Commit Graph

223 Commits

Author SHA1 Message Date
TheLawsOfChaos 52e40d10ef feat: updates multiple mitre tech/sub-tech/tactics (#3913) 2023-01-12 17:04:38 +01:00
Nasreddine Bencherchali 10c81f1ed0 fix: change to uppercase 2023-01-09 22:32:22 +01:00
Nasreddine Bencherchali 8563b4265a fix: duplicate title + add related field 2023-01-09 21:13:04 +01:00
TheLawsOfChaos 3415cfb658 Update proxy_download_susp_tlds_whitelist.yml
Per @nasbench I have made the following updates
- Modified date : 
- Description : still applies, the files themselves are executable either by themselves or by other processes.
- Capital letters : I actually didn't touch that, but just capitalized the F in from from whoever modified it before!
2023-01-09 15:03:31 -05:00
TheLawsOfChaos 0df15d18b0 Update proxy_download_susp_tlds_whitelist.yml
This rule checks for more than just EXE downloads so changed the title. The description is fine. New title matches the blacklist version, and if it's desired to have both have different titles, I recommend putting 'inclusion' and 'exclusion'.
2023-01-09 10:52:03 -05:00
frack113 7060db3d47 Promotion rules (#3821)
* Promotion rules

* fix missing null

* fix: modified date

Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
2022-12-27 12:29:10 +01:00
Nasreddine Bencherchali d6b6984567 fix: add encoded @ symbol
Co-authored-by: Florian Roth <venom14@gmail.com>
2022-12-22 14:53:34 +01:00
Nasreddine Bencherchali 74f198460e fix: add good ua as filter 2022-12-22 14:50:30 +01:00
Nasreddine Bencherchali 62a828e184 feat: more updates 2022-12-22 14:45:53 +01:00
Nasreddine Bencherchali 7ed105bccb fix: add response code 2022-12-22 14:36:32 +01:00
Nasreddine Bencherchali 8fd9181392 fix: typo in selection 2022-12-22 14:35:22 +01:00
Nasreddine Bencherchali cc3dce61d7 fix: apply suggestions from code review
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
2022-12-22 14:25:50 +01:00
Nasreddine Bencherchali 3b54d8de79 fix: metadata 2022-12-22 12:20:18 +01:00
Nasreddine Bencherchali f79c09c1ff fix: duplicate id 2022-12-22 12:14:55 +01:00
Nasreddine Bencherchali e61795a1ea feat: proxynotshell owa variant rules 2022-12-22 12:10:29 +01:00
Nasreddine Bencherchali 92965e6f7e fix: fix broken description 2022-11-29 23:43:03 +01:00
frack113 c820216541 Update Title (#3733) 2022-11-28 06:43:17 +01:00
Florian Roth 493144a3b3 Racoon stealer UAs 2022-10-31 15:55:28 +01:00
frack113 5498621bbc Order yaml field 2022-10-25 10:08:58 +02:00
phantinuss e52e5ebf03 add new malicious user agent strings 2022-10-21 17:29:34 +02:00
Florian Roth eada6ed589 Update proxy_ua_rclone.yml 2022-10-18 17:21:54 +02:00
Florian Roth 458428bf5f Update proxy_ua_rclone.yml 2022-10-18 10:15:33 +02:00
BlueTeamOps f34c32882a proxy_ua_rclone.yml
Adding this rule after reading https://www.kroll.com/en/insights/publications/cyber/new-m365-business-email-compromise-attacks-with-rclone. It is more relevant to O365 but it may help via proxy too if this is off O365.
2022-10-18 17:32:38 +11:00
Florian Roth 5da911eb84 Merge branch 'master' into rule-devel 2022-10-10 14:35:37 +02:00
Florian Roth 5cbd355d95 ZINC / Lazarus UAs 2022-10-10 12:23:09 +02:00
frack113 931fb30853 old experimental rule promotion 2022-10-09 16:54:04 +02:00
Florian Roth d8ff3339aa antSword webshell 2022-09-29 13:31:16 +02:00
Florian Roth 69308b035a rule: havana ransomware UA 2022-09-05 16:50:26 +02:00
Tomasuh b5d5a648b5 proxy_ua_bitsadmin_susp_ip.yml falsepositive fix
Change to endswith instead of startswith to avoid matching subdomains which start with digits, example: 3.au.download.windowsupdate.com
2022-08-24 08:19:51 +02:00
Florian Roth 5c27980bc6 Merge pull request #3403 from SigmaHQ/rule-devel
rule: SharpUp, HandleKatz
2022-08-20 09:29:55 +02:00
frack113 93da19a708 Merge pull request #3390 from Tomasuh/proxy-dev
Rule for Advanced IP/Port Scanner update check
2022-08-20 08:35:52 +02:00
Florian Roth 207b6a3ae6 Update proxy_adv_ip_port_scanner_upd_check.yml 2022-08-19 09:10:32 +02:00
Florian Roth 2c0b9c11be Quasar RAT UA 2022-08-18 13:02:11 +02:00
Axel Olsson 47ecbe65a2 Rename file to start with proxy_ to follow standard 2022-08-18 09:36:23 +02:00
Tomasuh 8c339653c7 Feedback implemented 2022-08-18 09:34:53 +02:00
Florian Roth b115f6ea1e Racoon Stealer UA 2022-08-17 14:40:36 +02:00
Tomasuh 65c2659769 Correcting date 2022-08-17 12:47:54 +02:00
Tomasuh 6b32472d58 Correcting date format and MITRE fix
Removed attack.T1046 from tags.
2022-08-17 12:47:38 +02:00
Tomasuh 350bf80d93 Rule for Advanced IP/Port Scanner update check
Rule for Advanced IP/Port Scanner update check

- http://www.advanced-port-scanner[.]com/checkupdate.php?lng=en&ver=2-5-3680&beta=n&type=upd&rmode=p&product=aps
- http://www.advanced-ip-scanner[.]com/checkupdate.php?lng=en&ver=2-5-3499&beta=n&type=upd&rmode=p&product=aips
2022-08-17 11:24:00 +02:00
Tomasuh 2964506834 proxy_ua_bitsadmin_susp_tld.yml fp filter 2022-08-16 16:14:08 +02:00
frack113 80632dc4d0 Update proxy_ios_implant.yml 2022-08-15 17:33:39 +02:00
frack113 91dbc5e721 Update proxy_ursnif_malware_download_url.yml 2022-08-15 17:33:17 +02:00
frack113 9d914ac240 Update proxy_cobalt_onedrive.yml 2022-08-15 17:33:00 +02:00
frack113 2ea7fc0c51 Update proxy_turla_comrat.yml 2022-08-15 17:32:34 +02:00
frack113 f50de1d4e1 Update proxy_chafer_malware.yml 2022-08-15 17:32:20 +02:00
frack113 29901228fd Update proxy_baby_shark.yml 2022-08-15 17:32:07 +02:00
Tomasuh 2bcb6abd72 Escape ? character 2022-08-12 12:46:21 +02:00
Tomasuh 5c549a2825 Escape ? character 2022-08-12 12:45:52 +02:00
Tomasuh 08d25bd065 Escape ? character 2022-08-12 12:44:53 +02:00
Tomasuh b189122287 Escape ? character 2022-08-12 12:44:23 +02:00