797bcaebfe
Merge PR #5900 from @swachchhanda000 - Update Important scheduled task manipulation related rules
...
update: Important Scheduled Task Deleted or Disabled - Add EventID 142.
update: Disable Important Scheduled Task - Add OFN and remove unecessary string binding for increased coverage.
update: Delete Important Scheduled Task - Add OFN and remove unecessary string binding for increased coverage.
new: System Restore Registry Modification via CommandLine
chore: add regression tests for Important scheduled task manipulation rules
---------
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com >
2026-04-28 04:00:16 +02:00
6f4cb70fdc
Merge PR #5909 from @EzLucky - Add Cisco Dot1x Disabled
...
new: Cisco Dot1x Disabled
---------
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com >
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com >
2026-04-28 01:16:37 +02:00
66f7ac9a4d
Merge PR #5881 from @Securityinbits - Add Sensitive File Dump Via Print.EXE
...
new: Sensitive File Dump Via Print.EXE
---------
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com >
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com >
2026-04-28 01:07:54 +02:00
cd26c0a799
Merge PR #5815 from @swachchhanda000 - Update and Add Autologger related rules
...
new: Windows EventLog Autologger Session Registry Modification Via CommandLine
update: Potential AutoLogger Sessions Tampering - Update the value to an accurate one
---------
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com >
2026-04-28 00:17:40 +02:00
3a0fbc4bfa
Merge PR #5837 from @swachchhanda000 - Add Potential Vcruntime140 DLL Sideloading
...
new: Potential Vcruntime140 DLL Sideloading
2026-04-27 23:55:25 +02:00
180991bc81
Merge PR #5827 from @swachchhanda000 - Update Wmic Service Tampering Rules
...
new: Service Startup Type Change Via Wmic.EXE
update: Service Reconnaissance Via Wmic.EXE - Add filters to exclude out legitimate service manipulation cases.
---------
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com >
2026-04-27 22:43:22 +02:00
1a51d53e9f
Merge PR #5829 from @swachchhanda000 - Add PUA - Memory Dump Mount Via MemProcFS
...
new: PUA - Memory Dump Mount Via MemProcFS
---------
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com >
2026-04-27 22:30:50 +02:00
ff107c3fe1
Merge PR #5414 from @swachchhanda000 - Add Indirect Command Execution via SFTP ProxyCommand
...
new: Indirect Command Execution via SFTP ProxyCommand
---------
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com >
2026-04-27 22:26:12 +02:00
03412947a2
Merge PR #5922 from @CHIRAG-DAMANI-08 - Hacktool - NetExec Execution
...
new: HackTool - NetExec File Indicators
new: Hacktool - NetExec Execution
---------
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com >
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com >
2026-04-23 15:02:24 +02:00
c801be9f3d
Merge PR #5899 from @HueCodes - new: Python Base64 Encoded Inline Command Execution
...
new: Python Base64 Encoded Inline Command Execution - Windows
new: Python Base64 Encoded Inline Command Execution - Linux
---------
Co-authored-by: Hugh <HueCodes@users.noreply.github.com >
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com >
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com >
2026-04-23 14:37:28 +02:00
d4d12bdd13
Merge PR #5910 from @EzLucky - Update RTLO Related Rules With Additional Coverage
...
update: Potential Defense Evasion Via Right-to-Left Override - Add real rtlo char copied/pasted
update: Potential File Extension Spoofing Using Right-to-Left Override - Add real rtlo char copied/pasted
---------
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com >
2026-04-01 13:57:31 +02:00
56a58e1ee6
Merge PR #5772 from @swachchhanda000 - Add Shai-Hulud: The Second Coming Rules
...
update: Shai-Hulud Malicious GitHub Workflow Creation - Add new entries to the list to increase coverage
new: Shai-Hulud Malware Indicators - Linux
new: Shai-Hulud Malicious Bun Execution - Linux
new: Shai-Hulud 2.0 Malicious NPM Package Installation - Linux
new: Shai-Hulud Malware Indicators - Windows
new: Shai-Hulud Malicious Bun Execution
new: Shai-Hulud 2.0 Malicious NPM Package Installation
new: Script Interpreter Spawning Credential Scanner - Linux
new: Script Interpreter Spawning Credential Scanner - Windows
---------
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com >
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com >
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com >
2026-03-29 14:58:59 +02:00
a15dbdaa05
Merge PR #5832 from @swachchhanda000 - fix: edr-freeze rules FPs analysed from VT
...
fix: Suspicious Loading of Dbgcore/Dbghelp DLLs from Uncommon Location - remove troublesome locations commonly used by installers
fix: HackTool - WSASS Execution - update regex to avoid mismatching on legitimate cli
update: WerFaultSecure Loading DbgCore or DbgHelp - EDR-Freeze - change it into hunting rule
2026-03-19 10:26:30 +01:00
3c2407864e
Merge PR #5857 from @swachchhanda000 - chore: add missing json logs
...
chore: add missing json logs
2026-03-03 12:01:07 +01:00
084204d06a
Merge PR #5845 from @marcopedrinazzi - Add System Language Discovery via Reg.Exe
...
new: System Language Discovery via Reg.Exe
---------
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com >
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com >
2026-03-01 03:55:40 +01:00
41c8116d0e
Merge PR #5856 from @swachchhanda000 - Add CPL sideloading and Fsquirt entries
...
update: Files With System Process Name In Unsuspected Locations - Add fsquirt.exe entry
update: System Control Panel Item Loaded From Uncommon Location - Add entries for bthprops.cpl and hdwwiz.cpl
update: System File Execution Location Anomaly - Add fsquirt.exe entry
---------
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com >
2026-02-28 14:21:29 +01:00
478120e7d2
Merge PR #5814 from @swachchhanda000 - Add New Credential Guard Tampering Rules
...
