56 Commits

Author SHA1 Message Date
Tom Kluter c8f207d390 Merge PR #5409 from @Luke57 - Add New Google Workspace Related Rules
new: Google Workspace Government Attack Warning
new: Google Workspace Out Of Domain Email Forwarding
new: Suspicious Login Activity Classified By Google

---------

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
2026-04-28 02:48:14 +02:00
Swachchhanda Shrawan Poudel 77f4b0b2ec Merge PR #5741 from @swachchhanda000 - Add Splunk Rules for MSIX/AppX
new: Successful MSIX/AppX Package Installation
new: Windows AppX Deployment Full Trust Package Installation
new: Windows AppX Deployment Unsigned Package Installation
new: Windows MSIX Package Support Framework AI_STUBS Execution

---------

Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com>
2026-01-24 17:04:41 +01:00
Nasreddine Bencherchali 5656c48a97 Merge PR #5793 from @nasbench - Rename Auditd Folder Entries and update SYSCALL field
chore: rename auditd folders and others
update: Audio Capture - Updated syscall field to SYSCALL in order to make use of enriched logs
update: ASLR Disabled Via Sysctl or Direct Syscall - Linux - Updated syscall field to SYSCALL in order to make use of enriched logs
update: Clear or Disable Kernel Ring Buffer Logs via Syslog Syscall - Updated syscall field to SYSCALL in order to make use of enriched logs
update: System Info Discovery via Sysinfo Syscall - Updated syscall field to SYSCALL in order to make use of enriched logs
update: Special File Creation via Mknod Syscall - Updated syscall field to SYSCALL in order to make use of enriched logs
update: Webshell Remote Command Execution - Updated syscall field to SYSCALL in order to make use of enriched logs
2025-12-08 16:03:55 +01:00
Swachchhanda Shrawan Poudel 64ba98e044 Merge PR #5662 from @swachchhanda000 - Cisco ASA/FP SSL VPN Exploit (CVE-2025-20333 / CVE-2025-20362)
new: Cisco ASA/FP SSL VPN Exploit (CVE-2025-20333 / CVE-2025-20362) - Proxy
---------

Co-authored-by: Nasreddine Bencherchali <nasbench@users.noreply.github.com.>
2025-11-21 13:06:30 +05:45
InTheCyber 4dfbd6b713 Merge PR #5197 from @inthecyber - Add new Fortinet Fortigate rules
new: FortiGate - New Administrator Account Created
new: FortiGate - Firewall Address Object Added
new: FortiGate - New Firewall Policy Added
new: FortiGate - New Local User Created
new: FortiGate - New VPN SSL Web Portal Added
new: FortiGate - User Group Modified
new: FortiGate - VPN SSL Settings Modified

---------

Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
Co-authored-by: Tommaso Tosi <tommaso.tosi@inthecyber.com>
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
2025-11-02 00:06:27 +01:00
mm-abdelghani c470105fbf Merge PR #5686 from @mm-abdelghani - Unsigned or Unencrypted SMB Connection to Share Established
new: Unsigned or Unencrypted SMB Connection to Share Established

---------

Co-authored-by: nasbench <nasbench@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2025-10-23 13:43:15 +02:00
Andreas Braathen 35d80c39bd Merge PR #5175 from @netgrain - Add WDAC Policy File Creation In CodeIntegrity Folder
new: WDAC Policy File Creation In CodeIntegrity Folder
---------

Co-authored-by: Andreas Braathen <andreasb@mnemonic.io>
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
2025-09-22 11:48:53 +02:00
Swachchhanda Shrawan Poudel 73ce21b574 Merge PR #5416 from @swachchhanda000 - Detection of SAP NetViewer CVE-2025-31324 exploitation via webserver logs
new: Potential SAP NetViewer Webshell Command Execution
new: Potential Java WebShell Upload in SAP NetViewer Server
chore: unpin pySigma validator version

---------

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
2025-06-11 11:28:24 +02:00
frack113 c70fff4b8b Merge PR #4935 from @frack113 - Add new IIS logsource and related rules
chore: add "Microsoft-IIS-Configuration/Operational" support to the tests and thor.yml
new: ETW Logging/Processing Option Disabled On IIS Server
new: HTTP Logging Disabled On IIS Server
new: New Module Module Added To IIS Server
new: Previously Installed IIS Module Was Removed 

---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-10-06 22:44:05 +02:00
Josh 0192a5207e Merge PR #4839 from @joshnck - Add New RDP Connection Initiated From Domain Controller
new: New RDP Connection Initiated From Domain Controller 

---------

Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-05-10 16:32:09 +02:00
Andreas Braathen 2ef1a3b096 Merge PR #4825 from @netgrain - New analytic for CVE-2024-3400
new: Potential CVE-2024-3400 Exploitation - Palo Alto GlobalProtect OS Command Injection - File Creation
---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-04-25 14:46:07 +02:00
Nasreddine Bencherchali b349447e7d Merge PR #4826 from @nasbench - Add coverage for CVE-2024-3400
new: Potential CVE-2024-3400 Exploitation - Palo Alto GlobalProtect OS Command Injection

