Andreas Hunkeler
df5c6a6ecc
Merge PR #5970 from @ahu-exeon - add Exeon.UEBA to the list of tools supporting Sigma
2026-05-05 00:58:33 +02:00
github-actions[bot]
cf68547b29
Merge PR #5974 from @nasbench - Archive new rule references and update cache file
chore: archive new rule references and update cache file
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
2026-05-04 12:33:04 +02:00
Nasreddine Bencherchali
34c5d66c22
Merge PR #5966 from @nasbench - Update mitre tags to use attack v19
chore: update mitre tags to use attack v19
2026-04-29 01:20:23 +02:00
FlorianBracq
0e3b749e0d
Merge PR #5898 from @FlorianBracq - Set groups in regular expressions as non capturing
update: Dynamic .NET Compilation Via Csc.EXE - Update regex to use a non-capturing group
update: Csc.EXE Execution Form Potentially Suspicious Parent - Update regex to use a non-capturing group
update: Invoke-Obfuscation Obfuscated IEX Invocation - Update regex to use a non-capturing group
update: Invoke-Obfuscation Via Stdin - Update regex to use a non-capturing group
update: Invoke-Obfuscation Via Use Clip - Update regex to use a non-capturing group
update: Powershell Token Obfuscation - Process Creation - Update regex to use a non-capturing group
update: Potential Rundll32 Execution With DLL Stored In ADS - Update regex to use a non-capturing group
update: Suspicious Copy From or To System Directory - Update regex to use a non-capturing group
update: Obfuscated IP Download Activity - Update regex to use a non-capturing group
update: Obfuscated IP Via CLI - Update regex to use a non-capturing group
update: Uncommon Svchost Command Line Parameter - Update regex to use a non-capturing group
---------
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com>
r2026-04-01
2026-04-28 12:23:57 +02:00
frack113
ad80b4d75f
Merge PR #5797 from @frack113 - ci: fix URL for sigma_schema_url
chore: fix URL for sigma_schema_url in validate.py
---------
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2026-04-28 11:32:48 +02:00
Swachchhanda Shrawan Poudel
797bcaebfe
Merge PR #5900 from @swachchhanda000 - Update Important scheduled task manipulation related rules
update: Important Scheduled Task Deleted or Disabled - Add EventID 142.
update: Disable Important Scheduled Task - Add OFN and remove unnecessary string binding for increased coverage.
update: Delete Important Scheduled Task - Add OFN and remove unnecessary string binding for increased coverage.
new: System Restore Registry Modification via CommandLine
chore: add regression tests for Important scheduled task manipulation rules
---------
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com>
2026-04-28 04:00:16 +02:00
Swachchhanda Shrawan Poudel
fcb2aead3a
Merge PR #5941 from @swachchhanda000 - Add RedSun Execution Indicators
new: RedSun - Named Pipe Created
new: RedSun - TieringEngineService.exe Staged in RS-Prefixed Temp Dir
new: RedSun - Conhost.exe Spawned by TieringEngineService.exe
new: RedSun - TieringEngineService.exe Detected as EICAR Test File
---------
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
2026-04-28 03:22:30 +02:00
Milad Cheraghi
fd33ea32e7
Merge PR #5454 from @CheraghiMilad - Add Potential Exploitation of CVE-2025-5054 or CVE-2025-4598
new: Potential Exploitation of CVE-2025-5054 or CVE-2025-4598
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com>
2026-04-28 03:14:41 +02:00
Tom Kluter
c8f207d390
Merge PR #5409 from @Luke57 - Add New Google Workspace Related Rules
new: Google Workspace Government Attack Warning
new: Google Workspace Out Of Domain Email Forwarding
new: Suspicious Login Activity Classified By Google
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
2026-04-28 02:48:14 +02:00
zendannyy
af0d09b2cf
Merge PR #5831 from @zendannyy - Add Okta Session Impersonation Granted From Untrusted Domain
