security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
16,373 Commits 1 Branch 57 Tags
7f83008e9ee84ce0e2bcb1474dc002b41cdfe8a5
Commit Graph

12697 Commits

Author SHA1 Message Date
Mohamed Ashraf 7f83008e9e Merge PR #5173 from @X-Junior - New rule additions and some fixes 
new: Clfs.SYS Loaded By Process Located In a Potential Suspicious Location
fix: Python Initiated Connection - Add filter for `pip install`
fix: Python Inline Command Execution - Add filter for whl package installations
---------

Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>
 2025-02-22 23:57:41 +01:00
frack113 c779fc5424 Merge PR #5200 from @frack113 - Fix typo in selection name 
chore: fix selection name
 2025-02-22 23:47:24 +01:00
Koifman de0c3f3a83 Merge PR #5182 from @Koifman - Update Windows Event Log Access Tampering Via Registry 
update: Windows Event Log Access Tampering Via Registry - Increase coverage by removing log markers

---------

Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>
 2025-02-17 12:49:00 +01:00
Mohamed Ashraf 41bef8eed5 Merge PR #5189 from @X-Junior - Add Potentially Suspicious WDAC Policy File Creation 
new: Potentially Suspicious WDAC Policy File Creation

---------

Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>
 2025-02-17 12:46:16 +01:00
Swachchhanda Shrawan Poudel 1de2b1c30f Merge PR #5186 from @swachchhanda000 - Increase coverage of AADinternals rules 
update: AADInternals PowerShell Cmdlets Execution - PsScript - Add additional strings from the AADinternals framework
update: AADInternals PowerShell Cmdlets Execution - ProccessCreation - Add additional strings from the AADinternals framework
 2025-02-17 12:11:55 +01:00
Swachchhanda Shrawan Poudel 0d25ad1855 Merge PR #5184 from @swachchhanda000 - Add PUA - NimScan Execution 
new: PUA - NimScan Execution
 2025-02-17 12:07:45 +01:00
Mohamed Ashraf 75b51c76b5 Merge PR #5195 from @X-Junior - Fix Schtasks Creation Or Modification With SYSTEM Privileges 
fix: Schtasks Creation Or Modification With SYSTEM Privileges - Add new filter of office scheduled task
 2025-02-17 12:04:28 +01:00
github-actions[bot] 2bfb0935a0 Merge PR #5177 from @nasbench - promote older rules status from experimental to test
Create Release / Create Release (push) Has been cancelled
Details 
chore: promote older rules status from `experimental` to `test`

Co-authored-by: nasbench <nasbench@users.noreply.github.com>
 2025-02-03 18:23:12 +01:00
GtUGtHGtNDtEUaE da7a8305f1 Merge PR #5176 from @GtUGtHGtNDtEUaE - Update rules covering EventID 4660 
remove: Windows Defender Exclusion Deleted
fix: WCE wceaux.dll Access - Remove EventIDs `4658` and `4660` as they both do not contain the `ObjectName` field
 2025-01-31 18:08:59 +01:00
Mohamed Ashraf 3724456d62 Merge PR #5162 from @X-Junior - Add Windows Event Log Access Tampering Via Registry 
new: Windows Event Log Access Tampering Via Registry

---------

Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
 2025-01-30 21:31:26 +01:00
Djordje Lukic 92989a4f74 Merge PR #5167 from @djlukic - Fix multiple false positives found in the wild 
fix: Failed Code Integrity Checks - Add filters for `CrowdStrike`.
fix: Renamed Powershell Under Powershell Channel - Add edge case filters for double backslashes PowerShell invocation.

