Commit Graph

5088 Commits

Author SHA1 Message Date
Jason Vasquez 5c39e25d99 Merge PR #5251 from @vasquja - improve regex to correctly detect hex IPv4 addresses
fix: Ping Hex IP - refined detection by adding regex to only match true hexadecimal IPv4 formats
---------

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
2025-10-17 08:26:34 +05:45
Swachchhanda Shrawan Poudel c3b0256d71 Merge PR #5517 from @swachchhanda000 - fix: office 365 apps related false-positives
remove: Active Directory Parsing DLL Loaded Via Office Application - deprecated as this rule was triggered every time any office app was opened
fix: Uncommon AppX Package Locations - Add a filter to legit Microsoft path
fix: File With Uncommon Extension Created By An Office Application - Add a filter to remove fp caused by ".com" directory filename
fix: Startup Folder File Write - Add a filter for OneNote
fix: Suspicious Volume Shadow Copy Vssapi.dll Load - Add a filter for null Image field
fix: Potentially Suspicious Volume Shadow Copy Vsstrace.dll Load - Add a filter for null Image field
fix: Suspicious WSMAN Provider Image Loads - Add a filter for mmc loading wsman provider images
fix: Office Application Initiated Network Connection To Non-Local IP - Add filter to more legit Microsoft IP address ASN subnets
fix: Office Application Initiated Network Connection Over Uncommon Ports - Add filter for other common ports
fix: Suspicious Userinit Child Process - Add filter to Explorer in CommandLine
fix: CurrentVersion Autorun Keys Modification - Add more filters for OneDriverSetup.EXE
fix: Office Autorun Keys Modification - Add a new filter for a FriendlyName Addin
fix: Suspicious Access to Sensitive File Extensions - Zeek - Commented out groups.xml
fix: Suspicious Access to Sensitive File Extensions - Commented out groups.xml
---------

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2025-10-17 07:57:13 +05:45
EzLucky ff558d8561 Merge PR #5663 from @EzLucky - improve coverage of werfaultsecure in EDR process freeze rule
update: Suspicious Process Suspension via WERFaultSecure through EDR-Freeze - refine image path logic and include OriginalFileName for improved rule accuracy

---------

Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
2025-10-17 07:23:23 +05:45
Nasreddine Bencherchali 0f1691dc35 Merge PR #5699 from @nasbench - fix overlap of strings to reduce FPs
fix: Program Executed Using Proxy/Local Command Via SSH.EXE - fix overlap of strings to reduce FPs
2025-10-16 13:47:17 +02:00
Swachchhanda Shrawan Poudel b9a91bb064 Merge PR #5690 from @swachchhanda000 - fix: wsl fp on system execution anomaly detection
fix: System File Execution Location Anomaly - add filter for wsl fps
2025-10-16 11:00:11 +05:45
swachchhanda000 f6c5c4f68a Merge PR #5694 from @swachchhanda000 - fix: remove + characters from selectors
fix: Arbitrary DLL or Csproj Code Execution Via Dotnet.EXE - remove + characters from selectors
2025-10-16 10:57:28 +05:45
phantinuss b242175fe4 Merge PR #5679 from @swachchhanda000 - chore: update evtx baseline to v0.8.2
chore: update evtx baseline to v0.8.2 and fix FPs
---------

Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
2025-10-09 13:03:39 +02:00
Swachchhanda Shrawan Poudel 90fe2d9e81 Merge PR #5640 from @swachchhanda000 - IIS WebServer Log Deletion via CommandLine Utilities
new: IIS WebServer Log Deletion via CommandLine Utilities
---------

Co-authored-by: nasbench <nasbench@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2025-10-07 10:56:48 +02:00
Swachchhanda Shrawan Poudel d27d120401 Merge PR #5183 from @swachchhanda000 - add rules for malware abusing grimresource and RTLO techniques
new: MMC Loading Script Engines DLLs
new: Potentially Suspicious Child Processes Spawned by ConHost
new: Scheduled Task Creation Masquerading as System Processes
new: Schtasks Curl Download and Powershell Execution Combination
new: MMC Executing Files with Reversed Extensions Using RTLO Abuse
update: Potential Defense Evasion Via Right-to-Left Override - add `[U+202E]`
update: Potential File Extension Spoofing Using Right-to-Left Override - add `[U+202E]` and more extensions

