security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
13,536 Commits 1 Branch 57 Tags
a67ab607a18787f94a3de0f8e3379745fa0c1928
Commit Graph

206 Commits

Author SHA1 Message Date
Florian Roth 493144a3b3 Racoon stealer UAs 2022-10-31 15:55:28 +01:00
frack113 5498621bbc Order yaml field 2022-10-25 10:08:58 +02:00
phantinuss e52e5ebf03 add new malicious user agent strings 2022-10-21 17:29:34 +02:00
Florian Roth eada6ed589 Update proxy_ua_rclone.yml 2022-10-18 17:21:54 +02:00
Florian Roth 458428bf5f Update proxy_ua_rclone.yml 2022-10-18 10:15:33 +02:00
BlueTeamOps f34c32882a proxy_ua_rclone.yml 
Adding this rule after reading https://www.kroll.com/en/insights/publications/cyber/new-m365-business-email-compromise-attacks-with-rclone. It is more relevant to O365 but it may help via proxy too if this off O365.
 2022-10-18 17:32:38 +11:00
Florian Roth 5da911eb84 Merge branch 'master' into rule-devel 2022-10-10 14:35:37 +02:00
Florian Roth 5cbd355d95 ZINC / Lazarus UAs 2022-10-10 12:23:09 +02:00
frack113 931fb30853 old experimental rule promotion 2022-10-09 16:54:04 +02:00
Florian Roth d8ff3339aa antSword webshell 2022-09-29 13:31:16 +02:00
Florian Roth 69308b035a rule: havana ransomware UA 2022-09-05 16:50:26 +02:00
Tomasuh b5d5a648b5 proxy_ua_bitsadmin_susp_ip.yml falsepositive fix 
Change to endswith instead of startswith to avoid matching subdomains which starts with digits, example: 3.au.download.windowsupdate.com
 2022-08-24 08:19:51 +02:00
Florian Roth 5c27980bc6 Merge pull request #3403 from SigmaHQ/rule-devel 
rule: SharpUp, HandleKatz
 2022-08-20 09:29:55 +02:00
frack113 93da19a708 Merge pull request #3390 from Tomasuh/proxy-dev 
Rule for Advanced IP/Port Scanner update check
 2022-08-20 08:35:52 +02:00
Florian Roth 207b6a3ae6 Update proxy_adv_ip_port_scanner_upd_check.yml 2022-08-19 09:10:32 +02:00
Florian Roth 2c0b9c11be Quasar RAT UA 2022-08-18 13:02:11 +02:00
Axel Olsson 47ecbe65a2 Rename file to start with proxy_ to follow standard 2022-08-18 09:36:23 +02:00
Tomasuh 8c339653c7 Feedback implemented 2022-08-18 09:34:53 +02:00
Florian Roth b115f6ea1e Racoon Stealer UA 2022-08-17 14:40:36 +02:00
Tomasuh 65c2659769 Correcting date 2022-08-17 12:47:54 +02:00
Tomasuh 6b32472d58 Correcting date format and MITRE fix 
Removed attack.T1046 from tags.
 2022-08-17 12:47:38 +02:00
Tomasuh 350bf80d93 Rule for Advanced IP/Port Scanner update check 
Rule for Advanced IP/Port Scanner update check

- http://www.advanced-port-scanner[.]com/checkupdate.php?lng=en&ver=2-5-3680&beta=n&type=upd&rmode=p&product=aps 
- http://www.advanced-ip-scanner[.]com/checkupdate.php?lng=en&ver=2-5-3499&beta=n&type=upd&rmode=p&product=aips
 2022-08-17 11:24:00 +02:00
Tomasuh 2964506834 proxy_ua_bitsadmin_susp_tld.yml fp filter 2022-08-16 16:14:08 +02:00
frack113 80632dc4d0 Update proxy_ios_implant.yml 2022-08-15 17:33:39 +02:00
frack113 91dbc5e721 Update proxy_ursnif_malware_download_url.yml 2022-08-15 17:33:17 +02:00
frack113 9d914ac240 Update proxy_cobalt_onedrive.yml 2022-08-15 17:33:00 +02:00
frack113 2ea7fc0c51 Update proxy_turla_comrat.yml 2022-08-15 17:32:34 +02:00
frack113 f50de1d4e1 Update proxy_chafer_malware.yml 2022-08-15 17:32:20 +02:00
frack113 29901228fd Update proxy_baby_shark.yml 2022-08-15 17:32:07 +02:00
Tomasuh 2bcb6abd72 Escape ? character 2022-08-12 12:46:21 +02:00
Tomasuh 5c549a2825 Escape ? character 2022-08-12 12:45:52 +02:00
Tomasuh 08d25bd065 Escape ? character 2022-08-12 12:44:53 +02:00
Tomasuh b189122287 Escape ? character 2022-08-12 12:44:23 +02:00
Tomasuh 75b9b7b1a9 Escape ? character 2022-08-12 12:43:58 +02:00
Tomasuh 4ccb8d9ca0 Escape question mark 2022-08-12 12:38:07 +02:00
Tomasuh 7f86fcf89d Update to use cs-host instead of r-dns 2022-08-11 08:36:23 +02:00
Tomasuh 61c2e6b532 Update proxy_susp_flash_download_loc.yml 2022-08-11 08:33:07 +02:00
Tomasuh a15044bc1c Avoid Adobe related false-positives 
Avoid Adobe related false-positives such as Adobe Synchronizer
 2022-08-08 14:03:34 +02:00
Tomasuh 946b0205a2 Revert to correct rule id 2022-08-08 08:54:50 +02:00
Tomasuh 9f347bc322 Restore title from previous mistake edit 2022-08-08 08:53:38 +02:00
Tomasuh 9f8c4a4d44 Update proxy_susp_flash_download_loc.yml 2022-08-08 08:43:35 +02:00
Tomasuh 58c6068484 uri inst. of uri-query, r-dns inst of uri-stem 2022-08-08 08:41:41 +02:00
Tomasuh 8bd1108b01 From cs-uri-query to cs-uri to enable matching 
Rule should be applied on uri and not the uri-query
 2022-08-05 09:49:24 +02:00
Florian Roth b3dd9f51f0 some rule improvements 2022-07-21 18:16:22 +02:00
Florian Roth d15f3d738b Merge pull request #3207 from SigmaHQ/rule-devel 
fix: missing Windows Defender source, rule: Proxy UA Base64
 2022-07-08 11:14:00 +02:00
Florian Roth 9b47c868bc fix: list and add base64 encoded Mozilla keyword 2022-07-08 10:50:52 +02:00
Florian Roth 6fc782958a rule: Proxy UA Base64 value 2022-07-08 10:40:35 +02:00
Nasreddine Bencherchali 5b352ee34c Update proxy_cobalt_amazon.yml 2022-07-07 15:29:46 +01:00
Nasreddine Bencherchali d03f6df250 Reference Update [Batch 1] 2022-07-07 15:24:15 +01:00
Florian Roth f728893364 refactor: rule level adjustments - critical to high 2022-06-18 17:43:22 +02:00