new: Okta Session Impersonation Granted From Untrusted Domain
---------
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com>
2026-04-28 02:31:13 +02:00
github-actions[bot]
8f014c6cb7
Merge PR #5904 from @nasbench - archive new rule references and update cache file
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
2026-04-28 02:22:16 +02:00
David J
7cf06feeea
Merge PR #5859 from @davidljohnson - Update VBS/A related rules
update: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript - Add entry for .wsh files
update: WScript or CScript Dropper - File - Enhance coverage with multiple file paths and extensions
update: Potentially Suspicious Powershell Script Execution From Temp Folder - Reduce level to medium and enhance metadata
update: Script Interpreter Execution From Suspicious Folder - Add additional file path for coverage and enhance metadata
update: Potential Dropper Script Execution Via WScript/CScript/MSHTA - Add additional file path and extension for coverage and enhance metadata
---------
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
2026-04-28 01:37:10 +02:00
EzLucky
6f4cb70fdc
Merge PR #5909 from @EzLucky - Add Cisco Dot1x Disabled
new: Cisco Dot1x Disabled
---------
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com>
2026-04-28 01:16:37 +02:00
Swachchhanda Shrawan Poudel
2b5715303f
Merge PR #5908 from @swachchhanda000 - Fix fps and improve metadata of several Linux rules
fix: Linux Logs Clearing Attempts - Add new filters for sysstat and dmesg legitimate command deletion
fix: Disable Or Stop Services - Add new filters for legitimate service stopping via systemctl for snapd, asw and others
fix: Potential Suspicious Change To Sensitive/Critical Files - Add filters for `/^*` and `s/^` usage with sed
fix: Persistence Via Sudoers.d Files - Add filter for dpkg writing README
fix: Chmod Targeting Sensitive Directories - enhance metadata and add multiple filters for legit use cases
2026-04-28 01:12:30 +02:00
Ayush Anand
66f7ac9a4d
Merge PR #5881 from @Securityinbits - Add Sensitive File Dump Via Print.EXE
new: Sensitive File Dump Via Print.EXE
---------
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com>
2026-04-28 01:07:54 +02:00
Swachchhanda Shrawan Poudel
3305d11c89
Merge PR #5942 from @swachchhanda000 - Add Potential CVE-2026-33829 Exploitation - Windows Snipping Tool Remote File Path URI
new: Potential CVE-2026-33829 Exploitation - Windows Snipping Tool Remote File Path URI
---------
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com>
2026-04-28 00:58:55 +02:00
Marco Pedrinazzi
30cb0f742a
Merge PR #5917 from @marcopedrinazzi - Add Azure Sign-In With Axios User Agent
new: Azure Sign-In With Axios User Agent
---------
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com>
2026-04-28 00:55:15 +02:00
st0pp3r
10f7ebbcf9
Merge PR #5893 from @st0pp3r - Update Github Delete Action Invoked
update: Github Delete Action Invoked - Rename action from 'codespaces.delete' to 'codespaces.destroy'
---------
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
2026-04-28 00:54:21 +02:00
Marius Benthin
c713b5d805
Merge PR #5780 from @marius-benthin - Update New Cron File Created
update: New Cron File Created - Enhance coverage and update metadata
---------
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com>
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
2026-04-28 00:53:12 +02:00
uniqueuser
f0c4235fcb
Merge PR #5916 from @uniqu3-us3r - Add Kubernetes Potential Enumeration Activity
new: Kubernetes Potential Enumeration Activity
---------
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com>
2026-04-28 00:43:10 +02:00
Marco Pedrinazzi
96c0fa6176
Merge PR #5846 from @marcopedrinazzi - Add Suspicious Email Delivered In Microsoft 365
new: Suspicious Email Delivered In Microsoft 365
