Nasreddine Bencherchali
3a20687cad
Merge PR #5738 from @nasbench - rename folders and update readme
chore: rename folders and update readme
2025-11-03 10:35:44 +01:00
Swachchhanda Shrawan Poudel
b65441821c
Merge PR #5731 from @swachchhanda000 - Add rules for CVE-2025-59287
new: Exploitation Activity of CVE-2025-59287 - WSUS Suspicious Child Process
new: Exploitation Activity of CVE-2025-59287 - WSUS Deserialization
---------
Signed-off-by: swachchhanda000 <87493836+swachchhanda000@users.noreply.github.com>
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
Co-authored-by: Nasreddine Bencherchali
2025-11-02 00:20:51 +01:00
github-actions[bot]
941f2e9df4
Merge PR #5734 from @phantinuss - Update ATT&CK Heatmap Coverage
chore: update ATT&CK heatmap
---------
Co-authored-by: phantinuss <phantinuss@users.noreply.github.com>
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
2025-11-02 00:16:18 +01:00
github-actions[bot]
38a32c569d
Merge PR #5735 from @nasbench - Update deprecated csv
chore: update deprecated.csv and deprecated.json
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
2025-11-02 00:12:28 +01:00
github-actions[bot]
25710bbb76
Merge PR #5737 from @nasbench - Archive new rule references and update cache file
chore: archive new rule references and update cache file
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
2025-11-02 00:10:54 +01:00
InTheCyber
4dfbd6b713
Merge PR #5197 from @inthecyber - Add new Fortinet Fortigate rules
new: FortiGate - New Administrator Account Created
new: FortiGate - Firewall Address Object Added
new: FortiGate - New Firewall Policy Added
new: FortiGate - New Local User Created
new: FortiGate - New VPN SSL Web Portal Added
new: FortiGate - User Group Modified
new: FortiGate - VPN SSL Settings Modified
---------
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
Co-authored-by: Tommaso Tosi <tommaso.tosi@inthecyber.com>
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
2025-11-02 00:06:27 +01:00
Nasreddine Bencherchali
a77d3bae4b
Merge PR #5708 from @nasbench - Multiple updates and issue fixes
fix: Turla Group Commands May 2020 - Change the commandline to regex to account for additional spaces when ingesting non XML version of logs from the eventlog.
fix: Potential Dtrack RAT Activity - Change the commandline to regex to account for additional spaces when ingesting non XML version of logs from the eventlog.
fix: Potential Data Exfiltration Activity Via CommandLine Tools - Change the commandline to regex to account for additional spaces when ingesting non XML version of logs from the eventlog.
fix: Suspicious Network Command - Change the commandline to regex to account for additional spaces when ingesting non XML version of logs from the eventlog.
fix: Suspicious SYSTEM User Process Creation - Change the commandline to regex to account for additional spaces when ingesting non XML version of logs from the eventlog.
fix: Potential Snatch Ransomware Activity - Change the commandline to regex to account for additional spaces when ingesting non XML version of logs from the eventlog.
fix: Potential Devil Bait Malware Reconnaissance - Change the commandline to regex to account for additional spaces when ingesting non XML version of logs from the eventlog.
fix: Mint Sandstorm - AsperaFaspex Suspicious Process Execution - Change the commandline to regex to account for additional spaces when ingesting non XML version of logs from the eventlog.
fix: Mint Sandstorm - ManageEngine Suspicious Process Execution - Change the commandline to regex to account for additional spaces when ingesting non XML version of logs from the eventlog.
update: Powershell Token Obfuscation - Powershell - Move to the TH folder in order to set the right FP expectations.
