b2acd80098
Merge PR #5483 from @norbert791 - Add AlphaSOC to the list of products that use or integrate sigma rules
...
chore: README.md - add 'AlphaSOC' to the 'Projects or Products that use or integrate Sigma rules'
2025-06-16 13:47:13 +02:00
002f3e5961
Merge PR #5485 from @gregorywychowaniec-zt - Update registry_set rules to add 64 bits Program Files directory in filters
...
fix: Common Autorun Keys Modification - add 64 bits Program Files directory in filter
fix: CurrentVersion Autorun Keys Modification - add 64 bits Program Files directory in filter
2025-06-16 13:42:00 +02:00
df556b9675
Merge PR #5480 from @phantinuss - Archive new rule references and update cache file
...
chore: archive new rule references and update cache file
2025-06-16 12:55:39 +02:00
8721fa654c
Merge PR #5479 from @swachchhanda000 - Webdav CVE-2025-33053 RCE vulnerability
...
new: Potential Exploitation of RCE Vulnerability CVE-2025-33053 - Image Load
new: Potential Exploitation of RCE Vulnerability CVE-2025-33053 - Process Access
new: Potential Exploitation of RCE Vulnerability CVE-2025-33053
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com >
2025-06-13 13:30:14 +02:00
a1c9827a35
Merge PR #5402 from @ariel-anieli - feat: add JSON output format for deprecated rule summary
...
chore: tests/deprecated_rules.py - add json output format
chore: add deprecated/deprecated.json
chore: update README and workflow job accordingly
---------
Signed-off-by: Ariel Otilibili <otilibil@eurecom.fr >
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com >
2025-06-13 10:59:34 +02:00
dfed136f16
Merge PR #5477 from @phantinuss - chore: update MITRE tag t1219 to t1219.002
...
chore: update MITRE tag t1219 to t1219.002
2025-06-13 10:00:52 +02:00
0d8580a55f
Merge PR #5434 from @unicornofhunt - Adding BITS DLL rule
...
new: BITS Client BitsProxy DLL Loaded By Uncommon Process
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com >
Co-authored-by: nasbench <nasbench@users.noreply.github.com >
2025-06-12 13:57:30 +02:00
cc747ed2e9
Merge PR #5471 from @swachchhanda000 - feat: BadSuccessor Exploits Detection
...
new: HKTL - SharpSuccessor Privilege Escalation Tool Execution
update: Malicious PowerShell Scripts - FileCreation - Add BadSuccessor Exploit
update: Malicious PowerShell Scripts - PoshModule - Add BadSuccessor Exploit
update: Malicious PowerShell Commandlets - PoshModule - Add BadSuccessor Exploit
2025-06-12 12:51:36 +02:00
dbf8921652
chore: fix typo as suggested in #5472
2025-06-12 12:41:09 +02:00
dca02df740
Merge PR #5243 from @xlazarg - System Information Discovery via Registry Queries
...
new: System Information Discovery via Registry Queries
---------
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com >
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com >
2025-06-12 12:31:43 +02:00
d242edfd5e
Merge PR #5453 from @egycondor - DNS Query To Common Malware Hosting and Shortener Services
...
new: DNS Query To Common Malware Hosting and Shortener Services
---------
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com >
2025-06-12 12:31:03 +02:00
b7908efab9
Merge PR #5473 from @frack113 - chore: add ET and TH tags
...
chore: Add emerging-threats tags
chore: Add threat-hunting tags
2025-06-12 10:21:24 +02:00
d44c380d8c
Merge PR #5413 from @swachchhanda000 - feat: Mshta more susp extension added
...
update: MSHTA Execution with Suspicious File Extensions - title changed and more susp extension added
---------
Co-authored-by: nasbench <nasbench@users.noreply.github.com >
2025-06-11 11:30:31 +02:00
73ce21b574
Merge PR #5416 from @swachchhanda000 - Detection of SAP NetViewer CVE-2025-31324 exploitation via webserver logs
...
