Skip to content

Commit

Permalink
Merge PR #4738 from @nasbench - Small fixes and metadata updates
Browse files Browse the repository at this point in the history
new: HackTool - CobaltStrike Malleable Profile Patterns - Proxy
remove: CobaltStrike Malformed UAs in Malleable Profiles
remove: CobaltStrike Malleable (OCSP) Profile
remove: CobaltStrike Malleable Amazon Browsing Traffic Profile
remove: CobaltStrike Malleable OneDrive Browsing Traffic Profile
remove: iOS Implant URL Pattern
update: Chafer Malware URL Pattern - Reduce level to high and move to ET folder
  • Loading branch information
nasbench authored Feb 26, 2024
1 parent 49bd839 commit 8af1ab8
Show file tree
Hide file tree
Showing 32 changed files with 120 additions and 137 deletions.
Original file line number Diff line number Diff line change
@@ -1,13 +1,13 @@
title: CobaltStrike Malleable Amazon Browsing Traffic Profile
id: 953b895e-5cc9-454b-b183-7f3db555452e
status: test
status: deprecated
description: Detects Malleable Amazon Profile
references:
- https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/amazon.profile
- https://www.hybrid-analysis.com/sample/ee5eca8648e45e2fea9dac0d920ef1a1792d8690c41ee7f20343de1927cc88b9?environmentId=100
author: Markus Neis
date: 2019/11/12
modified: 2022/07/07
modified: 2024/02/15
tags:
- attack.defense_evasion
- attack.command_and_control
Expand Down
Original file line number Diff line number Diff line change
@@ -1,12 +1,12 @@
title: CobaltStrike Malformed UAs in Malleable Profiles
id: 41b42a36-f62c-4c34-bd40-8cb804a34ad8
status: test
status: deprecated
description: Detects different malformed user agents used in Malleable Profiles used with Cobalt Strike
references:
- https://github.com/yeyintminthuhtut/Malleable-C2-Profiles-Collection/
author: Florian Roth (Nextron Systems)
date: 2021/05/06
modified: 2022/12/25
modified: 2024/02/15
tags:
- attack.defense_evasion
- attack.command_and_control
Expand Down
Original file line number Diff line number Diff line change
@@ -1,12 +1,12 @@
title: CobaltStrike Malleable (OCSP) Profile
id: 37325383-740a-403d-b1a2-b2b4ab7992e7
status: test
status: deprecated
description: Detects Malleable (OCSP) Profile with Typo (OSCP) in URL
references:
- https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/ocsp.profile
author: Markus Neis
date: 2019/11/12
modified: 2021/11/27
modified: 2024/02/15
tags:
- attack.defense_evasion
- attack.command_and_control
Expand Down
Original file line number Diff line number Diff line change
@@ -1,12 +1,12 @@
title: CobaltStrike Malleable OneDrive Browsing Traffic Profile
id: c9b33401-cc6a-4cf6-83bb-57ddcb2407fc
status: test
status: deprecated
description: Detects Malleable OneDrive Profile
references:
- https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/onedrive_getonly.profile
author: Markus Neis
date: 2019/11/12
modified: 2022/08/15
modified: 2024/02/15
tags:
- attack.defense_evasion
- attack.command_and_control
Expand Down
Original file line number Diff line number Diff line change
@@ -1,13 +1,13 @@
title: iOS Implant URL Pattern
id: e06ac91d-b9e6-443d-8e5b-af749e7aa6b6
status: test
status: deprecated # Deprecated to being related to Ios so logging will vary and its old
description: Detects URL pattern used by iOS Implant
references:
- https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html
- https://twitter.com/craiu/status/1167358457344925696
author: Florian Roth (Nextron Systems)
date: 2019/08/30
modified: 2022/08/15
modified: 2024/02/26
tags:
- attack.execution
- attack.t1203
Expand Down
Original file line number Diff line number Diff line change
@@ -1,12 +1,12 @@
title: Chafer Malware URL Pattern
id: fb502828-2db0-438e-93e6-801c7548686d
status: test
description: Detects HTTP requests used by Chafer malware
description: Detects HTTP request used by Chafer malware to receive data from its C2.
references:
- https://securelist.com/chafer-used-remexi-malware/89538/
author: Florian Roth (Nextron Systems)
date: 2019/01/31
modified: 2022/08/15
modified: 2024/02/15
tags:
- attack.command_and_control
- attack.t1071.001
Expand All @@ -16,10 +16,6 @@ detection:
selection:
c-uri|contains: '/asp.asp\?ui='
condition: selection
fields:
- ClientIP
- c-uri
- c-useragent
falsepositives:
- Unknown
level: critical
level: high
Original file line number Diff line number Diff line change
Expand Up @@ -26,11 +26,6 @@ detection:
- '.avi'
- '/images/'
condition: b64encoding and urlpatterns
fields:
- c-ip
- c-uri
- sc-bytes
- c-ua
falsepositives:
- Unknown
level: critical
Original file line number Diff line number Diff line change
Expand Up @@ -19,9 +19,6 @@ detection:
c-useragent: 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36'
cs-host: 'api.dropbox.com'
condition: selection
fields:
- c-ip
- c-uri
falsepositives:
- Old browsers
level: high
Original file line number Diff line number Diff line change
@@ -1,12 +1,12 @@
title: Turla ComRAT
title: ComRAT Network Communication
id: 7857f021-007f-4928-8b2c-7aedbe64bb82
status: test
description: Detects Turla ComRAT patterns
description: Detects Turla ComRAT network communication.
