Commit Graph

16304 Commits

Author SHA1 Message Date
wieso-itzi 4f4ef7a8cc Merge PR #5042 from @wieso-itzi - Update Python PTY rules
update: Python Spawning Pretty TTY Via PTY Module - Update the logic to account for the possibility of calling the spawn function via a variable, as an alias or other methods.
update: Python Reverse Shell Execution Via PTY And Socket Modules - Add additional strings to increase accuracy and coverage. 

---------

Signed-off-by: wieso-itzi <85185077+wieso-itzi@users.noreply.github.com>
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
r2024-11-10
2024-11-04 12:15:00 +01:00
Arnim Rupp 243003c21a Merge PR #5068 from @ruppde - Update rules in the Antivirus category with additional strings and signature names
update: Antivirus Hacktool Detection - Add additional hacktools signature names.
update: Antivirus Password Dumper Detection - Add additional password dumpers such as "DumpPert", "Lazagne", "pypykatz", etc.
update: Antivirus Ransomware Detection - Add additional ransomware signature names.
fix: Antivirus Relevant File Paths Alerts - Remove the path "\Client" as it is too generic for a detection rule.
fix: Antivirus Web Shell Detection - Removed overlapping strings "ASP/Agent", "PHP/Agent", "JSP/Agent". 

---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-11-04 11:45:07 +01:00
Koifman cfa6d8aa7d Merge PR #5064 from @Koifman - Add missing ATT&CK tag to Monero Crypto Coin Mining Pool Lookup
chore: add missing ATT&CK tag to `Monero Crypto Coin Mining Pool Lookup`
2024-11-04 11:32:02 +01:00
Florian Roth fe999a5e9e Merge PR #5070 from @Neo23x0 - Update .RDP File Created by Outlook Process
update: .RDP File Created by Outlook Process - Add new paths for Outlook apps in Windows 11 

---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-11-04 11:25:05 +01:00
Nasreddine Bencherchali e1787dad38 Merge PR #5067 from @nasbench - Add missing reference links
chore: add missing reference links to some rules
2024-11-01 20:52:27 +01:00
Ahmed Farouk 14ce104a16 Merge PR #5058 from @ahmedfarou22 - Add new rules related to command execution via run dialogue
new: Potentially Suspicious Command Executed Via Run Dialog Box - Registry
new: Command Executed Via Run Dialog Box - Registry
 
---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-11-01 20:45:17 +01:00
github-actions[bot] 04df2e483a Merge PR #5051 from @nasbench - Archive new rule references and update cache file
chore: archive new rule references and update cache file

Co-authored-by: nasbench <nasbench@users.noreply.github.com>
2024-11-01 10:49:49 +01:00
Florian Roth 0cb8d0e091 Merge PR #5063 from @Neo23x0 - Add & Update rules related to the suspicious creation of ".rdp" files
new: .RDP File Created by Outlook Process
update: .RDP File Created By Uncommon Application - Add `olk.exe` to cover the new version of outlook 

---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-11-01 10:47:36 +01:00
github-actions[bot] f533350560 Merge PR #5065 from @nasbench - Promote older rules status from experimental to test
chore: promote older rules status from `experimental` to `test`

Co-authored-by: nasbench <nasbench@users.noreply.github.com>
2024-11-01 10:21:04 +01:00
dan21san 05a496388b Merge PR #5052 from @dan21san - Update Potential Data Exfiltration Over SMTP Via Send-MailMessage Cmdlet
update: Potential Data Exfiltration Over SMTP Via Send-MailMessage Cmdlet - Add the "-Attachments" flag to the logic in order to reduce false positives.

---------

Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-11-01 10:20:29 +01:00
Koifman 44176f0c17 Merge PR #5057 from @Koifman - Add Access To Browser Credential Files By Uncommon Applications - Security
new: Access To Browser Credential Files By Uncommon Applications - Security 

---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
2024-10-28 12:28:35 +01:00
Gameel Ali ad8ab49d45 Merge PR #5060 from @MalGamy12 - Update Schedule Task Creation From Env Variable Or Potentially Suspicious Path Via Schtasks.EXE
Update: Schedule Task Creation From Env Variable Or Potentially Suspicious Path Via Schtasks.EXE - Add additional paths for `:\Users\All Users\` and `:\Users\Default\` 