new: Potential SAP NetViewer Webshell Command Execution
new: Potential Java WebShell Upload in SAP NetViewer Server
chore: unpin pySigma validator version
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com >
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com >
Co-authored-by: nasbench <nasbench@users.noreply.github.com >
2025-06-11 11:28:24 +02:00
3183768be3
Merge PR #4901 from @frack113 - Regasm Without CommandLine
...
new: RegAsm.EXE Execution Without CommandLine Flags or Files
---------
Co-authored-by: nasbench <nasbench@users.noreply.github.com >
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com >
2025-06-11 11:25:56 +02:00
12d68aca19
Merge PR #5148 from @MalGamy12 - Update Suspicious Windows Defender Registry Key Tampering Via Reg.EXE
...
update: Suspicious Windows Defender Registry Key Tampering Via Reg.EXE - Increase coverage by adding new values that allow for Windows Defender to be disabled such as DisableCloudProtection and DisableSecurityCenter
---------
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com >
2025-06-11 11:25:56 +02:00
fd62c55e47
Merge PR #5221 from @dan21san - MSSQL Destructive Query
...
new: MSSQL Destructive Query
---------
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com >
2025-06-11 11:25:56 +02:00
8cfa4fbd1c
Merge PR #5225 from @swachchhanda000 - Lazagne rule update
...
update: HackTool - LaZagne Execution: filter added to reduce FP and added more coverage through imphash
---------
Co-authored-by: nasbench <nasbench@users.noreply.github.com >
2025-06-11 11:25:51 +02:00
d35b514a16
Merge PR #5412 from @swachchhanda000 - feat: add more susp registry modifications associated with feature change of windows internal tools
...
update: Disable Internal Tools or Feature in Registry - More registry modifications associated with feature change of windows internal tools added
---------
Co-authored-by: nasbench <nasbench@users.noreply.github.com >
2025-06-11 11:25:45 +02:00
ff60fa5f91
Merge PR #5444 from @CheraghiMilad - Discovery System Info via Sysinfo Syscall
...
new: System Info Discovery via Sysinfo Syscall
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com >
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com >
Co-authored-by: nasbench <nasbench@users.noreply.github.com >
2025-06-05 13:53:57 +02:00
3eb0198939
Merge PR #5445 from @swachchhanda000 - feat: add coverage for Unicode Space Character Obfuscation
...
update: Suspicious Double Extension Files: add more suspicious extension combination
update: Potential CommandLine Obfuscation Using Unicode Characters From Suspicious Image - add Unicode space character
update: Suspicious Double Extension File Execution: add more suspicious extension combination
---------
Co-authored-by: nasbench <nasbench@users.noreply.github.com >
2025-06-05 13:29:46 +02:00
4c8e709469
Merge PR #5446 from @CheraghiMilad - Special File Creation via Mknod Syscall
...
new: Special File Creation via Mknod Syscall
---------
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com >
Co-authored-by: nasbench <nasbench@users.noreply.github.com >
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com >
2025-06-05 13:27:24 +02:00
298e18c9c2
Merge PR #5467 from @phantinuss - use syscall names instead of ids
...
the integration pipeline or the rule consumer has to take care of the mapping
update: Audio Capture - use syscall name instead of id
update: Clear or Disable Kernel Ring Buffer Logs via Syslog Syscall - use syscall name instead of id
update: Disable ASLR Via Personality Syscall - Linux - use syscall name instead of id
2025-06-05 13:25:58 +02:00
0f4572c9ac
Merge PR #5459 from @CheraghiMilad - add execveat and match on euid instead of key
...
update: Webshell Remote Command Execution - add execveat and match on euid instead of key
---------
Co-authored-by: nasbench <nasbench@users.noreply.github.com >
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com >
2025-06-05 13:22:24 +02:00
2fda33e611
Merge PR #5461 from @CheraghiMilad - add uname
...
