Commit Graph

150 Commits

Author SHA1 Message Date
Florian Roth 27c2684a0f Rule: Chafer malware proxy pattern 2019-01-31 12:31:48 +01:00
Tareq AlKhatib 7e4bb1d21a Removed duplicate filters 2019-01-25 12:21:57 +03:00
Florian Roth a7fa20546a Rule: proxy user agents updated with MacControl user agent 2018-12-17 14:18:03 +01:00
Thomas Patzke a1940c6eaa Simplified rule 2018-11-21 22:34:04 +01:00
Florian Roth 3c3b14a26b rule: new malware UA 2018-10-10 15:27:58 +02:00
Florian Roth 54678fcb36 Rule: CertUtil UA
https://twitter.com/ItsReallyNick/status/1047151134501216258
2018-10-06 16:47:37 +02:00
Thomas Patzke 81515b530c ATT&CK tagging QA 2018-09-20 12:44:44 +02:00
Florian Roth 5d714ab44e Rule: Added malware UA 2018-09-08 10:22:26 +02:00
Unknown 863736587c Adding ATTCK 2018-09-08 09:34:27 +02:00
Unknown d866097c07 CobaltStrike Malleable Amazon browsing traffic profile 2018-09-07 19:52:35 +02:00
Unknown cf48a77d5a Adding CMStar user-agent "O/9.27 (W; U; Z)" 2018-09-07 09:07:24 +02:00
Florian Roth ec1bd77f2e Rule: Proxy UA rule update - from Kaspersky report
https://securelist.com/attacks-on-industrial-enterprises-using-rms-and-teamviewer/87104/
2018-09-05 20:39:19 +02:00
Florian Roth 1c87f77223 Rule: Fixed false positive in suspicious UA rule 2018-09-04 11:33:05 +02:00
Florian Roth 7c05b85bcd rule: Added malware UA 2018-08-15 12:33:03 +02:00
Florian Roth 48582a1c93 Bugfix in Flash Downloader Rule 2018-06-30 23:39:38 +02:00
Florian Roth b05856eae1 Rule: Update suspicious TLD downloads 2018-06-13 00:08:46 +02:00
Florian Roth f6f718c54f Cosmetics 2018-06-10 10:28:59 +02:00
yt0ng 3166bf5b05 Update proxy_ua_apt.yml
User Agent seen in https://www.hybrid-analysis.com/sample/a80e29c0757bee05338fd5c22a542d852ad86c477068e3eb4aacc1c3e59e2eef?environmentId=100
2018-06-10 10:17:02 +02:00
Florian Roth bd61f223ee Sofacy Zebrocy samples 2018-06-06 23:24:18 +02:00
Florian Roth 667b3b4935 Rule: Added 2 more Sofacy User-Agents 2018-06-06 22:38:50 +02:00
Florian Roth 9640806678 Rules: Telegram Bot API access 2018-06-05 16:25:43 +02:00
Florian Roth 51c6d0a767 Rule: Proxy User-Agent VPNFilter 2018-05-24 00:34:07 +02:00
Matthew Green 16365b7793 Update_WebDAV
Made the name a bit generic as WebDAV can be used by several download cradles.
Added in HttpMethod as a select, as GET requests make for a great filter point with far fewer false positives.
2018-05-16 13:05:15 +10:00
Florian Roth ae6df590a9 Delphi downloader https://goo.gl/rMVUSM 2018-04-24 23:23:21 +02:00
Florian Roth 8ddd40e18e PowerShell Cradle - WebDAV UA 2018-04-09 08:37:30 +02:00
Florian Roth 6eb8cdfeab TSCookie UA 2018-04-09 08:37:30 +02:00
Florian Roth 6e0cc193c7 Rule: Pony / Fareit UA 2018-03-01 09:28:04 +01:00
Florian Roth 058d719e2b Rule update: Proxy UA > Loki Bot 2018-02-12 10:08:32 +01:00
Florian Roth 1382edb5e3 Cosmetics 2018-02-09 10:13:39 +01:00
Florian Roth 34e0352a21 Rule: Proxy UAs - malware - Ghost419
https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/
2018-02-03 14:47:04 +01:00
SherifEldeeb 348728bdd9 Cleaning up empty list items 2018-01-28 02:36:39 +03:00
SherifEldeeb 48441962cc Change all "str" references to be "list" to match schema update 2018-01-28 02:24:16 +03:00
SherifEldeeb 112a0939d7 Change "reference" to "references" to match new schema 2018-01-28 02:12:19 +03:00
Florian Roth aca70e57ec Massive Title Cleanup 2018-01-27 10:57:30 +01:00
Florian Roth fd801a61a5 Bronze Butler Daserf malware User Agents in Proxy Logs 2017-11-08 12:52:11 +01:00
Florian Roth e5383be163 Rule: Proxy suspicious downloads from Dyndns hosts 2017-11-08 11:32:30 +01:00
Florian Roth 4540088aa9 Rule: Extended proxy suspicious TLD white list rule 2017-11-08 00:38:26 +01:00
Florian Roth acc430c4b6 Rule: Proxy download from blacklisted TLDs 2017-11-07 14:03:16 +01:00
Florian Roth 58f20d3cfb Rule: Proxy download whitelist bugfix and improvements 2017-11-07 14:02:56 +01:00
Florian Roth e680da1b50 Suspicious flash player download location / BadRabbit 2017-10-25 08:40:30 +02:00
Florian Roth f4720d5149 APT17 malware UA
https://twitter.com/cyb3rops/status/915135877709549568
2017-10-03 12:47:53 +02:00
Thomas Patzke 986c9ff9b7 Added field names to first rules 2017-09-12 23:54:04 +02:00
Thomas Patzke 5c465129bd Fixed rules
* Replaced unspecified logsource attribute 'type' with 'category'
* Usage of service 'auth' for Linux logs
2017-09-11 00:35:52 +02:00
Florian Roth 433293ea40 'ruler' User Agent
https://www.crowdstrike.com/blog/using-outlook-forms-lateral-movement-persistence/
2017-07-22 09:24:45 -06:00
Florian Roth 4bff14acd1 User-Agent rules split up in separate files 2017-07-08 09:59:05 -06:00
Florian Roth eeb31964da User-Agent Rules 2017-07-08 08:37:44 -06:00
Florian Roth cf42847b74 Suspicious User Agent strings 2017-07-07 20:53:22 -06:00
Florian Roth cec48ece04 Suspicious User-Agent Strings, starting with empty value 2017-07-07 18:38:32 -06:00
Florian Roth a87d513efa Rule: Suspicious executable downloads 2017-03-13 16:11:43 +01:00
Florian Roth b8db4935e0 Rule: PowerShell UserAgent in Proxy Logs 2017-03-13 13:51:32 +01:00