peterydzynski
8b41e6bfdf
Merge PR #5542 from @peterydzynski - remove Azure Application Credential Modified
remove: Azure Application Credential Modified - superseded by cbb67ecc-fb70-4467-9350-c910bdf7c628
---------
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2025-10-17 12:14:11 +02:00
Vladan Sekulic
84425b8889
Merge PR #5677 from @vl43den - Modify System Firewall - add nftables delete/flush
update: Modify System Firewall - add nftables delete/flush
---------
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
2025-10-17 11:56:55 +02:00
Jason Vasquez
5c39e25d99
Merge PR #5251 from @vasquja - improve regex to correctly detect hex IPv4 addresses
fix: Ping Hex IP - refined detection by adding regex to only match true hexadecimal IPv4 formats
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
2025-10-17 08:26:34 +05:45
Swachchhanda Shrawan Poudel
c2d9e95e83
Merge PR #5532 from @swachchhanda000 - fix: refine detections and filters; update Account Tampering with SubStatus field
fix: SMB Create Remote File Admin Share - filter out local IP
fix: Alternate PowerShell Hosts - PowerShell Module - filter out more legit powershell host
fix: CurrentVersion NT Autorun Keys Modification - filter svchost making legitimate registry change
fix: Potentially Suspicious Desktop Background Change Via Registry - filter EC2Launch.exe
update: Account Tampering - Suspicious Failed Logon Reasons - add SubStatus field
2025-10-17 08:12:25 +05:45
Swachchhanda Shrawan Poudel
c3b0256d71
Merge PR #5517 from @swachchhanda000 - fix: office 365 apps related false-positives
remove: Active Directory Parsing DLL Loaded Via Office Application - deprecated as this rule was triggered every time any office app was opened
fix: Uncommon AppX Package Locations - Add a filter to legit Microsoft path
fix: File With Uncommon Extension Created By An Office Application - Add a filter to remove fp caused by ".com" directory filename
fix: Startup Folder File Write - Add a filter for OneNote
fix: Suspicious Volume Shadow Copy Vssapi.dll Load - Add a filter for null Image field
fix: Potentially Suspicious Volume Shadow Copy Vsstrace.dll Load - Add a filter for null Image field
fix: Suspicious WSMAN Provider Image Loads - Add a filter for mmc loading wsman provider images
fix: Office Application Initiated Network Connection To Non-Local IP - Add filter to more legit microsoft IP address ASN subnets
fix: Office Application Initiated Network Connection Over Uncommon Ports - Add filter for other common ports
fix: Suspicious Userinit Child Process - Add filter to Explorer in CommandLine
fix: CurrentVersion Autorun Keys Modification - Add more filters for OneDriverSetup.EXE
fix: Office Autorun Keys Modification - Add a new filter for a FriendlyName Addin
fix: Suspicious Access to Sensitive File Extensions - Zeek - Commented out groups.xml
fix: Suspicious Access to Sensitive File Extensions - Commented out groups.xml
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2025-10-17 07:57:13 +05:45
EzLucky
ff558d8561
Merge PR #5663 from @EzLucky - improve coverage of werfaultsecure in EDR process freeze rule
update: Suspicious Process Suspension via WERFaultSecure through EDR-Freeze - refine image path logic and include OriginalFileName for improved rule accuracy
---------
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
2025-10-17 07:23:23 +05:45
Nasreddine Bencherchali
0f1691dc35
Merge PR #5699 from @nasbench - fix overlap of strings to reduce FPs
fix: Program Executed Using Proxy/Local Command Via SSH.EXE - fix overlap of strings to reduce FPs
2025-10-16 13:47:17 +02:00
Swachchhanda Shrawan Poudel
b9a91bb064
Merge PR #5690 from @swachchhanda000 - fix: wsl fp on system execution anomaly detection
fix: System File Execution Location Anomaly - add filter for wsl fps
2025-10-16 11:00:11 +05:45
swachchhanda000
f6c5c4f68a
Merge PR #5694 from @swachchhanda000 - fix: remove + characters from selectors
fix: Arbitrary DLL or Csproj Code Execution Via Dotnet.EXE - remove + characters from selectors
2025-10-16 10:57:28 +05:45