references:
- https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf
author: Florian Roth (Nextron Systems)
date: 2020/05/26
modified: 2022/08/15
modified: 2024/02/26
tags:
- attack.defense_evasion
- attack.command_and_control
Expand Down
Original file line number Diff line number Diff line change
@@ -1,14 +1,17 @@
title: Java Class Proxy Download
title: .Class Extension URI Ending Request
id: 53c15703-b04c-42bb-9055-1937ddfb3392
status: test
description: Detects Java class download in proxy logs, e.g. used in Log4shell exploitation attacks against Log4j.
description: |
Detects requests to URI ending with the ".class" extension in proxy logs.
This could rules can be used to hunt for potential downloads of Java classes as seen for example in Log4shell exploitation attacks against Log4j.
references:
- https://www.lunasec.io/docs/blog/log4j-zero-day/
author: Andreas Hunkeler (@Karneades)
date: 2021/12/21
modified: 2022/12/25
modified: 2024/02/26
tags:
- attack.initial_access
- detection.threat_hunting
logsource:
category: proxy
detection:
Expand All @@ -17,4 +20,4 @@ detection:
condition: selection
falsepositives:
- Unknown
level: high
level: medium
7 changes: 1 addition & 6 deletions rules/cloud/github/github_delete_action_invoked.yml
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@ title: Github Delete Action Invoked
id: 16a71777-0b2e-4db7-9888-9d59cb75200b
status: test
description: Detects delete action in the Github audit logs for codespaces, environment, project and repo.
author: Muhammad Faisal
author: Muhammad Faisal (@faisalusuf)
date: 2023/01/19
references:
- https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#audit-log-actions
Expand All @@ -22,11 +22,6 @@ detection:
- 'project.delete'
- 'repo.destroy'
condition: selection
fields:
- 'action'
- 'actor'
- 'org'
- 'actor_location.country_code'
falsepositives:
- Validate the deletion activity is permitted. The "actor" field need to be validated.
level: medium
14 changes: 2 additions & 12 deletions rules/cloud/github/github_disable_high_risk_configuration.yml
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@ title: Github High Risk Configuration Disabled
id: 8622c92d-c00e-463c-b09d-fd06166f6794
status: test
description: Detects when a user disables a critical security feature for an organization.
author: Muhammad Faisal
author: Muhammad Faisal (@faisalusuf)
date: 2023/01/29
references:
- https://docs.github.com/en/organizations/managing-oauth-access-to-your-organizations-data/disabling-oauth-app-access-restrictions-for-your-organization
Expand All @@ -20,21 +20,11 @@ logsource:
detection:
selection:
action:
- 'org.advanced_security_policy_selected_member_disabled'
- 'org.disable_oauth_app_restrictions'
- 'org.disable_two_factor_requirement'
- 'repo.advanced_security_disabled'
- 'org.advanced_security_policy_selected_member_disabled'
condition: selection
fields:
- 'action'
- 'actor'
- 'org'
- 'actor_location.country_code'
- 'transport_protocol_name'
- 'repository'
- 'repo'
- 'repository_public'
- '@timestamp'
falsepositives:
- Approved administrator/owner activities.
level: high
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@ status: test
description: |
Dependabot performs a scan to detect insecure dependencies, and sends Dependabot alerts.
This rule detects when an organization owner disables Dependabot alerts private repositories or Dependabot security updates for all repositories.
author: Muhammad Faisal
author: Muhammad Faisal (@faisalusuf)
date: 2023/01/27
references:
- https://docs.github.com/en/code-security/dependabot/dependabot-alerts/about-dependabot-alerts
Expand All @@ -19,22 +19,12 @@ logsource:
detection:
selection:
action:
- 'dependabot_alerts.disable'
- 'dependabot_alerts_new_repos.disable'
- 'dependabot_security_updates.disable'
- 'dependabot_alerts.disable'
- 'dependabot_security_updates_new_repos.disable'
- 'dependabot_security_updates.disable'
- 'repository_vulnerability_alerts.disable'
condition: selection
fields:
- 'action'
- 'actor'
- 'org'
- 'actor_location.country_code'
- 'transport_protocol_name'
- 'repository'
- 'repo'
- 'repository_public'
- '@timestamp'
falsepositives:
- Approved changes by the Organization owner. Please validate the 'actor' if authorized to make the changes.
