Commit Graph

16774 Commits

Author SHA1 Message Date
Marius Benthin c713b5d805 Merge PR #5780 from @marius-benthin - Update New Cron File Created
update: New Cron File Created - Enhance coverage and update metadata

---------

Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com>
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
2026-04-28 00:53:12 +02:00
uniqueuser f0c4235fcb Merge PR #5916 from @uniqu3-us3r - Add Kubernetes Potential Enumeration Activity
new: Kubernetes Potential Enumeration Activity

---------

Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com>
2026-04-28 00:43:10 +02:00
Marco Pedrinazzi 96c0fa6176 Merge PR #5846 from @marcopedrinazzi - Add Suspicious Email Delivered In Microsoft 365
new: Suspicious Email Delivered In Microsoft 365

---------

Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
2026-04-28 00:33:23 +02:00
Zirbo 8315489a07 Merge PR #5828 from @Zirbo - Update Shell Invocation via Env Command - Linux
update: Shell Invocation via Env Command - Linux - Switch modifier to use contains instead of endswith for better accuracy

---------

Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
2026-04-28 00:31:41 +02:00
Sanskar Phougat 570200b711 Merge PR #5952 from @Sanskar-bot - Update PowerShell Download Via Net.WebClient - PowerShell Classic
update: PowerShell Download Via Net.WebClient - PowerShell Classic - Reduce level to "low" and update metadata

---------

Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com>
2026-04-28 00:30:25 +02:00
Sanskar Phougat 81dce222fd Merge PR #5953 from @Sanskar-bot - Update MITRE Tags for Netcat The Powershell Version
chore: update mitre tags for `Netcat The Powershell Version`

---------

Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com>
2026-04-28 00:29:22 +02:00
Swachchhanda Shrawan Poudel cd26c0a799 Merge PR #5815 from @swachchhanda000 - Update and Add Autologger related rules
new: Windows EventLog Autologger Session Registry Modification Via CommandLine
update: Potential AutoLogger Sessions Tampering - Update the value to an accurate one

---------

Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com>
2026-04-28 00:17:40 +02:00
Swachchhanda Shrawan Poudel ca8e778476 Merge PR #5833 from @swachchhanda000 - Fix Multiple FPs based on VT data
update: Suspicious Creation TXT File in User Desktop - Move to a TH rule
fix: Office Macro File Creation - Exclude office binaries
fix: Suspicious Msiexec Execute Arbitrary DLL - Make the filter more generic due to the amount of FPs.
fix: Script Interpreter Execution From Suspicious Folder - Add filters for chocolatey
fix: Suspicious Script Execution From Temp Folder - Add filter for chocolatey
fix: Office Autorun Keys Modification - Add filters for shortened paths using tilde
fix: Outlook Security Settings Updated - Registry - Exclude the outlook process

---------

Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com>
2026-04-28 00:10:09 +02:00
Swachchhanda Shrawan Poudel 3a0fbc4bfa Merge PR #5837 from @swachchhanda000 - Add Potential Vcruntime140 DLL Sideloading
new: Potential Vcruntime140 DLL Sideloading
2026-04-27 23:55:25 +02:00
Swachchhanda Shrawan Poudel 180991bc81 Merge PR #5827 from @swachchhanda000 - Update Wmic Service Tampering Rules
new: Service Startup Type Change Via Wmic.EXE
update: Service Reconnaissance Via Wmic.EXE - Add filters to exclude legitimate service manipulation cases.