---------
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
2026-04-28 00:33:23 +02:00
Zirbo
8315489a07
Merge PR #5828 from @Zirbo - Update Shell Invocation via Env Command - Linux
update: Shell Invocation via Env Command - Linux - Switch modifier to use contains instead of endswith for better accuracy
---------
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
2026-04-28 00:31:41 +02:00
Sanskar Phougat
570200b711
Merge PR #5952 from @Sanskar-bot - Update PowerShell Download Via Net.WebClient - PowerShell Classic
update: PowerShell Download Via Net.WebClient - PowerShell Classic - Reduce level to "low" and update metadata
---------
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com>
2026-04-28 00:30:25 +02:00
Sanskar Phougat
81dce222fd
Merge PR #5953 from @Sanskar-bot - Update MITRE Tags for Netcat The Powershell Version
chore: update mitre tags for `Netcat The Powershell Version`
---------
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com>
2026-04-28 00:29:22 +02:00
Swachchhanda Shrawan Poudel
cd26c0a799
Merge PR #5815 from @swachchhanda000 - Update and Add Autologger related rules
new: Windows EventLog Autologger Session Registry Modification Via CommandLine
update: Potential AutoLogger Sessions Tampering - Update the value to an accurate one
---------
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com>
2026-04-28 00:17:40 +02:00
Swachchhanda Shrawan Poudel
ca8e778476
Merge PR #5833 from @swachchhanda000 - Fix Multiple FPs based on VT data
update: Suspicious Creation TXT File in User Desktop - Move to a TH rule
fix: Office Macro File Creation - Exclude office binaries
fix: Suspicious Msiexec Execute Arbitrary DLL - Make the filter more generic due to the amount of FPs.
fix: Script Interpreter Execution From Suspicious Folder - Add filters for chocolatey
fix: Suspicious Script Execution From Temp Folder - Add filter for chocolatey
fix: Office Autorun Keys Modification - Add filters for shortened paths using tilde
fix: Outlook Security Settings Updated - Registry - Exclude the outlook process
---------
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com>
2026-04-28 00:10:09 +02:00
Swachchhanda Shrawan Poudel
3a0fbc4bfa
Merge PR #5837 from @swachchhanda000 - Add Potential Vcruntime140 DLL Sideloading
new: Potential Vcruntime140 DLL Sideloading
2026-04-27 23:55:25 +02:00
Swachchhanda Shrawan Poudel
180991bc81
Merge PR #5827 from @swachchhanda000 - Update Wmic Service Tampering Rules
new: Service Startup Type Change Via Wmic.EXE
update: Service Reconnaissance Via Wmic.EXE - Add filters to exclude out legitimate service manipulation cases.
---------
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com>
2026-04-27 22:43:22 +02:00
Swachchhanda Shrawan Poudel
1a51d53e9f
Merge PR #5829 from @swachchhanda000 - Add PUA - Memory Dump Mount Via MemProcFS
new: PUA - Memory Dump Mount Via MemProcFS
---------
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com>
2026-04-27 22:30:50 +02:00
Swachchhanda Shrawan Poudel
ff107c3fe1
Merge PR #5414 from @swachchhanda000 - Add Indirect Command Execution via SFTP ProxyCommand
new: Indirect Command Execution via SFTP ProxyCommand
---------
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com>
2026-04-27 22:26:12 +02:00
Mostafa Moradian
f627ff2270
Merge PR #5964 from @mostafa - Update Okta Rules to use CamelCase fields
update: Okta 2023 Breach Indicator Of Compromise - Update field name to use CamelCase
update: Okta Admin Role Assigned to an User or Group - Update field name to use CamelCase
update: Okta Admin Role Assignment Created - Update field name to use CamelCase
update: Okta API Token Created - Update field name to use CamelCase
update: Okta API Token Revoked - Update field name to use CamelCase
update: Okta Application Modified or Deleted - Update field name to use CamelCase
