34c5d66c22
Merge PR #5966 from @nasbench - Update mitre tags to use attack v19
...
chore: update mitre tags to use attack v19
2026-04-29 01:20:23 +02:00
0e3b749e0d
Merge PR #5898 from @FlorianBracq - Set groups in regular expressions as non capturing
...
Goodlog Tests / check-baseline-win7 (push) Waiting to run
Goodlog Tests / check-baseline-win10 (push) Waiting to run
Goodlog Tests / check-baseline-win11 (push) Waiting to run
Goodlog Tests / check-baseline-win11-2023 (push) Waiting to run
Goodlog Tests / check-baseline-win2022 (push) Waiting to run
Goodlog Tests / check-baseline-win2022-domain-controller (push) Waiting to run
Goodlog Tests / check-baseline-win2022-0-20348-azure (push) Waiting to run
Regression Tests / true-positive-tests (push) Waiting to run
Create Release / Create Release (push) Waiting to run
Sigma Rule Tests / yamllint (push) Waiting to run
Sigma Rule Tests / test-sigma-logsource (push) Blocked by required conditions
Sigma Rule Tests / test-sigma-legacy (push) Blocked by required conditions
Sigma Rule Tests / sigma-check (push) Blocked by required conditions
Sigma Rule Tests / duplicate-id-check (push) Blocked by required conditions
Validate Sigma rules / sigma-rules-validator (push) Waiting to run
update: Dynamic .NET Compilation Via Csc.EXE - Update regex to use a non-capturing group
update: Csc.EXE Execution Form Potentially Suspicious Parent - Update regex to use a non-capturing group
update: Invoke-Obfuscation Obfuscated IEX Invocation - Update regex to use a non-capturing group
update: Invoke-Obfuscation Via Stdin - Update regex to use a non-capturing group
update: Invoke-Obfuscation Via Use Clip - Update regex to use a non-capturing group
update: Powershell Token Obfuscation - Process Creation - Update regex to use a non-capturing group
update: Potential Rundll32 Execution With DLL Stored In ADS - Update regex to use a non-capturing group
update: Suspicious Copy From or To System Directory - Update regex to use a non-capturing group
update: Obfuscated IP Download Activity - Update regex to use a non-capturing group
update: Obfuscated IP Via CLI - Update regex to use a non-capturing group
update: Uncommon Svchost Command Line Parameter - Update regex to use a non-capturing group
---------
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com >
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com >
2026-04-28 12:23:57 +02:00
797bcaebfe
Merge PR #5900 from @swachchhanda000 - Update Important scheduled task manipulation related rules
...
update: Important Scheduled Task Deleted or Disabled - Add EventID 142.
update: Disable Important Scheduled Task - Add OFN and remove unecessary string binding for increased coverage.
update: Delete Important Scheduled Task - Add OFN and remove unecessary string binding for increased coverage.
new: System Restore Registry Modification via CommandLine
chore: add regression tests for Important scheduled task manipulation rules
---------
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com >
2026-04-28 04:00:16 +02:00
7cf06feeea
Merge PR #5859 from @davidljohnson - Update VBS/A related rules
...
update: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript - Add entry for .wsh files
update: WScript or CScript Dropper - File - Enhance coverage with multiple file paths and extesnions
update: Potentially Suspicious Powershell Script Execution From Temp Folder - Reduce level to medium and enhance metadata
update: Script Interpreter Execution From Suspicious Folder - Add additional file path for coverage and enhance metadata
update: Potential Dropper Script Execution Via WScript/CScript/MSHTA - Add additional file path and extension for coverage and enhance metadata
---------
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com >
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com >
2026-04-28 01:37:10 +02:00
66f7ac9a4d
Merge PR #5881 from @Securityinbits - Add Sensitive File Dump Via Print.EXE
...
new: Sensitive File Dump Via Print.EXE
---------
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com >
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com >
2026-04-28 01:07:54 +02:00
570200b711
Merge PR #5952 from @Sanskar-bot - Update PowerShell Download Via Net.WebClient - PowerShell Classic
...
update: PowerShell Download Via Net.WebClient - PowerShell Classic - Reduce level to "low" and update metadata
---------
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com >
2026-04-28 00:30:25 +02:00
81dce222fd
Merge PR #5953 from @Sanskar-bot - Update MITRE Tags for Netcat The Powershell Version
...
chore: update mitre tags for `Netcat The Powershell Version`
---------
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com >
2026-04-28 00:29:22 +02:00
cd26c0a799
Merge PR #5815 from @swachchhanda000 - Update and Add Autologger related rules
...
