96c0fa6176
Merge PR #5846 from @marcopedrinazzi - Add Suspicious Email Delivered In Microsoft 365
...
new: Suspicious Email Delivered In Microsoft 365
---------
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com >
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com >
2026-04-28 00:33:23 +02:00
8315489a07
Merge PR #5828 from @Zirbo - Update Shell Invocation via Env Command - Linux
...
update: Shell Invocation via Env Command - Linux - Switch modifier to use contains instead of endswith for better accuracy
---------
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com >
2026-04-28 00:31:41 +02:00
570200b711
Merge PR #5952 from @Sanskar-bot - Update PowerShell Download Via Net.WebClient - PowerShell Classic
...
update: PowerShell Download Via Net.WebClient - PowerShell Classic - Reduce level to "low" and update metadata
---------
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com >
2026-04-28 00:30:25 +02:00
81dce222fd
Merge PR #5953 from @Sanskar-bot - Update MITRE Tags for Netcat The Powershell Version
...
chore: update mitre tags for `Netcat The Powershell Version`
---------
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com >
2026-04-28 00:29:22 +02:00
cd26c0a799
Merge PR #5815 from @swachchhanda000 - Update and Add Autologger related rules
...
new: Windows EventLog Autologger Session Registry Modification Via CommandLine
update: Potential AutoLogger Sessions Tampering - Update the value to an accurate one
---------
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com >
2026-04-28 00:17:40 +02:00
ca8e778476
Merge PR #5833 from @swachchhanda000 - Fix Multiple FPs based on VT data
...
update: Suspicious Creation TXT File in User Desktop - Move to a TH rule
fix: ffice Macro File Creation - Exclude office binaries
fix: Suspicious Msiexec Execute Arbitrary DLL - Make the filter more generic due to the amount of FPs.
fix: Script Interpreter Execution From Suspicious Folder - Add filters for chocolatey
fix: Suspicious Script Execution From Temp Folder - Add filter for chocolatey
fix: Office Autorun Keys Modification - Add filters for shortened paths using tilda
fix Outlook Security Settings Updated - Registry - Exclude the outlook process
---------
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com >
2026-04-28 00:10:09 +02:00
3a0fbc4bfa
Merge PR #5837 from @swachchhanda000 - Add Potential Vcruntime140 DLL Sideloading
...
new: Potential Vcruntime140 DLL Sideloading
2026-04-27 23:55:25 +02:00
180991bc81
Merge PR #5827 from @swachchhanda000 - Update Wmic Service Tampering Rules
...
new: Service Startup Type Change Via Wmic.EXE
update: Service Reconnaissance Via Wmic.EXE - Add filters to exclude out legitimate service manipulation cases.
---------
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com >
2026-04-27 22:43:22 +02:00
1a51d53e9f
Merge PR #5829 from @swachchhanda000 - Add PUA - Memory Dump Mount Via MemProcFS
...
new: PUA - Memory Dump Mount Via MemProcFS
---------
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com >
2026-04-27 22:30:50 +02:00
ff107c3fe1
Merge PR #5414 from @swachchhanda000 - Add Indirect Command Execution via SFTP ProxyCommand
...
new: Indirect Command Execution via SFTP ProxyCommand
---------
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com >
2026-04-27 22:26:12 +02:00
f627ff2270
Merge PR #5964 from @mostafa - Update Okta Rules to use CamelCase fields
...
update: Okta 2023 Breach Indicator Of Compromise - Update field name to use CamleCase
update: Okta Admin Role Assigned to an User or Group - Update field name to use CamleCase
update: Okta Admin Role Assignment Created - Update field name to use CamleCase
update: Okta API Token Created - Update field name to use CamleCase
update: Okta API Token Revoked - Update field name to use CamleCase
update: Okta Application Modified or Deleted - Update field name to use CamleCase
update: Okta Application Sign-On Policy Modified or Deleted - Update field name to use CamleCase
update: Okta FastPass Phishing Detection - Update field name to use CamleCase
update: Okta Identity Provider Created - Update field name to use CamleCase
update: Okta MFA Reset or Deactivated - Update field name to use CamleCase
update: Okta Network Zone Deactivated or Deleted - Update field name to use CamleCase
update: Okta New Admin Console Behaviours - Update field name to use CamleCase
update: Potential Okta Password in AlternateID Field - Update field name to use CamleCase
update: Okta Policy Modified or Deleted - Update field name to use CamleCase
update: Okta Policy Rule Modified or Deleted - Update field name to use CamleCase
update: Okta Security Threat Detected - Update field name to use CamleCase
update: Okta Suspicious Activity Reported by End-user - Update field name to use CamleCase
update: Okta Unauthorized Access to App - Update field name to use CamleCase
update: Okta User Account Locked Out - Update field name to use CamleCase
update: New Okta User Created - Update field name to use CamleCase
update: Okta User Session Start Via An Anonymising Proxy Service - Update field name to use CamleCase
2026-04-27 21:55:40 +02:00
cf9759946f
Merge PR #5399 from @swachchhanda000 - Update LSA PPL Protection Setting Modification via CommandLine
...
