Nasreddine Bencherchali
5656c48a97
Merge PR #5793 from @nasbench - Rename Auditd Folder Entries and update SYSCALL field
...
chore: rename auditd folders and others
update: Audio Capture - Updated syscall field to SYSCALL in order to make use of enriched logs
update: ASLR Disabled Via Sysctl or Direct Syscall - Linux - Updated syscall field to SYSCALL in order to make use of enriched logs
update: Clear or Disable Kernel Ring Buffer Logs via Syslog Syscall - Updated syscall field to SYSCALL in order to make use of enriched logs
update: System Info Discovery via Sysinfo Syscall - Updated syscall field to SYSCALL in order to make use of enriched logs
update: Special File Creation via Mknod Syscall - Updated syscall field to SYSCALL in order to make use of enriched logs
update: Webshell Remote Command Execution - Updated syscall field to SYSCALL in order to make use of enriched logs
2025-12-08 16:03:55 +01:00
Seth Hanford
5f57f9e816
Merge PR #5766 from @SethHanford - Update Potential Container Discovery Via Inodes Listing
...
update: Potential Container Discovery Via Inodes Listing - replace contains globbing with more correct patterns using regex
---------
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com>
2025-11-25 16:29:32 +01:00
EzLucky
66e091c08c
Merge PR #5770 from @EzLucky - Update MITRE Attack mapping for Linux Capabilities Discovery
...
chore: update mitre att&ck tag
---------
Co-authored-by: nasbench <monsteroffire2@gmail.com>
2025-11-25 16:23:51 +01:00
Nasreddine Bencherchali
2cb7375c6b
Merge PR #5719 from @nasbench - Add regression test CI, data and simulation links
...
update: Cred Dump Tools Dropped Files - Add procdump.exe and procdump64a.exe
update: File Download From Browser Process Via Inline URL - Enhance selection by splitting CLI markers for better matching
update: Tor Client/Browser Execution - Add additional PE metadata markers
update: System Information Discovery via Registry Queries - Enhance registry markers
update: PUA - AdFind Suspicious Execution - Add -sc to dclist string for more accurate coverage.
fix: Removal Of Index Value to Hide Schedule Task - Registry - Remove EventType condition that broke the rule.
fix: Removal Of SD Value to Hide Schedule Task - Registry - Remove EventType condition that broke the rule.
fix: Creation of a Local Hidden User Account by Registry - Fix the TargetObject value
fix: Potential Persistence Via New AMSI Providers - Registry - Change logsource and fix the rule logic
fix: Potential COM Object Hijacking Via TreatAs Subkey - Registry - Change logsource and fix the rule logic
fix: Potential Persistence Via Logon Scripts - Registry - Fix incorrect logsource
fix: PUA - Sysinternal Tool Execution - Registry - Fix incorrect logsource
fix: Suspicious Execution Of Renamed Sysinternals Tools - Registry - Fix incorrect logsource
fix: PUA - Sysinternals Tools Execution - Registry - Fix incorrect logsource
chore: add CI script for regression
chore: add regression data
---------
Co-authored-by: swachchhanda000 <87493836+swachchhanda000@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2025-11-25 16:00:53 +01:00
Kostas
5a2885c310
Merge PR #5627 from @tsale - Filename with Embedded Base64 Commands
...
new: Suspicious Filename with Embedded Base64 Commands
new: Potentially Suspicious Long Filename Pattern - Linux
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
Co-authored-by: swachchhanda000 <87493836+swachchhanda000@users.noreply.github.com>
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2025-11-24 15:33:42 +01:00
Nasreddine Bencherchali
9d58e38bbc
Merge PR #5769 from @nasbench - fix keywords rule and remove the fields field
...
remove: Space After Filename - Logic was incorrect and untested
update: Potential CVE-2024-3400 Exploitation - Palo Alto GlobalProtect OS Command Injection - Update selection
update: JexBoss Command Sequence - Update the selection to use the |all modifier.
chore: remove any usage of the fields field to prepare for deprecation in the spec.