---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-10-28 12:25:02 +01:00
Josh Brower f4e563ae8f Merge PR #5062 from @defensivedepth - Update README.md
chore: update README.md - Add a link to `Security Onion` sigma integration
2024-10-28 11:57:02 +01:00
Mohamed Ashraf 7e4748ec0e feat: update multiple rules (#5055)
* Update multiple rules

* updates

---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-10-25 16:32:03 +02:00
Djordje Lukic f33530e756 Merge PR #4994 from @djlukic - Multiple FP fixes
update: CodeIntegrity - Unmet Signing Level Requirements By File Under Validation - Add additional filters for third party AV
update: Suspicious Non PowerShell WSMAN COM Provider - Add new filter to cover the edge case where the `HostApplication` field is null
update: Renamed Powershell Under Powershell Channel - Add new filter to cover the edge case where the `HostApplication` field is null

---------
 
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-10-08 23:08:50 +02:00
Arnim Rupp 7ddc551605 Merge PR #5040 from @ruppde - Update Antivirus Password Dumper Detection
update: Antivirus Password Dumper Detection - Add `DCSync` string to cover MS Defender traffic detections
2024-10-08 23:04:44 +02:00
Sittikorn S 86989a0464 Merge PR #5008 from @BlackB0lt - Update HackTool - Certipy Execution
update: HackTool - Certipy Execution - Increase coverage by adding new flags such as 'cert', 'template' and 'ptt' 

---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-10-08 22:37:23 +02:00
dan21san b063a9d755 Merge PR #5036 from @dan21san - Update Alternate PowerShell Hosts Pipe
update: Alternate PowerShell Hosts Pipe - Add optional filter for `AzureConnectedMachineAgent` and update old filters to be more accurate

---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-10-08 22:17:21 +02:00
Milad Cheraghi d270dc542c Merge PR #5039 from @CheraghiMilad - Update Local System Accounts Discovery - Linux
update: Local System Accounts Discovery - Linux - Increase coverage by adding additional utilities such as "nano", "tail", "vim"

---------

Co-authored-by: Milad Cheraghi <cheraghimiladmail@gmail.com>
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-10-08 22:09:13 +02:00
MalGamy12 f472015599 Merge PR #5037 from @MalGamy12 - Update Disable Windows Defender Functionalities Via Registry Keys
update: Disable Windows Defender Functionalities Via Registry Keys - Remove `\Real-Time Protection\` prefix to increase coverage. 

---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-10-08 22:07:45 +02:00
Florian Roth a997d6282a Merge PR #5038 from @Neo23x0 - Update LSASS Process Memory Dump Files
update: LSASS Process Memory Dump Files - Add new dump patterns for RustiveDump and NativeDump, and exchange the "startswith" modifier for "contains" for better coverage

---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-10-08 21:57:25 +02:00
Feathers 5b59c6d115 Merge PR #5012 from @ionsor - Update Potentially Suspicious JWT Token Search Via CLI
update: Potentially Suspicious JWT Token Search Via CLI - added the `eyJhbGciOi` string, corresponding to `{"alg":` from the JWT token header. 

---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-10-06 23:03:54 +02:00
Swachchhanda Shrawan Poudel d1f1fc716f Merge PR #5031 from @swachchhanda000 - Add Potential Python DLL SideLoading
new: Potential Python DLL SideLoading 

---------

Co-authored-by: Swachchhanda Shrawan Poudel <logpoint-admin@NP-SSP-MBP-02.local>
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-10-06 22:51:09 +02:00
frack113 c70fff4b8b Merge PR #4935 from @frack113 - Add new IIS logsource and related rules
chore: add "Microsoft-IIS-Configuration/Operational" support to the tests and thor.yml
new: ETW Logging/Processing Option Disabled On IIS Server
new: HTTP Logging Disabled On IIS Server
new: New Module Module Added To IIS Server
new: Previously Installed IIS Module Was Removed 

---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-10-06 22:44:05 +02:00
MalGamy12 8a3f07430f Merge PR #5033 from @MalGamy12 - Update Process Terminated Via Taskkill
update: Process Terminated Via Taskkill - Add `/pid` flag and windash support 

---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-10-06 22:34:21 +02:00
Mohamed Ashraf 1f1f31e99c Merge PR #5026 from @X-Junior - Update COM Object Hijacking Via Modification Of Default System CLSID Default Value
update: COM Object Hijacking Via Modification Of Default System CLSID Default Value - Add new suspicious locations and builtin CLSID

---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-10-01 15:22:42 +02:00
github-actions[bot] 08c52c367c Merge PR #5027 from @nasbench - Promote older rules status from experimental to test
chore: promote older rules status from experimental to test

