Commit Graph

119 Commits

Author SHA1 Message Date
Florian Roth c4021267ec Merge pull request #3193 from SigmaHQ/rule-devel
Multiple changes, new rule, some docs
2022-07-03 16:30:36 +02:00
Florian Roth 881890177b rule: suspicious network connections no cmdline 2022-07-03 15:58:54 +02:00
Florian Roth b4751520c5 refactor: more domains 2022-07-03 15:58:36 +02:00
Tim Shelton f20e196909 Comparison conflict found between selection and filter. In favor of selection 2022-06-27 21:03:36 +00:00
phantinuss 9475153292 fix: FPs found in testing environment 2022-06-20 16:17:54 +02:00
Florian Roth 50b2fad091 Merge branch 'master' into aurora-false-positive-fixing 2022-06-20 13:43:36 +02:00
Florian Roth ccd6fc5a7b fix: FPs 2022-06-20 13:04:49 +02:00
Florian Roth 72de90d2aa fix: FPs 2022-06-20 12:52:23 +02:00
Tim Shelton 80ee980b1d False positive from SentinelOne Ranger Agent 2022-06-19 14:31:10 +00:00
Nasreddine Bencherchali 97856b562a Add "\" to "Image|endswith" modifier
- Added the "\\" (backslash) for the "(Parent)Image|endswith" modifiers to avoid possible confusion.
- The modifications were mostly done on default Windows binaries to avoid changing the logic of other rules.
2022-06-02 13:39:07 +01:00
phantinuss 32169dbc33 chore: harmonization of generic 'nt system' user checks
also a simple (non-comprehensive) test case to find
usages of localized user names
2022-05-27 15:16:31 +02:00
Tim Shelton b1cbac0ae3 Adjusting condition 2022-05-26 18:39:22 +00:00
Tim Shelton 8ac66efd73 updating modified 2022-05-26 18:17:40 +00:00
Tim Shelton 13d68d9671 False positive on IBM Client Solutions 2022-05-26 18:16:55 +00:00
David ANDRE 74b9f97b9c Renamed suspicious in filenames to susp 2022-05-19 09:37:04 +02:00
phantinuss dbd68bf3f0 chore: test rules: capitalization on FP list entries
Entries to the false positive list should begin with
a capital letter, e.g. Unknown instead of unknown.

Fixed the existing rules accordingly
2022-05-09 16:07:44 +02:00
Florian Roth e76322ff5a Merge pull request #2976 from SigmaHQ/aurora-false-positive-fixing
Aurora false positive fixing
2022-05-02 16:38:01 +02:00
Florian Roth 892025474d fix: FPs noticed with Aurora 2022-05-02 16:25:33 +02:00
Florian Roth 96628bf7c0 Merge pull request #2960 from elhoim/mobsync_network2
New rule for suspicious network connections from Microsoft Sync Center
2022-04-29 13:25:56 +02:00
Florian Roth a157d5d949 rule: RDP to 80/tcp or 443/tcp 2022-04-29 12:03:07 +02:00
Florian Roth e322866c71 fix: indentation 2022-04-29 08:42:51 +02:00
David André 73b5f4412a Changed reference from default to correct URL 2022-04-28 14:45:31 +02:00
David ANDRE 55b23c4477 Added rule for suspicious (non-private IPs) network connections from mobsync 2022-04-28 14:21:39 +02:00
phantinuss 13e31e8383 fix: FPs found in win2022 domain controller baseline 2022-04-21 10:48:59 +02:00
Florian Roth d9fbdd4a56 fix: missing filter 2022-04-21 07:54:58 +02:00
Florian Roth 50ca09c6a4 Merge branch 'master' into rule-devel 2022-04-20 17:54:11 +02:00
Florian Roth 25ecef1748 rule: dropbox api use 2022-04-20 17:54:01 +02:00
Max Altgelt e6dbb6ba00 feat: Add rule for equation editor network connections 2022-04-14 10:50:10 +02:00
phantinuss 043747822f fix: more falsepositives harmonization 2022-03-16 14:57:06 +01:00
phantinuss 8d3f8acb60 fix: none --> Unknown 2022-03-16 14:19:21 +01:00
phantinuss b23eee6ebf fix: unknown --> Unknown 2022-03-16 13:43:54 +01:00
Florian Roth 9cc77ce817 Merge branch 'master' into aurora-false-positive-fixing 2022-03-07 15:40:42 +01:00
frack113 7fb8272f94 Name Normalization
2022-02-27 10:58:14 +01:00
Florian Roth 52d30f4132 fix: FPs noticed with Aurora 2022-02-26 13:18:18 +01:00
Florian Roth 921d46ca79 fix: FPs noticed with Aurora 2022-02-21 18:43:18 +01:00
Florian Roth 57271c3c00 fix: bugs in rules 2022-02-16 17:26:57 +01:00
Florian Roth 51bbe21c70 fix: more Aurora FP fixes 2022-02-16 17:16:50 +01:00
Florian Roth 2500c16aea fix: FPs noticed with Aurora 2022-02-16 17:00:27 +01:00
phantinuss 43bae23f23 fix: several FPs against a fresh installed Windows with example applications and basic user interaction 2022-02-09 17:47:22 +01:00
Florian Roth 4b09e643c2 fix: condition in malware back connect rule 2022-02-02 13:48:56 +01:00
frack113 90334e7f7c Redcannary windows test 2022-01-23 11:37:01 +01:00
frack113 4631d0c482 remove invalid tag 2022-01-19 18:23:30 +01:00
frack113 12f0d6dfab Windows Redcannary 2022-01-16 14:47:56 +01:00
frack113 af99c75785 Windows Redcannary 2022-01-08 09:17:56 +01:00
Tim Shelton e596dab472 Allows PasswordState to initiate rdp connections, per feature "Passwordstate Remote Session Launcher" https://www.clickstudios.com.au/downloads/version9/Passwordstate_Remote_Session_Launcher_Gateway_Install_Guide.pdf 2021-12-29 14:27:22 +00:00
Florian Roth f37603ab60 fix: filter FPs with Microsoft cloud 2021-12-27 19:47:32 +01:00
Florian Roth d88f6b2208 Merge pull request #2459 from SigmaHQ/aurora-false-positive-fixing
fix: FPs noticed with Aurora
2021-12-16 20:34:30 +01:00
Florian Roth 84e5d60bbc fix: FPs noticed with Aurora 2021-12-16 19:54:22 +01:00
frack113 904fb9181e Add windows t1046 rules 2021-12-10 16:31:16 +01:00
Florian Roth 50ddc5f3ab style: new best practice filter condition 2021-12-07 20:58:03 +01:00