security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
14,235 Commits 1 Branch 57 Tags
bcce3a85aa43a936412fd32ffdfd41ea71ce1e02
Commit Graph

218 Commits

Author SHA1 Message Date
frack113 7060db3d47 Promotion rules (#3821) 
* Promotion rules

* fix missing null

* fix: modified date

Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
 2022-12-27 12:29:10 +01:00
Nasreddine Bencherchali d6b6984567 fix: add encoded @ symbol 
Co-authored-by: Florian Roth <venom14@gmail.com>
 2022-12-22 14:53:34 +01:00
Nasreddine Bencherchali 74f198460e fix: add good ua as filter 2022-12-22 14:50:30 +01:00
Nasreddine Bencherchali 62a828e184 feat: more updates 2022-12-22 14:45:53 +01:00
Nasreddine Bencherchali 7ed105bccb fix: add response code 2022-12-22 14:36:32 +01:00
Nasreddine Bencherchali 8fd9181392 fix: typo in selection 2022-12-22 14:35:22 +01:00
Nasreddine Bencherchali cc3dce61d7 fix: apply suggestions from code review 
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
 2022-12-22 14:25:50 +01:00
Nasreddine Bencherchali 3b54d8de79 fix: metadata 2022-12-22 12:20:18 +01:00
Nasreddine Bencherchali f79c09c1ff fix: duplicate id 2022-12-22 12:14:55 +01:00
Nasreddine Bencherchali e61795a1ea feat: proxynotshell owa variant rules 2022-12-22 12:10:29 +01:00
Nasreddine Bencherchali 92965e6f7e fix: fix broken description 2022-11-29 23:43:03 +01:00
frack113 c820216541 Update Title (#3733) 2022-11-28 06:43:17 +01:00
Florian Roth 493144a3b3 Racoon stealer UAs 2022-10-31 15:55:28 +01:00
frack113 5498621bbc Order yaml field 2022-10-25 10:08:58 +02:00
phantinuss e52e5ebf03 add new malicious user agent strings 2022-10-21 17:29:34 +02:00
Florian Roth eada6ed589 Update proxy_ua_rclone.yml 2022-10-18 17:21:54 +02:00
Florian Roth 458428bf5f Update proxy_ua_rclone.yml 2022-10-18 10:15:33 +02:00
BlueTeamOps f34c32882a proxy_ua_rclone.yml 
Adding this rule after reading https://www.kroll.com/en/insights/publications/cyber/new-m365-business-email-compromise-attacks-with-rclone. It is more relevant to O365 but it may help via proxy too if this off O365.
 2022-10-18 17:32:38 +11:00
Florian Roth 5da911eb84 Merge branch 'master' into rule-devel 2022-10-10 14:35:37 +02:00
Florian Roth 5cbd355d95 ZINC / Lazarus UAs 2022-10-10 12:23:09 +02:00
frack113 931fb30853 old experimental rule promotion 2022-10-09 16:54:04 +02:00
Florian Roth d8ff3339aa antSword webshell 2022-09-29 13:31:16 +02:00
Florian Roth 69308b035a rule: havana ransomware UA 2022-09-05 16:50:26 +02:00
Tomasuh b5d5a648b5 proxy_ua_bitsadmin_susp_ip.yml falsepositive fix 
Change to endswith instead of startswith to avoid matching subdomains which starts with digits, example: 3.au.download.windowsupdate.com
 2022-08-24 08:19:51 +02:00
Florian Roth 5c27980bc6 Merge pull request #3403 from SigmaHQ/rule-devel 
rule: SharpUp, HandleKatz
 2022-08-20 09:29:55 +02:00
frack113 93da19a708 Merge pull request #3390 from Tomasuh/proxy-dev 
Rule for Advanced IP/Port Scanner update check
 2022-08-20 08:35:52 +02:00
Florian Roth 207b6a3ae6 Update proxy_adv_ip_port_scanner_upd_check.yml 2022-08-19 09:10:32 +02:00
Florian Roth 2c0b9c11be Quasar RAT UA 2022-08-18 13:02:11 +02:00
Axel Olsson 47ecbe65a2 Rename file to start with proxy_ to follow standard 2022-08-18 09:36:23 +02:00
Tomasuh 8c339653c7 Feedback implemented 2022-08-18 09:34:53 +02:00
Florian Roth b115f6ea1e Racoon Stealer UA 2022-08-17 14:40:36 +02:00
Tomasuh 65c2659769 Correcting date 2022-08-17 12:47:54 +02:00
Tomasuh 6b32472d58 Correcting date format and MITRE fix 
Removed attack.T1046 from tags.
 2022-08-17 12:47:38 +02:00
Tomasuh 350bf80d93 Rule for Advanced IP/Port Scanner update check 
Rule for Advanced IP/Port Scanner update check

- http://www.advanced-port-scanner[.]com/checkupdate.php?lng=en&ver=2-5-3680&beta=n&type=upd&rmode=p&product=aps 
- http://www.advanced-ip-scanner[.]com/checkupdate.php?lng=en&ver=2-5-3499&beta=n&type=upd&rmode=p&product=aips
 2022-08-17 11:24:00 +02:00
Tomasuh 2964506834 proxy_ua_bitsadmin_susp_tld.yml fp filter 2022-08-16 16:14:08 +02:00
frack113 80632dc4d0 Update proxy_ios_implant.yml 2022-08-15 17:33:39 +02:00
frack113 91dbc5e721 Update proxy_ursnif_malware_download_url.yml 2022-08-15 17:33:17 +02:00
frack113 9d914ac240 Update proxy_cobalt_onedrive.yml 2022-08-15 17:33:00 +02:00
frack113 2ea7fc0c51 Update proxy_turla_comrat.yml 2022-08-15 17:32:34 +02:00
frack113 f50de1d4e1 Update proxy_chafer_malware.yml 2022-08-15 17:32:20 +02:00
frack113 29901228fd Update proxy_baby_shark.yml 2022-08-15 17:32:07 +02:00
Tomasuh 2bcb6abd72 Escape ? character 2022-08-12 12:46:21 +02:00
Tomasuh 5c549a2825 Escape ? character 2022-08-12 12:45:52 +02:00
Tomasuh 08d25bd065 Escape ? character 2022-08-12 12:44:53 +02:00
Tomasuh b189122287 Escape ? character 2022-08-12 12:44:23 +02:00
Tomasuh 75b9b7b1a9 Escape ? character 2022-08-12 12:43:58 +02:00
Tomasuh 4ccb8d9ca0 Escape question mark 2022-08-12 12:38:07 +02:00
Tomasuh 7f86fcf89d Update to use cs-host instead of r-dns 2022-08-11 08:36:23 +02:00
Tomasuh 61c2e6b532 Update proxy_susp_flash_download_loc.yml 2022-08-11 08:33:07 +02:00
Tomasuh a15044bc1c Avoid Adobe related false-positives 
Avoid Adobe related false-positives such as Adobe Synchronizer
 2022-08-08 14:03:34 +02:00