frack113
8ab90d8012
add modified
2021-08-24 07:59:36 +02:00
frack113
be43ecd70d
Remove empty element in list
Otherwise we get a `null` when converting to some backends (es-rule, ...)
2021-08-24 07:57:16 +02:00
neu5ron
9e588fdcf6
Zeek dce_rpc.log Detection of print driver installs over RPC (i.e. possible PrintNightmare) using the three existing known RPC functions, as well as a few others "discussed" but not directly related to PrintNightmare PoC or public post-compromise write-ups.
2021-08-24 00:58:36 -04:00
Nate Guagenti
b255586117
condition fix and add fields
should be `operation` not `endpoint` for the detection logic.
added various fields useful for investigation
2021-08-23 14:59:06 -04:00
Nate Guagenti
064d7b7b9f
improve rule logic zeek_default_cobalt_strike_certificate.yml
In zeek logging for `certificate.serial`, all letters are capitalized
2021-08-23 14:23:41 -04:00
Nate Guagenti
cfc32e5950
correct fields for zeek_rdp_public_listener.yml
correct zeek fields for `fields` section.
improve false positives information
2021-08-23 14:16:55 -04:00
Nate Guagenti
1819e4b02b
improve rule
- improve rule logic
- match zeek fields for fields section
- add false positive information
- change rule name to match the logic of the original rule. Rule said "first" seen; however, there is no logic that matches that (i.e. rare, stacking, etc.)
2021-08-23 14:12:50 -04:00
Nate Guagenti
feb7d0e187
Update zeek_dns_mining_pools.yml
2021-08-23 14:11:04 -04:00
Nate Guagenti
b00e1772b3
added logic and usage
rule logic should be endswith.
match zeek fields for `fields` section
add false positive information
2021-08-23 14:03:38 -04:00
frack113
9d3a13b13e
cleanup
2021-08-23 19:04:01 +02:00
Nate Guagenti
4f8bd4a5a2
Update zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml
try new uuid to pass check...
2021-08-23 11:24:22 -04:00
Nate Guagenti
6aea58b4d2
Update zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml
2021-08-23 11:18:51 -04:00
Nate Guagenti
78c667fda1
Update zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml
shorten title
2021-08-23 11:15:30 -04:00
Nate Guagenti
96e77eb8db
Create zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml
2021-08-23 11:06:44 -04:00
SomeOne
295054dcbe
Replace old mitre techniques by new one
2021-08-22 13:57:56 +02:00
frack113
07a87aa7f8
Merge pull request #1858 from frack113/fix_pr718
Replace pr718
2021-08-21 18:02:30 +02:00
frack113
3283664154
Update remove useless rules
2021-08-19 18:28:44 +02:00
frack113
f1a84536c3
update fix
2021-08-19 17:55:41 +02:00
Austin Songer
c9128687ee
Spelling Errors on Rules
2021-08-18 18:58:20 +00:00
frack113
c3457c9911
fix titles
2021-08-15 19:05:00 +02:00
frack113
245cb6d510
fix more errors
2021-08-15 18:55:44 +02:00
frack113
12396f615c
remove duplicate rule and fix errors
2021-08-15 16:52:24 +02:00
frack113
a75859a976
First commit
2021-08-15 16:00:14 +02:00
frack113
db0de126a5
test author for Detection Rule License 1.1
2021-08-14 19:16:36 +02:00
frack113
fc64b8b937
Split PR 1802 fix net rules
2021-08-09 17:23:15 +02:00
Thomas Patzke
6d41d538b2
Title fixed
2021-07-11 09:25:33 +02:00
Thomas Patzke
8e010ec60c
Added rule
From https://www.binarydefense.com/analysis-of-hancitor-when-boring-begets-beacon which weren't already covered by other rules and can be expressed in Sigma.
2021-07-08 07:59:40 +02:00
Florian Roth
685bd490f5
Merge pull request #1573 from d4rk-d4nph3/master
Added rule for default cobalt strike certificate
2021-06-25 12:16:31 +02:00
Bhabesh Rai
91cc97d099
Fixed the taxonomy
2021-06-24 21:07:52 +05:45
Bhabesh Rai
1ebbc6c1a3
Added rule for default cobalt strike certificate
2021-06-23 10:17:27 +05:45
frack113
a1bddf51e7
fix typo of falsepositives
2021-05-24 10:31:28 +02:00
Nate Guagenti
0bee1b006f
fix - add date
2021-05-08 21:37:25 -04:00
Nate Guagenti
4152199073
add netbios port exclusion
netbios - every defender's nightmare and reality of FPs
2021-05-04 18:27:05 -04:00
Nate Guagenti
d4bd69dd77
Suspicious DNS Z Flag Set
The DNS Z flag is a bit within the DNS protocol header that is, per the IETF design, meant to be reserved (unused). Although recently it has been used in DNSSec, the value being set to anything other than 0 should be rare. Otherwise, if it is set to non-0 and DNSSec is being used, then excluding the legitimate domains is low effort and high reward.
references:
- 'https://twitter.com/neu5ron/status/1346245602502443009'
- 'https://tools.ietf.org/html/rfc2929#section-2.1'
- 'https://www.netresec.com/?page=Blog&month=2021-01&post=Finding-Targeted-SUNBURST-Victims-with-pDNS'
2021-05-04 18:13:08 -04:00
Florian Roth
4abebd98d9
Merge pull request #1418 from SigmaHQ/rule-devel
Fixing false positives with newest OSCD rules
2021-04-09 17:26:02 +02:00
Thomas Patzke
3fef2a10b8
Merge branch 'pr-1158'
2021-04-08 23:01:54 +02:00
Thomas Patzke
a10db2df89
Fixes & improvements
2021-04-08 01:06:40 +02:00
Florian Roth
00f01ea57f
Merge branch 'master' into rule-devel
2021-04-07 21:17:51 +02:00
Florian Roth
6b0f66e876
refactor: change level
2021-03-24 12:38:00 +01:00
Florian Roth
6d9fc65585
fix: FPs with www6
2021-03-24 12:37:35 +01:00
Florian Roth
a465f2722f
refactor: CobaltStrike beacon rule
2021-03-24 11:29:05 +01:00
Anton Kutepov
3f45269296
Merge branch 'oscd'
B
B
B
B
A
2021-03-02 22:58:41 +03:00
Florian Roth
5197f21ed1
fix: duplicate ID
2020-12-13 18:59:04 +01:00
yugoslavskiy
e97c4b0ac5
Update zeek_smb_converted_win_susp_psexec.yml
2020-11-28 19:05:22 +01:00
yugoslavskiy
68a62a5428
Update zeek_smb_converted_win_impacket_secretdump.yml
2020-11-28 19:02:53 +01:00
Jonhnathan
05e0dd1ae6
Update zeek_susp_kerberos_rc4.yml
2020-10-15 23:15:23 -03:00
Jonhnathan
f04394467b
Update zeek_smb_converted_win_susp_raccess_sensitive_fext.yml
2020-10-15 23:14:34 -03:00
Jonhnathan
de29d778a5
Update zeek_smb_converted_win_susp_psexec.yml
2020-10-15 23:14:15 -03:00
Jonhnathan
3e600dab82
Update zeek_smb_converted_win_impacket_secretdump.yml
2020-10-15 23:13:47 -03:00
Jonhnathan
50abab7f11
Update zeek_http_executable_download_from_webdav.yml
2020-10-15 23:13:20 -03:00