Nasreddine Bencherchali
34c5d66c22
Merge PR #5966 from @nasbench - Update mitre tags to use attack v19
chore: update mitre tags to use attack v19
2026-04-29 01:20:23 +02:00
Niicolaa
ed2650a0eb
Merge PR #5791 from @Niicolaa - fix: add correct osascript path
fix: GUI Input Capture - macOS - remove osascript wrong path
---------
Co-authored-by: Nasreddine Bencherchali <nasbench@users.noreply.github.com>
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
2025-12-09 08:03:04 +05:45
Nasreddine Bencherchali
9d58e38bbc
Merge PR #5769 from @nasbench - fix keywords rule and remove the fields field
remove: Space After Filename - Logic was incorrect and untested
update: Potential CVE-2024-3400 Exploitation - Palo Alto GlobalProtect OS Command Injection - Update selection
update: JexBoss Command Sequence - Update the selection to use the |all modifier.
chore: remove any usage of the fields field to prepare for deprecation in the spec.
2025-11-24 09:54:29 +01:00
phantinuss
c8075cab6b
chore: ci: bump validator version (#5722)
chore: ci: bump validator version
chore: add missing tags
---------
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
2025-10-23 15:43:47 +02:00
github-actions[bot]
4316ad64da
Merge PR #5506 from @nasbench - promote older rules status from experimental to test
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
2025-07-01 10:34:38 +02:00
norbert791
639a948bae
Merge PR #5426 from @norbert791 - New rules: Remote Access Tool MeshAgent
new: Remote Access Tool - Potential MeshAgent Usage - MacOS
new: Remote Access Tool - Potential MeshAgent Usage - Windows
new: Remote Access Tool - Suspicious MeshAgent Usage - MacOS
new: Remote Access Tool - Suspicious MeshAgent Usage - Windows
chore: Remote Access Tool - MeshAgent Command Execution via MeshCentral - typo fixed
---------
Co-authored-by: Norbert Jaśniewicz <norbert.jasniewicz@alphasoc.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2025-06-24 11:19:53 +02:00
david-syk
efcfe43fae
Merge PR #5388 from @david-syk - Update MITRE ATT&CK tags
chore: update the tags of multiple rules
2025-05-20 23:09:23 +02:00
david-syk
f255ba29e6
Merge PR #5390 from @david-syk - Update MITRE ATT&CK tags
chore: update the tags of multiple rules
2025-05-20 23:08:57 +02:00
github-actions[bot]
29ad6f9617
Merge PR #5249 from @nasbench - Promote older rules status from experimental to test
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
2025-04-17 00:41:35 +02:00
github-actions[bot]
2bfb0935a0
Merge PR #5177 from @nasbench - promote older rules status from experimental to test
chore: promote older rules status from `experimental` to `test`
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
2025-02-03 18:23:12 +01:00
github-actions[bot]
f533350560
Merge PR #5065 from @nasbench - Promote older rules status from experimental to test
chore: promote older rules status from `experimental` to `test`
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
2024-11-01 10:21:04 +01:00
peterydzynski
9c7b8bcd55
Merge PR #4987 from @peterydzynski - Fix System Network Discovery - macOS
fix: System Network Discovery - macOS - Add additional filter for `wifivelocityd`
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-08-29 20:30:47 +02:00
Omar A.
a21ab6763b
Merge PR #4951 from @omaramin17 - Add Hidden Flag Set On File/Directory Via Chflags - MacOS
new: Hidden Flag Set On File/Directory Via Chflags - MacOS
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-08-21 15:25:47 +02:00
Nasreddine Bencherchali
598d29f811
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
chore: change tags, date, modified fields to comply with v2 of the Sigma spec.
chore: update the related type from `obsoletes` to `obsolete`.
chore: update local json schema to the latest version.
2024-08-12 12:02:50 +02:00
Omar A.
bfc5586e43
Merge PR #4949 from @omaramin17 - Add new rules related to Hdiutil usage
new: Disk Image Mounting Via Hdiutil - MacOS
new: Disk Image Creation Via Hdiutil - MacOS
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-08-10 19:18:35 +02:00
github-actions[bot]
47085e9489
Merge PR #4891 from @nasbench - Promote older rules status from experimental to test
chore: promote older rules status from experimental to test
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
2024-07-01 10:42:32 +02:00
Daniel Cortez
d7bd6001d1
Merge PR #4773 from @DefenderDaniel - Add rules covering Nscurl usage
new: File Download Via Nscurl - MacOS
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-06-05 10:22:39 +02:00
pratinavchandra
9bfe3d6e62
Merge PR #4865 from @pratinavchandra - Add new rules related to "tmutil" potential abuse
new: Time Machine Backup Deletion Attempt Via Tmutil - MacOS
new: Time Machine Backup Disabled Via Tmutil - MacOS
new: New File Exclusion Added To Time Machine Via Tmutil - MacOS
---------
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-05-31 12:52:55 +02:00
pratinavchandra
6a5cf5c37c
Merge PR #4785 from @pratinavchandra - add System Information Discovery Via Sysctl - MacOS
new: System Information Discovery Via Sysctl - MacOS
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-05-27 18:05:09 +02:00
pratinavchandra
2837671f38
Merge PR #4782 from @pratinavchandra - Add Launch Agent/Daemon Execution Via Launchctl
new: Launch Agent/Daemon Execution Via Launchctl
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-05-13 16:55:33 +02:00
pratinavchandra
e1a713d264
Merge PR #4823 from @pratinavchandra - Update CLI flag for Gatekeeper Bypass via Xattr