new: Windows EventLog Autologger Session Registry Modification Via CommandLine
update: Potential AutoLogger Sessions Tampering - Update the value to an accurate one
---------
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com >
2026-04-28 00:17:40 +02:00
ca8e778476
Merge PR #5833 from @swachchhanda000 - Fix Multiple FPs based on VT data
...
update: Suspicious Creation TXT File in User Desktop - Move to a TH rule
fix: ffice Macro File Creation - Exclude office binaries
fix: Suspicious Msiexec Execute Arbitrary DLL - Make the filter more generic due to the amount of FPs.
fix: Script Interpreter Execution From Suspicious Folder - Add filters for chocolatey
fix: Suspicious Script Execution From Temp Folder - Add filter for chocolatey
fix: Office Autorun Keys Modification - Add filters for shortened paths using tilda
fix Outlook Security Settings Updated - Registry - Exclude the outlook process
---------
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com >
2026-04-28 00:10:09 +02:00
3a0fbc4bfa
Merge PR #5837 from @swachchhanda000 - Add Potential Vcruntime140 DLL Sideloading
...
new: Potential Vcruntime140 DLL Sideloading
2026-04-27 23:55:25 +02:00
180991bc81
Merge PR #5827 from @swachchhanda000 - Update Wmic Service Tampering Rules
...
new: Service Startup Type Change Via Wmic.EXE
update: Service Reconnaissance Via Wmic.EXE - Add filters to exclude out legitimate service manipulation cases.
---------
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com >
2026-04-27 22:43:22 +02:00
1a51d53e9f
Merge PR #5829 from @swachchhanda000 - Add PUA - Memory Dump Mount Via MemProcFS
...
new: PUA - Memory Dump Mount Via MemProcFS
---------
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com >
2026-04-27 22:30:50 +02:00
ff107c3fe1
Merge PR #5414 from @swachchhanda000 - Add Indirect Command Execution via SFTP ProxyCommand
...
new: Indirect Command Execution via SFTP ProxyCommand
---------
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com >
2026-04-27 22:26:12 +02:00
cf9759946f
Merge PR #5399 from @swachchhanda000 - Update LSA PPL Protection Setting Modification via CommandLine
...
update: LSA PPL Protection Setting Modification via CommandLine - Add more keys regarding LSA PPL
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com >
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com >
2026-04-24 19:48:55 +02:00
03412947a2
Merge PR #5922 from @CHIRAG-DAMANI-08 - Hacktool - NetExec Execution
...
new: HackTool - NetExec File Indicators
new: Hacktool - NetExec Execution
---------
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com >
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com >
2026-04-23 15:02:24 +02:00
c801be9f3d
Merge PR #5899 from @HueCodes - new: Python Base64 Encoded Inline Command Execution
...
new: Python Base64 Encoded Inline Command Execution - Windows
new: Python Base64 Encoded Inline Command Execution - Linux
---------
Co-authored-by: Hugh <HueCodes@users.noreply.github.com >
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com >
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com >
2026-04-23 14:37:28 +02:00
fc1cf467f4
Merge PR #5905 from @swachchhanda000 - fix: notepad++ gup infrastructure abuse FPs
...
fix: Notepad++ Updater DNS Query to Uncommon Domains - filter uncommon domain
fix: Uncommon File Created by Notepad++ Updater Gup.EXE - filter gup legitimate filter
2026-04-21 12:33:55 +02:00
c3ad686ac4
Merge PR #5935 from @swachchhanda000 - Fix Registry Tampering by Potentially Suspicious Processes
...
fix: Registry Tampering by Potentially Suspicious Processes - add filter for legitimate wscript.exe registry modifications
---------
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com >
2026-04-14 14:49:20 +02:00
d4d12bdd13
Merge PR #5910 from @EzLucky - Update RTLO Related Rules With Additional Coverage
...
update: Potential Defense Evasion Via Right-to-Left Override - Add real rtlo char copied/pasted
update: Potential File Extension Spoofing Using Right-to-Left Override - Add real rtlo char copied/pasted
---------
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com >
2026-04-01 13:57:31 +02:00
7fc53c563e
Merge PR #5925 from @Neo23x0 - Add filter for nsswitch and double extension in icons folder
...
