security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
16,437 Commits 1 Branch 57 Tags
585bd7d487fa7cdeb535d4eb22abb2a4da5d599e
Commit Graph

10112 Commits

Author SHA1 Message Date
Swachchhanda Shrawan Poudel 585bd7d487 Merge PR #5429 from @swachchhanda000 - Katz stealer malware 
new: DNS Query To Katz Stealer Domains
new: Katz Stealer DLL Loaded
new: DNS Query To Katz Stealer Domains - Network
new: Katz Stealer Suspicious User-Agent
new: Suspicious File Access to Browser Credential Storage
new: Registry Export of Third-Party Credentials
update: Enumeration for 3rd Party Creds From CLI - Updated the condition to update FP

---------

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
 2025-05-26 10:33:24 +02:00
Jason Mull de7a1387b5 Merge PR #5417 from @jasonmull - Create Detection for Crash Dump Created By Operating System 
new: Crash Dump Created By Operating System

---------

Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com>
 2025-05-21 09:09:37 +02:00
phantinuss 6896d69d3e Merge PR #5424 from @phantinuss - Some housekeeping 
chore: deprecate rule in favour of c1337eb8-921a-4b59-855b-4ba188ddcc42
chore: update the ref of some rules

---------

Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
 2025-05-20 23:12:55 +02:00
Gameel Ali 2076f5cfd6 Merge PR #5405 from @MalGamy12 - Update COM Object Hijacking Via Modification Of Default System CLSID Default Value 
update: COM Object Hijacking Via Modification Of Default System CLSID Default Value - Add additional COM CLSID
 2025-05-20 23:11:14 +02:00
david-syk 6fe3ac8a02 Merge PR #5389 from @david-syk - Update MITRE ATT&CK tags 
chore: update the tags of multiple rules
 2025-05-20 23:09:50 +02:00
david-syk efcfe43fae Merge PR #5388 from @david-syk - Update MITRE ATT&CK tags 
chore: update the tags of multiple rules
 2025-05-20 23:09:23 +02:00
david-syk f255ba29e6 Merge PR #5390 from @david-syk - Update MITRE ATT&CK tags 
chore: update the tags of multiple rules
 2025-05-20 23:08:57 +02:00
david-syk a869abc3cc Merge PR #5395 from @david-syk - Update MITRE ATT&CK tags 
chore: update the tags of multiple rules
 2025-05-20 23:05:21 +02:00
Swachchhanda Shrawan Poudel 926c05e2cd Merge PR #5203 from @swachchhanda000 - Update AdFind rules 
new: PUA - AdFind.EXE Execution
update: Renamed AdFind Execution - Add additional Imphash values

---------

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
 2025-05-20 23:03:13 +02:00
github-actions[bot] 350fec2f51 Merge PR #5397 from @nasbench - Promote older rules status from experimental to test 
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
 2025-05-20 22:58:46 +02:00
frack113 83b9ff50bc Merge PR #5418 from @frack113 - chore: 🧹 Update MITRE V17 DLL tags 
chore: Update MITRE T1574.002 as is now merge into T1574.001 in the V17
 2025-05-15 12:17:10 +02:00
Mohamed Ashraf c0972b644d Merge PR #5378 from @X-Junior - fix: FP related to Potentially Suspicious WDAC Policy File Creation 
update: Potentially Suspicious WDAC Policy File Creation
 2025-05-12 13:31:38 +02:00
Swachchhanda Shrawan Poudel 906b392938 Merge PR #5196 from @swachchhanda000 - Updated and Added rules related to Autorun Registry 
new: Suspicious Autorun Registry Modified via WMI
update: Suspicious PowerShell Invocations - Specific - PowerShell Module
update: Suspicious PowerShell Invocations - Specific
update: Potential Persistence Attempt Via Run Keys Using Reg.EXE
update: New RUN Key Pointing to Suspicious Folder
update: Suspicious Powershell In Registry Run Keys
update: Direct Autorun Keys Modification
update: Suspicious Run Key from Download

---------

Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
 2025-05-12 13:28:51 +02:00
david-syk b062d8ad65 Merge PR #5380 from @david-syk - Update MITRE ATT&CK tags 2nd batch 2025-04-25 21:01:12 +02:00
david-syk 95b6dd8573 Merge PR #5381 from @david-syk - Update MITRE ATT&CK tags 
chore: update multiple mitre att&ck tags
 2025-04-25 20:55:51 +02:00
Kostas 07c285ca29 Merge PR #5265 form @tsale - Update Obfuscated PowerShell OneLiner Execution and author of multiple rules 
update: Obfuscated PowerShell OneLiner Execution - Enhance logic to increase coverage.

