Commit Graph

7964 Commits

Author SHA1 Message Date
Tim Shelton 1ebd75754f omgosh fix err in syntax on this.... sooo sorry! 2021-12-01 21:15:41 +00:00
Tim Shelton d90ddc097e adding additional filter for lsass: ShareName=\\*\IPC$ | ShareLocalPath= | RelativeTargetName=lsass | AccessMask=0x2019f 2021-12-01 18:36:38 +00:00
Tim Shelton 7626b73b8e Duplicate matching causes confusion. Converting to simplified selection (matching) and false positive (filtering) phases 2021-12-01 18:33:48 +00:00
Tim Shelton 86250b4acb fixing lint err 2021-12-01 18:15:39 +00:00
Tim Shelton 3aca9ad2ef fixing false positive due to direct calls to xcopy and cmd.exe 2021-12-01 18:01:36 +00:00
Tim Shelton 1e97156684 Fixing conflict where both selection and filter have the same value. 2021-12-01 17:29:00 +00:00
frack113 30a5838514 Merge pull request #2359 from phantinuss/master: Add dll+exe files to rule because of CVE-2020-1599 2021-12-01 16:46:04 +01:00
Tim Shelton 677bdd9768 oof, adding to selection and not filter 2021-12-01 15:37:11 +00:00
Tim Shelton 96295a717c Adding filter for read only accesslist, attack cannot be triggered 2021-12-01 15:35:51 +00:00
frack113 04d90ee007 Merge pull request #2350 from redsand/fp_format_list: Filtering false positives of static arguments to wmic /format 2021-12-01 16:29:47 +01:00
phantinuss 204c627991 add PE files because of CVE-2020-1599 2021-12-01 15:14:43 +01:00
phantinuss 1150e07121 fix: typo 2021-12-01 15:14:43 +01:00
Florian Roth 0903b667c1 Merge pull request #2356 from SigmaHQ/aurora-false-positive-fixing: Aurora false positive fixing 2021-12-01 15:10:50 +01:00
Florian Roth f75ffb6141 Merge pull request #2358 from SigmaHQ/rule-devel: rules: addition to APT UserAgents, new: NPPSpy Hacktool Usage 2021-12-01 15:10:17 +01:00
Florian Roth 7fad4768e4 rule: APT UA - new user agent 2021-12-01 14:20:05 +01:00
Florian Roth 6b7206ca2a fix: print driver FP 2021-12-01 14:14:53 +01:00
Florian Roth 5a01a88af1 fix: FPs with FileStream events 2021-12-01 14:10:56 +01:00
Florian Roth 4a136fdce6 simplified condition 2021-12-01 14:06:09 +01:00
Florian Roth f2199eacad fix: FPs noticed with Aurora 2021-12-01 13:39:53 +01:00
frack113 b71c2d7a07 Merge pull request #2355 from mgreen27/master: Update win_renamed_binary.yml 2021-12-01 08:12:08 +01:00
frack113 80a1b02fe5 Update win_renamed_binary.yml 2021-12-01 06:54:30 +01:00
frack113 25e9a6d13c Merge pull request #2352 from frack113/provider_name: Add Provider Name to system and security channel 2021-12-01 06:53:30 +01:00
Matthew Green 0384f8fb52 Update win_renamed_binary.yml 2021-12-01 15:07:06 +11:00
Florian Roth 6d155ad2ce fix: simplified and extended rule 2021-11-30 20:12:07 +01:00
Florian Roth 149f2d509a Merge pull request #2354 from SigmaHQ/aurora-false-positive-fixing: Aurora false positive fixing 2021-11-30 20:07:09 +01:00
Florian Roth 9b235f6873 fix: Granted Access 0x410 in different rules 2021-11-30 19:20:37 +01:00
Florian Roth e89646a696 Merge branch 'aurora-false-positive-fixing' of https://github.com/SigmaHQ/sigma into aurora-false-positive-fixing 2021-11-30 19:15:20 +01:00
Florian Roth 112c3522d8 fix: FPs noticed with Aurora 2021-11-30 19:14:49 +01:00
Tim Shelton fa26f5f7f5 simplifying format 2021-11-30 14:21:38 +00:00
frack113 24d73a5f8a Add definition info 2021-11-30 15:10:36 +01:00
frack113 5c1b3f8362 Add Provider_Name 2021-11-30 15:03:53 +01:00
Florian Roth a4a2654050 Merge pull request #2349 from redsand/fix_xor_false_positive: adding false positive filter for amazon ssm-document-worker 2021-11-30 14:11:34 +01:00
frack113 03e549e335 Fix FP Kaspersky Security Center Web Console 2021-11-30 10:36:12 +01:00
frack113 e54bd6b03c Fix TrendMicro OSCE FP 2021-11-30 10:16:35 +01:00
Tim Shelton 14f11c905d adding additional entries that are static 2021-11-29 23:02:48 +00:00
Tim Shelton 44f791680f adding filter for FP /Format:List which is a specific format 2021-11-29 22:57:26 +00:00
Florian Roth 20b5c0bb5d Merge pull request #2347 from redsand/sysmon_logon_scripts_userinitmprlogonscript_proc: Sysmon logon scripts userinitmprlogonscript proc 2021-11-29 23:25:16 +01:00
Florian Roth 2da59406b7 Merge pull request #2344 from frack113/dfir_20211129: add win_pc_susp_regsvr32_image 2021-11-29 23:24:45 +01:00
Tim Shelton 0c283ab767 adding false positive filter for amazon ssm-document-worker 2021-11-29 21:51:19 +00:00
Florian Roth ca77ec42cc Merge pull request #2346 from redsand/fp_powershell_malicious_commandlets: adding amazon ec2 to list of false positives for powershell cmdlet detection 2021-11-29 22:33:39 +01:00
Tim Shelton 422a579aca Merge branch 'sysmon_logon_scripts_userinitmprlogonscript_proc' of https://github.com/redsand/sigma into sysmon_logon_scripts_userinitmprlogonscript_proc 2021-11-29 19:59:38 +00:00
Tim Shelton c20a6daa73 adding wildcard to netlogon to be a bit more inclusive. 2021-11-29 19:59:26 +00:00
Tim Shelton 48a45b06eb fixing format 2021-11-29 19:23:31 +00:00
Tim Shelton f0c6dbdc84 adding amazon ec2 to list of false positives 2021-11-29 19:20:00 +00:00
Florian Roth 9209051f94 fix: FPs noticed with Aurora 2021-11-29 18:25:34 +01:00
Florian Roth b8985a222f fix: FPs noticed with Aurora 2021-11-29 16:13:24 +01:00
frack113 09712e7388 add win_pc_susp_regsvr32_image 2021-11-29 16:05:53 +01:00
Florian Roth 97d2ce0297 NPPSpy file creation rule 2021-11-29 16:03:03 +01:00
Florian Roth 4d7fd953a5 revert change to filters in dbghelp/dbgcore rule 2021-11-29 15:47:50 +01:00
Florian Roth dcf9d8c828 fix: FPs noticed with Aurora 2021-11-29 15:38:43 +01:00