github-actions[bot]
b4c6facc1d
Merge PR #5693 from @nasbench - chore: archive new rule references and update cache file
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
2025-10-15 09:51:23 +02:00
phantinuss
b242175fe4
Merge PR #5679 from @swachchhanda000 - chore: update evtx baseline to v0.8.2
chore: update evtx baseline to v0.8.2 and fix FPs
---------
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
2025-10-09 13:03:39 +02:00
Swachchhanda Shrawan Poudel
90fe2d9e81
Merge PR #5640 from @swachchhanda000 - IIS WebServer Log Deletion via CommandLine Utilities
new: IIS WebServer Log Deletion via CommandLine Utilities
---------
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2025-10-07 10:56:48 +02:00
david-syk
30e2afb165
Merge PR #5670 from @david-syk - add lateral movement mitre att&ck tag
chore: Hacktool Ruler - add lateral movement mitre att&ck tag
2025-10-02 12:04:12 +02:00
Swachchhanda Shrawan Poudel
d27d120401
Merge PR #5183 from @swachchhanda000 - add rules for malware abusing grimresource and RTLO techniques
new: MMC Loading Script Engines DLLs
new: Potentially Suspicious Child Processes Spawned by ConHost
new: Scheduled Task Creation Masquerading as System Processes
new: Schtasks Curl Download and Powershell Execution Combination
new: MMC Executing Files with Reversed Extensions Using RTLO Abuse
update: Potential Defense Evasion Via Right-to-Left Override - add `[U+202E]`
update: Potential File Extension Spoofing Using Right-to-Left Override - add `[U+202E]` and more extensions
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
tag: r2025-10-01
2025-10-01 14:16:23 +02:00
Swachchhanda Shrawan Poudel
cda3c76e41
Merge PR #5257 from @swachchhanda000 - Security Event Logging Disabled Via MiniNt Registry Key
new: Security Event Logging Disabled Via MiniNt Registry Key - Process
new: Security Event Logging Disabled Via MiniNt Registry Key - Registry Set
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2025-10-01 14:04:22 +02:00
Swachchhanda Shrawan Poudel
aecbc1563c
Merge PR #5387 from @swachchhanda000 - SAP NetWeaver Webshell
new: Potential SAP NetWeaver Webshell Creation - Linux
new: Potential SAP NetWeaver Webshell Creation
new: Suspicious Child Process of SAP NetWeaver - Linux
new: Suspicious Child Process of SAP NetWeaver
2025-10-01 12:57:42 +02:00
Swachchhanda Shrawan Poudel
bc8224e2a5
Merge PR #5379 from @swachchhanda000 - NodeJS Execution of JavaScript
new: NodeJS Execution of JavaScript File
new: Potentially Suspicious Inline JavaScript Execution via NodeJS Binary
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2025-10-01 12:18:11 +02:00
Joseph A. M.
0b97c2b8a2
Merge PR #5577 from @josamontiel - Potential Hello-World Scraper Botnet Activity
new: Potential Hello-World Scraper Botnet Activity
---------
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
2025-10-01 11:58:24 +02:00
Vladan Sekulic
5a5cb056bd
Merge PR #5594 from @vl43den - Update Suspicious Get Local Groups Information
update: Suspicious Get Local Groups Information - PowerShell - increase coverage for WMI modules
update: Suspicious Get Local Groups Information - increase coverage for WMI modules
---------
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
2025-10-01 11:50:48 +02:00
Swachchhanda Shrawan Poudel
9ef186d3dd
Merge PR #5599 from @swachchhanda000 - fix FPs around pyinstaller
fix: Potential Python DLL SideLoading - add FP filter caused by pyinstaller bundled applications
update: Python Image Load By Non-Python Process - update the metadata
fix: HackTool - LaZagne Execution - remove imphashes common to pyinstaller bundled executables
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2025-10-01 11:46:41 +02:00
Florian Roth
ab61898690
Merge PR #5602 from @Neo23x0 - FPs with mknod
fix: UNC4841 - Barracuda ESG Exploitation Indicators - FPs with mknod on Linux systems
2025-10-01 11:28:58 +02:00
YxinMiracle
27be608a2e
Merge PR #5619 from @YxinMiracle - Suspicious Uninstall of Windows Defender Feature via PowerShell