fix: Kerberoasting Activity - Initial Query - Fix issue with filter names and logic
chore: add sorting to the rule archiver script
---------
Thanks: KingKDot
Thanks: zambomarcell
Thanks: Koifman
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
r2025-11-01
2025-10-29 11:45:19 +01:00
Nasreddine Bencherchali
02f7843bcf
Merge PR #5720 from @nasbench - Add Suspicious Speech Runtime Binary Child Process
Thanks: BIitzkrieg
2025-10-29 11:41:51 +01:00
Swachchhanda Shrawan Poudel
6560a6cc20
Merge PR #5711 from @swachchhanda000 - Add PUA - AWS TruffleHog Execution
Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>
2025-10-29 11:40:20 +01:00
Swachchhanda Shrawan Poudel
24f411b879
Merge PR #5706 from @swachchhanda000 - update PFX File Creation
update: PFX File Creation - Enhance filters, metadata and logic
---------
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2025-10-29 09:52:39 +01:00
Liran Ravich
bd21aec1e4
Merge PR #5604 from @Liran017 - Add new winrs related rules
new: Winrs Local Command Execution
new: Potential Lateral Movement via Windows Remote Shell
---------
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
2025-10-29 02:01:36 +01:00
Milad Cheraghi
2d32b91bce
Merge PR #5661 from @CheraghiMilad - Update ASLR Disabled Via Sysctl or Direct Syscall
update: ASLR Disabled Via Sysctl or Direct Syscall - Linux - Add sysctl option
---------
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
2025-10-29 01:43:27 +01:00
Vladan Sekulic
e40fc91954
Merge PR #5600 from @vl43den - Add Syslog Clearing or Removal Via System Utilities
new: Syslog Clearing or Removal Via System Utilities
---------
Co-authored-by: Nasreddine Bencherchali
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
2025-10-28 22:49:32 +01:00
Mohamed LAKRI
d0c23170de
Merge PR #5079 from @mlakri - Add 2 new linux rules
new: Audit Rules Deleted Via Auditctl
new: Python WebServer Execution - Linux
---------
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
2025-10-28 22:45:53 +01:00
Milad Cheraghi
875dee72f4
Merge PR #5634 from @CheraghiMilad - Add Kaspersky Endpoint Security Stopped Via CommandLine - Linux
new: Kaspersky Endpoint Security Stopped Via CommandLine - Linux
---------
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
2025-10-28 22:34:26 +01:00
frack113
6f9ccb34f8
Merge PR #5180 from @frack113 - Add Potential Executable Run Itself As Sacrificial Process
new: Potential Executable Run Itself As Sacrificial Process
---------
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
2025-10-28 22:22:13 +01:00
Jonathan Price
0738e34329
Merge PR #5193 from @toopricey - Add AWS KMS Imported Key Material Usage
new: AWS KMS Imported Key Material Usage
---------
Co-authored-by: Nasreddine Bencherchali
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
2025-10-28 22:13:17 +01:00
Ivan S
8c79d0a77b
Merge PR #5018 from @saakovv - Add 2 New GitHub Rules
new: GitHub Repository Pages Site Changed to Public
new: GitHub Repository Archive Status Changed
---------
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
2025-10-28 01:03:23 +01:00
Andreas Braathen
291c131314
Merge PR #5220 from @netgrain - Add File Access Of Signal Desktop Sensitive Data
new: File Access Of Signal Desktop Sensitive Data
---------
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
2025-10-28 01:00:06 +01:00
frack113
7c001b64d1
Merge PR #5111 from @frack113 - Add WFP Filter Added via Registry
new: WFP Filter Added via Registry
---------
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
2025-10-28 00:56:21 +01:00
phantinuss
309bd61b42
Merge PR #5726 from @phantinuss - chore: ci: add merge_group trigger to CI jobs
chore: ci: add merge_group trigger to CI jobs
2025-10-27 12:58:32 +01:00
Swachchhanda Shrawan Poudel
7d7dd4f863
Merge PR #5713 from @swachchhanda000 - PUA - Restic Backup Tool Execution
new: PUA - Restic Backup Tool Execution
2025-10-24 12:58:38 +02:00
phantinuss
c8075cab6b
chore: ci: bump validator version (#5722)
chore: ci: bump validator version
chore: add missing tags
---------
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
2025-10-23 15:43:47 +02:00
Swachchhanda Shrawan Poudel
727c69a30f
Merge PR #5689 from @swachchhanda000 - feat: usage or installation of wsl kali linux
new: Installation of WSL KaliLinux
new: WSL Kali Linux Usage
---------
Co-authored-by: Nasreddine Bencherchali <nasbench@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2025-10-23 18:04:38 +05:45
