585bd7d487
Merge PR #5429 from @swachchhanda000 - Katz stealer malware
...
new: DNS Query To Katz Stealer Domains
new: Katz Stealer DLL Loaded
new: DNS Query To Katz Stealer Domains - Network
new: Katz Stealer Suspicious User-Agent
new: Suspicious File Access to Browser Credential Storage
new: Registry Export of Third-Party Credentials
update: Enumeration for 3rd Party Creds From CLI - Updated the condition to update FP
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com >
2025-05-26 10:33:24 +02:00
6fe3ac8a02
Merge PR #5389 from @david-syk - Update MITRE ATT&CK tags
...
chore: update the tags of multiple rules
2025-05-20 23:09:50 +02:00
efcfe43fae
Merge PR #5388 from @david-syk - Update MITRE ATT&CK tags
...
chore: update the tags of multiple rules
2025-05-20 23:09:23 +02:00
f255ba29e6
Merge PR #5390 from @david-syk - Update MITRE ATT&CK tags
...
chore: update the tags of multiple rules
2025-05-20 23:08:57 +02:00
a869abc3cc
Merge PR #5395 from @david-syk - Update MITRE ATT&CK tags
...
chore: update the tags of multiple rules
2025-05-20 23:05:21 +02:00
926c05e2cd
Merge PR #5203 from @swachchhanda000 - Update AdFind rules
...
new: PUA - AdFind.EXE Execution
update: Renamed AdFind Execution - Add additional Imphash values
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com >
2025-05-20 23:03:13 +02:00
350fec2f51
Merge PR #5397 from @nasbench - Promote older rules status from experimental to test
...
Co-authored-by: nasbench <nasbench@users.noreply.github.com >
2025-05-20 22:58:46 +02:00
83b9ff50bc
Merge PR #5418 from @frack113 - chore: 🧹 Update MITRE V17 DLL tags
...
chore: Update MITRE T1574.002 as is now merge into T1574.001 in the V17
2025-05-15 12:17:10 +02:00
906b392938
Merge PR #5196 from @swachchhanda000 - Updated and Added rules related to Autorun Registry
...
new: Suspicious Autorun Registry Modified via WMI
update: Suspicious PowerShell Invocations - Specific - PowerShell Module
update: Suspicious PowerShell Invocations - Specific
update: Potential Persistence Attempt Via Run Keys Using Reg.EXE
update: New RUN Key Pointing to Suspicious Folder
update: Suspicious Powershell In Registry Run Keys
update: Direct Autorun Keys Modification
update: Suspicious Run Key from Download
---------
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com >
2025-05-12 13:28:51 +02:00
b062d8ad65
Merge PR #5380 from @david-syk - Update MITRE ATT&CK tags 2nd batch
2025-04-25 21:01:12 +02:00
95b6dd8573
Merge PR #5381 from @david-syk - Update MITRE ATT&CK tags
...
chore: update multiple mitre att&ck tags
2025-04-25 20:55:51 +02:00
07c285ca29
Merge PR #5265 form @tsale - Update Obfuscated PowerShell OneLiner Execution and author of multiple rules
...
update: Obfuscated PowerShell OneLiner Execution - Enhance logic to increase coverage.
---------
Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com >
2025-04-17 21:42:17 +02:00
5d050fb8a5
Merge PR #5228 from @swachchhanda000 - Update Eventlog clearing related rules
...
update: Suspicious Eventlog Clear - Added coverage for eventlog clearing using dotnet class
update: Suspicious Eventlog Clearing or Configuration Change Activity- Added coverage for eventlog clearing using dotnet class
---------
Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com >
2025-04-17 00:45:10 +02:00
ff4076fea1
Merge PR #5234 from @swachchhanda000 - Update Potential Product Class Reconnaissance Via Wmic.EXE
...
update: Potential Product Class Reconnaissance Via Wmic.EXE - Add `AntiSpywareProduct` class
2025-04-17 00:44:13 +02:00
75a1ff3915
Merge PR #5239 from @swachchhanda000 - Update Potential Browser Data Stealing
...
update: Potential Browser Data Stealing - add esentutl.exe
---------
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com >
2025-04-17 00:43:26 +02:00
6143a22389
Merge PR #5240 from @swachchhanda000 - Add Suspicious LNK Command-Line Padding with Whitespace Characters
...
new: Suspicious LNK Command-Line Padding with Whitespace Characters
2025-04-17 00:42:11 +02:00
29ad6f9617
Merge PR #5249 from @nasbench - Promote older rules status from experimental to test
...
