Chirag
03412947a2
Merge PR #5922 from @CHIRAG-DAMANI-08 - Hacktool - NetExec Execution
...
new: HackTool - NetExec File Indicators
new: Hacktool - NetExec Execution
---------
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com >
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com >
2026-04-23 15:02:24 +02:00
HueCodes
c801be9f3d
Merge PR #5899 from @HueCodes - new: Python Base64 Encoded Inline Command Execution
...
new: Python Base64 Encoded Inline Command Execution - Windows
new: Python Base64 Encoded Inline Command Execution - Linux
---------
Co-authored-by: Hugh <HueCodes@users.noreply.github.com >
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com >
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com >
2026-04-23 14:37:28 +02:00
Swachchhanda Shrawan Poudel
fc1cf467f4
Merge PR #5905 from @swachchhanda000 - fix: notepad++ gup infrastructure abuse FPs
...
fix: Notepad++ Updater DNS Query to Uncommon Domains - filter uncommon domain
fix: Uncommon File Created by Notepad++ Updater Gup.EXE - filter gup legitimate filter
2026-04-21 12:33:55 +02:00
Marco Pedrinazzi
c58ee2f7f8
Merge PR #5938 from @marcopedrinazzi - Fix file extension from .yaml to .yml for consistency
...
chore: changed extension from yaml to yml for certain files
---------
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com >
2026-04-20 14:44:21 +02:00
Swachchhanda Shrawan Poudel
c3ad686ac4
Merge PR #5935 from @swachchhanda000 - Fix Registry Tampering by Potentially Suspicious Processes
...
fix: Registry Tampering by Potentially Suspicious Processes - add filter for legitimate wscript.exe registry modifications
---------
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com >
2026-04-14 14:49:20 +02:00
EzLucky
d4d12bdd13
Merge PR #5910 from @EzLucky - Update RTLO Related Rules With Additional Coverage
...
update: Potential Defense Evasion Via Right-to-Left Override - Add real rtlo char copied/pasted
update: Potential File Extension Spoofing Using Right-to-Left Override - Add real rtlo char copied/pasted
---------
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com >
2026-04-01 13:57:31 +02:00
Florian Roth
7fc53c563e
Merge PR #5925 from @Neo23x0 - Add filter for nsswitch and double extension in icons folder
...
fix: Non-Standard Nsswitch.Conf Creation - Potential CVE-2025-32463 Exploitation - Add additional path for nsswitch `/usr/share/factory/etc/nsswitch.conf`
fix: Suspicious Double Extension Files - Add a new filter `/usr/share/icons/`
---------
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com >
Thanks: @marius-benthin
2026-04-01 13:55:12 +02:00
netikus
7031934d17
Merge PR #5914 from @netikus - Update Potential Privileged System Service Operation - SeLoadDriverPrivilege
...
fix: Potential Privileged System Service Operation - SeLoadDriverPrivilege - Add new filter for ShellHost.exe and SystemSettings.exe
---------
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com >
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com >
2026-04-01 13:36:52 +02:00
Axel-NTT
3fe2695635
Merge PR #5921 from @Axel-NTT - Update BPFDoor Abnormal Process ID or Lock File Accessed
...
update: BPFDoor Abnormal Process ID or Lock File Accessed - add new file paths from Rapid7 research to increase coverage
2026-04-01 13:16:52 +02:00
Florian Roth
c6d03adc7b
Merge PR #5924 from @Neo23x0 - Fix Security Support Provider (SSP) Added to LSA Configuration
...
fix: Security Support Provider (SSP) Added to LSA Configuration - Add filter for `null` image field
2026-04-01 12:35:29 +02:00
Swachchhanda Shrawan Poudel
2f84ca2f16
Merge PR #5433 from @swachchhanda000 - Add BadSuccessor dMSA Abuse Related Rules
...
new: msDS-ManagedAccountPrecededByLink Attribute Modified
new: New MsDS-DelegatedManagedServiceAccount (DMSA) Object Created
new: DMSA Service Account Created in Specific OUs - PowerShell
new: DMSA Link Attributes Modified
new: New DMSA Service Account Created in Specific OUs
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com >
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com >
2026-03-30 12:27:13 +02:00
Swachchhanda Shrawan Poudel
56a58e1ee6
Merge PR #5772 from @swachchhanda000 - Add Shai-Hulud: The Second Coming Rules
...
update: Shai-Hulud Malicious GitHub Workflow Creation - Add new entries to the list to increase coverage
new: Shai-Hulud Malware Indicators - Linux
new: Shai-Hulud Malicious Bun Execution - Linux
new: Shai-Hulud 2.0 Malicious NPM Package Installation - Linux
new: Shai-Hulud Malware Indicators - Windows
new: Shai-Hulud Malicious Bun Execution
new: Shai-Hulud 2.0 Malicious NPM Package Installation
new: Script Interpreter Spawning Credential Scanner - Linux
new: Script Interpreter Spawning Credential Scanner - Windows
---------
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com >
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com >
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com >
2026-03-29 14:58:59 +02:00
Swachchhanda Shrawan Poudel
a15dbdaa05
Merge PR #5832 from @swachchhanda000 - fix: edr-freeze rules FPs analysed from VT
...
fix: Suspicious Loading of Dbgcore/Dbghelp DLLs from Uncommon Location - remove troublesome locations commonly used by installers
fix: HackTool - WSASS Execution - update regex to avoid mismatching on legitimate cli
update: WerFaultSecure Loading DbgCore or DbgHelp - EDR-Freeze - change it into hunting rule
2026-03-19 10:26:30 +01:00
Marco Pedrinazzi
b596e1a7d0
Merge PR #5860 from @marcopedrinazzi - Add New Email Forwarding and Hiding Rules
...
remove: Suspicious PowerShell Mailbox SMTP Forward Rule
new: Mail Forwarding/Redirecting Activity Via ExchangePowerShell Cmdlet
new: Inbox Rules Creation Or Update Activity Via ExchangePowerShell Cmdlet
---------
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com >
2026-03-01 04:16:06 +01:00
Marco Pedrinazzi
084204d06a
Merge PR #5845 from @marcopedrinazzi - Add System Language Discovery via Reg.Exe
...
new: System Language Discovery via Reg.Exe
---------
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com >
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com >
2026-03-01 03:55:40 +01:00
Djordje Lukic
5f5e72cff7
Merge PR #5885 from @djlukic - Add New FP Filters
...
fix: BITS Transfer Job With Uncommon Or Suspicious Remote TLD - Add filter entry for "tscdn.m365.static.microsoft"
fix: CodeIntegrity - Unmet Signing Level Requirements By File Under Validation - Add filter entry for MS office path
fix: Non Interactive PowerShell Process Spawned - Add filter entry for "SenseIR.exe"
---------
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com >
2026-03-01 03:47:59 +01:00
Swachchhanda Shrawan Poudel
41c8116d0e
Merge PR #5856 from @swachchhanda000 - Add CPL sideloading and Fsquirt entries
...
update: Files With System Process Name In Unsuspected Locations - Add fsquirt.exe entry
update: System Control Panel Item Loaded From Uncommon Location - Add entries for bthprops.cpl and hdwwiz.cpl
update: System File Execution Location Anomaly - Add fsquirt.exe entry
---------
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com >
2026-02-28 14:21:29 +01:00
Kostas
6db81c99bd
Merge PR #5716 from @tsale - Add detection rules for abuse of OpenEDR's response feature
...
new: Potentially Suspicious File Creation by OpenEDR's ITSMService
new: OpenEDR Spawning Command Shell
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com >
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com >
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com >
2026-02-28 14:12:49 +01:00
Florian Roth
086a362b0f
Merge PR #5875 from @Neo23x0 - Fix BloodHound Collection Files
...
fix: BloodHound Collection Files - Remove entry `_domains.json` due to FP rate.
2026-02-28 14:06:13 +01:00
Swachchhanda Shrawan Poudel
dc3880459d
Merge PR #5863 from @swachchhanda000 - Add finger.exe to related rules
...
update: Potential Defense Evasion Via Rename Of Highly Relevant Binaries - add finger.exe
update: System File Execution Location Anomaly - add finger.exe
2026-02-16 12:50:13 +01:00
Swachchhanda Shrawan Poudel
76f4a42ebb
Merge PR #5854 from @swachchhanda000 - Add Notepad++ Infrastructure Abuse Rules
...
new: Notepad++ Updater DNS Query to Uncommon Domains
new: Uncommon File Created by Notepad++ Updater Gup.EXE
new: Suspicious Child Process of Notepad++ Updater - GUP.Exe
---------
Co-authored-by: nasbench <nbencher@cisco.com >
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com >
2026-02-04 12:08:03 +01:00
Swachchhanda Shrawan Poudel
478120e7d2
Merge PR #5814 from @swachchhanda000 - Add New Credential Guard Tampering Rules
...