---------

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2025-10-01 14:16:23 +02:00
Swachchhanda Shrawan Poudel cda3c76e41 Merge PR #5257 from @swachchhanda000 - Security Event Logging Disabled Via MiniNt Registry Key
new: Security Event Logging Disabled Via MiniNt Registry Key - Process
new: Security Event Logging Disabled Via MiniNt Registry Key - Registry Set
---------

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2025-10-01 14:04:22 +02:00
Swachchhanda Shrawan Poudel bc8224e2a5 Merge PR #5379 from @swachchhanda000 - NodeJS Execution of JavaScript
new: NodeJS Execution of JavaScript File
new: Potentially Suspicious Inline JavaScript Execution via NodeJS Binary
---------

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2025-10-01 12:18:11 +02:00
Swachchhanda Shrawan Poudel 9ef186d3dd Merge PR #5599 from @swachchhanda000 - fix FPs around pyinstaller
fix: Potential Python DLL SideLoading - add FP filter caused by pyinstaller bundled applications
update: Python Image Load By Non-Python Process - update the metadata
fix: HackTool - LaZagne Execution - remove imphashes common to pyinstaller bundled executables
---------

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2025-10-01 11:46:41 +02:00
YxinMiracle 27be608a2e Merge PR #5619 from @YxinMiracle - Suspicious Uninstall of Windows Defender Feature via PowerShell
new: Suspicious Uninstall of Windows Defender Feature via PowerShell
---------

Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
2025-10-01 10:54:12 +02:00
github-actions[bot] 8af85d0218 Merge PR #5666 from @nasbench - chore: promote older rules status from experimental to test
chore: promote older rules status from `experimental` to `test`

Co-authored-by: nasbench <nasbench@users.noreply.github.com>
2025-10-01 10:03:28 +02:00
Jason a61da2863a Merge PR #5656 from @0xbcf - Suspicious Process Suspension via WERFaultSecure through EDR-Freeze
new: Suspicious Process Suspension via WERFaultSecure through EDR-Freeze

---------

Co-authored-by: Jason <jason@digitalosprey.com>
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
2025-09-25 09:56:37 +02:00
EzLucky d698b3a8aa Merge PR #5253 from @EzLucky - Potential PowerShell Console History File Access Attempt
new: Potential PowerShell Console History File Access Attempt

---------

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
2025-09-22 12:53:59 +02:00
egycondor f5f5b7bef2 Merge PR #5442 from @egycondor - TacticalRMM Agent Registration to Potential Attacker-Controlled Server
new: Remote Access Tool - TacticalRMM Agent Registration to Potential Attacker-Controlled Server
---------

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com>
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
2025-09-22 12:47:36 +02:00
Koifman ab428698ab Merge PR #5567 from @Koifman - Registry Manipulation via WMI Stdregprov
new: Registry Manipulation via WMI Stdregprov
---------

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
2025-09-22 12:35:38 +02:00
Swachchhanda Shrawan Poudel 8372e76e9b Merge PR #5629 from @swachchhanda000 - increase rule coverage
update: Regsvr32 DLL Execution With Suspicious File Extension - add coverage for regsvr executing '.log' extension
update: Suspicious Windows Service Tampering - add coverage for Windows service tampering through wmic and PowerShell WMI module
2025-09-22 12:18:11 +02:00
david-syk d2dcc579e8 Merge PR #5631 from @david-syk - remove trailing slash
update: RestrictedAdminMode Registry Value Tampering - ProcCreation - remove trailing slash

