Commit Graph

60 Commits

Author SHA1 Message Date
frack113 c64ece9f68 More generic 2022-06-29 19:33:50 +02:00
phantinuss ab5d2ed711 fix: FPs in testing environment 2022-06-27 08:47:27 +02:00
frack113 281a7c8149 Add missing EventType 2022-06-26 17:41:23 +02:00
Florian Roth 567d8e4e24 Merge pull request #3146 from frack113/redcanary_20220619
Add registry_set_timeproviders_dllname
2022-06-22 10:26:15 +02:00
Florian Roth aee4ebb01a Update registry_set_timeproviders_dllname.yml 2022-06-21 16:32:21 +02:00
frack113 2219910c43 Add registry_set_timeproviders_dllname 2022-06-19 11:20:35 +02:00
Florian Roth f728893364 refactor: rule level adjustments - critical to high 2022-06-18 17:43:22 +02:00
securepeacock aa01c73f72 Update registry_set_enabling_turnoffcheck.yml 2022-06-15 11:49:38 -04:00
securepeacock bd6f9936a5 Rename registry_set_enabling_turn_off_check.yml to registry_set_enabling_turnoffcheck.yml 2022-06-15 11:07:55 -04:00
securepeacock 35c6084ef7 Update registry_set_enabling_turn_off_check.yml 2022-06-15 10:55:15 -04:00
securepeacock 1f279f633a Update registry_set_enabling_turn_off_check.yml 2022-06-15 10:54:23 -04:00
securepeacock cfabbc4bdf Update registry_set_enabling_turn_off_check.yml 2022-06-15 10:51:15 -04:00
securepeacock c0f01c84b3 Create registry_set_enabling_turn_off_check.yml 2022-06-15 10:49:19 -04:00
Florian Roth 2a4e6d8ebe Merge pull request #3123 from phantinuss/master
fix FP and add Follina reference to description
2022-06-13 22:54:54 +02:00
phantinuss d382f91313 fix: FP with AVG antivirus 2022-06-13 13:30:21 +02:00
Nasreddine Bencherchali ffd135c6b6 Renamed LOLBIN rules + Other 2022-06-12 23:59:25 +01:00
CD-R0M 335e97247e Update registry_set_custom_file_open_handler_powershell_execution.yml 2022-06-11 10:40:04 -04:00
CD-R0M e89811fa47 Merge branch 'master' of https://github.com/CD-R0M/sigma-1 2022-06-11 10:29:54 -04:00
CD-R0M 2a2c15a407 Create registry_set_custom_file_open_handler_powershell_execution.yml 2022-06-11 10:29:46 -04:00
Florian Roth 69ff1837f4 Merge pull request #3064 from BlackB0lt/patch-28
Create registry_set_cve_2022_30190_msdt_follina.yml
2022-06-07 10:47:12 +02:00
Florian Roth 7bd4d68580 Merge branch 'master' into aurora-false-positive-fixing 2022-06-04 12:52:14 +02:00
Florian Roth 6d9587dab2 fix: Aurora FPs / NVidia driver update 2022-06-04 12:44:51 +02:00
Nasreddine Bencherchali 16585591fd Update registry_set_disable_fonction_user.yml 2022-06-03 21:58:28 +01:00
Nasreddine Bencherchali 36e5400b39 Rules Update
- Updated "proc_creation_win_susp_wmic_security_product_uninstall" with more AV and CLI variants.
- Updated "registry_set_disable_fonction_user" with more interesting registry locations
2022-06-03 20:29:59 +01:00
frack113 8de0027ca3 refactor condition 2022-06-03 15:35:24 +02:00
Nasreddine Bencherchali 97856b562a Add "\" to "Image|endswith" modifier
- Added the "\\" (backslash) for the "(Parent)Image|endswith" modifiers to avoid possible confusion.
- The modifications were mostly done on default Windows binaries to avoid changing the logic of other rules.
2022-06-02 13:39:07 +01:00
Sittikorn S cdc93494a5 Create registry_set_cve_2022_30190_msdt_follina.yml
Detect registry set events related to the ms-msdt MSProtocol URI scheme
2022-05-31 12:07:37 +07:00
phantinuss 87ce5e3fe7 Update registry_set_lolbas_onedrivestandaloneupdater.yml 2022-05-30 08:40:29 +02:00
frack113 5b2ab692dc Lolbas rule 2022-05-28 16:54:45 +02:00
phantinuss 61c10d73e0 fix: FP found in testing environment 2022-05-23 16:45:27 +02:00
David ANDRE 74b9f97b9c Renamed suspicious in filenames to susp 2022-05-19 09:37:04 +02:00
frack113 196aa6d83d move deprecated rules 2022-05-14 09:42:32 +02:00
Florian Roth 93caa59248 fix: lowercase false positive 2022-05-12 21:56:46 +02:00
Florian Roth 8692140b26 Merge pull request #2982 from jstnk9/master
Create registry_set_scr_file_executed_by_rundll32.yml
2022-05-12 17:40:24 +02:00
Florian Roth 9e218149d9 Merge pull request #3008 from SigmaHQ/rule-devel
refactor: AV rules, changes, new PW protected ZIP rules
2022-05-12 17:38:11 +02:00
phantinuss 112b715dd6 chore: test rules: reactivate single value list check 2022-05-10 17:13:04 +02:00
jstnk9 cf975127b6 title modified 2022-05-10 11:41:19 +02:00
Florian Roth 8b798fbf21 refactor: tightened task scheduler rule 2022-05-09 18:03:02 +02:00
phantinuss b991a5be52 chore: test rules: warn on errors or invalid FP reasons
also adapted the existing rules to pass the tests
2022-05-09 16:07:55 +02:00
phantinuss dbd68bf3f0 chore: test rules: capitalization on FP list entries
Entries in the false positive list should begin with
a capital letter, e.g. Unknown instead of unknown.

Fixed the existing rules accordingly
2022-05-09 16:07:44 +02:00
jstnk9 1c5ba05eb3 Update registry_set_scr_file_executed_by_rundll32.yml 2022-05-09 10:44:55 +02:00
jstnk9 111b4f7623 added filter 2022-05-06 10:31:40 +02:00
Florian Roth a5d0e63716 fix: FPs with Zoom 2022-05-05 07:54:16 +02:00
jstnk9 d632b9438a Update registry_set_scr_file_executed_by_rundll32.yml 2022-05-04 16:13:36 +02:00
jstnk9 9f608172ab Create registry_set_scr_file_executed_by_rundll32.yml 2022-05-04 15:29:14 +02:00
Florian Roth 3faac9729d fix: FP with Zoom 2022-05-04 11:33:12 +02:00
Florian Roth 17a1a035c5 doc: change titles to avoid duplicates 2022-05-04 11:30:30 +02:00
Florian Roth a8ab241220 Merge branch 'master' into rule-devel 2022-05-02 20:54:40 +02:00
Florian Roth 34f8b13a55 rule: service binaries in suspicious folders 2022-05-02 20:54:04 +02:00
Florian Roth 9482eb92ec Update registry_set_creation_service_temp_folder.yml 2022-05-02 19:30:43 +02:00