security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
10,511 Commits 1 Branch 57 Tags
e91fc4486e57fc40e30d12253694de4c80a9e4ea
Commit Graph

6187 Commits

Author SHA1 Message Date
Florian Roth 12f7c58274 fix: FPs noticed with Aurora 2022-02-12 00:40:10 +01:00
Florian Roth 626b5a0488 Merge branch 'master' into aurora-false-positive-fixing 2022-02-12 00:36:33 +01:00
frack113 4e0b3d719a add win_pc_susp_run_folder 2022-02-11 21:37:11 +01:00
Florian Roth a7e4ef4442 Merge branch 'aurora-false-positive-fixing' of https://github.com/SigmaHQ/sigma into aurora-false-positive-fixing 2022-02-11 20:21:37 +01:00
Florian Roth 85b25bf17e fix: FP noticed with Aurora 
VSCode installer uses .tmp extension
 2022-02-11 20:21:35 +01:00
Florian Roth 7e46d382f0 Merge pull request #2687 from nasbench/master 
Update win_susp_proc_access_lsass.yml
 2022-02-11 18:06:55 +01:00
Florian Roth c441852e5d Merge pull request #2688 from phantinuss/checkbaseline 
Fix FPs (Example Installation 3)
 2022-02-11 18:06:37 +01:00
Florian Roth 891475dccb Merge pull request #2684 from SigmaHQ/rule-devel 
rules: SAM dump, suspicious program names, iso/img mount
 2022-02-11 18:06:20 +01:00
Tim Shelton 6d27058ce0 updating, with suggestions 2022-02-11 16:12:43 +00:00
phantinuss 646ce36809 fix: use doublequotes instead of ' because of ' in string 2022-02-11 16:52:45 +01:00
phantinuss 809f7abbb8 fix: several FPs against a fresh installed Windows with example applications and basic user interaction 3 2022-02-11 16:38:52 +01:00
Nasreddine Bencherchali d0b68c4483 Update win_susp_proc_access_lsass.yml 2022-02-11 14:20:42 +01:00
Florian Roth a72e432389 Merge branch 'rule-devel' of https://github.com/SigmaHQ/sigma into rule-devel 2022-02-11 14:15:54 +01:00
Florian Roth 0476b8693d refactor: extended .iso rule 2022-02-11 14:15:51 +01:00
Florian Roth 635a5c7d41 fix: wrong condition 2022-02-11 12:47:34 +01:00
Florian Roth 06e62c48ee Merge pull request #2683 from SigmaHQ/aurora-false-positive-fixing 
Aurora false positive fixing
 2022-02-11 12:45:41 +01:00
Florian Roth 3fa2d13e10 rule: iso / img file mount 2022-02-11 12:37:35 +01:00
Florian Roth 8e255bfdaf refactor: sam hive dump filename rule 2022-02-11 12:16:40 +01:00
Florian Roth 1bf00333f7 fix: exclude empty OriginalName fields 2022-02-11 12:01:02 +01:00
Florian Roth 36b0a13e0f fix: better way to filter these events 2022-02-11 12:00:08 +01:00
Florian Roth 55a2fdd1c3 fix: FP noticed with Aurora 2022-02-11 11:58:30 +01:00
Florian Roth e6989f9efb rules: samdumps, suspicious program names 2022-02-11 11:58:02 +01:00
frack113 6a69a06ea9 Merge pull request #2681 from johnpaulglab/patch-1 
Update win_pc_msiexec_install_quiet.yml
 2022-02-11 06:35:18 +01:00
johnpaulglab a8f8f88c34 Update win_pc_msiexec_execute_dll.yml 
Spelling error
 2022-02-10 14:41:22 -06:00
johnpaulglab 89e98db927 Update win_pc_msiexec_install_quiet.yml 
Spelling error
 2022-02-10 14:38:51 -06:00
phantinuss 97f4b8a1e9 fix: mandatory escaping of \* 2022-02-10 16:16:42 +01:00
phantinuss 6ad44598ee fix: several FPs against a fresh installed Windows with example applications and basic user interaction 2 2022-02-10 16:12:17 +01:00
Florian Roth 47d9595123 Merge pull request #2677 from SigmaHQ/rule-devel 
refactor and new: lsass process dumping rules
 2022-02-10 15:51:19 +01:00
Florian Roth 5ab21fdd0a docs: wording 2022-02-10 12:49:23 +01:00
Florian Roth 3c7c348b89 refactor: extended rules and made them more exact 2022-02-10 12:46:24 +01:00
Tobias Michalski 6af5d4b6f5 fix: False Positive fix 
Empty field CurrentDirectory should be "or"-ed
 2022-02-10 12:15:18 +01:00
Florian Roth a05b3e50e5 refactor and new: lsass process dumping rules 2022-02-10 09:17:25 +01:00
Tim Shelton 330450cae6 fixing error 2022-02-10 00:01:55 +00:00
Tim Shelton bc40160444 fixing more yaml lint complaints 2022-02-10 00:00:03 +00:00
Tim Shelton a72f843081 i think the yaml is angry 2022-02-09 23:50:07 +00:00
Tim Shelton 2ce7d60729 splitting up filters 2022-02-09 23:46:07 +00:00
Florian Roth 11af922740 Update win_file_permission_modifications.yml 2022-02-09 23:17:32 +01:00
Florian Roth 0dc9234176 Merge pull request #2675 from redsand/fp_win_apt_bluemashroom 
Adds false positive filter to win apt bluemashroom
 2022-02-09 23:11:55 +01:00
Tim Shelton ae2c0f0a7f fixing test 2022-02-09 21:26:43 +00:00
Tim Shelton d48b6beaf5 Filtering fp of dynatrace behavior 2022-02-09 20:24:59 +00:00
Tim Shelton 531f9a61f1 Adds false positive filter to win apt bluemashroom and process for adding additional filters in the future 2022-02-09 20:11:45 +00:00
Florian Roth 2a816c53d7 Merge pull request #2674 from SigmaHQ/aurora-false-positive-fixing 
fix: extended rule due to high number of fps
 2022-02-09 20:48:07 +01:00
Florian Roth dc38a01a21 Merge pull request #2673 from SigmaHQ/aurora-false-positive-fixing 
fix: FPs with Microsoft Defender LSASS ASR events
 2022-02-09 19:09:37 +01:00
Florian Roth 9996ba3549 fix: extended rule due to high number of fps 2022-02-09 19:09:14 +01:00
Florian Roth 3b67b44b82 Merge branch 'aurora-false-positive-fixing' of https://github.com/SigmaHQ/sigma into aurora-false-positive-fixing 2022-02-09 18:18:59 +01:00
Florian Roth 2bbf6089ed fix: FPs, wrong modifier 2022-02-09 18:18:57 +01:00
Florian Roth 42ecaf2254 Merge branch 'master' into aurora-false-positive-fixing 2022-02-09 17:59:16 +01:00
phantinuss 43bae23f23 fix: several FPs against a fresh installed Windows with example applications and basic user interaction 2022-02-09 17:47:22 +01:00
phantinuss 0a5f2a020a fix: filter events with empty sysmon field 2022-02-09 17:47:22 +01:00
Florian Roth 0d3c7aafe8 fix: FPs with Microsoft Defender LSASS ASR events 2022-02-09 17:24:29 +01:00