security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
16,490 Commits 1 Branch 57 Tags
b12a3fcbd697c4a03bd8576da67935d260ff845a
Commit Graph

12776 Commits

Author SHA1 Message Date
vx3r b12a3fcbd6 Merge PR #5466 from @vx3r - PowerShell MSI Install via WindowsInstaller COM From Remote Location 
new: PowerShell MSI Install via WindowsInstaller COM From Remote Location
---------

Co-authored-by: Meroujan.Antonyan <meroujan.antonyan.external@axa.com>
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
 2025-06-25 11:44:02 +02:00
wieso-itzi 0304ffbbd6 Merge PR #5050 from @wieso-itzi - detect vacuuming of journald for log clearing 
update: Commands to Clear or Remove the Syslog - detect journald vacuuming
---------

Signed-off-by: wieso-itzi <85185077+wieso-itzi@users.noreply.github.com>
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
 2025-06-24 13:29:27 +02:00
Swachchhanda Shrawan Poudel 6010717912 Merge PR #5488 from @swachchhanda000 - Trusted path bypass 
new: Trusted Path Bypass via Windows Directory Spoofing
update: TrustedPath UAC Bypass Pattern - update Image value
---------

Co-authored-by: nasbench <nasbench@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
 2025-06-24 12:35:51 +02:00
norbert791 639a948bae Merge PR #5426 from @norbert791 - New rules: Remote Access Tool MeshAgent 
new: Remote Access Tool - Potential MeshAgent Usage - MacOS
new: Remote Access Tool - Potential MeshAgent Usage - Windows
new: Remote Access Tool - Suspicious MeshAgent Usage - MacOS
new: Remote Access Tool - Suspicious MeshAgent Usage - Windows
chore: Remote Access Tool - MeshAgent Command Execution via MeshCentral - typo fixed
---------

Co-authored-by: Norbert Jaśniewicz <norbert.jasniewicz@alphasoc.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
 2025-06-24 11:19:53 +02:00
phantinuss 39537caa0d Merge PR #5486 from @phantinuss - fix: reduce FP matching with regex pattern 
fix: Hidden Files and Directories - reduce FP matching with regex pattern
 2025-06-24 10:35:56 +02:00
Swachchhanda Shrawan Poudel db77b97a25 Merge PR #5222 from @swachchhanda000 - fix FPs in rules related to remote thread creation 
fix: Uncommon AppX Package Locations - add a new filter to reduce noise
fix: Rare Remote Thread Creation By Uncommon Source Image - add new filters to reduce noise
fix: Remote Thread Creation By Uncommon Source Image - add new filters to reduce noise
update: Remote Thread Created In Shell Application - move to threat-hunting folder as it causes too much noise
---------

Co-authored-by: nasbench <nasbench@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
 2025-06-23 11:43:43 +02:00
Grégory Wychowaniec 002f3e5961 Merge PR #5485 from @gregorywychowaniec-zt - Update registry_set rules to add 64 bits Program Files directory in filters 
fix: Common Autorun Keys Modification - add 64 bits Program Files directory in filter
fix: CurrentVersion Autorun Keys Modification - add 64 bits Program Files directory in filter
 2025-06-16 13:42:00 +02:00
phantinuss dfed136f16 Merge PR #5477 from @phantinuss - chore: update MITRE tag t1219 to t1219.002 
chore: update MITRE tag t1219 to t1219.002
 2025-06-13 10:00:52 +02:00
Swachchhanda Shrawan Poudel cc747ed2e9 Merge PR #5471 from @swachchhanda000 - feat: BadSuccessor Exploits Detection 
new: HKTL - SharpSuccessor Privilege Escalation Tool Execution
update: Malicious PowerShell Scripts - FileCreation - Add BadSuccessor Exploit
update: Malicious PowerShell Scripts - PoshModule - Add BadSuccessor Exploit
update: Malicious PowerShell Commandlets - PoshModule - Add BadSuccessor Exploit
 2025-06-12 12:51:36 +02:00
lazarg dca02df740 Merge PR #5243 from @xlazarg - System Information Discovery via Registry Queries 
new: System Information Discovery via Registry Queries

---------

Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
 2025-06-12 12:31:43 +02:00
egycondor d242edfd5e Merge PR #5453 from @egycondor - DNS Query To Common Malware Hosting and Shortener Services 
new: DNS Query To Common Malware Hosting and Shortener Services
---------

Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
 2025-06-12 12:31:03 +02:00
Swachchhanda Shrawan Poudel d44c380d8c Merge PR #5413 from @swachchhanda000 - feat: Mshta more susp extension added 
update: MSHTA Execution with Suspicious File Extensions - title changed and more susp extension added

---------

Co-authored-by: nasbench <nasbench@users.noreply.github.com>
 2025-06-11 11:30:31 +02:00
frack113 3183768be3 Merge PR #4901 from @frack113 - Regasm Without CommandLine 
new: RegAsm.EXE Execution Without CommandLine Flags or Files

---------

Co-authored-by: nasbench <nasbench@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
 2025-06-11 11:25:56 +02:00
Gameel Ali 12d68aca19 Merge PR #5148 from @MalGamy12 - Update Suspicious Windows Defender Registry Key Tampering Via Reg.EXE 
update: Suspicious Windows Defender Registry Key Tampering Via Reg.EXE - Increase coverage by adding new values that allow for Windows Defender to be disabled such as DisableCloudProtection and DisableSecurityCenter

---------

Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com>
 2025-06-11 11:25:56 +02:00
dan21san fd62c55e47 Merge PR #5221 from @dan21san - MSSQL Destructive Query 
new: MSSQL Destructive Query
---------

Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com>
 2025-06-11 11:25:56 +02:00
Swachchhanda Shrawan Poudel 8cfa4fbd1c Merge PR #5225 from @swachchhanda000 - Lazagne rule update 
update: HackTool - LaZagne Execution: filter added to reduce FP and added more coverage through imphash

---------

Co-authored-by: nasbench <nasbench@users.noreply.github.com>
 2025-06-11 11:25:51 +02:00
Swachchhanda Shrawan Poudel d35b514a16 Merge PR #5412 from @swachchhanda000 - feat: add more susp registry modifications associated with feature change of windows internal tools 
update: Disable Internal Tools or Feature in Registry - More registry modifications associated with feature change of windows internal tools added

---------

Co-authored-by: nasbench <nasbench@users.noreply.github.com>
 2025-06-11 11:25:45 +02:00
Milad Cheraghi ff60fa5f91 Merge PR #5444 from @CheraghiMilad - Discovery System Info via Sysinfo Syscall 
new: System Info Discovery via Sysinfo Syscall

---------

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
 2025-06-05 13:53:57 +02:00
Swachchhanda Shrawan Poudel 3eb0198939 Merge PR #5445 from @swachchhanda000 - feat: add coverage for Unicode Space Character Obfuscation 
update: Suspicious Double Extension Files: add more suspicious extension combination
update: Potential CommandLine Obfuscation Using Unicode Characters From Suspicious Image - add Unicode space character
update: Suspicious Double Extension File Execution: add more suspicious extension combination

---------

Co-authored-by: nasbench <nasbench@users.noreply.github.com>
 2025-06-05 13:29:46 +02:00
Milad Cheraghi 4c8e709469 Merge PR #5446 from @CheraghiMilad - Special File Creation via Mknod Syscall 
new: Special File Creation via Mknod Syscall

---------

Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
 2025-06-05 13:27:24 +02:00
phantinuss 298e18c9c2 Merge PR #5467 from @phantinuss - use syscall names instead of ids 
the integration pipeline or the rule consumer has to take care of the mapping

update: Audio Capture - use syscall name instead of id
update: Clear or Disable Kernel Ring Buffer Logs via Syslog Syscall - use syscall name instead of id
update: Disable ASLR Via Personality Syscall - Linux - use syscall name instead of id
 2025-06-05 13:25:58 +02:00
Milad Cheraghi 0f4572c9ac Merge PR #5459 from @CheraghiMilad - add execveat and match on euid instead of key 
update: Webshell Remote Command Execution - add execveat and match on euid instead of key

---------

Co-authored-by: nasbench <nasbench@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
 2025-06-05 13:22:24 +02:00
Milad Cheraghi 2fda33e611 Merge PR #5461 from @CheraghiMilad - add uname 
update: System Owner or User Discovery - Linux - add uname

---------

Co-authored-by: nasbench <nasbench@users.noreply.github.com>
 2025-06-05 13:20:16 +02:00
Milad Cheraghi 6509b21b82 Merge PR #5462 from @CheraghiMilad - add text output tools 
update: Local Groups Discovery - Linux - add text output tools

---------

Co-authored-by: nasbench <nasbench@users.noreply.github.com>
 2025-06-05 13:19:27 +02:00
Milad Cheraghi 0627225cab Merge PR #5463 from @CheraghiMilad - add more text output tools (#5463) 
update: Access of Sudoers File Content - add more tools

