Commit Graph

169 Commits

Author SHA1 Message Date
Nate Guagenti 7dc0facf05 Update zeek_dns_suspicious_zbit_flag.yml 2022-02-24 20:03:56 -05:00
Nate Guagenti 878df636e2 Update zeek_dns_suspicious_zbit_flag.yml
add MX, a common mail server query type, to the exclusion list.
2022-02-24 14:57:24 -05:00
frack113 4631d0c482 remove invalid tag 2022-01-19 18:23:30 +01:00
frack113 f7e670d55e Simple Quote 2022-01-11 13:40:53 +01:00
Florian Roth e055ec1d52 refactor: change all " of them" expressions 2022-01-11 10:59:57 +01:00
frack113 73f258e2d1 Change double quote to quote 2022-01-06 14:02:35 +01:00
Florian Roth 820cc0ccf8 Merge branch 'master' into rule-devel 2021-11-29 11:00:25 +01:00
Florian Roth ef7810fa8b fix: fixing issues with wildcard symbol
https://github.com/SigmaHQ/sigma/issues/2339
2021-11-29 10:57:01 +01:00
frack113 01dc930c17 Change status for old rules 2021-11-27 11:33:14 +01:00
frack113 83dee26262 Update net_pua_cryptocoin_mining_xmr.yml 2021-11-20 19:20:07 +01:00
V1D1AN d4976b015c add tag mitre attack.t1496 and attack.t1567 2021-11-20 16:34:41 +01:00
V1D1AN c190668166 add tag mitre t1041 for equation group c2 2021-11-20 16:23:27 +01:00
frack113 1cfca93354 Missing status in rules (#2284)
* add missing status
2021-11-19 22:32:26 +01:00
frack113 5f87eba896 restore src_ip for coverage 2021-11-14 10:11:29 +01:00
frack113 9d0be2348d Fix field name 2021-11-14 09:26:00 +01:00
frack113 5245360186 No filetype or bodyMagic in zeek http log field 2021-11-14 09:24:34 +01:00
Florian Roth 4e2e75cd2f Merge branch 'master' into pr/2231 2021-11-11 18:09:23 +01:00
Florian Roth c07a9adb9b fix: moved rule written for DNS/Sysmon to the correct folder 2021-11-09 17:30:15 +01:00
Florian Roth 39283c0ac2 CobaltStrike DNS rules 2021-11-09 17:29:43 +01:00
Nate Guagenti 8291aba4d3 remove duplicate exclusion
exclude_tlds was listed twice
2021-11-06 15:45:34 -04:00
frack113 193357cf17 Add cve tags 2021-10-25 18:51:40 +02:00
frack113 f8574fcd81 Add cve tags 2021-10-25 18:40:50 +02:00
Florian Roth d051e1418b docs: changed title 2021-10-24 15:47:14 +02:00
Florian Roth 7eeecf9c6a fix: missing upper tick in every line 2021-10-24 15:46:31 +02:00
Florian Roth 86e9f782cb rule: monero mining pools dns lookup 2021-10-24 15:44:44 +02:00
frack113 c59b0eb543 Merge pull request #2063 from frack113/last_global
Split Last Global Rules
2021-09-23 13:54:57 +02:00
frack113 3c906b52a0 fix filename 2021-09-22 16:21:07 +02:00
frack113 e377e4e96f split global net_high_dns_bytes_out.yml 2021-09-21 19:53:25 +02:00
frack113 6777ca7a82 split global net_high_dns_requests_rate.yml 2021-09-21 19:51:11 +02:00
frack113 00f3055035 split global net_susp_network_scan.yml 2021-09-21 19:47:28 +02:00
neu5ron 61c9c9fb20 Zeek detection for OMIGOD HTTP RCE
Signed-off-by: neu5ron <neu5ron@users.noreply.github.com>
2021-09-20 12:26:01 -04:00
frack113 92999468ee Merge pull request #2012 from frack113/upgrade_test
Upgrade test_rules.py
2021-09-11 15:29:19 +02:00
frack113 8d3a77d1f5 Update net_susp_ipify.yml 2021-09-11 08:31:24 +02:00
neonprimetime security (Justin C Miller) 033494c8f7 Propose making rule more generic than just ipify
Propose making this detection more generic, cover more lookup services than just ipify
https://twitter.com/neonprimetime/status/1436376497980428318
2021-09-10 12:14:43 -05:00
frack113 0288f5b626 fix condition operator case 2021-09-10 13:51:52 +02:00
Thomas Patzke 143744bc12 Various fixes
* Backslashes in regular expressions
* Casing of condition operators
* Further small errors
2021-09-07 23:38:07 +02:00
frack113 086a15fc45 Update global ID 2021-09-02 20:07:03 +02:00
frack113 5ad29cf0c2 fix Base backend doesn't support multiple conditions (29) 2021-08-29 09:03:50 +02:00
frack113 5b869a3f42 Update cve tags 2021-08-24 10:50:01 +02:00
frack113 679651bdf9 Merge pull request #1913 from neu5ron/add_zeek_dce_rpc_printnightmare_print_driver_install
Zeek DCE_RPC PrintNightmare
2021-08-24 08:37:02 +02:00
frack113 e76c11da7f Merge pull request #1908 from neu5ron/patch-7
improve rule logic zeek_default_cobalt_strike_certificate.yml
2021-08-24 08:36:33 +02:00
frack113 293f422243 Merge pull request #1906 from neu5ron/patch-5
improve zeek_dce_rpc_smb_spoolss_named_pipe
2021-08-24 08:36:18 +02:00
frack113 81ec546e42 Merge pull request #1905 from neu5ron/patch-4
improve rule
2021-08-24 08:36:04 +02:00
frack113 15aa0cb70e add modified 2021-08-24 08:02:24 +02:00
frack113 4ee4f12f30 add modified 2021-08-24 08:01:01 +02:00
frack113 8ab90d8012 add modified 2021-08-24 07:59:36 +02:00
frack113 be43ecd70d Remove empty element in list
Otherwise you get a `null` when converting to some backends (es-rule, ...)
2021-08-24 07:57:16 +02:00
neu5ron 9e588fdcf6 Zeek dce_rpc.log Detection of print driver installs over RPC (ie: possible PrintNightmare) using the three existing known RPC functions, as well as a few others "discussed" but not directly related to the PrintNightmare PoC or public post-compromise write-ups. 2021-08-24 00:58:36 -04:00
Nate Guagenti b255586117 condition fix and add fields
should be `operation` not `endpoint` for the detection logic.
added various fields useful for investigation
2021-08-23 14:59:06 -04:00
Nate Guagenti 064d7b7b9f improve rule logic zeek_default_cobalt_strike_certificate.yml
zeek logging for `certificate.serial` has all letters capitalized
2021-08-23 14:23:41 -04:00