---------

Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com>
2026-04-27 22:43:22 +02:00
Swachchhanda Shrawan Poudel 1a51d53e9f Merge PR #5829 from @swachchhanda000 - Add PUA - Memory Dump Mount Via MemProcFS
new: PUA - Memory Dump Mount Via MemProcFS

---------

Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com>
2026-04-27 22:30:50 +02:00
Swachchhanda Shrawan Poudel ff107c3fe1 Merge PR #5414 from @swachchhanda000 - Add Indirect Command Execution via SFTP ProxyCommand
new: Indirect Command Execution via SFTP ProxyCommand

---------

Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com>
2026-04-27 22:26:12 +02:00
Mostafa Moradian f627ff2270 Merge PR #5964 from @mostafa - Update Okta Rules to use CamelCase fields
update: Okta 2023 Breach Indicator Of Compromise - Update field name to use CamelCase
update: Okta Admin Role Assigned to an User or Group - Update field name to use CamelCase
update: Okta Admin Role Assignment Created - Update field name to use CamelCase
update: Okta API Token Created - Update field name to use CamelCase
update: Okta API Token Revoked - Update field name to use CamelCase
update: Okta Application Modified or Deleted - Update field name to use CamelCase
update: Okta Application Sign-On Policy Modified or Deleted - Update field name to use CamelCase
update: Okta FastPass Phishing Detection - Update field name to use CamelCase
update: Okta Identity Provider Created - Update field name to use CamelCase
update: Okta MFA Reset or Deactivated - Update field name to use CamelCase
update: Okta Network Zone Deactivated or Deleted - Update field name to use CamelCase
update: Okta New Admin Console Behaviours - Update field name to use CamelCase
update: Potential Okta Password in AlternateID Field - Update field name to use CamelCase
update: Okta Policy Modified or Deleted - Update field name to use CamelCase
update: Okta Policy Rule Modified or Deleted - Update field name to use CamelCase
update: Okta Security Threat Detected - Update field name to use CamelCase
update: Okta Suspicious Activity Reported by End-user - Update field name to use CamelCase
update: Okta Unauthorized Access to App - Update field name to use CamelCase
update: Okta User Account Locked Out - Update field name to use CamelCase
update: New Okta User Created - Update field name to use CamelCase
update: Okta User Session Start Via An Anonymising Proxy Service - Update field name to use CamelCase
2026-04-27 21:55:40 +02:00
Swachchhanda Shrawan Poudel cf9759946f Merge PR #5399 from @swachchhanda000 - Update LSA PPL Protection Setting Modification via CommandLine
update: LSA PPL Protection Setting Modification via CommandLine - Add more keys regarding LSA PPL

---------

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com>
2026-04-24 19:48:55 +02:00
Thomas Patzke 5655f590d7 Added VSCode config to .gitignore 2026-04-24 09:00:48 +02:00
Chirag 03412947a2 Merge PR #5922 from @CHIRAG-DAMANI-08 - Hacktool - NetExec Execution
new: HackTool - NetExec File Indicators
new: Hacktool - NetExec Execution

---------

Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2026-04-23 15:02:24 +02:00
HueCodes c801be9f3d Merge PR #5899 from @HueCodes - new: Python Base64 Encoded Inline Command Execution
new: Python Base64 Encoded Inline Command Execution - Windows
new: Python Base64 Encoded Inline Command Execution - Linux

---------

Co-authored-by: Hugh <HueCodes@users.noreply.github.com>
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2026-04-23 14:37:28 +02:00
Swachchhanda Shrawan Poudel fc1cf467f4 Merge PR #5905 from @swachchhanda000 - fix: notepad++ gup infrastructure abuse FPs
fix: Notepad++ Updater DNS Query to Uncommon Domains - filter uncommon domain
fix: Uncommon File Created by Notepad++ Updater Gup.EXE - filter gup legitimate filter
2026-04-21 12:33:55 +02:00
Marco Pedrinazzi c58ee2f7f8 Merge PR #5938 from @marcopedrinazzi - Fix file extension from .yaml to .yml for consistency
chore: changed extension from yaml to yml for certain files
---------

Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com>
2026-04-20 14:44:21 +02:00
Swachchhanda Shrawan Poudel 889b07d952 Merge PR #5943 from @swachchhanda000 - Add regression test count mismatch finder
chore: regression test count mismatch finder
2026-04-20 14:38:44 +02:00
Swachchhanda Shrawan Poudel c3ad686ac4 Merge PR #5935 from @swachchhanda000 - Fix Registry Tampering by Potentially Suspicious Processes
fix: Registry Tampering by Potentially Suspicious Processes - add filter for legitimate wscript.exe registry modifications

