security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
7,432 Commits 1 Branch 57 Tags
be43ecd70db63098b7209f2e596ef68c4978ca74
Commit Graph

119 Commits

Author SHA1 Message Date
frack113 be43ecd70d Remove empty element in list 
Otherwise get a `null` when convert to some backend (es-rule,...)
 2021-08-24 07:57:16 +02:00
neu5ron 9e588fdcf6 Zeek dce_rpc.log Detection of print driver installs over RPC (ie: possible PrintNightmare) using the three existing known RPC functions, as well as few others "discussed" but not directly related to PrintNightmare PoC or public post-compromise write-ups. 2021-08-24 00:58:36 -04:00
Nate Guagenti b255586117 condition fix and add fields 
should be `operation` not `endpoint` for the detection logic.
added various fields useful for investigation
 2021-08-23 14:59:06 -04:00
Nate Guagenti cfc32e5950 correct fields for zeek_rdp_public_listener.yml 
correct zeek fields for `fields` section.
improve false positives information
 2021-08-23 14:16:55 -04:00
frack113 9d3a13b13e cleanup 2021-08-23 19:04:01 +02:00
Nate Guagenti 4f8bd4a5a2 Update zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml 
try new uuid to pass check...
 2021-08-23 11:24:22 -04:00
Nate Guagenti 6aea58b4d2 Update zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml 2021-08-23 11:18:51 -04:00
Nate Guagenti 78c667fda1 Update zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml 
shorten title
 2021-08-23 11:15:30 -04:00
Nate Guagenti 96e77eb8db Create zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml 2021-08-23 11:06:44 -04:00
SomeOne 295054dcbe Replace old mitre techniques by new one 2021-08-22 13:57:56 +02:00
frack113 07a87aa7f8 Merge pull request #1858 from frack113/fix_pr718 
Replace pr718
 2021-08-21 18:02:30 +02:00
frack113 3283664154 Update remove useless rules 2021-08-19 18:28:44 +02:00
frack113 f1a84536c3 update fix 2021-08-19 17:55:41 +02:00
Austin Songer c9128687ee Spelling Errors on Rules 2021-08-18 18:58:20 +00:00
frack113 c3457c9911 fix titles 2021-08-15 19:05:00 +02:00
frack113 245cb6d510 fix more errors 2021-08-15 18:55:44 +02:00
frack113 12396f615c remove duplicate rule and fix errors 2021-08-15 16:52:24 +02:00
frack113 a75859a976 First commit 2021-08-15 16:00:14 +02:00
frack113 db0de126a5 test author for Detection Rule License 1.1 2021-08-14 19:16:36 +02:00
frack113 fc64b8b937 Split PR 1802 fix net rules 2021-08-09 17:23:15 +02:00
Thomas Patzke 6d41d538b2 Title fixed 2021-07-11 09:25:33 +02:00
Thomas Patzke 8e010ec60c Added rule 
From https://www.binarydefense.com/analysis-of-hancitor-when-boring-begets-beacon
which weren't already covered by other rules and can be expressed
in Sigma.
 2021-07-08 07:59:40 +02:00
Florian Roth 685bd490f5 Merge pull request #1573 from d4rk-d4nph3/master 
Added rule for default cobalt strike certificate
 2021-06-25 12:16:31 +02:00
Bhabesh Rai 91cc97d099 Fixed the taxonomy 2021-06-24 21:07:52 +05:45
Bhabesh Rai 1ebbc6c1a3 Added rule for default cobalt strike certificate 2021-06-23 10:17:27 +05:45
frack113 a1bddf51e7 fix typo of falsepositives 2021-05-24 10:31:28 +02:00
Nate Guagenti 0bee1b006f fix - add date 2021-05-08 21:37:25 -04:00
Nate Guagenti 4152199073 add netbios port exclusion 
netbios - every defenders nightmare and reality of FPs
 2021-05-04 18:27:05 -04:00
Nate Guagenti d4bd69dd77 Suspicious DNS Z Flag Set 
The DNS Z flag is bit within the DNS protocol header that is, per the IETF design, meant to be used reserved (unused). Although recently it has been used in DNSSec, the value being set to anything other than 0 should be rare. Otherwise if it is set to non 0 and DNSSec is being used, then excluding the legitimate domains is low effort and high reward.
references:
  - 'https://twitter.com/neu5ron/status/1346245602502443009'
  - 'https://tools.ietf.org/html/rfc2929#section-2.1'
  - 'https://www.netresec.com/?page=Blog&month=2021-01&post=Finding-Targeted-SUNBURST-Victims-with-pDNS'
 2021-05-04 18:13:08 -04:00
Florian Roth 4abebd98d9 Merge pull request #1418 from SigmaHQ/rule-devel 
Fixing false positives with newest OSCD rules
 2021-04-09 17:26:02 +02:00
Thomas Patzke 3fef2a10b8 Merge branch 'pr-1158' 2021-04-08 23:01:54 +02:00
Thomas Patzke a10db2df89 Fixes&improvements 2021-04-08 01:06:40 +02:00
Florian Roth 00f01ea57f Merge branch 'master' into rule-devel 2021-04-07 21:17:51 +02:00
Florian Roth 6b0f66e876 refactor: change level 2021-03-24 12:38:00 +01:00
Florian Roth 6d9fc65585 fix: FPs with www6 2021-03-24 12:37:35 +01:00
Florian Roth a465f2722f refactor: CobaltStrike beacon rule 2021-03-24 11:29:05 +01:00
Anton Kutepov 3f45269296 Merge branch 'oscd' 
B
B
B
B
A
 2021-03-02 22:58:41 +03:00
Florian Roth 5197f21ed1 fix: duplicate ID 2020-12-13 18:59:04 +01:00
yugoslavskiy e97c4b0ac5 Update zeek_smb_converted_win_susp_psexec.yml 2020-11-28 19:05:22 +01:00
yugoslavskiy 68a62a5428 Update zeek_smb_converted_win_impacket_secretdump.yml 2020-11-28 19:02:53 +01:00
Jonhnathan 05e0dd1ae6 Update zeek_susp_kerberos_rc4.yml 2020-10-15 23:15:23 -03:00
Jonhnathan f04394467b Update zeek_smb_converted_win_susp_raccess_sensitive_fext.yml 2020-10-15 23:14:34 -03:00
Jonhnathan de29d778a5 Update zeek_smb_converted_win_susp_psexec.yml 2020-10-15 23:14:15 -03:00
Jonhnathan 3e600dab82 Update zeek_smb_converted_win_impacket_secretdump.yml 2020-10-15 23:13:47 -03:00
Jonhnathan 50abab7f11 Update zeek_http_executable_download_from_webdav.yml 2020-10-15 23:13:20 -03:00
Jonhnathan aeb3218dfb Update net_susp_dns_txt_exec_strings.yml 2020-10-15 23:11:16 -03:00
Jonhnathan 4b8a47e35f Update net_susp_dns_b64_queries.yml 2020-10-15 23:10:57 -03:00
Jonhnathan 28cfda7676 Update net_mal_dns_cobaltstrike.yml 2020-10-15 23:10:42 -03:00
Roberto Rodriguez 2cb540f95e 13 Rules from THP - Backlog Rules (old) 2020-10-13 03:33:55 -04:00
cyb3rward0g 55d6bd8089 Update - Adding description to zeek exfiltration compressed files 2020-10-12 23:32:10 -04:00