update: LSA PPL Protection Setting Modification via CommandLine - Add more keys regarding LSA PPL
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com >
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com >
2026-04-24 19:48:55 +02:00
5655f590d7
Added VSCode config to .gitignore
2026-04-24 09:00:48 +02:00
03412947a2
Merge PR #5922 from @CHIRAG-DAMANI-08 - Hacktool - NetExec Execution
...
new: HackTool - NetExec File Indicators
new: Hacktool - NetExec Execution
---------
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com >
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com >
2026-04-23 15:02:24 +02:00
c801be9f3d
Merge PR #5899 from @HueCodes - new: Python Base64 Encoded Inline Command Execution
...
new: Python Base64 Encoded Inline Command Execution - Windows
new: Python Base64 Encoded Inline Command Execution - Linux
---------
Co-authored-by: Hugh <HueCodes@users.noreply.github.com >
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com >
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com >
2026-04-23 14:37:28 +02:00
fc1cf467f4
Merge PR #5905 from @swachchhanda000 - fix: notepad++ gup infrastructure abuse FPs
...
fix: Notepad++ Updater DNS Query to Uncommon Domains - filter uncommon domain
fix: Uncommon File Created by Notepad++ Updater Gup.EXE - filter gup legitimate filter
2026-04-21 12:33:55 +02:00
c58ee2f7f8
Merge PR #5938 from @marcopedrinazzi - Fix file extension from .yaml to .yml for consistency
...
chore: changed extension from yaml to yml for certain files
---------
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com >
2026-04-20 14:44:21 +02:00
889b07d952
Merge PR #5943 from @swachchhanda000 - Add regression test count mismatch finder
...
chore: regression test count mismatch finder
2026-04-20 14:38:44 +02:00
c3ad686ac4
Merge PR #5935 from @swachchhanda000 - Fix Registry Tampering by Potentially Suspicious Processes
...
fix: Registry Tampering by Potentially Suspicious Processes - add filter for legitimate wscript.exe registry modifications
---------
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com >
2026-04-14 14:49:20 +02:00
d4d12bdd13
Merge PR #5910 from @EzLucky - Update RTLO Related Rules With Additional Coverage
...
update: Potential Defense Evasion Via Right-to-Left Override - Add real rtlo char copied/pasted
update: Potential File Extension Spoofing Using Right-to-Left Override - Add real rtlo char copied/pasted
---------
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com >
2026-04-01 13:57:31 +02:00
7fc53c563e
Merge PR #5925 from @Neo23x0 - Add filter for nsswitch and double extension in icons folder
...
fix: Non-Standard Nsswitch.Conf Creation - Potential CVE-2025-32463 Exploitation - Add additional path for nsswitch `/usr/share/factory/etc/nsswitch.conf`
fix: Suspicious Double Extension Files - Add a new filter `/usr/share/icons/`
---------
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com >
Thanks: @marius-benthin
2026-04-01 13:55:12 +02:00
7031934d17
Merge PR #5914 from @netikus - Update Potential Privileged System Service Operation - SeLoadDriverPrivilege
...
fix: Potential Privileged System Service Operation - SeLoadDriverPrivilege - Add new filter for ShellHost.exe and SystemSettings.exe
---------
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com >
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com >
2026-04-01 13:36:52 +02:00
3fe2695635
Merge PR #5921 from @Axel-NTT - Update BPFDoor Abnormal Process ID or Lock File Accessed
...
update: BPFDoor Abnormal Process ID or Lock File Accessed - add new file paths from Rapid7 research to increase coverage
2026-04-01 13:16:52 +02:00
4bb5637b23
Merge PR #5923 from @swachchhanda000 - Add litellm Supply Chain Attack Related Rules
...
new: TeamPCP LiteLLM Supply Chain Attack Persistence Indicators
new: LiteLLM / TeamPCP Supply Chain Attack Indicators
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com >
2026-04-01 13:11:45 +02:00
c6d03adc7b
Merge PR #5924 from @Neo23x0 - Fix Security Support Provider (SSP) Added to LSA Configuration
...
fix: Security Support Provider (SSP) Added to LSA Configuration - Add filter for `null` image field
2026-04-01 12:35:29 +02:00
858b04b66a
Merge PR #5926 from @phantinuss - Update ATT&CK Heatmap Coverage
...
