blue-team-tools

security-tools/blue-team-tools

Fork 0

Commit Graph

Author	SHA1	Message	Date
Nasreddine Bencherchali	9d58e38bbc	Merge PR #5769 from @nasbench - fix keywords rule and remove the fields field remove: Space After Filename - Logic was incorrect and untested update: Potential CVE-2024-3400 Exploitation - Palo Alto GlobalProtect OS Command Injection - Update selection update: JexBoss Command Sequence - Update the selection to use the \|all modifier. chore: remove any usage of the fields field to prepare for deprecation in the spec.	2025-11-24 09:54:29 +01:00
Nasreddine Bencherchali	b86a494f55	Merge PR #4993 from @nasbench - Fix Issues new: Potential CommandLine Obfuscation Using Unicode Characters From Suspicious Image - A detection replacement for `e0552b19-5a83-4222-b141-b36184bb8d79` remove: OMIGOD SCX RunAsProvider ExecuteShellCommand - Auditd - Moved to "unsupported" folder, due to the need of correlation. remove: Potential Persistence Via COM Search Order Hijacking - Moved to "deprecated" in favour of `790317c0-0a36-4a6a-a105-6e576bf99a14`. update: Potential CommandLine Obfuscation Using Unicode Characters - Moved to "threat-hunting" due to the nature FPs update: Potential Remote WMI ActiveScriptEventConsumers Activity - Moved to "threat-hunting" as its meant as an enrichment rule.	2024-09-02 19:03:46 +02:00
Nasreddine Bencherchali	c2400ac374	chore: remove contrib folder + rename folders	2023-04-23 15:42:01 +02:00

Author

SHA1

Message

Date

Nasreddine Bencherchali

9d58e38bbc

Merge PR #5769 from @nasbench - fix keywords rule and remove the fields field

remove: Space After Filename - Logic was incorrect and untested
update: Potential CVE-2024-3400 Exploitation - Palo Alto GlobalProtect OS Command Injection - Update selection
update: JexBoss Command Sequence - Update the selection to use the |all modifier.
chore: remove any usage of the fields field to prepare for deprecation in the spec.

2025-11-24 09:54:29 +01:00

Nasreddine Bencherchali

b86a494f55

Merge PR #4993 from @nasbench - Fix Issues

new: Potential CommandLine Obfuscation Using Unicode Characters From Suspicious Image - A detection replacement for `e0552b19-5a83-4222-b141-b36184bb8d79`
remove: OMIGOD SCX RunAsProvider ExecuteShellCommand - Auditd - Moved to "unsupported" folder, due to the need of correlation.
remove: Potential Persistence Via COM Search Order Hijacking - Moved to "deprecated" in favour of `790317c0-0a36-4a6a-a105-6e576bf99a14`.
update: Potential CommandLine Obfuscation Using Unicode Characters - Moved to "threat-hunting" due to the nature FPs
update: Potential Remote WMI ActiveScriptEventConsumers Activity - Moved to "threat-hunting" as its meant as an enrichment rule.

2024-09-02 19:03:46 +02:00

Nasreddine Bencherchali

c2400ac374

chore: remove contrib folder + rename folders

2023-04-23 15:42:01 +02:00

3 Commits