---------
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
 2025-06-05 13:19:04 +02:00
Nasreddine Bencherchali dc9a998874 Merge PR #5465 from @nasbench - Update File Decoded From Base64/Hex Via Certutil.EXE 
update: File Decoded From Base64/Hex Via Certutil.EXE - Increase level to `high`
 2025-06-04 18:11:03 +02:00
Swachchhanda Shrawan Poudel 8b07b7b9a4 Merge PR #5208 from @swachchhanda000 - Fix FPs and added coverage for ARM based windows dotnet paths 
fix: Creation of an Executable by an Executable - Add filter for Windows Microsoft.NET ARM path
fix: Amsi.DLL Load By Uncommon Process - Add filter for Windows Microsoft.NET ARM path
fix: WMI Module Loaded By Uncommon Process - Add filter for Windows Microsoft.NET ARM path
fix: PowerShell Core DLL Loaded By Non PowerShell Process - Add filter for Windows Microsoft.NET ARM path
fix: Potential DLL Sideloading Of MsCorSvc.DLL - Add filter for Windows Microsoft.NET ARM path
fix: Suspicious WSMAN Provider Image Loads - Add filter for Windows Microsoft.NET ARM path
fix: AddinUtil.EXE Execution From Uncommon Directory - Add filter for Windows Microsoft.NET ARM path
fix: Potential System DLL Sideloading From Non System Locations - Add filter for "C:\Windows\SyChpe32\"
update: AspNetCompiler Execution - Add ARM version of the \Microsoft.NET path
update: Potentially Suspicious ASP.NET Compilation Via AspNetCompiler - Add ARM version of the \Microsoft.NET path

---------

Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com>
 2025-06-04 17:44:31 +02:00
Nik Stuckenbrock c2a5f405fe Merge PR #5219 from @nikstuckenbrock - Update Potential PowerShell Obfuscation Via WCHAR/CHAR 
update: Potential PowerShell Obfuscation Via WCHAR/CHAR - Add `CHAR` variation

---------

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
 2025-06-04 17:39:06 +02:00
david-syk 3eaaa050b7 Merge PR #5452 from @david-syk - Update the MITRE ATT&CK tags for multiple rules 
chore: update the MITRE ATT&CK tags for multiple rules
 2025-06-04 14:39:25 +02:00
vx3r 8e4e286b0b Merge PR #5436 from @vx3r - Obfuscated PowerShell MSI Install via WindowsInstaller COM 
new: Obfuscated PowerShell MSI Install via WindowsInstaller COM

---------

Co-authored-by: Meroujan.Antonyan <meroujan.antonyan.external@axa.com>
Co-authored-by: Mohamed Ashraf <47338567+X-Junior@users.noreply.github.com>
 2025-06-04 13:50:39 +02:00
frack113 74fc1c74ec Merge PR #5451 from @frack113 - chore: cleanup metadata 
chore: 🧹 Remove redundant modified field
chore: 🧹 Use Mitre tags instead of url
chore: 🧹 Use permalink for github file reference
chore: 🧹 Order emerging-threats Exploits rules
 2025-06-04 13:33:36 +02:00
EzLucky 851982a953 Merge PR #5386 from @EzLucky - Cisco Modify Configuration - add "ntp server" keyword 
update: Cisco Modify Configuration - add "ntp server" keyword
 2025-06-04 12:13:46 +02:00
github-actions[bot] ec827cccb6 Merge PR #5448 from @nasbench - Promote older rules status from experimental to test 
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
 2025-06-02 13:29:48 +02:00
Milad Cheraghi ad1bfd3d28 Merge PR #5438 from @CheraghiMilad - new: clean dmesg logs 
new: Clear or Disable Kernel Ring Buffer Logs via Syslog Syscall

---------

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
 2025-05-31 14:24:43 +02:00
Milad Cheraghi a5e070fc9d Merge PR #5441 from @CheraghiMilad - chore: update reference 
chore: Disable ASLR Via Personality Syscall - Linux - update reference for PoC

---------

Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
 2025-05-31 14:08:26 +02:00
Grégory Wychowaniec 3054ad5d18 Merge PR #5440 from @gregorywychowaniec-zt - Add filter for local machine whithout IP 
fix: MSSQL Server Failed Logon From External Network - filter for local_machine without IP
 2025-05-31 13:14:46 +02:00
Milad Cheraghi 5a1e44c525 Merge PR #5432 from @CheraghiMilad - Potential Abuse of Linux Magic System Request Key 
new: Potential Abuse of Linux Magic System Request Key
---------

