├── .gitignore
├── CHANGELOG.md
├── LICENSE.md
├── README.md
├── blacklist
│   ├── cert_bl.csv
│   └── file_bl.csv
├── ids
│   ├── 20171010_TurlaWateringHole_ids.rules
│   ├── 20171016_UpdateWinnti_ids.rules
│   ├── 20171026_IRCbot_ids.rules
│   ├── 20171026_LargeScaleIRC_ids.rules
│   ├── 20171101_ExposingPhishing_ids.rules
│   └── 20180222_Satori_Botnet_RCE.rules
├── ids_rules_urls.txt
├── ingest.py
├── ioc
│   ├── 20170711_WinntiEvolution_indicators.csv
│   ├── 20171010_TurlaWateringHole_indicators.csv
│   ├── 20171016_UpdateWinnti_indicators.csv
│   ├── 20171026_LargeScaleIRC_indicators.csv
│   ├── 20171101_ExposingPhishing_indicators.csv
│   ├── 20180222_Satori_Botnet_RCE_indicators.csv
│   ├── 20180503_Burning_Umbrella_Area_1_indicators.csv
│   ├── 20180503_Burning_Umbrella_Area_2_indicators.csv
│   ├── 20180503_Burning_Umbrella_Area_3_indicators.csv
│   ├── 20180503_Burning_Umbrella_Area_5_indicators.csv
│   ├── 20180503_Burning_Umbrella_Area_6_indicators.csv
│   ├── 20180503_Burning_Umbrella_Area_7_indicators.csv
│   └── 20180503_Burning_Umbrella_Area_8_indicators.csv
├── ioc_urls.txt
├── pcaps
│   ├── 20171220_smb_at_schedule.pcap
│   ├── 20171220_smb_metasploit_psexec_pth_download_meterpreter.pcap
│   ├── 20171220_smb_mimikatz_copy.pcap
│   ├── 20171220_smb_mimikatz_copy_to_host.pcap
│   ├── 20171220_smb_net_user.pcap
│   ├── 20171220_smb_psexec_add_user.pcap
│   └── 20171220_smb_psexec_mimikatz_ticket_dump.pcap
└── pdfs
    ├── 20171220_An-Introduction-to-SMB-for-Network-Security-Analysts.pdf
    └── 20180503_Burning_Umbrella.pdf

/.gitignore:
https://raw.githubusercontent.com/401trg/detections/HEAD/.gitignore

/CHANGELOG.md:
https://raw.githubusercontent.com/401trg/detections/HEAD/CHANGELOG.md

/LICENSE.md:
https://raw.githubusercontent.com/401trg/detections/HEAD/LICENSE.md

/README.md:
https://raw.githubusercontent.com/401trg/detections/HEAD/README.md

/blacklist/cert_bl.csv:
https://raw.githubusercontent.com/401trg/detections/HEAD/blacklist/cert_bl.csv

/blacklist/file_bl.csv:
https://raw.githubusercontent.com/401trg/detections/HEAD/blacklist/file_bl.csv

/ids/20171010_TurlaWateringHole_ids.rules:
https://raw.githubusercontent.com/401trg/detections/HEAD/ids/20171010_TurlaWateringHole_ids.rules

/ids/20171016_UpdateWinnti_ids.rules:
https://raw.githubusercontent.com/401trg/detections/HEAD/ids/20171016_UpdateWinnti_ids.rules

/ids/20171026_IRCbot_ids.rules:
https://raw.githubusercontent.com/401trg/detections/HEAD/ids/20171026_IRCbot_ids.rules

/ids/20171026_LargeScaleIRC_ids.rules:
https://raw.githubusercontent.com/401trg/detections/HEAD/ids/20171026_LargeScaleIRC_ids.rules

/ids/20171101_ExposingPhishing_ids.rules:
https://raw.githubusercontent.com/401trg/detections/HEAD/ids/20171101_ExposingPhishing_ids.rules

/ids/20180222_Satori_Botnet_RCE.rules:
https://raw.githubusercontent.com/401trg/detections/HEAD/ids/20180222_Satori_Botnet_RCE.rules

/ids_rules_urls.txt:
https://raw.githubusercontent.com/401trg/detections/HEAD/ids_rules_urls.txt

/ingest.py:
https://raw.githubusercontent.com/401trg/detections/HEAD/ingest.py

/ioc/20170711_WinntiEvolution_indicators.csv:
https://raw.githubusercontent.com/401trg/detections/HEAD/ioc/20170711_WinntiEvolution_indicators.csv

