Florian Roth
3870fd81a1
Merge branch 'aurora-false-positive-fixing' of https://github.com/SigmaHQ/sigma into aurora-false-positive-fixing
2022-07-31 13:23:11 +02:00
Florian Roth
9795bf6f57
fix: FPs with git.exe
2022-07-31 13:22:39 +02:00
Florian Roth
9ca043863e
fix: FPs noticed with Aurora
2022-07-28 16:58:24 +02:00
Florian Roth
3286d16f3a
Merge branch 'master' into aurora-false-positive-fixing
2022-07-20 13:03:56 +02:00
Florian Roth
634722c786
fix: FPs noticed with Aurora
2022-07-20 13:02:49 +02:00
Nasreddine Bencherchali
16b2945027
New Rules + Update
2022-07-14 17:35:50 +01:00
Nasreddine Bencherchali
8b9307de30
Update selections
2022-07-07 20:55:19 +01:00
Nasreddine Bencherchali
aec95b6d65
Update selections and indentation
2022-07-07 20:13:45 +01:00
Florian Roth
3754075ae6
fix: FP with git.exe
2022-06-30 18:25:31 +02:00
Florian Roth
fd7b8d1c4f
fix: FPs
2022-06-29 13:20:57 +02:00
Florian Roth
f728893364
refactor: rule level adjustments - critical to high
2022-06-18 17:43:22 +02:00
Nasreddine Bencherchali
97856b562a
Add "\" to "Image|endswith" modifier
- Added the "\\" (backslash) for the "(Parent)Image|endswith" modifiers to avoid possible confusion.
- The modifications were mostly done on default Windows binaries to avoid changing the logic of other rules.
2022-06-02 13:39:07 +01:00
David ANDRE
74b9f97b9c
Renamed suspicious in filenames to susp
2022-05-19 09:37:04 +02:00
Florian Roth
69afab9b9a
Update create_remote_thread_win_ttdinjec.yml
2022-05-16 16:52:27 +02:00
frack113
c240824bd0
ttdinject lolbin
2022-05-16 09:10:28 +02:00
Timon Hackenjos
649d2b2a22
rule: KeePass password dumping
2022-04-23 18:25:11 +02:00
phantinuss
f5ca5c0579
fix: FPs from fresh Windows 2022 install
2022-04-07 14:15:44 +02:00
phantinuss
9376859b06
fix: remove duplicate list entry
2022-04-06 17:14:34 +02:00
phantinuss
4780447102
fix: FPs from fresh Win7 install
2022-04-06 17:07:00 +02:00
phantinuss
7cbfc7f16a
fix: remove . from title
2022-04-06 17:04:10 +02:00
frack113
becf3baeb4
Merge pull request #2813 from phantinuss/master
Changes to falsepositives metadata
2022-03-17 14:31:27 +01:00
Florian Roth
16cac67751
fix: indentation
2022-03-16 15:35:54 +01:00
Florian Roth
1099c5630e
rule: remote thread creation, get-addbaccount
2022-03-16 15:21:01 +01:00
phantinuss
b23eee6ebf
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
frack113
4631d0c482
remove invalid tag
2022-01-19 18:23:30 +01:00
frack113
01dc930c17
Change status for old rules
2021-11-27 11:33:14 +01:00
frack113
ebcfcfebf4
Fix field name
2021-11-20 19:14:59 +01:00
frack113
8e39eb7fde
Remove useless EventID
2021-11-12 11:28:09 +01:00
frack113
0288f5b626
fix condition operator case
2021-09-10 13:51:52 +02:00
frack113
0fb6c35b1f
Cleanup PS rules
2021-08-21 09:58:58 +02:00
wagga40
11df697cdc
Updated rules with modifiers instead of '*' and remove trailing '\\'
2021-06-27 14:51:29 +02:00
frack113
b23423beba
convert to TargetImage|endswith
2021-06-21 20:51:26 +02:00
Jonhnathan
e218c32a4c
Update Threat Hunter Playbook Reference
2021-05-22 01:00:39 -03:00
Steven
850a002840
Merge branch 'master' of https://github.com/SigmaHQ/sigma
2021-04-15 01:25:48 +02:00
Steven
0c9a82af89
- Remove 'service: sysmon' since defining the categories made the rules generic
2020-10-02 09:37:52 +02:00
Steven
8b74abe0bc
- Created new categories for sysmon events
- Replaced the explicit EventIDs with the reference to the category
- Moved the rules to the corresponding directories
2020-09-30 20:44:14 +02:00