Co-authored-by: nasbench <nasbench@users.noreply.github.com>
2024-10-01 14:56:09 +02:00
github-actions[bot] 8ebc58cf42 Merge PR #5028 from @nasbench - Archive new rule references and update cache file
chore: archive new rule references and update cache file

Co-authored-by: nasbench <nasbench@users.noreply.github.com>
2024-10-01 14:55:39 +02:00
Arnim Rupp 35a5eb9a4c Merge PR #5013 from @ruppde - Update linux scanning rules
update: Linux HackTool Execution - Remove "zenmap" and "nmap" as they are already covered by 3e102cd9-a70d-4a7a-9508-403963092f31
update: Linux Network Service Scanning Tools Execution - Add "zenmap" utility
2024-09-22 19:29:20 +02:00
Kostas 014d169f83 Merge PR #5020 from @tsale - Add Remote Access Tool - MeshAgent Command Execution via MeshCentral
new: Remote Access Tool - MeshAgent Command Execution via MeshCentral 

---------

Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-09-22 19:26:02 +02:00
Alexander J 9db7e07223 Merge PR #5022 from @jaegeral - Fix some typos in rules metadata
chore: fix some typos in the title and description of some rules
2024-09-22 19:14:26 +02:00
github-actions[bot] 23c4c0b90c Merge PR #5009 from @nasbench - Archive new rule references and update cache file
chore: archive new rule references and update cache file

Co-authored-by: nasbench <nasbench@users.noreply.github.com>
2024-09-18 23:55:08 +02:00
MahirAli Khan 99a47e4f96 Merge PR #4980 from @Mahir-Ali-khan - Update DNS Query To Remote Access Software Domain From Non-Browser App
update: DNS Query To Remote Access Software Domain From Non-Browser App - Add `remoteassistance.support.services.microsoft.com`, `tailscale.com`, `twingate.com` 

---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-09-13 13:55:33 +02:00
Kamran Saifullah 71be3c719b Merge PR #5003 from @deFr0ggy - Add Network Connection Initiated To BTunnels Domains
new: Network Connection Initiated To BTunnels Domains 

---------

Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-09-13 12:15:58 +02:00
bharat-arora-magnet fedc6f43ea Merge PR #5005 from @bharat-arora-magnet - Fix PwnKit Local Privilege Escalation
fix: PwnKit Local Privilege Escalation - Fix typo with the word `suspicious`
2024-09-13 11:19:14 +02:00
frack113 236db73778 Merge PR #5006 from @frack113 - Fix UNC2452 Process Creation Patterns
fix: UNC2452 Process Creation Patterns - Add the missing `all` modifier
2024-09-13 11:17:23 +02:00
Fukusuke Takahashi 132482818e Merge PR #5007 from @fukusuket - Fix unreachable GitHub URL references
chore: CVE-2021-1675 Print Spooler Exploitation Filename Pattern - Fix unreachable GitHub URL references
chore: HackTool - DInjector PowerShell Cradle Execution - Fix unreachable GitHub URL references
chore: InstallerFileTakeOver LPE CVE-2021-41379 File Create Event - Fix unreachable GitHub URL references
chore: LPE InstallerFileTakeOver PoC CVE-2021-41379 - Fix unreachable GitHub URL references
chore: Malicious PowerShell Scripts - FileCreation - Fix unreachable GitHub URL references
chore: Malicious PowerShell Scripts - PoshModule - Fix unreachable GitHub URL references
chore: Possible CVE-2021-1675 Print Spooler Exploitation - Fix unreachable GitHub URL references
chore: Potential NT API Stub Patching - Fix unreachable GitHub URL references
chore: Potential PrintNightmare Exploitation Attempt - Fix unreachable GitHub URL references
chore: Potential RDP Exploit CVE-2019-0708 - Fix unreachable GitHub URL references
chore: Potential SAM Database Dump - Fix unreachable GitHub URL references
chore: Scanner PoC for CVE-2019-0708 RDP RCE Vuln - Fix unreachable GitHub URL references
chore: Suspicious Rejected SMB Guest Logon From IP - Fix unreachable GitHub URL references
chore: Windows Spooler Service Suspicious Binary Load - Fix unreachable GitHub URL references
2024-09-13 11:14:11 +02:00
secDre4mer ab2fb36426 Merge PR #5002 from @secDre4mer - Update Potential CommandLine Obfuscation Using Unicode Characters rules
update: Potential CommandLine Obfuscation Using Unicode Characters From Suspicious Image - Add coverage for `0x00A0`
update: Potential CommandLine Obfuscation Using Unicode Characters - Add coverage for `0x00A0` 

