Commit Graph

108 Commits

Author SHA1 Message Date
github-actions[bot] 47085e9489 Merge PR #4891 from @nasbench - Promote older rules status from experimental to test
chore: promote older rules status from experimental to test

Co-authored-by: nasbench <nasbench@users.noreply.github.com>
2024-07-01 10:42:32 +02:00
Daniel Cortez d7bd6001d1 Merge PR #4773 from @DefenderDaniel - Add rules covering Nscurl usage
new: File Download Via Nscurl - MacOS 

---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-06-05 10:22:39 +02:00
pratinavchandra 9bfe3d6e62 Merge PR #4865 from @pratinavchandra - Add new rules related to "tmutil" potential abuse
new: Time Machine Backup Deletion Attempt Via Tmutil - MacOS
new: Time Machine Backup Disabled Via Tmutil - MacOS
new: New File Exclusion Added To Time Machine Via Tmutil - MacOS

---------

Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-05-31 12:52:55 +02:00
pratinavchandra 6a5cf5c37c Merge PR #4785 from @pratinavchandra - add System Information Discovery Via Sysctl - MacOS
new: System Information Discovery Via Sysctl - MacOS 

---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-05-27 18:05:09 +02:00
pratinavchandra 2837671f38 Merge PR #4782 from @pratinavchandra - Add Launch Agent/Daemon Execution Via Launchctl
new: Launch Agent/Daemon Execution Via Launchctl 

---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-05-13 16:55:33 +02:00
pratinavchandra e1a713d264 Merge PR #4823 from @pratinavchandra - Update CLI flag for Gatekeeper Bypass via Xattr
update: Gatekeeper Bypass via Xattr - Update command line flag 

---------

Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
2024-04-19 11:10:38 +02:00
Josh 68511f711f Merge PR #4759 from @joshnck - Add new rules covering incoming TeamViewer connection activity
new: Remote Access Tool - Team Viewer Session Started On Linux Host
new: Remote Access Tool - Team Viewer Session Started On MacOS Host
new: Remote Access Tool - Team Viewer Session Started On Windows Host 

---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-03-15 21:41:29 +01:00
github-actions[bot] 367ebd9395 Merge PR #4700 from @nasbench - Promote older rules status from experimental to test
chore: promote older rules status from experimental to test
2024-02-01 02:09:31 +01:00
Stephen Lincoln e62c700822 Merge PR #4649 from @slincoln-aiq - System Information Discovery Using System_Profiler
new: System Information Discovery Using System_Profiler

---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2024-01-10 14:29:49 +01:00
Stephen Lincoln 2abda43af9 Merge PR #4645 from @slincoln-aiq - Update: System Information Discovery Using Ioreg
update: System Information Discovery Using Ioreg - enhanced coverage with additional flags and cli options

---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-01-10 14:00:01 +01:00
jstnk9 1e37964530 Merge PR #4640 from @jstnk9 - Add new rules related to System Integrity Protection (SIP) enumeration and tamper
new: System Integrity Protection (SIP) Enumeration
new: System Integrity Protection (SIP) Disabled

---------

Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2024-01-10 13:36:06 +01:00
github-actions[bot] c3fe2da997 chore: promote older rules status from experimental to test (#4651)
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
2024-01-01 09:00:51 +01:00
jstnk9 3bb3b9cb5b Merge PR #4615 from @jstnk9 - Update WMIC Discovery Rule + New System Discovery Rules For MacOS
new: System Information Discovery Using Ioreg
new: System Information Discovery Using sw_vers
new: Potential Base64 Decoded From Images
new: System Information Discovery Via Wmic.EXE
update: Uncommon System Information Discovery Via Wmic.EXE - Updated logic to focus on more specific WMIC query sequence to increase the level and added a related rule to cover the missing gaps in d85ecdd7-b855-4e6e-af59-d9c78b5b861e

---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2023-12-21 11:09:47 +01:00
github-actions[bot] ae960f0881 Merge PR #4611 from @nasbench - Promote Older Rules Status From experimental To test
chore: promote older rules status from experimental to test

Co-authored-by: nasbench <nasbench@users.noreply.github.com>
2023-12-01 12:50:36 +01:00
github-actions[bot] a6e7cce606 Merge PR #4533 from @nasbench - Promote experimental rules
chore: promote older rules status from `experimental` to `test`

---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2023-11-02 10:48:45 +01:00
Nasreddine Bencherchali 95793d73bd Merge PR #4482 From @nasbench - Add New Automation Workflows
chore: update workflows and add quality of life updates and automation to the repository

---------

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2023-10-18 11:53:44 +02:00
frack113 020fc8061f Merge PR #4479 From @frack113 - Upgrade Rules Status
chore: Upgrade status level from `experimental` to `test` for rules that have not changed in 300 days