/ioc/20171010_TurlaWateringHole_indicators.csv:
https://raw.githubusercontent.com/401trg/detections/HEAD/ioc/20171010_TurlaWateringHole_indicators.csv

/ioc/20171016_UpdateWinnti_indicators.csv:
https://raw.githubusercontent.com/401trg/detections/HEAD/ioc/20171016_UpdateWinnti_indicators.csv

/ioc/20171026_LargeScaleIRC_indicators.csv:
https://raw.githubusercontent.com/401trg/detections/HEAD/ioc/20171026_LargeScaleIRC_indicators.csv

/ioc/20171101_ExposingPhishing_indicators.csv:
https://raw.githubusercontent.com/401trg/detections/HEAD/ioc/20171101_ExposingPhishing_indicators.csv

/ioc/20180222_Satori_Botnet_RCE_indicators.csv:
https://raw.githubusercontent.com/401trg/detections/HEAD/ioc/20180222_Satori_Botnet_RCE_indicators.csv

/ioc/20180503_Burning_Umbrella_Area_1_indicators.csv:
https://raw.githubusercontent.com/401trg/detections/HEAD/ioc/20180503_Burning_Umbrella_Area_1_indicators.csv

/ioc/20180503_Burning_Umbrella_Area_2_indicators.csv:
https://raw.githubusercontent.com/401trg/detections/HEAD/ioc/20180503_Burning_Umbrella_Area_2_indicators.csv

/ioc/20180503_Burning_Umbrella_Area_3_indicators.csv:
https://raw.githubusercontent.com/401trg/detections/HEAD/ioc/20180503_Burning_Umbrella_Area_3_indicators.csv

/ioc/20180503_Burning_Umbrella_Area_5_indicators.csv:
https://raw.githubusercontent.com/401trg/detections/HEAD/ioc/20180503_Burning_Umbrella_Area_5_indicators.csv

/ioc/20180503_Burning_Umbrella_Area_6_indicators.csv:
https://raw.githubusercontent.com/401trg/detections/HEAD/ioc/20180503_Burning_Umbrella_Area_6_indicators.csv

/ioc/20180503_Burning_Umbrella_Area_7_indicators.csv:
https://raw.githubusercontent.com/401trg/detections/HEAD/ioc/20180503_Burning_Umbrella_Area_7_indicators.csv

/ioc/20180503_Burning_Umbrella_Area_8_indicators.csv:
https://raw.githubusercontent.com/401trg/detections/HEAD/ioc/20180503_Burning_Umbrella_Area_8_indicators.csv

/ioc_urls.txt:
https://raw.githubusercontent.com/401trg/detections/HEAD/ioc_urls.txt

/pcaps/20171220_smb_at_schedule.pcap:
https://raw.githubusercontent.com/401trg/detections/HEAD/pcaps/20171220_smb_at_schedule.pcap

/pcaps/20171220_smb_metasploit_psexec_pth_download_meterpreter.pcap:
https://raw.githubusercontent.com/401trg/detections/HEAD/pcaps/20171220_smb_metasploit_psexec_pth_download_meterpreter.pcap

/pcaps/20171220_smb_mimikatz_copy.pcap:
https://raw.githubusercontent.com/401trg/detections/HEAD/pcaps/20171220_smb_mimikatz_copy.pcap

/pcaps/20171220_smb_mimikatz_copy_to_host.pcap:
https://raw.githubusercontent.com/401trg/detections/HEAD/pcaps/20171220_smb_mimikatz_copy_to_host.pcap

/pcaps/20171220_smb_net_user.pcap:
https://raw.githubusercontent.com/401trg/detections/HEAD/pcaps/20171220_smb_net_user.pcap

/pcaps/20171220_smb_psexec_add_user.pcap:
https://raw.githubusercontent.com/401trg/detections/HEAD/pcaps/20171220_smb_psexec_add_user.pcap

/pcaps/20171220_smb_psexec_mimikatz_ticket_dump.pcap:
https://raw.githubusercontent.com/401trg/detections/HEAD/pcaps/20171220_smb_psexec_mimikatz_ticket_dump.pcap

/pdfs/20171220_An-Introduction-to-SMB-for-Network-Security-Analysts.pdf:
https://raw.githubusercontent.com/401trg/detections/HEAD/pdfs/20171220_An-Introduction-to-SMB-for-Network-Security-Analysts.pdf

/pdfs/20180503_Burning_Umbrella.pdf:
https://raw.githubusercontent.com/401trg/detections/HEAD/pdfs/20180503_Burning_Umbrella.pdf