security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge pull request #1296 from mat-gas/fix-references

Browse Source 
fix "references" field + add test for references in plural form
This commit is contained in:
Florian Roth
2020-12-21 18:25:35 +01:00
committed by GitHub
parent 377454cb31 b3e36281b5
commit e78d7e6aee
10 changed files with 28 additions and 18 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/process_creation/win_control_panel_item.yml
+1 -1
View File
@@ -2,7 +2,7 @@ title: Control Panel Items
id: 0ba863e6-def5-4e50-9cea-4dd8c7dc46a4
status: experimental
description: Detects the malicious use of a control panel item
reference:
references:
- https://attack.mitre.org/techniques/T1196/
- https://ired.team/offensive-security/code-execution/code-execution-through-control-panel-add-ins
tags:
rules/windows/process_creation/win_dnscat2_powershell_implementation.yml
+1 -1
View File
@@ -3,7 +3,7 @@ id: b11d75d6-d7c1-11ea-87d0-0242ac130003
status: experimental
description: The PowerShell implementation of DNSCat2 calls nslookup to craft queries. Counting nslookup processes spawned by PowerShell will show hundreds or thousands of instances if PS DNSCat2 is active locally.
author: Cian Heasley
reference:
references:
- https://github.com/lukebaggett/dnscat2-powershell
- https://blu3-team.blogspot.com/2019/08/powershell-dns-c2-notes.html
- https://ragged-lab.blogspot.com/2020/06/it-is-always-dns-powershell-edition.html
rules/windows/process_creation/win_mouse_lock.yml
+1 -1
View File
@@ -3,7 +3,7 @@ id: c9192ad9-75e5-43eb-8647-82a0a5b493e3
status: experimental
description: In Kaspersky's 2020 Incident Response Analyst Report they listed legitimate tool "Mouse Lock" as being used for both credential access and collection in security incidents.
author: Cian Heasley
reference:
references:
- https://github.com/klsecservices/Publications/blob/master/Incident-Response-Analyst-Report-2020.pdf
- https://sourceforge.net/projects/mouselock/
date: 2020/08/13
rules/windows/process_creation/win_webshell_detection.yml
+1 -1
View File
@@ -2,7 +2,7 @@ title: Webshell Detection With Command Line Keywords
id: bed2a484-9348-4143-8a8a-b801c979301c
description: Detects certain command line parameters often used during reconnaissance activity via web shells
author: Florian Roth
reference:
references:
- https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html
date: 2017/01/01
modified: 2019/10/26
rules/windows/process_creation/win_webshell_recon_detection.yml
+1 -1
View File
@@ -3,7 +3,7 @@ id: f64e5c19-879c-4bae-b471-6d84c8339677
status: experimental
description: Looking for processes spawned by web server components that indicate reconnaissance by popular public domain webshells for whether perl, python or wget are installed.
author: Cian Heasley
reference:
references:
- https://ragged-lab.blogspot.com/2020/07/webshells-automating-reconnaissance.html
date: 2020/07/22
tags: