references_z.md


Sigma rule references as PDF

zeek_dce_rpc_mitre_bzar_execution

Title : MITRE BZAR Indicators for Execution

Rule id : b640c0b8-87f8-4daa-aef8-95a24261dd1d

| Url | Pdf |
| --- | --- |
| https://github.com/mitre-attack/bzar#indicators-for-attck-execution | pdf/1f9bd419525cc912eb38b33822f779660843e49158f6fec34af342c7a24a8421.pdf |

zeek_dce_rpc_mitre_bzar_persistence

Title : MITRE BZAR Indicators for Persistence

Rule id : 53389db6-ba46-48e3-a94c-e0f2cefe1583

| Url | Pdf |
| --- | --- |
| https://github.com/mitre-attack/bzar#indicators-for-attck-persistence | pdf/e1c70744df497dfbe43228dcc1856885991550c66cf789d924f3de30b4a8e271.pdf |

zeek_dce_rpc_potential_petit_potam_efs_rpc_call

Title : Potential PetitPotam Attack Via EFS RPC Calls

Rule id : 4096842a-8f9f-4d36-92b4-d0b2a62f9b2a

| Url | Pdf |
| --- | --- |
| https://github.com/topotam/PetitPotam/blob/d83ac8f2dd34654628c17490f99106eb128e7d1e/PetitPotam/PetitPotam.cpp | pdf/099661b7e2332d8477bc17e2b6714e9aeb8a79407ef41aec4d85f1aac131d913.pdf |
| https://msrc.microsoft.com/update-guide/vulnerability/ADV210003 | pdf/50f61fcefebf160c26aa52b755e1165c20091b9427da6375344030850df7f0ee.pdf |
| https://threatpost.com/microsoft-petitpotam-poc/168163/ | pdf/e93b031795620ed3664df8d7d072a810bd97f815b8d5f94db68ecf944dbcbdc2.pdf |

zeek_dce_rpc_printnightmare_print_driver_install

Title : Possible PrintNightmare Print Driver Install

Rule id : 7b33baef-2a75-4ca3-9da4-34f9a15382d8

| Url | Pdf |
| --- | --- |
| https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-par/93d1915d-4d9f-4ceb-90a7-e8f2a59adc29 | pdf/b7cda52d9d9057eed0d8ae2c15b2301737d6cd45c2cfcaa053ab0fbefa2d2d19.pdf |
| https://github.com/zeek/zeek/blob/691b099de13649d6576c7b9d637f8213ff818832/scripts/base/protocols/dce-rpc/consts.zeek | pdf/530392b4ae7e75cbee9d2da0ef3c91a6814794e2c27eb7b9ac743e7d84b4e074.pdf |
| https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527 | pdf/ef917555c3c0babaec29437ca98269b73cbcda171f2207010d38d2c25d7413fc.pdf |
| https://github.com/corelight/CVE-2021-1675 | pdf/ae2db4f8875f2907973bd482d2188e274faabef64070ba855e98a0db84585c68.pdf |
| https://www.crowdstrike.com/blog/cve-2021-1678-printer-spooler-relay-security-advisory/ | pdf/4c150f9bb93aae6a7c92cea9ae882f57c3fbd1ae62bcaef4d6508d23fa5b88b6.pdf |

zeek_dce_rpc_smb_spoolss_named_pipe

Title : SMB Spoolss Name Piped Usage

Rule id : bae2865c-5565-470d-b505-9496c87d0c30

| Url | Pdf |
| --- | --- |
| https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1 | pdf/ac72f6f7e1bd8cdfb7a6583cd35792176408c9ea44a284f515b075238622c28b.pdf |
| https://dirkjanm.io/a-different-way-of-abusing-zerologon/ | pdf/7819af2d14989e0f98f2785d7685c646661432ac980ce3e8ceac102d00046f6f.pdf |
| https://twitter.com/_dirkjan/status/1309214379003588608 | pdf/aed060907a225efcc7d603dd49ebfd989b6edcbf68fc04777b3d39d17aa2ed4c.pdf |

zeek_default_cobalt_strike_certificate

Title : Default Cobalt Strike Certificate

Rule id : 7100f7e3-92ce-4584-b7b7-01b40d3d4118

| Url | Pdf |
| --- | --- |
| https://sergiusechel.medium.com/improving-the-network-based-detection-of-cobalt-strike-c2-servers-in-the-wild-while-reducing-the-6964205f6468 | pdf/51526d56a970a574cf78f6b61c04b555135503ff610c763f24d2e7bfe702b672.pdf |

zeek_dns_mining_pools

Title : DNS Events Related To Mining Pools

Rule id : bf74135c-18e8-4a72-a926-0e4f47888c19

| Url | Pdf |
| --- | --- |
| https://github.com/Azure/Azure-Sentinel/blob/fa0411f9424b6c47b4d5a20165e4f1b168c1f103/Detections/ASimDNS/imDNS_Miners.yaml | pdf/718d86948b140e451480abf01a44ee03f08c68f7f1a0b7d67bb120e875a600a9.pdf |

zeek_dns_nkn

Title : New Kind of Network (NKN) Detection

Rule id : fa7703d6-0ee8-4949-889c-48c84bc15b6f

| Url | Pdf |
| --- | --- |
| https://github.com/nknorg/nkn-sdk-go | pdf/b5b666c6356f7e38fcd191d69d972098c76b9610b28040a855ef7a50727e5d9d.pdf |
| https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/ | pdf/938ceba7f1b26ae5eb331f8cd0ca85ea1acf697db5aed8828a1ae4dca72348f8.pdf |
| https://github.com/Maka8ka/NGLite | pdf/a0818b2adb741b24ee39a6827b2183b48bed5b39b7305bd821cae0395c09a1b0.pdf |

zeek_dns_susp_zbit_flag

Title : Suspicious DNS Z Flag Bit Set

Rule id : ede05abc-2c9e-4624-9944-9ff17fdc0bf5

| Url | Pdf |
| --- | --- |
| https://twitter.com/neu5ron/status/1346245602502443009 | pdf/b4ed41e0701372ccddda327c4c795b3f78aa5912623a8ef707d4437729bcafee.pdf |
| https://tdm.socprime.com/tdm/info/eLbyj4JjI15v#sigma | pdf/a4d574221272758d69da679b17462b4d34bd0421fd11934f269a0a7519155a72.pdf |
| https://tools.ietf.org/html/rfc2929#section-2.1 | pdf/fb9643377d0ffb4a6fa625061cb55d0317912fd2a200ab926e8dfbba4b469dd7.pdf |
| https://www.netresec.com/?page=Blog&month=2021-01&post=Finding-Targeted-SUNBURST-Victims-with-pDNS | pdf/bc54c2aa36c4f06563299e5b56861ed2fa1202a122774e80d6143346e5691a97.pdf |

zeek_dns_torproxy

Title : DNS TOR Proxies

Rule id : a8322756-015c-42e7-afb1-436e85ed3ff5

| Url | Pdf |
| --- | --- |
| https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/ASimDNS/imDNS_TorProxies.yaml | pdf/08e852872154e64f0060cd56688ac0fb3a87e365e65a8f6d0d575eddf722d584.pdf |

zeek_http_executable_download_from_webdav

Title : Executable from Webdav

Rule id : aac2fd97-bcba-491b-ad66-a6edf89c71bf

| Url | Pdf |
| --- | --- |
| http://carnal0wnage.attackresearch.com/2012/06/webdav-server-to-download-custom.html | pdf/f1337f067d95e5fd4e1fbabf3040cea1b7658ee33512dff513f36fdb253baa67.pdf |
| https://github.com/OTRF/detection-hackathon-apt29 | pdf/852846d3d6c3705c2ee4b569bd2005ff5c4ea7c3154105052b246844fa1df949.pdf |

