security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
16,535 Commits 1 Branch 57 Tags
c19e9cb2a4bd23c1bfbc85c398e6c7cbfd4eb016
Commit Graph

1705 Commits

Author SHA1 Message Date
github-actions[bot] e8fed8709c Merge PR #5572 from @nasbench - Promote older rules status from experimental to test 
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
 2025-08-14 14:05:46 +02:00
Swachchhanda Shrawan Poudel b7f52495c6 Merge PR #5520 from @swachchhanda000 - Fix Logic in some rules that were causing FPs and FNs 
fix: Transferring Files with Credential Data via Network Shares - Made the string matching little more specific to avoid FPs
fix: Removal of Potential COM Hijacking Registry Keys - Added Msedge update filter
fix: COM Hijacking via TreatAs - Add filter for integrator.exe
fix: Suspicious Volume Shadow Copy VSS_PS.dll Load - add vssadmin filter
update: System File Execution Location Anomaly - add taskhostw

---------

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
 2025-07-14 12:04:39 +02:00
Swachchhanda Shrawan Poudel a55bc212ad Merge PR #5492 from @swachchhanda000 - Kerberos Coercion Via DNS SPN Spoofing
Create Release / Create Release (push) Has been cancelled
Details 
new: Suspicious DNS Query Indicating Kerberos Coercion via DNS Object SPN Spoofing - Network
new: Potential Kerberos Coercion by Spoofing SPNs via DNS Manipulation
new: Suspicious DNS Query Indicating Kerberos Coercion via DNS Object SPN Spoofing
new: Attempts of Kerberos Coercion Via DNS SPN Spoofing
 2025-07-08 11:35:45 +02:00
Swachchhanda Shrawan Poudel 3201382785 Merge PR #5513 from @swachchhanda000 - fix FPs observed via Aurora 
fix: Suspicious Sysmon as Execution Parent - add filter for Sysmon binary running from temp dir
fix: Remote Thread Created In Shell Application - modify the logic to filter out legit processes creating remote thread in shell apps
fix: Potential Active Directory Reconnaissance/Enumeration Via LDAP - commenting out troublesome LDAP query parameter
fix: Rare Remote Thread Creation By Uncommon Source Image - add several FP filter
fix: Remote Thread Creation By Uncommon Source Image - add several FP filter
fix: ADS Zone.Identifier Deleted By Uncommon Application - filter msedge
fix: Remote Thread Creation In Uncommon Target Image - add FP filters for notepad and sethc
fix: Potential Binary Or Script Dropper Via PowerShell - add filters for legitimate binary dropped by PowerShell
fix: Use Short Name Path in Command Line - add filter for aurora
fix: Suspicious Userinit Child Process - filter null Image
fix: CurrentVersion NT Autorun Keys Modification - add filter for RuntimeBroker.exe
fix: Modification of IE Registry Settings - add filter for RuntimeBroker.exe
fix: Scheduled TaskCache Change by Uncommon Program - add filter for RuntimeBroker.exe
---------

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
 2025-07-08 10:29:01 +02:00
GrepItAll f8b17bff8c Merge PR #5512 from @GrepItAll - fix: use the correct PreAuthType selection field name 
fix: Potential AS-REP Roasting via Kerberos TGT Requests - use the correct PreAuthType selection field name

---------

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
 2025-07-07 10:25:39 +02:00
github-actions[bot] 4316ad64da Merge PR #5506 from @nasbench -promote older rules status from experimental to test 
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
 2025-07-01 10:34:38 +02:00
Swachchhanda Shrawan Poudel db77b97a25 Merge PR #5222 from @swachchhanda000 - fix FPs in rules related to remote thread creation 
fix: Uncommon AppX Package Locations - add a new filter to reduce noise
fix: Rare Remote Thread Creation By Uncommon Source Image - add new filters to reduce noise
fix: Remote Thread Creation By Uncommon Source Image - add new filters to reduce noise
update: Remote Thread Created In Shell Application - move to threat-hunting folder as it causes too much noise
---------