---------

Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>
 2025-01-30 21:15:39 +01:00
Kostas 56203e5241 Merge PR #5174 from @tsale - Add Suspicious Binaries and Scripts in Public Folder 
new: Suspicious Binaries and Scripts in Public Folder

---------

Co-authored-by: Detections <Detections@thedfirreport.com>
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>
 2025-01-30 21:13:42 +01:00
frack113 a99b163c93 Merge PR #5166 from @frack113 - Fix Privileged User Has Been Created 
fix: Privileged User Has Been Created - Add missing comma to avoid false positives
 2025-01-22 22:30:58 +01:00
Josh Brower 48d5c5064c Merge PR #5168 from @defensivedepth - Prepend algo to hash values 
fix: HackTool - Dumpert Process Dumper Execution - prepend MD5 to hash value
fix: Forest Blizzard APT - Process Creation Activity - prepend SHA256 to hash value
fix: ManageEngine Endpoint Central Dctask64.EXE Potential Abuse - prepend IMPHASH to hash value
fix: Renamed ZOHO Dctask64 Execution - prepend IMPASH to hash value
 2025-01-22 22:29:33 +01:00
Renan LAVAREC fb27bee6d8 Merge PR #5152 from @Ti-R - Fix Potentially Suspicious Volume Shadow Copy Vsstrace.dll Load 
fix: Potentially Suspicious Volume Shadow Copy Vsstrace.dll Load - Add exclusion filter `C:\ProgramData\Package Cache\{` to account for cases like the execution of `vcredist`

---------

Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>
 2025-01-19 22:02:29 +01:00
Josh 083eb54e30 Merge PR #5157 from @joshnck - Add Azure Login Bypassing Conditional Access Policies 
new: Azure Login Bypassing Conditional Access Policies
---------

Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>
 2025-01-19 22:00:59 +01:00
Florian Roth 06a5d08508 Merge PR #5163 from @Neo23x0 - Add/Update Rsync Linux Rules 
update: Shell Execution via Rsync - Linux - Rework logic to make it more generic and include additional shells.
new: Suspicious Invocation of Shell via Rsync

---------

Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>
 2025-01-19 21:55:40 +01:00
Florian Roth 961753afb0 Merge PR #5164 from @Neo23x0 - Update Exploit Framework User Agent 
update: Exploit Framework User Agent - Add default Havoc C2 UA
 2025-01-19 21:42:40 +01:00
github-actions[bot] 8734022722 Merge PR #5149 from @nasbench - Promote older rules status from experimental to test 
chore: promote older rules status from experimental to test

Co-authored-by: nasbench <nasbench@users.noreply.github.com>
 2025-01-06 15:36:19 +01:00
Djordje Lukic fa68da90b1 Merge PR #5145 from @djlukic - Update Regex of some rules 
update: Suspicious Non PowerShell WSMAN COM Provider - Update regex to use `\s+` to account for different parsers
update: Renamed Powershell Under Powershell Channel - Update regex to use `\s+` to account for different parsers
---------

Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>
 2024-12-28 22:40:03 +01:00
Djordje Lukic 1df3c34391 Merge PR #5144 from @djlukic - Fix multiple FPs 
fix: Relevant Anti-Virus Signature Keywords In Application Log - Enhances the `HTool` string to avoid unintended matches.
fix: Uncommon AppX Package Locations - Add `https://installer.teams.static.microsoft/`
fix: BITS Transfer Job With Uncommon Or Suspicious Remote TLD - Add `dn.onenote.net/` and `cdn.office.net/`
fix: CodeIntegrity - Unmet Signing Level Requirements By File Under Validation - Add filter for `Kaspersky` and `mDNS Responder`
 2024-12-27 16:38:02 +01:00
Daniel Koifman 7c830458e7 Merge PR #5138 from @DanielKoifman - Update Suspicious Windows Service Tampering 
update: Suspicious Windows Service Tampering - Add additional services
 2024-12-27 16:29:04 +01:00
Florian Roth e8a6894eca Merge PR #5132 from @Neo23x0 - Update DNS Query To Remote Access Software Domain From Non-Browser App
Create Release / Create Release (push) Has been cancelled
Details 
update: DNS Query To Remote Access Software Domain From Non-Browser App - Add `getscreen.me`

