Commit Graph

1124 Commits

Author SHA1 Message Date
Tim Shelton 38335b6303 False positive filtering out of behavior by services.exe which is expected 2022-06-30 16:22:42 +00:00
phantinuss b4bce46c65 fix: technically filter THOR checking for BlueKeep vuln 2022-06-29 17:07:04 +02:00
Tim Shelton 78ff2fb70f Reducing the level of this item. This behavior happens too often in a normal environment, with day to day activity and no definitive threat. I believe a different rule, detecting a larger volume of this behavior, would warrant a high level rating. 2022-06-29 13:32:19 +00:00
Florian Roth 991ff677c3 rule: bitsadmin coverage 2022-06-28 15:34:19 +02:00
frack113 5cebc1ab88 Merge pull request #3158 from redsand/fp_printspooler_timeout
False positive when print dll times out when attempting to register
2022-06-22 21:08:40 +02:00
Tim Shelton ae50b42b2b False positive when print dll times out when attempting to register 2022-06-22 14:42:07 +00:00
Tim Shelton 6ae85eb557 Adding support for mozilla download via bits 2022-06-21 12:38:06 +00:00
Florian Roth 10e39e41f7 Merge pull request #3143 from SigmaHQ/rule-devel
Rule level refactoring: critical > high
2022-06-19 15:04:46 +02:00
frack113 55f1f6dd1e Fix ServiceName 2022-06-19 11:59:48 +02:00
Florian Roth f728893364 refactor: rule level adjustments - critical to high 2022-06-18 17:43:22 +02:00
Florian Roth db55be82b6 refactor: rule adjustments based on hayabusa
https://github.com/Yamato-Security/hayabusa-rules/blob/deb6026fcf452600829c52852f6283d2c808bc69/config/noisy_rules.txt
2022-06-18 08:39:02 +02:00
Florian Roth 49f37684dc fix: FPs with BITS rule 2022-06-12 17:30:17 +02:00
Florian Roth ed2ab816be refactor: BITS rules new and reworked 2022-06-10 13:16:40 +02:00
frack113 8de0027ca3 refactor condition 2022-06-03 15:35:24 +02:00
Florian Roth bea6f18d35 Merge pull request #3024 from redsand/win_system_susp_eventlog_cleared
Making a derived detection for system/application/security event logs…
2022-05-20 20:56:00 +02:00
Tim Shelton 600a7cd0e8 Re-adding accidentally removed entry 2022-05-19 17:16:39 +00:00
Tim Shelton 60e6a147b4 merging remote change 2022-05-19 16:11:58 +00:00
Tim Shelton 3f6cabcae8 Updating to include match on Channel 2022-05-19 16:08:34 +00:00
David ANDRE 74b9f97b9c Renamed suspicious in filenames to susp 2022-05-19 09:37:04 +02:00
Florian Roth 003e5bee6d Merge pull request #3018 from SigmaHQ/rule-devel
refactor: rule addition
2022-05-19 07:50:36 +02:00
Florian Roth 28e0e157fe Update win_system_susp_eventlog_cleared.yml 2022-05-17 21:32:00 +02:00
Tim Shelton 60a38a95ef removing duplicate keywords entry 2022-05-17 18:54:01 +00:00
Tim Shelton b5b7adcb9c Making a derived detection for system/application/security event logs being cleared, vs any in general. FP due to custom applications clearing their eventlog 2022-05-17 18:49:54 +00:00
Tim Shelton 4bafd1317b User meant to use service vs category. Currently no category assignment for "system". We need a unit test to detect new sections here, vs backends. This was untested in the field. 2022-05-16 22:18:35 +00:00
Florian Roth 73706c96ab fix: missing modified date mod 2022-05-16 17:24:26 +02:00
Tim Shelton 9d4ce6db7d FP: filter m$ removaltools from %system32%\MRT.exe and reducing level to low from medium. Task removal could possibly even be just informational. 2022-05-16 14:48:01 +00:00
Florian Roth 54d5f3ad67 Merge branch 'master' into rule-devel 2022-05-16 16:05:12 +02:00
Florian Roth 9138730dd6 keylogger keyword extended 2022-05-16 16:03:52 +02:00
frack113 196aa6d83d move deprecated rules 2022-05-14 09:42:32 +02:00
Florian Roth 9e218149d9 Merge pull request #3008 from SigmaHQ/rule-devel
refactor: AV rules, changes, new PW protected ZIP rules
2022-05-12 17:38:11 +02:00
Florian Roth 1b9ce19b2c fix: several issues 2022-05-12 17:30:30 +02:00
Florian Roth 2cd5a93fb6 refactor: update antivirus rules 2022-05-12 17:19:46 +02:00
Florian Roth ee3aba2541 Merge pull request #3005 from BlackB0lt/patch-27
Create win_security_krbrelayup_service_installation.yml
2022-05-12 13:01:44 +02:00
Florian Roth fe312319d3 Update win_security_krbrelayup_service_installation.yml 2022-05-12 13:01:24 +02:00
frack113 69b4bd551c Merge pull request #3004 from redsand/fp_dnsZoneScope
filtering out dnsZoneScope
2022-05-12 06:56:50 +02:00
Sittikorn S 800669d90c Update win_security_krbrelayup_service_installation.yml 2022-05-11 18:59:37 +07:00
Sittikorn S df8c6c118f Create win_security_krbrelayup_service_installation.yml
Detects service creation from KrbRelayUp tool
2022-05-11 18:59:14 +07:00
Tim Shelton d072472b25 filtering out dnsZoneScope 2022-05-10 21:29:05 +00:00
phantinuss 112b715dd6 chore: test rules: reactivate single value list check 2022-05-10 17:13:04 +02:00
Florian Roth 4e7ceae0e1 rule: added another keyword 2022-05-09 18:33:34 +02:00
Florian Roth ec4beca37b Merge branch 'master' into rule-devel 2022-05-09 18:03:29 +02:00
Florian Roth 9d87716dfb rule: encrypted ZIP files 2022-05-09 18:03:16 +02:00
Florian Roth cc68a89ad0 refactor: moved rule 2022-05-09 18:02:36 +02:00
phantinuss b991a5be52 chore: test rules: warn on errors or invalid FP reasons
also adapted the existing rules to pass the tests
2022-05-09 16:07:55 +02:00
phantinuss dbd68bf3f0 chore: test rules: capitalization on FP list entries
Entries to the false positive list should begin with
a capital letter, e.g. Unknown instead of unknown.

Fixed the existing rules accordingly
2022-05-09 16:07:44 +02:00
Tobias Michalski b1c395d65c fix: Rule Creating way too many FPs to be high 2022-05-06 15:56:08 +02:00
Florian Roth 73c6bea167 Merge pull request #2979 from SigmaHQ/rule-devel
rules: more suspicious service registrations
2022-05-05 18:57:08 +02:00
Tim Shelton 6156a5653b Removing FP of dnsNode updates. Not related to account access 2022-05-05 16:45:01 +00:00
Florian Roth 17a1a035c5 doc: change titles to avoid duplicates 2022-05-04 11:30:30 +02:00
Florian Roth 5a619f5bab Merge pull request #2977 from phantinuss/master
fix: FPs in prod environment
2022-05-02 16:51:38 +02:00