security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions 45 Packages Projects Releases Wiki Activity
16,507 Commits 1 Branch 57 Tags
a55bc212ad50e92aed59adf9b2842b818ef38b5c
Commit Graph

16507 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Swachchhanda Shrawan Poudel a55bc212ad Merge PR #5492 from @swachchhanda000 - Kerberos Coercion Via DNS SPN Spoofing
Create Release / Create Release (push) Waiting to run
Details 
new: Suspicious DNS Query Indicating Kerberos Coercion via DNS Object SPN Spoofing - Network
new: Potential Kerberos Coercion by Spoofing SPNs via DNS Manipulation
new: Suspicious DNS Query Indicating Kerberos Coercion via DNS Object SPN Spoofing
new: Attempts of Kerberos Coercion Via DNS SPN Spoofing
r2025-07-08 		2025-07-08 11:35:45 +02:00
Swachchhanda Shrawan Poudel 3201382785 Merge PR #5513 from @swachchhanda000 - fix FPs observed via Aurora 
fix: Suspicious Sysmon as Execution Parent - add filter for Sysmon binary running from temp dir
fix: Remote Thread Created In Shell Application - modify the logic to filter out legit processes creating remote thread in shell apps
fix: Potential Active Directory Reconnaissance/Enumeration Via LDAP - commenting out troublesome LDAP query parameter
fix: Rare Remote Thread Creation By Uncommon Source Image - add several FP filter
fix: Remote Thread Creation By Uncommon Source Image - add several FP filter
fix: ADS Zone.Identifier Deleted By Uncommon Application - filter msedge
fix: Remote Thread Creation In Uncommon Target Image - add FP filters for notepad and sethc
fix: Potential Binary Or Script Dropper Via PowerShell - add filters for legitimate binary dropped by PowerShell
fix: Use Short Name Path in Command Line - add filter for aurora
fix: Suspicious Userinit Child Process - filter null Image
fix: CurrentVersion NT Autorun Keys Modification - add filter for RuntimeBroker.exe
fix: Modification of IE Registry Settings - add filter for RuntimeBroker.exe
fix: Scheduled TaskCache Change by Uncommon Program - add filter for RuntimeBroker.exe
---------

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
 2025-07-08 10:29:01 +02:00
Alfie Champion 75d03ebfb9 Merge PR #5514 from @ajpc500 - Add Filefix TypedPaths Registry rule 
new: FileFix - Command Evidence in TypedPaths from Browser File Upload Abuse

---------

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
 2025-07-08 10:09:51 +02:00
Mohamed Ashraf fa9c495aa2 Merge PR #5515 from @X-Junior - coverage for Invoke-PowerDPAPI 
update: Malicious PowerShell Commandlets - ScriptBlock - add Invoke-PowerDPAPI
update: Malicious PowerShell Scripts - FileCreation - add Invoke-PowerDPAPI
update: Malicious PowerShell Scripts - PoshModule - add Invoke-PowerDPAPI
update: Malicious PowerShell Commandlets - ProcessCreation - add Invoke-PowerDPAPI
update: Malicious PowerShell Commandlets - PoshModule - add Invoke-PowerDPAPI
 2025-07-07 12:19:55 +02:00
GrepItAll f8b17bff8c Merge PR #5512 from @GrepItAll - fix: use the correct PreAuthType selection field name 
fix: Potential AS-REP Roasting via Kerberos TGT Requests - use the correct PreAuthType selection field name

---------

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
 2025-07-07 10:25:39 +02:00
Grégory Wychowaniec 0597250ee1 Merge PR #5511 from @gregorywychowaniec-zt - add null condition in addition to empty string 
update: Suspicious SignIns From A Non Registered Device - add null value in addition to empty string
---------

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
 2025-07-03 11:58:57 +02:00
David Faiß 0e33642058 Merge PR #5478 from @kivi280 - add rule to detect vshadow.exe with -exec parameter 
new: Proxy Execution via Vshadow - detect invocation of `vshadow.exe` with `-exec` to spot hidden malware execution

---------

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
 2025-07-03 11:57:48 +02:00
Swachchhanda Shrawan Poudel 2845e845ee Merge PR #5509 from @swachchhanda000 - Doppelganger Cloning and Dumping LSASS 
new: HackTool - Doppelanger LSASS Dumper Execution
new: HackTool - HollowReaper Execution

---------

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
 2025-07-03 11:55:58 +02:00
Swachchhanda Shrawan Poudel 7a81b073e0 Merge PR #5181 from @swachchhanda000 - update SSH proxy execution rule 
update: Program Executed Using Proxy/Local Command Via SSH.EXE - add Imphash and OriginalFileName