---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-09-06 11:42:04 +02:00
Josh 8288d4be9f Merge PR #5001 from @joshnck - Add Startup/Logon Script Added to Group Policy Object
new: Startup/Logon Script Added to Group Policy Object

---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-09-06 11:41:18 +02:00
Josh ad84d82baf Merge PR #5000 from @joshnck - Update Persistence and Execution at Scale via GPO Scheduled Task
update: Persistence and Execution at Scale via GPO Scheduled Task - Increase coverage by adding selection for EID 5136 

---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-09-06 11:40:46 +02:00
Josh 06b116608e Merge PR #4999 from @joshnck - Add Group Policy Abuse for Privilege Addition
new: Group Policy Abuse for Privilege Addition 

---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-09-06 11:40:04 +02:00
Josh 06e3ce353b Merge PR #4998 from @joshnck - Add DNS Request From Windows Script Host
new: DNS Request From Windows Script Host 

---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-09-06 11:39:17 +02:00
secDre4mer 9b39e26260 Merge PR #4995 from @secDre4mer - Add Process Deletion of Its Own Executable
new: Process Deletion of Its Own Executable 

---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-09-03 22:20:20 +02:00
Michael Haag b724a7f59d Merge PR #4997 from @MHaggis - Add rules related to PowerShell Web Access
new: PowerShell Web Access Feature Enabled Via DISM
new: PowerShell Web Access Installation - PsScript 

---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-09-03 22:17:47 +02:00
Swachchhanda Shrawan Poudel 7f0f7eefe0 Merge PR #4983 from @swachchhanda000 - Add Task Scheduler DLL Loaded By Application Located In Potentially Suspicious Location
new: Task Scheduler DLL Loaded By Application Located In Potentially Suspicious Location

---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
r2024-09-02
2024-09-02 20:04:52 +02:00
Nasreddine Bencherchali b86a494f55 Merge PR #4993 from @nasbench - Fix Issues
new: Potential CommandLine Obfuscation Using Unicode Characters From Suspicious Image - A detection replacement for `e0552b19-5a83-4222-b141-b36184bb8d79`
remove: OMIGOD SCX RunAsProvider ExecuteShellCommand - Auditd - Moved to "unsupported" folder, due to the need for correlation.
remove: Potential Persistence Via COM Search Order Hijacking - Moved to "deprecated" in favour of `790317c0-0a36-4a6a-a105-6e576bf99a14`.
update: Potential CommandLine Obfuscation Using Unicode Characters - Moved to "threat-hunting" due to the nature of FPs
update: Potential Remote WMI ActiveScriptEventConsumers Activity - Moved to "threat-hunting" as it's meant as an enrichment rule.
2024-09-02 19:03:46 +02:00
dan21san bd284a997b Merge PR #4990 from @dan21san - Add Remote Access Tool - AnyDesk Incoming Connection
new: Remote Access Tool - AnyDesk Incoming Connection 

---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-09-02 14:23:22 +02:00
Murphy0801 3e2f8d5aba Merge PR #4975 from @Murphy0801 - Add new rules related to GTFOBins
new: Capsh Shell Invocation - Linux
new: Inline Python Execution - Spawn Shell Via OS System Library
new: Shell Execution GCC - Linux
new: Shell Execution via Find - Linux
new: Shell Execution via Flock - Linux
new: Shell Execution via Git - Linux
new: Shell Execution via Nice - Linux
new: Shell Execution via Rsync - Linux
new: Shell Invocation via Env Command - Linux
new: Shell Invocation Via Ssh - Linux
new: Suspicious Invocation of Shell via AWK - Linux 

---------

Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-09-02 13:19:31 +02:00
github-actions[bot] 839f5636f5 Merge PR #4991 from @nasbench - Promote older rules status from experimental to test
chore: promote older rules status from `experimental` to `test`

Co-authored-by: nasbench <nasbench@users.noreply.github.com>
2024-09-02 10:01:36 +02:00
github-actions[bot] 9eb4dea0a6 Merge PR #4992 from @nasbench - Archive new rule references and update cache file
chore: archive new rule references and update cache file

Co-authored-by: nasbench <nasbench@users.noreply.github.com>
2024-09-02 10:01:12 +02:00