fix: Non-Standard Nsswitch.Conf Creation - Potential CVE-2025-32463 Exploitation - Add additional path for nsswitch `/usr/share/factory/etc/nsswitch.conf`
fix: Suspicious Double Extension Files - Add a new filter `/usr/share/icons/`
---------
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com >
Thanks: @marius-benthin
2026-04-01 13:55:12 +02:00
7031934d17
Merge PR #5914 from @netikus - Update Potential Privileged System Service Operation - SeLoadDriverPrivilege
...
fix: Potential Privileged System Service Operation - SeLoadDriverPrivilege - Add new filter for ShellHost.exe and SystemSettings.exe
---------
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com >
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com >
2026-04-01 13:36:52 +02:00
c6d03adc7b
Merge PR #5924 from @Neo23x0 - Fix Security Support Provider (SSP) Added to LSA Configuration
...
fix: Security Support Provider (SSP) Added to LSA Configuration - Add filter for `null` image field
2026-04-01 12:35:29 +02:00
2f84ca2f16
Merge PR #5433 from @swachchhanda000 - Add BadSuccessor dMSA Abuse Related Rules
...
new: msDS-ManagedAccountPrecededByLink Attribute Modified
new: New MsDS-DelegatedManagedServiceAccount (DMSA) Object Created
new: DMSA Service Account Created in Specific OUs - PowerShell
new: DMSA Link Attributes Modified
new: New DMSA Service Account Created in Specific OUs
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com >
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com >
2026-03-30 12:27:13 +02:00
56a58e1ee6
Merge PR #5772 from @swachchhanda000 - Add Shai-Hulud: The Second Coming Rules
...
update: Shai-Hulud Malicious GitHub Workflow Creation - Add new entries to the list to increase coverage
new: Shai-Hulud Malware Indicators - Linux
new: Shai-Hulud Malicious Bun Execution - Linux
new: Shai-Hulud 2.0 Malicious NPM Package Installation - Linux
new: Shai-Hulud Malware Indicators - Windows
new: Shai-Hulud Malicious Bun Execution
new: Shai-Hulud 2.0 Malicious NPM Package Installation
new: Script Interpreter Spawning Credential Scanner - Linux
new: Script Interpreter Spawning Credential Scanner - Windows
---------
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com >
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com >
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com >
2026-03-29 14:58:59 +02:00
a15dbdaa05
Merge PR #5832 from @swachchhanda000 - fix: edr-freeze rules FPs analysed from VT
...
fix: Suspicious Loading of Dbgcore/Dbghelp DLLs from Uncommon Location - remove troublesome locations commonly used by installers
fix: HackTool - WSASS Execution - update regex to avoid mismatching on legitimate cli
update: WerFaultSecure Loading DbgCore or DbgHelp - EDR-Freeze - change it into hunting rule
2026-03-19 10:26:30 +01:00
b596e1a7d0
Merge PR #5860 from @marcopedrinazzi - Add New Email Forwarding and Hiding Rules
...
remove: Suspicious PowerShell Mailbox SMTP Forward Rule
new: Mail Forwarding/Redirecting Activity Via ExchangePowerShell Cmdlet
new: Inbox Rules Creation Or Update Activity Via ExchangePowerShell Cmdlet
---------
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com >
2026-03-01 04:16:06 +01:00
084204d06a
Merge PR #5845 from @marcopedrinazzi - Add System Language Discovery via Reg.Exe
...
new: System Language Discovery via Reg.Exe
---------
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com >
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com >
2026-03-01 03:55:40 +01:00
5f5e72cff7
Merge PR #5885 from @djlukic - Add New FP Filters
...
fix: BITS Transfer Job With Uncommon Or Suspicious Remote TLD - Add filter entry for "tscdn.m365.static.microsoft"
fix: CodeIntegrity - Unmet Signing Level Requirements By File Under Validation - Add filter entry for MS office path
fix: Non Interactive PowerShell Process Spawned - Add filter entry for "SenseIR.exe"
---------
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com >
2026-03-01 03:47:59 +01:00
41c8116d0e
Merge PR #5856 from @swachchhanda000 - Add CPL sideloading and Fsquirt entries
...
update: Files With System Process Name In Unsuspected Locations - Add fsquirt.exe entry
update: System Control Panel Item Loaded From Uncommon Location - Add entries for bthprops.cpl and hdwwiz.cpl
update: System File Execution Location Anomaly - Add fsquirt.exe entry
---------
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com >
2026-02-28 14:21:29 +01:00
6db81c99bd
Merge PR #5716 from @tsale - Add detection rules for abuse of OpenEDR's response feature
...
new: Potentially Suspicious File Creation by OpenEDR's ITSMService
new: OpenEDR Spawning Command Shell
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com >
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com >
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com >
2026-02-28 14:12:49 +01:00
086a362b0f
Merge PR #5875 from @Neo23x0 - Fix BloodHound Collection Files
...
fix: BloodHound Collection Files - Remove entry `_domains.json` due to FP rate.