new: Windows Credential Guard Registry Tampering Via CommandLine
new: Windows Credential Guard Related Registry Value Deleted - Registry
new: Windows Credential Guard Disabled - Registry
---------
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com >
2026-01-29 12:52:08 +01:00
Swachchhanda Shrawan Poudel
c6a32d96cf
Merge PR #5813 from @swachchhanda000 - Add New AMSI Tampering Rules
...
new: Windows AMSI Related Registry Tampering Via CommandLine
new: AMSI Disabled via Registry Modification
---------
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com >
2026-01-29 12:38:48 +01:00
Swachchhanda Shrawan Poudel
2022e3b420
Merge PR #5802 from @swachchhanda000 - Update Bitsadmin Rules With Regression Data
...
new: Legitimate Application Writing Files In Uncommon Location
update: Suspicious Download From File-Sharing Website Via Bitsadmin - add github URL
update: File Download Via Bitsadmin To A Suspicious Target Folder - add more susp locations
remove: File Download Via Bitsadmin To An Uncommon Target Folder - deprecate in favor of 2ddef153-167b-4e89-86b6-757a9e65dcac
chore: add regression tests for bitsadmin related rules
---------
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com >
2026-01-29 12:37:55 +01:00
Swachchhanda Shrawan Poudel
e77233ab2f
Merge PR #5824 from @swachchhanda000 - Update User Shell Folders Registry Modification Rules
...
update: Direct Autorun Keys Modification - remove User Shell Folder registry modification
new: User Shell Folders Registry Modification via CommandLine
update: Modify User Shell Folders Startup Value - add new registry path, also add filtering of legit paths
2026-01-29 12:23:46 +01:00
Swachchhanda Shrawan Poudel
a4ddc7a414
Merge PR #5842 from @swachchhanda000 - chore: update thor.yml with missing file_change category
...
chore: update thor.yml with missing file_change category
2026-01-29 09:25:27 +01:00
Swachchhanda Shrawan Poudel
3d8c650ba2
Merge PR #5811 from @swachchhanda000 - Add New Vulnerable Driver Blocklist and HVCI Tampering Based Rules
...
new: Hypervisor-protected Code Integrity (HVCI) Related Registry Tampering Via CommandLine
new: Vulnerable Driver Blocklist Registry Tampering Via CommandLine
new: Windows Vulnerable Driver Blocklist Disabled
---------
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com >
2026-01-26 23:53:42 +01:00
Vladan Sekulic
092b852af3
Merge PR #5767 from @vl43den - Add Cmd Launched with Hidden Start Flags to Suspicious Targets
...
new: Cmd Launched with Hidden Start Flags to Suspicious Targets
---------
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com >
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com >
2026-01-26 20:02:52 +01:00
Swachchhanda Shrawan Poudel
d5188c36a1
Merge PR #5487 from @swachchhanda000 - Update Registry Shell Open Related Rules
...
update: Registry Modification of MS-settings Protocol Handler - Update logic to be more clear
new: Suspicious Shell Open Command Registry Modification
---------
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com >
2026-01-24 18:54:59 +01:00
Swachchhanda Shrawan Poudel
77f4b0b2ec
Merge PR #5741 from @swachchhanda000 - Add Splunk Rules for MSIX/AppX
...
new: Successful MSIX/AppX Package Installation
new: Windows AppX Deployment Full Trust Package Installation
new: Windows AppX Deployment Unsigned Package Installation
new: Windows MSIX Package Support Framework AI_STUBS Execution
---------
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com >
2026-01-24 17:04:41 +01:00
Chris
c0af81c9d2
Merge PR #5823 from @darses - Update DNS Query to External Service Interaction Domains
...
update: DNS Query to External Service Interaction Domains - Changed modifier to endswith for better accuracy and add additional domains.
---------
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com >
2026-01-24 12:37:27 +01:00
Matt Anderson
30aebbb65c
Merge PR #5834 from @MATTANDERS0N - Add Devcon and KDU Execution Rules
...
new: PUA - Kernel Driver Utility (KDU) Execution
new: Devcon Execution Disabling VMware VMCI Device
---------
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com >
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com >
2026-01-24 12:36:29 +01:00
Marco Pedrinazzi
01b23770b8
Merge PR #5826 from @marcopedrinazzi - Add New OpenCanary Rules
...
new: OpenCanary - NMAP FIN Scan
new: OpenCanary - NMAP NULL Scan
new: OpenCanary - NMAP OS Scan
new: OpenCanary - NMAP XMAS Scan
new: OpenCanary - Host Port Scan (SYN Scan)
new: OpenCanary - RDP New Connection Attempt
---------
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com >
2026-01-24 12:32:10 +01:00
Swachchhanda Shrawan Poudel
ad3a650641
Merge PR #5476 from @swachchhanda000 - Update SquiblyTwo Related Rules
...
