Nasreddine Bencherchali
34c5d66c22
Merge PR #5966 from @nasbench - Update mitre tags to use attack v19
chore: update mitre tags to use attack v19
2026-04-29 01:20:23 +02:00
Swachchhanda Shrawan Poudel
2b5715303f
Merge PR #5908 from @swachchhanda000 - Fix fps and improve metadata of several Linux rules
fix: Linux Logs Clearing Attempts - Add new filters for sysstat and dmesg legitimate command deletion
fix: Disable Or Stop Services - Add new filters for legitimate service stopping via systemctl for snapd, asw and others
fix: Potential Suspicious Change To Sensitive/Critical Files - Add filters for `/^*` and `s/^` usage with sed
fix: Persistence Via Sudoers.d Files - Add filter for dpkg writing README
fix: Chmod Targeting Sensitive Directories - enhance metadata and add multiple filters for legit use cases
2026-04-28 01:12:30 +02:00
Zirbo
8315489a07
Merge PR #5828 from @Zirbo - Update Shell Invocation via Env Command - Linux
update: Shell Invocation via Env Command - Linux - Switch modifier to use contains instead of endswith for better accuracy
---------
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
2026-04-28 00:31:41 +02:00
HueCodes
c801be9f3d
Merge PR #5899 from @HueCodes - new: Python Base64 Encoded Inline Command Execution
new: Python Base64 Encoded Inline Command Execution - Windows
new: Python Base64 Encoded Inline Command Execution - Linux
---------
Co-authored-by: Hugh <HueCodes@users.noreply.github.com>
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2026-04-23 14:37:28 +02:00
Swachchhanda Shrawan Poudel
56a58e1ee6
Merge PR #5772 from @swachchhanda000 - Add Shai-Hulud: The Second Coming Rules
update: Shai-Hulud Malicious GitHub Workflow Creation - Add new entries to the list to increase coverage
new: Shai-Hulud Malware Indicators - Linux
new: Shai-Hulud Malicious Bun Execution - Linux
new: Shai-Hulud 2.0 Malicious NPM Package Installation - Linux
new: Shai-Hulud Malware Indicators - Windows
new: Shai-Hulud Malicious Bun Execution
new: Shai-Hulud 2.0 Malicious NPM Package Installation
new: Script Interpreter Spawning Credential Scanner - Linux
new: Script Interpreter Spawning Credential Scanner - Windows
---------
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
2026-03-29 14:58:59 +02:00
EzLucky
076da17939
Merge PR #5771 from @EzLucky - Add and Update Setcap Related Rules
new: Linux Setgid Capability Set on a Binary via Setcap Utility
new: Linux Setuid Capability Set on a Binary via Setcap Utility
fix: Capabilities Discovery - Linux - Removed unnecessary windash modifier
---------
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com>
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2026-01-24 11:51:42 +01:00
EzLucky
6fe7343bf7
Merge PR #5822 from @EzLucky - fix: spelling errors in description and filename
update: Suspicious Package Installed - Linux - add 'socat' keyword and fix a typo
chore: Local System Accounts Discovery - Linux - fix small typo on 'system' word in description
2026-01-05 13:01:17 +05:45
Seth Hanford
5f57f9e816
Merge PR #5766 from @SethHanford - Update Potential Container Discovery Via Inodes Listing
update: Potential Container Discovery Via Inodes Listing - replace contains globbing with more correct patterns using regex
---------
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com>
2025-11-25 16:29:32 +01:00
Swachchhanda Shrawan Poudel
c6fcff5cff
Merge PR #5740 from @swachchhanda000 - chore: reorganize threat specific rules into rules-emerging-threats directory
chore: reorganize threat specific rules into rules-emerging-threats directory
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2025-11-10 12:00:08 +01:00
Vladan Sekulic
e40fc91954
Merge PR #5600 from @vl43den - Add Syslog Clearing or Removal Via System Utilities
new: Syslog Clearing or Removal Via System Utilities
---------
Co-authored-by: Nasreddine Bencherchali
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
2025-10-28 22:49:32 +01:00