---------

Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>
 2024-12-19 20:38:44 +01:00
Ivan S aec72e101d Merge PR #5016 from @saakovv - Add New AWS Lambda Function URL Configuration Created 
new: New AWS Lambda Function URL Configuration Created

---------

Co-authored-by: Ivan.Saakov <ivan.saakov@indriver.com>
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>
 2024-12-19 20:30:58 +01:00
Ivan S a8d8dcff8f Merge PR #5015 from @saakovv - Add AWS SAML Provider Deletion Activity 
new: AWS SAML Provider Deletion Activity

---------

Co-authored-by: Ivan.Saakov <ivan.saakov@indriver.com>
Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>
 2024-12-19 20:30:41 +01:00
Koifman 3449958dbf Merge PR #5041 from @Koifman - Update tags for Register new Logon Process by Rubeus 
chore: update tags for `Register new Logon Process by Rubeus`
 2024-12-19 18:41:14 +01:00
Ivan S 2c13dba9f3 Merge PR #5023 from @saakovv - Add AWS Key Pair Import Activity 
new: AWS Key Pair Import Activity

---------

Co-authored-by: Ivan.Saakov <ivan.saakov@indriver.com>
Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>
 2024-12-19 18:35:28 +01:00
z00t 8e8b86aab9 Merge PR #5095 from @faisalusuf - Add new rules related to QuickAssist usage 
new: QuickAssist Execution
new: DNS Query Request By QuickAssist.EXE
---------

Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>
 2024-12-19 18:07:19 +01:00
Djordje Lukic 9f54b01218 Merge PR #5122 from @djlukic - Fix bXOR Operator Usage In PowerShell Command Line - PowerShell Classic 
fix: bXOR Operator Usage In PowerShell Command Line - PowerShell Classic - Update the logic to remove unrelated keywords and reduce unwanted matches.

---------

Co-authored-by: Djordje Lukic <djordje.lukic@binalyze.com>
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>
 2024-12-14 22:55:02 +02:00
Florian Roth 17dcad456f Merge PR #5116 from @Neo23x0 - Add rules and updates related to Cleo exploitation 
new: CVE-2024-50623 Exploitation Attempt - Cleo
update: Webshell Detection With Command Line Keywords - Add suspicious powershell commandline keywords
---------

Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>
 2024-12-14 22:44:55 +02:00
Milad Cheraghi 957c1fc3d9 Merge PR #5119 from @CheraghiMilad - Update Terminate Linux Process Via Kill 
update: Terminate Linux Process Via Kill - Add "xkill"

---------

Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>
 2024-12-14 22:26:02 +02:00
Milad Cheraghi 44775b80b9 Merge PR #5117 from @CheraghiMilad - Update Process Discovery 
update: Process Discovery - Add additional processes like "htop" and "atop"
---------

Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>
 2024-12-14 22:24:15 +02:00
Phill Moore a290d22143 Merge PR #5125 from @randomaccess3 - Update Potential Secure Deletion with SDelete 
update: Potential Secure Deletion with SDelete - Enhance metadata

---------

Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>
 2024-12-14 21:55:43 +02:00
Gameel Ali 9b67acfcf6 Merge PR #5126 from @MalGamy12 - Update COM Object Hijacking Via Modification Of Default System CLSID Default Value 
update: COM Object Hijacking Via Modification Of Default System CLSID Default Value - Add {603D3801-BD81-11d0-A3A5-00C04FD706EC}
---------

Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
 2024-12-14 21:09:33 +02:00
Milad Cheraghi c6b7a19b59 Merge PR #5099 from @CheraghiMilad - Update Local System Accounts Discovery - Linux 
update: Local System Accounts Discovery - Linux - Add additional binaries to read password files such as "less" and "emacs" as well as additional password file locations such as "/etc/pwd.db"
 2024-12-14 20:49:32 +02:00
Florian Roth ee821b8e99 Merge PR #5110 from @Neo23x0 - Update Remote Access Tool Services Have Been Installed - Security 
update: Remote Access Tool Services Have Been Installed - Security - Add anydesk
 2024-12-07 15:47:45 +01:00
Ivan S 58017b6b3f Merge PR #5017 from @saakovv - Add Modification or Deletion of an AWS RDS Cluster 
new: Modification or Deletion of an AWS RDS Cluster
---------

Co-authored-by: Ivan.Saakov <ivan.saakov@indriver.com>
Co-authored-by: nasbench <nasreddineb@splunk.com>
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
 2024-12-07 00:19:18 +01:00
Florian Roth 6fd57da131 fix: FPs with NetNTLM downgrade attack (#5108) 
fix: NetNTLM Downgrade Attack - Registry - Tune the rule for specific registry values in order to reduce FP rate.
---------

Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
 2024-12-03 22:44:37 +01:00
Matthew Green 2a0c9b5550 Merge PR #5107 from @mgreen27 - Update Potential Defense Evasion Via Rename Of Highly Relevant Binaries 
update: Potential Defense Evasion Via Rename Of Highly Relevant Binaries - Add ie4uinit.exe and msxsl.exe to old binary rename rule
 2024-12-03 22:14:54 +01:00
Nasreddine Bencherchali 6048be5a7a Merge PR #5106 from @nasbench - Add SID version of integrity levels 
chore: add SID version of IntegrityLevel
fix: Suspicious Process By Web Server Process - Fix typo in "ntdsutil" process name
 2024-12-01 23:29:17 +01:00
frack113 6e71f6ad5e Merge PR #5046 from @frack113 - Add Setup16.EXE Execution With Custom .Lst File 
new: Setup16.EXE Execution With Custom .Lst File

---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
 2024-12-01 17:35:53 +01:00
Swachchhanda Shrawan Poudel f39c9acbc4 Merge PR #5082 from @swachchhanda000 - Add Suspicious ShellExec_RunDLL Call Via Ordinal 
new: Suspicious ShellExec_RunDLL Call Via Ordinal 

---------

Co-authored-by: Swachchhanda Shrawan Poudel <logpoint-admin@NP-SSP-MBP-02.local>
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
 2024-12-01 17:32:36 +01:00
Milad Cheraghi aac4335550 Merge PR #5102 from @CheraghiMilad - Update Password Policy Discovery - Linux 
update: Password Policy Discovery - Linux - Add additional new paths for "pam.d" , namely "/etc/pam.d/common-account", "/etc/pam.d/common-auth" and "/etc/pam.d/auth" 

---------

Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
 2024-12-01 14:09:27 +01:00
Milad Cheraghi c8e1d66a35 Merge PR #5091 from @CheraghiMilad - Update File and Directory Discovery - Linux 
update: File and Directory Discovery - Linux - Add 2 additional binaries, "findmnt" and "mlocate"
---------
 
Co-authored-by: Milad Cheraghi <cheraghimiladmail@gmail.com>
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
 2024-12-01 14:07:54 +01:00
Milad Cheraghi af41386535 Merge PR #5097 from @CheraghiMilad - Update System Owner or User Discovery - Linux 
update: System Owner or User Discovery - Linux - Add 4 additional tools that can be used for host and user discovery: "whoami", "hostname", "id", "last" 

---------

Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
 2024-12-01 13:51:14 +01:00
Gameel Ali 995dac17d1 Merge PR #5084 from @MalGamy12 - Update COM Object Hijacking Via Modification Of Default System CLSID Default Value 
update: COM Object Hijacking Via Modification Of Default System CLSID Default Value - Add 2 new additional built-in COM object GUID that were seen being used for hijacking
 
---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
 2024-12-01 13:48:59 +01:00
github-actions[bot] 9367349016 Merge PR #5101 from @nasbench - Promote older rules status from experimental to test 
chore: promote older rules status from experimental to test

