00
phantinuss 84d0c472ba fix: remove penetration test as valid false positive reason 2022-03-16 14:33:18 +01:00
phantinuss 4585133325 fix: remove penetration testing as a valid false positive 2022-03-16 13:51:26 +01:00
phantinuss b23eee6ebf fix: unknown --> Unknown 2022-03-16 13:43:54 +01:00
Feathers 8014c477cd Update win_dcsync.yml
Added a more detailed source on this detection.
Also included the AccessMask corresponding to “control access” that is specifically registered when access is allowed following extended rights verification (typically associated with the use of high-level and explicit permissions that are required to initiate the DCSync attack), as is described in the Black Lantern Security blog post.
Added 3 other GUIDs that correspond to:
1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 - DS-Replication-Get-Changes
9923a32a-3607-11d2-b9be-0000f87a36b2 - DS-Install-Replica
89e95b76-444d-4c62-991a-0facbeda640c - DS-Replication-Get-Changes-In-Filtered-Set
2022-03-15 12:37:07 +01:00
frack113 5938569d3e Refactor regex 2022-03-08 19:07:37 +01:00
frack113 793bf99c85 refactor regex 2022-03-06 20:15:32 +01:00
unknown 528cdd199b Update modified date 2022-02-24 14:38:35 -05:00
unknown 03048a1fdb Fix criteria to contains bckupkey 2022-02-24 13:55:34 -05:00
frack113 ffe2dd2a00 fix Provider_Name 2022-02-24 06:54:22 +01:00
Florian Roth 6ce92b27be refactor: more regex avoidance 2022-02-03 20:05:10 +01:00
Florian Roth 8c07a51ab9 fix: non-ascii character in description 2022-02-03 19:52:07 +01:00
Florian Roth b715894497 refactor: avoid regex use 2022-02-03 19:48:19 +01:00
frack113 4631d0c482 remove invalid tag 2022-01-19 18:23:30 +01:00
Tom Maier 2cd464e77c Adjusted modified field to current date 2022-01-17 14:18:33 +01:00
Tom Maier 82e7ce7799 Adjust case sensitivity of Provider_Name field 2022-01-17 10:36:09 +01:00
frack113 5890c1bb20 Fix logsource 2022-01-16 08:56:51 +01:00
frack113 f7e670d55e Simple Quote 2022-01-11 13:40:53 +01:00
frack113 ac240b1487 Merge pull request #2527 from frack113/promote_366d
Change status to test
2022-01-09 08:02:36 +01:00
Florian Roth 3cf4c9845c Merge pull request #2530 from SigmaHQ/rule-devel
docs: changed title of rules that were equal
2022-01-07 14:15:17 +01:00
Florian Roth d31f5258eb docs: changed title of rules that were equal 2022-01-07 13:07:35 +01:00
frack113 c6014b1205 Change status to test 2022-01-07 07:04:24 +01:00
frack113 73f258e2d1 Change double quote to quote 2022-01-06 14:02:35 +01:00
Florian Roth e9702af82b rule: sAMAccountName Spoofing CVE-2021-42287 2021-12-22 08:50:05 +01:00
Florian Roth baa1dcd608 Merge pull request #2417 from stbe/imp_lsass_defender
Added Defender to win_susp_lsass_dump_generic.yml
2021-12-10 00:00:22 +01:00
stbe 44db55c4fd Refined definition of defender executable 2021-12-09 22:55:09 +01:00
frack113 e049058d14 Merge pull request #2415 from frack113/condition
builtin/security simplified condition
2021-12-09 16:24:24 +01:00
stbe 20f185f2b8 Added Defender to win_susp_lsass_dump_generic.yml 2021-12-09 13:57:09 +01:00
Florian Roth af2c6a0ecb Lower the level to "low"
In case that some backends/scripts/tools don't respect the "deprecated" status
2021-12-09 13:01:12 +01:00
frack113 62207b80ba Change to deprecated as too many FP 2021-12-09 09:34:08 +01:00
frack113 3ce9336e79 simplified condition 2021-12-08 20:12:57 +01:00
Florian Roth 157fa31f1b Merge pull request #2400 from redsand/fixing_errs_with_invoke_obfus
Fixing errs with invoke obfus
2021-12-08 14:49:42 +01:00
stbe 7566207026 Corrected filter field name in win_pass_the_hash.yml 2021-12-08 14:03:13 +01:00
stbe 88b5e1bd9e Corrected filter field name in win_pass_the_hash_2.yml 2021-12-08 13:49:18 +01:00
Tim Shelton 3bf8eb6aff reverting modified date, batch 2 2021-12-07 17:55:52 +00:00
Tim Shelton d79a0e029b reverting modified date, batch 1 2021-12-07 17:53:50 +00:00
Tim Shelton c9e08884f6 updating date 2021-12-07 16:27:01 +00:00
Tim Shelton aa16afd09c updating date 2021-12-07 16:26:38 +00:00
Tim Shelton 3fa1624b68 order matters... need to use most intensive match last 2021-12-07 16:11:42 +00:00
Tim Shelton fddf423878 order matters... need to use most intensive match last 2021-12-07 16:10:33 +00:00
Tim Shelton 3873872381 order matters... need to use most intensive match last 2021-12-07 16:09:35 +00:00
Tim Shelton 8f20846524 order matters... need to use most intensive match last 2021-12-07 16:08:37 +00:00
Tim Shelton f31b3865ae order matters... need to use most intensive match last 2021-12-07 16:07:18 +00:00
Tim Shelton 8086c3446f order matters... need to use most intensive match last 2021-12-07 16:04:21 +00:00
Tim Shelton 9122b3c881 order matters... need to use most intensive match last 2021-12-07 16:03:09 +00:00
Tim Shelton 3fcda9704e order matters... need to use most intensive match last 2021-12-07 16:01:28 +00:00
Tim Shelton 31be528fa0 adding sql\query to name pipe list 2021-12-06 22:27:57 +00:00