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
 2025-05-31 13:12:25 +02:00
Milad Cheraghi 9ebd94a00a Merge PR #5435 from @CheraghiMilad - Disable ASLR Via Personality Syscall - Linux 
new: Disable ASLR Via Personality Syscall - Linux
---------

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
 2025-05-28 13:29:58 +02:00
Josh c96c031436 Merge PR #5407 from @joshnck - Suspicious Deno File Written from Remote Source 
new: Suspicious Deno File Written from Remote Source

---------

Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
 2025-05-27 09:49:30 +02:00
Kostas 7d493b41bb Merge PR#5425 from @tsale - New Rule: Impacket File Indicators 
new: HackTool - Impacket File Indicators

---------

Co-authored-by: Detections <Detections@thedfirreport.com>
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
 2025-05-27 09:45:15 +02:00
egycondor e8fbc4966d Merge PR #5428 from @egycondor - AS-REP Roasting via Kerberos TGT Request 
new: Potential AS-REP Roasting via Kerberos TGT Requests
---------

Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
 2025-05-26 10:50:14 +02:00
Swachchhanda Shrawan Poudel 585bd7d487 Merge PR #5429 from @swachchhanda000 - Katz stealer malware 
new: DNS Query To Katz Stealer Domains
new: Katz Stealer DLL Loaded
new: DNS Query To Katz Stealer Domains - Network
new: Katz Stealer Suspicious User-Agent
new: Suspicious File Access to Browser Credential Storage
new: Registry Export of Third-Party Credentials
update: Enumeration for 3rd Party Creds From CLI - Updated the condition to update FP

---------

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
 2025-05-26 10:33:24 +02:00
Milad Cheraghi 304b019212 Merge PR #5385 from @CheraghiMilad - Added new tool for recording audio - ecasound
Create Release / Create Release (push) Has been cancelled
Details 
update: Audio Capture - add ecasound detection

---------

Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
 2025-05-21 09:10:51 +02:00
Jason Mull de7a1387b5 Merge PR #5417 from @jasonmull - Create Detection for Crash Dump Created By Operating System 
new: Crash Dump Created By Operating System

---------

Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com>
 2025-05-21 09:09:37 +02:00
Koifman b0481bea13 Merge PR #5393 from @Koifman - Update VMware rules for MITREv17 
update: proc_creation_lnx_esxcli_vm_kill.yml - updating MITRE to match v17
update: proc_creation_lnx_esxcli_vsan_discovery.yml - updating MITRE to match v17
update: proc_creation_lnx_esxcli_system_discovery.yml - updating MITRE to match v17
update: proc_creation_lnx_esxcli_network_discovery.yml - updating MITRE to match v17
update: proc_creation_lnx_esxcli_storage_discovery.yml - updating MITRE to match v17
update: proc_creation_lnx_esxcli_syslog_config_change.yml - updating MITRE to match v17
update: proc_creation_lnx_esxcli_user_account_creation.yml - updating MITRE to match v17
update: proc_creation_lnx_esxcli_permission_change_admin.yml - updating MITRE to match v17
update: proc_creation_lnx_esxcli_vm_discovery.yml - updating MITRE to match v17

---------

Co-authored-by: Koifman <primeless42@gmail.com>
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
 2025-05-21 08:39:49 +02:00
phantinuss 6896d69d3e Merge PR #5424 from @phantinuss - Some housekeeping 
chore: deprecate rule in favour of c1337eb8-921a-4b59-855b-4ba188ddcc42
chore: update the ref of some rules

---------

Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
 2025-05-20 23:12:55 +02:00
Gameel Ali 2076f5cfd6 Merge PR #5405 from @MalGamy12 - Update COM Object Hijacking Via Modification Of Default System CLSID Default Value 
update: COM Object Hijacking Via Modification Of Default System CLSID Default Value - Add additional COM CLSID
 2025-05-20 23:11:14 +02:00
david-syk 6fe3ac8a02 Merge PR #5389 from @david-syk - Update MITRE ATT&CK tags 
chore: update the tags of multiple rules
 2025-05-20 23:09:50 +02:00
david-syk efcfe43fae Merge PR #5388 from @david-syk - Update MITRE ATT&CK tags 
chore: update the tags of multiple rules
 2025-05-20 23:09:23 +02:00
david-syk f255ba29e6 Merge PR #5390 from @david-syk - Update MITRE ATT&CK tags 
chore: update the tags of multiple rules
 2025-05-20 23:08:57 +02:00