level: high
12 changes: 1 addition & 11 deletions rules/cloud/github/github_new_org_member.yml
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@ title: New Github Organization Member Added
id: 3908d64a-3c06-4091-b503-b3a94424533b
status: test
description: Detects when a new member is added or invited to a github organization.
author: Muhammad Faisal
author: Muhammad Faisal (@faisalusuf)
date: 2023/01/29
references:
- https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#dependabot_alerts-category-actions
Expand All @@ -19,16 +19,6 @@ detection:
- 'org.add_member'
- 'org.invite_member'
condition: selection
fields:
- 'action'
- 'actor'
- 'org'
- 'actor_location.country_code'
- 'transport_protocol_name'
- 'repository'
- 'repo'
- 'repository_public'
- '@timestamp'
falsepositives:
- Organization approved new members
level: informational
11 changes: 3 additions & 8 deletions rules/cloud/github/github_new_secret_created.yml
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@ title: Github New Secret Created
id: f9405037-bc97-4eb7-baba-167dad399b83
status: test
description: Detects when a user creates action secret for the organization, environment, codespaces or repository.
author: Muhammad Faisal
author: Muhammad Faisal (@faisalusuf)
date: 2023/01/20
references:
- https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#audit-log-actions
Expand All @@ -19,16 +19,11 @@ logsource:
detection:
selection:
action:
- 'org.create_actions_secret'
- 'environment.create_actions_secret'
- 'codespaces.create_an_org_secret'
- 'environment.create_actions_secret'
- 'org.create_actions_secret'
- 'repo.create_actions_secret'
condition: selection
fields:
- 'action'
- 'actor'
- 'org'
- 'actor_location.country_code'
falsepositives:
- This detection cloud be noisy depending on the environment. It is recommended to keep a check on the new secrets when created and validate the "actor".
level: low
9 changes: 2 additions & 7 deletions rules/cloud/github/github_outside_collaborator_detected.yml
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@ id: eaa9ac35-1730-441f-9587-25767bde99d7
status: test
description: |
Detects when an organization member or an outside collaborator is added to or removed from a project board or has their permission level changed or when an owner removes an outside collaborator from an organization or when two-factor authentication is required in an organization and an outside collaborator does not use 2FA or disables 2FA.
author: Muhammad Faisal
author: Muhammad Faisal (@faisalusuf)
date: 2023/01/20
references:
- https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#audit-log-actions
Expand All @@ -21,14 +21,9 @@ logsource:
detection:
selection:
action:
- 'project.update_user_permission'
- 'org.remove_outside_collaborator'
- 'project.update_user_permission'
condition: selection
fields:
- 'action'
- 'actor'
- 'org'
- 'actor_location.country_code'
falsepositives:
- Validate the actor if permitted to access the repo.
- Validate the Multifactor Authentication changes.
Expand Down
16 changes: 3 additions & 13 deletions rules/cloud/github/github_self_hosted_runner_changes_detected.yml
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@ description: |
A self-hosted runner is a system that you deploy and manage to execute jobs from GitHub Actions on github.com.
This rule detects changes to self-hosted runners configurations in the environment. The self-hosted runner configuration changes once detected,
it should be validated from GitHub UI because the log entry may not provide full context.
author: Muhammad Faisal
author: Muhammad Faisal (@faisalusuf)
date: 2023/01/27
references:
- https://docs.github.com/en/actions/hosting-your-own-runners/about-self-hosted-runners#about-self-hosted-runners
Expand All @@ -31,23 +31,13 @@ detection:
- 'org.remove_self_hosted_runner'
- 'org.runner_group_created'
- 'org.runner_group_removed'
- 'org.runner_group_updated'
- 'org.runner_group_runners_added'
- 'org.runner_group_runner_removed'
- 'org.runner_group_runners_added'
- 'org.runner_group_runners_updated'
- 'org.runner_group_updated'
- 'repo.register_self_hosted_runner'
- 'repo.remove_self_hosted_runner'
condition: selection
fields:
- 'action'
- 'actor'
- 'org'
- 'actor_location.country_code'
- 'transport_protocol_name'
- 'repository'
- 'repo'
- 'repository_public'
- '@timestamp'
falsepositives:
- Allowed self-hosted runners changes in the environment.
- A self-hosted runner is automatically removed from GitHub if it has not connected to GitHub Actions for more than 14 days.
Expand Down
5 changes: 0 additions & 5 deletions rules/web/proxy_generic/proxy_downloadcradle_webdav.yml
Original file line number Diff line number Diff line change
Expand Up @@ -17,11 +17,6 @@ detection:
c-useragent|startswith: 'Microsoft-WebDAV-MiniRedir/'
cs-method: 'GET'
condition: selection
fields:
- ClientIP
- c-uri
- c-useragent
- cs-method
falsepositives:
- Administrative scripts that download files from the Internet
- Administrative scripts that retrieve certain website contents
Expand Down
Loading

0 comments on commit 8af1ab8

Please sign in to comment.