Mostafa Moradian
f627ff2270
Merge PR #5964 from @mostafa - Update Okta Rules to use CamelCase fields
...
update: Okta 2023 Breach Indicator Of Compromise - Update field name to use CamelCase
update: Okta Admin Role Assigned to an User or Group - Update field name to use CamelCase
update: Okta Admin Role Assignment Created - Update field name to use CamelCase
update: Okta API Token Created - Update field name to use CamelCase
update: Okta API Token Revoked - Update field name to use CamelCase
update: Okta Application Modified or Deleted - Update field name to use CamelCase
update: Okta Application Sign-On Policy Modified or Deleted - Update field name to use CamelCase
update: Okta FastPass Phishing Detection - Update field name to use CamelCase
update: Okta Identity Provider Created - Update field name to use CamelCase
update: Okta MFA Reset or Deactivated - Update field name to use CamelCase
update: Okta Network Zone Deactivated or Deleted - Update field name to use CamelCase
update: Okta New Admin Console Behaviours - Update field name to use CamelCase
update: Potential Okta Password in AlternateID Field - Update field name to use CamelCase
update: Okta Policy Modified or Deleted - Update field name to use CamelCase
update: Okta Policy Rule Modified or Deleted - Update field name to use CamelCase
update: Okta Security Threat Detected - Update field name to use CamelCase
update: Okta Suspicious Activity Reported by End-user - Update field name to use CamelCase
update: Okta Unauthorized Access to App - Update field name to use CamelCase
update: Okta User Account Locked Out - Update field name to use CamelCase
update: New Okta User Created - Update field name to use CamelCase
update: Okta User Session Start Via An Anonymising Proxy Service - Update field name to use CamelCase
2026-04-27 21:55:40 +02:00
Florian Roth
7fc53c563e
Merge PR #5925 from @Neo23x0 - Add filter for nsswitch and double extension in icons folder
...
fix: Non-Standard Nsswitch.Conf Creation - Potential CVE-2025-32463 Exploitation - Add additional path for nsswitch `/usr/share/factory/etc/nsswitch.conf`
fix: Suspicious Double Extension Files - Add a new filter `/usr/share/icons/`
---------
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com>
Thanks: @marius-benthin
2026-04-01 13:55:12 +02:00
Swachchhanda Shrawan Poudel
4bb5637b23
Merge PR #5923 from @swachchhanda000 - Add litellm Supply Chain Attack Related Rules
...
new: TeamPCP LiteLLM Supply Chain Attack Persistence Indicators
new: LiteLLM / TeamPCP Supply Chain Attack Indicators
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2026-04-01 13:11:45 +02:00
Swachchhanda Shrawan Poudel
71f1120dc6
Merge PR #5928 from @swachchhanda000 - Add Axios NPM Compromise Indicators Related Rules
...
new: Axios NPM Compromise File Creation Indicators - Linux
new: Axios NPM Compromise File Creation Indicators - MacOS
new: Axios NPM Compromise File Creation Indicators - Windows
new: Axios NPM Compromise Malicious C2 Domain DNS Query
new: Axios NPM Compromise Indicators - Linux
new: Axios NPM Compromise Indicators - MacOS
new: Axios NPM Compromise Indicators - Windows
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
2026-04-01 12:31:31 +02:00
Swachchhanda Shrawan Poudel
56a58e1ee6
Merge PR #5772 from @swachchhanda000 - Add Shai-Hulud: The Second Coming Rules
...
update: Shai-Hulud Malicious GitHub Workflow Creation - Add new entries to the list to increase coverage
new: Shai-Hulud Malware Indicators - Linux
new: Shai-Hulud Malicious Bun Execution - Linux
new: Shai-Hulud 2.0 Malicious NPM Package Installation - Linux
new: Shai-Hulud Malware Indicators - Windows
new: Shai-Hulud Malicious Bun Execution
new: Shai-Hulud 2.0 Malicious NPM Package Installation
new: Script Interpreter Spawning Credential Scanner - Linux
new: Script Interpreter Spawning Credential Scanner - Windows
---------
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
2026-03-29 14:58:59 +02:00
Swachchhanda Shrawan Poudel
14d11fdda7
Merge PR from @swachchhanda000 - SolarWinds WebHelpDesk RCE Vulnerabilities Exploitation
...
new: Suspicious Child Process of SolarWinds WebHelpDesk
---------
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
2026-02-13 07:21:03 +05:45
Swachchhanda Shrawan Poudel
13aae8c1ea
Merge PR #5795 from @swachchhanda000 - Add new rules for CVE-2025-55182 / React2Shell
...
