frack113
a1bddf51e7
fix typo of falsepositives
2021-05-24 10:31:28 +02:00
Nate Guagenti
0bee1b006f
fix - add date
2021-05-08 21:37:25 -04:00
Nate Guagenti
4152199073
add netbios port exclusion
...
netbios - every defender's nightmare and reality of FPs
2021-05-04 18:27:05 -04:00
Nate Guagenti
d4bd69dd77
Suspicious DNS Z Flag Set
...
The DNS Z flag is a bit within the DNS protocol header that is, per the IETF design, meant to be reserved (unused). Although recently it has been used in DNSSEC, the value being set to anything other than 0 should be rare. Otherwise, if it is set to non-0 and DNSSEC is being used, then excluding the legitimate domains is low effort and high reward.
references:
- 'https://twitter.com/neu5ron/status/1346245602502443009'
- 'https://tools.ietf.org/html/rfc2929#section-2.1'
- 'https://www.netresec.com/?page=Blog&month=2021-01&post=Finding-Targeted-SUNBURST-Victims-with-pDNS'
2021-05-04 18:13:08 -04:00
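The commit above describes the detection idea in words: the reserved bits of the DNS header flags word should be zero, DNSSEC is the one legitimate reason some of them are set, and known DNSSEC domains can be allowlisted. The following is an added example written for this page, not code from the Sigma repository or from the commit author, that parses raw DNS messages and applies that logic. It extracts the 3-bit field that RFC 1035 reserved as Z (RFC 2929 section 2.1 splits it into Z, AD and CD); exposing it as a 0-7 count is, to my understanding, how Zeek's dns.log `Z` field is populated, but that mapping is an assumption to verify against your sensor. One design choice goes slightly beyond the commit text: only the AD/CD (DNSSEC) bits are excused by the allowlist, while the single still-reserved bit is reported regardless of domain, since no legitimate protocol use of it is defined. The sample messages and the allowlisted zone are constructed test data.

```python
"""Flag DNS messages whose reserved Z header bits are non-zero.

Added example, not part of the Sigma project. Allowlist and sample
messages are constructed for the demonstration.
"""
import struct
from typing import Dict, Iterable, List, Tuple

# Masks over the 16-bit flags word of the DNS header (RFC 1035, RFC 2929 s2.1):
# QR(1) Opcode(4) AA TC RD RA | Z AD CD | RCODE(4)
QR_MASK = 0x8000
Z_FIELD_MASK = 0x0070  # the 3 bits between RA and RCODE: Z | AD | CD
Z_BIT = 0x0040         # the single bit RFC 2929 still reserves (must be 0)
AD_BIT = 0x0020        # Authentic Data (DNSSEC)
CD_BIT = 0x0010        # Checking Disabled (DNSSEC)


def parse_header(msg: bytes) -> Tuple[int, int]:
    """Return (transaction id, flags word) from a raw wire-format DNS message."""
    if len(msg) < 12:
        raise ValueError("DNS header requires 12 bytes")
    txid, flags = struct.unpack("!HH", msg[:4])
    return txid, flags


def parse_qname(msg: bytes, offset: int = 12) -> str:
    """Decode the first question name (plain labels, no compression) as a lowercase FQDN."""
    labels = []
    while True:
        length = msg[offset]
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name is not expected")
        offset += 1
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels).lower()


def z_field(flags: int) -> int:
    """The 3-bit reserved field as an integer 0-7 (assumed to match Zeek's dns.log `Z`)."""
    return (flags & Z_FIELD_MASK) >> 4


def build_query(txid: int, flags: int, name: str) -> bytes:
    """Construct a one-question DNS message (QTYPE=A, QCLASS=IN) as test input."""
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def is_allowlisted(qname: str, allowed: Iterable[str]) -> bool:
    """Exact or parent-zone match against domains known to use DNSSEC."""
    return any(qname == d or qname.endswith("." + d) for d in allowed)


def suspicious_z(messages: Iterable[bytes], allowlist: Iterable[str]) -> List[Dict]:
    """Return one record per message whose Z field is non-zero and not excused.

    AD/CD set on an allowlisted (DNSSEC) domain is tolerated; the truly
    reserved bit is always reported, since nothing legitimate sets it.
    """
    allowed = {d.lower().strip(".") for d in allowlist}
    hits = []
    for msg in messages:
        _, flags = parse_header(msg)
        z = z_field(flags)
        if z == 0:
            continue
        qname = parse_qname(msg)
        reserved_set = bool(flags & Z_BIT)
        if not reserved_set and is_allowlisted(qname, allowed):
            continue
        hits.append({
            "query": qname, "flags": f"0x{flags:04x}", "Z": z,
            "z_bit": reserved_set, "AD": bool(flags & AD_BIT),
            "CD": bool(flags & CD_BIT), "response": bool(flags & QR_MASK),
        })
    return hits


# Constructed sample traffic: flags 0x0100 = standard recursive query,
# 0x8180 = standard response with RD/RA set.
ALLOWLIST = ["example.net"]  # constructed: zone known to serve DNSSEC-validated answers
SAMPLE_MESSAGES = [
    build_query(0x1A2B, 0x0100, "www.example.com"),           # clean query, Z field 0
    build_query(0x1A2C, 0x8180 | AD_BIT, "www.example.net"),  # AD on allowlisted zone: excused
    build_query(0x1A2D, 0x0100 | AD_BIT, "www.example.org"),  # AD on unknown domain: report
    build_query(0x1A2E, 0x0100 | Z_BIT, "c2.example.org"),    # reserved bit set: report
    build_query(0x1A2F, 0x0100 | Z_BIT, "www.example.net"),   # reserved bit, allowlisted: still report
]

if __name__ == "__main__":
    for hit in suspicious_z(SAMPLE_MESSAGES, ALLOWLIST):
        print(hit)
```

Running the block prints three records: the AD-flagged query to the non-allowlisted domain and the two messages carrying the reserved bit, including the one for the allowlisted zone. When the same check is written as a Sigma rule over Zeek dns.log, the equivalent is a non-zero `Z` selection with the allowlisted DNSSEC domains in a filter; the separate "reserved bit always reported" refinement is not expressible from the 3-bit count alone and would need the raw flags.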
Florian Roth
4abebd98d9
Merge pull request #1418 from SigmaHQ/rule-devel
...
Fixing false positives with newest OSCD rules
2021-04-09 17:26:02 +02:00
Thomas Patzke
3fef2a10b8
Merge branch 'pr-1158'
2021-04-08 23:01:54 +02:00
Thomas Patzke
a10db2df89
Fixes&improvements
2021-04-08 01:06:40 +02:00
Florian Roth
00f01ea57f
Merge branch 'master' into rule-devel
2021-04-07 21:17:51 +02:00
Florian Roth
6b0f66e876
refactor: change level
2021-03-24 12:38:00 +01:00
Florian Roth
6d9fc65585
fix: FPs with www6
2021-03-24 12:37:35 +01:00
Florian Roth
a465f2722f
refactor: CobaltStrike beacon rule
2021-03-24 11:29:05 +01:00
Anton Kutepov
3f45269296
Merge branch 'oscd'
...
B
B
B
B
A
2021-03-02 22:58:41 +03:00
Florian Roth
5197f21ed1
fix: duplicate ID
2020-12-13 18:59:04 +01:00
yugoslavskiy
e97c4b0ac5
Update zeek_smb_converted_win_susp_psexec.yml
2020-11-28 19:05:22 +01:00
yugoslavskiy
68a62a5428
Update zeek_smb_converted_win_impacket_secretdump.yml
2020-11-28 19:02:53 +01:00
Jonhnathan
05e0dd1ae6
Update zeek_susp_kerberos_rc4.yml
2020-10-15 23:15:23 -03:00
Jonhnathan
f04394467b
Update zeek_smb_converted_win_susp_raccess_sensitive_fext.yml
2020-10-15 23:14:34 -03:00
Jonhnathan
de29d778a5
Update zeek_smb_converted_win_susp_psexec.yml
2020-10-15 23:14:15 -03:00
Jonhnathan
3e600dab82
Update zeek_smb_converted_win_impacket_secretdump.yml
2020-10-15 23:13:47 -03:00
Jonhnathan
50abab7f11
Update zeek_http_executable_download_from_webdav.yml
2020-10-15 23:13:20 -03:00
Jonhnathan
aeb3218dfb
Update net_susp_dns_txt_exec_strings.yml
2020-10-15 23:11:16 -03:00
Jonhnathan
4b8a47e35f
Update net_susp_dns_b64_queries.yml
2020-10-15 23:10:57 -03:00
Jonhnathan
28cfda7676
Update net_mal_dns_cobaltstrike.yml
2020-10-15 23:10:42 -03:00
Roberto Rodriguez
2cb540f95e
13 Rules from THP - Backlog Rules (old)
2020-10-13 03:33:55 -04:00
cyb3rward0g
55d6bd8089
Update - Adding description to zeek exfiltration compressed files
2020-10-12 23:32:10 -04:00
cyb3rward0g
189e3c2605
update - GitHub Action / Test Sigma
2020-10-12 22:43:36 -04:00
cyb3rward0g
644f222079
update - GitHub Action / Test Sigma
2020-10-12 21:58:02 -04:00
cyb3rward0g
491049b92a
Updated - GitHub Action / Test Sigma
2020-10-12 21:34:07 -04:00
cyb3rward0g
21f41eaad9
16 rules from DH APT29 day 1 - contributing soon
2020-10-12 18:13:13 -04:00
Florian Roth
d3ee1aba66
docs: MITRE ATT&CK(R) trademark references removed or adjusted
...
https://github.com/Neo23x0/sigma/issues/1028
2020-09-30 08:53:52 +02:00
Mike Wade
f76f80db80
Killswitch domain
2020-09-16 20:32:31 -06:00
Mike Wade
1ddba05eb2
Second round
2020-09-15 07:02:30 -06:00
Alexey Lednyov
1eb675f693
att&ck tags review: web, network/zeek
2020-09-03 17:06:37 +03:00
Yugoslavskiy Daniil
71fec94417
review network/cisco/aaa
2020-09-03 00:34:41 +02:00
Alexey Lednyov
880b10cce1
att&ck tags review: windows/process_creation part 1, network
2020-08-27 20:43:47 +03:00
Josh Brower
4c4b8db7cf
Zeek RDP rule
2020-08-23 13:16:42 -04:00
Florian Roth
80f4b4ec71
fix: rules with duplicate tags
2020-07-27 11:44:47 +02:00
Florian Roth
58b68758b4
fix: wrong MITRE ATT&CK ids used in the beta version
2020-07-14 17:53:32 +02:00
Florian Roth
781667ef22
fix: zeek rule references isn't a list
2020-07-14 00:33:47 +02:00
Florian Roth
c3ffa0b9d3
fix: duplicate IDs
2020-06-24 17:04:04 +02:00
Ivan Kirillov
0fbfcc6ba9
Initial round of subtechnique updates
2020-06-16 14:46:08 -06:00
neu5ron
7c3dea22b8
small T, big T
2020-05-19 05:13:48 -04:00
neu5ron
602c8917ef
domain user enumeration via zeek rpc (dce_rpc) log.
2020-05-19 05:08:26 -04:00
neu5ron
858ebcd3d3
author typo update
2020-05-19 04:35:47 -04:00
neu5ron
2fc8d513d6
zeek, swap path and name
2020-05-19 04:35:30 -04:00
neu5ron
a01a85cf9b
CI/CD check fixes (missing IDs)
2020-05-04 15:22:18 -04:00
neu5ron
a61b1da47a
fixed yaml space causing condition to not be found
2020-05-04 15:17:43 -04:00
neu5ron
d300027848
on behalf of @socprime [SOC Prime Inc.](https://my.socprime.com/en/tdm/)
...
add rules for Zeek. This includes Windows Event Channel Security EventID:5145, which has the same fields as Zeek SMB.
Also, converted some of [MITRE ATT&CK BZAR](https://github.com/mitre-attack/bzar), which are Zeek (sensor) scripts.
2020-05-02 07:27:51 -04:00
neu5ron
c66540c029
on behalf of @socprime [SOC Prime Inc.](https://my.socprime.com/en/tdm/)
...
create `zeek` folder to store Zeek rules
2020-05-02 07:25:21 -04:00
Florian Roth
35e43db7a7
fix: converted CRLF line break to LF
2020-03-25 14:36:34 +01:00