---------

Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>
 2025-04-17 21:42:17 +02:00
Swachchhanda Shrawan Poudel 5d050fb8a5 Merge PR #5228 from @swachchhanda000 - Update Eventlog clearing related rules 
update: Suspicious Eventlog Clear - Added coverage for eventlog clearing using dotnet class
update: Suspicious Eventlog Clearing or Configuration Change Activity- Added coverage for eventlog clearing using dotnet class

---------

Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>
 2025-04-17 00:45:10 +02:00
Swachchhanda Shrawan Poudel ff4076fea1 Merge PR #5234 from @swachchhanda000 - Update Potential Product Class Reconnaissance Via Wmic.EXE 
update: Potential Product Class Reconnaissance Via Wmic.EXE - Add `AntiSpywareProduct` class
 2025-04-17 00:44:13 +02:00
Swachchhanda Shrawan Poudel 75a1ff3915 Merge PR #5239 from @swachchhanda000 - Update Potential Browser Data Stealing 
update: Potential Browser Data Stealing - add esentutl.exe

---------

Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
 2025-04-17 00:43:26 +02:00
Swachchhanda Shrawan Poudel 6143a22389 Merge PR #5240 from @swachchhanda000 - Add Suspicious LNK Command-Line Padding with Whitespace Characters 
new: Suspicious LNK Command-Line Padding with Whitespace Characters
 2025-04-17 00:42:11 +02:00
github-actions[bot] 29ad6f9617 Merge PR #5249 from @nasbench - Promote older rules status from experimental to test 
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
 2025-04-17 00:41:35 +02:00
david-syk 1f1cac10eb Merge PR #5258 from @david-syk - Update Potential Adplus.EXE Abuse tags 
chore: update mitre attack tag

---------

Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
 2025-04-17 00:40:41 +02:00
Swachchhanda Shrawan Poudel ced93a8d17 Merge PR #5264 from @swachchhanda000 - Update Potential Binary Impersonating Sysinternals Tools 
update: Potential Binary Impersonating Sysinternals Tools - Add list of binaries compiled for Arm64 arch added
---------

Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
 2025-04-17 00:39:23 +02:00
Swachchhanda Shrawan Poudel fa27f1bc54 Merge PR #5224 from @swachchhanda000 - Fix Multiple FPs 
update: Elevated System Shell Spawned - Add `powershell_ise`
fix: Potential Binary Or Script Dropper Via PowerShell - Add filter for `C:\Windows\SystemTemp\`
fix: Python Initiated Connection - Enhance python filter
fix: Conhost Spawned By Uncommon Parent Process - Add filter for `'-k wusvcs -p -s WaaSMedicSvc`
update: Elevated System Shell Spawned From Uncommon Parent Location - Add `powershell_ise`
fix: Potential WinAPI Calls Via CommandLine - Add new filter for `CompatTelRunner`
fix: Windows Processes Suspicious Parent Directory - Add new filter for empty parent
fix: Whoami.EXE Execution Anomaly - Add new filter for empty parent
---------

Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>
 2025-04-07 11:05:53 +02:00
frack113 166af991c0 Merge PR #4886 from @frack113 - Add Potential Unconstrained Delegation Discovery Via Get-ADComputer - ScriptBlock 
new: Potential Unconstrained Delegation Discovery Via Get-ADComputer - ScriptBlock

---------

Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>
 2025-04-07 11:02:17 +02:00
DFIR-Detection 13b9a509d4 Merge PR #5198 from @DFIR-Detection - Add Notepad Password Files Discovery 
new: Notepad Password Files Discovery