zeek_http_omigod_no_auth_rce

Title : OMIGOD HTTP No Authentication RCE

Rule id : ab6b1a39-a9ee-4ab4-b075-e83acf6e346b

| Url | Pdf |
| --- | --- |
| https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure | pdf/8a50554fe37d8a239f6e20369af3d0efc1c206b6fb9169e457f02c14e34fe4d0.pdf |
| https://twitter.com/neu5ron/status/1438987292971053057?s=20 | pdf/1643b116db69f68831b3921fa07fb8891aee24e67f721d3c45b6b1f5c0f2d284.pdf |

zeek_http_webdav_put_request

Title : WebDav Put Request

Rule id : 705072a5-bb6f-4ced-95b6-ecfa6602090b

| Url | Pdf |
| --- | --- |
| OTRF/detection-hackathon-apt29#17 | pdf/b535fb39928c6befa6badca769c3a386b19540d5780c1ef286b995e39c3bcf99.pdf |

zeek_rdp_public_listener

Title : Publicly Accessible RDP Service

Rule id : 1fc0809e-06bf-4de3-ad52-25e5263b7623

| Url | Pdf |
| --- | --- |
| https://attack.mitre.org/techniques/T1021/001/ | pdf/e8deeaf18779c2db43e80f107e11b542c3f6793eb7d000d11231f8c21f588e38.pdf |

zeek_smb_converted_win_atsvc_task

Title : Remote Task Creation via ATSVC Named Pipe - Zeek

Rule id : dde85b37-40cd-4a94-b00c-0b8794f956b5

| Url | Pdf |
| --- | --- |
| https://web.archive.org/web/20230409194125/https://blog.menasec.net/2019/03/threat-hunting-25-scheduled-tasks-for.html | pdf/dac575d90e6bbc7741c7729a88d6a7865a555b3400a8c0476196fb87c9c29c9a.pdf |

zeek_smb_converted_win_impacket_secretdump

Title : Possible Impacket SecretDump Remote Activity - Zeek

Rule id : 92dae1ed-1c9d-4eff-a567-33acbd95b00e

| Url | Pdf |
| --- | --- |
| https://web.archive.org/web/20230329153811/https://blog.menasec.net/2019/02/threat-huting-10-impacketsecretdump.html | pdf/c1b4284f58a81821485f95b4b4656597057da31420c61f2fd0fa1833296f8e4a.pdf |

zeek_smb_converted_win_lm_namedpipe

Title : First Time Seen Remote Named Pipe - Zeek

Rule id : 021310d9-30a6-480a-84b7-eaa69aeb92bb

| Url | Pdf |
| --- | --- |
| https://twitter.com/menasec1/status/1104489274387451904 | pdf/3a72d96d6d41d15cde4cc290e0d61f7cf9557eb23724a1b09fa0f1b982c145f4.pdf |

zeek_smb_converted_win_susp_psexec

Title : Suspicious PsExec Execution - Zeek

Rule id : f1b3a22a-45e6-4004-afb5-4291f9c21166

| Url | Pdf |
| --- | --- |
| https://web.archive.org/web/20230329171218/https://blog.menasec.net/2019/02/threat-hunting-3-detecting-psexec.html | pdf/9f480708815e12225bca8cc197f52cf846de0649517768356020b4124a2e59f6.pdf |

zeek_smb_converted_win_susp_raccess_sensitive_fext

Title : Suspicious Access to Sensitive File Extensions - Zeek

Rule id : 286b47ed-f6fe-40b3-b3a8-35129acd43bc

| Url | Pdf |
| --- | --- |

zeek_smb_converted_win_transferring_files_with_credential_data

Title : Transferring Files with Credential Data via Network Shares - Zeek

Rule id : 2e69f167-47b5-4ae7-a390-47764529eff5

| Url | Pdf |
| --- | --- |
| https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment | pdf/52e26c81a11e8750dcb450054f7519ab7fa64b2a0e94d3c66075f12ea424e9d0.pdf |

zeek_susp_kerberos_rc4

Title : Kerberos Network Traffic RC4 Ticket Encryption

Rule id : 503fe26e-b5f2-4944-a126-eab405cc06e5

| Url | Pdf |
| --- | --- |
| https://adsecurity.org/?p=3458 | pdf/c0f86787baaf5ec548c7f0b43a485bb508afd60623e0cf92c1de51291d568841.pdf |