phantinuss
39537caa0d
Merge PR #5486 from @phantinuss - fix: reduce FP matching with regex pattern
...
fix: Hidden Files and Directories - reduce FP matching with regex pattern
2025-06-24 10:35:56 +02:00
Milad Cheraghi
ff60fa5f91
Merge PR #5444 from @CheraghiMilad - Discovery System Info via Sysinfo Syscall
...
new: System Info Discovery via Sysinfo Syscall
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
2025-06-05 13:53:57 +02:00
Milad Cheraghi
4c8e709469
Merge PR #5446 from @CheraghiMilad - Special File Creation via Mknod Syscall
...
new: Special File Creation via Mknod Syscall
---------
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2025-06-05 13:27:24 +02:00
phantinuss
298e18c9c2
Merge PR #5467 from @phantinuss - use syscall names instead of ids
...
the integration pipeline or the rule consumer has to take care of the mapping
update: Audio Capture - use syscall name instead of id
update: Clear or Disable Kernel Ring Buffer Logs via Syslog Syscall - use syscall name instead of id
update: Disable ASLR Via Personality Syscall - Linux - use syscall name instead of id
2025-06-05 13:25:58 +02:00
Milad Cheraghi
0f4572c9ac
Merge PR #5459 from @CheraghiMilad - add execveat and match on euid instead of key
...
update: Webshell Remote Command Execution - add execveat and match on euid instead of key
---------
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2025-06-05 13:22:24 +02:00
Milad Cheraghi
2fda33e611
Merge PR #5461 from @CheraghiMilad - add uname
...
update: System Owner or User Discovery - Linux - add uname
---------
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
2025-06-05 13:20:16 +02:00
Milad Cheraghi
ad1bfd3d28
Merge PR #5438 from @CheraghiMilad - new: clean dmesg logs
...
new: Clear or Disable Kernel Ring Buffer Logs via Syslog Syscall
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
2025-05-31 14:24:43 +02:00
Milad Cheraghi
a5e070fc9d
Merge PR #5441 from @CheraghiMilad - chore: update reference
...
chore: Disable ASLR Via Personality Syscall - Linux - update reference for PoC
---------
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
2025-05-31 14:08:26 +02:00
Milad Cheraghi
5a1e44c525
Merge PR #5432 from @CheraghiMilad - Potential Abuse of Linux Magic System Request Key
...
new: Potential Abuse of Linux Magic System Request Key
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
2025-05-31 13:12:25 +02:00
Milad Cheraghi
9ebd94a00a
Merge PR #5435 from @CheraghiMilad - Disable ASLR Via Personality Syscall - Linux
...
new: Disable ASLR Via Personality Syscall - Linux
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
2025-05-28 13:29:58 +02:00
Milad Cheraghi
304b019212
Merge PR #5385 from @CheraghiMilad - Added new tool for recording audio - ecasound
...
update: Audio Capture - add ecasound detection
---------
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2025-05-21 09:10:51 +02:00
david-syk
efcfe43fae
Merge PR #5388 from @david-syk - Update MITRE ATT&CK tags
...
chore: update the tags of multiple rules
2025-05-20 23:09:23 +02:00
Milad Cheraghi
a719612ab8
Merge PR #5098 from @CheraghiMilad - Update Service Reload or Start - Linux
...
update: Service Reload or Start - Linux - Add additional flags and binaries used to change services status
---------
Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>
2025-03-05 00:50:23 +01:00
Milad Cheraghi
aac4335550
Merge PR #5102 from @CheraghiMilad - Update Password Policy Discovery - Linux
...
update: Password Policy Discovery - Linux - Add additional new paths for "pam.d", namely "/etc/pam.d/common-account", "/etc/pam.d/common-auth" and "/etc/pam.d/auth"
---------
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
2024-12-01 14:09:27 +01:00
Milad Cheraghi
af41386535
Merge PR #5097 from @CheraghiMilad - Update System Owner or User Discovery - Linux
...
update: System Owner or User Discovery - Linux - Add 4 additional tools that can be used for host and user discovery: "whoami", "hostname", "id", "last"
---------
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
2024-12-01 13:51:14 +01:00
Nasreddine Bencherchali
b86a494f55
Merge PR #4993 from @nasbench - Fix Issues
...