---------

Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>
 2025-03-05 00:24:11 +01:00
github-actions[bot] 64852d95a9 Merge PR #5216 from @nasbench - Promote older rules status from experimental to test 
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
 2025-03-05 00:23:27 +01:00
Swachchhanda Shrawan Poudel f4d86e8f37 Merge PR #5204 from @swachchhanda000 - Update Malicious PowerShell Scripts and Cmdlets Rules 
update: Malicious PowerShell Scripts - FileCreation - Add `Veeam-Get-Creds.ps1`
update: Malicious PowerShell Scripts - PoshModule - Add `Veeam-Get-Creds.ps1`
update: Malicious PowerShell Commandlets - PoshModule - Add `Veeam-Get-Creds`
update: Malicious PowerShell Commandlets - ProcessCreation - Add `Veeam-Get-Creds`
 2025-03-05 00:21:08 +01:00
Swachchhanda Shrawan Poudel f784916130 Merge PR #5207 from @swachchhanda000 - Updated Anydesk related rules 
update: Anydesk Remote Access Software Service Installation - Enhance coverage by accounting for the `AnyDesk MSI` Service
update: Suspicious Binary Writes Via AnyDesk - Add `AnyDeskMSI.exe`
update: Remote Access Tool - AnyDesk Incoming Connection - Add `AnyDeskMSI.exe`
update: Remote Access Tool - Anydesk Execution From Suspicious Folder - Add `AnyDeskMSI.exe`
update: Remote Access Tool - AnyDesk Execution - Add `AnyDeskMSI.exe`
 2025-03-05 00:19:19 +01:00
Hannes Widéen 54496e2e0d Merge PR #5211 from @HannesWid - Update Nslookup PowerShell Download Cradle 
update: Nslookup PowerShell Download Cradle - Add additional coverage with `-type=txt http`
 2025-03-05 00:17:38 +01:00
Florian Roth 5711c8a2f4 Merge PR #5215 from @Neo23x0 - Fix typo in falsepositives section 
chore: fix typo in falsepositive section
 2025-02-28 15:49:36 +01:00
Swachchhanda Shrawan Poudel f3de589d08 Merge PR #5202 from @swachchhanda000 - Added coverage rundll32 ordinal obfuscation attempts. 
update: Potential Obfuscated Ordinal Call Via Rundll32 - Add additional obfuscation methods
update: Process Memory Dump Via Comsvcs.DLL - Add additional obfuscation methods
---------

Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com>
 2025-02-25 22:32:55 +01:00
Mohamed Ashraf 7f83008e9e Merge PR #5173 from @X-Junior - New rule additions and some fixes 
new: Clfs.SYS Loaded By Process Located In a Potential Suspicious Location
fix: Python Initiated Connection - Add filter for `pip install`
fix: Python Inline Command Execution - Add filter for whl package installations
---------

Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>
 2025-02-22 23:57:41 +01:00
frack113 c779fc5424 Merge PR #5200 from @frack113 - Fix typo in selection name 
chore: fix selection name
 2025-02-22 23:47:24 +01:00
Koifman de0c3f3a83 Merge PR #5182 from @Koifman - Update Windows Event Log Access Tampering Via Registry 
update: Windows Event Log Access Tampering Via Registry - Increase coverage by removing log markers

---------

Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>
 2025-02-17 12:49:00 +01:00
Mohamed Ashraf 41bef8eed5 Merge PR #5189 from @X-Junior - Add Potentially Suspicious WDAC Policy File Creation 
new: Potentially Suspicious WDAC Policy File Creation

---------

Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>
 2025-02-17 12:46:16 +01:00
Swachchhanda Shrawan Poudel 1de2b1c30f Merge PR #5186 from @swachchhanda000 - Increase coverage of AADinternals rules 
update: AADInternals PowerShell Cmdlets Execution - PsScript - Add additional strings from the AADinternals framework
update: AADInternals PowerShell Cmdlets Execution - ProccessCreation - Add additional strings from the AADinternals framework
 2025-02-17 12:11:55 +01:00
Swachchhanda Shrawan Poudel 0d25ad1855 Merge PR #5184 from @swachchhanda000 - Add PUA - NimScan Execution 
new: PUA - NimScan Execution
 2025-02-17 12:07:45 +01:00
Mohamed Ashraf 75b51c76b5 Merge PR #5195 from @X-Junior - Fix Schtasks Creation Or Modification With SYSTEM Privileges 
fix: Schtasks Creation Or Modification With SYSTEM Privileges - Add new filter of office scheduled task
 2025-02-17 12:04:28 +01:00
github-actions[bot] 2bfb0935a0 Merge PR #5177 from @nasbench - promote older rules status from experimental to test
Create Release / Create Release (push) Has been cancelled
Details 
chore: promote older rules status from `experimental` to `test`