---------

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2024-04-24 14:59:24 +02:00
nikitah4x 5b4bfd6ffd Merge PR #4814 from @nikitah4x - Add new rule to detect MFA bypass in Cisco Duo
new: Cisco Duo Successful MFA Authentication Via Bypass Code

---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-04-17 12:28:38 +02:00
Leo Tsaousis 0d63f52ff5 Merge PR #4694 from @LAripping - Add native Kubernetes detections
new: Container With A hostPath Mount Created
new: Creation Of Pod In System Namespace
new: Deployment Deleted From Kubernetes Cluster
new: Kubernetes Events Deleted
new: Kubernetes Secrets Enumeration
new: New Kubernetes Service Account Created
new: Potential Remote Command Execution In Pod Container
new: Potential Sidecar Injection Into Running Deployment
new: Privileged Container Deployed
new: RBAC Permission Enumeration Attempt 

---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-03-26 18:26:46 +01:00
Josh Brower eac04262c2 Merge PR #4695 from @defensivedepth - Add new rules based on OpenCanary tooling
new: OpenCanary - FTP Login Attempt
new: OpenCanary - GIT Clone Request
new: OpenCanary - HTTP GET Request
new: OpenCanary - HTTP POST Login Attempt
new: OpenCanary - HTTPPROXY Login Attempt
new: OpenCanary - MSSQL Login Attempt Via SQLAuth
new: OpenCanary - MSSQL Login Attempt Via Windows Authentication
new: OpenCanary - MySQL Login Attempt
new: OpenCanary - NTP Monlist Request
new: OpenCanary - REDIS Action Command Attempt
new: OpenCanary - SIP Request
new: OpenCanary - SMB File Open Request
new: OpenCanary - SNMP OID Request
new: OpenCanary - SSH Login Attempt
new: OpenCanary - SSH New Connection Attempt
new: OpenCanary - Telnet Login Attempt
new: OpenCanary - TFTP Request
new: OpenCanary - VNC Connection Attempt 

---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-03-08 16:24:19 +01:00
z00t dbdf7f2424 Merge PR #4737 from @faisalusuf - Add New Bitbucket Related Rules
new: Bitbucket Full Data Export Triggered
new: Bitbucket Global Permission Changed
new: Bitbucket Global Secret Scanning Rule Deleted
new: Bitbucket Global SSH Settings Changed
new: Bitbucket Audit Log Configuration Updated
new: Bitbucket Project Secret Scanning Allowlist Added
new: Bitbucket Secret Scanning Exempt Repository Added
new: Bitbucket Secret Scanning Rule Deleted
new: Bitbucket Unauthorized Access To A Resource
new: Bitbucket Unauthorized Full Data Export Triggered
new: Bitbucket User Details Export Attempt Detected
new: Bitbucket User Login Failure
new: Bitbucket User Login Failure Via SSH
new: Bitbucket User Permissions Export Attempt 

---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-02-26 21:07:58 +01:00
jstnk9 5fac8cb7df Merge PR #4692 from @jstnk9 - Add new rules related to IExpress abuse
new: New Self Extracting Package Created Via IExpress.EXE
new: Self Extraction Directive File Created In Potentially Suspicious Location
new: Potentially Suspicious Self Extraction Directive File Created
new: Self Extracting Package Creation Via Iexpress.EXE From Potentially Suspicious Location 
---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2024-02-08 16:57:23 +01:00
Douglas Rose a572fc50b5 Merge PR #4714 from @douglasrose75 - Add Rule Covering Exploitation Indicators For CVE 2022-42475
new: Exploitation Indicator Of CVE-2022-42475

---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-02-08 16:30:44 +01:00
Andreas Braathen ea4d6095a0 Merge PR #4521 from @netgrain - Add New Rules Related To Pikabot
new: Potential Pikabot C2 Activity - Suspicious Process Created By Rundll32.EXE
new: Potential Pikabot Discovery Activity - Suspicious Process Created By Rundll32.EXE
new: Potential Pikabot Hollowing Activity - Suspicious Process Created By Rundll32.EXE

---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2023-11-06 14:10:52 +01:00
frack113 271f972468 Merge PR #4538 from @frack113 - Add Sigma CLI Configuration File
chore: add sigma-cli configuration file
fix: Suspicious Non-Browser Network Communication With Google API - Fix escaped wildcard issue and Update modifiers
fix: Uncommon PowerShell Hosts - Fix escaped wildcard issue
fix: Potential Active Directory Reconnaissance/Enumeration Via LDAP - Update logsource

---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2023-11-03 16:59:53 +01:00
ts-lbf f928fcb936 Merge PR #4497 from @ts-lbf - New Rule Related To CVE-2023-20198 Exploitation
new: Exploitation Indicators Of CVE-2023-20198 

