security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
9,973 Commits 1 Branch 57 Tags
0889a1fc3b1a950fab00a5334f1fef3cd8ba0cb2
Commit Graph

992 Commits

Author SHA1 Message Date
Florian Roth a60426e4a2 Update win_alert_lsass_access.yml 2022-02-07 15:43:04 +01:00
phantinuss ed2025e626 fix: FPs 2022-02-07 15:32:15 +01:00
Florian Roth 44221ed95e fix: Aurora Sigma rule matches in application log 2022-02-05 21:38:10 +01:00
Florian Roth 48aeae8ca9 Merge pull request #2631 from JSHOX1/patch-1 
Create win_susp_ntlm_brute_force.yml
 2022-02-04 00:49:27 +01:00
Florian Roth e6fb282064 Merge pull request #2637 from ruppde/master 
Update win_av_relevant_match.yml
 2022-02-03 22:28:19 +01:00
Florian Roth 20463ed18e Update win_susp_ntlm_brute_force.yml 2022-02-03 22:02:33 +01:00
Florian Roth 46f094d6f9 Merge pull request #2635 from SigmaHQ/rule-devel 
refactor: avoid regex use
 2022-02-03 21:56:58 +01:00
Arnim Rupp aab00905f1 Update win_av_relevant_match.yml 
Add Ransomware and Cobalt Strike strings.
 2022-02-03 21:43:42 +01:00
Florian Roth 6ce92b27be refactor: more regex avoidance 2022-02-03 20:05:10 +01:00
Florian Roth 8c07a51ab9 fix: non-ascii character in description 2022-02-03 19:52:07 +01:00
Florian Roth b715894497 refactor: avoid regex use 2022-02-03 19:48:19 +01:00
JSHOX1 81292263ba Update win_susp_ntlm_brute_force.yml 2022-02-02 16:18:20 -05:00
JSHOX1 1346d93e95 Update win_susp_ntlm_brute_force.yml 2022-02-02 12:25:07 -05:00
JSHOX1 50fb36c4cb Create win_susp_ntlm_brute_force.yml 2022-02-02 09:24:13 -05:00
Florian Roth ef955b92ae Merge branch 'master' into aurora-false-positive-fixing 2022-02-02 13:49:23 +01:00
phantinuss 2d36c6222d fix: FPs found in prod environment 2022-02-02 11:03:19 +01:00
Florian Roth 9fc06fb027 Merge branch 'aurora-false-positive-fixing' of https://github.com/SigmaHQ/sigma into aurora-false-positive-fixing 2022-02-01 15:57:20 +01:00
Florian Roth 6efa5da3dc fix: unescaped double back slashes 2022-02-01 15:57:15 +01:00
frack113 5b30db61b0 Add windows redcannary rules 2022-01-28 16:12:38 +01:00
frack113 7053d42e43 move to builtin 2022-01-21 11:59:13 +01:00
frack113 4631d0c482 remove invalid tag 2022-01-19 18:23:30 +01:00
Tom Maier 2cd464e77c Adjusted modified field to current date 2022-01-17 14:18:33 +01:00
Tom Maier 82e7ce7799 Adjust case sensitivity of Provider_Name field 2022-01-17 10:36:09 +01:00
Florian Roth c1e1809dae Merge pull request #2570 from SigmaHQ/rule-devel 
Admin Share rules, JS RunHTMLApplication
 2022-01-16 22:44:02 +01:00
Florian Roth a3a9e2add8 fix: wrong modifier 2022-01-16 17:43:55 +01:00
Florian Roth be224a6f37 rule: new rules covering admin share activity 2022-01-16 17:40:50 +01:00
frack113 5890c1bb20 Fix logsource 2022-01-16 08:56:51 +01:00
frack113 f7e670d55e Simple Quote 2022-01-11 13:40:53 +01:00
frack113 ac240b1487 Merge pull request #2527 from frack113/promote_366d 
Change status to test
 2022-01-09 08:02:36 +01:00
Florian Roth 6f7d28b52a Merge pull request #2532 from SigmaHQ/aurora-false-positive-fixing 
fix: FPs noticed with Aurora
 2022-01-08 15:57:31 +01:00
Florian Roth bdbb156090 fix: FPs noticed with Aurora 2022-01-08 15:12:17 +01:00
Florian Roth 3cf4c9845c Merge pull request #2530 from SigmaHQ/rule-devel 
docs: changed title of rules that were equal
 2022-01-07 14:15:17 +01:00
Florian Roth d31f5258eb docs: changed title of rules that were equal 2022-01-07 13:07:35 +01:00
frack113 c6014b1205 Change status to test 2022-01-07 07:04:24 +01:00
Florian Roth 70deac6240 Merge pull request #2525 from SigmaHQ/rule-devel 
rule: changed some rules, LOLBIN AccCheckConsole
 2022-01-06 21:10:03 +01:00
frack113 73f258e2d1 Change double quote to quote 2022-01-06 14:02:35 +01:00
Florian Roth ae05f4d73a fix: reduced the set even more 2022-01-05 16:50:59 +01:00
Florian Roth 3386a3649e fix: massive performance impact of keyword-based rule 2022-01-05 14:12:13 +01:00
Florian Roth 73c7c5790c docs: removed tracking info from reference link 2021-12-27 11:52:16 +01:00
Florian Roth e9702af82b rule: sAMAccountName Spoofing CVE-2021-42287 2021-12-22 08:50:05 +01:00
David André 2ce0529792 Merge branch 'SigmaHQ:master' into add_mimikatz_keywords 2021-12-21 09:26:51 +01:00
Florian Roth 3c7b4b7225 Update win_alert_mimikatz_keywords.yml 2021-12-20 18:40:19 +01:00
Florian Roth 12387fc275 Update win_alert_mimikatz_keywords.yml 2021-12-20 17:28:42 +01:00
Florian Roth 5d3f39e317 fix: duplicate entry 2021-12-20 12:53:45 +01:00
David ANDRE ed17c07aff Corrected alignment 2021-12-20 09:25:05 +01:00
David ANDRE d2f9a9c63e Added mimikatz keywords from user published documentation 2021-12-20 08:56:13 +01:00
frack113 b368d036cf change level to medium 2021-12-16 22:44:45 +01:00
frack113 4f866f8da3 fix detection 2021-12-15 10:04:37 +01:00
frack113 8908c4ca8e Add win_vul_cve_2021_42278_or_cve_2021_42287 2021-12-15 09:32:39 +01:00
frack113 93c5d8b361 Add win_vul_cve_2021_42278_or_cve_2021-42287 2021-12-15 09:24:23 +01:00