new: Windows Suspicious Child Process From Node.js - React2Shell
new: Linux Suspicious Child Process From Node.js - React2Shell
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
2025-12-10 03:13:14 +01:00
YxinMiracle
238e6f070f
Merge PR #5707 from @YxinMiracle - Add Grixba Malware Reconnaissance Activity
...
new: Grixba Malware Reconnaissance Activity
---------
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2025-11-27 22:36:53 +01:00
Nasreddine Bencherchali
9d58e38bbc
Merge PR #5769 from @nasbench - fix keywords rule and remove the fields field
...
remove: Space After Filename - Logic was incorrect and untested
update: Potential CVE-2024-3400 Exploitation - Palo Alto GlobalProtect OS Command Injection - Update selection
update: JexBoss Command Sequence - Update the selection to use the |all modifier.
chore: remove any usage of the fields field to prepare for deprecation in the spec.
2025-11-24 09:54:29 +01:00
JasonPhang98
bbbfb67ab0
Merge PR #5669 from @JasonPhang98 - Extend Atomic MacOS Stealer - FileGrabber Rules
...
remove: Atomic MacOS Stealer - FileGrabber Infostealer Execution - deprecate in favor of e710a880-1f18-4417-b6a0-b5afdf7e33da
new: Atomic MacOS Stealer - Persistence Indicators
new: Atomic MacOS Stealer - FileGrabber Activity
---------
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
2025-11-24 08:37:52 +05:45
Swachchhanda Shrawan Poudel
64ba98e044
Merge PR #5662 from @swachchhanda000 - Cisco ASA/FP SSL VPN Exploit (CVE-2025-20333 / CVE-2025-20362)
...
new: Cisco ASA/FP SSL VPN Exploit (CVE-2025-20333 / CVE-2025-20362) - Proxy
---------
Co-authored-by: Nasreddine Bencherchali <nasbench@users.noreply.github.com>
2025-11-21 13:06:30 +05:45
Swachchhanda Shrawan Poudel
47171af68a
Merge PR #5601 from @swachchhanda000 - fix: add filters on registry rules
...
fix: Potential Ursnif Malware Activity - Registry - add specific registry key
fix: Common Autorun Keys Modification - filter null
fix: CurrentVersion NT Autorun Keys Modification - filter null and poqexec.exe
fix: Wow6432Node Windows NT CurrentVersion Autorun Keys Modification - filter null
2025-11-13 09:55:26 +05:45
Seth Hanford
799acec38b
Merge PR #5742 from @SethHanford - fix problematic regex with OR condition
...
fix: Potential Dtrack RAT Activity - fix problematic regex with 'OR' condition
---------
Co-authored-by: Seth Hanford <SethHanford@users.noreply.github.com>
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
2025-11-12 18:23:23 +05:45
Swachchhanda Shrawan Poudel
c6fcff5cff
Merge PR #5740 from @swachchhanda000 - chore: reorganize threat specific rules into rules-emerging-threats directory
...
chore: reorganize threat specific rules into rules-emerging-threats directory
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2025-11-10 12:00:08 +01:00
Swachchhanda Shrawan Poudel
b65441821c
Merge PR #5731 from @swachchhanda000 - Add rules for CVE-2025-59287
...
new: Exploitation Activity of CVE-2025-59287 - WSUS Suspicious Child Process
new: Exploitation Activity of CVE-2025-59287 - WSUS Deserialization
---------
Signed-off-by: swachchhanda000 <87493836+swachchhanda000@users.noreply.github.com>
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
Co-authored-by: Nasreddine Bencherchali
2025-11-02 00:20:51 +01:00
Nasreddine Bencherchali
a77d3bae4b
Merge PR #5708 from @nasbench - Multiple updates and issue fixes
...
fix: Turla Group Commands May 2020 - Change the commandline to regex to account for additional spaces when ingesting the non-XML version of logs from the eventlog.
fix: Potential Dtrack RAT Activity - Change the commandline to regex to account for additional spaces when ingesting the non-XML version of logs from the eventlog.
fix: Potential Data Exfiltration Activity Via CommandLine Tools - Change the commandline to regex to account for additional spaces when ingesting the non-XML version of logs from the eventlog.
fix: Suspicious Network Command - Change the commandline to regex to account for additional spaces when ingesting the non-XML version of logs from the eventlog.
fix: Suspicious SYSTEM User Process Creation - Change the commandline to regex to account for additional spaces when ingesting the non-XML version of logs from the eventlog.
