pratinavchandra
6a5cf5c37c
Merge PR #4785 from @pratinavchandra - add System Information Discovery Via Sysctl - MacOS
new: System Information Discovery Via Sysctl - MacOS
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-05-27 18:05:09 +02:00
skaynum
9f10345076
Merge PR #4840 from @skaynum - Add new rules related to MySQL daemon and potential phishing attempts
new: Uncommon File Creation By Mysql Daemon Process
new: Potential Suspicious Browser Launch From Document Reader Process
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-05-27 16:48:54 +02:00
Vasiliy Burov
92fd446b7d
Merge PR #4859 from @vburov - Update casing of Win32_ShadowCopy for multiple rules
chore: update casing of `Win32_ShadowCopy` for multiple rules
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-05-27 14:33:46 +02:00
CR-OfirTal
4163fde77f
Merge PR #4860 from @CR-OfirTal - Fix a typo in the regex of some rules
remove: Potential NT API Stub Patching
fix: Dynamic .NET Compilation Via Csc.EXE - Fix typo in regex
fix: Csc.EXE Execution Form Potentially Suspicious Parent - Fix typo in regex
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-05-27 14:27:34 +02:00
frack113
1c1081d87a
Merge PR #4862 from @frack113 - Add Uncommon Process Access Rights For Target Image
new: Uncommon Process Access Rights For Target Image
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-05-27 14:23:52 +02:00
Kamran Saifullah
2fcf250978
Merge PR #4863 from @deFr0ggy - Add network connection counterpart rule for cloudflare tunnels
update: Cloudflared Tunnels Related DNS Requests - Update description and related field
new: Network Connection Initiated To Cloudflared Tunnels Domains
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-05-27 13:10:06 +02:00
JeremyH
f334abfd29
Remove smart quotes from file_event_win_iphlpapi_dll_sideloading.yml (#4856)
2024-05-15 22:21:50 +02:00
Nasreddine Bencherchali
ed789f54ce
Merge PR #4853 from @nasbench - Add some cosmetic changes and small updates
update: Potentially Suspicious Execution Of PDQDeployRunner - Add additional processes to the list
update: Use Icacls to Hide File to Everyone - Remove "C:\Users" to increase coverage
2024-05-13 16:59:44 +02:00
pratinavchandra
2837671f38
Merge PR #4782 from @pratinavchandra - Add Launch Agent/Daemon Execution Via Launchctl
new: Launch Agent/Daemon Execution Via Launchctl
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-05-13 16:55:33 +02:00
Swachchhanda Shrawan Poudel
bd454b60aa
Merge PR #4818 from @swachchhanda000 - Add Potentially Suspicious Child Process Of KeyScrambler.exe
new: Potentially Suspicious Child Process Of KeyScrambler.exe
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-05-13 13:48:35 +02:00
frack113
fb3a72b433
Merge PR #4852 from @frack113 - Add Potential Packet Capture Activity Via Start-NetEventSession - ScriptBlock
new: Potential Packet Capture Activity Via Start-NetEventSession - ScriptBlock
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-05-13 13:18:39 +02:00
frack113
7d6f32d1be
Merge PR #4850 from @frack113 - Cleanup rule conditions to align with standard
chore: Cleanup conditions
update: Scheduled Task Creation From Potential Suspicious Parent Location - Add additional "temporary folder" locations.
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-05-13 12:10:33 +02:00
frack113
aaf51bf880
Merge PR #4830 from @frack113 - Enhance Wbadmin based rules
new: All Backups Deleted Via Wbadmin.EXE
new: Sensitive File Dump Via Wbadmin.EXE
new: File Recovery From Backup Via Wbadmin.EXE
new: Sensitive File Recovery From Backup Via Wbadmin.EXE
update: Windows Backup Deleted Via Wbadmin.EXE - Enhance logic and increase coverage
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-05-13 11:15:30 +02:00
Joe
6412c1a02b
Merge PR #4822 from @hasselj - Add Potentially Suspicious Malware Callback Communication - Linux
new: Potentially Suspicious Malware Callback Communication - Linux
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-05-10 17:07:43 +02:00
frack113
fe26ffa0f2
Merge PR #4838 from @frack113 - Add Access To Windows Outlook Mail Files By Uncommon Application
new: Access To Windows Outlook Mail Files By Uncommon Application
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-05-10 16:56:57 +02:00
Ahmed Farouk
b175b15033
Merge PR #4845 from @ahmedfarou22 - Proxy WebDAV Rule Improvements/New Rule
new: Suspicious External WebDAV Execution
remove: Search-ms and WebDAV Suspicious Indicators in URL
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-05-10 16:16:42 +02:00
frack113
392e3a39c8
Merge PR #4843 from @frack113 - Add New-NetFirewallRule usage related rules