Co-authored-by: nasbench <nasbench@users.noreply.github.com>
 2024-12-01 13:40:32 +01:00
Florian Roth 374f003507 Merge PR #5093 from @Neo23x0 - Fix Creation of WerFault.exe/Wer.dll in Unusual Folder 
fix: Creation of WerFault.exe/Wer.dll in Unusual Folder - Add filter for windows update/installation folder `C:\Windows\SoftwareDistribution\`
 
---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
 2024-11-29 13:06:11 +01:00
frack113 d804e9cba1 Merge PR #5088 from @frack113 - Remove custom dedicated hash fields from sigmac 
update: GALLIUM IOCs - remove custom dedicated hash fields
update: Malicious DLL Load By Compromised 3CXDesktopApp - remove custom dedicated hash fields
update: Potential Compromised 3CXDesktopApp Execution - remove custom dedicated hash fields
update: HackTool Named File Stream Created - remove custom dedicated hash fields
update: PUA - Process Hacker Driver Load - remove custom dedicated hash fields
update: PUA - System Informer Driver Load - remove custom dedicated hash fields
update: Vulnerable HackSys Extreme Vulnerable Driver Load - remove custom dedicated hash fields
update: Vulnerable WinRing0 Driver Load - remove custom dedicated hash fields
update: WinDivert Driver Load - remove custom dedicated hash fields
update: HackTool - SharpEvtMute DLL Load - remove custom dedicated hash fields
update: HackTool - CoercedPotato Execution - remove custom dedicated hash fields
update: HackTool - CreateMiniDump Execution - remove custom dedicated hash fields
update: Hacktool Execution - Imphash - remove custom dedicated hash fields
update: HackTool - GMER Rootkit Detector and Remover Execution - remove custom dedicated hash fields
update: HackTool - HandleKatz LSASS Dumper Execution - remove custom dedicated hash fields
update: HackTool - Impersonate Execution - remove custom dedicated hash fields
update: HackTool - LocalPotato Execution - remove custom dedicated hash fields
update: HackTool - PCHunter Execution - remove custom dedicated hash fields
update: HackTool - PPID Spoofing SelectMyParent Tool Execution - remove custom dedicated hash fields
update: HackTool - Stracciatella Execution - remove custom dedicated hash fields
update: HackTool - SysmonEOP Execution - remove custom dedicated hash fields
update: HackTool - UACMe Akagi Execution - remove custom dedicated hash fields
update: HackTool - Windows Credential Editor (WCE) Execution - remove custom dedicated hash fields
update: MpiExec Lolbin - remove custom dedicated hash fields
update: PUA - Fast Reverse Proxy (FRP) Execution - remove custom dedicated hash fields
update: PUA- IOX Tunneling Tool Execution - remove custom dedicated hash fields
update: PUA - Nimgrab Execution - remove custom dedicated hash fields
update: PUA - NPS Tunneling Tool Execution - remove custom dedicated hash fields
update: PUA - Process Hacker Execution - remove custom dedicated hash fields
update: PUA - System Informer Execution - remove custom dedicated hash fields
update: Remote Access Tool - NetSupport Execution From Unusual Location - remove custom dedicated hash fields
update: Renamed AdFind Execution - remove custom dedicated hash fields
update: Renamed AutoIt Execution - remove custom dedicated hash fields
update: Renamed NetSupport RAT Execution - remove custom dedicated hash fields
update: Renamed PAExec Execution - remove custom dedicated hash fields
update: Potential SquiblyTwo Technique Execution - remove custom dedicated hash fields

---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
 2024-11-25 09:30:14 +01:00
Nathan d0e4e78f7a Merge PR #5086 from @AlbinoGazelle - Update ESXCLI reference docs after Broadcom acquisition of VMWare 
chore: update broken references to ESXCLI rules
 2024-11-20 20:44:32 +01:00