security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
16,535 Commits 1 Branch 57 Tags
c19e9cb2a4bd23c1bfbc85c398e6c7cbfd4eb016
Commit Graph

5060 Commits

Author SHA1 Message Date
github-actions[bot] e8fed8709c Merge PR #5572 from @nasbench - Promote older rules status from experimental to test 
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
 2025-08-14 14:05:46 +02:00
Koifman 73444cac35 Merge PR #5568 from @Koifman - Password Never Expires Set via WMI 
new: Password Never Expires Set via WMI
---------

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
 2025-07-31 12:28:06 +02:00
Swachchhanda Shrawan Poudel 1e41c5378e Merge PR #5534 from @swachchhanda000 - update PowerShell WebRequest rules 
remove: PowerShell Web Download - deprecate duplicate rule in favour of 9fc51a3c-81b3-4fa7-b35f-7c02cf10fd2d
update: PowerShell Script With File Upload Capabilities - add invoke-restmethod cmdlet
update: Change User Agents with WebRequest - add invoke-restmethod cmdlet
update: Usage Of Web Request Commands And Cmdlets - add invoke-restmethod cmdlet
update: Usage Of Web Request Commands And Cmdlets - ScriptBlock - add invoke-restmethod cmdlet
update: Potential DLL File Download Via PowerShell Invoke-WebRequest - add invoke-restmethod cmdlet
update: PowerShell Download and Execution Cradles - add invoke-restmethod cmdlet
update: Suspicious Invoke-WebRequest Execution With DirectIP - add invoke-restmethod cmdlet
update: Suspicious Invoke-WebRequest Execution - add powershell_ise
update: Potential Data Exfiltration Activity Via CommandLine Tools - add invoke-restmethod cmdlet
update: Obfuscated IP Download Activity - add invoke-restmethod cmdlet
update: Suspicious PowerShell In Registry Run Keys - add invoke-restmethod cmdlet

---------

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
 2025-07-28 13:32:57 +02:00
Matt Anderson af492dc0f6 Merge PR #5528 from @MATTANDERS0N - add rules for defense evasion 
new: PowerShell Defender Default Threat Action Set to 'Allow' or 'NoAction'
new: Windows Defender Context Menu Removed via Reg.exe
new: Disabling Windows Defender WMI Autologger Session via Reg.exe
new: Delete Defender Scan ShellEx Context Menu Registry Key
new: Windows Defender Default Threat Action Modified

---------

Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
 2025-07-28 13:25:23 +02:00
Swachchhanda Shrawan Poudel 80879020da Merge PR #5524 from @swachchhanda000 - add 7za to Renamed 7-Zip Execution 
update: Potential Defense Evasion Via Binary Rename - add 7za
 2025-07-16 13:34:33 +02:00
Swachchhanda Shrawan Poudel b7f52495c6 Merge PR #5520 from @swachchhanda000 - Fix Logic in some rules that were causing FPs and FNs 
fix: Transferring Files with Credential Data via Network Shares - Made the string matching little more specific to avoid FPs
fix: Removal of Potential COM Hijacking Registry Keys - Added Msedge update filter
fix: COM Hijacking via TreatAs - Add filter for integrator.exe
fix: Suspicious Volume Shadow Copy VSS_PS.dll Load - add vssadmin filter
update: System File Execution Location Anomaly - add taskhostw

---------

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
 2025-07-14 12:04:39 +02:00
Arnim Rupp 3f3b1540a0 Merge PR #5518 from @ruppde - new rule and updates for ADExplorer 
new: ADExplorer Writing Complete AD Snapshot Into .dat File
update: Active Directory Database Snapshot Via ADExplorer - add more selections
update: Suspicious Active Directory Database Snapshot Via ADExplorer - add more selections

---------

Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
 2025-07-14 12:02:18 +02:00
Rory dc017f694a Merge PR #5146 from @resp404nse - Potential SSH Tunnel Persistence Install Using A Scheduled Task 
new: Potential SSH Tunnel Persistence Install Using A Scheduled Task
---------

Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
 2025-07-14 11:14:40 +02:00
Swachchhanda Shrawan Poudel a55bc212ad Merge PR #5492 from @swachchhanda000 - Kerberos Coercion Via DNS SPN Spoofing
Create Release / Create Release (push) Has been cancelled
Details 
new: Suspicious DNS Query Indicating Kerberos Coercion via DNS Object SPN Spoofing - Network
new: Potential Kerberos Coercion by Spoofing SPNs via DNS Manipulation
new: Suspicious DNS Query Indicating Kerberos Coercion via DNS Object SPN Spoofing
new: Attempts of Kerberos Coercion Via DNS SPN Spoofing
 2025-07-08 11:35:45 +02:00
Swachchhanda Shrawan Poudel 3201382785 Merge PR #5513 from @swachchhanda000 - fix FPs observed via Aurora 
fix: Suspicious Sysmon as Execution Parent - add filter for Sysmon binary running from temp dir
fix: Remote Thread Created In Shell Application - modify the logic to filter out legit processes creating remote thread in shell apps
fix: Potential Active Directory Reconnaissance/Enumeration Via LDAP - commenting out troublesome LDAP query parameter
fix: Rare Remote Thread Creation By Uncommon Source Image - add several FP filter
fix: Remote Thread Creation By Uncommon Source Image - add several FP filter
fix: ADS Zone.Identifier Deleted By Uncommon Application - filter msedge
fix: Remote Thread Creation In Uncommon Target Image - add FP filters for notepad and sethc
fix: Potential Binary Or Script Dropper Via PowerShell - add filters for legitimate binary dropped by PowerShell
fix: Use Short Name Path in Command Line - add filter for aurora
fix: Suspicious Userinit Child Process - filter null Image
fix: CurrentVersion NT Autorun Keys Modification - add filter for RuntimeBroker.exe
fix: Modification of IE Registry Settings - add filter for RuntimeBroker.exe
fix: Scheduled TaskCache Change by Uncommon Program - add filter for RuntimeBroker.exe
---------

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
 2025-07-08 10:29:01 +02:00
Mohamed Ashraf fa9c495aa2 Merge PR #5515 from @X-Junior - coverage for Invoke-PowerDPAPI 
update: Malicious PowerShell Commandlets - ScriptBlock - add Invoke-PowerDPAPI
update: Malicious PowerShell Scripts - FileCreation - add Invoke-PowerDPAPI
update: Malicious PowerShell Scripts - PoshModule - add Invoke-PowerDPAPI
update: Malicious PowerShell Commandlets - ProcessCreation - add Invoke-PowerDPAPI
update: Malicious PowerShell Commandlets - PoshModule - add Invoke-PowerDPAPI
 2025-07-07 12:19:55 +02:00
David Faiß 0e33642058 Merge PR #5478 from @kivi280 - add rule to detect vshadow.exe with -exec parameter 
new: Proxy Execution via Vshadow - detect invocation of `vshadow.exe` with `-exec` to spot hidden malware execution

---------

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
 2025-07-03 11:57:48 +02:00
Swachchhanda Shrawan Poudel 2845e845ee Merge PR #5509 from @swachchhanda000 - Doppelganger Cloning and Dumping LSASS 
new: HackTool - Doppelanger LSASS Dumper Execution
new: HackTool - HollowReaper Execution

---------

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
 2025-07-03 11:55:58 +02:00
Swachchhanda Shrawan Poudel 7a81b073e0 Merge PR #5181 from @swachchhanda000 - update SSH proxy execution rule 
update: Program Executed Using Proxy/Local Command Via SSH.EXE - add Imphash and OriginalFileName

---------

Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
 2025-07-03 09:40:29 +02:00
github-actions[bot] 4316ad64da Merge PR #5506 from @nasbench -promote older rules status from experimental to test 
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
 2025-07-01 10:34:38 +02:00
Alfie Champion 8d18ec7df0 Merge PR #5503 from @ajpc500 - include cmd.exe child process 
update: FileFix - Suspicious Child Process from Browser File Upload Abuse - add cmd.exe child process
---------