Co-authored-by: nasbench <nasbench@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
 2025-06-23 11:43:43 +02:00
phantinuss dfed136f16 Merge PR #5477 from @phantinuss - chore: update MITRE tag t1219 to t1219.002 
chore: update MITRE tag t1219 to t1219.002
 2025-06-13 10:00:52 +02:00
dan21san fd62c55e47 Merge PR #5221 from @dan21san - MSSQL Destructive Query 
new: MSSQL Destructive Query
---------

Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com>
 2025-06-11 11:25:56 +02:00
david-syk 3eaaa050b7 Merge PR #5452 from @david-syk - Update the MITRE ATT&CK tags for multiple rules 
chore: update the MITRE ATT&CK tags for multiple rules
 2025-06-04 14:39:25 +02:00
frack113 74fc1c74ec Merge PR #5451 from @frack113 - chore: cleanup metadata 
chore: 🧹 Remove redundant modified field
chore: 🧹 Use Mitre tags instead of url
chore: 🧹 Use permalink for github file reference
chore: 🧹 Order emerging-threats Exploits rules
 2025-06-04 13:33:36 +02:00
Grégory Wychowaniec 3054ad5d18 Merge PR #5440 from @gregorywychowaniec-zt - Add filter for local machine whithout IP 
fix: MSSQL Server Failed Logon From External Network - filter for local_machine without IP
 2025-05-31 13:14:46 +02:00
egycondor e8fbc4966d Merge PR #5428 from @egycondor - AS-REP Roasting via Kerberos TGT Request 
new: Potential AS-REP Roasting via Kerberos TGT Requests
---------

Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
 2025-05-26 10:50:14 +02:00
Jason Mull de7a1387b5 Merge PR #5417 from @jasonmull - Create Detection for Crash Dump Created By Operating System 
new: Crash Dump Created By Operating System

---------

Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com>
 2025-05-21 09:09:37 +02:00
david-syk 6fe3ac8a02 Merge PR #5389 from @david-syk - Update MITRE ATT&CK tags 
chore: update the tags of multiple rules
 2025-05-20 23:09:50 +02:00
david-syk efcfe43fae Merge PR #5388 from @david-syk - Update MITRE ATT&CK tags 
chore: update the tags of multiple rules
 2025-05-20 23:09:23 +02:00
david-syk f255ba29e6 Merge PR #5390 from @david-syk - Update MITRE ATT&CK tags 
chore: update the tags of multiple rules
 2025-05-20 23:08:57 +02:00
david-syk a869abc3cc Merge PR #5395 from @david-syk - Update MITRE ATT&CK tags 
chore: update the tags of multiple rules
 2025-05-20 23:05:21 +02:00
github-actions[bot] 350fec2f51 Merge PR #5397 from @nasbench - Promote older rules status from experimental to test 
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
 2025-05-20 22:58:46 +02:00
frack113 83b9ff50bc Merge PR #5418 from @frack113 - chore: 🧹 Update MITRE V17 DLL tags 
chore: Update MITRE T1574.002 as is now merge into T1574.001 in the V17
 2025-05-15 12:17:10 +02:00
github-actions[bot] 29ad6f9617 Merge PR #5249 from @nasbench - Promote older rules status from experimental to test 
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
 2025-04-17 00:41:35 +02:00
Swachchhanda Shrawan Poudel f784916130 Merge PR #5207 from @swachchhanda000 - Updated Anydesk related rules 
update: Anydesk Remote Access Software Service Installation - Enhance coverage by accounting for the `AnyDesk MSI` Service
update: Suspicious Binary Writes Via AnyDesk - Add `AnyDeskMSI.exe`
update: Remote Access Tool - AnyDesk Incoming Connection - Add `AnyDeskMSI.exe`
update: Remote Access Tool - Anydesk Execution From Suspicious Folder - Add `AnyDeskMSI.exe`
update: Remote Access Tool - AnyDesk Execution - Add `AnyDeskMSI.exe`
 2025-03-05 00:19:19 +01:00
GtUGtHGtNDtEUaE da7a8305f1 Merge PR #5176 from @GtUGtHGtNDtEUaE - Update rules covering EventID 4660 
remove: Windows Defender Exclusion Deleted
fix: WCE wceaux.dll Access - Remove EventIDs `4658` and `4660` as they both do not contain the `ObjectName` field
 2025-01-31 18:08:59 +01:00
Djordje Lukic 92989a4f74 Merge PR #5167 from @djlukic - Fix multiple false positives found in the wild 
fix: Failed Code Integrity Checks - Add filters for `CrowdStrike`.
fix: Renamed Powershell Under Powershell Channel - Add edge case filters for double backslashes PowerShell invocation.