Mohamed LAKRI
d0c23170de
Merge PR #5079 from @mlakri - Add 2 new linux rules
new: Audit Rules Deleted Via Auditctl
new: Python WebServer Execution - Linux
---------
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
2025-10-28 22:45:53 +01:00
Milad Cheraghi
875dee72f4
Merge PR #5634 from @CheraghiMilad - Add Kaspersky Endpoint Security Stopped Via CommandLine - Linux
new: Kaspersky Endpoint Security Stopped Via CommandLine - Linux
---------
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
2025-10-28 22:34:26 +01:00
phantinuss
c8075cab6b
chore: ci: bump validator version (#5722)
chore: ci: bump validator version
chore: add missing tags
---------
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
2025-10-23 15:43:47 +02:00
RobertN87
f69ac5c345
Merge PR #5714 from @RobertN87 - Add missing MITRE tactics for 2 rules
chore: add missing MITRE tactics for 2 rules
2025-10-21 20:17:56 +02:00
Milad Cheraghi
ac1137183f
Merge PR #5090 from @CheraghiMilad - add rule for impair system power settings
new: Mask System Power Settings Via Systemctl
---------
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
2025-10-20 08:24:44 +05:45
Swachchhanda Shrawan Poudel
208fee50a0
Merge PR #5658 from @swachchhanda000 - feat: shai hulud worm targeting npm supply chain attack
new - Shai-Hulud Malicious GitHub Workflow Creation
new - Shai-Hulud NPM Attack GitHub Activity
new - Shai-Hulud NPM Package Malicious Exfiltration via Curl
new - PUA - TruffleHog Execution
new - PUA - TruffleHog Execution - Linux
2025-10-19 07:28:08 +05:45
Swachchhanda Shrawan Poudel
f4e9d5f3c4
Merge PR #5671 from @swachchhanda000 - feat: add detection rules for CVE-2025-32463 sudo chroot vulnerability
new: Non-Standard Nsswitch.Conf Creation - Potential CVE-2025-32463 Exploitation
new: Linux Sudo Chroot Execution
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2025-10-19 07:21:26 +05:45
Nasreddine Bencherchali
15b9599eb0
Change alert level from high to medium
2025-08-29 10:34:46 +02:00
swachchhanda000
4ba778f030
fix: potentially suspicious execution from tmp folder - nextcloud fp from tmp folder
2025-08-08 15:01:07 +05:45
github-actions[bot]
4316ad64da
Merge PR #5506 from @nasbench - promote older rules status from experimental to test
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
2025-07-01 10:34:38 +02:00
hashdr1ft
8fd6a5167d
Merge PR #5489 from @hashdr1ft - Suspicious Download and Execute Pattern via Curl/Wget
new: Suspicious Download and Execute Pattern via Curl/Wget
---------
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2025-06-25 12:48:57 +02:00
wieso-itzi
0304ffbbd6
Merge PR #5050 from @wieso-itzi - detect vacuuming of journald for log clearing
update: Commands to Clear or Remove the Syslog - detect journald vacuuming
---------
Signed-off-by: wieso-itzi <85185077+wieso-itzi@users.noreply.github.com>
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
2025-06-24 13:29:27 +02:00
phantinuss
dfed136f16
Merge PR #5477 from @phantinuss - chore: update MITRE tag t1219 to t1219.002
chore: update MITRE tag t1219 to t1219.002
2025-06-13 10:00:52 +02:00
Milad Cheraghi
6509b21b82
Merge PR #5462 from @CheraghiMilad - add text output tools
update: Local Groups Discovery - Linux - add text output tools
---------
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
2025-06-05 13:19:27 +02:00
Milad Cheraghi
0627225cab
Merge PR #5463 from @CheraghiMilad - add more text output tools (#5463)
update: Access of Sudoers File Content - add more tools
---------
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2025-06-05 13:19:04 +02:00
david-syk
3eaaa050b7
Merge PR #5452 from @david-syk - Update the MITRE ATT&CK tags for multiple rules
chore: update the MITRE ATT&CK tags for multiple rules
2025-06-04 14:39:25 +02:00
frack113
74fc1c74ec
Merge PR #5451 from @frack113 - chore: cleanup metadata
chore: 🧹 Remove redundant modified field
chore: 🧹 Use Mitre tags instead of url
chore: 🧹 Use permalink for github file reference