fix: Potential Snatch Ransomware Activity - Change the commandline to regex to account for additional spaces when ingesting the non-XML version of logs from the eventlog.
fix: Potential Devil Bait Malware Reconnaissance - Change the commandline to regex to account for additional spaces when ingesting the non-XML version of logs from the eventlog.
fix: Mint Sandstorm - AsperaFaspex Suspicious Process Execution - Change the commandline to regex to account for additional spaces when ingesting the non-XML version of logs from the eventlog.
fix: Mint Sandstorm - ManageEngine Suspicious Process Execution - Change the commandline to regex to account for additional spaces when ingesting the non-XML version of logs from the eventlog.
update: Powershell Token Obfuscation - Powershell - Move to the TH folder in order to set the right FP expectations.
fix: Kerberoasting Activity - Initial Query - Fix issue with filter names and logic
chore: add sorting to the rule archiver script
---------
Thanks: KingKDot
Thanks: zambomarcell
Thanks: Koifman
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2025-10-29 11:45:19 +01:00
phantinuss
c8075cab6b
chore: ci: bump validator version (#5722)
...
chore: ci: bump validator version
chore: add missing tags
---------
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
2025-10-23 15:43:47 +02:00
Swachchhanda Shrawan Poudel
ff645332d4
Merge PR #5712 from @swachchhanda000 - fix: rules for blackByte ransomware and wce detection
...
update: Blackbyte Ransomware Registry - move to rules-emerging-threats folder
fix: HackTool - Windows Credential Editor (WCE) Execution - remove fp selection while increasing coverage
---------
Co-authored-by: Nasreddine Bencherchali <nasbench@users.noreply.github.com>
2025-10-23 09:07:48 +05:45
Swachchhanda Shrawan Poudel
a532ddb638
Merge PR #5620 from @swachchhanda000 - Commvault vulnerabilities
...
new: Commvault QLogin with PublicSharingUser and GUID Password (CVE-2025-57788)
new: Commvault QOperation Path Traversal Webshell Drop (CVE-2025-57790)
new: Commvault QLogin Argument Injection Authentication Bypass (CVE-2025-57791)
new: Suspicious File Write to Webapps Root Directory
---------
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
2025-10-20 08:52:44 +05:45
Swachchhanda Shrawan Poudel
0e82a90eb5
Merge PR #5680 from @swachchhanda000 - feat: add detection for CVE-2025-10035 exploit in GoAnywhere MFT
...
new: Potential Exploitation of GoAnywhere MFT vulnerability
---------
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
2025-10-20 08:16:29 +05:45
Swachchhanda Shrawan Poudel
208fee50a0
Merge PR #5658 from @swachchhanda000 - feat: shai hulud worm targeting npm supply chain attack
...
new: Shai-Hulud Malicious GitHub Workflow Creation
new: Shai-Hulud NPM Attack GitHub Activity
new: Shai-Hulud NPM Package Malicious Exfiltration via Curl
new: PUA - TruffleHog Execution
new: PUA - TruffleHog Execution - Linux
2025-10-19 07:28:08 +05:45
Swachchhanda Shrawan Poudel
f4e9d5f3c4
Merge PR #5671 from @swachchhanda000 - feat: add detection rules for CVE-2025-32463 sudo chroot vulnerability
...
new: Non-Standard Nsswitch.Conf Creation - Potential CVE-2025-32463 Exploitation
new: Linux Sudo Chroot Execution
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2025-10-19 07:21:26 +05:45
Djordje Lukic
afc36cbb4e
Merge PR #5691 from @djlukic - Adding RemoteAddress field for Windows Server coverage
...
fix: Potential CVE-2023-23397 Exploitation Attempt - Add RemoteAddress field to filters
---------
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
2025-10-18 07:53:56 +05:45
Swachchhanda Shrawan Poudel
de97c83224
Merge PR #5533 from @swachchhanda000 - fix: github reported issues
...
new: AWS IAM user with Console Access Login Without MFA (#5074)
new: Suspicious BitLocker Access Agent Update Utility Execution (#5502)
new: BaaUpdate.exe Suspicious DLL Load
update: Suspicious C2 Activities - update definition (#5142)
fix: Firewall Configuration Discovery Via Netsh.EXE - fix logic (#5171)
fix: WannaCry Ransomware Activity - remove generic indicators (#5131)
fix: Rare Remote Thread Creation By Uncommon Source Image - filter office FPs (#5529)
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2025-10-18 07:07:22 +05:45
Swachchhanda Shrawan Poudel
aecbc1563c
Merge PR #5387 from @swachchhanda000 - SAP NetWeaver Webshell
...