2026-02-28 14:06:13 +01:00
dc3880459d
Merge PR #5863 from @swachchhanda000 - Add finger.exe to related rules
...
update: Potential Defense Evasion Via Rename Of Highly Relevant Binaries - add finger.exe
update: System File Execution Location Anomaly - add finger.exe
2026-02-16 12:50:13 +01:00
76f4a42ebb
Merge PR #5854 from @swachchhanda000 - Add Notepad++ Infrastructure Abuse Rules
...
new: Notepad++ Updater DNS Query to Uncommon Domains
new: Uncommon File Created by Notepad++ Updater Gup.EXE
new: Suspicious Child Process of Notepad++ Updater - GUP.Exe
---------
Co-authored-by: nasbench <nbencher@cisco.com >
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com >
2026-02-04 12:08:03 +01:00
478120e7d2
Merge PR #5814 from @swachchhanda000 - Add New Credential Guard Tampering Rules
...
Goodlog Tests / check-baseline-win7 (push) Waiting to run
Goodlog Tests / check-baseline-win10 (push) Waiting to run
Goodlog Tests / check-baseline-win11 (push) Waiting to run
Goodlog Tests / check-baseline-win11-2023 (push) Waiting to run
Goodlog Tests / check-baseline-win2022 (push) Waiting to run
Goodlog Tests / check-baseline-win2022-domain-controller (push) Waiting to run
Goodlog Tests / check-baseline-win2022-0-20348-azure (push) Waiting to run
Regression Tests / true-positive-tests (push) Waiting to run
Create Release / Create Release (push) Waiting to run
Sigma Rule Tests / yamllint (push) Waiting to run
Sigma Rule Tests / test-sigma-logsource (push) Blocked by required conditions
Sigma Rule Tests / test-sigma-legacy (push) Blocked by required conditions
Sigma Rule Tests / sigma-check (push) Blocked by required conditions
Sigma Rule Tests / duplicate-id-check (push) Blocked by required conditions
Validate Sigma rules / sigma-rules-validator (push) Waiting to run
new: Windows Credential Guard Registry Tampering Via CommandLine
new: Windows Credential Guard Related Registry Value Deleted - Registry
new: Windows Credential Guard Disabled - Registry
---------
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com >
2026-01-29 12:52:08 +01:00
c6a32d96cf
Merge PR #5813 from @swachchhanda000 - Add New AMSI Tampering Rules
...
new: Windows AMSI Related Registry Tampering Via CommandLine
new: AMSI Disabled via Registry Modification
---------
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com >
2026-01-29 12:38:48 +01:00
2022e3b420
Merge PR #5802 from @swachchhanda000 - Update Bitsadmin Rules With Regresstion Data
...
new: Legitimate Application Writing Files In Uncommon Location
update: Suspicious Download From File-Sharing Website Via Bitsadmin - add github URL
update: File Download Via Bitsadmin To A Suspicious Target Folder - add more susp locations
remove: File Download Via Bitsadmin To An Uncommon Target Folder - deprecate in favor of 2ddef153-167b-4e89-86b6-757a9e65dcac
chore: add regression tests for bitsadmin related rules
---------
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com >
2026-01-29 12:37:55 +01:00
e77233ab2f
Merge PR #5824 from @swachchhanda000 - Update User Shell Folders Registry Modification Rules
...
update: Direct Autorun Keys Modification - remove User Shell Folder registry modification
new: User Shell Folders Registry Modification via CommandLine
update: Modify User Shell Folders Startup Value - add new registry path, also add filtering of legit paths
2026-01-29 12:23:46 +01:00
a4ddc7a414
Merge PR #5842 from @swachchhanda000 - chore: update thor.yml with missing file_change category
...
chore: update thor.yml with missing file_change category
2026-01-29 09:25:27 +01:00
3d8c650ba2
Merge PR #5811 from @swachchhanda000 - Add New Vulnerable Driver Blocklist and HVCI Tampering Based Rules
...
new: Hypervisor-protected Code Integrity (HVCI) Related Registry Tampering Via CommandLine
new: Vulnerable Driver Blocklist Registry Tampering Via CommandLine
new: Windows Vulnerable Driver Blocklist Disabled
---------
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com >
2026-01-26 23:53:42 +01:00
092b852af3
Merge PR #5767 from @vl43den - Add Cmd Launched with Hidden Start Flags to Suspicious Targets
...
