Swachchhanda Shrawan Poudel
585bd7d487
Merge PR #5429 from @swachchhanda000 - Katz stealer malware
...
new: DNS Query To Katz Stealer Domains
new: Katz Stealer DLL Loaded
new: DNS Query To Katz Stealer Domains - Network
new: Katz Stealer Suspicious User-Agent
new: Suspicious File Access to Browser Credential Storage
new: Registry Export of Third-Party Credentials
update: Enumeration for 3rd Party Creds From CLI - Updated the condition to update FP
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2025-05-26 10:33:24 +02:00
Swachchhanda Shrawan Poudel
5f894dfa0b
Merge PR #5431 from swachchhanda000 - chore: fix broken links
...
chore: fix broken links
2025-05-26 10:21:19 +02:00
Milad Cheraghi
304b019212
Merge PR #5385 from @CheraghiMilad - Added new tool for recording audio - ecasound
...
update: Audio Capture - add ecasound detection
---------
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
r2025-05-21
2025-05-21 09:10:51 +02:00
Jason Mull
de7a1387b5
Merge PR #5417 from @jasonmull - Create Detection for Crash Dump Created By Operating System
...
new: Crash Dump Created By Operating System
---------
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com>
2025-05-21 09:09:37 +02:00
Koifman
b0481bea13
Merge PR #5393 from @Koifman - Update VMware rules for MITREv17
...
update: proc_creation_lnx_esxcli_vm_kill.yml - updating MITRE to match v17
update: proc_creation_lnx_esxcli_vsan_discovery.yml - updating MITRE to match v17
update: proc_creation_lnx_esxcli_system_discovery.yml - updating MITRE to match v17
update: proc_creation_lnx_esxcli_network_discovery.yml - updating MITRE to match v17
update: proc_creation_lnx_esxcli_storage_discovery.yml - updating MITRE to match v17
update: proc_creation_lnx_esxcli_syslog_config_change.yml - updating MITRE to match v17
update: proc_creation_lnx_esxcli_user_account_creation.yml - updating MITRE to match v17
update: proc_creation_lnx_esxcli_permission_change_admin.yml - updating MITRE to match v17
update: proc_creation_lnx_esxcli_vm_discovery.yml - updating MITRE to match v17
---------
Co-authored-by: Koifman <primeless42@gmail.com>
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
2025-05-21 08:39:49 +02:00
phantinuss
8259948a3f
Merge PR #5421 from @phantinuss - Update evtx-baseline
...
chore: update evtx-baseline
2025-05-20 23:15:57 +02:00
phantinuss
6896d69d3e
Merge PR #5424 from @phantinuss - Some housekeeping
...
chore: deprecate rule in favour of c1337eb8-921a-4b59-855b-4ba188ddcc42
chore: update the ref of some rules
---------
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
2025-05-20 23:12:55 +02:00
Gameel Ali
2076f5cfd6
Merge PR #5405 from @MalGamy12 - Update COM Object Hijacking Via Modification Of Default System CLSID Default Value
...
update: COM Object Hijacking Via Modification Of Default System CLSID Default Value - Add additional COM CLSID
2025-05-20 23:11:14 +02:00
david-syk
6fe3ac8a02
Merge PR #5389 from @david-syk - Update MITRE ATT&CK tags
...
chore: update the tags of multiple rules
2025-05-20 23:09:50 +02:00
david-syk
efcfe43fae
Merge PR #5388 from @david-syk - Update MITRE ATT&CK tags
...
chore: update the tags of multiple rules
2025-05-20 23:09:23 +02:00
david-syk
f255ba29e6
Merge PR #5390 from @david-syk - Update MITRE ATT&CK tags
...
chore: update the tags of multiple rules
2025-05-20 23:08:57 +02:00
david-syk
a869abc3cc
Merge PR #5395 from @david-syk - Update MITRE ATT&CK tags
...
chore: update the tags of multiple rules
2025-05-20 23:05:21 +02:00
github-actions[bot]
e9aa3eb2b3
Merge PR #5398 from @nasbench - Archive new rule references and update cache file
...
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
2025-05-20 23:03:44 +02:00
Swachchhanda Shrawan Poudel
926c05e2cd
Merge PR #5203 from @swachchhanda000 - Update AdFind rules
...
new: PUA - AdFind.EXE Execution
update: Renamed AdFind Execution - Add additional Imphash values
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2025-05-20 23:03:13 +02:00
github-actions[bot]
b3f75b9ae6
Merge PR #5396 from @nasbench - Update deprecated csv
...