chore: 🧹 Order emerging-threats Exploits rules
2025-06-04 13:33:36 +02:00
Koifman
b0481bea13
Merge PR #5393 from @Koifman - Update VMware rules for MITREv17
update: proc_creation_lnx_esxcli_vm_kill.yml - updating MITRE to match v17
update: proc_creation_lnx_esxcli_vsan_discovery.yml - updating MITRE to match v17
update: proc_creation_lnx_esxcli_system_discovery.yml - updating MITRE to match v17
update: proc_creation_lnx_esxcli_network_discovery.yml - updating MITRE to match v17
update: proc_creation_lnx_esxcli_storage_discovery.yml - updating MITRE to match v17
update: proc_creation_lnx_esxcli_syslog_config_change.yml - updating MITRE to match v17
update: proc_creation_lnx_esxcli_user_account_creation.yml - updating MITRE to match v17
update: proc_creation_lnx_esxcli_permission_change_admin.yml - updating MITRE to match v17
update: proc_creation_lnx_esxcli_vm_discovery.yml - updating MITRE to match v17
---------
Co-authored-by: Koifman <primeless42@gmail.com>
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
2025-05-21 08:39:49 +02:00
david-syk
6fe3ac8a02
Merge PR #5389 from @david-syk - Update MITRE ATT&CK tags
chore: update the tags of multiple rules
2025-05-20 23:09:50 +02:00
david-syk
f255ba29e6
Merge PR #5390 from @david-syk - Update MITRE ATT&CK tags
chore: update the tags of multiple rules
2025-05-20 23:08:57 +02:00
github-actions[bot]
64852d95a9
Merge PR #5216 from @nasbench - Promote older rules status from experimental to test
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
2025-03-05 00:23:27 +01:00
github-actions[bot]
2bfb0935a0
Merge PR #5177 from @nasbench - promote older rules status from experimental to test
chore: promote older rules status from `experimental` to `test`
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
2025-02-03 18:23:12 +01:00
Florian Roth
06a5d08508
Merge PR #5163 from @Neo23x0 - Add/Update Rsync Linux Rules
update: Shell Execution via Rsync - Linux - Rework logic to make it more generic and include additional shells.
new: Suspicious Invocation of Shell via Rsync
---------
Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>
2025-01-19 21:55:40 +01:00
Milad Cheraghi
957c1fc3d9
Merge PR #5119 from @CheraghiMilad - Update Terminate Linux Process Via Kill
update: Terminate Linux Process Via Kill - Add "xkill"
---------
Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>
2024-12-14 22:26:02 +02:00
Milad Cheraghi
44775b80b9
Merge PR #5117 from @CheraghiMilad - Update Process Discovery
update: Process Discovery - Add additional processes like "htop" and "atop"
---------
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>
2024-12-14 22:24:15 +02:00
Milad Cheraghi
c6b7a19b59
Merge PR #5099 from @CheraghiMilad - Update Local System Accounts Discovery - Linux
update: Local System Accounts Discovery - Linux - Add additional binaries to read password files such as "less" and "emacs" as well as additional password file locations such as "/etc/pwd.db"
2024-12-14 20:49:32 +02:00
Milad Cheraghi
c8e1d66a35
Merge PR #5091 from @CheraghiMilad - Update File and Directory Discovery - Linux
update: File and Directory Discovery - Linux - Add 2 additional binaries, "findmnt" and "mlocate"
---------
Co-authored-by: Milad Cheraghi <cheraghimiladmail@gmail.com>
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
2024-12-01 14:07:54 +01:00
Nathan
d0e4e78f7a
Merge PR #5086 from @AlbinoGazelle - Update ESXCLI reference docs after Broadcom acquisition of VMWare
chore: update broken references to ESXCLI rules
2024-11-20 20:44:32 +01:00
wieso-itzi
4f4ef7a8cc
Merge PR #5042 from @wieso-itzi - Update Python PTY rules
update: Python Spawning Pretty TTY Via PTY Module - Update the logic to account for the possibility of calling the spawn function via a variable, as an alias or other methods.
update: Python Reverse Shell Execution Via PTY And Socket Modules - Add additional strings to increase accuracy and coverage.