---------

Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com>
2026-04-14 14:49:20 +02:00
EzLucky d4d12bdd13 Merge PR #5910 from @EzLucky - Update RTLO Related Rules With Additional Coverage
update: Potential Defense Evasion Via Right-to-Left Override - Add real rtlo char copied/pasted
update: Potential File Extension Spoofing Using Right-to-Left Override - Add real rtlo char copied/pasted

---------

Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
2026-04-01 13:57:31 +02:00
Florian Roth 7fc53c563e Merge PR #5925 from @Neo23x0 - Add filter for nsswitch and double extension in icons folder
fix: Non-Standard Nsswitch.Conf Creation - Potential CVE-2025-32463 Exploitation - Add additional path for nsswitch `/usr/share/factory/etc/nsswitch.conf`
fix: Suspicious Double Extension Files - Add a new filter `/usr/share/icons/`

---------

Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com>
Thanks: @marius-benthin
2026-04-01 13:55:12 +02:00
netikus 7031934d17 Merge PR #5914 from @netikus - Update Potential Privileged System Service Operation - SeLoadDriverPrivilege
fix: Potential Privileged System Service Operation - SeLoadDriverPrivilege - Add new filter for ShellHost.exe and SystemSettings.exe

---------

Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com>
2026-04-01 13:36:52 +02:00
Axel-NTT 3fe2695635 Merge PR #5921 from @Axel-NTT - Update BPFDoor Abnormal Process ID or Lock File Accessed
update: BPFDoor Abnormal Process ID or Lock File Accessed - add new file paths from Rapid7 research to increase coverage
2026-04-01 13:16:52 +02:00
Swachchhanda Shrawan Poudel 4bb5637b23 Merge PR #5923 from @swachchhanda000 - Add litellm Supply Chain Attack Related Rules
new: TeamPCP LiteLLM Supply Chain Attack Persistence Indicators
new: LiteLLM / TeamPCP Supply Chain Attack Indicators

---------

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2026-04-01 13:11:45 +02:00
Florian Roth c6d03adc7b Merge PR #5924 from @Neo23x0 - Fix Security Support Provider (SSP) Added to LSA Configuration
fix: Security Support Provider (SSP) Added to LSA Configuration - Add filter for `null` image field
2026-04-01 12:35:29 +02:00
github-actions[bot] 858b04b66a Merge PR #5926 from @phantinuss - Update ATT&CK Heatmap Coverage
---------

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2026-04-01 12:34:21 +02:00
github-actions[bot] 11f1fa4e2c Merge PR #5927 from @nasbench - Update deprecated csv
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2026-04-01 12:32:09 +02:00
Swachchhanda Shrawan Poudel 71f1120dc6 Merge PR #5928 from @swachchhanda000 - Add Axios NPM Compromise Indicators Related Rules
new: Axios NPM Compromise File Creation Indicators - Linux
new: Axios NPM Compromise File Creation Indicators - MacOS
new: Axios NPM Compromise File Creation Indicators - Windows
new: Axios NPM Compromise Malicious C2 Domain DNS Query
new: Axios NPM Compromise Indicators - Linux
new: Axios NPM Compromise Indicators - MacOS
new: Axios NPM Compromise Indicators - Windows

---------

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
2026-04-01 12:31:31 +02:00
Swachchhanda Shrawan Poudel 2f84ca2f16 Merge PR #5433 from @swachchhanda000 - Add BadSuccessor dMSA Abuse Related Rules
new: msDS-ManagedAccountPrecededByLink Attribute Modified
new: New MsDS-DelegatedManagedServiceAccount (DMSA) Object Created
new: DMSA Service Account Created in Specific OUs - PowerShell
new: DMSA Link Attributes Modified
new: New DMSA Service Account Created in Specific OUs

