Commit Graph

81 Commits

Author SHA1 Message Date
Florian Roth 820cc0ccf8 Merge branch 'master' into rule-devel 2021-11-29 11:00:25 +01:00
Florian Roth ef7810fa8b fix: fixing issues with wildcard symbol
https://github.com/SigmaHQ/sigma/issues/2339
2021-11-29 10:57:01 +01:00
frack113 01dc930c17 Change status for old rules 2021-11-27 11:33:14 +01:00
frack113 1cfca93354 Missing status in rules (#2284)
* add missing status
2021-11-19 22:32:26 +01:00
frack113 5f87eba896 restore src_ip for coverage 2021-11-14 10:11:29 +01:00
frack113 9d0be2348d Fix field name 2021-11-14 09:26:00 +01:00
frack113 5245360186 No filetype or bodyMagic in zeek http log field 2021-11-14 09:24:34 +01:00
Nate Guagenti 8291aba4d3 remove duplicate exclusion
exclude_tlds was listed twice
2021-11-06 15:45:34 -04:00
frack113 193357cf17 Add cve tags 2021-10-25 18:51:40 +02:00
frack113 f8574fcd81 Add cve tags 2021-10-25 18:40:50 +02:00
frack113 3c906b52a0 fix filename 2021-09-22 16:21:07 +02:00
neu5ron 61c9c9fb20 Zeek detection for OMIGOD HTTP RCE
Signed-off-by: neu5ron <neu5ron@users.noreply.github.com>
2021-09-20 12:26:01 -04:00
frack113 0288f5b626 fix condition operator case 2021-09-10 13:51:52 +02:00
Thomas Patzke 143744bc12 Various fixes
* Backslashes in regular expressions
* Casing of condition operators
* Further small errors
2021-09-07 23:38:07 +02:00
frack113 5b869a3f42 Update cve tags 2021-08-24 10:50:01 +02:00
frack113 679651bdf9 Merge pull request #1913 from neu5ron/add_zeek_dce_rpc_printnightmare_print_driver_install
Zeek DCE_RPC PrintNightmare
2021-08-24 08:37:02 +02:00
frack113 e76c11da7f Merge pull request #1908 from neu5ron/patch-7
improve rule logic zeek_default_cobalt_strike_certificate.yml
2021-08-24 08:36:33 +02:00
frack113 293f422243 Merge pull request #1906 from neu5ron/patch-5
improve zeek_dce_rpc_smb_spoolss_named_pipe
2021-08-24 08:36:18 +02:00
frack113 81ec546e42 Merge pull request #1905 from neu5ron/patch-4
improve rule
2021-08-24 08:36:04 +02:00
frack113 15aa0cb70e add modified 2021-08-24 08:02:24 +02:00
frack113 4ee4f12f30 add modified 2021-08-24 08:01:01 +02:00
frack113 8ab90d8012 add modified 2021-08-24 07:59:36 +02:00
frack113 be43ecd70d Remove empty element in list
Otherwise you get a `null` when converting to some backends (es-rule, ...)
2021-08-24 07:57:16 +02:00
neu5ron 9e588fdcf6 Zeek dce_rpc.log Detection of print driver installs over RPC (i.e. possible PrintNightmare) using the three existing known RPC functions, as well as a few others "discussed" but not directly related to the PrintNightmare PoC or public post-compromise write-ups. 2021-08-24 00:58:36 -04:00
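As an added example (not code from the SigmaHQ repository or from the commit above), the kind of detection that commit describes, evaluated in Python over Zeek dce_rpc.log lines. The three spooler operation names are my assumption about which "existing known RPC functions" the commit means, the `extra_ops` hook stands in for the "few others discussed" without naming any, and the log lines are constructed, not captured traffic.

```python
"""Evaluate a Sigma-style "print driver install over RPC" match against
Zeek dce_rpc.log records.

Added example, not part of the SigmaHQ repository. The operation names in
PRINT_DRIVER_INSTALL_OPS are an assumption about which spooler functions the
commit refers to; the sample log is constructed.
"""

from typing import Dict, Iterable, Iterator, List, Optional, Set

# Assumption: spooler RPC operations that install a print driver.
PRINT_DRIVER_INSTALL_OPS: Set[str] = {
    "RpcAddPrinterDriver",
    "RpcAddPrinterDriverEx",
    "RpcAsyncAddPrinterDriver",
}

# Constructed Zeek dce_rpc.log excerpt (ASCII logger, tab-separated).
# Column order follows the default dce_rpc.log fields; values are made up.
SAMPLE_DCE_RPC_LOG = """\
#separator \\x09
#path\tdce_rpc
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\trtt\tnamed_pipe\tendpoint\toperation
1629763200.000000\tCabc1\t10.0.0.5\t49152\t10.0.0.10\t445\t0.0010\t\\\\pipe\\spoolss\tspoolss\tRpcEnumPrinters
1629763201.000000\tCabc2\t10.0.0.5\t49153\t10.0.0.10\t445\t0.0012\t\\\\pipe\\spoolss\tspoolss\tRpcAddPrinterDriverEx
1629763202.000000\tCabc3\t10.0.0.7\t49160\t10.0.0.10\t445\t0.0009\t\\\\pipe\\spoolss\tspoolss\tRpcAsyncAddPrinterDriver
1629763203.000000\tCabc4\t10.0.0.5\t49154\t10.0.0.10\t135\t0.0008\t-\tepmapper\tept_map
"""


def parse_zeek_log(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per data line of a Zeek ASCII log.

    The '#fields' header supplies the column names; other '#' lines
    (separator, path, types, ...) are metadata and skipped. A data line
    whose column count disagrees with the header is rejected rather than
    silently misaligned, so a field like 'operation' never picks up a
    neighbouring column's value.
    """
    fields: Optional[List[str]] = None
    for raw in text.splitlines():
        if raw.startswith("#fields"):
            fields = raw.split("\t")[1:]
            continue
        if raw.startswith("#") or not raw.strip():
            continue
        values = raw.split("\t")
        if fields is None:
            raise ValueError("data line before #fields header")
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(values)}")
        yield dict(zip(fields, values))


def detect_print_driver_install(
    records: Iterable[Dict[str, str]],
    extra_ops: Optional[Set[str]] = None,
) -> List[Dict[str, str]]:
    """Return the records whose 'operation' is a print-driver-install call.

    Matching is on 'operation', not 'endpoint': every spoolss call shares
    the same endpoint, so endpoint alone would flag normal printing.
    'extra_ops' lets a deployment add further operations without editing
    the base set (placeholder for the commit's "few others discussed").
    """
    wanted = PRINT_DRIVER_INSTALL_OPS | (extra_ops or set())
    hits = []
    for rec in records:
        if rec.get("operation") in wanted:
            # Keep the fields an analyst needs to pivot on.
            hits.append({k: rec[k] for k in
                         ("ts", "uid", "id.orig_h", "id.resp_h", "endpoint", "operation")})
    return hits


def run_sample() -> List[Dict[str, str]]:
    """Run the detection over the constructed sample log."""
    return detect_print_driver_install(parse_zeek_log(SAMPLE_DCE_RPC_LOG))


if __name__ == "__main__":
    for hit in run_sample():
        print(hit)
```

The match is deliberately exact on `operation`; Zeek emits the operation name as parsed from the interface definition, so a `contains`-style match would be needed only if a backend lowercases the field before comparison.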
Nate Guagenti b255586117 condition fix and add fields
should be `operation`, not `endpoint`, for the detection logic.
added various fields useful for investigation
2021-08-23 14:59:06 -04:00
Nate Guagenti 064d7b7b9f improve rule logic zeek_default_cobalt_strike_certificate.yml
zeek logging for `certificate.serial` has all letters capitalized
2021-08-23 14:23:41 -04:00
Nate Guagenti cfc32e5950 correct fields for zeek_rdp_public_listener.yml
correct zeek fields for `fields` section.
improve false positives information
2021-08-23 14:16:55 -04:00
Nate Guagenti 1819e4b02b improve rule
- improve rule logic
- match zeek fields for fields section
- add false positive information
- change rule name to match the logic of the original rule. The rule said "first" seen; however, there is no logic that matches that (i.e. rare, stacking, etc.)
2021-08-23 14:12:50 -04:00
Nate Guagenti feb7d0e187 Update zeek_dns_mining_pools.yml 2021-08-23 14:11:04 -04:00
Nate Guagenti b00e1772b3 added logic and usage
rule logic should be endswith.
match zeek fields for `fields` section
add false positive information
2021-08-23 14:03:38 -04:00
frack113 9d3a13b13e cleanup 2021-08-23 19:04:01 +02:00
Nate Guagenti 4f8bd4a5a2 Update zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml
try new uuid to pass check...
2021-08-23 11:24:22 -04:00
Nate Guagenti 6aea58b4d2 Update zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml 2021-08-23 11:18:51 -04:00
Nate Guagenti 78c667fda1 Update zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml
shorten title
2021-08-23 11:15:30 -04:00
Nate Guagenti 96e77eb8db Create zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml 2021-08-23 11:06:44 -04:00
SomeOne 295054dcbe Replace old MITRE techniques with new ones 2021-08-22 13:57:56 +02:00
frack113 07a87aa7f8 Merge pull request #1858 from frack113/fix_pr718
Replace pr718
2021-08-21 18:02:30 +02:00
frack113 3283664154 Update remove useless rules 2021-08-19 18:28:44 +02:00
frack113 f1a84536c3 update fix 2021-08-19 17:55:41 +02:00
Austin Songer c9128687ee Spelling Errors on Rules 2021-08-18 18:58:20 +00:00
frack113 c3457c9911 fix titles 2021-08-15 19:05:00 +02:00
frack113 245cb6d510 fix more errors 2021-08-15 18:55:44 +02:00
frack113 12396f615c remove duplicate rule and fix errors 2021-08-15 16:52:24 +02:00
frack113 a75859a976 First commit 2021-08-15 16:00:14 +02:00
frack113 db0de126a5 test author for Detection Rule License 1.1 2021-08-14 19:16:36 +02:00
Florian Roth 685bd490f5 Merge pull request #1573 from d4rk-d4nph3/master
Added rule for default cobalt strike certificate
2021-06-25 12:16:31 +02:00
Bhabesh Rai 91cc97d099 Fixed the taxonomy 2021-06-24 21:07:52 +05:45
Bhabesh Rai 1ebbc6c1a3 Added rule for default cobalt strike certificate 2021-06-23 10:17:27 +05:45
frack113 a1bddf51e7 fix typo of falsepositives 2021-05-24 10:31:28 +02:00
Nate Guagenti 0bee1b006f fix - add date 2021-05-08 21:37:25 -04:00