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
 2025-07-01 10:21:27 +02:00
Mathieu c11a785973 Merge PR #5501 from @0xFustang - FileFix - Suspicious Sub-processes Spawned by Web Browsers 
new: FileFix - Suspicious Child Process from Browser File Upload Abuse

---------

Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
 2025-06-27 12:40:44 +02:00
vx3r b12a3fcbd6 Merge PR #5466 from @vx3r - PowerShell MSI Install via WindowsInstaller COM From Remote Location 
new: PowerShell MSI Install via WindowsInstaller COM From Remote Location
---------

Co-authored-by: Meroujan.Antonyan <meroujan.antonyan.external@axa.com>
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
 2025-06-25 11:44:02 +02:00
Swachchhanda Shrawan Poudel 6010717912 Merge PR #5488 from @swachchhanda000 - Trusted path bypass 
new: Trusted Path Bypass via Windows Directory Spoofing
update: TrustedPath UAC Bypass Pattern - update Image value
---------

Co-authored-by: nasbench <nasbench@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
 2025-06-24 12:35:51 +02:00
norbert791 639a948bae Merge PR #5426 from @norbert791 - New rules: Remote Access Tool MeshAgent 
new: Remote Access Tool - Potential MeshAgent Usage - MacOS
new: Remote Access Tool - Potential MeshAgent Usage - Windows
new: Remote Access Tool - Suspicious MeshAgent Usage - MacOS
new: Remote Access Tool - Suspicious MeshAgent Usage - Windows
chore: Remote Access Tool - MeshAgent Command Execution via MeshCentral - typo fixed
---------

Co-authored-by: Norbert Jaśniewicz <norbert.jasniewicz@alphasoc.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
 2025-06-24 11:19:53 +02:00
phantinuss dfed136f16 Merge PR #5477 from @phantinuss - chore: update MITRE tag t1219 to t1219.002 
chore: update MITRE tag t1219 to t1219.002
 2025-06-13 10:00:52 +02:00
Swachchhanda Shrawan Poudel cc747ed2e9 Merge PR #5471 from @swachchhanda000 - feat: BadSuccessor Exploits Detection 
new: HKTL - SharpSuccessor Privilege Escalation Tool Execution
update: Malicious PowerShell Scripts - FileCreation - Add BadSuccessor Exploit
update: Malicious PowerShell Scripts - PoshModule - Add BadSuccessor Exploit
update: Malicious PowerShell Commandlets - PoshModule - Add BadSuccessor Exploit
 2025-06-12 12:51:36 +02:00
lazarg dca02df740 Merge PR #5243 from @xlazarg - System Information Discovery via Registry Queries 
new: System Information Discovery via Registry Queries

---------

Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
 2025-06-12 12:31:43 +02:00
Swachchhanda Shrawan Poudel d44c380d8c Merge PR #5413 from @swachchhanda000 - feat: Mshta more susp extension added 
update: MSHTA Execution with Suspicious File Extensions - title changed and more susp extension added

---------

Co-authored-by: nasbench <nasbench@users.noreply.github.com>
 2025-06-11 11:30:31 +02:00
frack113 3183768be3 Merge PR #4901 from @frack113 - Regasm Without CommandLine 
new: RegAsm.EXE Execution Without CommandLine Flags or Files

---------

Co-authored-by: nasbench <nasbench@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
 2025-06-11 11:25:56 +02:00
Gameel Ali 12d68aca19 Merge PR #5148 from @MalGamy12 - Update Suspicious Windows Defender Registry Key Tampering Via Reg.EXE 
update: Suspicious Windows Defender Registry Key Tampering Via Reg.EXE - Increase coverage by adding new values that allow for Windows Defender to be disabled such as DisableCloudProtection and DisableSecurityCenter

---------

Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com>
 2025-06-11 11:25:56 +02:00
Swachchhanda Shrawan Poudel 8cfa4fbd1c Merge PR #5225 from @swachchhanda000 - Lazagne rule update 
update: HackTool - LaZagne Execution: filter added to reduce FP and added more coverage through imphash