Co-authored-by: nasbench <nasbench@users.noreply.github.com >
2025-04-17 00:41:35 +02:00
1f1cac10eb
Merge PR #5258 from @david-syk - Update Potential Adplus.EXE Abuse tags
...
chore: update mitre attack tag
---------
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com >
2025-04-17 00:40:41 +02:00
ced93a8d17
Merge PR #5264 from @swachchhanda000 - Update Potential Binary Impersonating Sysinternals Tools
...
update: Potential Binary Impersonating Sysinternals Tools - Add list of binaries compiled for Arm64 arch added
---------
Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com >
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com >
2025-04-17 00:39:23 +02:00
fa27f1bc54
Merge PR #5224 from @swachchhanda000 - Fix Multiple FPs
...
update: Elevated System Shell Spawned - Add `powershell_ise`
fix: Potential Binary Or Script Dropper Via PowerShell - Add filter for `C:\Windows\SystemTemp\`
fix: Python Initiated Connection - Enhance python filter
fix: Conhost Spawned By Uncommon Parent Process - Add filter for `'-k wusvcs -p -s WaaSMedicSvc`
update: Elevated System Shell Spawned From Uncommon Parent Location - Add `powershell_ise`
fix: Potential WinAPI Calls Via CommandLine - Add new filter for `CompatTelRunner`
fix: Windows Processes Suspicious Parent Directory - Add new filter for empty parent
fix: Whoami.EXE Execution Anomaly - Add new filter for empty parent
---------
Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com >
2025-04-07 11:05:53 +02:00
13b9a509d4
Merge PR #5198 from @DFIR-Detection - Add Notepad Password Files Discovery
...
new: Notepad Password Files Discovery
---------
Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com >
2025-03-05 00:24:11 +01:00
64852d95a9
Merge PR #5216 from @nasbench - Promote older rules status from experimental to test
...
Co-authored-by: nasbench <nasbench@users.noreply.github.com >
2025-03-05 00:23:27 +01:00
f4d86e8f37
Merge PR #5204 from @swachchhanda000 - Update Malicious PowerShell Scripts and Cmdlets Rules
...
update: Malicious PowerShell Scripts - FileCreation - Add `Veeam-Get-Creds.ps1`
update: Malicious PowerShell Scripts - PoshModule - Add `Veeam-Get-Creds.ps1`
update: Malicious PowerShell Commandlets - PoshModule - Add `Veeam-Get-Creds`
update: Malicious PowerShell Commandlets - ProcessCreation - Add `Veeam-Get-Creds`
2025-03-05 00:21:08 +01:00
f784916130
Merge PR #5207 from @swachchhanda000 - Updated Anydesk related rules
...
update: Anydesk Remote Access Software Service Installation - Enhance coverage by accounting for the `AnyDesk MSI` Service
update: Suspicious Binary Writes Via AnyDesk - Add `AnyDeskMSI.exe`
update: Remote Access Tool - AnyDesk Incoming Connection - Add `AnyDeskMSI.exe`
update: Remote Access Tool - Anydesk Execution From Suspicious Folder - Add `AnyDeskMSI.exe`
update: Remote Access Tool - AnyDesk Execution - Add `AnyDeskMSI.exe`
2025-03-05 00:19:19 +01:00
f3de589d08
Merge PR #5202 from @swachchhanda000 - Added coverage rundll32 ordinal obfuscation attempts.
...
update: Potential Obfuscated Ordinal Call Via Rundll32 - Add additional obfuscation methods
update: Process Memory Dump Via Comsvcs.DLL - Add additional obfuscation methods
---------
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com >
2025-02-25 22:32:55 +01:00
7f83008e9e
Merge PR #5173 from @X-Junior - New rule additions and some fixes
...
new: Clfs.SYS Loaded By Process Located In a Potential Suspicious Location
fix: Python Initiated Connection - Add filter for `pip install`
fix: Python Inline Command Execution - Add filter for whl package installations
---------
Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com >
2025-02-22 23:57:41 +01:00
1de2b1c30f
Merge PR #5186 from @swachchhanda000 - Increase coverage of AADinternals rules
...
update: AADInternals PowerShell Cmdlets Execution - PsScript - Add additional strings from the AADinternals framework
update: AADInternals PowerShell Cmdlets Execution - ProccessCreation - Add additional strings from the AADinternals framework
2025-02-17 12:11:55 +01:00
0d25ad1855
Merge PR #5184 from @swachchhanda000 - Add PUA - NimScan Execution
...
new: PUA - NimScan Execution
2025-02-17 12:07:45 +01:00
75b51c76b5
Merge PR #5195 from @X-Junior - Fix Schtasks Creation Or Modification With SYSTEM Privileges
...
fix: Schtasks Creation Or Modification With SYSTEM Privileges - Add new filter of office scheduled task
2025-02-17 12:04:28 +01:00
2bfb0935a0
Merge PR #5177 from @nasbench - promote older rules status from experimental to test
...