---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2023-10-23 19:36:26 +02:00
Nasreddine Bencherchali 7364ce00b1 Merge PR #4476 from @nasbench - re-organize cloud folder and other things
fix: Azure Active Directory Hybrid Health AD FS New Server - Update Logsource to align with the rest of the azure rules
fix: Azure Active Directory Hybrid Health AD FS Service Delete - Update Logsource to align with the rest of the azure rules
fix: Number Of Resource Creation Or Deployment Activities - Update Logsource to align with the rest of the azure rules
fix: Granting Of Permissions To An Account - Update Logsource to align with the rest of the azure rules
fix: Rare Subscription-level Operations In Azure - Update Logsource to align with the rest of the azure rules
fix: Google Workspace Application Removed - Update logsource product field to `gcp`
fix: Google Workspace Granted Domain API Access - Update logsource product field to `gcp`
fix: Google Workspace MFA Disabled - Update logsource product field to `gcp`
fix: Google Workspace Role Modified or Deleted - Update logsource product field to `gcp`
fix: Google Workspace Role Privilege Deleted - Update logsource product field to `gcp`
fix: Google Workspace User Granted Admin Privileges - Update logsource product field to `gcp`
2023-10-12 13:32:24 +02:00
cyb3rjy0t 229b70f68a Merge PR #4401 from @cyb3rjy0t - Add New O365 Related Rules
new: Disabling Multi Factor Authentication
new: New Federated Domain Added
update: New Federated Domain Added - Exchange

---------

Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
2023-09-18 19:30:16 +02:00
Mark Morowczynski f28b89c084 Merge PR #4445 from @MarkMorow - New Azure PIM Rules
new: Stale Accounts In A Privileged Role
new: Invalid PIM License
new: Roles Assigned Outside PIM
new: Roles Activated Too Frequently
new: Roles Activation Doesn't Require MFA
new: Roles Are Not Being Used
new: Too Many Global Admins

---------

Co-authored-by: gleeiamglo <142270304+gleeiamglo@users.noreply.github.com>
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
2023-09-14 22:02:30 +02:00
Nasreddine Bencherchali 67d0d2afff chore: change service name to lowercase 2023-08-08 15:41:08 +02:00
frack113 a66b38d3df Fix to pass the tests 2023-08-08 06:47:08 +02:00
Nasreddine Bencherchali de9f3a3521 feat: update logsource and rule
- Add 2 new event log
  - Microsoft-Windows-CAPI2/Operational
  - Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational
- Update required tests and rules
2023-05-19 00:05:05 +02:00
frack113 c1a9712558 Review Web logsource 2023-05-08 11:04:16 +02:00
Nasreddine Bencherchali 2710bf4710 feat: new rules, updates and fp fixes (#4162) 2023-04-11 13:04:22 +02:00
Moti-H ff4242dadd feat: add new application vulnerability rules (#4034) 2023-02-15 12:29:53 +01:00
frack113 2bd14e4953 Small update
- Change service to audit
- Add operation
2023-01-22 08:55:24 +01:00
Nasreddine Bencherchali 5416935cec feat: update logsource with new service 2023-01-21 11:33:48 +01:00
Nasreddine Bencherchali 1c340493c6 fix: broken logsource 2023-01-17 01:13:50 +01:00
Nasreddine Bencherchali e5fe4d5f46 feat: update config files
- Update indentation of config files to 4
- Add new event logs
2023-01-17 01:00:24 +01:00
frack113 2b0b680775 Merge pull request #3925 from frack113/lsa-server
Microsoft-Windows-LSA
2023-01-13 18:24:43 +01:00
Nasreddine Bencherchali c7f1f52b7b fix: apply suggestions from code review 2023-01-13 18:19:32 +01:00
frack113 deeac89f36 Add lsa-server 2023-01-13 17:56:02 +01:00
frack113 2be462d2cf Add UserName for taskscheduler 2023-01-13 13:13:53 +01:00
Nasreddine Bencherchali debd658aac feat: new rules related to appx packages 2023-01-11 23:04:37 +01:00
frack113 fbae1f3055 Merge pull request #3889 from frack113/iso_evtx
Add win_vhdmp_mount_iso.yml
2023-01-11 18:05:50 +01:00
frack113 5cff2d2b3f Update logsource.json 2023-01-10 21:53:35 +01:00
frack113 9b550f6858 Add win_vhdmp_mount_iso 2023-01-09 10:19:41 +01:00
frack113 d6059d801b Filename normalisation 2023-01-07 08:52:11 +01:00
frack113 ed1a91b53f remove duplicate value 2023-01-04 19:42:16 +01:00
frack113 7d5fb8db30 update logsource 2023-01-04 19:36:37 +01:00
frack113 756a248032 update logsource 2023-01-04 18:52:24 +01:00
Nasreddine Bencherchali 3bd12552bb feat: add bitlocker channel 2023-01-02 22:19:32 +01:00
frack113 c62d624892 Use W3C cs-uri-query 2023-01-02 18:56:34 +01:00
frack113 41c850e00b Use W3C cs-uri-query 2023-01-02 18:45:50 +01:00
frack113 a1a94a0b66 Update W3C field name 2023-01-02 16:39:55 +01:00