update: System Owner or User Discovery - Linux - add uname
---------
Co-authored-by: nasbench <nasbench@users.noreply.github.com >
2025-06-05 13:20:16 +02:00
6509b21b82
Merge PR #5462 from @CheraghiMilad - add text output tools
...
update: Local Groups Discovery - Linux - add text output tools
---------
Co-authored-by: nasbench <nasbench@users.noreply.github.com >
2025-06-05 13:19:27 +02:00
0627225cab
Merge PR #5463 from @CheraghiMilad - add more text output tools ( #5463 )
...
update: Access of Sudoers File Content - add more tools
---------
Co-authored-by: nasbench <nasbench@users.noreply.github.com >
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com >
2025-06-05 13:19:04 +02:00
dc9a998874
Merge PR #5465 from @nasbench - Update File Decoded From Base64/Hex Via Certutil.EXE
...
update: File Decoded From Base64/Hex Via Certutil.EXE - Increase level to `high`
2025-06-04 18:11:03 +02:00
8b07b7b9a4
Merge PR #5208 from @swachchhanda000 - Fix FPs and added coverage for ARM based windows dotnet paths
...
fix: Creation of an Executable by an Executable - Add filter for Windows Microsoft.NET ARM path
fix: Amsi.DLL Load By Uncommon Process - Add filter for Windows Microsoft.NET ARM path
fix: WMI Module Loaded By Uncommon Process - Add filter for Windows Microsoft.NET ARM path
fix: PowerShell Core DLL Loaded By Non PowerShell Process - Add filter for Windows Microsoft.NET ARM path
fix: Potential DLL Sideloading Of MsCorSvc.DLL - Add filter for Windows Microsoft.NET ARM path
fix: Suspicious WSMAN Provider Image Loads - Add filter for Windows Microsoft.NET ARM path
fix: AddinUtil.EXE Execution From Uncommon Directory - Add filter for Windows Microsoft.NET ARM path
fix: Potential System DLL Sideloading From Non System Locations - Add filter for "C:\Windows\SyChpe32\"
update: AspNetCompiler Execution - Add ARM version of the \Microsoft.NET path
update: Potentially Suspicious ASP.NET Compilation Via AspNetCompiler - Add ARM version of the \Microsoft.NET path
---------
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com >
2025-06-04 17:44:31 +02:00
c2a5f405fe
Merge PR #5219 from @nikstuckenbrock - Update Potential PowerShell Obfuscation Via WCHAR/CHAR
...
update: Potential PowerShell Obfuscation Via WCHAR/CHAR - Add `CHAR` variation
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com >
2025-06-04 17:39:06 +02:00
a38664c771
Merge PR #5443 from @phantinuss - Pin Sigma Validator package to minor version only
...
chore: Pin Sigma Validator package to minor version only
2025-06-04 14:58:58 +02:00
3eaaa050b7
Merge PR #5452 from @david-syk - Update the MITRE ATT&CK tags for multiple rules
...
chore: update the MITRE ATT&CK tags for multiple rules
2025-06-04 14:39:25 +02:00
8e4e286b0b
Merge PR #5436 from @vx3r - Obfuscated PowerShell MSI Install via WindowsInstaller COM
...
new: Obfuscated PowerShell MSI Install via WindowsInstaller COM
---------
Co-authored-by: Meroujan.Antonyan <meroujan.antonyan.external@axa.com >
Co-authored-by: Mohamed Ashraf <47338567+X-Junior@users.noreply.github.com >
2025-06-04 13:50:39 +02:00
74fc1c74ec
Merge PR #5451 from @frack113 - chore: cleanup metadata
...
chore: 🧹 Remove redundant modified field
chore: 🧹 Use Mitre tags instead of url
chore: 🧹 Use permalink for github file reference
chore: 🧹 Order emerging-threats Exploits rules
2025-06-04 13:33:36 +02:00
851982a953
Merge PR #5386 from @EzLucky - Cisco Modify Configuration - add "ntp server" keyword
...
update: Cisco Modify Configuration - add "ntp server" keyword
2025-06-04 12:13:46 +02:00
fd712c5a23
Merge PR #5447 from @nasbench - Update deprecated csv
...