---------

Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
 2025-07-03 09:40:29 +02:00
Mohamed Ashraf e597e13d6c Merge PR #5508 by @X-Junior - add CLSIDs to COM Object Hijacking 
update : COM Object Hijacking Via Modification Of Default System CLSID Default Value - add CLSIDs
 2025-07-01 11:47:23 +02:00
github-actions[bot] ff2c7bf284 Merge PR #5507 from @nasbench - archive new rule references and update cache file 
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
 2025-07-01 10:53:58 +02:00
github-actions[bot] be3f2bc7bd Merge PR #5505 from @phantinuss - Update ATT&CK Heatmap Coverage 
chore: update ATT&CK heatmap
chore: add updated ATT&CK coverage image
chore: point heatmap link to master

---------

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
 2025-07-01 10:48:15 +02:00
github-actions[bot] 4316ad64da Merge PR #5506 from @nasbench -promote older rules status from experimental to test 
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
 2025-07-01 10:34:38 +02:00
Swachchhanda Shrawan Poudel 2610f580d8 Merge PR #5500 from @swachchhanda000 - Potential Notepad++ CVE-2025-49144 Exploitation 
new: Potential Notepad++ CVE-2025-49144 Exploitation
---------

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
 2025-07-01 10:22:35 +02:00
Alfie Champion 8d18ec7df0 Merge PR #5503 from @ajpc500 - include cmd.exe child process 
update: FileFix - Suspicious Child Process from Browser File Upload Abuse - add cmd.exe child process
---------

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
 2025-07-01 10:21:27 +02:00
Mathieu c11a785973 Merge PR #5501 from @0xFustang - FileFix - Suspicious Sub-processes Spawned by Web Browsers 
new: FileFix - Suspicious Child Process from Browser File Upload Abuse

---------

Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
 2025-06-27 12:40:44 +02:00
hashdr1ft 8fd6a5167d Merge PR #5489 from @hashdr1ft - Suspicious Download and Execute Pattern via Curl/Wget 
new: Suspicious Download and Execute Pattern via Curl/Wget

---------

Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
 2025-06-25 12:48:57 +02:00
vx3r b12a3fcbd6 Merge PR #5466 from @vx3r - PowerShell MSI Install via WindowsInstaller COM From Remote Location 
new: PowerShell MSI Install via WindowsInstaller COM From Remote Location
---------

Co-authored-by: Meroujan.Antonyan <meroujan.antonyan.external@axa.com>
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
 2025-06-25 11:44:02 +02:00
wieso-itzi 0304ffbbd6 Merge PR #5050 from @wieso-itzi - detect vacuuming of journald for log clearing 
update: Commands to Clear or Remove the Syslog - detect journald vacuuming
---------

Signed-off-by: wieso-itzi <85185077+wieso-itzi@users.noreply.github.com>
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
 2025-06-24 13:29:27 +02:00
Cameron Roberts bdba8881c8 Merge PR #5213 from @JrOrOneEquals1 - Workflow to update ATT%CK heatmap json 
chore: workflow - auto-update ATT&CK heatmap
---------

Co-authored-by: nasbench <nasbench@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
 2025-06-24 13:16:34 +02:00
Swachchhanda Shrawan Poudel 6010717912 Merge PR #5488 from @swachchhanda000 - Trusted path bypass 
new: Trusted Path Bypass via Windows Directory Spoofing
update: TrustedPath UAC Bypass Pattern - update Image value
---------

Co-authored-by: nasbench <nasbench@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
 2025-06-24 12:35:51 +02:00
norbert791 639a948bae Merge PR #5426 from @norbert791 - New rules: Remote Access Tool MeshAgent 
new: Remote Access Tool - Potential MeshAgent Usage - MacOS
new: Remote Access Tool - Potential MeshAgent Usage - Windows
new: Remote Access Tool - Suspicious MeshAgent Usage - MacOS
new: Remote Access Tool - Suspicious MeshAgent Usage - Windows
chore: Remote Access Tool - MeshAgent Command Execution via MeshCentral - typo fixed
---------