Co-authored-by: nasbench <nasbench@users.noreply.github.com>
 2025-02-03 18:23:12 +01:00
GtUGtHGtNDtEUaE da7a8305f1 Merge PR #5176 from @GtUGtHGtNDtEUaE - Update rules covering EventID 4660 
remove: Windows Defender Exclusion Deleted
fix: WCE wceaux.dll Access - Remove EventIDs `4658` and `4660` as they both do not contain the `ObjectName` field
 2025-01-31 18:08:59 +01:00
Mohamed Ashraf 3724456d62 Merge PR #5162 from @X-Junior - Add Windows Event Log Access Tampering Via Registry 
new: Windows Event Log Access Tampering Via Registry

---------

Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
 2025-01-30 21:31:26 +01:00
Djordje Lukic 92989a4f74 Merge PR #5167 from @djlukic - Fix multiple false positives found in the wild 
fix: Failed Code Integrity Checks - Add filters for `CrowdStrike`.
fix: Renamed Powershell Under Powershell Channel - Add edge case filters for double backslashes PowerShell invocation.

---------

Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>
 2025-01-30 21:15:39 +01:00
Kostas 56203e5241 Merge PR #5174 from @tsale - Add Suspicious Binaries and Scripts in Public Folder 
new: Suspicious Binaries and Scripts in Public Folder

---------

Co-authored-by: Detections <Detections@thedfirreport.com>
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>
 2025-01-30 21:13:42 +01:00
Josh Brower 48d5c5064c Merge PR #5168 from @defensivedepth - Prepend algo to hash values 
fix: HackTool - Dumpert Process Dumper Execution - prepend MD5 to hash value
fix: Forest Blizzard APT - Process Creation Activity - prepend SHA256 to hash value
fix: ManageEngine Endpoint Central Dctask64.EXE Potential Abuse - prepend IMPHASH to hash value
fix: Renamed ZOHO Dctask64 Execution - prepend IMPASH to hash value
 2025-01-22 22:29:33 +01:00
Renan LAVAREC fb27bee6d8 Merge PR #5152 from @Ti-R - Fix Potentially Suspicious Volume Shadow Copy Vsstrace.dll Load 
fix: Potentially Suspicious Volume Shadow Copy Vsstrace.dll Load - Add exclusion filter `C:\ProgramData\Package Cache\{` to account for cases like the execution of `vcredist`

---------

Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>
 2025-01-19 22:02:29 +01:00
github-actions[bot] 8734022722 Merge PR #5149 from @nasbench - Promote older rules status from experimental to test 
chore: promote older rules status from experimental to test

Co-authored-by: nasbench <nasbench@users.noreply.github.com>
 2025-01-06 15:36:19 +01:00
Djordje Lukic fa68da90b1 Merge PR #5145 from @djlukic - Update Regex of some rules 
update: Suspicious Non PowerShell WSMAN COM Provider - Update regex to use `\s+` to account for different parsers
update: Renamed Powershell Under Powershell Channel - Update regex to use `\s+` to account for different parsers
---------

Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>
 2024-12-28 22:40:03 +01:00
Djordje Lukic 1df3c34391 Merge PR #5144 from @djlukic - Fix multiple FPs 
fix: Relevant Anti-Virus Signature Keywords In Application Log - Enhances the `HTool` string to avoid unintended matches.
fix: Uncommon AppX Package Locations - Add `https://installer.teams.static.microsoft/`
fix: BITS Transfer Job With Uncommon Or Suspicious Remote TLD - Add `dn.onenote.net/` and `cdn.office.net/`
fix: CodeIntegrity - Unmet Signing Level Requirements By File Under Validation - Add filter for `Kaspersky` and `mDNS Responder`
 2024-12-27 16:38:02 +01:00
Daniel Koifman 7c830458e7 Merge PR #5138 from @DanielKoifman - Update Suspicious Windows Service Tampering 
update: Suspicious Windows Service Tampering - Add additional services
 2024-12-27 16:29:04 +01:00