phantinuss
e58ebd048f
chore: sort each block
2025-05-05 10:17:12 +02:00
phantinuss
9aeb2bab8a
chore: whitelist new test issues
the rules are all valid and have a sound detection logic
2025-05-05 10:17:02 +02:00
phantinuss
f47604b735
chore: update pySigma validators
2025-04-30 11:31:22 +02:00
Kostas
2851ef5d16
Merge PR #4961 from @tsale - Add multiples rules and updates
fix: Potential Privilege Escalation via Local Kerberos Relay over LDAP - Add new exclusion
fix: Sdiagnhost Calling Suspicious Child Process - Add new filters
new: Antivirus Filter Driver Disallowed On Dev Drive - Registry
new: ChromeLoader Malware Execution
new: Emotet Loader Execution Via .LNK File
new: Exploitation Attempt Of CVE-2020-1472 - Execution of ZeroLogon PoC
new: FakeUpdates/SocGholish Activity
new: File Explorer Folder Opened Using Explorer Folder Shortcut Via Shell
new: HackTool - SharpWSUS/WSUSpendu Execution
new: HackTool - SOAPHound Execution
new: Hiding User Account Via SpecialAccounts Registry Key - CommandLine
new: Injected Browser Process Spawning Rundll32 - GuLoader Activity
new: Kerberoasting Activity - Initial Query
new: Manual Execution of Script Inside of a Compressed File
new: Obfuscated PowerShell OneLiner Execution
new: OneNote.EXE Execution of Malicious Embedded Scripts
new: Potential CVE-2021-44228 Exploitation Attempt - VMware Horizon
new: Potential CVE-2022-22954 Exploitation Attempt - VMware Workspace ONE Access Remote Code Execution
new: Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 1
new: Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 2
new: Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 3
new: Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 4
new: Potential MOVEit Transfer CVE-2023-34362 Exploitation - Dynamic Compilation Via Csc.EXE
new: Python Function Execution Security Warning Disabled In Excel
new: Python Function Execution Security Warning Disabled In Excel - Registry
new: Raspberry Robin Initial Execution From External Drive
new: Raspberry Robin Subsequent Execution of Commands
new: Remote Access Tool - Action1 Arbitrary Code Execution and Remote Sessions
new: Remote Access Tool - Ammy Admin Agent Execution
new: Remote Access Tool - Cmd.EXE Execution via AnyViewer
new: Serpent Backdoor Payload Execution Via Scheduled Task
new: Uncommon Connection to Active Directory Web Services
new: Ursnif Redirection Of Discovery Commands
update: Potential CVE-2022-29072 Exploitation Attempt - Add additional shells and flags
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-08-29 19:21:47 +02:00
Nasreddine Bencherchali
c2915a678b
Merge PR #4912 from @nasbench - update pySigma-validators-sigmahq to version 0.7.0 and sigma_cli_conf.yml
chore: update `pySigma-validators-sigmahq` to version 0.7.0 and `sigma_cli_conf.yml`
---------
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
2024-07-11 11:24:01 +02:00
dr0pd34d
5f9d70c0ef
Merge PR #4910 from @dr0pd34d - Add Microsoft Word Add-In Loaded
new: Microsoft Word Add-In Loaded
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-07-11 02:31:31 +02:00
Nasreddine Bencherchali
9c59a06874
Merge PR #4911 from @nas_bench - Update sigma_cli_conf.yml
chore: update `sigma_cli_conf.yml`
2024-07-11 00:16:05 +02:00
frack113
2cfa9a2d1f
Merge PR #4847 from @frack113 - Update test Workflow to use pySigma-validators-sigmahq
chore: update workflow to use "pySigma-validators-sigmahq"
2024-05-10 10:32:54 +02:00
frack113
48baf1187b
Merge PR #4752 from @frack113 - Update rules to use the windash modifier
update: File Enumeration Via Dir Command - Update logic to use a wildcard in addition, for better accuracy.
chore: update multiple rules to use the windash modifier
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-03-11 12:01:30 +01:00
Nasreddine Bencherchali
8af1ab8cac
Merge PR #4738 from @nasbench - Small fixes and metadata updates
new: HackTool - CobaltStrike Malleable Profile Patterns - Proxy
remove: CobaltStrike Malformed UAs in Malleable Profiles
remove: CobaltStrike Malleable (OCSP) Profile
remove: CobaltStrike Malleable Amazon Browsing Traffic Profile
remove: CobaltStrike Malleable OneDrive Browsing Traffic Profile
remove: iOS Implant URL Pattern
update: Chafer Malware URL Pattern - Reduce level to high and move to ET folder
2024-02-26 22:01:53 +01:00
Mohamed Ashraf
3fb5392490
Merge PR #4675 from @X-Junior - New Emerging Threat Rules For Peach Sandstorm APT
new: Peach Sandstorm APT Process Activity Indicators
new: Potential Peach Sandstorm APT C2 Communication Activity
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2024-01-15 16:01:07 +01:00
Stephen Lincoln
267de25efb
Merge PR #4633 from @slincoln-aiq - New Rules Related To Desktop Background Change
new: Potentially Suspicious Desktop Background Change Using Reg.EXE
new: Potentially Suspicious Desktop Background Change Via Registry
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2023-12-21 11:44:52 +01:00
frack113
3990060d02
Merge PR #4609 from @frack113 - Add More PySigma Validators
chore: Add more pySigma Validators
2023-12-01 15:11:24 +01:00
frack113
56ac238027
Merge PR #4591 from @frack113 - Update tests to pySigma 0.10.9
chore: update tests to pySigma 0.10.9
chore: add Summiting the Pyramid v1.0.0 tags
---------
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
2023-11-27 09:08:01 +01:00
frack113
2d63859aed
Merge PR #4574 from @frack113 - ci: 🤖 add new sigma-cli 0.7.10 validators
chore: Add new validators from sigma-cli 0.7.10 and remove obsolete tests in test_rules.py
---------
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
2023-11-17 16:46:50 +01:00
frack113
d577872761
Merge PR #4551 from @frack113 - chore: move more tests to pySigma
chore: Add attacktag and tlptag to pySigma tests
---------
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
2023-11-15 16:40:33 +01:00
frack113
f6eca9a262
Merge PR #4541 from @frack113 - Update SIGMA tests
chore: remove duplicate tests that are already covered by pySigma validation
2023-11-06 13:06:55 +01:00
frack113
271f972468
Merge PR #4538 from @frack113 - Add Sigma CLI Configuration File
chore: add sigma-cli configuration file
fix: Suspicious Non-Browser Network Communication With Google API - Fix escaped wildcard issue and Update modifiers
fix: Uncommon PowerShell Hosts - Fix escaped wildcard issue
fix: Potential Active Directory Reconnaissance/Enumeration Via LDAP - Update logsource
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2023-11-03 16:59:53 +01:00