Co-authored-by: Norbert Jaśniewicz <norbert.jasniewicz@alphasoc.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
 2025-06-24 11:19:53 +02:00
phantinuss 39537caa0d Merge PR #5486 from @phantinuss - fix: reduce FP matching with regex pattern 
fix: Hidden Files and Directories - reduce FP matching with regex pattern
 2025-06-24 10:35:56 +02:00
Swachchhanda Shrawan Poudel db77b97a25 Merge PR #5222 from @swachchhanda000 - fix FPs in rules related to remote thread creation 
fix: Uncommon AppX Package Locations - add a new filter to reduce noise
fix: Rare Remote Thread Creation By Uncommon Source Image - add new filters to reduce noise
fix: Remote Thread Creation By Uncommon Source Image - add new filters to reduce noise
update: Remote Thread Created In Shell Application - move to threat-hunting folder as it causes too much noise
---------

Co-authored-by: nasbench <nasbench@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
 2025-06-23 11:43:43 +02:00
norbert791 b2acd80098 Merge PR #5483 from @norbert791 - Add AlphaSOC to the list of products that use or integrate sigma rules 
chore: README.md - add 'AlphaSOC' to the 'Projects or Products that use or integrate Sigma rules'
 2025-06-16 13:47:13 +02:00
Grégory Wychowaniec 002f3e5961 Merge PR #5485 from @gregorywychowaniec-zt - Update registry_set rules to add 64 bits Program Files directory in filters 
fix: Common Autorun Keys Modification - add 64 bits Program Files directory in filter
fix: CurrentVersion Autorun Keys Modification - add 64 bits Program Files directory in filter
 2025-06-16 13:42:00 +02:00
github-actions[bot] df556b9675 Merge PR #5480 from @phantinuss - Archive new rule references and update cache file 
chore: archive new rule references and update cache file
 2025-06-16 12:55:39 +02:00
Swachchhanda Shrawan Poudel 8721fa654c Merge PR #5479 from @swachchhanda000 - Webdav CVE-2025-33053 RCE vulnerability 
new: Potential Exploitation of RCE Vulnerability CVE-2025-33053 - Image Load
new: Potential Exploitation of RCE Vulnerability CVE-2025-33053 - Process Access
new: Potential Exploitation of RCE Vulnerability CVE-2025-33053

---------

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
 2025-06-13 13:30:14 +02:00
Ariel Otilibili a1c9827a35 Merge PR #5402 from @ariel-anieli - feat: add JSON output format for deprecated rule summary 
chore: tests/deprecated_rules.py - add json output format
chore: add deprecated/deprecated.json
chore: update README and workflow job accordingly

---------

Signed-off-by: Ariel Otilibili <otilibil@eurecom.fr>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
 2025-06-13 10:59:34 +02:00
phantinuss dfed136f16 Merge PR #5477 from @phantinuss - chore: update MITRE tag t1219 to t1219.002 
chore: update MITRE tag t1219 to t1219.002
 2025-06-13 10:00:52 +02:00
unicornofhunt 0d8580a55f Merge PR #5434 from @unicornofhunt - Adding BITS DLL rule 
new: BITS Client BitsProxy DLL Loaded By Uncommon Process

---------

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
 2025-06-12 13:57:30 +02:00
Swachchhanda Shrawan Poudel cc747ed2e9 Merge PR #5471 from @swachchhanda000 - feat: BadSuccessor Exploits Detection 
new: HKTL - SharpSuccessor Privilege Escalation Tool Execution
update: Malicious PowerShell Scripts - FileCreation - Add BadSuccessor Exploit
update: Malicious PowerShell Scripts - PoshModule - Add BadSuccessor Exploit
update: Malicious PowerShell Commandlets - PoshModule - Add BadSuccessor Exploit
 2025-06-12 12:51:36 +02:00
phantinuss dbf8921652 chore: fix typo as suggested in #5472 2025-06-12 12:41:09 +02:00
lazarg dca02df740 Merge PR #5243 from @xlazarg - System Information Discovery via Registry Queries 
new: System Information Discovery via Registry Queries

---------

Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
 2025-06-12 12:31:43 +02:00
egycondor d242edfd5e Merge PR #5453 from @egycondor - DNS Query To Common Malware Hosting and Shortener Services 
new: DNS Query To Common Malware Hosting and Shortener Services
---------

Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
 2025-06-12 12:31:03 +02:00
frack113 b7908efab9 Merge PR #5473 from @frack113 - chore: add ET and TH tags 
chore: Add emerging-threats tags
chore: Add threat-hunting tags
 2025-06-12 10:21:24 +02:00
Swachchhanda Shrawan Poudel d44c380d8c Merge PR #5413 from @swachchhanda000 - feat: Mshta more susp extension added 
update: MSHTA Execution with Suspicious File Extensions - title changed and more susp extension added

