security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
10,511 Commits 1 Branch 57 Tags
e91fc4486e57fc40e30d12253694de4c80a9e4ea
Commit Graph

7964 Commits

Author SHA1 Message Date
Tobias Michalski 6af5d4b6f5 fix: False Positive fix 
Empty field CurrentDirectory should be "or"-ed
 2022-02-10 12:15:18 +01:00
Florian Roth a05b3e50e5 refactor and new: lsass process dumping rules 2022-02-10 09:17:25 +01:00
frack113 3ea09e9ec6 Update azure_mfa_disabled.yml 2022-02-10 06:40:03 +01:00
frack113 69413c26bb Update microsoft365_new_federated_domain_added.yml 2022-02-10 06:39:02 +01:00
Tim Shelton 330450cae6 fixing error 2022-02-10 00:01:55 +00:00
Tim Shelton bc40160444 fixing more yaml lint complaints 2022-02-10 00:00:03 +00:00
Tim Shelton a72f843081 i think the yaml is angry 2022-02-09 23:50:07 +00:00
Tim Shelton 2ce7d60729 splitting up filters 2022-02-09 23:46:07 +00:00
Florian Roth 11af922740 Update win_file_permission_modifications.yml 2022-02-09 23:17:32 +01:00
Florian Roth 0dc9234176 Merge pull request #2675 from redsand/fp_win_apt_bluemashroom 
Adds false positive filter to win apt bluemashroom
 2022-02-09 23:11:55 +01:00
Tim Shelton ae2c0f0a7f fixing test 2022-02-09 21:26:43 +00:00
Tim Shelton d48b6beaf5 Filtering fp of dynatrace behavior 2022-02-09 20:24:59 +00:00
Tim Shelton 531f9a61f1 Adds false positive filter to win apt bluemashroom and process for adding additional filters in the future 2022-02-09 20:11:45 +00:00
Florian Roth 2a816c53d7 Merge pull request #2674 from SigmaHQ/aurora-false-positive-fixing 
fix: extended rule due to high number of fps
 2022-02-09 20:48:07 +01:00
Florian Roth dc38a01a21 Merge pull request #2673 from SigmaHQ/aurora-false-positive-fixing 
fix: FPs with Microsoft Defender LSASS ASR events
 2022-02-09 19:09:37 +01:00
Florian Roth 9996ba3549 fix: extended rule due to high number of fps 2022-02-09 19:09:14 +01:00
Florian Roth 3b67b44b82 Merge branch 'aurora-false-positive-fixing' of https://github.com/SigmaHQ/sigma into aurora-false-positive-fixing 2022-02-09 18:18:59 +01:00
Florian Roth 2bbf6089ed fix: FPs, wrong modifier 2022-02-09 18:18:57 +01:00
Florian Roth 42ecaf2254 Merge branch 'master' into aurora-false-positive-fixing 2022-02-09 17:59:16 +01:00
phantinuss 43bae23f23 fix: several FPs against a fresh installed Windows with example applications and basic user interaction 2022-02-09 17:47:22 +01:00
phantinuss 0a5f2a020a fix: filter events with empty sysmon field 2022-02-09 17:47:22 +01:00
Florian Roth 0d3c7aafe8 fix: FPs with Microsoft Defender LSASS ASR events 2022-02-09 17:24:29 +01:00
Florian Roth 7470a1b8d4 Merge pull request #2671 from frack113/SpoolFool 
Add CVE-2022–22718
 2022-02-09 13:13:15 +01:00
frack113 54c2dcdafb Add CVE-2022–22718 2022-02-09 08:40:04 +01:00
Florian Roth 98249b6916 Merge pull request #2670 from SigmaHQ/aurora-false-positive-fixing 
refactor: reduced level of TeamViewer rule
 2022-02-08 22:05:34 +01:00
Florian Roth 9c7679e319 fix: duplicate date field 2022-02-08 20:41:26 +01:00
Florian Roth d388ce945c refactor: reduced level of TeamViewer rule 2022-02-08 20:40:31 +01:00
Florian Roth ef23efa60f Merge pull request #2668 from SigmaHQ/rule-devel 
rule: suspicious execution from suspicious folders
 2022-02-08 19:14:23 +01:00
Florian Roth 3e0f45d11e rule: suspicious execution from temp folders 2022-02-08 16:15:46 +01:00
Florian Roth 93767430fa Merge pull request #2666 from SigmaHQ/rule-devel 
Network Recon Activity : nslookup _ldap._tcp.dc._msdcs
 2022-02-08 13:30:32 +01:00
Florian Roth fa81384917 Merge pull request #2667 from SigmaHQ/aurora-false-positive-fixing 
Aurora false positive fixing
 2022-02-08 13:30:21 +01:00
Florian Roth ed06403d04 fix: unneeded list 2022-02-08 12:21:43 +01:00
Feathers 7cb55b1704 Create microsoft365_new_federated_domain_added.yml 2022-02-08 10:31:47 +01:00
Feathers c4ed22aa8f Create azure_mfa_disabled.yml 2022-02-08 10:19:09 +01:00
Florian Roth 9bc8bb5c20 fix: remove old link to removed part of rule 2022-02-08 09:36:31 +01:00
Florian Roth 88ce0ed97d rule: Network Reconnaissance Activity 2022-02-08 09:36:03 +01:00
Florian Roth 047b928ab0 Merge branch 'aurora-false-positive-fixing' of https://github.com/SigmaHQ/sigma into aurora-false-positive-fixing 2022-02-08 09:35:12 +01:00
Florian Roth 69fcbc138e fix: FPs noticed with Aurora 2022-02-08 09:34:53 +01:00
Florian Roth 121b28c419 Merge pull request #2660 from redsand/fp_sysmon_creation_system_file_allow_wbengine 
FP from wbengine when writing a system filename
 2022-02-08 09:01:10 +01:00
Florian Roth 07e0d0412e Merge pull request #2662 from nasbench/master 
Update sysmon_raw_disk_access_using_illegitimate_tools.yml
 2022-02-08 09:00:46 +01:00
Florian Roth 7606ab96c8 Merge pull request #2657 from phantinuss/master 
fix: FPs
 2022-02-08 09:00:31 +01:00
Florian Roth c69613696f fix: FP noticed with Aurora 2022-02-07 21:24:21 +01:00
Florian Roth 7e17c2bbd2 Merge pull request #2658 from Karneades/patch-1 
rule: ACTINIUM Scheduled Task Persistence
 2022-02-07 21:20:22 +01:00
Florian Roth 3ca0382671 Merge pull request #2661 from redsand/fp_mimikatz_command_line 
FP mimikatz when loading powershell function Convert-GuidToCompressedGuid
 2022-02-07 21:20:04 +01:00
Nasreddine Bencherchali 7d1e149844 Update sysmon_raw_disk_access_using_illegitimate_tools.yml 2022-02-07 20:51:19 +01:00
Tim Shelton f3ce179f76 fixing false positive when loading the powershell function Convert-GuidToCompressedGuid 2022-02-07 17:10:57 +00:00
Tim Shelton 913aac6695 allow fp from wbengine 2022-02-07 16:58:58 +00:00
Florian Roth aef0bd2a2d Update process_creation_apt_actinium_persistence.yml 2022-02-07 16:15:48 +01:00
Andreas Hunkeler 40411f0596 Fix list issue in new wscript persistence rule 2022-02-07 15:54:42 +01:00
Andreas Hunkeler 0a78c3966b rule: ACTINIUM Scheduled Task Persistence 2022-02-07 15:43:30 +01:00