---------

Co-authored-by: nasbench <nasbench@users.noreply.github.com>
 2025-06-11 11:25:51 +02:00
Swachchhanda Shrawan Poudel 3eb0198939 Merge PR #5445 from @swachchhanda000 - feat: add coverage for Unicode Space Character Obfuscation 
update: Suspicious Double Extension Files: add more suspicious extension combination
update: Potential CommandLine Obfuscation Using Unicode Characters From Suspicious Image - add Unicode space character
update: Suspicious Double Extension File Execution: add more suspicious extension combination

---------

Co-authored-by: nasbench <nasbench@users.noreply.github.com>
 2025-06-05 13:29:46 +02:00
Nasreddine Bencherchali dc9a998874 Merge PR #5465 from @nasbench - Update File Decoded From Base64/Hex Via Certutil.EXE 
update: File Decoded From Base64/Hex Via Certutil.EXE - Increase level to `high`
 2025-06-04 18:11:03 +02:00
Swachchhanda Shrawan Poudel 8b07b7b9a4 Merge PR #5208 from @swachchhanda000 - Fix FPs and added coverage for ARM based windows dotnet paths 
fix: Creation of an Executable by an Executable - Add filter for Windows Microsoft.NET ARM path
fix: Amsi.DLL Load By Uncommon Process - Add filter for Windows Microsoft.NET ARM path
fix: WMI Module Loaded By Uncommon Process - Add filter for Windows Microsoft.NET ARM path
fix: PowerShell Core DLL Loaded By Non PowerShell Process - Add filter for Windows Microsoft.NET ARM path
fix: Potential DLL Sideloading Of MsCorSvc.DLL - Add filter for Windows Microsoft.NET ARM path
fix: Suspicious WSMAN Provider Image Loads - Add filter for Windows Microsoft.NET ARM path
fix: AddinUtil.EXE Execution From Uncommon Directory - Add filter for Windows Microsoft.NET ARM path
fix: Potential System DLL Sideloading From Non System Locations - Add filter for "C:\Windows\SyChpe32\"
update: AspNetCompiler Execution - Add ARM version of the \Microsoft.NET path
update: Potentially Suspicious ASP.NET Compilation Via AspNetCompiler - Add ARM version of the \Microsoft.NET path

---------

Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com>
 2025-06-04 17:44:31 +02:00
Nik Stuckenbrock c2a5f405fe Merge PR #5219 from @nikstuckenbrock - Update Potential PowerShell Obfuscation Via WCHAR/CHAR 
update: Potential PowerShell Obfuscation Via WCHAR/CHAR - Add `CHAR` variation

---------

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
 2025-06-04 17:39:06 +02:00
david-syk 3eaaa050b7 Merge PR #5452 from @david-syk - Update the MITRE ATT&CK tags for multiple rules 
chore: update the MITRE ATT&CK tags for multiple rules
 2025-06-04 14:39:25 +02:00
vx3r 8e4e286b0b Merge PR #5436 from @vx3r - Obfuscated PowerShell MSI Install via WindowsInstaller COM 
new: Obfuscated PowerShell MSI Install via WindowsInstaller COM

---------

Co-authored-by: Meroujan.Antonyan <meroujan.antonyan.external@axa.com>
Co-authored-by: Mohamed Ashraf <47338567+X-Junior@users.noreply.github.com>
 2025-06-04 13:50:39 +02:00
frack113 74fc1c74ec Merge PR #5451 from @frack113 - chore: cleanup metadata 
chore: 🧹 Remove redundant modified field
chore: 🧹 Use Mitre tags instead of url
chore: 🧹 Use permalink for github file reference
chore: 🧹 Order emerging-threats Exploits rules
 2025-06-04 13:33:36 +02:00
github-actions[bot] ec827cccb6 Merge PR #5448 from @nasbench - Promote older rules status from experimental to test 
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
 2025-06-02 13:29:48 +02:00
Swachchhanda Shrawan Poudel 585bd7d487 Merge PR #5429 from @swachchhanda000 - Katz stealer malware 
new: DNS Query To Katz Stealer Domains
new: Katz Stealer DLL Loaded
new: DNS Query To Katz Stealer Domains - Network
new: Katz Stealer Suspicious User-Agent
new: Suspicious File Access to Browser Credential Storage
new: Registry Export of Third-Party Credentials
update: Enumeration for 3rd Party Creds From CLI - Updated the condition to update FP