update: Gatekeeper Bypass via Xattr - Update command line flag
---------
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
2024-04-19 11:10:38 +02:00
Josh
68511f711f
Merge PR #4759 from @joshnck - Add new rules covering incoming TeamViewer connection activity
new: Remote Access Tool - Team Viewer Session Started On Linux Host
new: Remote Access Tool - Team Viewer Session Started On MacOS Host
new: Remote Access Tool - Team Viewer Session Started On Windows Host
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-03-15 21:41:29 +01:00
github-actions[bot]
367ebd9395
Merge PR #4700 from @nasbench - Promote older rules status from experimental to test
chore: promote older rules status from experimental to test
2024-02-01 02:09:31 +01:00
Stephen Lincoln
e62c700822
Merge PR #4649 from @slincoln-aiq - System Information Discovery Using System_Profiler
new: System Information Discovery Using System_Profiler
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2024-01-10 14:29:49 +01:00
Stephen Lincoln
2abda43af9
Merge PR #4645 from @slincoln-aiq - Update: System Information Discovery Using Ioreg
update: System Information Discovery Using Ioreg - enhanced coverage with additional flags and cli options
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-01-10 14:00:01 +01:00
jstnk9
1e37964530
Merge PR #4640 from @jstnk9 - Add new rules related to System Integrity Protection (SIP) enumeration and tamper
new: System Integrity Protection (SIP) Enumeration
new: System Integrity Protection (SIP) Disabled
---------
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2024-01-10 13:36:06 +01:00
github-actions[bot]
c3fe2da997
chore: promote older rules status from experimental to test (#4651)
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
2024-01-01 09:00:51 +01:00
jstnk9
3bb3b9cb5b
Merge PR #4615 from @jstnk9 - Update WMIC Discovery Rule + New System Discovery Rules For MacOS
new: System Information Discovery Using Ioreg
new: System Information Discovery Using sw_vers
new: Potential Base64 Decoded From Images
new: System Information Discovery Via Wmic.EXE
update: Uncommon System Information Discovery Via Wmic.EXE - Updated logic to focus on more specific WMIC query sequence to increase the level and added a related rule to cover the missing gaps in d85ecdd7-b855-4e6e-af59-d9c78b5b861e
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2023-12-21 11:09:47 +01:00
github-actions[bot]
ae960f0881
Merge PR #4611 from @nasbench - Promote Older Rules Status From experimental To test
chore: promote older rules status from experimental to test
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
2023-12-01 12:50:36 +01:00
github-actions[bot]
a6e7cce606
Merge PR #4533 from @nasbench - Promote experimental rules
chore: promote older rules status from `experimental` to `test`
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2023-11-02 10:48:45 +01:00
Nasreddine Bencherchali
95793d73bd
Merge PR #4482 From @nasbench - Add New Automation Workflows
chore: update workflows and add quality of life updates and automation to the repository
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2023-10-18 11:53:44 +02:00
frack113
020fc8061f
Merge PR #4479 From @frack113 - Upgrade Rules Status
chore: Upgrade status level from `experimental` to `test` for rules that have not changed in 300 days
---------
Signed-off-by: frack113 <62423083+frack113@users.noreply.github.com>
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2023-10-17 14:35:26 +02:00
phantinuss
2a2db295ce
Merge pull request #4155 from D4rkCiph3r/patch-5
Update proc_creation_macos_add_to_admin_group.yml
2023-08-23 08:57:45 +02:00
phantinuss
ea5db35a52
Merge pull request #4127 from D4rkCiph3r/in-memory-payload
Create proc_creation_macos_in-memory_payload_transfer.yml
2023-08-23 08:57:23 +02:00
Nasreddine Bencherchali
d53f063141
feat: update metadata
2023-08-22 18:22:05 +02:00
Nasreddine Bencherchali
32800437c9
Update proc_creation_macos_dseditgroup_add_to_admin_group.yml
2023-08-22 17:55:17 +02:00
Nasreddine Bencherchali
0f1f792ef9
chore: split rules
2023-08-22 17:48:06 +02:00
Nasreddine Bencherchali
68f843ce2c
Merge pull request #4300 from gr00T0x/jamf
feat: add rules related to jamf usage and potential abuse
2023-08-22 15:38:35 +02:00
Nasreddine Bencherchali
7881df8591
Merge pull request #4055 from D4rkCiph3r/root_enable
feat: add new to enable root account via dsenableroot
2023-08-22 15:10:26 +02:00
Nasreddine Bencherchali
ae71649ff5
Update rules/macos/process_creation/proc_creation_macos_jamf_susp_child.yml
2023-08-22 15:09:42 +02:00
phantinuss
785ea520dd
fix: wording
2023-08-22 14:56:25 +02:00
phantinuss
9cb0c4d1ac
fix: wording
2023-08-22 14:55:30 +02:00
Nasreddine Bencherchali
b14769e684
feat: update metadata & logic
2023-08-22 14:34:20 +02:00
Nasreddine Bencherchali
4e75c3b2dc
feat: update detection & metadata
2023-08-22 13:51:14 +02:00
gr00t
fe26aabf6a
Update proc_creation_macos_usage_of_jamf.yml
2023-06-08 12:43:54 +01:00
gr00t
97cb0ad683
Create proc_creation_macos_usage_of_jamf.yml
2023-06-07 16:46:36 +01:00
D4rkCiph3r
e32b39d855
feat: new macos rule Suspicious Browser Child Process (#4053)
2023-04-05 14:58:09 +02:00
D4rkCiph3r
5d1130262f
feat: new rule proc_creation_macos_suspicious_applet_behaviour.yml (#4126)
2023-04-03 12:27:17 +02:00
D4rkCiph3r
3662498137
Update proc_creation_macos_add_to_admin_group.yml
2023-03-30 11:34:38 +05:30
D4rkCiph3r
401c147f70
Update proc_creation_macos_enable_root_account.yml
2023-03-30 11:33:57 +05:30