new: Potential CommandLine Obfuscation Using Unicode Characters From Suspicious Image - A detection replacement for `e0552b19-5a83-4222-b141-b36184bb8d79`
remove: OMIGOD SCX RunAsProvider ExecuteShellCommand - Auditd - Moved to "unsupported" folder, due to the need of correlation.
remove: Potential Persistence Via COM Search Order Hijacking - Moved to "deprecated" in favour of `790317c0-0a36-4a6a-a105-6e576bf99a14`.
update: Potential CommandLine Obfuscation Using Unicode Characters - Moved to "threat-hunting" due to the nature of FPs
update: Potential Remote WMI ActiveScriptEventConsumers Activity - Moved to "threat-hunting" as it's meant as an enrichment rule.
2024-09-02 19:03:46 +02:00
Nasreddine Bencherchali
598d29f811
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
...
chore: change tags, date, modified fields to comply with v2 of the Sigma spec.
chore: update the related type from `obsoletes` to `obsolete`.
chore: update local json schema to the latest version.
2024-08-12 12:02:50 +02:00
Fukusuke Takahashi
dbba992bc3
Merge PR #4960 from @fukusuket - Update unreachable/broken references
...
chore: Unix Shell Configuration Modification - Update unreachable/broken references
chore: JNDIExploit Pattern - Update unreachable/broken references
chore: Load Of RstrtMgr.DLL By A Suspicious Process - Update unreachable/broken references
chore: Load Of RstrtMgr.DLL By An Uncommon Process - Update unreachable/broken references
chore: Potential appverifUI.DLL Sideloading - Update unreachable/broken references
chore: Potential Dead Drop Resolvers - Update unreachable/broken references
chore: HackTool - SecurityXploded Execution - Update unreachable/broken references
chore: Suspicious Processes Spawned by Java.EXE - Update unreachable/broken references
chore: Shell Process Spawned by Java.EXE - Update unreachable/broken references
chore: New Firewall Rule Added Via Netsh.EXE - Update unreachable/broken references
chore: PUA - AdvancedRun Execution - Update unreachable/broken references
chore: PUA - AdvancedRun Suspicious Execution - Update unreachable/broken references
chore: PUA - NSudo Execution - Update unreachable/broken references
chore: Windows Processes Suspicious Parent Directory - Update unreachable/broken references
chore: Suspect Svchost Activity - Update unreachable/broken references
chore: Whoami.EXE Execution From Privileged Process - Update unreachable/broken references
chore: Turla PNG Dropper Service - Update unreachable/broken references
chore: Exploiting SetupComplete.cmd CVE-2019-1378 - Update unreachable/broken references
chore: Log4j RCE CVE-2021-44228 Generic - Update unreachable/broken references
chore: Log4j RCE CVE-2021-44228 in Fields - Update unreachable/broken references
chore: .Class Extension URI Ending Request - Update unreachable/broken references
chore: DLL Call by Ordinal Via Rundll32.EXE - Update unreachable/broken references
2024-08-10 12:52:28 +02:00
github-actions[bot]
367ebd9395
Merge PR #4700 from @nasbench - Promote older rules status from experimental to test
...
chore: promote older rules status from experimental to test
2024-02-01 02:09:31 +01:00
github-actions[bot]
c3fe2da997
chore: promote older rules status from experimental to test (#4651)
...
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
2024-01-01 09:00:51 +01:00
github-actions[bot]
a6e7cce606
Merge PR #4533 from @nasbench - Promote experimental rules
...
chore: promote older rules status from `experimental` to `test`
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2023-11-02 10:48:45 +01:00
Wagga
8bf3282194
Merge PR #4524 from @wagga40 - Fix Typos In Metadata Fields
...
update: Registry Persistence via Service in Safe Mode - Fix typo in title
chore: Fix multiple typos in metadata fields and comments
---------
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
2023-10-28 13:15:09 +02:00
Nasreddine Bencherchali
95793d73bd
Merge PR #4482 From @nasbench - Add New Automation Workflows
...
chore: update workflows and add quality of life updates and automation to the repository
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2023-10-18 11:53:44 +02:00
frack113
020fc8061f
Merge PR #4479 From @frack113 - Upgrade Rules Status
...