Co-authored-by: nasbench <nasbench@users.noreply.github.com >
2025-06-02 13:30:06 +02:00
ec827cccb6
Merge PR #5448 from @nasbench - Promote older rules status from experimental to test
...
Co-authored-by: nasbench <nasbench@users.noreply.github.com >
2025-06-02 13:29:48 +02:00
f3948c7bdf
Merge PR #5449 from @nasbench - Archive new rule references and update cache file
...
Co-authored-by: nasbench <nasbench@users.noreply.github.com >
2025-06-02 13:29:26 +02:00
ad1bfd3d28
Merge PR #5438 from @CheraghiMilad - new: clean dmesg logs
...
new: Clear or Disable Kernel Ring Buffer Logs via Syslog Syscall
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com >
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com >
2025-05-31 14:24:43 +02:00
a5e070fc9d
Merge PR #5441 from @CheraghiMilad - chore: update reference
...
chore: Disable ASLR Via Personality Syscall - Linux - update reference for PoC
---------
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com >
2025-05-31 14:08:26 +02:00
3054ad5d18
Merge PR #5440 from @gregorywychowaniec-zt - Add filter for local machine whithout IP
...
fix: MSSQL Server Failed Logon From External Network - filter for local_machine without IP
2025-05-31 13:14:46 +02:00
5a1e44c525
Merge PR #5432 from @CheraghiMilad - Potential Abuse of Linux Magic System Request Key
...
new: Potential Abuse of Linux Magic System Request Key
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com >
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com >
2025-05-31 13:12:25 +02:00
9ebd94a00a
Merge PR #5435 from @CheraghiMilad - Disable ASLR Via Personality Syscall - Linux
...
new: Disable ASLR Via Personality Syscall - Linux
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com >
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com >
2025-05-28 13:29:58 +02:00
c96c031436
Merge PR #5407 from @joshnck - Suspicious Deno File Written from Remote Source
...
new: Suspicious Deno File Written from Remote Source
---------
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com >
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com >
2025-05-27 09:49:30 +02:00
7d493b41bb
Merge PR#5425 from @tsale - New Rule: Impacket File Indicators
...
new: HackTool - Impacket File Indicators
---------
Co-authored-by: Detections <Detections@thedfirreport.com >
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com >
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com >
2025-05-27 09:45:15 +02:00
e8fbc4966d
Merge PR #5428 from @egycondor - AS-REP Roasting via Kerberos TGT Request
...
new: Potential AS-REP Roasting via Kerberos TGT Requests
---------
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com >
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com >
2025-05-26 10:50:14 +02:00
585bd7d487
Merge PR #5429 from @swachchhanda000 - Katz stealer malware
...
new: DNS Query To Katz Stealer Domains
new: Katz Stealer DLL Loaded
new: DNS Query To Katz Stealer Domains - Network
new: Katz Stealer Suspicious User-Agent
new: Suspicious File Access to Browser Credential Storage
new: Registry Export of Third-Party Credentials
update: Enumeration for 3rd Party Creds From CLI - Updated the condition to update FP
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com >
2025-05-26 10:33:24 +02:00
5f894dfa0b
Merge PR #5431 from swachchhanda000 - chore: fix broken links
...
chore: fix broken links
2025-05-26 10:21:19 +02:00
304b019212
Merge PR #5385 from @CheraghiMilad - Added new tool for recording audio - ecasound
...
Create Release / Create Release (push) Has been cancelled
update: Audio Capture - add ecasound detection
---------
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com >
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com >
2025-05-21 09:10:51 +02:00
de7a1387b5
Merge PR #5417 from @jasonmull - Create Detection for Crash Dump Created By Operating System
...
new: Crash Dump Created By Operating System
---------
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com >
2025-05-21 09:09:37 +02:00
norbert791