Adan Álvarez
5929e67ed9
Merge PR #5688 from @adanalvarez - AWS STS GetCallerIdentity Enumeration Via TruffleHog
new: AWS STS GetCallerIdentity Enumeration Via TruffleHog
---------
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
2025-10-23 13:48:06 +02:00
mm-abdelghani
c470105fbf
Merge PR #5686 from @mm-abdelghani - Unsigned or Unencrypted SMB Connection to Share Established
new: Unsigned or Unencrypted SMB Connection to Share Established
---------
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2025-10-23 13:43:15 +02:00
Swachchhanda Shrawan Poudel
ff645332d4
Merge PR #5712 from @swachchhanda000 - fix: rules for blackByte ransomware and wce detection
update: Blackbyte Ransomware Registry - move to rules-emerging-threats folder
fix: HackTool - Windows Credential Editor (WCE) Execution - remove fp selection while increasing coverage
---------
Co-authored-by: Nasreddine Bencherchali <nasbench@users.noreply.github.com>
2025-10-23 09:07:48 +05:45
Djordje Lukic
b7c084a413
Merge PR #5654 from @djlukic - add hexnode fp filter
fix: Uncommon PowerShell Hosts - filter hexnode
fix: Suspicious Non PowerShell WSMAN COM Provider - filter hexnode
fix: Allow Service Access Using Security Descriptor Tampering Via Sc.EXE - filter hexnode
fix: Registry Persistence via Service in Safe Mode - filter hexnode
fix: Potential PowerShell Obfuscation Using Alias Cmdlets - filter legitimate cim aliases
---------
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
Co-authored-by: Nasreddine Bencherchali <nasbench@users.noreply.github.com>
2025-10-23 08:58:09 +05:45
Swachchhanda Shrawan Poudel
d36fc36e08
Merge PR #5660 from @swachchhanda000 - feat: add rule to detect deletion of RunMRU registry key
new: RunMRU Registry Key Deletion
new: RunMRU Registry Key Deletion - Registry
---------
Co-authored-by: Nasreddine Bencherchali <nasbench@users.noreply.github.com>
2025-10-22 18:31:35 +05:45
Ivan S
3ae99cfc57
Merge PR #5021 from @saakovv - New rules for AWS
new: AWS Console Login Monitoring
new: AWS Bucket Deleted
new: AWS ConsoleLogin Failed Authentication
new: AWS EnableRegion Command Monitoring
new: AWS VPC Flow Logs Deleted
update: AWS Successful Console Login Without MFA - only alert on successful logins
---------
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
Co-authored-by: swachchhanda000 <swachchhandashrawan@gmail.com>
2025-10-22 14:36:42 +02:00
phantinuss
b228274f3f
Merge PR #5718 from @phantinuss - Fix Sysmon Channel Reference Deletion
fix: Sysmon Channel Reference Deletion - AccessMask should be a string
2025-10-22 10:57:20 +02:00
Zach Mathis (田中ザック)
59dfb1ce70
Merge PR #5715 from @YamatoSecurity - Add missing author field
chore: add missing author field
2025-10-22 00:26:03 +02:00
RobertN87
f69ac5c345
Merge PR #5714 from @RobertN87 - Add missing MITRE tactics for 2 rules
chore: add missing MITRE tactics for 2 rules
2025-10-21 20:17:56 +02:00
NinnessOtu
47fe9ca81f
Merge PR #5242 from @NinnessOtu - ISATAP Router Address Was Set
new: ISATAP Router Address Was Set
---------
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
2025-10-21 14:05:55 +05:45
kagebunsher
391d6858fd
Merge PR #5209 from @kagebunsher - update detection logic to avoid potential fps of jwt token search via cli
update: Potentially Suspicious JWT Token Search Via CLI - add selection for common search tools
---------
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
2025-10-21 12:16:24 +05:45
Vladan Sekulic
8e718c44ab
Merge PR #5675 from @vl43den - update: enhance lsass procdump with additional flags and service names
update: Potential LSASS Process Dump Via Procdump - expand flags and service-names detection
---------
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
2025-10-20 15:27:28 +02:00
phantinuss
698bf52124
Merge PR #5709 from @phantinuss - chore: ci: fix duplicate install
chore: ci: fix duplicate install
chore: ci: run tests independent of paths
2025-10-20 14:59:27 +02:00
Swachchhanda Shrawan Poudel
0c2b76e7d9
Merge PR #5622 from @swachchhanda000 - fix duplicate and fps
remove: PowerShell DownloadFile - Deprecated in favour of 3b6ab547-8ec2-4991-b9d2-2b06702a48d7
remove: Whoami Utility Execution - Deprecated in favor of 502b42de-4306-40b4-9596-6f590c81f073
fix: Usage Of Web Request Commands And Cmdlets - ScriptBlock - Commented out Net.webclient
fix: Usage Of Web Request Commands And Cmdlets - Comment out Net.webclient
