Commit Graph

103 Commits

Author SHA1 Message Date
pratinavchandra e1a713d264 Merge PR #4823 from @pratinavchandra - Update CLI flag for Gatekeeper Bypass via Xattr
update: Gatekeeper Bypass via Xattr - Update command line flag 

---------

Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
2024-04-19 11:10:38 +02:00
Josh 68511f711f Merge PR #4759 from @joshnck - Add new rules covering incoming TeamViewer connection activity
new: Remote Access Tool - Team Viewer Session Started On Linux Host
new: Remote Access Tool - Team Viewer Session Started On MacOS Host
new: Remote Access Tool - Team Viewer Session Started On Windows Host 

---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-03-15 21:41:29 +01:00
github-actions[bot] 367ebd9395 Merge PR #4700 from @nasbench - Promote older rules status from experimental to test
chore: promote older rules status from experimental to test
2024-02-01 02:09:31 +01:00
Stephen Lincoln e62c700822 Merge PR #4649 from @slincoln-aiq - System Information Discovery Using System_Profiler
new: System Information Discovery Using System_Profiler

---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2024-01-10 14:29:49 +01:00
Stephen Lincoln 2abda43af9 Merge PR #4645 from @slincoln-aiq - Update: System Information Discovery Using Ioreg
update: System Information Discovery Using Ioreg - enhanced coverage with additional flags and cli options

---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-01-10 14:00:01 +01:00
jstnk9 1e37964530 Merge PR #4640 from @jstnk9 - Add new rules related to System Integrity Protection (SIP) enumeration and tamper
new: System Integrity Protection (SIP) Enumeration
new: System Integrity Protection (SIP) Disabled

---------

Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2024-01-10 13:36:06 +01:00
github-actions[bot] c3fe2da997 chore: promote older rules status from experimental to test (#4651)
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
2024-01-01 09:00:51 +01:00
jstnk9 3bb3b9cb5b Merge PR #4615 from @jstnk9 - Update WMIC Discovery Rule + New System Discovery Rules For MacOS
new: System Information Discovery Using Ioreg
new: System Information Discovery Using sw_vers
new: Potential Base64 Decoded From Images
new: System Information Discovery Via Wmic.EXE
update: Uncommon System Information Discovery Via Wmic.EXE - Updated logic to focus on more specific WMIC query sequence to increase the level and added a related rule to cover the missing gaps in d85ecdd7-b855-4e6e-af59-d9c78b5b861e

---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2023-12-21 11:09:47 +01:00
github-actions[bot] ae960f0881 Merge PR #4611 from @nasbench - Promote Older Rules Status From experimental To test
chore: promote older rules status from experimental to test

Co-authored-by: nasbench <nasbench@users.noreply.github.com>
2023-12-01 12:50:36 +01:00
github-actions[bot] a6e7cce606 Merge PR #4533 from @nasbench - Promote experimental rules
chore: promote older rules status from `experimental` to `test`

---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2023-11-02 10:48:45 +01:00
Nasreddine Bencherchali 95793d73bd Merge PR #4482 From @nasbench - Add New Automation Workflows
chore: update workflows and add quality of life updates and automation to the repository

---------

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2023-10-18 11:53:44 +02:00
frack113 020fc8061f Merge PR #4479 From @frack113 - Upgrade Rules Status
chore: Upgrade status level from `experimental` to `test` for rules that have not changed in 300 days