---------

Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com>
2025-09-22 12:15:35 +02:00
Swachchhanda Shrawan Poudel fe015f3c24 Merge PR #5635 from @swachchhanda000 - velociraptor abusing vscode tunneling
new: Suspicious Velociraptor Child Process
update: Visual Studio Code Tunnel Execution - remove optional flag '--name'
update: Renamed Visual Studio Code Tunnel Execution - remove optional flag '--name'
2025-09-22 12:13:07 +02:00
Swachchhanda Shrawan Poudel 6c26cf1be9 Merge PR #5639 from @swachchhanda000 - Fix some more fps found in prod
fix: Potential Persistence Via Notepad++ Plugins - add filter for notepad++ installers
fix: New Service Creation Using Sc.EXE - add filter for dropbox
fix: Potential PsExec Remote Execution - add filter for localhost
fix: Potential Defense Evasion Via Raw Disk Access By Uncommon Tools - add filter for mpDefenderCoreService and SysWow64
2025-09-22 11:46:48 +02:00
github-actions[bot] 8062eadcc5 Merge PR #5637 from @nasbench - Promote older rules status from experimental to test
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
2025-09-22 11:41:37 +02:00
phantinuss fe5e698723 Merge PR #5630 from @phantinuss - Revert "chore: improve windash order in modifiers"
chore: this reverts commit 8a2e4c16b9.
2025-08-28 20:11:57 +02:00
phantinuss 8a2e4c16b9 Merge PR #5628 from @phantinuss - chore: improve windash order in modifiers
chore: improve windash order in modifiers
2025-08-26 11:46:36 +02:00
phantinuss 4f4f468c4a Merge PR #5557 from @phantinuss - Bump pySigma-validators-sigmahq to 0.10
chore: bump pySigma-validators-sigmahq to 0.10
2025-08-14 14:29:11 +02:00
Koifman 631a23d33c Merge PR #5569 from @Koifman - Add Windows Recovery Environment Disabled Via Reagentc
new: Windows Recovery Environment Disabled Via Reagentc

---------

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
Co-authored-by: nasbench <nasreddineb@splunk.com>
2025-08-14 14:27:53 +02:00
Liran Ravich c71512aa86 Merge PR #5579 from @Liran017 - Update MITRE ATT&CK tags for multiple rules
chore: update MITRE ATT&CK tags for multiple rules
2025-08-14 14:08:21 +02:00
github-actions[bot] e8fed8709c Merge PR #5572 from @nasbench - Promote older rules status from experimental to test
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
2025-08-14 14:05:46 +02:00
Koifman 73444cac35 Merge PR #5568 from @Koifman - Password Never Expires Set via WMI
new: Password Never Expires Set via WMI
---------

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2025-07-31 12:28:06 +02:00
Swachchhanda Shrawan Poudel 1e41c5378e Merge PR #5534 from @swachchhanda000 - update PowerShell WebRequest rules
remove: PowerShell Web Download - deprecate duplicate rule in favour of 9fc51a3c-81b3-4fa7-b35f-7c02cf10fd2d
update: PowerShell Script With File Upload Capabilities - add invoke-restmethod cmdlet
update: Change User Agents with WebRequest - add invoke-restmethod cmdlet
update: Usage Of Web Request Commands And Cmdlets - add invoke-restmethod cmdlet
update: Usage Of Web Request Commands And Cmdlets - ScriptBlock - add invoke-restmethod cmdlet
update: Potential DLL File Download Via PowerShell Invoke-WebRequest - add invoke-restmethod cmdlet
update: PowerShell Download and Execution Cradles - add invoke-restmethod cmdlet
update: Suspicious Invoke-WebRequest Execution With DirectIP - add invoke-restmethod cmdlet
update: Suspicious Invoke-WebRequest Execution - add powershell_ise
update: Potential Data Exfiltration Activity Via CommandLine Tools - add invoke-restmethod cmdlet
update: Obfuscated IP Download Activity - add invoke-restmethod cmdlet
update: Suspicious PowerShell In Registry Run Keys - add invoke-restmethod cmdlet

---------

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2025-07-28 13:32:57 +02:00
Matt Anderson af492dc0f6 Merge PR #5528 from @MATTANDERS0N - add rules for defense evasion
new: PowerShell Defender Default Threat Action Set to 'Allow' or 'NoAction'
new: Windows Defender Context Menu Removed via Reg.exe
new: Disabling Windows Defender WMI Autologger Session via Reg.exe
new: Delete Defender Scan ShellEx Context Menu Registry Key
new: Windows Defender Default Threat Action Modified