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com >
2026-04-01 12:34:21 +02:00
11f1fa4e2c
Merge PR #5927 from @nasbench - Update deprecated csv
...
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com >
2026-04-01 12:32:09 +02:00
71f1120dc6
Merge PR #5928 from @swachchhanda000 - Add Axios NPM Compromise Indicators Related Rules
...
new: Axios NPM Compromise File Creation Indicators - Linux
new: Axios NPM Compromise File Creation Indicators - MacOS
new: Axios NPM Compromise File Creation Indicators - Windows
new: Axios NPM Compromise Malicious C2 Domain DNS Query
new: Axios NPM Compromise Indicators - Linux
new: Axios NPM Compromise Indicators - MacOS
new: Axios NPM Compromise Indicators - Windows
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com >
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com >
2026-04-01 12:31:31 +02:00
2f84ca2f16
Merge PR #5433 from @swachchhanda000 - Add BadSuccessor dMSA Abuse Related Rules
...
new: msDS-ManagedAccountPrecededByLink Attribute Modified
new: New MsDS-DelegatedManagedServiceAccount (DMSA) Object Created
new: DMSA Service Account Created in Specific OUs - PowerShell
new: DMSA Link Attributes Modified
new: New DMSA Service Account Created in Specific OUs
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com >
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com >
2026-03-30 12:27:13 +02:00
56a58e1ee6
Merge PR #5772 from @swachchhanda000 - Add Shai-Hulud: The Second Coming Rules
...
update: Shai-Hulud Malicious GitHub Workflow Creation - Add new entries to the list to increase coverage
new: Shai-Hulud Malware Indicators - Linux
new: Shai-Hulud Malicious Bun Execution - Linux
new: Shai-Hulud 2.0 Malicious NPM Package Installation - Linux
new: Shai-Hulud Malware Indicators - Windows
new: Shai-Hulud Malicious Bun Execution
new: Shai-Hulud 2.0 Malicious NPM Package Installation
new: Script Interpreter Spawning Credential Scanner - Linux
new: Script Interpreter Spawning Credential Scanner - Windows
---------
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com >
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com >
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com >
2026-03-29 14:58:59 +02:00
a15dbdaa05
Merge PR #5832 from @swachchhanda000 - fix: edr-freeze rules FPs analysed from VT
...
fix: Suspicious Loading of Dbgcore/Dbghelp DLLs from Uncommon Location - remove troublesome locations commonly used by installers
fix: HackTool - WSASS Execution - update regex to avoid mismatching on legitimate cli
update: WerFaultSecure Loading DbgCore or DbgHelp - EDR-Freeze - change it into hunting rule
2026-03-19 10:26:30 +01:00
c2ba39f94b
Merge PR #5901 from @phantinuss - bump evtx-baseline version to 0.8.4
...
chore: bump evtx-baseline version to 0.8.4
---------
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com >
2026-03-13 15:04:24 +01:00
3c2407864e
Merge PR #5857 from @swachchhanda000 - chore: add missing json logs
...
chore: add missing json logs
2026-03-03 12:01:07 +01:00
37fe8969ae
Merge PR #5890 from @nasbench - chore: archive new rule references and update cache file
...
chore: archive new rule references and update cache file
Co-authored-by: nasbench <nasbench@users.noreply.github.com >
2026-03-02 13:42:54 +01:00
1aae4b0603
Merge PR #5889 from @phantinuss - Update ATT&CK Heatmap Coverage
...
* chore: update ATT&CK heatmap
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com >
2026-03-02 13:38:30 +01:00
b596e1a7d0
Merge PR #5860 from @marcopedrinazzi - Add New Email Forwarding and Hiding Rules
...
remove: Suspicious PowerShell Mailbox SMTP Forward Rule
new: Mail Forwarding/Redirecting Activity Via ExchangePowerShell Cmdlet
new: Inbox Rules Creation Or Update Activity Via ExchangePowerShell Cmdlet
---------
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com >
2026-03-01 04:16:06 +01:00
084204d06a
Merge PR #5845 from @marcopedrinazzi - Add System Language Discovery via Reg.Exe
...
new: System Language Discovery via Reg.Exe
---------
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com >
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com >
2026-03-01 03:55:40 +01:00
5f5e72cff7
Merge PR #5885 from @djlukic - Add New FP Filters
...
fix: BITS Transfer Job With Uncommon Or Suspicious Remote TLD - Add filter entry for "tscdn.m365.static.microsoft"
fix: CodeIntegrity - Unmet Signing Level Requirements By File Under Validation - Add filter entry for MS office path
fix: Non Interactive PowerShell Process Spawned - Add filter entry for "SenseIR.exe"
---------
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com >
2026-03-01 03:47:59 +01:00
3fb14d9544
Merge PR #5844 from @marcopedrinazzi - Add Inbox Rules Creation Or Update Activity in O365
...