---------

Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>
 2025-01-30 21:15:39 +01:00
github-actions[bot] 8734022722 Merge PR #5149 from @nasbench - Promote older rules status from experimental to test 
chore: promote older rules status from experimental to test

Co-authored-by: nasbench <nasbench@users.noreply.github.com>
 2025-01-06 15:36:19 +01:00
Djordje Lukic 1df3c34391 Merge PR #5144 from @djlukic - Fix multiple FPs 
fix: Relevant Anti-Virus Signature Keywords In Application Log - Enhances the `HTool` string to avoid unintended matches.
fix: Uncommon AppX Package Locations - Add `https://installer.teams.static.microsoft/`
fix: BITS Transfer Job With Uncommon Or Suspicious Remote TLD - Add `dn.onenote.net/` and `cdn.office.net/`
fix: CodeIntegrity - Unmet Signing Level Requirements By File Under Validation - Add filter for `Kaspersky` and `mDNS Responder`
 2024-12-27 16:38:02 +01:00
Koifman 3449958dbf Merge PR #5041 from @Koifman - Update tags for Register new Logon Process by Rubeus 
chore: update tags for `Register new Logon Process by Rubeus`
 2024-12-19 18:41:14 +01:00
Phill Moore a290d22143 Merge PR #5125 from @randomaccess3 - Update Potential Secure Deletion with SDelete 
update: Potential Secure Deletion with SDelete - Enhance metadata

---------

Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>
 2024-12-14 21:55:43 +02:00
Florian Roth ee821b8e99 Merge PR #5110 from @Neo23x0 - Update Remote Access Tool Services Have Been Installed - Security 
update: Remote Access Tool Services Have Been Installed - Security - Add anydesk
 2024-12-07 15:47:45 +01:00
github-actions[bot] 9367349016 Merge PR #5101 from @nasbench - Promote older rules status from experimental to test 
chore: promote older rules status from experimental to test

Co-authored-by: nasbench <nasbench@users.noreply.github.com>
 2024-12-01 13:40:32 +01:00
github-actions[bot] f533350560 Merge PR #5065 from @nasbench - Promote older rules status from experimental to test 
chore: promote older rules status from `experimental` to `test`

Co-authored-by: nasbench <nasbench@users.noreply.github.com>
 2024-11-01 10:21:04 +01:00
Mohamed Ashraf 7e4748ec0e feat: update multiple rules (#5055) 
* Update multiple rules

* updates

---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
 2024-10-25 16:32:03 +02:00
Djordje Lukic f33530e756 Merge PR #4994 from @djlukic - Multiple FP fixes 
update: CodeIntegrity - Unmet Signing Level Requirements By File Under Validation - Add additional filters for third party AV
update: Suspicious Non PowerShell WSMAN COM Provider - Add new filter to cover the edge case where the `HostApplication` field is null
update: Renamed Powershell Under Powershell Channel - Add new filter to cover the edge case where the `HostApplication` field is null

---------
 
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
 2024-10-08 23:08:50 +02:00
frack113 c70fff4b8b Merge PR #4935 from @frack113 - Add new IIS logsource and related rules 
chore: add "Microsoft-IIS-Configuration/Operational" support to the tests and thor.yml
new: ETW Logging/Processing Option Disabled On IIS Server
new: HTTP Logging Disabled On IIS Server
new: New Module Module Added To IIS Server
new: Previously Installed IIS Module Was Removed 

---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
 2024-10-06 22:44:05 +02:00
github-actions[bot] 08c52c367c Merge PR #5027 from @nasbench - Promote older rules status from experimental to test 
chore: promote older rules status from experimental to test

