Commit Graph

91 Commits

Author SHA1 Message Date
phantinuss 043747822f fix: more false positives harmonization 2022-03-16 14:57:06 +01:00
phantinuss 8d3f8acb60 fix: none --> Unknown 2022-03-16 14:19:21 +01:00
phantinuss b23eee6ebf fix: unknown --> Unknown 2022-03-16 13:43:54 +01:00
Florian Roth 9cc77ce817 Merge branch 'master' into aurora-false-positive-fixing 2022-03-07 15:40:42 +01:00
frack113 7fb8272f94 Name Normalization 2022-02-27 10:58:14 +01:00
Florian Roth 52d30f4132 fix: FPs noticed with Aurora 2022-02-26 13:18:18 +01:00
Florian Roth 921d46ca79 fix: FPs noticed with Aurora 2022-02-21 18:43:18 +01:00
Florian Roth 57271c3c00 fix: bugs in rules 2022-02-16 17:26:57 +01:00
Florian Roth 51bbe21c70 fix: more Aurora FP fixes 2022-02-16 17:16:50 +01:00
Florian Roth 2500c16aea fix: FPs noticed with Aurora 2022-02-16 17:00:27 +01:00
phantinuss 43bae23f23 fix: several FPs against a fresh installed Windows with example applications and basic user interaction 2022-02-09 17:47:22 +01:00
Florian Roth 4b09e643c2 fix: condition in malware back connect rule 2022-02-02 13:48:56 +01:00
frack113 90334e7f7c Red Canary Windows test 2022-01-23 11:37:01 +01:00
frack113 4631d0c482 remove invalid tag 2022-01-19 18:23:30 +01:00
frack113 12f0d6dfab Windows Red Canary 2022-01-16 14:47:56 +01:00
frack113 af99c75785 Windows Red Canary 2022-01-08 09:17:56 +01:00
Tim Shelton e596dab472 Allows PasswordState to initiate RDP connections, per feature "Passwordstate Remote Session Launcher" https://www.clickstudios.com.au/downloads/version9/Passwordstate_Remote_Session_Launcher_Gateway_Install_Guide.pdf 2021-12-29 14:27:22 +00:00
Florian Roth f37603ab60 fix: filter FPs with Microsoft cloud 2021-12-27 19:47:32 +01:00
Florian Roth d88f6b2208 Merge pull request #2459 from SigmaHQ/aurora-false-positive-fixing
fix: FPs noticed with Aurora
2021-12-16 20:34:30 +01:00
Florian Roth 84e5d60bbc fix: FPs noticed with Aurora 2021-12-16 19:54:22 +01:00
frack113 904fb9181e Add windows t1046 rules 2021-12-10 16:31:16 +01:00
Florian Roth 50ddc5f3ab style: new best practice filter condition 2021-12-07 20:58:03 +01:00
Tim Shelton f08a264986 fixing space 2021-12-07 19:47:13 +00:00
Tim Shelton d4b71dff88 Adding filter for IPv6 local for rundll32 net connections 2021-12-07 19:44:29 +00:00
Florian Roth 6c72657902 rule: Communication To Mega.nz 2021-12-06 18:35:04 +01:00
Tim Shelton b1f7cf21dd adding tomcat8 to allowed Kerberos outbound. 2021-12-02 14:55:12 +00:00
Tim Shelton 1e97156684 Fixing conflict where both selection and filter have the same value. 2021-12-01 17:29:00 +00:00
frack113 01dc930c17 Change status for old rules 2021-11-27 11:33:14 +01:00
frack113 f47d0da3f7 add missing MITRE Techniques 2021-11-20 12:26:01 +01:00
Florian Roth 1661c61147 Merge pull request #2250 from securepeacock/patch-5
Create sysmon_excel_outbound_network_connection.yml
2021-11-12 13:05:02 +01:00
securepeacock 27a72f10fe Update sysmon_excel_outbound_network_connection.yml
I got an error for level field, I'm guessing it was due to a capital M and it's case sensitive.
2021-11-11 21:57:44 -05:00
securepeacock e514567a82 Update sysmon_excel_outbound_network_connection.yml 2021-11-11 21:50:10 -05:00
securepeacock e207596041 Update sysmon_excel_outbound_network_connection.yml 2021-11-11 21:46:24 -05:00
securepeacock 1d58c79386 Update sysmon_excel_outbound_network_connection.yml 2021-11-11 21:44:07 -05:00
securepeacock b4da880a9f Update sysmon_excel_outbound_network_connection.yml
Updated per Florian's recommendations, please let me know if there's anything else.
2021-11-11 19:49:16 -05:00
Florian Roth 81922af134 Merge pull request #2249 from redsand/add_allow_for_dns_exe_via_dc
Add allow for dns exe via dc
2021-11-11 17:22:32 +01:00
securepeacock 361660e42c Update sysmon_excel_outbound_network_connection.yml 2021-11-10 15:28:19 -05:00
securepeacock 352b62241b Create sysmon_excel_outbound_network_connection.yml 2021-11-10 15:18:16 -05:00
frack113 95b9cd3d35 fix detection 2021-11-10 19:40:10 +01:00
Tim Shelton 52d0cb67eb adding additional allow for dns service (domain controllers) 2021-11-10 17:09:15 +00:00
Florian Roth fcecb951d5 Merge branch 'master' into rule-devel 2021-10-26 22:03:55 +02:00
Florian Roth ab499c9c21 rules: crypto coin mining 2021-10-26 08:52:07 +02:00
frack113 fd329f4f9b Remove unneeded EventID 2021-10-04 21:25:57 +02:00
frack113 0884a70e28 fix tests.py error 2021-09-21 10:52:37 +02:00
frack113 4c85858e12 split global sysmon_regsvr32_network_activity.yml 2021-09-21 10:33:47 +02:00
frack113 f90c7558a7 update global id 2021-09-02 21:03:25 +02:00
frack113 2cb5f5e4c6 add missing tags 2021-09-01 12:54:21 +02:00
Florian Roth 58a634b0b6 Merge branch 'master' into master 2021-07-11 00:32:55 +02:00
Florian Roth c91eda7660 Merge pull request #1610 from cianmcgovern/powershell-network-connection
Move IPv6 check to selection fields as filter is negated
2021-07-08 14:53:36 +02:00
mlp1515 29a6a2d5fb Merge branch 'SigmaHQ:master' into master 2021-07-07 08:25:04 +02:00