---------

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
 2025-05-26 10:33:24 +02:00
david-syk 6fe3ac8a02 Merge PR #5389 from @david-syk - Update MITRE ATT&CK tags 
chore: update the tags of multiple rules
 2025-05-20 23:09:50 +02:00
david-syk efcfe43fae Merge PR #5388 from @david-syk - Update MITRE ATT&CK tags 
chore: update the tags of multiple rules
 2025-05-20 23:09:23 +02:00
david-syk f255ba29e6 Merge PR #5390 from @david-syk - Update MITRE ATT&CK tags 
chore: update the tags of multiple rules
 2025-05-20 23:08:57 +02:00
david-syk a869abc3cc Merge PR #5395 from @david-syk - Update MITRE ATT&CK tags 
chore: update the tags of multiple rules
 2025-05-20 23:05:21 +02:00
Swachchhanda Shrawan Poudel 926c05e2cd Merge PR #5203 from @swachchhanda000 - Update AdFind rules 
new: PUA - AdFind.EXE Execution
update: Renamed AdFind Execution - Add additional Imphash values

---------

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
 2025-05-20 23:03:13 +02:00
github-actions[bot] 350fec2f51 Merge PR #5397 from @nasbench - Promote older rules status from experimental to test 
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
 2025-05-20 22:58:46 +02:00
frack113 83b9ff50bc Merge PR #5418 from @frack113 - chore: 🧹 Update MITRE V17 DLL tags 
chore: Update MITRE T1574.002 as is now merge into T1574.001 in the V17
 2025-05-15 12:17:10 +02:00
Swachchhanda Shrawan Poudel 906b392938 Merge PR #5196 from @swachchhanda000 - Updated and Added rules related to Autorun Registry 
new: Suspicious Autorun Registry Modified via WMI
update: Suspicious PowerShell Invocations - Specific - PowerShell Module
update: Suspicious PowerShell Invocations - Specific
update: Potential Persistence Attempt Via Run Keys Using Reg.EXE
update: New RUN Key Pointing to Suspicious Folder
update: Suspicious Powershell In Registry Run Keys
update: Direct Autorun Keys Modification
update: Suspicious Run Key from Download

---------

Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
 2025-05-12 13:28:51 +02:00
david-syk b062d8ad65 Merge PR #5380 from @david-syk - Update MITRE ATT&CK tags 2nd batch 2025-04-25 21:01:12 +02:00
david-syk 95b6dd8573 Merge PR #5381 from @david-syk - Update MITRE ATT&CK tags 
chore: update multiple mitre att&ck tags
 2025-04-25 20:55:51 +02:00
Kostas 07c285ca29 Merge PR #5265 form @tsale - Update Obfuscated PowerShell OneLiner Execution and author of multiple rules 
update: Obfuscated PowerShell OneLiner Execution - Enhance logic to increase coverage.

---------

Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>
 2025-04-17 21:42:17 +02:00
Swachchhanda Shrawan Poudel 5d050fb8a5 Merge PR #5228 from @swachchhanda000 - Update Eventlog clearing related rules 
update: Suspicious Eventlog Clear - Added coverage for eventlog clearing using dotnet class
update: Suspicious Eventlog Clearing or Configuration Change Activity- Added coverage for eventlog clearing using dotnet class

---------

Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>
 2025-04-17 00:45:10 +02:00
Swachchhanda Shrawan Poudel ff4076fea1 Merge PR #5234 from @swachchhanda000 - Update Potential Product Class Reconnaissance Via Wmic.EXE 
update: Potential Product Class Reconnaissance Via Wmic.EXE - Add `AntiSpywareProduct` class
 2025-04-17 00:44:13 +02:00
Swachchhanda Shrawan Poudel 75a1ff3915 Merge PR #5239 from @swachchhanda000 - Update Potential Browser Data Stealing 
update: Potential Browser Data Stealing - add esentutl.exe

---------

Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
 2025-04-17 00:43:26 +02:00