Commit Graph

7934 Commits

Author SHA1 Message Date
Florian Roth fbf1b8456c Merge pull request #2825 from SigmaHQ/aurora-false-positive-fixing
fix: FPs noticed with EdgeTransport sub processes
2022-03-18 11:04:10 +01:00
Florian Roth 2f51f8e1d2 fix: FPs noticed with EdgeTransport sub processes 2022-03-18 10:18:40 +01:00
Florian Roth d0eef19e95 Merge pull request #2822 from SigmaHQ/rule-devel
Webshell detection rule refactoring
2022-03-18 08:49:04 +01:00
Florian Roth e754849425 fix: missing space 2022-03-18 08:37:09 +01:00
frack113 41fce11b76 Merge pull request #2820 from frack113/day_off
Windows Redcannary
2022-03-18 08:18:18 +01:00
Florian Roth 1118189032 Update posh_ps_susp_get_adgroup.yml 2022-03-17 20:23:14 +01:00
Florian Roth 8c69b3977f Update posh_ps_susp_directory_enum.yml 2022-03-17 20:22:51 +01:00
Florian Roth a5cfb87ee1 Update posh_ps_as_rep_roasting.yml 2022-03-17 20:22:11 +01:00
Florian Roth 59a8a6f952 Merge branch 'master' into rule-devel 2022-03-17 20:16:28 +01:00
Florian Roth c855a38f98 Merge pull request #2819 from frack113/fp_test
posh_ps_remove_item_path fix registry FP
2022-03-17 18:44:53 +01:00
Florian Roth 22133aaa07 Merge pull request #2821 from redsand/fp_tasktop_path_traversal
Adding filter for java tasktop
2022-03-17 18:44:16 +01:00
Florian Roth 33617fd8b4 rule: new webshell detection rule 2022-03-17 18:31:11 +01:00
Tim Shelton 026677cf8a fixing spelling error 2022-03-17 17:27:11 +00:00
Florian Roth 8250dd73a2 refactor: webshell detection rules 2022-03-17 18:24:15 +01:00
Tim Shelton a1cb805913 Adding filter for java tasktop 2022-03-17 17:23:06 +00:00
frack113 829409d29a Redcannary 2022-03-17 16:48:41 +01:00
frack113 becf3baeb4 Merge pull request #2813 from phantinuss/master
Changes to falsepositives metadata
2022-03-17 14:31:27 +01:00
frack113 6da13f19a6 fix registry FP 2022-03-17 14:26:12 +01:00
Florian Roth c4f6fedb46 Merge pull request #2816 from redsand/fp_antivirus_symantec_file_print_driver
Filtering of symantec submission for analysis
2022-03-16 22:29:00 +01:00
Tim Shelton c58f3d0351 Filtering of symantec submission for analysis 2022-03-16 19:07:15 +00:00
Florian Roth 1ab03bd9f8 Merge pull request #2815 from SigmaHQ/rule-devel
rule: remote thread creation, rule: get-addbaccount
2022-03-16 18:47:03 +01:00
Florian Roth bd8306cd28 Merge pull request #2814 from SigmaHQ/aurora-false-positive-fixing
fix: sadly still too many fps with this rule
2022-03-16 18:15:23 +01:00
Florian Roth 39811e1405 refactor: uppercase values, DropLoader imphash 2022-03-16 17:56:55 +01:00
Florian Roth 16cac67751 fix: indentation 2022-03-16 15:35:54 +01:00
Florian Roth 426b3a0906 Merge pull request #2796 from d4rk-d4nph3/master
Added rule for shellcode injection by Metasploit and Empire
2022-03-16 15:34:03 +01:00
Florian Roth 4445ea6baf fix: sadly still too many fps with this rule 2022-03-16 15:21:27 +01:00
Florian Roth 1099c5630e rule: remote thread creation, get-addbaccount 2022-03-16 15:21:01 +01:00
phantinuss 043747822f fix: more falsepositives harmonization 2022-03-16 14:57:06 +01:00
phantinuss 6ae28b7a1c fix: legitimate --> Legitimate 2022-03-16 14:35:19 +01:00
phantinuss 84d0c472ba fix: remove penetration test as valid false positive reason 2022-03-16 14:33:18 +01:00
phantinuss 8d3f8acb60 fix: none --> Unknown 2022-03-16 14:19:21 +01:00
phantinuss 9b82e099a3 fix: unlikely --> Unlikely 2022-03-16 14:16:10 +01:00
phantinuss 4585133325 fix: remove penetration testing as a valid false positive 2022-03-16 13:51:26 +01:00
phantinuss b23eee6ebf fix: unknown --> Unknown 2022-03-16 13:43:54 +01:00
Florian Roth 8acf6431f5 Merge pull request #2809 from SigmaHQ/rule-devel
CrackMapExec patterns, minor addition to ncat rule, rar rule adjusted
2022-03-16 11:25:10 +01:00
Florian Roth 4d2a4b74cd Merge pull request #2808 from SigmaHQ/aurora-false-positive-fixing
Aurora false positive fixing
2022-03-16 09:58:21 +01:00
Florian Roth 0e1945beaa refactor: rar usage w password & compression level 2022-03-16 09:57:45 +01:00
Thomas Patzke 125359cfbc Merge pull request #2810 from SigmaHQ/fix
Fixes
2022-03-16 07:29:24 +01:00
Thomas Patzke f022b087e0 Fixed date format in rule 2022-03-15 23:31:14 +01:00
Florian Roth c818e00fc2 Merge branch 'master' into aurora-false-positive-fixing 2022-03-15 18:07:13 +01:00
Florian Roth b2cdb92b11 fix: FPs with THOR 2022-03-15 18:05:42 +01:00
Florian Roth a10561e084 ncat pattern 2022-03-15 18:05:13 +01:00
Florian Roth 306bb438e3 CrackMapExec patterns 2022-03-15 18:05:04 +01:00
Paul Hager 87600161bf new rule from thedfirreport.com 2022-03-15 16:39:12 +01:00
Paul Hager 3b09f1c9da new rule from thedfirreport.com 2022-03-15 16:38:27 +01:00
Paul Hager 20125d87c2 new rule from thedfirreport.com 2022-03-15 16:36:57 +01:00
Florian Roth df0d93baa0 Merge pull request #2805 from ionsor/patch-4
Update win_dcsync.yml
2022-03-15 16:02:17 +01:00
Florian Roth dd5e10c2f5 Merge pull request #2803 from redsand/fp_remote_powershell_valid_call_ms_archive
FP on valid remote call of Powershell Archive.psm1, maybe beneficial …
2022-03-15 12:53:40 +01:00
Feathers 8014c477cd Update win_dcsync.yml
Added a more detailed source on this detection.
Also included the AccessMask corresponding to “control access” that is specifically registered when access is allowed following extended rights verification (typically associated with the use of high level and explicit permissions that are required to initiate the DCSync attack) as is described in the Black Lantern Security blog post.
Added 3 other GUIDs that correspond to:
1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 - DS-Replication-Get-Changes
9923a32a-3607-11d2-b9be-0000f87a36b2 - DS-Install-Replica
89e95b76-444d-4c62-991a-0facbeda640c - DS-Replication-Get-Changes-In-Filtered-Set
2022-03-15 12:37:07 +01:00
Tim Shelton bda0f3cfe0 FP on valid remote call of Powershell Archive.psm1, maybe beneficial to filter all powershell modules in future 2022-03-14 22:23:06 +00:00