security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
16,535 Commits 1 Branch 57 Tags
c19e9cb2a4bd23c1bfbc85c398e6c7cbfd4eb016
Commit Graph

12812 Commits

Author SHA1 Message Date
github-actions[bot] e8fed8709c Merge PR #5572 from @nasbench - Promote older rules status from experimental to test 
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
 2025-08-14 14:05:46 +02:00
Mohamed Ashraf c48c992f70 Update registry_set_disable_windows_event_log_access.yml 2025-08-06 11:20:57 +03:00
Mohamed Ashraf (X__Junior) 5d17770949 Update registry_set_disable_windows_event_log_access.yml 2025-08-06 10:48:53 +03:00
Koifman 73444cac35 Merge PR #5568 from @Koifman - Password Never Expires Set via WMI 
new: Password Never Expires Set via WMI
---------

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
 2025-07-31 12:28:06 +02:00
Liran Ravich 4965c257d1 Merge PR #5559 from @Liran017 - update MITRE tag 
update: Network Connection Initiated To Mega.nz - MITRE tag
 2025-07-30 14:30:55 +02:00
Liran Ravich 578ae3026f Merge PR #5558 from @Liran017 - update MITRE tag 
update: Suspicious Dropbox API Usage - MITRE tags
 2025-07-30 14:30:04 +02:00
Liran Ravich bf633a8ea6 Merge PR #5561 from @Liran017 - update MITRE tag 
update: Network Connection Initiated To Visual Studio Code Tunnels Domain - MITRE tags
---------

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
 2025-07-30 13:17:17 +02:00
Liran Ravich 6fb5b3f932 Merge PR #5562 from @Liran017 - update MITRE tag 
update: Network Connection Initiated To BTunnels Domains - MITRE tags
 2025-07-30 13:11:29 +02:00
Liran Ravich f354697969 Merge PR #5563 from @Liran017 - update MITRE tag 
update: Network Connection Initiated To Cloudflared Tunnels Domains - MITRE tags
 2025-07-30 13:08:43 +02:00
Liran Ravich bf0431724c Merge PR #5565 from @Liran017 - title fix and update MITRE tag 
fix: Process Initiated Network Connection To Ngrok Domain - fix title and update MITRE tags
---------

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
 2025-07-30 13:06:56 +02:00
Liran Ravich d1cc2814da Merge PR #5564 from @Liran017 - update MITRE tag 
update: Network Connection Initiated To DevTunnels Domain - MITRE tags
 2025-07-30 13:05:31 +02:00
Liran Ravich 141304527f Merge PR #5566 from @Liran017 - update MITRE tag 
update: Suspicious Non-Browser Network Communication With Telegram API - MITRE tag
 2025-07-30 12:59:41 +02:00
Swachchhanda Shrawan Poudel f54972108f Merge PR #5538 from @swachchhanda000 - feat: potential spear-phishing through svg files 
new: Suspicious File Created in Outlook Temporary Directory
remove: .RDP File Created by Outlook Process - deprecate in favour of fabb0e80-030c-4e3e-a104-d09676991ac3
update: Suspicious Double Extension Files - add .svg extension
---------

Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
 2025-07-29 10:30:55 +02:00
Swachchhanda Shrawan Poudel 7a6c451d6d Merge PR #5543 from @ swachchhanda000 - update toolshell related rules 
update: Potential SharePoint ToolShell CVE-2025-53770 Exploitation - File Create - update rule with new IOCs
new: Suspicious File Write to SharePoint Layouts Directory

---------

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
 2025-07-28 14:22:06 +02:00
Swachchhanda Shrawan Poudel 1e41c5378e Merge PR #5534 from @swachchhanda000 - update PowerShell WebRequest rules 
remove: PowerShell Web Download - deprecate duplicate rule in favour of 9fc51a3c-81b3-4fa7-b35f-7c02cf10fd2d
update: PowerShell Script With File Upload Capabilities - add invoke-restmethod cmdlet
update: Change User Agents with WebRequest - add invoke-restmethod cmdlet
update: Usage Of Web Request Commands And Cmdlets - add invoke-restmethod cmdlet
update: Usage Of Web Request Commands And Cmdlets - ScriptBlock - add invoke-restmethod cmdlet
update: Potential DLL File Download Via PowerShell Invoke-WebRequest - add invoke-restmethod cmdlet
update: PowerShell Download and Execution Cradles - add invoke-restmethod cmdlet
update: Suspicious Invoke-WebRequest Execution With DirectIP - add invoke-restmethod cmdlet
update: Suspicious Invoke-WebRequest Execution - add powershell_ise
update: Potential Data Exfiltration Activity Via CommandLine Tools - add invoke-restmethod cmdlet
update: Obfuscated IP Download Activity - add invoke-restmethod cmdlet
update: Suspicious PowerShell In Registry Run Keys - add invoke-restmethod cmdlet

