Merge pull request #2670 from SigmaHQ/aurora-false-positive-fixing

refactor: reduced level of TeamViewer rule
Florian Roth
2022-02-08 22:05:34 +01:00
committed by GitHub
@@ -3,6 +3,7 @@ id: 778ba9a8-45e4-4b80-8e3e-34a419f0b85e
description: Detects DNS queries to a TeamViewer domain only resolved by a TeamViewer client by an image that isn't named TeamViewer (sometimes used by threat actors for obfuscation)
status: experimental
date: 2022/01/30
modified: 2022/02/08
author: Florian Roth
references:
- https://www.teamviewer.com/en-us/
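Review bot: The `modified: 2022/02/08` line matches the commit date, but the `references:` entry below it is only the TeamViewer home page, which does not support the description's claim that the domain is resolved only by a TeamViewer client or that threat actors rename the binary. Consider adding a reference that backs that claim, so an analyst triaging a hit can check the premise. The description is also hard to parse because of the doubled "by ... by"; something like "DNS queries to a TeamViewer-only domain made by an image not named TeamViewer" would read more clearly.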
@@ -23,4 +24,4 @@ detection:
falsepositives:
- Unknown binary names of TeamViewer
- Other programs that also lookup the observed domain
level: high
level: medium
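Review bot: The `falsepositives:` entries just above the level change are left as they were, so the rule does not record which false positive prompted the drop from `level: high` to `level: medium`. If a specific program or binary name was observed, name it in that list or exclude it with a filter in the `detection:` section. Lowering the level alone reduces alert priority for renamed-client hits as well as for the benign lookups. The commit title also calls this a refactor, although it changes how the rule's alerts are prioritised. A prefix that reflects the behaviour change would make it easier to find in the history.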