update: WMIC Loading Scripting Libraries - Update metadata
update: Potential SquiblyTwo Technique Execution - Extend coverage for remote execution
update: XSL Script Execution Via WMIC.EXE - Filter out remote execution parameters to avoid duplicate alerting
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com >
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com >
2026-01-24 12:25:13 +01:00
Swachchhanda Shrawan Poudel
222a2e2992
Merge PR #5749 from @swachchhanda000 - Update Phantom DLL hijacking Rules
...
update: Creation Of Non-Existent System DLL - Add new DLLs and update metadata
update: Potential DLL Sideloading Of Non-Existent DLLs From System Folders - Add new DLLs and update metadata
new: Registry Modification for OCI DLL Redirection
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com >
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com >
2026-01-24 12:04:15 +01:00
EzLucky
076da17939
Merge PR #5771 from @EzLucky - Add and Update Setcap Related Rules
...
new: Linux Setgid Capability Set on a Binary via Setcap Utility
new: Linux Setuid Capability Set on a Binary via Setcap Utility
fix: Capabilities Discovery - Linux - Removed unnecessary windash modifier
---------
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com >
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com >
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com >
2026-01-24 11:51:42 +01:00
EzLucky
6fe7343bf7
Merge PR #5822 from @EzLucky - fix: spelling errors in description and filename
...
update: Suspicious Package Installed - Linux - add 'socat' keyword and fix a typo
chore: Local System Accounts Discovery - Linux - fix small typo on 'system' word in description
2026-01-05 13:01:17 +05:45
Swachchhanda Shrawan Poudel
c8b1a0ff67
Merge PR #5805 from @swachchhanda000 - Add regression tests for curl-related rules
...
update: Curl Web Request With Potential Custom User-Agent - add another curl supported flag for header
chore: add regression tests for curl-related rules
2025-12-25 20:50:48 +05:45
Nasreddine Bencherchali
b61d83beef
Merge PR #5790 from @nasbench - Metadata Updates
...
chore: update metadata of many rules
update: AppX Located in Uncommon Directory Added to Deployment Pipeline - Enhance selection criteria
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com >
2025-12-24 17:50:21 +01:00
Micah Babinski
2952d630a4
Merge PR #5774 from @mbabinski - Added rules related to ArcGIS Server Object Extension abuse
...
new: Suspicious File Created by ArcSOC.exe
new: Suspicious ArcSOC.exe Child Process
---------
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com >
2025-12-21 18:07:30 +01:00
Swachchhanda Shrawan Poudel
685194383b
Merge PR #5804 from @swachchhanda000 - enhance rules related to file download from file sharing websites
...
update: Suspicious Remote AppX Package Locations - add github.com
update: BITS Transfer Job Download From File Sharing Domains - add github.com
update: Suspicious File Download From File Sharing Websites - File Stream - add github.com
update: Unusual File Download From File Sharing Websites - File Stream - add github.com
update: Network Communication Initiated To File Sharing Domains From Process Located In Suspicious Folder - add github.com
update: Network Connection Initiated From Process Located In Potentially Suspicious Or Uncommon Location - add github.com
update: Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE - add github.com
update: Suspicious File Download From File Sharing Domain Via Curl.EXE - add github.com
update: Suspicious File Download From File Sharing Domain Via Wget.EXE - add github.com
2025-12-12 08:04:27 +05:45
Swachchhanda Shrawan Poudel
c5b881019a
Merge PR #5777 from @swachchhanda000 - feat: more edrfreeze rules
...
new: WerFaultSecure Loading DbgCore or DbgHelp - EDR-Freeze
new: Suspicious Loading of Dbgcore/Dbghelp DLLs from Uncommon Location
new: Suspicious Process Access to LSASS with Dbgcore/Dbghelp DLLs
new: Suspicious Process Access of MsMpEng by WerFaultSecure - EDR-Freeze
update: Hacktool - EDR-Freeze Execution - add more coverage
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com >
2025-12-10 15:29:38 +01:00
Toheeb Ajala Husain
cce4545c10
Merge PR #5801 from @toheeb-orelope - add Invoke-DNSExfiltrator
...
