frack113
01dc930c17
Change status for old rules
2021-11-27 11:33:14 +01:00
frack113
83dee26262
Update net_pua_cryptocoin_mining_xmr.yml
2021-11-20 19:20:07 +01:00
V1D1AN
d4976b015c
add tag mitre attack.t1496 and attack.t1567
2021-11-20 16:34:41 +01:00
V1D1AN
c190668166
add tag mitre t1041 for equation group c2
2021-11-20 16:23:27 +01:00
frack113
1cfca93354
Missing status in rules (#2284)
...
* add missing status
2021-11-19 22:32:26 +01:00
frack113
5f87eba896
restore src_ip for coverage
2021-11-14 10:11:29 +01:00
frack113
9d0be2348d
Fix field name
2021-11-14 09:26:00 +01:00
frack113
5245360186
No filetype or bodyMagic in zeek http log field
2021-11-14 09:24:34 +01:00
Florian Roth
4e2e75cd2f
Merge branch 'master' into pr/2231
2021-11-11 18:09:23 +01:00
Florian Roth
c07a9adb9b
fix: moved rule written for DNS/Sysmon to the correct folder
2021-11-09 17:30:15 +01:00
Florian Roth
39283c0ac2
CobaltStrike DNS rules
2021-11-09 17:29:43 +01:00
Nate Guagenti
8291aba4d3
remove duplicate exclusion
...
exclude_tlds was listed twice
2021-11-06 15:45:34 -04:00
frack113
193357cf17
Add cve tags
2021-10-25 18:51:40 +02:00
frack113
f8574fcd81
Add cve tags
2021-10-25 18:40:50 +02:00
Florian Roth
d051e1418b
docs: changed title
2021-10-24 15:47:14 +02:00
Florian Roth
7eeecf9c6a
fix: missing upper tick in every line
2021-10-24 15:46:31 +02:00
Florian Roth
86e9f782cb
rule: monero mining pools dns lookup
2021-10-24 15:44:44 +02:00
frack113
c59b0eb543
Merge pull request #2063 from frack113/last_global
...
Split Last Global Rules
2021-09-23 13:54:57 +02:00
frack113
3c906b52a0
fix filename
2021-09-22 16:21:07 +02:00
frack113
e377e4e96f
split global net_high_dns_bytes_out.yml
2021-09-21 19:53:25 +02:00
frack113
6777ca7a82
split global net_high_dns_requests_rate.yml
2021-09-21 19:51:11 +02:00
frack113
00f3055035
split global net_susp_network_scan.yml
2021-09-21 19:47:28 +02:00
neu5ron
61c9c9fb20
Zeek detection for OMIGOD HTTP RCE
...
Signed-off-by: neu5ron <neu5ron@users.noreply.github.com>
2021-09-20 12:26:01 -04:00
frack113
92999468ee
Merge pull request #2012 from frack113/upgrade_test
...
Upgrade test_rules.py
2021-09-11 15:29:19 +02:00
frack113
8d3a77d1f5
Update net_susp_ipify.yml
2021-09-11 08:31:24 +02:00
neonprimetime security (Justin C Miller)
033494c8f7
Propose making rule more generic than just ipify
...
Propose making this detection more generic, cover more lookup services than just ipify
https://twitter.com/neonprimetime/status/1436376497980428318
2021-09-10 12:14:43 -05:00
frack113
0288f5b626
fix condition operator case
2021-09-10 13:51:52 +02:00
Thomas Patzke
143744bc12
Various fixes
...
* Backslashes in regular expressions
* Casing of condition operators
* Further small errors
2021-09-07 23:38:07 +02:00
frack113
086a15fc45
Update global ID
2021-09-02 20:07:03 +02:00
frack113
5ad29cf0c2
fix Base backend doesn't support multiple conditions (29)
2021-08-29 09:03:50 +02:00
frack113
5b869a3f42
Update cve tags
2021-08-24 10:50:01 +02:00
frack113
679651bdf9
Merge pull request #1913 from neu5ron/add_zeek_dce_rpc_printnightmare_print_driver_install
...
Zeek DCE_RPC PrintNightmare
2021-08-24 08:37:02 +02:00
frack113
e76c11da7f
Merge pull request #1908 from neu5ron/patch-7
...
improve rule logic zeek_default_cobalt_strike_certificate.yml
2021-08-24 08:36:33 +02:00
frack113
293f422243
Merge pull request #1906 from neu5ron/patch-5
...
improve zeek_dce_rpc_smb_spoolss_named_pipe
2021-08-24 08:36:18 +02:00
frack113
81ec546e42
Merge pull request #1905 from neu5ron/patch-4
...
improve rule
2021-08-24 08:36:04 +02:00
frack113
15aa0cb70e
add modified
2021-08-24 08:02:24 +02:00
frack113
4ee4f12f30
add modified
2021-08-24 08:01:01 +02:00
frack113
8ab90d8012
add modified
2021-08-24 07:59:36 +02:00
frack113
be43ecd70d
Remove empty element in list
...
Otherwise you get a `null` when converting to some backends (es-rule, ...)
2021-08-24 07:57:16 +02:00
neu5ron
9e588fdcf6
Zeek dce_rpc.log Detection of print driver installs over RPC (ie: possible PrintNightmare) using the three existing known RPC functions, as well as a few others "discussed" but not directly related to PrintNightmare PoC or public post-compromise write-ups.
2021-08-24 00:58:36 -04:00
Nate Guagenti
b255586117
condition fix and add fields
...
should be `operation` not `endpoint` for the detection logic.
added various fields useful for investigation
2021-08-23 14:59:06 -04:00
Nate Guagenti
064d7b7b9f
improve rule logic zeek_default_cobalt_strike_certificate.yml
...
zeek logging for `certificate.serial` has all letters capitalized
2021-08-23 14:23:41 -04:00
Nate Guagenti
cfc32e5950
correct fields for zeek_rdp_public_listener.yml
...
correct zeek fields for `fields` section.
improve false positives information
2021-08-23 14:16:55 -04:00
Nate Guagenti
1819e4b02b
improve rule
...
- improve rule logic
- match zeek fields for fields section
- add false positive information
- change rule name to match the logic of the original rule. Rule said "first" seen, however, there is no logic that matches that (ie: rare, stacking, etc.)
2021-08-23 14:12:50 -04:00
Nate Guagenti
feb7d0e187
Update zeek_dns_mining_pools.yml
2021-08-23 14:11:04 -04:00
Nate Guagenti
b00e1772b3
added logic and usage
...
rule logic should be endswith.
match zeek fields for `fields` section
add false positive information
2021-08-23 14:03:38 -04:00
frack113
9d3a13b13e
cleanup
2021-08-23 19:04:01 +02:00
Nate Guagenti
4f8bd4a5a2
Update zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml
...
try new uuid to pass check...
2021-08-23 11:24:22 -04:00
Nate Guagenti
6aea58b4d2
Update zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml
2021-08-23 11:18:51 -04:00
Nate Guagenti
78c667fda1
Update zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml
...
shorten title
2021-08-23 11:15:30 -04:00