new: Cmd Launched with Hidden Start Flags to Suspicious Targets
---------
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com >
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com >
2026-01-26 20:02:52 +01:00
d5188c36a1
Merge PR #5487 from @swachchhanda000 - Update Registry Shell Open Related Rules
...
update: Registry Modification of MS-settings Protocol Handler - Update logic to be more clear
new: Suspicious Shell Open Command Registry Modification
---------
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com >
2026-01-24 18:54:59 +01:00
77f4b0b2ec
Merge PR #5741 from @swachchhanda000 - Add Splunk Rules for MSIX/AppX
...
new: Successful MSIX/AppX Package Installation
new: Windows AppX Deployment Full Trust Package Installation
new: Windows AppX Deployment Unsigned Package Installation
new: Windows MSIX Package Support Framework AI_STUBS Execution
---------
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com >
2026-01-24 17:04:41 +01:00
30aebbb65c
Merge PR #5834 from @MATTANDERS0N - Add Devcon and KDU Execution Rules
...
new: PUA - Kernel Driver Utility (KDU) Execution
new: Devcon Execution Disabling VMware VMCI Device
---------
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com >
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com >
2026-01-24 12:36:29 +01:00
ad3a650641
Merge PR #5476 from @swachchhanda000 - Update SquiblyTwo Related Rules
...
update: WMIC Loading Scripting Libraries - Update metadata
update: Potential SquiblyTwo Technique Execution - Extend coverage for remote execution
update: XSL Script Execution Via WMIC.EXE - Filter out remote execution parameters to avoid duplicate alerting
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com >
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com >
2026-01-24 12:25:13 +01:00
222a2e2992
Merge PR #5749 from @swachchhanda000 - Update Phantom DLL hijacking Rules
...
update: Creation Of Non-Existent System DLL - Add new DLLs and update metadata
update: Potential DLL Sideloading Of Non-Existent DLLs From System Folders - Add new DLLs and update metadata
new: Registry Modification for OCI DLL Redirection
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com >
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com >
2026-01-24 12:04:15 +01:00
c8b1a0ff67
Merge PR #5805 from @swachchhanda000 - Add regression tests for curl-related rules
...
update: Curl Web Request With Potential Custom User-Agent - add another curl supported flag for header
chore: add regression tests for curl-related rules
2025-12-25 20:50:48 +05:45
b61d83beef
Merge PR #5790 from @nasbench - Metadata Updates
...
chore: update metadata of many rules
update: AppX Located in Uncommon Directory Added to Deployment Pipeline - Enhance selection criteria
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com >
2025-12-24 17:50:21 +01:00
2952d630a4
Merge PR #5774 from @mbabinski - Added rules related to ArcGIS Server Object Extension abuse
...
new: Suspicious File Created by ArcSOC.exe
new: Suspicious ArcSOC.exe Child Process
---------
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com >
2025-12-21 18:07:30 +01:00
685194383b
Merge PR #5804 from @swachchhanda000 - enhance rules related with file download from file sharing websites
...
update: Suspicious Remote AppX Package Locations - add github.com
update: BITS Transfer Job Download From File Sharing Domains - add github.com
update: Suspicious File Download From File Sharing Websites - File Stream - add github.com
update: Unusual File Download From File Sharing Websites - File Stream - add github.com
update: Network Communication Initiated To File Sharing Domains From Process Located In Suspicious Folder - add github.com
update: Network Connection Initiated From Process Located In Potentially Suspicious Or Uncommon Location - add github.com
update: Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE - add github.com
update: Suspicious File Download From File Sharing Domain Via Curl.EXE - add github.com
update: Suspicious File Download From File Sharing Domain Via Wget.EXE - add github.com
2025-12-12 08:04:27 +05:45
c5b881019a
Merge PR #5777 from @swachchhanda000 - feat: more edrfreeze rules
...
new: WerFaultSecure Loading DbgCore or DbgHelp - EDR-Freeze
new: Suspicious Loading of Dbgcore/Dbghelp DLLs from Uncommon Location
new: Suspicious Process Access to LSASS with Dbgcore/Dbghelp DLLs
new: Suspicious Process Access of MsMpEng by WerFaultSecure - EDR-Freeze
update: Hacktool - EDR-Freeze Execution - add more coverage
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com >
2025-12-10 15:29:38 +01:00
Nasreddine Bencherchali