---------
Signed-off-by: wieso-itzi <85185077+wieso-itzi@users.noreply.github.com>
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-11-04 12:15:00 +01:00
Milad Cheraghi
d270dc542c
Merge PR #5039 from @CheraghiMilad - Update Local System Accounts Discovery - Linux
update: Local System Accounts Discovery - Linux - Increase coverage by adding additional utilities such as "nano", "tail", "vim"
---------
Co-authored-by: Milad Cheraghi <cheraghimiladmail@gmail.com>
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-10-08 22:09:13 +02:00
github-actions[bot]
08c52c367c
Merge PR #5027 from @nasbench - Promote older rules status from experimental to test
chore: promote older rules status from experimental to test
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
2024-10-01 14:56:09 +02:00
Arnim Rupp
35a5eb9a4c
Merge PR #5013 from @ruppde - Update linux scanning rules
update: Linux HackTool Execution - Remove "zenmap" and "nmap" as they are already covered by 3e102cd9-a70d-4a7a-9508-403963092f31
update: Linux Network Service Scanning Tools Execution - Add "zenmap" utility
2024-09-22 19:29:20 +02:00
Murphy0801
3e2f8d5aba
Merge PR #4975 from @Murphy0801 - Add new rules related to GTFOBins
new: Capsh Shell Invocation - Linux
new: Inline Python Execution - Spawn Shell Via OS System Library
new: Shell Execution GCC - Linux
new: Shell Execution via Find - Linux
new: Shell Execution via Flock - Linux
new: Shell Execution via Git - Linux
new: Shell Execution via Nice - Linux
new: Shell Execution via Rsync - Linux
new: Shell Invocation via Env Command - Linux
new: Shell Invocation Via Ssh - Linux
new: Suspicious Invocation of Shell via AWK - Linux
---------
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-09-02 13:19:31 +02:00
github-actions[bot]
839f5636f5
Merge PR #4991 from @nasbench - Promote older rules status from experimental to test
chore: promote older rules status from `experimental` to `test`
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
2024-09-02 10:01:36 +02:00
Nasreddine Bencherchali
598d29f811
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
chore: change tags, date, modified fields to comply with v2 of the Sigma spec.
chore: update the related type from `obsoletes` to `obsolete`.
chore: update local json schema to the latest version.
2024-08-12 12:02:50 +02:00
Ryan Plas
1d40f1d20b
Merge PR #4893 from @ryanplasma - Update Microsoft references URLS
chore: update Microsoft references link to use the "learn" subdomain instead of "docs".
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
Thanks: @ryanplasma
2024-07-02 12:00:11 +02:00
github-actions[bot]
47085e9489
Merge PR #4891 from @nasbench - Promote older rules status from experimental to test
chore: promote older rules status from experimental to test
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
2024-07-01 10:42:32 +02:00
github-actions[bot]
d84959e50f
Merge PR #4867 from @nasbench - Promote older rules status from experimental to test
chore: promote older rules status from experimental to test
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
2024-06-03 10:29:22 +02:00
github-actions[bot]
f7ec533704
Merge PR #4841 from @nasbench - Promote older rules status from experimental to test
chore: promote older rules status from "experimental" to "test"
2024-05-02 10:34:25 +02:00
signalblur
86ca651ea6
Merge PR #4801 from @signalblur - Add Pnscan rule
new: Pnscan Binary Data Transmission Activity
---------
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2024-04-16 14:36:41 +02:00