update: Malicious PowerShell Scripts - FileCreation - add Invoke-DNSExfiltrator
update: Malicious PowerShell Scripts - PoshModule - add Invoke-DNSExfiltrator
update: Malicious PowerShell Commandlets - PoshModule - add Invoke-DNSExfiltrator
update: Malicious PowerShell Commandlets - ScriptBlock - add Invoke-DNSExfiltrator
update: Malicious PowerShell Commandlets - ProcessCreation - add Invoke-DNSExfiltrator
---------
Co-authored-by: nasbench <nasbench@users.noreply.github.com >
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com >
2025-12-10 15:15:19 +01:00
Nasreddine Bencherchali
cf3cbf8089
Merge PR #5799 from @nasbench - Update logic to use errorCode instead for better mapping and accuracy
...
update: Potential Malicious Usage of CloudTrail System Manager - Update logic to use errorCode instead for better mapping and accuracy
2025-12-09 10:17:50 +01:00
Swachchhanda Shrawan Poudel
f05a8c4d94
Merge PR #5788 from @swachchhanda000 - Recon via RDP Logging Event
...
update: Potentially Suspicious EventLog Recon Activity Using Log Query Utilities - add more interesting event ids
---------
Co-authored-by: Nasreddine Bencherchali <nasbench@users.noreply.github.com >
2025-12-09 08:48:59 +05:45
Swachchhanda Shrawan Poudel
f7f61a9f95
Merge PR #5789 from @swachchhanda000 - Add fps filter observed on ARM-based Windows updates
...
fix: Uncommon AppX Package Locations - filter out system32
fix: Unauthorized System Time Modification - filter out vmwaretools
fix: Files With System Process Name In Unsuspected Locations - filter windows temp
fix: Startup Folder File Write - filter out wuauclt.exe and C:$WinREAgent\Scratch\Mount\ directory
fix: Potentially Suspicious WDAC Policy File Creation - filter wuaucltcore.exe
fix: Creation of WerFault.exe/Wer.dll in Unusual Folder - filter C:\Windows\UUS\arm64\
fix: Potentially Suspicious Volume Shadow Copy Vsstrace.dll Load - filter C:$WinREAgent\Scratch\
fix: Potential System DLL Sideloading From Non System Locations - filter legitimate ARM based locations
fix: Potential Defense Evasion Via Raw Disk Access By Uncommon Tools - filter legitimate ARM based locations
---------
Co-authored-by: Nasreddine Bencherchali <nasbench@users.noreply.github.com >
2025-12-09 08:29:51 +05:45
Swachchhanda Shrawan Poudel
f58b44eb16
Merge #5798 from @swachchhanda000 - fix: aurora fps
...
fix: Rare Remote Thread Creation By Uncommon Source Image - filter provtool system
fix: Load Of RstrtMgr.DLL By An Uncommon Process - filter OneDriveStandaloneUpdater.exe
fix: Wow6432Node CurrentVersion Autorun Keys Modification - filter null Details
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com >
2025-12-09 08:21:14 +05:45
Swachchhanda Shrawan Poudel
57c71b3b8a
Merge PR #5778 from @swachchhanda000 - fix: add some filters or tune rules to reduce false positives
...
fix: Suspicious desktop.ini Action - filter onedrive
fix: CredUI.DLL Loaded By Uncommon Process - filter systemapps
update: Renamed Office Binary Execution - add olk.exe matching on Microsoft Outlook
2025-12-09 08:15:03 +05:45
Niicolaa
ed2650a0eb
Merge PR #5791 from @Niicolaa - fix: add correct osascript path
...
fix: GUI Input Capture - macOS - remove wrong osascript path
---------
Co-authored-by: Nasreddine Bencherchali <nasbench@users.noreply.github.com >
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com >
2025-12-09 08:03:04 +05:45
Nasreddine Bencherchali
5656c48a97
Merge PR #5793 from @nasbench - Rename Auditd Folder Entries and update SYSCALL field
...
chore: rename auditd folders and others
update: Audio Capture - Updated syscall field to SYSCALL in order to make use of enriched logs
update: ASLR Disabled Via Sysctl or Direct Syscall - Linux - Updated syscall field to SYSCALL in order to make use of enriched logs
update: Clear or Disable Kernel Ring Buffer Logs via Syslog Syscall - Updated syscall field to SYSCALL in order to make use of enriched logs
update: System Info Discovery via Sysinfo Syscall - Updated syscall field to SYSCALL in order to make use of enriched logs
update: Special File Creation via Mknod Syscall - Updated syscall field to SYSCALL in order to make use of enriched logs
update: Webshell Remote Command Execution - Updated syscall field to SYSCALL in order to make use of enriched logs
2025-12-08 16:03:55 +01:00