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
2025-05-20 23:00:58 +02:00
Swachchhanda Shrawan Poudel
b9e11ba205
Merge PR #5427 from @swachchhanda000 - Add Potential Exploitation of CVE-2025-4427/4428 Ivanti EPMM Pre-Auth RCE
...
new: Potential Exploitation of CVE-2025-4427/4428 Ivanti EPMM Pre-Auth RCE
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2025-05-20 23:00:06 +02:00
github-actions[bot]
350fec2f51
Merge PR #5397 from @nasbench - Promote older rules status from experimental to test
...
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
2025-05-20 22:58:46 +02:00
frack113
83b9ff50bc
Merge PR #5418 from @frack113 - chore: 🧹 Update MITRE V17 DLL tags
...
chore: Update MITRE T1574.002 as it is now merged into T1574.001 in V17
2025-05-15 12:17:10 +02:00
Mohamed Ashraf
c0972b644d
Merge PR #5378 from @X-Junior - fix: FP related to Potentially Suspicious WDAC Policy File Creation
...
update: Potentially Suspicious WDAC Policy File Creation
2025-05-12 13:31:38 +02:00
Swachchhanda Shrawan Poudel
906b392938
Merge PR #5196 from @swachchhanda000 - Updated and Added rules related to Autorun Registry
...
new: Suspicious Autorun Registry Modified via WMI
update: Suspicious PowerShell Invocations - Specific - PowerShell Module
update: Suspicious PowerShell Invocations - Specific
update: Potential Persistence Attempt Via Run Keys Using Reg.EXE
update: New RUN Key Pointing to Suspicious Folder
update: Suspicious Powershell In Registry Run Keys
update: Direct Autorun Keys Modification
update: Suspicious Run Key from Download
---------
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
2025-05-12 13:28:51 +02:00
phantinuss
cdfdae6a7e
Merge PR #5394 from @phantinuss - Update pySigma validator
...
chore: update pySigma validator and fix surrounding issues
chore: whitelist new test issues
chore: sort each block
chore: add tests/sigma_cli_conf.yml to tracked files
2025-05-12 12:16:11 +02:00
phantinuss
19568ae667
chore: update pySigma validators
2025-05-08 11:00:04 +02:00
phantinuss
58cb9a11e3
chore: add tests/sigma_cli_conf.yml to tracked files
2025-05-05 10:17:15 +02:00
phantinuss
e58ebd048f
chore: sort each block
2025-05-05 10:17:12 +02:00
phantinuss
9aeb2bab8a
chore: whitelist new test issues
...
the rules are all valid and have a sound detection logic
2025-05-05 10:17:02 +02:00
phantinuss
f47604b735
chore: update pySigma validators
2025-04-30 11:31:22 +02:00
david-syk
b062d8ad65
Merge PR #5380 from @david-syk - Update MITRE ATT&CK tags 2nd batch
2025-04-25 21:01:12 +02:00
david-syk
95b6dd8573
Merge PR #5381 from @david-syk - Update MITRE ATT&CK tags
...
chore: update multiple mitre att&ck tags
2025-04-25 20:55:51 +02:00
Alex
6ded165b42
Merge pull request #5382 from SigmaHQ/detection-studio-readme
2025-04-25 11:52:03 +01:00
Alex
6fad19ba7b
Adds Detection Studio to README.md page
2025-04-23 14:57:37 +01:00
Swachchhanda Shrawan Poudel
85fd5958bc
Merge PR #5261 from @swachchhanda000 - Add Suspicious CrushFTP Child Process
...
new: Suspicious CrushFTP Child Process
---------
Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>
2025-04-17 21:43:35 +02:00
RG9n
3d17247df5
Merge PR #5263 from @RG9n - Add Suspicious Process Spawned by CentreStack Portal AppPool
...
new: Suspicious Process Spawned by CentreStack Portal AppPool
---------
Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>
2025-04-17 21:42:56 +02:00
Kostas
07c285ca29
Merge PR #5265 from @tsale - Update Obfuscated PowerShell OneLiner Execution and author of multiple rules
...
update: Obfuscated PowerShell OneLiner Execution - Enhance logic to increase coverage.
---------
Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>
2025-04-17 21:42:17 +02:00
Swachchhanda Shrawan Poudel
5d050fb8a5
Merge PR #5228 from @swachchhanda000 - Update Eventlog clearing related rules
...
update: Suspicious Eventlog Clear - Added coverage for eventlog clearing using dotnet class
update: Suspicious Eventlog Clearing or Configuration Change Activity - Added coverage for eventlog clearing using dotnet class
---------
Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>
2025-04-17 00:45:10 +02:00
Swachchhanda Shrawan Poudel
ff4076fea1
Merge PR #5234 from @swachchhanda000 - Update Potential Product Class Reconnaissance Via Wmic.EXE
...