new: New Firewall Rule Added In Windows Firewall Exception List Via WmiPrvSE.EXE
new: New Windows Firewall Rule Added Via New-NetFirewallRule Cmdlet
new: New Windows Firewall Rule Added Via New-NetFirewallRule Cmdlet - ScriptBlock
update: New Firewall Rule Added In Windows Firewall Exception List For Potential Suspicious Application - Add new EID and paths
update: Uncommon New Firewall Rule Added In Windows Firewall Exception List - Add new EID and paths
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-05-10 15:58:39 +02:00
frack113
7cdcb7605c
Merge PR #4844 from @frack113 - Update UAC based rules
update: UAC Disabled - update metadata
new: UAC Secure Desktop Prompt Disabled
new: UAC Notification Disabled
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-05-10 13:39:30 +02:00
github-actions[bot]
f7ec533704
Merge PR #4841 from @nasbench - Promote older rules status from experimental to test
chore: promote older rules status from "experimental" to "test"
2024-05-02 10:34:25 +02:00
Expected
39db80478e
Merge PR #4834 from @CertainlyP - Add Outbound Network Connection Initiated By Microsoft Dialer
new: Outbound Network Connection Initiated By Microsoft Dialer
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-04-29 12:54:38 +02:00
James C
6ac6153976
Merge PR #4836 from @jamesc-grafana - Update AWS Rule to use fieldref modifier instead of contains
update: AWS User Login Profile Was Modified - use fieldref instead of contains modifier
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-04-29 12:53:54 +02:00
Nasreddine Bencherchali
481337a8c3
Merge PR #4837 from @nasbench - fix fp reported in #4820
fix: ADS Zone.Identifier Deleted By Uncommon Application - Filter out "chrome" and "firefox" processes.
2024-04-26 15:39:44 +02:00
Nasreddine Bencherchali
f61c1f4509
Merge PR #4832 from @nasbench - Update LOLBIN rules
update: Arbitrary DLL or Csproj Code Execution Via Dotnet.EXE - Update logic to add additional variation of the extensions
update: Arbitrary File Download Via ConfigSecurityPolicy.EXE - Update description
update: C# IL Code Compilation Via Ilasm.EXE - Add flags to increase accuracy of the rule instead of it focusing on "any" execution
update: COM Object Execution via Xwizard.EXE - Update logic
update: JScript Compiler Execution - Update metadata
update: ManageEngine Endpoint Central Dctask64.EXE Potential Abuse - Update logic to account for flags and increase accuracy
update: Potential Application Whitelisting Bypass via Dnx.EXE - Update description
update: Potential Arbitrary Command Execution Via FTP.EXE - Use "windash" modifier and update description
update: Potential Arbitrary File Download Via Cmdl32.EXE - Remove unnecessary spaces to account for flags being at the end.
update: Renamed ZOHO Dctask64 Execution - Add additional imphash values
update: Windows Kernel Debugger Execution - Reduce level to "medium"
update: Xwizard.EXE Execution From Non-Default Location - Update description
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2024-04-26 13:40:11 +02:00
frack113
22b3416fee
Merge PR #4829 from @frack113 - Add Network Connection Initiated By RegAsm.EXE
new: Network Connection Initiated By RegAsm.EXE
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2024-04-25 16:31:56 +02:00
dan21san
c31507f74e
Merge PR #4824 from @dan21san - New PUA SoftPerfect
new: PUA - SoftPerfect Netscan Execution
---------
Co-authored-by: Degasperi <Daniel.Degasperi.ext@wuerth-phoenix.com>
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-04-25 15:18:58 +02:00
pratinavchandra
e1a713d264
Merge PR #4823 from @pratinavchandra - Update CLI flag for Gatekeeper Bypass via Xattr
update: Gatekeeper Bypass via Xattr - Update command line flag
---------
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
2024-04-19 11:10:38 +02:00
signalblur
a1a3b29692
Merge PR #4795 from @signalblur - Update Linux Command History Tampering rule
update: Linux Command History Tampering - Increase coverage to include other history files
---------
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2024-04-17 14:28:17 +02:00
nikitah4x
5b4bfd6ffd
Merge PR #4814 from @nikitah4x - Add new rule to detect MFA bypass in Cisco Duo
new: Cisco Duo Successful MFA Authentication Via Bypass Code
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-04-17 12:28:38 +02:00
signalblur
86ca651ea6
Merge PR #4801 from @signalblur - Add Pnscan rule
new: Pnscan Binary Data Transmission Activity
---------
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2024-04-16 14:36:41 +02:00
Fukusuke Takahashi
4dc77dc175