Co-authored-by: nasbench <nasbench@users.noreply.github.com>
 2024-10-01 14:56:09 +02:00
Alexander J 9db7e07223 Merge PR #5022 from @jaegeral - Fix some typos in rules metadata 
chore: fix some typos in the title and description of some rules
 2024-09-22 19:14:26 +02:00
Fukusuke Takahashi 132482818e Merge PR #5007 from @fukusuket - Fix unreachable GitHub URL references 
chore: CVE-2021-1675 Print Spooler Exploitation Filename Pattern - Fix unreachable GitHub URL references
chore: HackTool - DInjector PowerShell Cradle Execution - Fix unreachable GitHub URL references
chore: InstallerFileTakeOver LPE CVE-2021-41379 File Create Event - Fix unreachable GitHub URL references
chore: LPE InstallerFileTakeOver PoC CVE-2021-41379  - Fix unreachable GitHub URL references
chore: Malicious PowerShell Scripts - FileCreation - Fix unreachable GitHub URL references
chore: Malicious PowerShell Scripts - PoshModule - Fix unreachable GitHub URL references
chore: Possible CVE-2021-1675 Print Spooler Exploitation - Fix unreachable GitHub URL references
chore: Potential NT API Stub Patching - Fix unreachable GitHub URL references
chore: Potential PrintNightmare Exploitation Attempt - Fix unreachable GitHub URL references
chore: Potential RDP Exploit CVE-2019-0708 - Fix unreachable GitHub URL references
chore: Potential SAM Database Dump - Fix unreachable GitHub URL references
chore: Scanner PoC for CVE-2019-0708 RDP RCE Vuln - Fix unreachable GitHub URL references
chore: Suspicious Rejected SMB Guest Logon From IP - Fix unreachable GitHub URL references
chore: Windows Spooler Service Suspicious Binary Load - Fix unreachable GitHub URL references
 2024-09-13 11:14:11 +02:00
Josh 8288d4be9f Merge PR #5001 from @joshnck - Add Startup/Logon Script Added to Group Policy Object 
new: Startup/Logon Script Added to Group Policy Object 
---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
 2024-09-06 11:41:18 +02:00
Josh ad84d82baf Merge PR #5000 from @joshnck - Update Persistence and Execution at Scale via GPO Scheduled Task 
update: Persistence and Execution at Scale via GPO Scheduled Task - Increase coverage by adding selection for EID 5136 

---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
 2024-09-06 11:40:46 +02:00
Josh 06b116608e Merge PR #4999 from @joshnck - Add Group Policy Abuse for Privilege Addition 
new: Group Policy Abuse for Privilege Addition 

---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
 2024-09-06 11:40:04 +02:00
Nasreddine Bencherchali b86a494f55 Merge PR #4993 from @nasbench - Fix Issues 
new: Potential CommandLine Obfuscation Using Unicode Characters From Suspicious Image - A detection replacement for `e0552b19-5a83-4222-b141-b36184bb8d79`
remove: OMIGOD SCX RunAsProvider ExecuteShellCommand - Auditd - Moved to "unsupported" folder, due to the need of correlation.
remove: Potential Persistence Via COM Search Order Hijacking - Moved to "deprecated" in favour of `790317c0-0a36-4a6a-a105-6e576bf99a14`.
update: Potential CommandLine Obfuscation Using Unicode Characters - Moved to "threat-hunting" due to the nature FPs
update: Potential Remote WMI ActiveScriptEventConsumers Activity - Moved to "threat-hunting" as its meant as an enrichment rule.
 2024-09-02 19:03:46 +02:00
github-actions[bot] 839f5636f5 Merge PR #4991 from @nasbench - Promote older rules status from experimental to test 
chore: promote older rules status from `experimental` to `test`

