Commit Graph

187 Commits

Author SHA1 Message Date
Florian Roth 7b8ead3f9c Merge branch 'master' into aurora-false-positive-fixing 2022-03-20 17:59:58 +01:00
Florian Roth 811ed59e27 fix: FPs with Aurora and THOR 2022-03-20 16:18:18 +01:00
phantinuss 3ab601b334 fix: FP with Sysinternals' handle 2022-03-18 17:06:53 +01:00
frack113 becf3baeb4 Merge pull request #2813 from phantinuss/master
Changes to falsepositives metadata
2022-03-17 14:31:27 +01:00
Florian Roth bd8306cd28 Merge pull request #2814 from SigmaHQ/aurora-false-positive-fixing
fix: sadly still too many fps with this rule
2022-03-16 18:15:23 +01:00
Florian Roth 426b3a0906 Merge pull request #2796 from d4rk-d4nph3/master
Added rule for shellcode injection by Metasploit and Empire
2022-03-16 15:34:03 +01:00
Florian Roth 4445ea6baf fix: sadly still too many fps with this rule 2022-03-16 15:21:27 +01:00
phantinuss b23eee6ebf fix: unknown --> Unknown 2022-03-16 13:43:54 +01:00
Florian Roth 7ee62d7f69 Merge branch 'master' into rule-devel 2022-03-14 11:38:44 +01:00
Florian Roth a9b7c365cd docs: adjusted description 2022-03-13 23:30:44 +01:00
Florian Roth 7e0928233b refactor: split up lsass access rule in two
- one with level medium that contains all access attempts using 0x410, 0x1410 and 0x1040
- all other access masks remain in the original rule
2022-03-13 23:29:54 +01:00
frack113 c5c72124b1 WindowsUpdate FP 2022-03-13 19:22:08 +01:00
Bhabesh d7d9a19cd4 Added rule for shellcode injection by Metasploit and Empire 2022-03-11 20:05:22 +05:45
Florian Roth 9cc77ce817 Merge branch 'master' into aurora-false-positive-fixing 2022-03-07 15:40:42 +01:00
frack113 7922becd0b Fix FP new install 2022-03-04 16:53:30 +01:00
Florian Roth 1eedcc3659 fix: FPs with MalwareBytes software 2022-02-27 19:01:39 +01:00
frack113 7fb8272f94 Name Normalization
2022-02-27 10:58:14 +01:00
Tobias Michalski e89867848d Update sysmon_mimikatz_trough_winrm.yml 2022-02-24 11:27:57 +01:00
Tobias Michalski 4a6ab42c6b Update sysmon_mimikatz_trough_winrm.yml 2022-02-24 11:09:47 +01:00
Tobias Michalski 662e5ed66d fix: False Positives 2022-02-24 10:35:31 +01:00
Florian Roth cbe7abc16e Merge branch 'master' into aurora-false-positive-fixing 2022-02-21 18:49:45 +01:00
Florian Roth 921d46ca79 fix: FPs noticed with Aurora 2022-02-21 18:43:18 +01:00
phantinuss f2be1ed1b8 fix: FPs 2022-02-18 13:04:25 +01:00
phantinuss ac8cd7516a fix: single list items 2022-02-16 16:31:11 +01:00
phantinuss 5aee70f7d5 fix: exclude common FPs occurring on test system 2022-02-16 16:31:11 +01:00
Florian Roth 12f7c58274 fix: FPs noticed with Aurora 2022-02-12 00:40:10 +01:00
Nasreddine Bencherchali d0b68c4483 Update win_susp_proc_access_lsass.yml 2022-02-11 14:20:42 +01:00
phantinuss 6ad44598ee fix: several FPs against a freshly installed Windows with example applications and basic user interaction 2 2022-02-10 16:12:17 +01:00
Florian Roth 47d9595123 Merge pull request #2677 from SigmaHQ/rule-devel
refactor and new: lsass process dumping rules
2022-02-10 15:51:19 +01:00
Florian Roth 5ab21fdd0a docs: wording 2022-02-10 12:49:23 +01:00
Florian Roth 3c7c348b89 refactor: extended rules and made them more exact 2022-02-10 12:46:24 +01:00
Florian Roth a05b3e50e5 refactor and new: lsass process dumping rules 2022-02-10 09:17:25 +01:00
Florian Roth 69fcbc138e fix: FPs noticed with Aurora 2022-02-08 09:34:53 +01:00
Florian Roth fada8df7d4 fix: FP noticed with Aurora 2022-02-05 21:40:03 +01:00
Florian Roth 0e5846aced fix: remove new line 2022-02-03 21:54:16 +01:00
Florian Roth 15dfdd8262 fix: FPs noticed with Aurora 2022-02-03 21:53:26 +01:00
Florian Roth 6c2dea3a8c fix: FPs noticed with Aurora 2022-02-01 15:57:44 +01:00
Florian Roth 8d5742e83e fix: fixing FPs with LSASS access mask in old rule 2022-01-29 18:17:46 +01:00
Florian Roth 7b05827326 fix: FPs noticed with Aurora 2022-01-28 17:26:51 +01:00
Florian Roth 82d5f4a511 fix: too many false positives with certain access masks 2022-01-27 09:08:40 +01:00
mhaag-spl b3b37719e7 Update sysmon_lsass_memdump.yml
Updated Sysmon Lsass Memdump to detect other memory dumping techniques from mimikatz, nanodump, invoke-mimikatz, and so forth. This adds additional GrantedAccess permissions and adds ntdll.dll to CallTrace. Tested with Atomic Red Team T1003.001, MimiKatz, Invoke-Mimikatz and Cobalt Strike.
2022-01-26 08:12:49 -07:00
frack113 6eeb0723ed Fix FP thanks aurora 2022-01-21 13:14:35 +01:00
frack113 4631d0c482 remove invalid tag 2022-01-19 18:23:30 +01:00
Florian Roth f27a8c96d1 Merge pull request #2556 from SigmaHQ/aurora-false-positive-fixing
Aurora false positive fixing
2022-01-13 21:04:22 +01:00
Florian Roth 56097703f1 fix: FP detected with Aurora 2022-01-13 09:17:42 +01:00
Bhabesh 6554556c14 Added two filters to reduce FP 2022-01-12 12:55:07 +05:45
Florian Roth bdbb156090 fix: FPs noticed with Aurora 2022-01-08 15:12:17 +01:00
frack113 73f258e2d1 Change double quote to quote 2022-01-06 14:02:35 +01:00
Florian Roth 1653f30953 Merge branch 'aurora-false-positive-fixing' of https://github.com/SigmaHQ/sigma into aurora-false-positive-fixing 2021-12-22 19:00:35 +01:00
Florian Roth c4fa0c22ad fix: FPs noticed with Aurora 2021-12-22 19:00:32 +01:00