---------

Signed-off-by: frack113 <62423083+frack113@users.noreply.github.com>
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2023-10-17 14:35:26 +02:00
phantinuss 2a2db295ce Merge pull request #4155 from D4rkCiph3r/patch-5
Update proc_creation_macos_add_to_admin_group.yml
2023-08-23 08:57:45 +02:00
phantinuss ea5db35a52 Merge pull request #4127 from D4rkCiph3r/in-memory-payload
Create proc_creation_macos_in-memory_payload_transfer.yml
2023-08-23 08:57:23 +02:00
Nasreddine Bencherchali d53f063141 feat: update metadata 2023-08-22 18:22:05 +02:00
Nasreddine Bencherchali 32800437c9 Update proc_creation_macos_dseditgroup_add_to_admin_group.yml 2023-08-22 17:55:17 +02:00
Nasreddine Bencherchali 0f1f792ef9 chore: split rules 2023-08-22 17:48:06 +02:00
Nasreddine Bencherchali 68f843ce2c Merge pull request #4300 from gr00T0x/jamf
feat: add rules related to jamf usage and potential abuse
2023-08-22 15:38:35 +02:00
Nasreddine Bencherchali 7881df8591 Merge pull request #4055 from D4rkCiph3r/root_enable
feat: add new to enable root account via dsenableroot
2023-08-22 15:10:26 +02:00
Nasreddine Bencherchali ae71649ff5 Update rules/macos/process_creation/proc_creation_macos_jamf_susp_child.yml 2023-08-22 15:09:42 +02:00
phantinuss 785ea520dd fix: wording 2023-08-22 14:56:25 +02:00
phantinuss 9cb0c4d1ac fix: wording 2023-08-22 14:55:30 +02:00
Nasreddine Bencherchali b14769e684 feat: update metadata & logic 2023-08-22 14:34:20 +02:00
Nasreddine Bencherchali 4e75c3b2dc feat: update detection & metadata 2023-08-22 13:51:14 +02:00
gr00t fe26aabf6a Update proc_creation_macos_usage_of_jamf.yml 2023-06-08 12:43:54 +01:00
gr00t 97cb0ad683 Create proc_creation_macos_usage_of_jamf.yml 2023-06-07 16:46:36 +01:00
D4rkCiph3r e32b39d855 feat: new macos rule Suspicious Browser Child Process (#4053) 2023-04-05 14:58:09 +02:00
D4rkCiph3r 5d1130262f feat: new rule proc_creation_macos_suspicious_applet_behaviour.yml (#4126) 2023-04-03 12:27:17 +02:00
D4rkCiph3r 3662498137 Update proc_creation_macos_add_to_admin_group.yml 2023-03-30 11:34:38 +05:30
D4rkCiph3r 401c147f70 Update proc_creation_macos_enable_root_account.yml 2023-03-30 11:33:57 +05:30
D4rkCiph3r f6a78028d1 Update proc_creation_macos_enable_root_account.yml
Removed a couple of detections, as I have moved them over to this rule "proc_creation_macos_add_to_admin_group".
2023-03-30 11:32:53 +05:30
D4rkCiph3r 6a9d887c47 Update proc_creation_macos_add_to_admin_group.yml
Restructured another detection from this rule "proc_creation_macos_enable_root_account.yml" (PR Pending) to here.
2023-03-30 11:26:52 +05:30
D4rkCiph3r da468ec37a feat: new rule proc_creation_macos_add_to_admin_group.yml (#4121) 2023-03-21 11:29:42 +01:00
D4rkCiph3r 24432424c0 Rename proc_creation_macos_in-memory_payload_transfer.yml to proc_creation_macos_ingress_payload_transfer.yml
Updated filename as per test run failure
2023-03-20 23:35:32 +05:30
D4rkCiph3r f4b0264a83 Create proc_creation_macos_in-memory_payload_transfer.yml 2023-03-20 23:21:36 +05:30
Nasreddine Bencherchali 137dcbcc50 feat: more updates and fixes 2023-02-28 15:22:25 +01:00
phantinuss db4fb9ff8e Merge pull request #4056 from D4rkCiph3r/installer-child
Create proc_creation_macos_susp_installer_child_process.yml
2023-02-22 09:04:58 +01:00
Nasreddine Bencherchali 275748b671 fix: add missing space + rename file 2023-02-21 23:29:47 +01:00
Nasreddine Bencherchali 8220d9b5b2 fix: add slash to image field
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2023-02-21 23:17:09 +01:00
D4rkCiph3r ecdc93cdf0 Update proc_creation_macos_enable_root_account.yml
Corrected the condition and selection's naming
2023-02-21 11:12:02 +05:30
D4rkCiph3r 848a64fa69 Create proc_creation_macos_persistence_via_plistbuddy.yml (#4057) 2023-02-20 14:15:31 +01:00
D4rkCiph3r d0af939108 Create proc_creation_macos_enable_guest_account.yml (#4054) 2023-02-20 14:13:52 +01:00
D4rkCiph3r f9a73c7a79 Update proc_creation_macos_create_account.yml (#4052) 2023-02-20 14:13:06 +01:00
D4rkCiph3r 97e2717343 Update proc_creation_macos_susp_installer_child_process.yml
Updated the selection syntax
2023-02-20 18:19:43 +05:30
D4rkCiph3r b3154cf465 Update proc_creation_macos_enable_root_account.yml
Updated the selections and condition as suggested.
2023-02-20 18:14:51 +05:30