Co-authored-by: nasbench <nasbench@users.noreply.github.com>
 2024-09-02 10:01:36 +02:00
Djordje Lukic 509120a735 Merge PR #4986 from @djlukic - Multiple FP fixes 
fix: A Rule Has Been Deleted From The Windows Firewall Exception List - Exclude WinSxS
fix: CodeIntegrity - Unmet Signing Level Requirements By File Under Validation - Exclude "amsiprovider_x64"
fix: Uncommon AppX Package Locations - Exclude additional MS cdn domain
fix: Uncommon New Firewall Rule Added In Windows Firewall Exception List - Enhance filters and exclude empty path  
---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
 2024-08-29 20:41:50 +02:00
Kostas 2851ef5d16 Merge PR #4961 from @tsale - Add multiples rules and updates 
fix: Potential Privilege Escalation via Local Kerberos Relay over LDAP - Add new exclusion
fix: Sdiagnhost Calling Suspicious Child Process - Add new filters
new: Antivirus Filter Driver Disallowed On Dev Drive - Registry
new: ChromeLoader Malware Execution
new: Emotet Loader Execution Via .LNK File
new: Exploitation Attempt Of CVE-2020-1472 - Execution of ZeroLogon PoC
new: FakeUpdates/SocGholish Activity
new: File Explorer Folder Opened Using Explorer Folder Shortcut Via Shell
new: HackTool - SharpWSUS/WSUSpendu Execution
new: HackTool - SOAPHound Execution
new: Hiding User Account Via SpecialAccounts Registry Key - CommandLine
new: Injected Browser Process Spawning Rundll32 - GuLoader Activity
new: Kerberoasting Activity - Initial Query
new: Manual Execution of Script Inside of a Compressed File
new: Obfuscated PowerShell OneLiner Execution
new: OneNote.EXE Execution of Malicious Embedded Scripts
new: Potential CVE-2021-44228 Exploitation Attempt - VMware Horizon
new: Potential CVE-2022-22954 Exploitation Attempt - VMware Workspace ONE Access Remote Code Execution
new: Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 1
new: Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 2
new: Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 3
new: Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 4
new: Potential MOVEit Transfer CVE-2023-34362 Exploitation - Dynamic Compilation Via Csc.EXE
new: Python Function Execution Security Warning Disabled In Excel
new: Python Function Execution Security Warning Disabled In Excel - Registry
new: Raspberry Robin Initial Execution From External Drive
new: Raspberry Robin Subsequent Execution of Commands
new: Remote Access Tool - Action1 Arbitrary Code Execution and Remote Sessions
new: Remote Access Tool - Ammy Admin Agent Execution
new: Remote Access Tool - Cmd.EXE Execution via AnyViewer
new: Serpent Backdoor Payload Execution Via Scheduled Task
new: Uncommon Connection to Active Directory Web Services
new: Ursnif Redirection Of Discovery Commands
update: Potential CVE-2022-29072 Exploitation Attempt - Add additional shells and flags 
---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
 2024-08-29 19:21:47 +02:00
Nasreddine Bencherchali 4cd51a3dd5 Merge PR #4937 from @nasbench - Multiple updates and fixes 
fix: Bad Opsec Defaults Sacrificial Processes With Improper Arguments - Exclude additional edge cases
fix: Relevant Anti-Virus Signature Keywords In Application Log - Exclude common keywords found in legitimate programs
fix: Suspicious Child Process Of Wermgr.EXE - Add new exclusions
fix: Uncommon Sigverif.EXE Child Process - Exclude werfault.exe
fix: Wusa.EXE Executed By Parent Process Located In Suspicious Location - Exclude ".msu" files
fix: Xwizard.EXE Execution From Non-Default Location - Exclude "WinSxS"
update: Cab File Extraction Via Wusa.EXE - Move to TH folder
update: COM Object Execution via Xwizard.EXE - Update logic
update: Potential DLL Injection Via AccCheckConsole - Enhance coverage and logic
update: Potential DLL Sideloading Activity Via ExtExport.EXE - Metadata and logic update
update: Potentially Suspicious EventLog Recon Activity Using Log Query Utilities - Increase coverage
update: Process Memory Dump via RdrLeakDiag.EXE - Enhance coverage
 2024-08-29 14:43:32 +02:00
secDre4mer 5550ccd280 Merge PR #4985 from @secDre4mer - Update Potential Active Directory Reconnaissance/Enumeration Via LDAP 
update: Potential Active Directory Reconnaissance/Enumeration Via LDAP - add enumeration of distinguished names
 2024-08-27 13:36:15 +02:00
Omar A. 29dce312bc Merge PR #4947 from @omaramin17 - Add DNS Query To Put.io - DNS Client 
new: DNS Query To Put.io - DNS Client 