chore: Upgrade status level from `experimental` to `test` for rules that have not changed in 300 days
---------
Signed-off-by: frack113 <62423083+frack113@users.noreply.github.com>
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2023-10-17 14:35:26 +02:00
Mladia
a3f39d8fb6
Merge PR #4458 from @Mladia - Update Coverage
...
update: Linux Network Service Scanning - Auditd - Update coverage to add `ncat` and `nc.openbsd`
---------
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
2023-09-27 10:27:45 +02:00
Nasreddine Bencherchali
b34f098b0d
Update lnx_auditd_masquerading_crond.yml
2023-08-22 18:36:03 +02:00
Mladia
25d7fb85d4
Update lnx_auditd_masquerading_crond.yml
...
Adapting the rule so it corresponds to the linked atomic red scenario.
2023-08-01 12:35:34 +02:00
Nasreddine Bencherchali
8dca7aa1ba
feat: more updates
2023-07-28 14:32:57 +02:00
Nasreddine Bencherchali
d7f1e8c443
Update lnx_auditd_binary_padding.yml
2023-05-03 01:09:55 +02:00
fukusuket
78fe42f78c
refactor: use '|all' instead of using all of for a single selector.
2023-04-30 21:49:32 +09:00
Nasreddine Bencherchali
3d9372bef3
feat: new rules, updates and fp fixes (#4136)
2023-04-03 12:06:14 +02:00
iai-rsa
66f3c54b89
feat: new linux rules #4095 )
...
- Updated lnx_auditd_system_info_discovery.yml
- Added lnx_auditd_modify_system_firewall.yml
- Deprecated lnx_auditd_alter_bash_profile.yml and replaced by an enhanced version in lnx_auditd_unix_shell_configuration_modification.yml
2023-03-27 13:17:54 +02:00
Nasreddine Bencherchali
7c38a5c496
chore: add nextron authors tag
2023-02-01 11:14:59 +01:00
frack113
1033b3f404
change status to test
2023-01-27 06:48:34 +01:00
frack113
cb67871bd2
Revert "Change status of old rules"
2023-01-26 19:37:18 +01:00
frack113
5323fd4baa
Change status of old rules
2023-01-25 18:41:18 +01:00
Nasreddine Bencherchali
15757c2b7d
fix: remove tactic links
2023-01-10 19:20:31 +01:00
frack113
4023bf2c83
Remove mitre url
2023-01-10 18:09:04 +01:00
Nasreddine Bencherchali
7e73028c5e
feat: updates and enhancements
2023-01-06 16:35:34 +01:00
signalblur
73f56c2f0e
Hidden Linux Binary Execution (#3108)
...
Co-authored-by: Florian Roth <venom14@gmail.com>
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
2022-12-31 08:27:32 +01:00
Nasreddine Bencherchali
85aa0220d0
Merge pull request #3819 from blueteam0ps/master
...
lnx_auditd_debugfs_usage.yml
2022-12-27 16:57:22 +01:00
Nasreddine Bencherchali
0d2ddb4a9b
fix: small selection fix for clarity
2022-12-27 16:23:09 +01:00
Nasreddine Bencherchali
256d6a839e
fix: update condition
...
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
2022-12-27 16:13:56 +01:00
Nasreddine Bencherchali
281dc11fc5
fix: remove correlation
2022-12-27 15:31:51 +01:00
frack113
7060db3d47
Promotion rules (#3821)
...
* Promotion rules
* fix missing null
* fix: modified date
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
2022-12-27 12:29:10 +01:00
BlueTeamOps
1d8256fa69
Update lnx_auditd_debugfs_usage.yml
2022-12-25 09:47:19 +11:00
BlueTeamOps
81d8d1a5a7
replaced timeframe with timespan
2022-12-25 08:10:03 +11:00
BlueTeamOps
976d994cee
Updated to include additional tools
...
Expanded the list of Linux tools that may be used to obtain volume meta info and also included the auditd.
Removed specific switches for tools as those tools and debugfs exec within that time period will be rare.
2022-12-25 07:57:18 +11:00
BlueTeamOps
de84fbcd62
lnx_auditd_debugfs_usage.yml
2022-12-24 23:41:20 +11:00
Nasreddine Bencherchali
57e51cca2a
fix: typo in near operator
2022-12-22 16:08:21 +01:00