fix: fixed missing date fields in other files

This commit is contained in:
Florian Roth
2020-01-30 15:32:39 +01:00
parent 617ece1aa2
commit efd3af0812
33 changed files with 55 additions and 26 deletions
@@ -2,6 +2,7 @@ title: Python SQL Exceptions
id: 19aefed0-ffd4-47dc-a7fc-f8b1425e84f9
description: Generic rule for SQL exceptions in Python according to PEP 249
author: Thomas Patzke
date: 2017/08/12
references:
- https://www.python.org/dev/peps/pep-0249/#exceptions
logsource:
@@ -18,4 +19,3 @@ falsepositives:
- Application bugs
- Penetration testing
level: medium
@@ -3,6 +3,7 @@ id: 8a670c6d-7189-4b1c-8017-a417ca84a086
status: experimental
description: Detects SQL error messages that indicate probing for an injection attack
author: Bjoern Kimminich
date: 2017/11/27
references:
- http://www.sqlinjection.net/errors
logsource:
@@ -2,6 +2,7 @@ title: Django framework exceptions
id: fd435618-981e-4a7c-81f8-f78ce480d616
description: Detects suspicious Django web application framework exceptions that could indicate exploitation attempts
author: Thomas Patzke
date: 2017/08/05
references:
- https://docs.djangoproject.com/en/1.11/ref/exceptions/
- https://docs.djangoproject.com/en/1.11/topics/logging/#django-security
@@ -29,4 +30,3 @@ falsepositives:
- Application bugs
- Penetration testing
level: medium
@@ -2,6 +2,7 @@ title: Ruby on Rails framework exceptions
id: 0d2c3d4c-4b48-4ac3-8f23-ea845746bb1a
description: Detects suspicious Ruby on Rails exceptions that could indicate exploitation attempts
author: Thomas Patzke
date: 2017/08/06
references:
- http://edgeguides.rubyonrails.org/security.html
- http://guides.rubyonrails.org/action_controller_overview.html
@@ -22,4 +23,3 @@ falsepositives:
- Application bugs
- Penetration testing
level: medium
@@ -2,6 +2,7 @@ title: Spring framework exceptions
id: ae48ab93-45f7-4051-9dfe-5d30a3f78e33
description: Detects suspicious Spring framework exceptions that could indicate exploitation attempts
author: Thomas Patzke
date: 2017/08/06
references:
- https://docs.spring.io/spring-security/site/docs/current/apidocs/overview-tree.html
logsource:
@@ -21,4 +22,3 @@ falsepositives:
- Application bugs
- Penetration testing
level: medium
+3 -1
@@ -9,6 +9,8 @@ tags:
- attack.persistence
- attack.g0016
- attack.t1050
date: 2017/11/01
author: Thomas Patzke
logsource:
product: windows
service: system
@@ -27,6 +29,6 @@ logsource:
product: windows
detection:
process:
Image:
Image:
- 'C:\Program Files(x86)\Google\GoogleService.exe'
- 'C:\Program Files(x86)\Google\GoogleUpdate.exe'
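Review bot: The two `Image` values in the second hunk, `C:\Program Files(x86)\Google\GoogleService.exe` and `...\GoogleUpdate.exe`, have no space between `Files` and `(x86)`, which is not how the standard 32-bit program directory is spelled. If that is a typo the selection can never match a real event and the rule silently never fires; if it is deliberate because the reported samples were dropped into a lookalike directory of that exact name, the rule should say so, e.g. a comment above the list: `# path spelled without the space on purpose: the malware creates a lookalike "Program Files(x86)" directory (see references)`. The paths are context lines here and the change to `Image:` itself looks like an indentation fix only, since the rendered page drops leading whitespace, so this is a follow-up while the block is being touched; the detection block continues outside the hunk.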
+3 -1
@@ -7,6 +7,8 @@ tags:
- attack.persistence
- attack.g0010
- attack.t1050
date: 2017/03/31
author: Florian Roth
logsource:
product: windows
service: system
@@ -16,7 +18,7 @@ detection:
ServiceName:
- 'srservice'
- 'ipvpn'
- 'hkmsvc'
- 'hkmsvc'
condition: selection
falsepositives:
- Unknown
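Review bot: The added `date` key is placed before `author` in this section (`date: 2017/03/31` then `author: Florian Roth`), in the `attack.g0016` section above it, and in the Shellshock Expression section further down, whereas every other file in this commit writes `author` first and then `date`; since the whole commit is about normalising rule metadata, keeping one order across files (`author:` followed by `date:`) would make the headers easier to scan and to lint. The `YYYY/MM/DD` values are read by YAML as plain strings because of the slashes, so they need no quoting as written, but that only holds for this format: an ISO `YYYY-MM-DD` value would be turned into a date object by a YAML 1.1 loader and would then have to be quoted.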
+1
@@ -2,6 +2,7 @@ title: WMIExec VBS Script
id: 966e4016-627f-44f7-8341-f394905c361f
description: Detects suspicious file execution by wscript and cscript
author: Florian Roth
date: 2017/04/07
references:
- https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
tags:
+4 -3
@@ -7,6 +7,7 @@ references:
tags:
- attack.g0035
author: Markus Neis
date: 2018/04/08
logsource:
category: process_creation
product: windows
@@ -15,6 +16,6 @@ detection:
Image:
- '*\crackmapexec.exe'
condition: selection
falsepositives:
- None
level: critical
falsepositives:
- None
level: critical
+1
@@ -8,6 +8,7 @@ tags:
- attack.command_and_control
- attack.g0020
author: Florian Roth
date: 2017/04/15
logsource:
category: firewall
detection:
@@ -1,6 +1,7 @@
title: Equation Group DLL_U Load
id: d465d1d8-27a2-4cca-9621-a800f37cf72e
author: Florian Roth
date: 2019/03/04
description: Detects a specific tool and export used by EquationGroup
references:
- https://github.com/adamcaudill/EquationGroupLeak/search?utf8=%E2%9C%93&q=dll_u&type=
+1
@@ -8,6 +8,7 @@ tags:
- attack.g0020
- attack.t1059
author: Florian Roth
date: 2017/04/09
logsource:
product: linux
detection:
+2 -1
@@ -4,6 +4,7 @@ id: 440a56bf-7873-4439-940a-1c8a671073c2
status: experimental
description: Detects artefacts associated with activity group GALLIUM - Microsoft Threat Intelligence Center indicators released in December 2019.
author: Tim Burrell
date: 2020/01/02
references:
- https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/
- https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn800669(v=ws.11)
@@ -47,7 +48,7 @@ logsource:
detection:
c2_selection:
EventID: 257
QNAME:
QNAME:
- 'asyspy256.ddns.net'
- 'hotkillmail9sddcc.ddns.net'
- 'rosaf112.ddns.net'
+2 -2
@@ -1,6 +1,7 @@
title: Hurricane Panda Activity
id: 0eb2107b-a596-422e-b123-b389d5594ed7
author: Florian Roth
date: 2019/03/04
status: experimental
description: Detects Hurricane Panda Activity
references:
@@ -14,11 +15,10 @@ logsource:
product: windows
detection:
selection:
CommandLine:
CommandLine:
- '* localgroup administrators admin /add'
- '*\Win64.exe*'
condition: selection
falsepositives:
- Unknown
level: high
+2 -2
@@ -10,6 +10,7 @@ tags:
- attack.lateral_movement
- attack.t1105
author: Florian Roth
date: 2017/06/01
detection:
condition: 1 of them
fields:
@@ -29,7 +30,7 @@ logsource:
detection:
selection1:
EventID: 13
TargetObject:
TargetObject:
- '\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\services\null\Instance*'
- '\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\null\Instance*'
- '\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\null\Instance*'
@@ -40,4 +41,3 @@ logsource:
detection:
selection2:
Command: 'loaddll -a *'
+3 -2
@@ -2,6 +2,7 @@ action: global
title: Defrag Deactivation
id: 958d81aa-8566-4cea-a565-59ccd4df27b0
author: Florian Roth
date: 2019/03/04
description: Detects the deactivation of the Scheduled defragmentation task as seen by Slingshot APT group
references:
- https://securelist.com/apt-slingshot/84312/
@@ -20,13 +21,13 @@ logsource:
product: windows
detection:
selection1:
CommandLine:
CommandLine:
- '*schtasks* /delete *Defrag\ScheduledDefrag*'
---
logsource:
product: windows
service: security
definition: 'Requirements: Audit Policy : Audit Other Object Access Events > Success'
definition: 'Requirements: Audit Policy : Audit Other Object Access Events > Success'
detection:
selection2:
EventID: 4701
+2 -1
@@ -2,6 +2,7 @@ title: Sofacy Trojan Loader Activity
id: ba778144-5e3d-40cf-8af9-e28fb1df1e20
author: Florian Roth
status: experimental
date: 2018/03/01
description: Detects Trojan loader acitivty as used by APT28
references:
- https://researchcenter.paloaltonetworks.com/2018/02/unit42-sofacy-attacks-multiple-government-entities/
@@ -19,7 +20,7 @@ logsource:
product: windows
detection:
selection:
CommandLine:
CommandLine:
- 'rundll32.exe %APPDATA%\\*.dat",*'
- 'rundll32.exe %APPDATA%\\*.dll",#1'
condition: selection
+1
@@ -2,6 +2,7 @@ title: StoneDrill Service Install
id: 9e987c6c-4c1e-40d8-bd85-dd26fba8fdd6
description: This method detects a service install of the malicious Microsoft Network Realtime Inspection Service service described in StoneDrill report by Kaspersky
author: Florian Roth
date: 2017/03/07
references:
- https://securelist.com/blog/research/77725/from-shamoon-to-stonedrill/
tags:
+2 -1
@@ -2,6 +2,7 @@ title: TropicTrooper Campaign November 2018
id: 8c7090c3-e0a0-4944-bd08-08c3a0cecf79
author: '@41thexplorer, Windows Defender ATP'
status: stable
date: 2019/11/12
description: Detects TropicTrooper activity, an actor who targeted high-profile organizations in the energy and food and beverage sectors in Asia
references:
- https://cloudblogs.microsoft.com/microsoftsecure/2018/11/28/windows-defender-atp-device-risk-score-exposes-new-cyberattack-drives-conditional-access-to-protect-networks/
@@ -15,4 +16,4 @@ detection:
selection:
CommandLine: '*abCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCc*'
condition: selection
level: high
level: high
+3 -2
@@ -2,6 +2,7 @@ action: global
title: Turla Group Lateral Movement
id: c601f20d-570a-4cde-a7d6-e17f99cb8e7f
status: experimental
date: 2017/11/08
description: Detects automated lateral movement by Turla group
references:
- https://securelist.com/the-epic-turla-operation/65545/
@@ -24,7 +25,7 @@ falsepositives:
---
detection:
selection:
CommandLine:
CommandLine:
- 'net use \\%DomainController%\C$ "P@ssw0rd" *'
- 'dir c:\\*.doc* /s'
- 'dir %TEMP%\\*.exe'
@@ -39,5 +40,5 @@ detection:
netCommand3:
CommandLine: 'net share'
timeframe: 1m
condition: netCommand1 | near netCommand2 and netCommand3
condition: netCommand1 | near netCommand2 and netCommand3
level: medium
+2 -1
@@ -2,6 +2,7 @@ title: ZxShell Malware
id: f0b70adb-0075-43b0-9745-e82a1c608fcc
description: Detects a ZxShell start by the called and well-known function name
author: Florian Roth
date: 2017/07/20
references:
- https://www.hybrid-analysis.com/sample/5d2a4cde9fa7c2fdbf39b2e2ffd23378d0c50701a3095d1e91e3cf922d7b0b16?environmentId=100
tags:
@@ -15,7 +16,7 @@ logsource:
product: windows
detection:
selection:
Command:
Command:
- 'rundll32.exe *,zxFunction*'
- 'rundll32.exe *,RemoteDiskXXXXX'
condition: selection
+2
@@ -1,6 +1,8 @@
title: Buffer Overflow Attempts
id: 18b042f0-2ecd-4b6e-9f8d-aa7a7e7de781
description: Detects buffer overflow attempts in Unix system log files
author: Florian Roth
date: 2017/03/01
references:
- https://github.com/ossec/ossec-hids/blob/master/etc/rules/attack_rules.xml
logsource:
+2
@@ -1,6 +1,8 @@
title: Relevant ClamAV Message
id: 36aa86ca-fd9d-4456-814e-d3b1b8e1e0bb
description: Detects relevant ClamAV messages
author: Florian Roth
date: 2017/03/01
references:
- https://github.com/ossec/ossec-hids/blob/master/etc/rules/clam_av_rules.xml
logsource:
@@ -2,6 +2,7 @@ title: Suspicious Log Entries
id: f64b6e9a-5d9d-48a5-8289-e1dd2b3876e1
description: Detects suspicious log entries in Linux log files
author: Florian Roth
date: 2017/03/25
logsource:
product: linux
detection:
+2
@@ -1,6 +1,8 @@
title: Shellshock Expression
id: c67e0c98-4d39-46ee-8f6b-437ebf6b950e
description: Detects shellshock expressions in log files
date: 2017/03/14
author: Florian Roth
references:
- http://rubular.com/r/zxBfjWfFYs
logsource:
@@ -1,5 +1,7 @@
title: Multiple Failed Logins with Different Accounts from Single Source System
id: fc947f8e-ea81-4b14-9a7b-13f888f94e18
author: Florian Roth
date: 2017/02/16
description: Detects suspicious failed logins with different user accounts from a single source system
logsource:
product: linux
-1
@@ -31,4 +31,3 @@ detection:
falsepositives:
- Unknown
level: medium
+1
@@ -2,6 +2,7 @@ title: Network Scans
id: fab0ddf0-b8a9-4d70-91ce-a20547209afb
description: Detects many failed connection attempts to different ports or hosts
author: Thomas Patzke
date: 2017/02/19
logsource:
category: firewall
detection:
+1 -1
@@ -2,6 +2,7 @@ title: Apache Segmentation Fault
id: 1da8ce0b-855d-4004-8860-7d64d42063b1
description: Detects a segmentation fault error message caused by a creashing apacke worker process
author: Florian Roth
date: 2017/02/28
references:
- http://www.securityfocus.com/infocus/1633
logsource:
@@ -13,4 +14,3 @@ detection:
falsepositives:
- Unknown
level: high
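Review bot: The description directly above the added `date` line reads `caused by a creashing apacke worker process`, and since this file is being edited for its metadata anyway the typos should go with it: `description: Detects a segmentation fault error message caused by a crashing Apache worker process`. This is a context line rather than part of the commit's own change, so it is a documentation follow-up, not a problem with the `date` addition itself.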
@@ -2,6 +2,7 @@ title: Multiple suspicious Response Codes caused by Single Client
id: 6fdfc796-06b3-46e8-af08-58f3505318af
description: Detects possible exploitation activity or bugs in a web application
author: Thomas Patzke
date: 2017/02/19
logsource:
category: webserver
detection:
+2 -1
@@ -4,6 +4,7 @@ description: Detects CVE-2019-11510 exploitation attempt - URI contains Guacamol
references:
- https://www.exploit-db.com/exploits/47297
author: Florian Roth
date: 2019/11/18
logsource:
category: webserver
detection:
@@ -17,4 +18,4 @@ fields:
- response
falsepositives:
- Unknown
level: critical
level: critical
+2 -1
@@ -2,6 +2,7 @@ title: Source Code Enumeration Detection by Keyword
id: 953d460b-f810-420a-97a2-cfca4c98e602
description: Detects source code enumeration that use GET requests by keyword searches in URL strings
author: James Ahearn
date: 2019/06/08
references:
- https://pentester.land/tutorials/2018/10/25/source-code-disclosure-via-exposed-git-folder.html
- https://medium.com/@logicbomb_1/bugbounty-how-i-was-able-to-download-the-source-code-of-indias-largest-telecom-service-52cf5c5640a1
@@ -18,4 +19,4 @@ fields:
- response
falsepositives:
- unknown
level: medium
level: medium
+1 -1
@@ -2,6 +2,7 @@ title: Webshell Detection by Keyword
id: 7ff9db12-1b94-4a79-ba68-a2402c5d6729
description: Detects webshells that use GET requests by keyword searches in URL strings
author: Florian Roth
date: 2017/02/19
logsource:
category: webserver
detection:
@@ -19,4 +20,3 @@ falsepositives:
- Web sites like wikis with articles on os commands and pages that include the os commands in the URLs
- User searches in search boxes of the respective website
level: high