---------

Co-authored-by: nasbench <nasbench@users.noreply.github.com>
 2025-06-11 11:30:31 +02:00
Swachchhanda Shrawan Poudel 73ce21b574 Merge PR #5416 from @swachchhanda000 - Detection of SAP NetViewer CVE-2025-31324 exploitation via webserver logs 
new: Potential SAP NetViewer Webshell Command Execution
new: Potential Java WebShell Upload in SAP NetViewer Server
chore: unpin pySigma validator version

---------

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
 2025-06-11 11:28:24 +02:00
frack113 3183768be3 Merge PR #4901 from @frack113 - Regasm Without CommandLine 
new: RegAsm.EXE Execution Without CommandLine Flags or Files

---------

Co-authored-by: nasbench <nasbench@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
 2025-06-11 11:25:56 +02:00
Gameel Ali 12d68aca19 Merge PR #5148 from @MalGamy12 - Update Suspicious Windows Defender Registry Key Tampering Via Reg.EXE 
update: Suspicious Windows Defender Registry Key Tampering Via Reg.EXE - Increase coverage by adding new values that allow for Windows Defender to be disabled such as DisableCloudProtection and DisableSecurityCenter

---------

Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com>
 2025-06-11 11:25:56 +02:00
dan21san fd62c55e47 Merge PR #5221 from @dan21san - MSSQL Destructive Query 
new: MSSQL Destructive Query
---------

Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com>
 2025-06-11 11:25:56 +02:00
Swachchhanda Shrawan Poudel 8cfa4fbd1c Merge PR #5225 from @swachchhanda000 - Lazagne rule update 
update: HackTool - LaZagne Execution: filter added to reduce FP and added more coverage through imphash

---------

Co-authored-by: nasbench <nasbench@users.noreply.github.com>
 2025-06-11 11:25:51 +02:00
Swachchhanda Shrawan Poudel d35b514a16 Merge PR #5412 from @swachchhanda000 - feat: add more susp registry modifications associated with feature change of windows internal tools 
update: Disable Internal Tools or Feature in Registry - More registry modifications associated with feature change of windows internal tools added

---------

Co-authored-by: nasbench <nasbench@users.noreply.github.com>
 2025-06-11 11:25:45 +02:00
Milad Cheraghi ff60fa5f91 Merge PR #5444 from @CheraghiMilad - Discovery System Info via Sysinfo Syscall 
new: System Info Discovery via Sysinfo Syscall

---------

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
 2025-06-05 13:53:57 +02:00
Swachchhanda Shrawan Poudel 3eb0198939 Merge PR #5445 from @swachchhanda000 - feat: add coverage for Unicode Space Character Obfuscation 
update: Suspicious Double Extension Files: add more suspicious extension combination
update: Potential CommandLine Obfuscation Using Unicode Characters From Suspicious Image - add Unicode space character
update: Suspicious Double Extension File Execution: add more suspicious extension combination

---------

Co-authored-by: nasbench <nasbench@users.noreply.github.com>
 2025-06-05 13:29:46 +02:00
Milad Cheraghi 4c8e709469 Merge PR #5446 from @CheraghiMilad - Special File Creation via Mknod Syscall 
new: Special File Creation via Mknod Syscall

---------

Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
 2025-06-05 13:27:24 +02:00
phantinuss 298e18c9c2 Merge PR #5467 from @phantinuss - use syscall names instead of ids 
the integration pipeline or the rule consumer has to take care of the mapping

update: Audio Capture - use syscall name instead of id
update: Clear or Disable Kernel Ring Buffer Logs via Syslog Syscall - use syscall name instead of id
update: Disable ASLR Via Personality Syscall - Linux - use syscall name instead of id
 2025-06-05 13:25:58 +02:00
Milad Cheraghi 0f4572c9ac Merge PR #5459 from @CheraghiMilad - add execveat and match on euid instead of key 
update: Webshell Remote Command Execution - add execveat and match on euid instead of key

---------

Co-authored-by: nasbench <nasbench@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
 2025-06-05 13:22:24 +02:00
Milad Cheraghi 2fda33e611 Merge PR #5461 from @CheraghiMilad - add uname 
update: System Owner or User Discovery - Linux - add uname

---------

Co-authored-by: nasbench <nasbench@users.noreply.github.com>
 2025-06-05 13:20:16 +02:00
Milad Cheraghi 6509b21b82 Merge PR #5462 from @CheraghiMilad - add text output tools 
update: Local Groups Discovery - Linux - add text output tools

---------

Co-authored-by: nasbench <nasbench@users.noreply.github.com>
 2025-06-05 13:19:27 +02:00