---------

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
 2025-07-28 13:32:57 +02:00
Matt Anderson af492dc0f6 Merge PR #5528 from @MATTANDERS0N - add rules for defense evasion 
new: PowerShell Defender Default Threat Action Set to 'Allow' or 'NoAction'
new: Windows Defender Context Menu Removed via Reg.exe
new: Disabling Windows Defender WMI Autologger Session via Reg.exe
new: Delete Defender Scan ShellEx Context Menu Registry Key
new: Windows Defender Default Threat Action Modified

---------

Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
 2025-07-28 13:25:23 +02:00
peterydzynski c7998c92b3 Merge PR #5530 from @peterydzynski - fix: use correct dash type and add spaces 
fix: Added Credentials to Existing Application - fix filter dash type, capitalization and spaces to match Azure log format

---------

Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>
 2025-07-18 10:51:11 +02:00
Renan LAVAREC 06086ea91e Merge PR #5521 from @Ti-R - also filter SignatureStatus 'valid' 
update: Unsigned DLL Loaded by Windows Utility - also filter SignatureStatus 'valid'

---------

Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com>
 2025-07-16 13:44:42 +02:00
Swachchhanda Shrawan Poudel 80879020da Merge PR #5524 from @swachchhanda000 - add 7za to Renamed 7-Zip Execution 
update: Potential Defense Evasion Via Binary Rename - add 7za
 2025-07-16 13:34:33 +02:00
Swachchhanda Shrawan Poudel b7f52495c6 Merge PR #5520 from @swachchhanda000 - Fix Logic in some rules that were causing FPs and FNs 
fix: Transferring Files with Credential Data via Network Shares - Made the string matching little more specific to avoid FPs
fix: Removal of Potential COM Hijacking Registry Keys - Added Msedge update filter
fix: COM Hijacking via TreatAs - Add filter for integrator.exe
fix: Suspicious Volume Shadow Copy VSS_PS.dll Load - add vssadmin filter
update: System File Execution Location Anomaly - add taskhostw

---------

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
 2025-07-14 12:04:39 +02:00
Arnim Rupp 3f3b1540a0 Merge PR #5518 from @ruppde - new rule and updates for ADExplorer 
new: ADExplorer Writing Complete AD Snapshot Into .dat File
update: Active Directory Database Snapshot Via ADExplorer - add more selections
update: Suspicious Active Directory Database Snapshot Via ADExplorer - add more selections

---------

Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
 2025-07-14 12:02:18 +02:00
Rory dc017f694a Merge PR #5146 from @resp404nse - Potential SSH Tunnel Persistence Install Using A Scheduled Task 
new: Potential SSH Tunnel Persistence Install Using A Scheduled Task
---------

Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
 2025-07-14 11:14:40 +02:00
Swachchhanda Shrawan Poudel a55bc212ad Merge PR #5492 from @swachchhanda000 - Kerberos Coercion Via DNS SPN Spoofing
Create Release / Create Release (push) Has been cancelled
Details 
new: Suspicious DNS Query Indicating Kerberos Coercion via DNS Object SPN Spoofing - Network
new: Potential Kerberos Coercion by Spoofing SPNs via DNS Manipulation
new: Suspicious DNS Query Indicating Kerberos Coercion via DNS Object SPN Spoofing
new: Attempts of Kerberos Coercion Via DNS SPN Spoofing
 2025-07-08 11:35:45 +02:00
Swachchhanda Shrawan Poudel 3201382785 Merge PR #5513 from @swachchhanda000 - fix FPs observed via Aurora 
fix: Suspicious Sysmon as Execution Parent - add filter for Sysmon binary running from temp dir
fix: Remote Thread Created In Shell Application - modify the logic to filter out legit processes creating remote thread in shell apps
fix: Potential Active Directory Reconnaissance/Enumeration Via LDAP - commenting out troublesome LDAP query parameter
fix: Rare Remote Thread Creation By Uncommon Source Image - add several FP filter
fix: Remote Thread Creation By Uncommon Source Image - add several FP filter
fix: ADS Zone.Identifier Deleted By Uncommon Application - filter msedge
fix: Remote Thread Creation In Uncommon Target Image - add FP filters for notepad and sethc
fix: Potential Binary Or Script Dropper Via PowerShell - add filters for legitimate binary dropped by PowerShell
fix: Use Short Name Path in Command Line - add filter for aurora
fix: Suspicious Userinit Child Process - filter null Image
fix: CurrentVersion NT Autorun Keys Modification - add filter for RuntimeBroker.exe
fix: Modification of IE Registry Settings - add filter for RuntimeBroker.exe
fix: Scheduled TaskCache Change by Uncommon Program - add filter for RuntimeBroker.exe
---------

