Commit Graph

209 Commits

Author SHA1 Message Date
Florian Roth fda9c753e2 Update image_load_msdt_sdiageng.yml 2022-06-17 18:46:14 +02:00
Florian Roth 725cadc902 Update image_load_msdt_sdiageng.yml 2022-06-17 08:49:17 +02:00
eiger 764dbc4e3c Fix: Sigma title error 2022-06-17 14:40:01 +08:00
eiger e4ab54d60f Rule: Follina and DogWalk exploit msdt.exe loading sdiageng.dll 2022-06-17 09:41:08 +08:00
eiger 7444869de3 Rule: Follina and DogWalk exploit msdt.exe loading sdiageng.dll 2022-06-17 09:29:20 +08:00
eiger 21edcafa36 Rule: Follina or DogWalk exploit sdiageng.dll 2022-06-17 09:21:57 +08:00
Nasreddine Bencherchali 97856b562a Add "\" to "Image|endswith" modifier
- Added the "\\" (backslash) for the "(Parent)Image|endswith" modifiers to avoid possible confusion.
- The modifications were mostly done on default Windows binaries to avoid changing the logic of other rules.
2022-06-02 13:39:07 +01:00
phantinuss 465886d6e3 fix: FP found in testing 2022-05-27 15:16:30 +02:00
David ANDRE 74b9f97b9c Renamed suspicious in filenames to susp 2022-05-19 09:37:04 +02:00
frack113 196aa6d83d move deprecated rules 2022-05-14 09:42:32 +02:00
phantinuss 112b715dd6 chore: test rules: reactivate single value list check 2022-05-10 17:13:04 +02:00
phantinuss dbd68bf3f0 chore: test rules: capitalization on FP list entries
Entries in the false positive list should begin with
a capital letter, e.g. Unknown instead of unknown.

Fixed the existing rules accordingly
2022-05-09 16:07:44 +02:00
Tobias Michalski cf608cf730 fix: false positive fix 2022-05-06 14:24:04 +02:00
Florian Roth 892025474d fix: FPs noticed with Aurora 2022-05-02 16:25:33 +02:00
phantinuss 13e31e8383 fix: FPs found in win2022 domain controller baseline 2022-04-21 10:48:59 +02:00
Max Altgelt 026490921c fix: Add FP exclusion for vss_ps.dll load
The scheduled task that creates restore points apparently runs
rundll32.exe and loads this DLL.
2022-04-07 10:49:10 +02:00
phantinuss 84d0c472ba fix: remove penetration test as valid false positive reason 2022-03-16 14:33:18 +01:00
phantinuss b23eee6ebf fix: unknown --> Unknown 2022-03-16 13:43:54 +01:00
frack113 7fb8272f94 Name Normalization
2022-02-27 10:58:14 +01:00
Tobias Michalski 15c61b42bf fix: Set rule to medium due to too many filters 2022-02-23 11:03:23 +01:00
Florian Roth 921d46ca79 fix: FPs noticed with Aurora 2022-02-21 18:43:18 +01:00
Florian Roth 2500c16aea fix: FPs noticed with Aurora 2022-02-16 17:00:27 +01:00
Florian Roth 98dbfe1ff6 fix: too many matches on many programs
... running from every other location
2022-02-12 00:44:42 +01:00
phantinuss 97f4b8a1e9 fix: mandatory escaping of \* 2022-02-10 16:16:42 +01:00
phantinuss 6ad44598ee fix: several FPs against a freshly installed Windows with example applications and basic user interaction 2 2022-02-10 16:12:17 +01:00
phantinuss 43bae23f23 fix: several FPs against a freshly installed Windows with example applications and basic user interaction 2022-02-09 17:47:22 +01:00
frack113 54c2dcdafb Add CVE-2022-22718 2022-02-09 08:40:04 +01:00
Florian Roth 8aad83a737 fix: far too many FPs with new Advapi31.dll rule 2022-02-04 14:03:14 +01:00
frack113 d56261cd70 aurora OneDrive FP 2022-02-04 09:32:29 +01:00
Florian Roth 84660da583 Update image_load_susp_advapi32_dll.yml 2022-02-03 22:00:24 +01:00
frack113 1ac80bebf8 add image_load_susp_advapi32_dll 2022-02-03 18:54:34 +01:00
Florian Roth 6c2dea3a8c fix: FPs noticed with Aurora 2022-02-01 15:57:44 +01:00
frack113 4631d0c482 remove invalid tag 2022-01-19 18:23:30 +01:00
Florian Roth f77da595c4 fix: FPs noticed with Aurora 2022-01-12 11:32:34 +01:00
Florian Roth 0f8a3bc356 fix: FP noticed with Aurora 2022-01-06 21:06:29 +01:00
frack113 d74458a0e0 Windows 2019 2022-01-02 16:12:30 +01:00
frack113 7d200d95f3 Aurora FP 2021-12-27 17:13:17 +01:00
frack113 372023d3c0 Fix aurora FP 2021-12-16 09:45:50 +01:00
Florian Roth 2f43e6815b Merge pull request #2440 from SigmaHQ/aurora-false-positive-fixing
fix: FPs noticed with Aurora
2021-12-12 14:20:09 +01:00
Florian Roth c6819861c9 fix: FPs noticed with Aurora 2021-12-12 13:09:27 +01:00
frack113 4baeddbf16 change to test 2021-12-08 18:06:03 +01:00
frack113 f6af9f6f0b OneDrive FP 2021-12-08 17:31:41 +01:00
Florian Roth 506631485e fix: FPs noticed with Aurora 2021-12-07 10:38:10 +01:00
Florian Roth ea7de1f2dd fix: FPs noticed with Aurora 2021-12-06 16:09:50 +01:00
Florian Roth 48289bdab9 Merge branch 'aurora-false-positive-fixing' of https://github.com/SigmaHQ/sigma into aurora-false-positive-fixing 2021-12-05 11:21:43 +01:00
Florian Roth cb4ee6fbee fix: FPs noticed with Aurora 2021-12-05 11:21:40 +01:00
Florian Roth 4a1b6bb5f8 Merge pull request #2380 from SigmaHQ/aurora-false-positive-fixing
fix: FPs noticed with Aurora
2021-12-04 12:12:18 +01:00
Florian Roth 0bc0502b24 fix: FPs noticed with Aurora 2021-12-04 10:57:13 +01:00
frack113 5e0326f461 Merge pull request #2376 from frack113/fix_FP
Fix some FP
2021-12-04 08:57:58 +01:00
frack113 18d35e6477 Use 1 of filter 2021-12-04 08:12:23 +01:00