new: Inbox Rules Creation Or Update Activity in O365
---------
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com >
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com >
2026-02-28 14:32:33 +01:00
41c8116d0e
Merge PR #5856 from @swachchhanda000 - Add CPL sideloading and Fsquirt entries
...
update: Files With System Process Name In Unsuspected Locations - Add fsquirt.exe entry
update: System Control Panel Item Loaded From Uncommon Location - Add entries for bthprops.cpl and hdwwiz.cpl
update: System File Execution Location Anomaly - Add fsquirt.exe entry
---------
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com >
2026-02-28 14:21:29 +01:00
6db81c99bd
Merge PR #5716 from @tsale - Add detection rules for abuse of OpenEDR's response feature
...
new: Potentially Suspicious File Creation by OpenEDR's ITSMService
new: OpenEDR Spawning Command Shell
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com >
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com >
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com >
2026-02-28 14:12:49 +01:00
086a362b0f
Merge PR #5875 from @Neo23x0 - Fix BloodHound Collection Files
...
fix: BloodHound Collection Files - Remove entry `_domains.json` due to FP rate.
2026-02-28 14:06:13 +01:00
dc3880459d
Merge PR #5863 from @swachchhanda000 - Add finger.exe to related rules
...
update: Potential Defense Evasion Via Rename Of Highly Relevant Binaries - add finger.exe
update: System File Execution Location Anomaly - add finger.exe
2026-02-16 12:50:13 +01:00
14d11fdda7
Merge PR from @swachchhanda000 - SolarWinds WebHelpDesk RCE Vulnerabilites Exploitation
...
new: Suspicious Child Process of SolarWinds WebHelpDesk
---------
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com >
2026-02-13 07:21:03 +05:45
1df103ce6d
Merge PR #5852 from @nasbench - Open Archive New Rule References
...
chore: archive new rule references and update cache file
-----
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com >
2026-02-10 14:48:39 +05:45
02f6d3716d
Merge #5851 from @nasbench - Update deprecated csv
...
chore: update deprecated.csv and deprecated.json
------
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com >
2026-02-10 14:44:07 +05:45
76f4a42ebb
Merge PR #5854 from @swachchhanda000 - Add Notepad++ Infrastructure Abuse Rules
...
new: Notepad++ Updater DNS Query to Uncommon Domains
new: Uncommon File Created by Notepad++ Updater Gup.EXE
new: Suspicious Child Process of Notepad++ Updater - GUP.Exe
---------
Co-authored-by: nasbench <nbencher@cisco.com >
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com >
2026-02-04 12:08:03 +01:00
fb37712ca7
Merge PR #5850 from @phantinuss - Update ATT&CK Heatmap Coverage
...
* chore: update ATT&CK heatmap
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com >
2026-02-03 11:33:49 +01:00
478120e7d2
Merge PR #5814 from @swachchhanda000 - Add New Credential Guard Tampering Rules
...
Goodlog Tests / check-baseline-win7 (push) Waiting to run
Goodlog Tests / check-baseline-win10 (push) Waiting to run
Goodlog Tests / check-baseline-win11 (push) Waiting to run
Goodlog Tests / check-baseline-win11-2023 (push) Waiting to run
Goodlog Tests / check-baseline-win2022 (push) Waiting to run
Goodlog Tests / check-baseline-win2022-domain-controller (push) Waiting to run
Goodlog Tests / check-baseline-win2022-0-20348-azure (push) Waiting to run
Regression Tests / true-positive-tests (push) Waiting to run
Create Release / Create Release (push) Waiting to run
Sigma Rule Tests / yamllint (push) Waiting to run
Sigma Rule Tests / test-sigma-logsource (push) Blocked by required conditions
Sigma Rule Tests / test-sigma-legacy (push) Blocked by required conditions
Sigma Rule Tests / sigma-check (push) Blocked by required conditions
Sigma Rule Tests / duplicate-id-check (push) Blocked by required conditions
Validate Sigma rules / sigma-rules-validator (push) Waiting to run
new: Windows Credential Guard Registry Tampering Via CommandLine
new: Windows Credential Guard Related Registry Value Deleted - Registry
new: Windows Credential Guard Disabled - Registry
---------
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com >
2026-01-29 12:52:08 +01:00
c6a32d96cf
Merge PR #5813 from @swachchhanda000 - Add New AMSI Tampering Rules
...
new: Windows AMSI Related Registry Tampering Via CommandLine
new: AMSI Disabled via Registry Modification
---------
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com >
2026-01-29 12:38:48 +01:00
Marco Pedrinazzi