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
 2025-07-08 10:29:01 +02:00
Alfie Champion 75d03ebfb9 Merge PR #5514 from @ajpc500 - Add Filefix TypedPaths Registry rule 
new: FileFix - Command Evidence in TypedPaths from Browser File Upload Abuse

---------

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
 2025-07-08 10:09:51 +02:00
Mohamed Ashraf fa9c495aa2 Merge PR #5515 from @X-Junior - coverage for Invoke-PowerDPAPI 
update: Malicious PowerShell Commandlets - ScriptBlock - add Invoke-PowerDPAPI
update: Malicious PowerShell Scripts - FileCreation - add Invoke-PowerDPAPI
update: Malicious PowerShell Scripts - PoshModule - add Invoke-PowerDPAPI
update: Malicious PowerShell Commandlets - ProcessCreation - add Invoke-PowerDPAPI
update: Malicious PowerShell Commandlets - PoshModule - add Invoke-PowerDPAPI
 2025-07-07 12:19:55 +02:00
GrepItAll f8b17bff8c Merge PR #5512 from @GrepItAll - fix: use the correct PreAuthType selection field name 
fix: Potential AS-REP Roasting via Kerberos TGT Requests - use the correct PreAuthType selection field name

---------

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
 2025-07-07 10:25:39 +02:00
Grégory Wychowaniec 0597250ee1 Merge PR #5511 from @gregorywychowaniec-zt - add null condition in addition to empty string 
update: Suspicious SignIns From A Non Registered Device - add null value in addition to empty string
---------

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
 2025-07-03 11:58:57 +02:00
David Faiß 0e33642058 Merge PR #5478 from @kivi280 - add rule to detect vshadow.exe with -exec parameter 
new: Proxy Execution via Vshadow - detect invocation of `vshadow.exe` with `-exec` to spot hidden malware execution

---------

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
 2025-07-03 11:57:48 +02:00
Swachchhanda Shrawan Poudel 2845e845ee Merge PR #5509 from @swachchhanda000 - Doppelganger Cloning and Dumping LSASS 
new: HackTool - Doppelanger LSASS Dumper Execution
new: HackTool - HollowReaper Execution

---------

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
 2025-07-03 11:55:58 +02:00
Swachchhanda Shrawan Poudel 7a81b073e0 Merge PR #5181 from @swachchhanda000 - update SSH proxy execution rule 
update: Program Executed Using Proxy/Local Command Via SSH.EXE - add Imphash and OriginalFileName

---------

Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
 2025-07-03 09:40:29 +02:00
Mohamed Ashraf e597e13d6c Merge PR #5508 by @X-Junior - add CLSIDs to COM Object Hijacking 
update : COM Object Hijacking Via Modification Of Default System CLSID Default Value - add CLSIDs
 2025-07-01 11:47:23 +02:00
github-actions[bot] 4316ad64da Merge PR #5506 from @nasbench -promote older rules status from experimental to test 
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
 2025-07-01 10:34:38 +02:00
Alfie Champion 8d18ec7df0 Merge PR #5503 from @ajpc500 - include cmd.exe child process 
update: FileFix - Suspicious Child Process from Browser File Upload Abuse - add cmd.exe child process
---------

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
 2025-07-01 10:21:27 +02:00
Mathieu c11a785973 Merge PR #5501 from @0xFustang - FileFix - Suspicious Sub-processes Spawned by Web Browsers 
new: FileFix - Suspicious Child Process from Browser File Upload Abuse

---------

Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
 2025-06-27 12:40:44 +02:00
hashdr1ft 8fd6a5167d Merge PR #5489 from @hashdr1ft - Suspicious Download and Execute Pattern via Curl/Wget 
new: Suspicious Download and Execute Pattern via Curl/Wget

---------

Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
 2025-06-25 12:48:57 +02:00
vx3r b12a3fcbd6 Merge PR #5466 from @vx3r - PowerShell MSI Install via WindowsInstaller COM From Remote Location 
new: PowerShell MSI Install via WindowsInstaller COM From Remote Location
---------

Co-authored-by: Meroujan.Antonyan <meroujan.antonyan.external@axa.com>
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
 2025-06-25 11:44:02 +02:00
wieso-itzi 0304ffbbd6 Merge PR #5050 from @wieso-itzi - detect vacuuming of journald for log clearing 
update: Commands to Clear or Remove the Syslog - detect journald vacuuming
---------

