Commit Graph

67 Commits

Author SHA1 Message Date
Florian Roth f728893364 refactor: rule level adjustments - critical to high 2022-06-18 17:43:22 +02:00
frack113 8de0027ca3 refactor condition 2022-06-03 15:35:24 +02:00
Florian Roth bea6f18d35 Merge pull request #3024 from redsand/win_system_susp_eventlog_cleared
Making a derived detection for system/application/security event logs…
2022-05-20 20:56:00 +02:00
Tim Shelton 600a7cd0e8 Re-adding accidentally removed entry 2022-05-19 17:16:39 +00:00
Tim Shelton 60e6a147b4 merging remote change 2022-05-19 16:11:58 +00:00
Tim Shelton 3f6cabcae8 Updating to include match on Channel 2022-05-19 16:08:34 +00:00
Florian Roth 28e0e157fe Update win_system_susp_eventlog_cleared.yml 2022-05-17 21:32:00 +02:00
Tim Shelton 60a38a95ef removing duplicate keywords entry 2022-05-17 18:54:01 +00:00
Tim Shelton b5b7adcb9c Making a derived detection for system/application/security event logs being cleared, vs. any in general. FP due to custom applications clearing their event log 2022-05-17 18:49:54 +00:00
Tim Shelton 4bafd1317b User meant to use service vs. category. Currently no category assignment for "system". We need a unit test to detect new sections here, vs. backends. This was untested in the field. 2022-05-16 22:18:35 +00:00
Florian Roth ee3aba2541 Merge pull request #3005 from BlackB0lt/patch-27
Create win_security_krbrelayup_service_installation.yml
2022-05-12 13:01:44 +02:00
Florian Roth fe312319d3 Update win_security_krbrelayup_service_installation.yml 2022-05-12 13:01:24 +02:00
Sittikorn S 800669d90c Update win_security_krbrelayup_service_installation.yml 2022-05-11 18:59:37 +07:00
Sittikorn S df8c6c118f Create win_security_krbrelayup_service_installation.yml
Detects service creation from KrbRelayUp tool
2022-05-11 18:59:14 +07:00
phantinuss dbd68bf3f0 chore: test rules: capitalization on FP list entries
Entries in the false positive list should begin with
a capital letter, e.g. Unknown instead of unknown.

Fixed the existing rules accordingly
2022-05-09 16:07:44 +02:00
Florian Roth 17a1a035c5 doc: change titles to avoid duplicates 2022-05-04 11:30:30 +02:00
Florian Roth 5a619f5bab Merge pull request #2977 from phantinuss/master
fix: FPs in prod environment
2022-05-02 16:51:38 +02:00
phantinuss 97de80a9e1 fix: FPs in prod environment 2022-05-02 16:44:15 +02:00
Florian Roth b19c3e154c fix: FPs with new NTLMv1 rule 2022-05-02 16:32:18 +02:00
Florian Roth 1254fbd8d0 Merge pull request #2948 from redsand/sysmon_crash
Sysmon crash
2022-04-27 10:44:49 +02:00
Florian Roth f5c39d5cd2 Update win_lsasrv_ntlmv1.yml 2022-04-27 09:40:56 +02:00
Florian Roth 3c21c8ab00 Update win_system_application_sysmon_crash.yml 2022-04-27 09:39:56 +02:00
Tim Shelton 613d49bd56 Detect sysmon crash 2022-04-26 19:27:47 +00:00
Tim Shelton 12ac0f7de1 updating level 2022-04-26 18:41:58 +00:00
Tim Shelton 62b0b2fcf7 Detect the presence of ntlm1 in use on boot or 1st time 2022-04-26 18:38:57 +00:00
Florian Roth 1724c6378c Merge pull request #2945 from SigmaHQ/rule-devel
Refactoring and KrbRelayUp rule
2022-04-26 16:55:30 +02:00
Florian Roth cd069c2cbe Merge branch 'master' into rule-devel 2022-04-26 15:34:33 +02:00
Florian Roth f0253eb67d some fixes and refactoring 2022-04-26 15:32:56 +02:00
Hendrik Baecker d0bc498d9b String 2 Int for EventIDs 2022-04-26 15:12:42 +02:00
frack113 468e51af3b Add a ref 2022-04-23 10:05:27 +02:00
Florian Roth d3ddefe096 refactor: proposed changes from issue #2917
https://github.com/SigmaHQ/sigma/issues/2917
2022-04-14 16:57:30 +02:00
Florian Roth 37437c7f3d Update win_susp_service_installation_script.yml 2022-03-24 21:22:26 +01:00
Florian Roth 76710a1d86 Update win_susp_service_installation.yml 2022-03-24 21:19:36 +01:00
Drasti Mehta ae4c01142e add modified and date 2022-03-24 15:57:47 -04:00
Drasti Mehta 77f5a6f4d8 Fix win_susp_service_ rules causing sigmac error 2022-03-24 15:24:01 -04:00
Florian Roth 8b7eaae6ec fix: ServiceFileName in 7045 events 2022-03-22 14:41:25 +01:00
Florian Roth b4245c561c Merge pull request #2836 from SigmaHQ/rule-devel
fix: Service Installation 7045 field confusion
2022-03-21 11:18:29 +01:00
Florian Roth ce4cdf06f0 fix: Service Installation 7045 field confusion 2022-03-21 11:10:03 +01:00
Paul Hager 68659cf5fd new susp service installation rules 2022-03-18 16:08:40 +01:00
phantinuss 84d0c472ba fix: remove penetration test as valid false positive reason 2022-03-16 14:33:18 +01:00
phantinuss 8d3f8acb60 fix: none --> Unknown 2022-03-16 14:19:21 +01:00
phantinuss 9b82e099a3 fix: unlikely --> Unlikely 2022-03-16 14:16:10 +01:00
phantinuss 4585133325 fix: remove penetration testing as a valid false positive 2022-03-16 13:51:26 +01:00
phantinuss b23eee6ebf fix: unknown --> Unknown 2022-03-16 13:43:54 +01:00
frack113 f9c0e21323 Refactor regex 2022-03-07 19:08:30 +01:00
frack113 5d4035ea05 Fix contains 2022-03-06 20:50:19 +01:00
frack113 67189b6e51 refactor regex 2022-03-06 20:40:21 +01:00
frack113 793bf99c85 refactor regex 2022-03-06 20:15:32 +01:00
Florian Roth 921d46ca79 fix: FPs noticed with Aurora 2022-02-21 18:43:18 +01:00
Florian Roth 46f094d6f9 Merge pull request #2635 from SigmaHQ/rule-devel
refactor: avoid regex use
2022-02-03 21:56:58 +01:00