2025-11-24 09:54:29 +01:00
Swachchhanda Shrawan Poudel
c6fcff5cff
Merge PR #5740 from @swachchhanda000 - chore: reorganize threat specific rules into rules-emerging-threats directory
...
chore: reorganize threat specific rules into rules-emerging-threats directory
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2025-11-10 12:00:08 +01:00
Milad Cheraghi
2d32b91bce
Merge PR #5661 from @CheraghiMilad - Update ASLR Disabled Via Sysctl or Direct Syscall
...
update: ASLR Disabled Via Sysctl or Direct Syscall - Linux - Add sysctl option
---------
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
2025-10-29 01:43:27 +01:00
Vladan Sekulic
e40fc91954
Merge PR #5600 from @vl43den - Add Syslog Clearing or Removal Via System Utilities
...
new: Syslog Clearing or Removal Via System Utilities
---------
Co-authored-by: Nasreddine Bencherchali
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
2025-10-28 22:49:32 +01:00
Mohamed LAKRI
d0c23170de
Merge PR #5079 from @mlakri - Add 2 new linux rules
...
new: Audit Rules Deleted Via Auditctl
new: Python WebServer Execution - Linux
---------
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
2025-10-28 22:45:53 +01:00
Milad Cheraghi
875dee72f4
Merge PR #5634 from @CheraghiMilad - Add Kaspersky Endpoint Security Stopped Via CommandLine - Linux
...
new: Kaspersky Endpoint Security Stopped Via CommandLine - Linux
---------
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
2025-10-28 22:34:26 +01:00
phantinuss
c8075cab6b
chore: ci: bump validator version (#5722)
...
chore: ci: bump validator version
chore: add missing tags
---------
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
2025-10-23 15:43:47 +02:00
RobertN87
f69ac5c345
Merge PR #5714 from @RobertN87 - Add missing MITRE tactics for 2 rules
...
chore: add missing MITRE tactics for 2 rules
2025-10-21 20:17:56 +02:00
Milad Cheraghi
ac1137183f
Merge PR #5090 from @CheraghiMilad - add rule for impair system power settings
...
new: Mask System Power Settings Via Systemctl
---------
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
2025-10-20 08:24:44 +05:45
Swachchhanda Shrawan Poudel
208fee50a0
Merge PR #5658 from @swachchhanda000 - feat: shai hulud worm targeting npm supply chain attack
...
new - Shai-Hulud Malicious GitHub Workflow Creation
new - Shai-Hulud NPM Attack GitHub Activity
new - Shai-Hulud NPM Package Malicious Exfiltration via Curl
new - PUA - TruffleHog Execution
new - PUA - TruffleHog Execution - Linux
2025-10-19 07:28:08 +05:45
Swachchhanda Shrawan Poudel
f4e9d5f3c4
Merge PR #5671 from @swachchhanda000 - feat: add detection rules for CVE-2025-32463 sudo chroot vulnerability
...
new: Non-Standard Nsswitch.Conf Creation - Potential CVE-2025-32463 Exploitation
new: Linux Sudo Chroot Execution
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2025-10-19 07:21:26 +05:45
Swachchhanda Shrawan Poudel
de97c83224
Merge PR #5533 from @swachchhanda000 - fix: github reported issues
...
new: AWS IAM user with Console Access Login Without MFA (#5074)
new: Suspicious BitLocker Access Agent Update Utility Execution (#5502)
new: BaaUpdate.exe Suspicious DLL Load
update: Suspicious C2 Activities - update definition (#5142)
fix: Firewall Configuration Discovery Via Netsh.EXE - fix logic (#5171)
fix: WannaCry Ransomware Activity - remove generic indicators (#5131)
fix: Rare Remote Thread Creation By Uncommon Source Image - filter office FPs (#5529)
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2025-10-18 07:07:22 +05:45
Vladan Sekulic
84425b8889
Merge PR #5677 from @vl43den - Modify System Firewall - add nftables delete/flush
...
update: Modify System Firewall - add nftables delete/flush
---------
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
2025-10-17 11:56:55 +02:00
Nasreddine Bencherchali
15b9599eb0
Change alert level from high to medium
2025-08-29 10:34:46 +02:00
swachchhanda000
4ba778f030
fix: potentially suspicious execution from tmp folder - nextcloud fp from tmp folder
2025-08-08 15:01:07 +05:45
github-actions[bot]
4316ad64da
Merge PR #5506 from @nasbench - promote older rules status from experimental to test
...