Goodlog Tests / check-baseline-win7 (push) Waiting to run
Goodlog Tests / check-baseline-win10 (push) Waiting to run
Goodlog Tests / check-baseline-win11 (push) Waiting to run
Goodlog Tests / check-baseline-win11-2023 (push) Waiting to run
Goodlog Tests / check-baseline-win2022 (push) Waiting to run
Goodlog Tests / check-baseline-win2022-domain-controller (push) Waiting to run
Goodlog Tests / check-baseline-win2022-0-20348-azure (push) Waiting to run
Regression Tests / true-positive-tests (push) Waiting to run
Create Release / Create Release (push) Waiting to run
Sigma Rule Tests / yamllint (push) Waiting to run
Sigma Rule Tests / test-sigma-logsource (push) Blocked by required conditions
Sigma Rule Tests / test-sigma-legacy (push) Blocked by required conditions
Sigma Rule Tests / sigma-check (push) Blocked by required conditions
Sigma Rule Tests / duplicate-id-check (push) Blocked by required conditions
Validate Sigma rules / sigma-rules-validator (push) Waiting to run
new: Windows Credential Guard Registry Tampering Via CommandLine
new: Windows Credential Guard Related Registry Value Deleted - Registry
new: Windows Credential Guard Disabled - Registry
---------
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com >
2026-01-29 12:52:08 +01:00
c6a32d96cf
Merge PR #5813 from @swachchhanda000 - Add New AMSI Tampering Rules
...
new: Windows AMSI Related Registry Tampering Via CommandLine
new: AMSI Disabled via Registry Modification
---------
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com >
2026-01-29 12:38:48 +01:00
2022e3b420
Merge PR #5802 from @swachchhanda000 - Update Bitsadmin Rules With Regresstion Data
...
new: Legitimate Application Writing Files In Uncommon Location
update: Suspicious Download From File-Sharing Website Via Bitsadmin - add github URL
update: File Download Via Bitsadmin To A Suspicious Target Folder - add more susp locations
remove: File Download Via Bitsadmin To An Uncommon Target Folder - deprecate in favor of 2ddef153-167b-4e89-86b6-757a9e65dcac
chore: add regression tests for bitsadmin related rules
---------
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com >
2026-01-29 12:37:55 +01:00
e77233ab2f
Merge PR #5824 from @swachchhanda000 - Update User Shell Folders Registry Modification Rules
...
update: Direct Autorun Keys Modification - remove User Shell Folder registry modification
new: User Shell Folders Registry Modification via CommandLine
update: Modify User Shell Folders Startup Value - add new registry path, also add filtering of legit paths
2026-01-29 12:23:46 +01:00
3d8c650ba2
Merge PR #5811 from @swachchhanda000 - Add New Vulnerable Driver Blocklist and HVCI Tampering Based Rules
...
new: Hypervisor-protected Code Integrity (HVCI) Related Registry Tampering Via CommandLine
new: Vulnerable Driver Blocklist Registry Tampering Via CommandLine
new: Windows Vulnerable Driver Blocklist Disabled
---------
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com >
2026-01-26 23:53:42 +01:00
092b852af3
Merge PR #5767 from @vl43den - Add Cmd Launched with Hidden Start Flags to Suspicious Targets
...
new: Cmd Launched with Hidden Start Flags to Suspicious Targets
---------
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com >
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com >
2026-01-26 20:02:52 +01:00
30aebbb65c
Merge PR #5834 from @MATTANDERS0N - Add Devcon and KDU Execution Rules
...
new: PUA - Kernel Driver Utility (KDU) Execution
new: Devcon Execution Disabling VMware VMCI Device
---------
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com >
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com >
2026-01-24 12:36:29 +01:00
c8b1a0ff67
Merge PR #5805 from @swachchhanda000 - Add regression tests for curl-related rules
...
update: Curl Web Request With Potential Custom User-Agent - add another curl supported flag for header
chore: add regression tests for curl-related rules
2025-12-25 20:50:48 +05:45
c5b881019a
Merge PR #5777 from @swachchhanda000 - feat: more edrfreeze rules
...
new: WerFaultSecure Loading DbgCore or DbgHelp - EDR-Freeze
new: Suspicious Loading of Dbgcore/Dbghelp DLLs from Uncommon Location
new: Suspicious Process Access to LSASS with Dbgcore/Dbghelp DLLs
new: Suspicious Process Access of MsMpEng by WerFaultSecure - EDR-Freeze
update: Hacktool - EDR-Freeze Execution - add more coverage
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com >
2025-12-10 15:29:38 +01:00
f05a8c4d94
Merge PR #5788 from @swachchhanda000 - Recon via RDP Logging Event
...
update: Potentially Suspicious EventLog Recon Activity Using Log Query Utilities - add more interesting event ids
---------
Co-authored-by: Nasreddine Bencherchali <nasbench@users.noreply.github.com >
2025-12-09 08:48:59 +05:45
0aa29891df
Merge PR #5782 from @Koifman - Add Github Self-Hosted Runner Execution
...
new: Github Self-Hosted Runner Execution
---------
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com >
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com >
2025-12-04 00:55:53 +01:00
c141859b83
Merge PR #5775 from @swachchhanda000 - Restructure regression testing data directory
...
chore: restructure regression testing data directory
2025-11-26 11:08:11 +01:00
Swachchhanda Shrawan Poudel