---------

Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2025-07-28 13:25:23 +02:00
Swachchhanda Shrawan Poudel 80879020da Merge PR #5524 from @swachchhanda000 - add 7za to Renamed 7-Zip Execution
update: Potential Defense Evasion Via Binary Rename - add 7za
2025-07-16 13:34:33 +02:00
Swachchhanda Shrawan Poudel b7f52495c6 Merge PR #5520 from @swachchhanda000 - Fix Logic in some rules that were causing FPs and FNs
fix: Transferring Files with Credential Data via Network Shares - Made the string matching a little more specific to avoid FPs
fix: Removal of Potential COM Hijacking Registry Keys - Added Msedge update filter
fix: COM Hijacking via TreatAs - Add filter for integrator.exe
fix: Suspicious Volume Shadow Copy VSS_PS.dll Load - add vssadmin filter
update: System File Execution Location Anomaly - add taskhostw

---------

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2025-07-14 12:04:39 +02:00
Arnim Rupp 3f3b1540a0 Merge PR #5518 from @ruppde - new rule and updates for ADExplorer
new: ADExplorer Writing Complete AD Snapshot Into .dat File
update: Active Directory Database Snapshot Via ADExplorer - add more selections
update: Suspicious Active Directory Database Snapshot Via ADExplorer - add more selections

---------

Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2025-07-14 12:02:18 +02:00
Rory dc017f694a Merge PR #5146 from @resp404nse - Potential SSH Tunnel Persistence Install Using A Scheduled Task
new: Potential SSH Tunnel Persistence Install Using A Scheduled Task
---------

Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2025-07-14 11:14:40 +02:00
Swachchhanda Shrawan Poudel a55bc212ad Merge PR #5492 from @swachchhanda000 - Kerberos Coercion Via DNS SPN Spoofing
new: Suspicious DNS Query Indicating Kerberos Coercion via DNS Object SPN Spoofing - Network
new: Potential Kerberos Coercion by Spoofing SPNs via DNS Manipulation
new: Suspicious DNS Query Indicating Kerberos Coercion via DNS Object SPN Spoofing
new: Attempts of Kerberos Coercion Via DNS SPN Spoofing
2025-07-08 11:35:45 +02:00
Swachchhanda Shrawan Poudel 3201382785 Merge PR #5513 from @swachchhanda000 - fix FPs observed via Aurora
fix: Suspicious Sysmon as Execution Parent - add filter for Sysmon binary running from temp dir
fix: Remote Thread Created In Shell Application - modify the logic to filter out legit processes creating remote thread in shell apps
fix: Potential Active Directory Reconnaissance/Enumeration Via LDAP - commenting out troublesome LDAP query parameter
fix: Rare Remote Thread Creation By Uncommon Source Image - add several FP filters
fix: Remote Thread Creation By Uncommon Source Image - add several FP filters
fix: ADS Zone.Identifier Deleted By Uncommon Application - filter msedge
fix: Remote Thread Creation In Uncommon Target Image - add FP filters for notepad and sethc
fix: Potential Binary Or Script Dropper Via PowerShell - add filters for legitimate binary dropped by PowerShell
fix: Use Short Name Path in Command Line - add filter for aurora
fix: Suspicious Userinit Child Process - filter null Image
fix: CurrentVersion NT Autorun Keys Modification - add filter for RuntimeBroker.exe
fix: Modification of IE Registry Settings - add filter for RuntimeBroker.exe
fix: Scheduled TaskCache Change by Uncommon Program - add filter for RuntimeBroker.exe
---------