new: Potential SAP NetWeaver Webshell Creation - Linux
new: Potential SAP NetWeaver Webshell Creation
new: Suspicious Child Process of SAP NetWeaver - Linux
new: Suspicious Child Process of SAP NetWeaver
2025-10-01 12:57:42 +02:00
Florian Roth
ab61898690
Merge PR #5602 from @Neo23x0 - FPs with mknod
...
fix: UNC4841 - Barracuda ESG Exploitation Indicators - FPs with mknod on Linux systems
2025-10-01 11:28:58 +02:00
JasonPhang98
c9fd8a6665
Merge PR #5647 from @JasonPhang98 - MacOS FileGrabber Infostealer
...
new: MacOS FileGrabber Infostealer
---------
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
Co-authored-by: swachchhanda000 <swachchhandashrawan@gmail.com>
2025-10-01 10:13:09 +02:00
Gene Kazimiarovich
0d9c63eb1c
Merge PR #5391 from @gkazimiarovich - Suspicious Creation of .library-ms File (CVE-2025-24054)
...
new: Suspicious Creation of .library-ms File - Potential CVE-2025-24054 Exploit
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
2025-09-22 12:55:51 +02:00
Nisarg Suthar
042b8dfd0c
Merge PR #5576 from @nisargsuthar - CrushFTP RCE vulnerability CVE-2025-54309
...
new: CrushFTP RCE vulnerability CVE-2025-54309
---------
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2025-09-22 12:37:59 +02:00
0xPrashanthSec
ac177f15b1
Merge PR #5587 from @0xPrashanthSec - FunkLocker Ransomware File Creation
...
new: FunkLocker Ransomware File Creation
---------
Co-authored-by: Prashanth Pulisetti <40313110+prashanthpulisetti@users.noreply.github.com>
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com>
2025-09-22 12:37:10 +02:00
phantinuss
fe5e698723
Merge PR #5630 from @phantinuss - Revert "chore: improve windash order in modifiers"
...
chore: this reverts commit 8a2e4c16b9.
2025-08-28 20:11:57 +02:00
phantinuss
8a2e4c16b9
Merge PR #5628 from @phantinuss - chore: improve windash order in modifiers
...
chore: improve windash order in modifiers
2025-08-26 11:46:36 +02:00
Swachchhanda Shrawan Poudel
7a6c451d6d
Merge PR #5543 from @swachchhanda000 - update toolshell related rules
...
update: Potential SharePoint ToolShell CVE-2025-53770 Exploitation - File Create - update rule with new IOCs
new: Suspicious File Write to SharePoint Layouts Directory
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2025-07-28 14:22:06 +02:00
Swachchhanda Shrawan Poudel
4a8b55818e
Merge PR #5537 from @swachchhanda000 - Add CVE-2025-53770 Exploitation Detections
...
new: Potential SharePoint ToolShell CVE-2025-53770 Exploitation - File Create
new: Potential SharePoint ToolShell CVE-2025-53770 Exploitation Indicators
new: SharePoint ToolShell CVE-2025-53770 Exploitation - Web IIS
---------
Co-authored-by: nasbench
2025-07-21 11:34:26 +02:00
Swachchhanda Shrawan Poudel
3201382785
Merge PR #5513 from @swachchhanda000 - fix FPs observed via Aurora
...
fix: Suspicious Sysmon as Execution Parent - add filter for Sysmon binary running from temp dir
fix: Remote Thread Created In Shell Application - modify the logic to filter out legit processes creating remote thread in shell apps
fix: Potential Active Directory Reconnaissance/Enumeration Via LDAP - commenting out troublesome LDAP query parameter
fix: Rare Remote Thread Creation By Uncommon Source Image - add several FP filter
fix: Remote Thread Creation By Uncommon Source Image - add several FP filter
fix: ADS Zone.Identifier Deleted By Uncommon Application - filter msedge
fix: Remote Thread Creation In Uncommon Target Image - add FP filters for notepad and sethc
fix: Potential Binary Or Script Dropper Via PowerShell - add filters for legitimate binary dropped by PowerShell
fix: Use Short Name Path in Command Line - add filter for aurora
fix: Suspicious Userinit Child Process - filter null Image
fix: CurrentVersion NT Autorun Keys Modification - add filter for RuntimeBroker.exe
fix: Modification of IE Registry Settings - add filter for RuntimeBroker.exe
fix: Scheduled TaskCache Change by Uncommon Program - add filter for RuntimeBroker.exe
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2025-07-08 10:29:01 +02:00
github-actions[bot]
4316ad64da
Merge PR #5506 from @nasbench - promote older rules status from experimental to test
...