---------

Signed-off-by: frack113 <62423083+frack113@users.noreply.github.com>
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2023-10-17 14:35:26 +02:00
phantinuss 2a2db295ce Merge pull request #4155 from D4rkCiph3r/patch-5
Update proc_creation_macos_add_to_admin_group.yml
2023-08-23 08:57:45 +02:00
phantinuss ea5db35a52 Merge pull request #4127 from D4rkCiph3r/in-memory-payload
Create proc_creation_macos_in-memory_payload_transfer.yml
2023-08-23 08:57:23 +02:00
Nasreddine Bencherchali d53f063141 feat: update metadata 2023-08-22 18:22:05 +02:00
Nasreddine Bencherchali 32800437c9 Update proc_creation_macos_dseditgroup_add_to_admin_group.yml 2023-08-22 17:55:17 +02:00
Nasreddine Bencherchali 0f1f792ef9 chore: split rules 2023-08-22 17:48:06 +02:00
Nasreddine Bencherchali 68f843ce2c Merge pull request #4300 from gr00T0x/jamf
feat: add rules related to jamf usage and potential abuse
2023-08-22 15:38:35 +02:00
Nasreddine Bencherchali 7881df8591 Merge pull request #4055 from D4rkCiph3r/root_enable
feat: add new to enable root account via dsenableroot
2023-08-22 15:10:26 +02:00
Nasreddine Bencherchali ae71649ff5 Update rules/macos/process_creation/proc_creation_macos_jamf_susp_child.yml 2023-08-22 15:09:42 +02:00
phantinuss 785ea520dd fix: wording 2023-08-22 14:56:25 +02:00
phantinuss 9cb0c4d1ac fix: wording 2023-08-22 14:55:30 +02:00
Nasreddine Bencherchali b14769e684 feat: update metadata & logic 2023-08-22 14:34:20 +02:00
Nasreddine Bencherchali 4e75c3b2dc feat: update detection & metadata 2023-08-22 13:51:14 +02:00
gr00t fe26aabf6a Update proc_creation_macos_usage_of_jamf.yml 2023-06-08 12:43:54 +01:00
gr00t 97cb0ad683 Create proc_creation_macos_usage_of_jamf.yml 2023-06-07 16:46:36 +01:00
D4rkCiph3r e32b39d855 feat: new macos rule Suspicious Browser Child Process (#4053) 2023-04-05 14:58:09 +02:00
D4rkCiph3r 5d1130262f feat: new rule proc_creation_macos_suspicious_applet_behaviour.yml (#4126) 2023-04-03 12:27:17 +02:00
D4rkCiph3r 3662498137 Update proc_creation_macos_add_to_admin_group.yml 2023-03-30 11:34:38 +05:30
D4rkCiph3r 401c147f70 Update proc_creation_macos_enable_root_account.yml 2023-03-30 11:33:57 +05:30
D4rkCiph3r f6a78028d1 Update proc_creation_macos_enable_root_account.yml
Removed a couple of detections, as I have moved them over to this rule "proc_creation_macos_add_to_admin_group".
2023-03-30 11:32:53 +05:30
D4rkCiph3r 6a9d887c47 Update proc_creation_macos_add_to_admin_group.yml
Restructured another detection from this rule "proc_creation_macos_enable_root_account.yml" (PR Pending) to here.
2023-03-30 11:26:52 +05:30
D4rkCiph3r da468ec37a feat: new rule proc_creation_macos_add_to_admin_group.yml (#4121) 2023-03-21 11:29:42 +01:00
D4rkCiph3r 24432424c0 Rename proc_creation_macos_in-memory_payload_transfer.yml to proc_creation_macos_ingress_payload_transfer.yml
Updated filename as per test run failure
2023-03-20 23:35:32 +05:30
D4rkCiph3r f4b0264a83 Create proc_creation_macos_in-memory_payload_transfer.yml 2023-03-20 23:21:36 +05:30
Nasreddine Bencherchali 137dcbcc50 feat: more updates and fixes 2023-02-28 15:22:25 +01:00
phantinuss db4fb9ff8e Merge pull request #4056 from D4rkCiph3r/installer-child
Create proc_creation_macos_susp_installer_child_process.yml
2023-02-22 09:04:58 +01:00
Nasreddine Bencherchali 275748b671 fix: add missing space + rename file 2023-02-21 23:29:47 +01:00
Nasreddine Bencherchali 8220d9b5b2 fix: add slash to image field
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2023-02-21 23:17:09 +01:00
D4rkCiph3r ecdc93cdf0 Update proc_creation_macos_enable_root_account.yml
Corrected the condition and selection's naming
2023-02-21 11:12:02 +05:30
D4rkCiph3r 848a64fa69 Create proc_creation_macos_persistence_via_plistbuddy.yml (#4057) 2023-02-20 14:15:31 +01:00
D4rkCiph3r d0af939108 Create proc_creation_macos_enable_guest_account.yml (#4054) 2023-02-20 14:13:52 +01:00
D4rkCiph3r f9a73c7a79 Update proc_creation_macos_create_account.yml (#4052) 2023-02-20 14:13:06 +01:00
D4rkCiph3r 97e2717343 Update proc_creation_macos_susp_installer_child_process.yml
Updated the selection syntax
2023-02-20 18:19:43 +05:30
D4rkCiph3r b3154cf465 Update proc_creation_macos_enable_root_account.yml
Updated the selections and condition as suggested.
2023-02-20 18:14:51 +05:30
frack113 cd16dff85d Update rules/macos/process_creation/proc_creation_macos_susp_installer_child_process.yml 2023-02-20 06:32:47 +01:00
D4rkCiph3r c016748316 Update proc_creation_macos_susp_installer_child_process.yml 2023-02-18 19:10:01 +05:30
D4rkCiph3r cc5bce2035 Create proc_creation_macos_susp_installer_child_process.yml
Summary of the Pull Request:
The pull request adds a new rule for macOS (T1059, T1059.007, T1071, T1071.001)

Detailed Description of the Pull Request / Additional comments:
The rule helps detect the execution of suspicious child processes from a macOS installer package parent process. This includes osascript, JXA, curl and wget amongst other interpreters. Legitimate software also uses scripts (preinstall and postinstall). Baselining or application allow-listing monitoring helps reduce the false positives.

Example Log Event (In Case of FP Fixes)
NA

Relevant Issues (In Case of Issue Fixes)
NA
2023-02-18 19:04:22 +05:30
D4rkCiph3r f275a6a3cd Create proc_creation_macos_enable_root_account.yml
Summary of the Pull Request:
The pull request adds a new rule for macOS (T1078, T1078.001)

Detailed Description of the Pull Request / Additional comments: 
The rule helps detect attempts to enable/add an account to the admin group, thus granting root privileges using various utilities such as dsenableroot, dseditgroup and dscl.

Example Log Event (In Case of FP Fixes)
NA

Relevant Issues (In Case of Issue Fixes)
NA
2023-02-18 18:20:18 +05:30
Nasreddine Bencherchali 2ae212f5ab fix: remove unnecessary filter 2023-02-17 21:36:54 +01:00