fix: removed ' from references

Tim Rauch
2022-09-29 10:21:01 +02:00
14 changed files with 17 additions and 17 deletions
@@ -5,10 +5,10 @@ status: experimental
date: 2021/05/04
modified: 2022/02/24
references:
- 'https://twitter.com/neu5ron/status/1346245602502443009'
- 'https://tdm.socprime.com/tdm/info/eLbyj4JjI15v#sigma'
- 'https://tools.ietf.org/html/rfc2929#section-2.1'
- 'https://www.netresec.com/?page=Blog&month=2021-01&post=Finding-Targeted-SUNBURST-Victims-with-pDNS'
- https://twitter.com/neu5ron/status/1346245602502443009
- https://tdm.socprime.com/tdm/info/eLbyj4JjI15v#sigma
- https://tools.ietf.org/html/rfc2929#section-2.1
- https://www.netresec.com/?page=Blog&month=2021-01&post=Finding-Targeted-SUNBURST-Victims-with-pDNS
author: '@neu5ron, SOC Prime Team, Corelight'
tags:
- attack.t1095
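Review bot: dropping the quotes is safe for these four URLs, but only because the characters that are special in YAML plain scalars sit mid-token: the `#` in `eLbyj4JjI15v#sigma` and `rfc2929#section-2.1` is not preceded by whitespace (a `#` after a space would start a comment and truncate the URL), and `?page=Blog&month=` keeps `?` and `&` away from the start of the scalar where they would be read as a mapping key or anchor. Worth running the touched files through a YAML loader or the repo's rule checker before merging so a future reference with a space before `#` does not silently lose its fragment.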
@@ -6,7 +6,7 @@ related:
status: experimental
description: Detects a service installed by a client which has PID 0 or whose parent has PID 0
references:
- 'https://www.elastic.co/guide/en/security/current/windows-service-installed-via-an-unusual-client.html'
- https://www.elastic.co/guide/en/security/current/windows-service-installed-via-an-unusual-client.html
author: Tim Rauch
date: 2022/09/15
logsource:
@@ -6,7 +6,7 @@ related:
status: experimental
description: Detects a service installed by a client which has PID 0 or whose parent has PID 0
references:
- 'https://www.elastic.co/guide/en/security/current/windows-service-installed-via-an-unusual-client.html'
- https://www.elastic.co/guide/en/security/current/windows-service-installed-via-an-unusual-client.html
author: Tim Rauch
date: 2022/09/15
logsource:
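Review bot: this hunk is byte-for-byte identical to the preceding one (same description, same Elastic reference, same author and date), and with the file headers lost in the rendering it is not visible which two files these are. If two rule files carry the same content, confirm they have distinct `id` values and that the duplicate is intentional rather than a stray copy; otherwise one of them should be removed in a follow-up.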
@@ -3,7 +3,7 @@ id: 3eb8c339-a765-48cc-a150-4364c04652bf
status: experimental
description: Detects the deletion of WebServer access logs which may indicte the attempt to destroy forensic evidence
references:
- 'https://www.elastic.co/guide/en/security/current/webserver-access-logs-deleted.html'
- https://www.elastic.co/guide/en/security/current/webserver-access-logs-deleted.html
author: Tim Rauch
date: 2022/09/16
logsource:
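Review bot: the context line `description: Detects the deletion of WebServer access logs which may indicte the attempt to destroy forensic evidence` still carries the typo `indicte`; since this file is already being touched, fix it to `indicate` in the same commit rather than leaving it for another cosmetic pass.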
@@ -6,7 +6,7 @@ related:
status: experimental
description: Detects modifications to the Windows Defender configuration settings using PowerShell to add exclusions
references:
- 'https://www.elastic.co/guide/en/security/current/windows-defender-exclusions-added-via-powershell.html'
- https://www.elastic.co/guide/en/security/current/windows-defender-exclusions-added-via-powershell.html
author: Tim Rauch
date: 2022/09/16
logsource:
@@ -6,7 +6,7 @@ related:
status: experimental
description: Detects that the Windows Firewall is disabled using PowerShell
references:
- 'https://www.elastic.co/guide/en/security/current/windows-firewall-disabled-via-powershell.html'
- https://www.elastic.co/guide/en/security/current/windows-firewall-disabled-via-powershell.html
author: Tim Rauch
date: 2022/09/14
logsource:
@@ -6,7 +6,7 @@ related:
status: experimental
description: Detects modifications to the Windows Defender configuration settings using PowerShell to add exclusions
references:
- 'https://www.elastic.co/guide/en/security/current/windows-defender-exclusions-added-via-powershell.html'
- https://www.elastic.co/guide/en/security/current/windows-defender-exclusions-added-via-powershell.html
author: Tim Rauch
date: 2022/09/16
logsource:
@@ -6,7 +6,7 @@ related:
status: experimental
description: Detects that the Windows Firewall is disabled using PowerShell
references:
- 'https://www.elastic.co/guide/en/security/current/windows-firewall-disabled-via-powershell.html'
- https://www.elastic.co/guide/en/security/current/windows-firewall-disabled-via-powershell.html
author: Tim Rauch
date: 2022/09/14
logsource:
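Review bot: this hunk and the one immediately before it repeat the Windows Defender exclusions and Windows Firewall disabled hunks from earlier in the patch verbatim, again without visible file paths. As with the service-installation rule above, check that these are genuinely separate rule files with distinct `id`s and not duplicated rules that will double-fire in a backend conversion.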
@@ -3,7 +3,7 @@ id: 8aefd180-56e6-4850-a205-a26c61a24a8f
status: experimental
description: Detects net.exe or net1.exe used for network enumeration
references:
- 'https://www.elastic.co/guide/en/security/current/windows-network-enumeration.html'
- https://www.elastic.co/guide/en/security/current/windows-network-enumeration.html
author: Tim Rauch
date: 2022/09/15
logsource:
@@ -3,7 +3,7 @@ id: c0464058-4954-4536-896d-7b16315be56f
status: experimental
description: Detects wscript.exe or script.exe executing powershell.exe
references:
- 'https://www.elastic.co/guide/en/security/current/windows-script-executing-powershell.html'
- https://www.elastic.co/guide/en/security/current/windows-script-executing-powershell.html
author: Tim Rauch
date: 2022/09/15
logsource:
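Review bot: the context line `description: Detects wscript.exe or script.exe executing powershell.exe` names `script.exe`, which is not a Windows script host binary; the referenced Elastic rule title ("windows script executing powershell") suggests `cscript.exe` was intended. Confirm against the rule's detection block and correct the description while the file is open.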
@@ -5,7 +5,7 @@ description: Execution of well known tools for data exfiltration and tunneling
author: Florian Roth
date: 2022/08/04
references:
- 'https://www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/'
- https://www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/
logsource:
category: process_creation
product: windows
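Review bot: a minor consistency point, since this commit is about uniform reference formatting: here `references:` follows `author:` and `date:`, whereas every other rule in the patch lists `references:` before `author:`. If the intent is to normalise the metadata blocks, reorder this one to match, otherwise leave it as a deliberate exception.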
@@ -3,7 +3,7 @@ id: e52cb31c-10ed-4aea-bcb7-593c9f4a315b
status: experimental
description: Detects attempts to bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC) Windows Firewall snap-in
references:
- 'https://www.elastic.co/guide/en/security/current/uac-bypass-via-windows-firewall-snap-in-hijack.html#uac-bypass-via-windows-firewall-snap-in-hijack'
- https://www.elastic.co/guide/en/security/current/uac-bypass-via-windows-firewall-snap-in-hijack.html#uac-bypass-via-windows-firewall-snap-in-hijack
author: Tim Rauch
date: 2022/09/27
logsource:
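Review bot: the reference URL keeps a fragment `#uac-bypass-via-windows-firewall-snap-in-hijack` that merely repeats the page slug, and it is the only Elastic reference in this commit that carries one; if the goal is clean, uniform references, trim the fragment so the entry reads like the other `elastic.co/guide` links here. Unquoted, the `#` is still safe because it is not preceded by whitespace.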
@@ -3,7 +3,7 @@ id: 23f6015f-4b63-4bb7-a9e5-7857ef5b538f
status: experimental
description: Detects a suspicious Conhost child process which may be an indication of code injection activity
references:
- 'https://www.elastic.co/guide/en/security/current/suspicious-process-from-conhost.html'
- https://www.elastic.co/guide/en/security/current/suspicious-process-from-conhost.html
author: Tim Rauch
date: 2022/09/27
logsource:
@@ -3,7 +3,7 @@ id: a4e3d776-f12e-42c2-8510-9e6ed1f43ec3
status: experimental
description: Detects an unexpected process spawning from dns.exe which may indicate activity related to remote code execution or other forms of exploitation
references:
- 'https://www.elastic.co/guide/en/security/current/unusual-child-process-of-dns.exe.html'
- https://www.elastic.co/guide/en/security/current/unusual-child-process-of-dns.exe.html
author: Tim Rauch
date: 2022/09/27
logsource: