Commit Graph

1258 Commits

Author SHA1 Message Date
Florian Roth cd8ed9870c fix: FPs noticed with Aurora 2022-09-30 20:01:07 +02:00
Florian Roth 14fdf75ab5 fix: FPs noticed with THOR 2022-09-29 13:51:09 +02:00
Florian Roth 5533d7367f Merge pull request #3539 from SigmaHQ/aurora-false-positive-fixing
Aurora false positive fixing
2022-09-29 11:01:13 +02:00
Florian Roth ec329f403a fix: Aurora FPs with Nvidia update 2022-09-28 19:31:22 +02:00
Yamato Security e44e01e106 update modified tag 2022-09-28 06:32:34 +09:00
Yamato Security 979502921f define security-mitigations service 2022-09-28 06:23:50 +09:00
Florian Roth d2f7ff8059 Merge branch 'aurora-false-positive-fixing' of https://github.com/SigmaHQ/sigma into aurora-false-positive-fixing 2022-09-27 10:47:21 +02:00
Florian Roth 5e6a926ac3 fix: FPs 2022-09-27 10:47:19 +02:00
frack113 fb84ee92bb Merge pull request #3504 from YamatoSecurity/update-app-uninstalled-rule
update application uninstalled rule
2022-09-23 07:24:30 +02:00
frack113 ac9b12b6bb Update win_builtin_remove_application.yml 2022-09-23 07:14:31 +02:00
Yamato Security 6497cb7745 Keep at level: low 2022-09-23 03:37:00 +09:00
frack113 ca200d9d75 Merge pull request #3509 from amjcyber/patch-2
Update win_impacket_psexec.yml
2022-09-22 17:49:02 +02:00
frack113 6c70c6d35a Update win_impacket_psexec.yml 2022-09-22 17:42:27 +02:00
Florian Roth cab32f2be4 Merge pull request #3510 from SigmaHQ/aurora-false-positive-fixing
Windows 2022 false positive fixing
2022-09-18 16:50:34 +02:00
Florian Roth b6e595a8eb Merge branch 'aurora-false-positive-fixing' of https://github.com/SigmaHQ/sigma into aurora-false-positive-fixing 2022-09-18 16:21:49 +02:00
Florian Roth bf660b2de2 fix: FPs (testing, and Windows 2022 test system) 2022-09-18 16:21:05 +02:00
Arturo 17e9b5ee31 Update win_impacket_psexec.yml
Based on recent tests, the original RelativeTargetName values from this rule are not accurate. The last "t" from each selection must be deleted in order to detect the predefined impacket psexec behavior.
2022-09-18 15:38:54 +02:00
Florian Roth e6d2faf25f Merge pull request #3507 from SigmaHQ/aurora-false-positive-fixing
Aurora false positive fixing
2022-09-18 11:47:16 +02:00
Florian Roth 34957a784b fix: modified date update 2022-09-18 10:42:19 +02:00
Florian Roth 2e8717d603 fix: taskhostw FPs with lsass access 2022-09-18 10:39:56 +02:00
tr0mb1r 8b60317e2e Microsoft Teams Suspicious ObjectAccess events (#3500) 2022-09-17 08:47:35 +02:00
Yamato Security 8afb971e20 update application uninstalled rule 2022-09-17 07:46:31 +09:00
Florian Roth cb4dcded1e Merge pull request #3452 from FabFaeb/master
Add rule: Repeated failed mounting of administrative share
2022-09-16 21:12:09 +02:00
Florian Roth 92b6ba95e6 reduce the timeframe to 1min 2022-09-16 09:12:08 +02:00
nasreddine.bencherchali@nextron-systems.com 653ad66f21 Updates 2022-09-14 12:29:57 +02:00
frack113 b9cc206d9d Update win_susp_computer_name.yml 2022-09-09 18:53:48 +02:00
Florian Roth 860c45a038 added time frame 2022-09-09 17:07:45 +02:00
David ANDRE 9a77542bc6 Add comment to explain lack of eventID
Better description
2022-09-09 16:11:07 +02:00
David ANDRE b170af5687 Added rule for sam the admin suspicious computer 2022-09-09 16:08:19 +02:00
FabFaeb cfb90d0d01 merge 2022-09-07 16:54:28 +02:00
FabFaeb a8eb1ba972 rename rule 2022-09-07 16:52:09 +02:00
Florian Roth cab6ccc18a Merge branch 'master' into aurora-false-positive-fixing 2022-09-05 16:57:10 +02:00
David André 8a595cd3fd Merge branch 'SigmaHQ:master' into add_quotes_to_strings 2022-09-04 10:10:14 +02:00
Florian Roth 3d9d90f43e Update win_susp_failed_admin_share_mount.yml 2022-09-02 17:24:28 +02:00
Florian Roth 3ee77e1446 fix: FPs noticed with Aurora 2022-09-02 16:57:23 +02:00
FabFaeb ab9e15f456 fix title 2022-09-01 17:05:32 +02:00
David ANDRE 0b0190ccb1 Added quotes to strings 2022-09-01 15:22:26 +02:00
Nasreddine Bencherchali b0bd1a2184 Update win_msi_install_from_susp_locations.yml 2022-08-31 13:55:30 +02:00
Nasreddine Bencherchali 7b92cbb6d0 Create win_msi_install_from_susp_locations.yml 2022-08-31 13:54:50 +02:00
FabFaeb df2ef5a2ee added missing newline 2022-08-31 09:59:29 +02:00
FabFaeb 3a020ce499 added "failed admin share mount" rule 2022-08-31 09:57:09 +02:00
Nasreddine Bencherchali ea183cae13 Updates+New Rules 2022-08-31 09:39:16 +02:00
Wagga 4573ab0a21 Fix a lot of typos in rules text and comments #Part 3 (#3446) 2022-08-30 08:21:25 +02:00
Wagga f73e1c9b36 Update win_system_application_sysmon_crash.yml 2022-08-29 07:37:40 +02:00
Wagga 560bd7848e Update win_service_install_pdqdeploy_runner.yml 2022-08-29 07:31:18 +02:00
Wagga 2e1467aa59 Update win_mssql_disable_audit_settings.yml 2022-08-29 07:29:50 +02:00
Wagga f85cd9040d Update win_security_mitigations_defender_load_unsigned_dll.yml 2022-08-29 07:24:32 +02:00
Florian Roth 33cd3e9fd9 Merge branch 'master' into rule-devel 2022-08-26 22:49:54 +02:00
Florian Roth 7c486fcf83 refactor: removed unfitting tags 2022-08-26 20:53:54 +02:00
Florian Roth dcec3280fc merge: Nasreddine's Sliver rules 2022-08-26 20:51:39 +02:00