new: Suspicious Uninstall of Windows Defender Feature via PowerShell
---------
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
2025-10-01 10:54:12 +02:00
JasonPhang98
c9fd8a6665
Merge PR #5647 from @JasonPhang98 - MacOS FileGrabber Infostealer
new: MacOS FileGrabber Infostealer
---------
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
Co-authored-by: swachchhanda000 <swachchhandashrawan@gmail.com>
2025-10-01 10:13:09 +02:00
github-actions[bot]
797f098008
Merge PR #5665 from @phantinuss - Update ATT&CK Heatmap Coverage
chore: update ATT&CK heatmap
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2025-10-01 10:07:31 +02:00
github-actions[bot]
8af85d0218
Merge PR #5666 from @nasbench - chore: promote older rules status from experimental to test
chore: promote older rules status from `experimental` to `test`
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
2025-10-01 10:03:28 +02:00
github-actions[bot]
019971e1c9
Merge PR #5667 from @nasbench - chore: archive new rule references and update cache file
chore: archive new rule references and update cache file
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
2025-10-01 10:01:54 +02:00
norbert791
1cdf898681
Merge PR #5664 from @norbert791 - update DNS detections
update: DNS TOR Proxies - update detection logic
update: Query Tor Onion Address - DNS Client - update detection logic
update: DNS Query Tor .Onion Address - Sysmon - update detection logic
---------
Co-authored-by: Norbert Jaśniewicz (AlphaSOC) <norbert.jasniewicz@alphasoc.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2025-10-01 10:00:15 +02:00
Jason
a61da2863a
Merge PR #5656 from @0xbcf - Suspicious Process Suspension via WERFaultSecure through EDR-Freeze
new: Suspicious Process Suspension via WERFaultSecure through EDR-Freeze
---------
Co-authored-by: Jason <jason@digitalosprey.com>
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
2025-09-25 09:56:37 +02:00
Gene Kazimiarovich
0d9c63eb1c
Merge PR #5391 from @gkazimiarovich - Suspicious Creation of .library-ms File (CVE-2025-24054)
new: Suspicious Creation of .library-ms File - Potential CVE-2025-24054 Exploit
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
2025-09-22 12:55:51 +02:00
EzLucky
d698b3a8aa
Merge PR #5253 from @EzLucky - Potential PowerShell Console History File Access Attempt
new: Potential PowerShell Console History File Access Attempt
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
2025-09-22 12:53:59 +02:00
Swachchhanda Shrawan Poudel
a849e8bb10
Merge PR #5244 from @swachchhanda000 - Potential ClickFix Execution Pattern - Registry
new: Potential ClickFix Execution Pattern - Registry
---------
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2025-09-22 12:52:38 +02:00
egycondor
f5f5b7bef2
Merge PR #5442 from @egycondor - TacticalRMM Agent Registration to Potential Attacker-Controlled Server
new: Remote Access Tool - TacticalRMM Agent Registration to Potential Attacker-Controlled Server
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com>
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
2025-09-22 12:47:36 +02:00
Nisarg Suthar
042b8dfd0c
Merge PR #5576 from @nisargsuthar - CrushFTP RCE vulnerability CVE-2025-54309
new: CrushFTP RCE vulnerability CVE-2025-54309
---------
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2025-09-22 12:37:59 +02:00
0xPrashanthSec
ac177f15b1
Merge PR #5587 from @0xPrashanthSec - FunkLocker Ransomware File Creation
new: FunkLocker Ransomware File Creation
---------
Co-authored-by: Prashanth Pulisetti <40313110+prashanthpulisetti@users.noreply.github.com>
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com>
2025-09-22 12:37:10 +02:00
Koifman
ab428698ab
Merge PR #5567 from @Koifman - Registry Manipulation via WMI Stdregprov
new: Registry Manipulation via WMI Stdregprov
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
2025-09-22 12:35:38 +02:00
norbert791
6e829166f8
Merge PR #5588 from @norbert791 - Low Reputation Effective Top-Level Domain (eTLD)
new: Low Reputation Effective Top-Level Domain (eTLD)
---------