Signed-off-by: wieso-itzi <85185077+wieso-itzi@users.noreply.github.com>
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
 2025-06-24 13:29:27 +02:00
Swachchhanda Shrawan Poudel 6010717912 Merge PR #5488 from @swachchhanda000 - Trusted path bypass 
new: Trusted Path Bypass via Windows Directory Spoofing
update: TrustedPath UAC Bypass Pattern - update Image value
---------

Co-authored-by: nasbench <nasbench@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
 2025-06-24 12:35:51 +02:00
norbert791 639a948bae Merge PR #5426 from @norbert791 - New rules: Remote Access Tool MeshAgent 
new: Remote Access Tool - Potential MeshAgent Usage - MacOS
new: Remote Access Tool - Potential MeshAgent Usage - Windows
new: Remote Access Tool - Suspicious MeshAgent Usage - MacOS
new: Remote Access Tool - Suspicious MeshAgent Usage - Windows
chore: Remote Access Tool - MeshAgent Command Execution via MeshCentral - typo fixed
---------

Co-authored-by: Norbert Jaśniewicz <norbert.jasniewicz@alphasoc.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
 2025-06-24 11:19:53 +02:00
phantinuss 39537caa0d Merge PR #5486 from @phantinuss - fix: reduce FP matching with regex pattern 
fix: Hidden Files and Directories - reduce FP matching with regex pattern
 2025-06-24 10:35:56 +02:00
Swachchhanda Shrawan Poudel db77b97a25 Merge PR #5222 from @swachchhanda000 - fix FPs in rules related to remote thread creation 
fix: Uncommon AppX Package Locations - add a new filter to reduce noise
fix: Rare Remote Thread Creation By Uncommon Source Image - add new filters to reduce noise
fix: Remote Thread Creation By Uncommon Source Image - add new filters to reduce noise
update: Remote Thread Created In Shell Application - move to threat-hunting folder as it causes too much noise
---------

Co-authored-by: nasbench <nasbench@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
 2025-06-23 11:43:43 +02:00
Grégory Wychowaniec 002f3e5961 Merge PR #5485 from @gregorywychowaniec-zt - Update registry_set rules to add 64 bits Program Files directory in filters 
fix: Common Autorun Keys Modification - add 64 bits Program Files directory in filter
fix: CurrentVersion Autorun Keys Modification - add 64 bits Program Files directory in filter
 2025-06-16 13:42:00 +02:00
phantinuss dfed136f16 Merge PR #5477 from @phantinuss - chore: update MITRE tag t1219 to t1219.002 
chore: update MITRE tag t1219 to t1219.002
 2025-06-13 10:00:52 +02:00
Swachchhanda Shrawan Poudel cc747ed2e9 Merge PR #5471 from @swachchhanda000 - feat: BadSuccessor Exploits Detection 
new: HKTL - SharpSuccessor Privilege Escalation Tool Execution
update: Malicious PowerShell Scripts - FileCreation - Add BadSuccessor Exploit
update: Malicious PowerShell Scripts - PoshModule - Add BadSuccessor Exploit
update: Malicious PowerShell Commandlets - PoshModule - Add BadSuccessor Exploit
 2025-06-12 12:51:36 +02:00
lazarg dca02df740 Merge PR #5243 from @xlazarg - System Information Discovery via Registry Queries 
new: System Information Discovery via Registry Queries

---------

Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
 2025-06-12 12:31:43 +02:00
egycondor d242edfd5e Merge PR #5453 from @egycondor - DNS Query To Common Malware Hosting and Shortener Services 
new: DNS Query To Common Malware Hosting and Shortener Services
---------

Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
 2025-06-12 12:31:03 +02:00
Swachchhanda Shrawan Poudel d44c380d8c Merge PR #5413 from @swachchhanda000 - feat: Mshta more susp extension added 
update: MSHTA Execution with Suspicious File Extensions - title changed and more susp extension added

---------

Co-authored-by: nasbench <nasbench@users.noreply.github.com>
 2025-06-11 11:30:31 +02:00
frack113 3183768be3 Merge PR #4901 from @frack113 - Regasm Without CommandLine 
new: RegAsm.EXE Execution Without CommandLine Flags or Files

---------

Co-authored-by: nasbench <nasbench@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
 2025-06-11 11:25:56 +02:00
Gameel Ali 12d68aca19 Merge PR #5148 from @MalGamy12 - Update Suspicious Windows Defender Registry Key Tampering Via Reg.EXE 
update: Suspicious Windows Defender Registry Key Tampering Via Reg.EXE - Increase coverage by adding new values that allow for Windows Defender to be disabled such as DisableCloudProtection and DisableSecurityCenter

---------

Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com>
 2025-06-11 11:25:56 +02:00