Create Release / Create Release (push) Has been cancelled
chore: promote older rules status from `experimental` to `test`
Co-authored-by: nasbench <nasbench@users.noreply.github.com >
2025-02-03 18:23:12 +01:00
48d5c5064c
Merge PR #5168 from @defensivedepth - Prepend algo to hash values
...
fix: HackTool - Dumpert Process Dumper Execution - prepend MD5 to hash value
fix: Forest Blizzard APT - Process Creation Activity - prepend SHA256 to hash value
fix: ManageEngine Endpoint Central Dctask64.EXE Potential Abuse - prepend IMPHASH to hash value
fix: Renamed ZOHO Dctask64 Execution - prepend IMPASH to hash value
2025-01-22 22:29:33 +01:00
8734022722
Merge PR #5149 from @nasbench - Promote older rules status from experimental to test
...
chore: promote older rules status from experimental to test
Co-authored-by: nasbench <nasbench@users.noreply.github.com >
2025-01-06 15:36:19 +01:00
7c830458e7
Merge PR #5138 from @DanielKoifman - Update Suspicious Windows Service Tampering
...
update: Suspicious Windows Service Tampering - Add additional services
2024-12-27 16:29:04 +01:00
8e8b86aab9
Merge PR #5095 from @faisalusuf - Add new rules related to QuickAssist usage
...
new: QuickAssist Execution
new: DNS Query Request By QuickAssist.EXE
---------
Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com >
2024-12-19 18:07:19 +01:00
17dcad456f
Merge PR #5116 from @Neo23x0 - Add rules and updates related to Cleo exploitation
...
new: CVE-2024-50623 Exploitation Attempt - Cleo
update: Webshell Detection With Command Line Keywords - Add suspicious powershell commandline keywords
---------
Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com >
2024-12-14 22:44:55 +02:00
2a0c9b5550
Merge PR #5107 from @mgreen27 - Update Potential Defense Evasion Via Rename Of Highly Relevant Binaries
...
update: Potential Defense Evasion Via Rename Of Highly Relevant Binaries - Add ie4uinit.exe and msxsl.exe to old binary rename rule
2024-12-03 22:14:54 +01:00
6048be5a7a
Merge PR #5106 from @nasbench - Add SID version of integrity levels
...
chore: add SID version of IntegrityLevel
fix: Suspicious Process By Web Server Process - Fix typo in "ntdsutil" process name
2024-12-01 23:29:17 +01:00
6e71f6ad5e
Merge PR #5046 from @frack113 - Add Setup16.EXE Execution With Custom .Lst File
...
new: Setup16.EXE Execution With Custom .Lst File
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com >
2024-12-01 17:35:53 +01:00
f39c9acbc4
Merge PR #5082 from @swachchhanda000 - Add Suspicious ShellExec_RunDLL Call Via Ordinal
...
new: Suspicious ShellExec_RunDLL Call Via Ordinal
---------
Co-authored-by: Swachchhanda Shrawan Poudel <logpoint-admin@NP-SSP-MBP-02.local >
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com >
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com >
2024-12-01 17:32:36 +01:00
9367349016
Merge PR #5101 from @nasbench - Promote older rules status from experimental to test
...
chore: promote older rules status from experimental to test
Co-authored-by: nasbench <nasbench@users.noreply.github.com >
2024-12-01 13:40:32 +01:00
d804e9cba1
Merge PR #5088 from @frack113 - Remove custom dedicated hash fields from sigmac
...
