Commit Graph

1034 Commits

Author SHA1 Message Date
Florian Roth 6ce92b27be refactor: more regex avoidance 2022-02-03 20:05:10 +01:00
Florian Roth 8c07a51ab9 fix: non-ascii character in description 2022-02-03 19:52:07 +01:00
Florian Roth b715894497 refactor: avoid regex use 2022-02-03 19:48:19 +01:00
JSHOX1 81292263ba Update win_susp_ntlm_brute_force.yml 2022-02-02 16:18:20 -05:00
JSHOX1 1346d93e95 Update win_susp_ntlm_brute_force.yml 2022-02-02 12:25:07 -05:00
JSHOX1 50fb36c4cb Create win_susp_ntlm_brute_force.yml 2022-02-02 09:24:13 -05:00
Florian Roth ef955b92ae Merge branch 'master' into aurora-false-positive-fixing 2022-02-02 13:49:23 +01:00
phantinuss 2d36c6222d fix: FPs found in prod environment 2022-02-02 11:03:19 +01:00
Florian Roth 9fc06fb027 Merge branch 'aurora-false-positive-fixing' of https://github.com/SigmaHQ/sigma into aurora-false-positive-fixing 2022-02-01 15:57:20 +01:00
Florian Roth 6efa5da3dc fix: unescaped double back slashes 2022-02-01 15:57:15 +01:00
frack113 5b30db61b0 Add windows redcannary rules 2022-01-28 16:12:38 +01:00
frack113 7053d42e43 move to builtin 2022-01-21 11:59:13 +01:00
frack113 4631d0c482 remove invalid tag 2022-01-19 18:23:30 +01:00
Tom Maier 2cd464e77c Adjusted modified field to current date 2022-01-17 14:18:33 +01:00
Tom Maier 82e7ce7799 Adjust case sensitivity of Provider_Name field 2022-01-17 10:36:09 +01:00
Florian Roth c1e1809dae Merge pull request #2570 from SigmaHQ/rule-devel: Admin Share rules, JS RunHTMLApplication 2022-01-16 22:44:02 +01:00
Florian Roth a3a9e2add8 fix: wrong modifier 2022-01-16 17:43:55 +01:00
Florian Roth be224a6f37 rule: new rules covering admin share activity 2022-01-16 17:40:50 +01:00
frack113 5890c1bb20 Fix logsource 2022-01-16 08:56:51 +01:00
frack113 f7e670d55e Simple Quote 2022-01-11 13:40:53 +01:00
frack113 ac240b1487 Merge pull request #2527 from frack113/promote_366d: Change status to test 2022-01-09 08:02:36 +01:00
Florian Roth 6f7d28b52a Merge pull request #2532 from SigmaHQ/aurora-false-positive-fixing: fix: FPs noticed with Aurora 2022-01-08 15:57:31 +01:00
Florian Roth bdbb156090 fix: FPs noticed with Aurora 2022-01-08 15:12:17 +01:00
Florian Roth 3cf4c9845c Merge pull request #2530 from SigmaHQ/rule-devel: docs: changed title of rules that were equal 2022-01-07 14:15:17 +01:00
Florian Roth d31f5258eb docs: changed title of rules that were equal 2022-01-07 13:07:35 +01:00
frack113 c6014b1205 Change status to test 2022-01-07 07:04:24 +01:00
Florian Roth 70deac6240 Merge pull request #2525 from SigmaHQ/rule-devel: rule: changed some rules, LOLBIN AccCheckConsole 2022-01-06 21:10:03 +01:00
frack113 73f258e2d1 Change double quote to quote 2022-01-06 14:02:35 +01:00
Florian Roth ae05f4d73a fix: reduced the set even more 2022-01-05 16:50:59 +01:00
Florian Roth 3386a3649e fix: massive performance impact of keyword-based rule 2022-01-05 14:12:13 +01:00
Florian Roth 73c7c5790c docs: removed tracking info from reference link 2021-12-27 11:52:16 +01:00
Florian Roth e9702af82b rule: sAMAccountName Spoofing CVE-2021-42287 2021-12-22 08:50:05 +01:00
David André 2ce0529792 Merge branch 'SigmaHQ:master' into add_mimikatz_keywords 2021-12-21 09:26:51 +01:00
Florian Roth 3c7b4b7225 Update win_alert_mimikatz_keywords.yml 2021-12-20 18:40:19 +01:00
Florian Roth 12387fc275 Update win_alert_mimikatz_keywords.yml 2021-12-20 17:28:42 +01:00
Florian Roth 5d3f39e317 fix: duplicate entry 2021-12-20 12:53:45 +01:00
David ANDRE ed17c07aff Corrected alignment 2021-12-20 09:25:05 +01:00
David ANDRE d2f9a9c63e Added mimikatz keywords from user published documentation 2021-12-20 08:56:13 +01:00
frack113 b368d036cf change level to medium 2021-12-16 22:44:45 +01:00
frack113 4f866f8da3 fix detection 2021-12-15 10:04:37 +01:00
frack113 8908c4ca8e Add win_vul_cve_2021_42278_or_cve_2021_42287 2021-12-15 09:32:39 +01:00
frack113 93c5d8b361 Add win_vul_cve_2021_42278_or_cve_2021-42287 2021-12-15 09:24:23 +01:00
Florian Roth baa1dcd608 Merge pull request #2417 from stbe/imp_lsass_defender: Added Defender to win_susp_lsass_dump_generic.yml 2021-12-10 00:00:22 +01:00
stbe 44db55c4fd Refined definition of defender executable 2021-12-09 22:55:09 +01:00
frack113 e049058d14 Merge pull request #2415 from frack113/condition: builtin/security simplified condition 2021-12-09 16:24:24 +01:00
stbe 20f185f2b8 Added Defender to win_susp_lsass_dump_generic.yml 2021-12-09 13:57:09 +01:00
Florian Roth af2c6a0ecb Lower the level to "low": In case that some backends/scripts/tools don't respect the "deprecated" status 2021-12-09 13:01:12 +01:00
frack113 62207b80ba Change to deprecated as too many FP 2021-12-09 09:34:08 +01:00
frack113 3ce9336e79 simplified condition 2021-12-08 20:12:57 +01:00
Florian Roth 157fa31f1b Merge pull request #2400 from redsand/fixing_errs_with_invoke_obfus: Fixing errs with invoke obfus 2021-12-08 14:49:42 +01:00