update: Potential Product Class Reconnaissance Via Wmic.EXE - Add `AntiSpywareProduct` class
2025-04-17 00:44:13 +02:00
Swachchhanda Shrawan Poudel
75a1ff3915
Merge PR #5239 from @swachchhanda000 - Update Potential Browser Data Stealing
...
update: Potential Browser Data Stealing - add esentutl.exe
---------
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
2025-04-17 00:43:26 +02:00
Swachchhanda Shrawan Poudel
6143a22389
Merge PR #5240 from @swachchhanda000 - Add Suspicious LNK Command-Line Padding with Whitespace Characters
...
new: Suspicious LNK Command-Line Padding with Whitespace Characters
2025-04-17 00:42:11 +02:00
github-actions[bot]
29ad6f9617
Merge PR #5249 from @nasbench - Promote older rules status from experimental to test
...
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
2025-04-17 00:41:35 +02:00
github-actions[bot]
36394d43a0
Merge PR #5250 from @nasbench - Archive new rule references and update cache file
...
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
2025-04-17 00:41:06 +02:00
david-syk
1f1cac10eb
Merge PR #5258 from @david-syk - Update Potential Adplus.EXE Abuse tags
...
chore: update mitre attack tag
---------
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
2025-04-17 00:40:41 +02:00
Swachchhanda Shrawan Poudel
ced93a8d17
Merge PR #5264 from @swachchhanda000 - Update Potential Binary Impersonating Sysinternals Tools
...
update: Potential Binary Impersonating Sysinternals Tools - Add list of binaries compiled for Arm64 arch
---------
Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
2025-04-17 00:39:23 +02:00
Nasreddine Bencherchali
3946f672f0
Merge PR #5256 from @nasbench - Update Potential CVE-2023-23397 Exploitation Attempt - SMB
...
fix: Potential CVE-2023-23397 Exploitation Attempt - SMB - Add filters for IP format when ingesting XML raw event
2025-04-10 15:07:45 +02:00
Florian Roth
c72928b430
Merge PR #5241 from @Neo23x0 - Update Potential CVE-2023-23397 Exploitation Attempt - SMB
...
fix: Potential CVE-2023-23397 Exploitation Attempt - SMB - Fix the IP block covering EventID 30804 as it does not contain an IP as a field but as a string
---------
Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>
2025-04-07 11:10:52 +02:00
Florian Roth
357838c404
Merge PR #5237 from @Neo23x0 - Update Buffer Overflow Attempts
...
update: Buffer Overflow Attempts - Enhance and rework logic with new keywords
2025-04-07 11:08:55 +02:00
Nick Lupien
e874eaf58e
Merge PR #5236 from @nickatrecon - Update AWS New Lambda Layer Attached
...
update: AWS New Lambda Layer Attached - Enhance metadata and logic
---------
Thanks: imall4n
Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>
2025-04-07 11:07:50 +02:00
Swachchhanda Shrawan Poudel
fa27f1bc54
Merge PR #5224 from @swachchhanda000 - Fix Multiple FPs
...
update: Elevated System Shell Spawned - Add `powershell_ise`
fix: Potential Binary Or Script Dropper Via PowerShell - Add filter for `C:\Windows\SystemTemp\`
fix: Python Initiated Connection - Enhance python filter
fix: Conhost Spawned By Uncommon Parent Process - Add filter for `'-k wusvcs -p -s WaaSMedicSvc`
update: Elevated System Shell Spawned From Uncommon Parent Location - Add `powershell_ise`
fix: Potential WinAPI Calls Via CommandLine - Add new filter for `CompatTelRunner`
fix: Windows Processes Suspicious Parent Directory - Add new filter for empty parent
fix: Whoami.EXE Execution Anomaly - Add new filter for empty parent
---------
Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>
2025-04-07 11:05:53 +02:00
frack113
166af991c0
Merge PR #4886 from @frack113 - Add Potential Unconstrained Delegation Discovery Via Get-ADComputer - ScriptBlock
...
new: Potential Unconstrained Delegation Discovery Via Get-ADComputer - ScriptBlock
---------
Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>
2025-04-07 11:02:17 +02:00
Derek Armstrong
78a78c79ff
Merge PR #5229 from @dsplice - Update Potential APT FIN7 Exploitation Activity
...
update: Potential APT FIN7 Exploitation Activity - Add false positive description
2025-03-16 03:19:44 +01:00
Gude5
eda06d1a3b
Merge PR #5227 from @Gude5 - Fix small typos in deprecated rules
...
fix: Indirect Command Exectuion via Forfiles - wrong keyword
fix: PowerShell Execution - wrong date format
2025-03-16 03:09:53 +01:00
github-actions[bot]
4a3cb8b774
Merge PR #5230 from @nasbench - Archive new rule references and update cache file
...
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
2025-03-16 03:08:28 +01:00