fix: System Disk And Volume Reconnaissance via Wmic.EXE - update the rule logic to remove potential FPs
update: PowerShell Download Pattern - add powershell_ise
update: Use Short Name Path in Image - change detection logic structure
update: Local Accounts Discovery - add OriginalFileName field
---------
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
2025-10-20 09:08:28 +05:45
Swachchhanda Shrawan Poudel
a532ddb638
Merge PR #5620 from @swachchhanda000 - Commonvault vulnerabilities
new - Commvault QLogin with PublicSharingUser and GUID Password (CVE-2025-57788)
new - Commvault QOperation Path Traversal Webshell Drop (CVE-2025-57790)
new - Commvault QLogin Argument Injection Authentication Bypass (CVE-2025-57791)
new - Suspicious File Write to Webapps Root Directory
---------
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
2025-10-20 08:52:44 +05:45
Milad Cheraghi
ac1137183f
Merge PR #5090 from @CheraghiMilad - add rule for impair system power settings
new: Mask System Power Settings Via Systemctl
---------
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
2025-10-20 08:24:44 +05:45
Swachchhanda Shrawan Poudel
0e82a90eb5
Merge PR #5680 from @swachchhanda000 - feat: add detection for CVE-2025-10035 exploit in GoAnywhere MFT
new: Potential Exploitation of GoAnywhere MFT vulnerability
---------
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
2025-10-20 08:16:29 +05:45
Swachchhanda Shrawan Poudel
28e19f36f7
Merge PR #5246 from @swachchhanda000 - add more extensions that could be suspicious for startup folder
update: Suspicious Startup Folder Persistence: add more suspicious extensions
---------
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2025-10-20 08:05:37 +05:45
frack113
296754cc40
Merge PR #4939 from @frack113 - Winscp rule from Akira Ransomware report
new: FTP Connection Open Attempt Via Winscp CLI
new: Winscp Execution From Non Standard Folder
---------
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
2025-10-20 07:56:39 +05:45
Swachchhanda Shrawan Poudel
208fee50a0
Merge PR #5658 from @swachchhanda000 - feat: shai hulud worm targeting npm supply chain attack
new - Shai-Hulud Malicious GitHub Workflow Creation
new - Shai-Hulud NPM Attack GitHub Activity
new - Shai-Hulud NPM Package Malicious Exfiltration via Curl
new - PUA - TruffleHog Execution
new - PUA - TruffleHog Execution - Linux
2025-10-19 07:28:08 +05:45
Swachchhanda Shrawan Poudel
f4e9d5f3c4
Merge PR #5671 from @swachchhanda000 - feat: add detection rules for CVE-2025-32463 sudo chroot vulnerability
new: Non-Standard Nsswitch.Conf Creation - Potential CVE-2025-32463 Exploitation
new: Linux Sudo Chroot Execution
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2025-10-19 07:21:26 +05:45
Djordje Lukic
afc36cbb4e
Merge PR #5691 from @djlukic - Adding RemoteAddress field for Windows Server coverage
fix: Potential CVE-2023-23397 Exploitation Attempt - Add RemoteAddress field to filters
---------
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
2025-10-18 07:53:56 +05:45
Swachchhanda Shrawan Poudel
de97c83224
Merge PR #5533 from @swachchhanda000 - fix: github reported issues
new: AWS IAM user with Console Access Login Without MFA (#5074)
new: Suspicious BitLocker Access Agent Update Utility Execution (#5502)
new: BaaUpdate.exe Suspicious DLL Load
update: Suspicious C2 Activities - update definition (#5142)
fix: Firewall Configuration Discovery Via Netsh.EXE - fix logic (#5171)
fix: WannaCry Ransomware Activity - remove generic indicators (#5131)
fix: Rare Remote Thread Creation By Uncommon Source Image - filter office FPs (#5529)
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2025-10-18 07:07:22 +05:45
Swachchhanda Shrawan Poudel
ed93a47f82
Merge PR #5657 from @swachchhanda000 - Add Hacktool - EDR-Freeze Execution
new: Hacktool - EDR-Freeze Execution
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>
2025-10-17 20:10:50 +02:00
phantinuss
9d91858f3e
Merge PR #5701 from @phantinuss - Enhance CI Tests
chore: ci: let yamllint fail on warnings as well
chore: fix comment whitespace
chore: ci: run single tests in their own job
2025-10-17 13:05:57 +02:00
Swachchhanda Shrawan Poudel
a0c4c5f61e
Merge PR #5525 from @swachchhanda000 - WinRAR Creating Files in Startup Locations - CVE-2025-6218 and CVE-2025-8088
new: WinRAR Creating Files in Startup Locations
update: WinRAR Execution in Non-Standard Folder - update PE metadata
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2025-10-17 12:27:59 +02:00