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
2025-07-01 10:34:38 +02:00
hashdr1ft
8fd6a5167d
Merge PR #5489 from @hashdr1ft - Suspicious Download and Execute Pattern via Curl/Wget
...
new: Suspicious Download and Execute Pattern via Curl/Wget
---------
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2025-06-25 12:48:57 +02:00
wieso-itzi
0304ffbbd6
Merge PR #5050 from @wieso-itzi - detect vacuuming of journald for log clearing
...
update: Commands to Clear or Remove the Syslog - detect journald vacuuming
---------
Signed-off-by: wieso-itzi <85185077+wieso-itzi@users.noreply.github.com>
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
2025-06-24 13:29:27 +02:00
phantinuss
39537caa0d
Merge PR #5486 from @phantinuss - fix: reduce FP matching with regex pattern
...
fix: Hidden Files and Directories - reduce FP matching with regex pattern
2025-06-24 10:35:56 +02:00
phantinuss
dfed136f16
Merge PR #5477 from @phantinuss - chore: update MITRE tag t1219 to t1219.002
...
chore: update MITRE tag t1219 to t1219.002
2025-06-13 10:00:52 +02:00
Milad Cheraghi
ff60fa5f91
Merge PR #5444 from @CheraghiMilad - Discovery System Info via Sysinfo Syscall
...
new: System Info Discovery via Sysinfo Syscall
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
2025-06-05 13:53:57 +02:00
Milad Cheraghi
4c8e709469
Merge PR #5446 from @CheraghiMilad - Special File Creation via Mknod Syscall
...
new: Special File Creation via Mknod Syscall
---------
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2025-06-05 13:27:24 +02:00
phantinuss
298e18c9c2
Merge PR #5467 from @phantinuss - use syscall names instead of ids
...
the integration pipeline or the rule consumer has to take care of the mapping
update: Audio Capture - use syscall name instead of id
update: Clear or Disable Kernel Ring Buffer Logs via Syslog Syscall - use syscall name instead of id
update: Disable ASLR Via Personality Syscall - Linux - use syscall name instead of id
2025-06-05 13:25:58 +02:00
Milad Cheraghi
0f4572c9ac
Merge PR #5459 from @CheraghiMilad - add execveat and match on euid instead of key
...
update: Webshell Remote Command Execution - add execveat and match on euid instead of key
---------
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2025-06-05 13:22:24 +02:00
Milad Cheraghi
2fda33e611
Merge PR #5461 from @CheraghiMilad - add uname
...
update: System Owner or User Discovery - Linux - add uname
---------
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
2025-06-05 13:20:16 +02:00
Milad Cheraghi
6509b21b82
Merge PR #5462 from @CheraghiMilad - add text output tools
...
update: Local Groups Discovery - Linux - add text output tools
---------
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
2025-06-05 13:19:27 +02:00
Milad Cheraghi
0627225cab
Merge PR #5463 from @CheraghiMilad - add more text output tools (#5463)
...
update: Access of Sudoers File Content - add more tools
---------
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2025-06-05 13:19:04 +02:00
david-syk
3eaaa050b7
Merge PR #5452 from @david-syk - Update the MITRE ATT&CK tags for multiple rules
...
chore: update the MITRE ATT&CK tags for multiple rules
2025-06-04 14:39:25 +02:00
frack113
74fc1c74ec
Merge PR #5451 from @frack113 - chore: cleanup metadata
...
chore: 🧹 Remove redundant modified field
chore: 🧹 Use Mitre tags instead of url
chore: 🧹 Use permalink for github file reference
chore: 🧹 Order emerging-threats Exploits rules
2025-06-04 13:33:36 +02:00
Milad Cheraghi
ad1bfd3d28
Merge PR #5438 from @CheraghiMilad - new: clean dmesg logs
...
new: Clear or Disable Kernel Ring Buffer Logs via Syslog Syscall
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
2025-05-31 14:24:43 +02:00
Milad Cheraghi
a5e070fc9d
Merge PR #5441 from @CheraghiMilad - chore: update reference
...