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2025-07-08 10:29:01 +02:00
Mohamed Ashraf fa9c495aa2 Merge PR #5515 from @X-Junior - coverage for Invoke-PowerDPAPI
update: Malicious PowerShell Commandlets - ScriptBlock - add Invoke-PowerDPAPI
update: Malicious PowerShell Scripts - FileCreation - add Invoke-PowerDPAPI
update: Malicious PowerShell Scripts - PoshModule - add Invoke-PowerDPAPI
update: Malicious PowerShell Commandlets - ProcessCreation - add Invoke-PowerDPAPI
update: Malicious PowerShell Commandlets - PoshModule - add Invoke-PowerDPAPI
2025-07-07 12:19:55 +02:00
David Faiß 0e33642058 Merge PR #5478 from @kivi280 - add rule to detect vshadow.exe with -exec parameter
new: Proxy Execution via Vshadow - detect invocation of `vshadow.exe` with `-exec` to spot hidden malware execution

---------

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
2025-07-03 11:57:48 +02:00
Swachchhanda Shrawan Poudel 2845e845ee Merge PR #5509 from @swachchhanda000 - Doppelganger Cloning and Dumping LSASS
new: HackTool - Doppelganger LSASS Dumper Execution
new: HackTool - HollowReaper Execution

---------

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
2025-07-03 11:55:58 +02:00
Swachchhanda Shrawan Poudel 7a81b073e0 Merge PR #5181 from @swachchhanda000 - update SSH proxy execution rule
update: Program Executed Using Proxy/Local Command Via SSH.EXE - add Imphash and OriginalFileName

---------

Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
2025-07-03 09:40:29 +02:00
github-actions[bot] 4316ad64da Merge PR #5506 from @nasbench - promote older rules status from experimental to test
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
2025-07-01 10:34:38 +02:00
Alfie Champion 8d18ec7df0 Merge PR #5503 from @ajpc500 - include cmd.exe child process
update: FileFix - Suspicious Child Process from Browser File Upload Abuse - add cmd.exe child process
---------

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2025-07-01 10:21:27 +02:00
Mathieu c11a785973 Merge PR #5501 from @0xFustang - FileFix - Suspicious Sub-processes Spawned by Web Browsers
new: FileFix - Suspicious Child Process from Browser File Upload Abuse

---------

Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2025-06-27 12:40:44 +02:00
vx3r b12a3fcbd6 Merge PR #5466 from @vx3r - PowerShell MSI Install via WindowsInstaller COM From Remote Location
new: PowerShell MSI Install via WindowsInstaller COM From Remote Location
---------

Co-authored-by: Meroujan.Antonyan <meroujan.antonyan.external@axa.com>
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2025-06-25 11:44:02 +02:00
Swachchhanda Shrawan Poudel 6010717912 Merge PR #5488 from @swachchhanda000 - Trusted path bypass
new: Trusted Path Bypass via Windows Directory Spoofing
update: TrustedPath UAC Bypass Pattern - update Image value
---------

Co-authored-by: nasbench <nasbench@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2025-06-24 12:35:51 +02:00
norbert791 639a948bae Merge PR #5426 from @norbert791 - New rules: Remote Access Tool MeshAgent
new: Remote Access Tool - Potential MeshAgent Usage - MacOS
new: Remote Access Tool - Potential MeshAgent Usage - Windows
new: Remote Access Tool - Suspicious MeshAgent Usage - MacOS
new: Remote Access Tool - Suspicious MeshAgent Usage - Windows
chore: Remote Access Tool - MeshAgent Command Execution via MeshCentral - typo fixed
---------

Co-authored-by: Norbert Jaśniewicz <norbert.jasniewicz@alphasoc.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2025-06-24 11:19:53 +02:00
phantinuss dfed136f16 Merge PR #5477 from @phantinuss - chore: update MITRE tag t1219 to t1219.002
chore: update MITRE tag t1219 to t1219.002
2025-06-13 10:00:52 +02:00
Swachchhanda Shrawan Poudel cc747ed2e9 Merge PR #5471 from @swachchhanda000 - feat: BadSuccessor Exploits Detection
new: HKTL - SharpSuccessor Privilege Escalation Tool Execution
update: Malicious PowerShell Scripts - FileCreation - Add BadSuccessor Exploit
update: Malicious PowerShell Scripts - PoshModule - Add BadSuccessor Exploit
update: Malicious PowerShell Commandlets - PoshModule - Add BadSuccessor Exploit
2025-06-12 12:51:36 +02:00