Florian Roth
f0253eb67d
some fixes and refactoring
2022-04-26 15:32:56 +02:00
Florian Roth
d3ddefe096
refactor: proposed changes from issue #2917
https://github.com/SigmaHQ/sigma/issues/2917
2022-04-14 16:57:30 +02:00
Florian Roth
eab098e9f8
Merge pull request #2885 from secDre4mer/master
Add couple of new rules
2022-04-07 19:00:52 +02:00
phantinuss
f5ca5c0579
fix: FPs from fresh Windows 2022 install
2022-04-07 14:15:44 +02:00
Max Altgelt
47c685553d
feat: Generate low sigma match for new credential logon
2022-04-07 10:50:50 +02:00
phantinuss
4780447102
fix: FPs from fresh Win7 install
2022-04-06 17:07:00 +02:00
phantinuss
7cbfc7f16a
fix: remove . from title
2022-04-06 17:04:10 +02:00
phantinuss
c2c3fff071
fix: typo in description
2022-04-06 16:09:53 +02:00
Florian Roth
0b4bfad074
Merge branch 'master' into aurora-false-positive-fixing
2022-03-29 21:06:30 +02:00
Florian Roth
658f4c48ee
refactor: less relevant FW event
2022-03-28 17:06:00 +02:00
Florian Roth
37437c7f3d
Update win_susp_service_installation_script.yml
2022-03-24 21:22:26 +01:00
Florian Roth
76710a1d86
Update win_susp_service_installation.yml
2022-03-24 21:19:36 +01:00
Drasti Mehta
ae4c01142e
add modified and date
2022-03-24 15:57:47 -04:00
Drasti Mehta
77f5a6f4d8
Fix win_susp_service_ rules causing sigmac error
2022-03-24 15:24:01 -04:00
Florian Roth
8b7eaae6ec
fix: ServiceFileName in 7045 events
2022-03-22 14:41:25 +01:00
Florian Roth
b4245c561c
Merge pull request #2836 from SigmaHQ/rule-devel
fix: Service Installation 7045 field confusion
2022-03-21 11:18:29 +01:00
Florian Roth
ce4cdf06f0
fix: Service Installation 7045 field confusion
2022-03-21 11:10:03 +01:00
Florian Roth
7b8ead3f9c
Merge branch 'master' into aurora-false-positive-fixing
2022-03-20 17:59:58 +01:00
Florian Roth
b3d19126c7
docs: add FP conditions
2022-03-20 16:21:35 +01:00
Paul Hager
68659cf5fd
new susp service installation rules
2022-03-18 16:08:40 +01:00
phantinuss
043747822f
fix: more falsepositives harmonization
2022-03-16 14:57:06 +01:00
phantinuss
6ae28b7a1c
fix: legitimate --> Legitimate
2022-03-16 14:35:19 +01:00
phantinuss
84d0c472ba
fix: remove penetration test as valid false positive reason
2022-03-16 14:33:18 +01:00
phantinuss
8d3f8acb60
fix: none --> Unknown
2022-03-16 14:19:21 +01:00
phantinuss
9b82e099a3
fix: unlikely --> Unlikely
2022-03-16 14:16:10 +01:00
phantinuss
4585133325
fix: remove penetration testing as a valid false positive
2022-03-16 13:51:26 +01:00
phantinuss
b23eee6ebf
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
Feathers
8014c477cd
Update win_dcsync.yml
Added a more detailed source on this detection.
Also included the AccessMask corresponding to “control access” that is specifically registered when access is allowed following extended rights verification (typically associated with the use of high-level and explicit permissions that are required to initiate the DCSync attack), as is described in the Black Lantern Security blog post.
Added 3 other GUIDs that correspond to:
1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 - DS-Replication-Get-Changes
9923a32a-3607-11d2-b9be-0000f87a36b2 - DS-Install-Replica
89e95b76-444d-4c62-991a-0facbeda640c - DS-Replication-Get-Changes-In-Filtered-Set
2022-03-15 12:37:07 +01:00
Paul Hager
1fb583b225
fix: FP fix
2022-03-11 11:46:25 +01:00
frack113
5938569d3e
Refactor regex
2022-03-08 19:07:37 +01:00
frack113
f9c0e21323
Refactor regex
2022-03-07 19:08:30 +01:00
frack113
5d4035ea05
Fix contains
2022-03-06 20:50:19 +01:00
frack113
67189b6e51
refactor regex
2022-03-06 20:40:21 +01:00
frack113
793bf99c85
refactor regex
2022-03-06 20:15:32 +01:00
frack113
53651cdd2f
Add Bits-Client rules
2022-03-03 06:27:00 +01:00
phantinuss
952fb07d59
fix: remove Aurora filter out, no longer needed
2022-03-02 11:14:01 +01:00
unknown
528cdd199b
Update modified date
2022-02-24 14:38:35 -05:00
unknown
03048a1fdb
Fix criteria to contains bckupkey
2022-02-24 13:55:34 -05:00
frack113
ffe2dd2a00
fix Provider_Name
2022-02-24 06:54:22 +01:00
Florian Roth
b1ec01c289
fix: TiWorker.exe FW change
2022-02-22 13:58:21 +01:00
Florian Roth
70220eaced
fix: last FPs
2022-02-22 13:53:28 +01:00
Florian Roth
679461082c
Merge branch 'aurora-false-positive-fixing' of https://github.com/SigmaHQ/sigma into aurora-false-positive-fixing
2022-02-22 13:43:59 +01:00
Florian Roth
b983330310
fix: more fixes
2022-02-22 13:42:39 +01:00
Florian Roth
7a2216c7be
Merge branch 'master' into aurora-false-positive-fixing
2022-02-22 13:37:58 +01:00
Florian Roth
cc9a5b4b07
fix: FPs with new rules
2022-02-22 13:32:34 +01:00
frack113
af987fb1a0
Set to low as too many FP
2022-02-22 09:38:10 +01:00
Florian Roth
118e28dbb6
Merge pull request #2708 from frack113/firewall_as
Add firewall-as basic rules
2022-02-22 08:54:00 +01:00
Florian Roth
921d46ca79
fix: FPs noticed with Aurora
2022-02-21 18:43:18 +01:00
frack113
8cfab22acb
Add firewall-as basic rules
2022-02-19 10:18:49 +01:00
Florian Roth
06e62c48ee
Merge pull request #2683 from SigmaHQ/aurora-false-positive-fixing
Aurora false positive fixing
2022-02-11 12:45:41 +01:00