update: GALLIUM IOCs - remove custom dedicated hash fields
update: Malicious DLL Load By Compromised 3CXDesktopApp - remove custom dedicated hash fields
update: Potential Compromised 3CXDesktopApp Execution - remove custom dedicated hash fields
update: HackTool Named File Stream Created - remove custom dedicated hash fields
update: PUA - Process Hacker Driver Load - remove custom dedicated hash fields
update: PUA - System Informer Driver Load - remove custom dedicated hash fields
update: Vulnerable HackSys Extreme Vulnerable Driver Load - remove custom dedicated hash fields
update: Vulnerable WinRing0 Driver Load - remove custom dedicated hash fields
update: WinDivert Driver Load - remove custom dedicated hash fields
update: HackTool - SharpEvtMute DLL Load - remove custom dedicated hash fields
update: HackTool - CoercedPotato Execution - remove custom dedicated hash fields
update: HackTool - CreateMiniDump Execution - remove custom dedicated hash fields
update: Hacktool Execution - Imphash - remove custom dedicated hash fields
update: HackTool - GMER Rootkit Detector and Remover Execution - remove custom dedicated hash fields
update: HackTool - HandleKatz LSASS Dumper Execution - remove custom dedicated hash fields
update: HackTool - Impersonate Execution - remove custom dedicated hash fields
update: HackTool - LocalPotato Execution - remove custom dedicated hash fields
update: HackTool - PCHunter Execution - remove custom dedicated hash fields
update: HackTool - PPID Spoofing SelectMyParent Tool Execution - remove custom dedicated hash fields
update: HackTool - Stracciatella Execution - remove custom dedicated hash fields
update: HackTool - SysmonEOP Execution - remove custom dedicated hash fields
update: HackTool - UACMe Akagi Execution - remove custom dedicated hash fields
update: HackTool - Windows Credential Editor (WCE) Execution - remove custom dedicated hash fields
update: MpiExec Lolbin - remove custom dedicated hash fields
update: PUA - Fast Reverse Proxy (FRP) Execution - remove custom dedicated hash fields
update: PUA- IOX Tunneling Tool Execution - remove custom dedicated hash fields
update: PUA - Nimgrab Execution - remove custom dedicated hash fields
update: PUA - NPS Tunneling Tool Execution - remove custom dedicated hash fields
update: PUA - Process Hacker Execution - remove custom dedicated hash fields
update: PUA - System Informer Execution - remove custom dedicated hash fields
update: Remote Access Tool - NetSupport Execution From Unusual Location - remove custom dedicated hash fields
update: Renamed AdFind Execution - remove custom dedicated hash fields
update: Renamed AutoIt Execution - remove custom dedicated hash fields
update: Renamed NetSupport RAT Execution - remove custom dedicated hash fields
update: Renamed PAExec Execution - remove custom dedicated hash fields
update: Potential SquiblyTwo Technique Execution - remove custom dedicated hash fields
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com >
2024-11-25 09:30:14 +01:00
5aa899415b
Merge PR #5075 from @MalGamy12 - Update Potentially Suspicious Cabinet File Expansion
...
update: Potentially Suspicious Cabinet File Expansion - Add new paths for built-in shares
---------
Co-authored-by: nasbench <nasreddineb@splunk.com >
2024-11-17 23:46:53 +01:00
5d1cf4b9de
Merge PR #5076 from @Neo23x0 - Fix Suspicious SYSTEM User Process Creation
...
fix: Suspicious SYSTEM User Process Creation - filter false positives with Google Updater uninstall script
2024-11-13 23:21:16 +01:00
f533350560
Merge PR #5065 from @nasbench - Promote older rules status from experimental to test
...
chore: promote older rules status from `experimental` to `test`
Co-authored-by: nasbench <nasbench@users.noreply.github.com >
2024-11-01 10:21:04 +01:00
ad8ab49d45
Merge PR #5060 from @MalGamy12 - Update Schedule Task Creation From Env Variable Or Potentially Suspicious Path Via Schtasks.EXE
...
Update: Schedule Task Creation From Env Variable Or Potentially Suspicious Path Via Schtasks.EXE - Add additional paths for `:\Users\All Users\` and `:\Users\Default\`
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com >
2024-10-28 12:25:02 +01:00
7e4748ec0e
feat: update multiple rules ( #5055 )
...
* Update multiple rules
* updates
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com >
2024-10-25 16:32:03 +02:00
86989a0464
Merge PR #5008 from @BlackB0lt - Update HackTool - Certipy Execution
...
update: HackTool - Certipy Execution - Increase coverage by adding new flags such as 'cert', 'template' and 'ptt'
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com >
2024-10-08 22:37:23 +02:00
5b59c6d115
Merge PR #5012 from @ionsor - Update Potentially Suspicious JWT Token Search Via CLI
...
update: Potentially Suspicious JWT Token Search Via CLI - added the `eyJhbGciOi` string, corresponding to `{"alg":` from the JWT token header.
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com >
2024-10-06 23:03:54 +02:00
08c52c367c
Merge PR #5027 from @nasbench - Promote older rules status from experimental to test
...
chore: promote older rules status from experimental to test
Co-authored-by: nasbench <nasbench@users.noreply.github.com >
2024-10-01 14:56:09 +02:00
014d169f83
Merge PR #5020 from @tsale - Add Remote Access Tool - MeshAgent Command Execution via MeshCentral
...
new: Remote Access Tool - MeshAgent Command Execution via MeshCentral
---------
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com >
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com >
2024-09-22 19:26:02 +02:00
Swachchhanda Shrawan Poudel