update: Okta Application Sign-On Policy Modified or Deleted - Update field name to use CamelCase
update: Okta FastPass Phishing Detection - Update field name to use CamelCase
update: Okta Identity Provider Created - Update field name to use CamelCase
update: Okta MFA Reset or Deactivated - Update field name to use CamelCase
update: Okta Network Zone Deactivated or Deleted - Update field name to use CamelCase
update: Okta New Admin Console Behaviours - Update field name to use CamelCase
update: Potential Okta Password in AlternateID Field - Update field name to use CamelCase
update: Okta Policy Modified or Deleted - Update field name to use CamelCase
update: Okta Policy Rule Modified or Deleted - Update field name to use CamelCase
update: Okta Security Threat Detected - Update field name to use CamelCase
update: Okta Suspicious Activity Reported by End-user - Update field name to use CamelCase
update: Okta Unauthorized Access to App - Update field name to use CamelCase
update: Okta User Account Locked Out - Update field name to use CamelCase
update: New Okta User Created - Update field name to use CamelCase
update: Okta User Session Start Via An Anonymising Proxy Service - Update field name to use CamelCase
2026-04-27 21:55:40 +02:00
Swachchhanda Shrawan Poudel
cf9759946f
Merge PR #5399 from @swachchhanda000 - Update LSA PPL Protection Setting Modification via CommandLine
update: LSA PPL Protection Setting Modification via CommandLine - Add more keys regarding LSA PPL
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com>
2026-04-24 19:48:55 +02:00
Thomas Patzke
5655f590d7
Added VSCode config to .gitignore
2026-04-24 09:00:48 +02:00
Chirag
03412947a2
Merge PR #5922 from @CHIRAG-DAMANI-08 - Hacktool - NetExec Execution
new: HackTool - NetExec File Indicators
new: Hacktool - NetExec Execution
---------
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2026-04-23 15:02:24 +02:00
HueCodes
c801be9f3d
Merge PR #5899 from @HueCodes - new: Python Base64 Encoded Inline Command Execution
new: Python Base64 Encoded Inline Command Execution - Windows
new: Python Base64 Encoded Inline Command Execution - Linux
---------
Co-authored-by: Hugh <HueCodes@users.noreply.github.com>
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2026-04-23 14:37:28 +02:00
Swachchhanda Shrawan Poudel
fc1cf467f4
Merge PR #5905 from @swachchhanda000 - fix: notepad++ gup infrastructure abuse FPs
fix: Notepad++ Updater DNS Query to Uncommon Domains - filter uncommon domain
fix: Uncommon File Created by Notepad++ Updater Gup.EXE - filter gup legitimate filter
2026-04-21 12:33:55 +02:00
Marco Pedrinazzi
c58ee2f7f8
Merge PR #5938 from @marcopedrinazzi - Fix file extension from .yaml to .yml for consistency
chore: changed extension from yaml to yml for certain files
---------
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com>
2026-04-20 14:44:21 +02:00
Swachchhanda Shrawan Poudel
889b07d952
Merge PR #5943 from @swachchhanda000 - Add regression test count mismatch finder
chore: regression test count mismatch finder
2026-04-20 14:38:44 +02:00
Swachchhanda Shrawan Poudel
c3ad686ac4
Merge PR #5935 from @swachchhanda000 - Fix Registry Tampering by Potentially Suspicious Processes
fix: Registry Tampering by Potentially Suspicious Processes - add filter for legitimate wscript.exe registry modifications
---------
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com>
2026-04-14 14:49:20 +02:00
EzLucky
d4d12bdd13
Merge PR #5910 from @EzLucky - Update RTLO Related Rules With Additional Coverage
update: Potential Defense Evasion Via Right-to-Left Override - Add real rtlo char copied/pasted
update: Potential File Extension Spoofing Using Right-to-Left Override - Add real rtlo char copied/pasted
---------
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
