security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions 3 Packages Projects Releases Wiki Activity

Merge pull request #1296 from mat-gas/fix-references

Browse Source 
fix "references" field + add test for references in plural form
This commit is contained in:
Florian Roth
2020-12-21 18:25:35 +01:00
committed by GitHub
parent 377454cb31 b3e36281b5
commit e78d7e6aee
10 changed files with 28 additions and 18 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/web/win_webshell_regeorg.yml
+2 -2
View File
@@ -5,7 +5,7 @@ description: Certain strings in the uri_query field when combined with null refe
author: Cian Heasley
date: 2020/08/04
modified: 2020/09/03
reference:
references:
- https://community.rsa.com/community/products/netwitness/blog/2019/02/19/web-shells-and-netwitness-part-3
- https://github.com/sensepost/reGeorg
logsource:
@@ -34,4 +34,4 @@ level: high
tags:
- attack.persistence
- attack.t1100
- attack.t1505.003
- attack.t1505.003
rules/windows/other/win_defender_history_delete.yml
+1 -1
View File
@@ -3,7 +3,7 @@ id: 2afe6582-e149-11ea-87d0-0242ac130003
status: experimental
description: Windows Defender logs when the history of detected infections is deleted. Log file will contain the message "Windows Defender Antivirus has removed history of malware and other potentially unwanted software".
author: Cian Heasley
reference:
references:
- https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus
date: 2020/08/13
tags:
rules/windows/process_creation/win_control_panel_item.yml
+1 -1
View File
@@ -2,7 +2,7 @@ title: Control Panel Items
id: 0ba863e6-def5-4e50-9cea-4dd8c7dc46a4
status: experimental
description: Detects the malicious use of a control panel item
reference:
references:
- https://attack.mitre.org/techniques/T1196/
- https://ired.team/offensive-security/code-execution/code-execution-through-control-panel-add-ins
tags:
rules/windows/process_creation/win_dnscat2_powershell_implementation.yml
+1 -1
View File
@@ -3,7 +3,7 @@ id: b11d75d6-d7c1-11ea-87d0-0242ac130003
status: experimental
description: The PowerShell implementation of DNSCat2 calls nslookup to craft queries. Counting nslookup processes spawned by PowerShell will show hundreds or thousands of instances if PS DNSCat2 is active locally.
author: Cian Heasley
reference:
references:
- https://github.com/lukebaggett/dnscat2-powershell
- https://blu3-team.blogspot.com/2019/08/powershell-dns-c2-notes.html
- https://ragged-lab.blogspot.com/2020/06/it-is-always-dns-powershell-edition.html
rules/windows/process_creation/win_mouse_lock.yml
+1 -1
View File
@@ -3,7 +3,7 @@ id: c9192ad9-75e5-43eb-8647-82a0a5b493e3
status: experimental
description: In Kaspersky's 2020 Incident Response Analyst Report they listed legitimate tool "Mouse Lock" as being used for both credential access and collection in security incidents.
author: Cian Heasley
reference:
references:
- https://github.com/klsecservices/Publications/blob/master/Incident-Response-Analyst-Report-2020.pdf
- https://sourceforge.net/projects/mouselock/
date: 2020/08/13
rules/windows/process_creation/win_webshell_detection.yml
+1 -1
View File
@@ -2,7 +2,7 @@ title: Webshell Detection With Command Line Keywords
id: bed2a484-9348-4143-8a8a-b801c979301c
description: Detects certain command line parameters often used during reconnaissance activity via web shells
author: Florian Roth
reference:
references:
- https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html
date: 2017/01/01
modified: 2019/10/26
rules/windows/process_creation/win_webshell_recon_detection.yml
+1 -1
View File
@@ -3,7 +3,7 @@ id: f64e5c19-879c-4bae-b471-6d84c8339677
status: experimental
description: Looking for processes spawned by web server components that indicate reconnaissance by popular public domain webshells for whether perl, python or wget are installed.
author: Cian Heasley
reference:
references:
- https://ragged-lab.blogspot.com/2020/07/webshells-automating-reconnaissance.html
date: 2020/07/22
tags:
rules/windows/registry_event/sysmon_susp_mic_cam_access.yml
+2 -2
View File
@@ -3,7 +3,7 @@ id: 62120148-6b7a-42be-8b91-271c04e281a3
description: Detects Processes accessing the camera and microphone from suspicious folder
author: Den Iuzvyk
date: 2020/06/07
reference:
references:
- https://medium.com/@7a616368/can-you-track-processes-accessing-the-camera-and-microphone-7e6885b37072
tags:
- attack.collection
@@ -31,4 +31,4 @@ detection:
condition: all of selection_*
falsepositives:
- Unlikely, there could be conferencing software running from a Temp folder accessing the devices
level: high
level: high
rules/windows/sysmon/sysmon_abusing_azure_browser_sso.yml
+1 -1
View File
@@ -2,7 +2,7 @@ title: Avusing Azure Browser SSO
id: 50f852e6-af22-4c78-9ede-42ef36aa3453
description: Detects abusing Azure Browser SSO by requesting OAuth 2.0 refresh tokens for an Azure-AD-authenticated Windows user (i.e. the machine is joined to Azure AD and a user logs in with their Azure AD account) wanting to perform SSO authentication in the browser. An attacker can use this to authenticate to Azure AD in a browser as that user.
author: Den Iuzvyk
reference:
references:
- https://posts.specterops.io/requesting-azure-ad-request-tokens-on-azure-ad-joined-machines-for-browser-sso-2b0409caad30
date: 2020/07/15
modified: 2020/08/26