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
2025-07-01 10:34:38 +02:00
Swachchhanda Shrawan Poudel
2610f580d8
Merge PR #5500 from @swachchhanda000 - Potential Notepad++ CVE-2025-49144 Exploitation
...
new: Potential Notepad++ CVE-2025-49144 Exploitation
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2025-07-01 10:22:35 +02:00
Swachchhanda Shrawan Poudel
8721fa654c
Merge PR #5479 from @swachchhanda000 - Webdav CVE-2025-33053 RCE vulnerability
...
new: Potential Exploitation of RCE Vulnerability CVE-2025-33053 - Image Load
new: Potential Exploitation of RCE Vulnerability CVE-2025-33053 - Process Access
new: Potential Exploitation of RCE Vulnerability CVE-2025-33053
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2025-06-13 13:30:14 +02:00
phantinuss
dfed136f16
Merge PR #5477 from @phantinuss - chore: update MITRE tag t1219 to t1219.002
...
chore: update MITRE tag t1219 to t1219.002
2025-06-13 10:00:52 +02:00
frack113
b7908efab9
Merge PR #5473 from @frack113 - chore: add ET and TH tags
...
chore: Add emerging-threats tags
chore: Add threat-hunting tags
2025-06-12 10:21:24 +02:00
Swachchhanda Shrawan Poudel
73ce21b574
Merge PR #5416 from @swachchhanda000 - Detection of SAP NetViewer CVE-2025-31324 exploitation via webserver logs
...
new: Potential SAP NetViewer Webshell Command Execution
new: Potential Java WebShell Upload in SAP NetViewer Server
chore: unpin pySigma validator version
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
2025-06-11 11:28:24 +02:00
frack113
74fc1c74ec
Merge PR #5451 from @frack113 - chore: cleanup metadata
...
chore: 🧹 Remove redundant modified field
chore: 🧹 Use Mitre tags instead of url
chore: 🧹 Use permalink for github file reference
chore: 🧹 Order emerging-threats Exploits rules
2025-06-04 13:33:36 +02:00
github-actions[bot]
ec827cccb6
Merge PR #5448 from @nasbench - Promote older rules status from experimental to test
...
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
2025-06-02 13:29:48 +02:00
Swachchhanda Shrawan Poudel
585bd7d487
Merge PR #5429 from @swachchhanda000 - Katz stealer malware
...
new: DNS Query To Katz Stealer Domains
new: Katz Stealer DLL Loaded
new: DNS Query To Katz Stealer Domains - Network
new: Katz Stealer Suspicious User-Agent
new: Suspicious File Access to Browser Credential Storage
new: Registry Export of Third-Party Credentials
update: Enumeration for 3rd Party Creds From CLI - Updated the condition to update FP
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2025-05-26 10:33:24 +02:00
Swachchhanda Shrawan Poudel
b9e11ba205
Merge PR #5427 from @swachchhanda000 - Add Potential Exploitation of CVE-2025-4427/4428 Ivanti EPMM Pre-Auth RCE
...
new: Potential Exploitation of CVE-2025-4427/4428 Ivanti EPMM Pre-Auth RCE
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2025-05-20 23:00:06 +02:00
github-actions[bot]
350fec2f51
Merge PR #5397 from @nasbench - Promote older rules status from experimental to test
...
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
2025-05-20 22:58:46 +02:00
frack113
83b9ff50bc
Merge PR #5418 from @frack113 - chore: 🧹 Update MITRE V17 DLL tags
...
chore: Update MITRE T1574.002 as it is now merged into T1574.001 in V17
2025-05-15 12:17:10 +02:00
Swachchhanda Shrawan Poudel
85fd5958bc
Merge PR #5261 from @swachchhanda000 - Add Suspicious CrushFTP Child Process
...
new: Suspicious CrushFTP Child Process
---------
Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>
2025-04-17 21:43:35 +02:00
RG9n
3d17247df5
Merge PR #5263 from @RG9n - Add Suspicious Process Spawned by CentreStack Portal AppPool
...
new: Suspicious Process Spawned by CentreStack Portal AppPool
---------
Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>
2025-04-17 21:42:56 +02:00
Kostas
07c285ca29
Merge PR #5265 from @tsale - Update Obfuscated PowerShell OneLiner Execution and author of multiple rules
...
update: Obfuscated PowerShell OneLiner Execution - Enhance logic to increase coverage.
---------
Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>
2025-04-17 21:42:17 +02:00