2026-04-01 13:57:31 +02:00
Florian Roth
7fc53c563e
Merge PR #5925 from @Neo23x0 - Add filter for nsswitch and double extension in icons folder
fix: Non-Standard Nsswitch.Conf Creation - Potential CVE-2025-32463 Exploitation - Add additional path for nsswitch `/usr/share/factory/etc/nsswitch.conf`
fix: Suspicious Double Extension Files - Add a new filter `/usr/share/icons/`
---------
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com>
Thanks: @marius-benthin
2026-04-01 13:55:12 +02:00
netikus
7031934d17
Merge PR #5914 from @netikus - Update Potential Privileged System Service Operation - SeLoadDriverPrivilege
fix: Potential Privileged System Service Operation - SeLoadDriverPrivilege - Add new filter for ShellHost.exe and SystemSettings.exe
---------
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com>
2026-04-01 13:36:52 +02:00
Axel-NTT
3fe2695635
Merge PR #5921 from @Axel-NTT - Update BPFDoor Abnormal Process ID or Lock File Accessed
update: BPFDoor Abnormal Process ID or Lock File Accessed - add new file paths from Rapid7 research to increase coverage
2026-04-01 13:16:52 +02:00
Swachchhanda Shrawan Poudel
4bb5637b23
Merge PR #5923 from @swachchhanda000 - Add litellm Supply Chain Attack Related Rules
new: TeamPCP LiteLLM Supply Chain Attack Persistence Indicators
new: LiteLLM / TeamPCP Supply Chain Attack Indicators
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2026-04-01 13:11:45 +02:00
Florian Roth
c6d03adc7b
Merge PR #5924 from @Neo23x0 - Fix Security Support Provider (SSP) Added to LSA Configuration
fix: Security Support Provider (SSP) Added to LSA Configuration - Add filter for `null` image field
2026-04-01 12:35:29 +02:00
github-actions[bot]
858b04b66a
Merge PR #5926 from @phantinuss - Update ATT&CK Heatmap Coverage
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2026-04-01 12:34:21 +02:00
github-actions[bot]
11f1fa4e2c
Merge PR #5927 from @nasbench - Update deprecated csv
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2026-04-01 12:32:09 +02:00
Swachchhanda Shrawan Poudel
71f1120dc6
Merge PR #5928 from @swachchhanda000 - Add Axios NPM Compromise Indicators Related Rules
new: Axios NPM Compromise File Creation Indicators - Linux
new: Axios NPM Compromise File Creation Indicators - MacOS
new: Axios NPM Compromise File Creation Indicators - Windows
new: Axios NPM Compromise Malicious C2 Domain DNS Query
new: Axios NPM Compromise Indicators - Linux
new: Axios NPM Compromise Indicators - MacOS
new: Axios NPM Compromise Indicators - Windows
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
2026-04-01 12:31:31 +02:00
Swachchhanda Shrawan Poudel
2f84ca2f16
Merge PR #5433 from @swachchhanda000 - Add BadSuccessor dMSA Abuse Related Rules
new: msDS-ManagedAccountPrecededByLink Attribute Modified
new: New MsDS-DelegatedManagedServiceAccount (DMSA) Object Created
new: DMSA Service Account Created in Specific OUs - PowerShell
new: DMSA Link Attributes Modified
new: New DMSA Service Account Created in Specific OUs
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2026-03-30 12:27:13 +02:00
Swachchhanda Shrawan Poudel
56a58e1ee6
Merge PR #5772 from @swachchhanda000 - Add Shai-Hulud: The Second Coming Rules
update: Shai-Hulud Malicious GitHub Workflow Creation - Add new entries to the list to increase coverage
new: Shai-Hulud Malware Indicators - Linux
new: Shai-Hulud Malicious Bun Execution - Linux
new: Shai-Hulud 2.0 Malicious NPM Package Installation - Linux
new: Shai-Hulud Malware Indicators - Windows
new: Shai-Hulud Malicious Bun Execution
new: Shai-Hulud 2.0 Malicious NPM Package Installation
new: Script Interpreter Spawning Credential Scanner - Linux
new: Script Interpreter Spawning Credential Scanner - Windows
---------
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
2026-03-29 14:58:59 +02:00