Commit Graph

84 Commits

Author SHA1 Message Date
Tim Shelton 38335b6303 False positive filtering out of behavior by services.exe which is expected 2022-06-30 16:22:42 +00:00
phantinuss b4bce46c65 fix: technically filter THOR checking for BlueKeep vuln 2022-06-29 17:07:04 +02:00
Tim Shelton 78ff2fb70f Reducing the level of this item. This behavior happens too often in a normal environment, with day to day activity and no definitive threat. I believe a different rule, detecting a larger volume of this behavior would warrant a high level rating. 2022-06-29 13:32:19 +00:00
Florian Roth 10e39e41f7 Merge pull request #3143 from SigmaHQ/rule-devel
Rule level refactoring: critical > high
2022-06-19 15:04:46 +02:00
frack113 55f1f6dd1e Fix ServiceName 2022-06-19 11:59:48 +02:00
Florian Roth f728893364 refactor: rule level adjustments - critical to high 2022-06-18 17:43:22 +02:00
Florian Roth db55be82b6 refactor: rule adjustments based on hayabusa
https://github.com/Yamato-Security/hayabusa-rules/blob/deb6026fcf452600829c52852f6283d2c808bc69/config/noisy_rules.txt
2022-06-18 08:39:02 +02:00
frack113 8de0027ca3 refactor condition 2022-06-03 15:35:24 +02:00
David ANDRE 74b9f97b9c Renamed suspicious in filenames to susp 2022-05-19 09:37:04 +02:00
Tim Shelton 9d4ce6db7d FP: filter m$ removaltools from %system32%\MRT.exe and reducing level to low from medium. Task removal could possibly even be just informational. 2022-05-16 14:48:01 +00:00
frack113 196aa6d83d move deprecated rules 2022-05-14 09:42:32 +02:00
Florian Roth 9e218149d9 Merge pull request #3008 from SigmaHQ/rule-devel
refactor: AV rules, changes, new PW protected ZIP rules
2022-05-12 17:38:11 +02:00
Florian Roth 1b9ce19b2c fix: several issues 2022-05-12 17:30:30 +02:00
frack113 69b4bd551c Merge pull request #3004 from redsand/fp_dnsZoneScope
filtering out dnsZoneScope
2022-05-12 06:56:50 +02:00
Tim Shelton d072472b25 filtering out dnsZoneScope 2022-05-10 21:29:05 +00:00
phantinuss 112b715dd6 chore: test rules: reactivate single value list check 2022-05-10 17:13:04 +02:00
Florian Roth 4e7ceae0e1 rule: added another keyword 2022-05-09 18:33:34 +02:00
Florian Roth ec4beca37b Merge branch 'master' into rule-devel 2022-05-09 18:03:29 +02:00
Florian Roth 9d87716dfb rule: encrypted ZIP files 2022-05-09 18:03:16 +02:00
phantinuss b991a5be52 chore: test rules: warn on errors or invalid FP reasons
also adapted the existing rules to pass the tests
2022-05-09 16:07:55 +02:00
phantinuss dbd68bf3f0 chore: test rules: capitalization on FP list entries
Entries to the false positive list should begin with
a capital letter. e.g. Unknown instead of unknown.

Fixed the existing rules accordingly
2022-05-09 16:07:44 +02:00
Tim Shelton 6156a5653b Removing FP of dnsNode updates. Not related to account access 2022-05-05 16:45:01 +00:00
phantinuss 06725ecfcb fix: FPs found at prod environment 2022-04-29 15:07:58 +02:00
Florian Roth c62e6b572c fix: modified date 2022-04-28 20:41:13 +02:00
Florian Roth 9b480e360c fix: FPs noticed with Aurora 2022-04-28 20:40:19 +02:00
Florian Roth 84935bbcc6 refactor: tightened krbrelayup rule 2022-04-27 11:54:51 +02:00
Florian Roth 5f95b88a52 Revert "refactor: field IpAddress in ID 4624/4625 refactoring"
This reverts commit a6e7866faa.
2022-04-27 10:54:41 +02:00
Florian Roth 182c81af5a Create win_susp_krbrelayup.yml 2022-04-27 10:54:33 +02:00
Florian Roth a6e7866faa refactor: field IpAddress in ID 4624/4625 refactoring 2022-04-27 10:02:01 +02:00
Florian Roth f0253eb67d some fixes and refactoring 2022-04-26 15:32:56 +02:00
Florian Roth d3ddefe096 refactor: proposed changes from issue #2917
https://github.com/SigmaHQ/sigma/issues/2917
2022-04-14 16:57:30 +02:00
phantinuss 4780447102 fix: FPs from fresh Win7 install 2022-04-06 17:07:00 +02:00
phantinuss 7cbfc7f16a fix: remove . from title 2022-04-06 17:04:10 +02:00
Florian Roth 7b8ead3f9c Merge branch 'master' into aurora-false-positive-fixing 2022-03-20 17:59:58 +01:00
Florian Roth b3d19126c7 docs: add FP conditions 2022-03-20 16:21:35 +01:00
phantinuss 043747822f fix: more falsepositives harmonization 2022-03-16 14:57:06 +01:00
phantinuss 6ae28b7a1c fix: legitimate --> Legitimate 2022-03-16 14:35:19 +01:00
phantinuss 84d0c472ba fix: remove penetration test as valid false positive reason 2022-03-16 14:33:18 +01:00
phantinuss 4585133325 fix: remove penetration testing as a valid false positive 2022-03-16 13:51:26 +01:00
phantinuss b23eee6ebf fix: unknown --> Unknown 2022-03-16 13:43:54 +01:00
Feathers 8014c477cd Update win_dcsync.yml
Added a more detailed source on this detection.
Also included the AccessMask corresponding to “control access” that is specifically registered when access is allowed following extended rights verification (typically associated with the use of high level and explicit permissions that are required to initiate the DCSync attack) as is described in the Black Lantern Security blog post.
Added 3 other GUIDs that correspond to:
1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 - DS-Replication-Get-Changes
9923a32a-3607-11d2-b9be-0000f87a36b2 - DS-Install-Replica
89e95b76-444d-4c62-991a-0facbeda640c - DS-Replication-Get-Changes-In-Filtered-Set
2022-03-15 12:37:07 +01:00
frack113 5938569d3e Refactor regex 2022-03-08 19:07:37 +01:00
frack113 793bf99c85 refactor regex 2022-03-06 20:15:32 +01:00
unknown 528cdd199b Update modified date 2022-02-24 14:38:35 -05:00
unknown 03048a1fdb Fix criteria to contains bckupkey 2022-02-24 13:55:34 -05:00
frack113 ffe2dd2a00 fix Provider_Name 2022-02-24 06:54:22 +01:00
Florian Roth 6ce92b27be refactor: more regex avoidance 2022-02-03 20:05:10 +01:00
Florian Roth 8c07a51ab9 fix: non-ascii character in description 2022-02-03 19:52:07 +01:00
Florian Roth b715894497 refactor: avoid regex use 2022-02-03 19:48:19 +01:00
frack113 4631d0c482 remove invalid tag 2022-01-19 18:23:30 +01:00