Merge PR #4819 from @fukusuket - Fix regex escape
fix: Invoke-Obfuscation Via Stdin - explicitly escape { to make it clear that it is a literal
2024-04-16 12:57:45 +02:00
Fukusuke Takahashi
1a85bc5b5a
Merge PR #4799 from @fukusuket - Fix typo in selection name
chore: fix typo in selection name
2024-04-15 17:01:15 +02:00
PiRomant
8c46c94a60
Merge PR #4798 from @PiRomant - Update Hashes field to use contains modifier
update: HackTool - CoercedPotato Execution - Update Hashes field to use contains modifier
update: HackTool - HandleKatz LSASS Dumper Execution - Update Hashes field to use contains modifier
update: HackTool - SysmonEOP Execution - Update Hashes field to use contains modifier
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-04-15 16:43:49 +02:00
frack113
045a9a5faa
Merge PR #4803 from @frack113 - Update regex based rules
update: Invoke-Obfuscation CLIP+ Launcher - PowerShell Module - Remove unnecessary starting wildcard
update: Invoke-Obfuscation STDIN+ Launcher - PowerShell Module - Remove unnecessary starting wildcard
update: Invoke-Obfuscation VAR+ Launcher - PowerShell Module - Remove unnecessary starting wildcard
update: Invoke-Obfuscation Via Stdin - PowerShell Module - Remove unnecessary starting wildcard
update: Invoke-Obfuscation Via Use Clip - PowerShell Module - Remove unnecessary starting wildcard
update: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell Module - Remove unnecessary starting wildcard
update: Invoke-Obfuscation CLIP+ Launcher - PowerShell - Remove unnecessary starting wildcard
update: Invoke-Obfuscation STDIN+ Launcher - Powershell - Remove unnecessary starting wildcard
update: Invoke-Obfuscation VAR+ Launcher - PowerShell - Remove unnecessary starting wildcard
update: Invoke-Obfuscation Via Stdin - Powershell - Remove unnecessary starting wildcard
update: Invoke-Obfuscation Via Use Clip - Powershell - Remove unnecessary starting wildcard
update: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell - Remove unnecessary starting wildcard
update: Invoke-Obfuscation STDIN+ Launcher - Update rule to use regex for better accuracy in CLI
update: Invoke-Obfuscation VAR+ Launcher - Update rule to use regex for better accuracy in CLI
update: Invoke-Obfuscation Via Stdin - Update rule to use regex for better accuracy in CLI
update: Invoke-Obfuscation Via Use Clip - Update rule to use regex for better accuracy in CLI
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2024-04-15 16:37:15 +02:00
Swachchhanda Shrawan Poudel
b40d86599c
Merge PR #4806 from @swachchhanda000 - Potential KeyScrambler.exe DLL Side-loading
new: Potential KeyScrambler.exe DLL Side-loading
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-04-15 13:58:20 +02:00
frack113
691dca6fd2
Merge PR #4808 from @frack113 - FP Bad practice GPO
fix: Windows Binaries Write Suspicious Extensions - Add new filter for when "bat" or "powershell" scripts are written via GPO to run at startup.
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-04-15 13:43:35 +02:00
frack113
8687ba8ce6
Merge PR #4813 from @frack113 - Add Image to avoid FP
fix: File And SubFolder Enumeration Via Dir Command - Fix false positive with Firefox and similar CLI apps.
---------
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
2024-04-15 13:42:32 +02:00
frack113
c21a4e10b8
Merge PR #4807 from @frack113 - Update ATT&CK tags
chore: update ATT&CK tags for `Active Directory Structure Export Via Csvde.EXE`
2024-04-15 10:46:47 +02:00
Mohamed Ashraf
f21281ab29
Merge PR #4815 from - Add new malware User-Agent
2024-04-15 10:26:56 +02:00
phantinuss
9078b857a1
Merge PR #4805 from @phantinuss - fix: FP with chocolatey shimgen tool
fix: Dynamic .NET Compilation Via Csc.EXE - FP with chocolatey
2024-04-09 12:34:37 +02:00
phantinuss
4319f5807f
Merge PR #4802 from @phantinuss - FP Fixes
fix: Windows Binaries Write Suspicious Extensions - fix selection
fix: Rundll32 Execution With Uncommon DLL Extension - add optional filter for MS Edge update
2024-04-05 08:47:18 +02:00
phantinuss
6505e72604
Merge PR #4797 from @phantinuss - fix: filter PS1 policy check for AppLocker mode
fix: Windows Binaries Write Suspicious Extensions - filter PS1 policy check for AppLocker mode
2024-04-03 10:08:50 +02:00
phantinuss
3e389b1ffd
Merge PR #4788 from @phantinuss - fix: regularly loaded by wsmprovhost.exe
update: Suspicious Volume Shadow Copy VSS_PS.dll Load - regularly loaded by wsmprovhost.exe
2024-04-02 09:27:58 +02:00
github-actions[bot]
a8e1ecd658
Merge PR #4791 from @nasbench - Promote older rules status from experimental to test
chore: promote older rules status from experimental to test