---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
 2024-08-23 12:08:08 +02:00
Omar A. 9b3c363cd0 Merge PR #4954 from @omaramin17 - Update multiple rules with additional sharing domains 
update: BITS Transfer Job Download From File Sharing Domains - Add additional domains, `*.trycloudflare.com`, `*.pages.dev`, `*.w3spaces.com` and `*.workers.dev`
update: Network Communication Initiated To File Sharing Domains From Process Located In Suspicious Folder - Add additional domains, `*.trycloudflare.com`, `*.pages.dev`, `*.w3spaces.com` and `*.workers.dev`
update: Network Connection Initiated From Process Located In Potentially Suspicious Or Uncommon Location - Add additional domains, `*.trycloudflare.com`, `*.pages.dev`, `*.w3spaces.com` and `*.workers.dev`
update: New Connection Initiated To Potential Dead Drop Resolver Domain - Add additional domains, `*.trycloudflare.com`, `*.pages.dev`, `*.w3spaces.com` and `*.workers.dev`
update: Potentially Suspicious File Download From File Sharing Domain Via PowerShell.EXE - Add additional domains, `*.trycloudflare.com`, `*.pages.dev`, `*.w3spaces.com` and `*.workers.dev`
update: Suspicious Download From File-Sharing Website Via Bitsadmin - Add additional domains, `*.trycloudflare.com`, `*.pages.dev`, `*.w3spaces.com` and `*.workers.dev`
update: Suspicious File Download From File Sharing Domain Via Curl.EXE - Add additional domains, `*.trycloudflare.com`, `*.pages.dev`, `*.w3spaces.com` and `*.workers.dev`
update: Suspicious File Download From File Sharing Domain Via Wget.EXE - Add additional domains, `*.trycloudflare.com`, `*.pages.dev`, `*.w3spaces.com` and `*.workers.dev`
update: Suspicious File Download From File Sharing Websites -  File Stream - Add additional domains, `*.trycloudflare.com`, `*.pages.dev`, `*.w3spaces.com` and `*.workers.dev`
update: Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE - Add additional domains, `*.trycloudflare.com`, `*.pages.dev`, `*.w3spaces.com` and `*.workers.dev`
update: Suspicious Remote AppX Package Locations - Add additional domains, `*.trycloudflare.com`, `*.pages.dev`, `*.w3spaces.com` and `*.workers.dev`
update: Unusual File Download From File Sharing Websites - File Stream - Add additional domains, `*.trycloudflare.com`, `*.pages.dev`, `*.w3spaces.com` and `*.workers.dev`

--------- 

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
 2024-08-23 11:16:06 +02:00
Nasreddine Bencherchali 598d29f811 Merge PR #4950 from @nasbench - Comply With v2 Spec Changes 
chore: change tags, date, modified fields to comply with v2 of the Sigma spec.
chore: update the related type from `obsoletes` to `obsolete`.
chore: update local json schema to the latest version.
 2024-08-12 12:02:50 +02:00
Fukusuke Takahashi 8ff9cd8d20 Merge PR #4958 from @fukusuket - Update unreachable/broken references 
chore: Credential Dumping Tools Accessing LSASS Memory
chore: Potential MFA Bypass Using Legacy Client Authentication
chore: Possible DC Shadow Attack
chore: Potential Privileged System Service Operation - SeLoadDriverPrivilege
chore: Remote Thread Creation In Uncommon Target Image
chore: RDP File Creation From Suspicious Application
chore: Suspicious PROCEXP152.sys File Created In TMP
chore: Outbound Network Connection Initiated By Microsoft Dialer
chore: NTFS Alternate Data Stream
chore: PowerShell Get-Process LSASS in ScriptBlock
chore: Windows Firewall Profile Disabled
chore: Potentially Suspicious GrantedAccess Flags On LSASS
chore: HackTool - PCHunter Execution
chore: Mstsc.EXE Execution With Local RDP File
chore: Suspicious Mstsc.EXE Execution With Local RDP File
chore: Mstsc.EXE Execution From Uncommon Parent
chore: PowerShell Get-Process LSASS
chore: LSASS Access From Program In Potentially Suspicious Folder
chore: Uncommon GrantedAccess Flags On LSASS 

---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
Thanks: @fukusuket
 2024-08-10 01:23:58 +02:00