Co-authored-by: Norbert Jaśniewicz <norbert.jasniewicz@alphasoc.com>
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
Co-authored-by: swachchhanda000 <swachchhandashrawan@gmail.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2025-09-22 12:26:22 +02:00
Swachchhanda Shrawan Poudel
d8f83b0b4d
Merge pull request #5586 from swachchhanda000/fix_tmp_fp
fix: potentially suspicious execution from tmp folder
2025-09-22 16:07:35 +05:45
Swachchhanda Shrawan Poudel
8372e76e9b
Merge PR #5629 from @swachchhanda000 - increase rule coverage
update: Regsvr32 DLL Execution With Suspicious File Extension - add coverage for regsvr executing '.log' extension
update: Suspicious Windows Service Tampering - add coverage for Windows service tampering through wmic and PowerShell WMI module
2025-09-22 12:18:11 +02:00
david-syk
d2dcc579e8
Merge PR #5631 from @david-syk - remove trailing slash
update: RestrictedAdminMode Registry Value Tampering - ProcCreation - remove trailing slash
---------
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com>
2025-09-22 12:15:35 +02:00
Swachchhanda Shrawan Poudel
fe015f3c24
Merge PR #5635 from @swachchhanda000 - velociraptor abusing vscode tunneling
new: Suspicious Velociraptor Child Process
update: Visual Studio Code Tunnel Execution - remove optional flag '--name'
update: Renamed Visual Studio Code Tunnel Execution - remove optional flag '--name'
2025-09-22 12:13:07 +02:00
M1ra1B0T
c250aec299
Merge PR #5644 from @M1ra1B0T - Update Provider Name for Kerberos based rules
update: Certificate Use With No Strong Mapping - Update Provider Name
update: KDC RC4-HMAC Downgrade CVE-2022-37966 - Update Provider Name
update: No Suitable Encryption Key Found For Generating Kerberos Ticket - Update Provider Name
---------
Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>
2025-09-22 11:50:48 +02:00
Andreas Braathen
35d80c39bd
Merge PR #5175 from @netgrain - Add WDAC Policy File Creation In CodeIntegrity Folder
new: WDAC Policy File Creation In CodeIntegrity Folder
---------
Co-authored-by: Andreas Braathen <andreasb@mnemonic.io>
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
2025-09-22 11:48:53 +02:00
Swachchhanda Shrawan Poudel
6c26cf1be9
Merge PR #5639 from @swachchhanda000 - Fix some more fps found in prod
fix: Potential Persistence Via Notepad++ Plugins - add filter for notepad++ installers
fix: New Service Creation Using Sc.EXE - add filter for dropbox
fix: Potential PsExec Remote Execution - add filter for localhost
fix: Potential Defense Evasion Via Raw Disk Access By Uncommon Tools - add filter for mpDefenderCoreService and SysWow64
2025-09-22 11:46:48 +02:00
github-actions[bot]
12d87e7690
Merge PR #5636 from @phantinuss - Update ATT&CK Heatmap Coverage
* chore: update ATT&CK heatmap
* chore: update heatmap SVG
* chore: tweak output for attack map svg
---------
Co-authored-by: phantinuss <phantinuss@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2025-09-22 11:42:05 +02:00
github-actions[bot]
8062eadcc5
Merge PR #5637 from @nasbench - Promote older rules status from experimental to test
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
2025-09-22 11:41:37 +02:00
github-actions[bot]
f76a82ddc9
Merge PR #5638 from @nasbench - Archive new rule references and update cache file
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
2025-09-22 11:41:18 +02:00
Nasreddine Bencherchali
15b9599eb0
Change alert level from high to medium
2025-08-29 10:34:46 +02:00
github-actions[bot]
1751ef8673
Merge PR #5597 from @nasbench - Archive new rule references and update cache file
chore: archive new rule references and update cache file
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
2025-08-29 10:31:14 +02:00
phantinuss
fe5e698723
Merge PR #5630 from @phantinuss - Revert "chore: improve windash order in modifiers"
chore: this reverts commit 8a2e4c16b9.
2025-08-28 20:11:57 +02:00
phantinuss
8a2e4c16b9
Merge PR #5628 from @phantinuss - chore: improve windash order in modifiers
chore: improve windash order in modifiers
2025-08-26 11:46:36 +02:00