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
2024-04-01 15:14:10 +02:00
Nasreddine Bencherchali
f0395b815b
Merge PR #4774 from @nasbench - Fix and update multiple rules
fix: EVTX Created In Uncommon Location - Reduce level and remove filters
fix: Files With System Process Name In Unsuspected Locations - Add additional paths
fix: New RUN Key Pointing to Suspicious Folder
new: CVE-2024-1212 Exploitation - Progress Kemp LoadMaster Unauthenticated Command Injection
new: MaxMpxCt Registry Value Changed
update: Potentially Suspicious CMD Shell Output Redirect - Enhance logic
update: Suspicious Command Patterns In Scheduled Task Creation - Enhance logic
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2024-03-26 19:09:21 +01:00
Leo Tsaousis
0d63f52ff5
Merge PR #4694 from @LAripping - Add native Kubernetes detections
new: Container With A hostPath Mount Created
new: Creation Of Pod In System Namespace
new: Deployment Deleted From Kubernetes Cluster
new: Kubernetes Events Deleted
new: Kubernetes Secrets Enumeration
new: New Kubernetes Service Account Created
new: Potential Remote Command Execution In Pod Container
new: Potential Sidecar Injection Into Running Deployment
new: Privileged Container Deployed
new: RBAC Permission Enumeration Attempt
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-03-26 18:26:46 +01:00
cyb3rjy0t
16d8345ca7
Merge PR #4725 from @cyb3rjy0t - Add new Azure AD rules
new: Certificate-Based Authentication Enabled
new: New Root Certificate Authority Added
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-03-26 18:25:59 +01:00
Nasreddine Bencherchali
8cbcaea48a
Merge PR #4783 from @nasbench - Update registry rules logic and fix some false positives
fix: New TimeProviders Registered With Uncommon DLL Name - Add new legitimate entry to avoid FPs
new: Service Binary in User Controlled Folder
remove: Adwind RAT / JRAT - Registry
remove: Service Binary in Uncommon Folder
update: Add Port Monitor Persistence in Registry - Update logic to avoid hardcoded HKLM values
update: Change Winevt Channel Access Permission Via Registry - Update logic to avoid hardcoded HKLM values
update: CVE-2020-1048 Exploitation Attempt - Suspicious New Printer Ports - Registry - Add more entries to increase coverage and update metadata information
update: Default RDP Port Changed to Non Standard Port - Update logic to avoid hardcoded HKLM values
update: Disable Administrative Share Creation at Startup - Update logic to avoid hardcoded HKLM values
update: Disable Microsoft Defender Firewall via Registry - Update logic to avoid hardcoded HKLM values
update: Disable Windows Event Logging Via Registry - Update logic to avoid hardcoded HKLM values
update: Displaying Hidden Files Feature Disabled - Update logic to avoid hardcoded HKLM values
update: FlowCloud Registry Marker - Update logic to avoid hardcoded HKLM values
update: New PortProxy Registry Entry Added - Update logic to avoid hardcoded HKLM values
update: Potential CobaltStrike Service Installations - Registry - Update logic to avoid hardcoded HKLM values
update: Register New IFiltre For Persistence - Update logic to avoid hardcoded HKLM values
update: Registry Persistence via Service in Safe Mode - Update logic to avoid hardcoded HKLM values
update: Run Once Task Configuration in Registry - Update logic to avoid hardcoded HKLM values
update: Security Support Provider (SSP) Added to LSA Configuration - Update logic to avoid hardcoded HKLM values
update: ServiceDll Hijack - Update logic to avoid hardcoded HKLM values
update: Sysmon Driver Altitude Change - Update logic to avoid hardcoded HKLM values
update: Windows Defender Service Disabled - Registry - Update logic to avoid hardcoded HKLM values
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2024-03-26 13:28:49 +01:00
xiangchen96
961932ee3f
Merge PR #4780 from @xiangchen96 - Minor fix for ip lookup rules
update: Suspicious DNS Query for IP Lookup Service APIs - Fix ip.cn
update: Suspicious Network Connection to IP Lookup Service APIs - Fix ip.cn
2024-03-22 12:24:22 +01:00
xiangchen96
759e224a90
Merge PR #4777 from xiangchen96 - add IP lookup services
update: Suspicious DNS Query for IP Lookup Service APIs - Add new domains
update: Suspicious Network Connection to IP Lookup Service APIs - Add new domains
---------
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
2024-03-21 10:13:22 +01:00
security-companion
ba2baa1cec
Merge PR #4776 from @security-companion - Fix broken reference links
chore: fix some broken reference links
Thanks: @security-companion
2024-03-21 02:38:12 +01:00