chore: Disable ASLR Via Personality Syscall - Linux - update reference for PoC
---------
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
2025-05-31 14:08:26 +02:00
Milad Cheraghi
5a1e44c525
Merge PR #5432 from @CheraghiMilad - Potential Abuse of Linux Magic System Request Key
...
new: Potential Abuse of Linux Magic System Request Key
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
2025-05-31 13:12:25 +02:00
Milad Cheraghi
9ebd94a00a
Merge PR #5435 from @CheraghiMilad - Disable ASLR Via Personality Syscall - Linux
...
new: Disable ASLR Via Personality Syscall - Linux
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
2025-05-28 13:29:58 +02:00
Milad Cheraghi
304b019212
Merge PR #5385 from @CheraghiMilad - Added new tool for recording audio - ecasound
...
update: Audio Capture - add ecasound detection
---------
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2025-05-21 09:10:51 +02:00
Koifman
b0481bea13
Merge PR #5393 from @Koifman - Update VMware rules for MITREv17
...
update: proc_creation_lnx_esxcli_vm_kill.yml - updating MITRE to match v17
update: proc_creation_lnx_esxcli_vsan_discovery.yml - updating MITRE to match v17
update: proc_creation_lnx_esxcli_system_discovery.yml - updating MITRE to match v17
update: proc_creation_lnx_esxcli_network_discovery.yml - updating MITRE to match v17
update: proc_creation_lnx_esxcli_storage_discovery.yml - updating MITRE to match v17
update: proc_creation_lnx_esxcli_syslog_config_change.yml - updating MITRE to match v17
update: proc_creation_lnx_esxcli_user_account_creation.yml - updating MITRE to match v17
update: proc_creation_lnx_esxcli_permission_change_admin.yml - updating MITRE to match v17
update: proc_creation_lnx_esxcli_vm_discovery.yml - updating MITRE to match v17
---------
Co-authored-by: Koifman <primeless42@gmail.com>
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
2025-05-21 08:39:49 +02:00
david-syk
6fe3ac8a02
Merge PR #5389 from @david-syk - Update MITRE ATT&CK tags
...
chore: update the tags of multiple rules
2025-05-20 23:09:50 +02:00
david-syk
efcfe43fae
Merge PR #5388 from @david-syk - Update MITRE ATT&CK tags
...
chore: update the tags of multiple rules
2025-05-20 23:09:23 +02:00
david-syk
f255ba29e6
Merge PR #5390 from @david-syk - Update MITRE ATT&CK tags
...
chore: update the tags of multiple rules
2025-05-20 23:08:57 +02:00
github-actions[bot]
350fec2f51
Merge PR #5397 from @nasbench - Promote older rules status from experimental to test
...
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
2025-05-20 22:58:46 +02:00
github-actions[bot]
29ad6f9617
Merge PR #5249 from @nasbench - Promote older rules status from experimental to test
...
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
2025-04-17 00:41:35 +02:00
Florian Roth
357838c404
Merge PR #5237 from @Neo23x0 - Update Buffer Overflow Attempts
...
update: Buffer Overflow Attempts - Enhance and rework logic with new keywords
2025-04-07 11:08:55 +02:00
Milad Cheraghi
a719612ab8
Merge PR #5098 from @CheraghiMilad - Update Service Reload or Start - Linux
...
update: Service Reload or Start - Linux - Add additional flags and binaries used to change services status
---------
Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>
2025-03-05 00:50:23 +01:00
github-actions[bot]
64852d95a9
Merge PR #5216 from @nasbench - Promote older rules status from experimental to test
...
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
2025-03-05 00:23:27 +01:00
github-actions[bot]
2bfb0935a0
Merge PR #5177 from @nasbench - promote older rules status from experimental to test
...
chore: promote older rules status from `experimental` to `test`
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
2025-02-03 18:23:12 +01:00
frack113
a99b163c93
Merge PR #5166 from @frack113 - Fix Privileged User Has Been Created
...
fix: Privileged User Has Been Created - Add missing comma to avoid false positives
2025-01-22 22:30:58 +01:00