---------

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2026-03-30 12:27:13 +02:00
Swachchhanda Shrawan Poudel 56a58e1ee6 Merge PR #5772 from @swachchhanda000 - Add Shai-Hulud: The Second Coming Rules
update: Shai-Hulud Malicious GitHub Workflow Creation - Add new entries to the list to increase coverage
new: Shai-Hulud Malware Indicators - Linux
new: Shai-Hulud Malicious Bun Execution - Linux
new: Shai-Hulud 2.0 Malicious NPM Package Installation - Linux
new: Shai-Hulud Malware Indicators - Windows
new: Shai-Hulud Malicious Bun Execution
new: Shai-Hulud 2.0 Malicious NPM Package Installation
new: Script Interpreter Spawning Credential Scanner - Linux
new: Script Interpreter Spawning Credential Scanner - Windows

---------

Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
2026-03-29 14:58:59 +02:00
Swachchhanda Shrawan Poudel a15dbdaa05 Merge PR #5832 from @swachchhanda000 - fix: edr-freeze rules FPs analysed from VT
fix: Suspicious Loading of Dbgcore/Dbghelp DLLs from Uncommon Location - remove troublesome locations commonly used by installers
fix: HackTool - WSASS Execution - update regex to avoid mismatching on legitimate cli
update: WerFaultSecure Loading DbgCore or DbgHelp - EDR-Freeze - change it into hunting rule
2026-03-19 10:26:30 +01:00
phantinuss c2ba39f94b Merge PR #5901 from @phantinuss - bump evtx-baseline version to 0.8.4
chore: bump evtx-baseline version to 0.8.4

---------

Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
2026-03-13 15:04:24 +01:00
Swachchhanda Shrawan Poudel 3c2407864e Merge PR #5857 from @swachchhanda000 - chore: add missing json logs
chore: add missing json logs
2026-03-03 12:01:07 +01:00
github-actions[bot] 37fe8969ae Merge PR #5890 from @nasbench - chore: archive new rule references and update cache file
chore: archive new rule references and update cache file

Co-authored-by: nasbench <nasbench@users.noreply.github.com>
2026-03-02 13:42:54 +01:00
github-actions[bot] 1aae4b0603 Merge PR #5889 from @phantinuss - Update ATT&CK Heatmap Coverage
* chore: update ATT&CK heatmap

---------

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2026-03-02 13:38:30 +01:00
Marco Pedrinazzi b596e1a7d0 Merge PR #5860 from @marcopedrinazzi - Add New Email Forwarding and Hiding Rules
remove: Suspicious PowerShell Mailbox SMTP Forward Rule
new: Mail Forwarding/Redirecting Activity Via ExchangePowerShell Cmdlet
new: Inbox Rules Creation Or Update Activity Via ExchangePowerShell Cmdlet

---------

Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
2026-03-01 04:16:06 +01:00
Marco Pedrinazzi 084204d06a Merge PR #5845 from @marcopedrinazzi - Add System Language Discovery via Reg.Exe
new: System Language Discovery via Reg.Exe

---------

Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com>
2026-03-01 03:55:40 +01:00
Djordje Lukic 5f5e72cff7 Merge PR #5885 from @djlukic - Add New FP Filters
fix: BITS Transfer Job With Uncommon Or Suspicious Remote TLD - Add filter entry for "tscdn.m365.static.microsoft"
fix: CodeIntegrity - Unmet Signing Level Requirements By File Under Validation - Add filter entry for MS office path
fix: Non Interactive PowerShell Process Spawned - Add filter entry for "SenseIR.exe"

---------

Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com>
2026-03-01 03:47:59 +01:00
Marco Pedrinazzi 3fb14d9544 Merge PR #5844 from @marcopedrinazzi - Add Inbox Rules Creation Or Update Activity in O365
new: Inbox Rules Creation Or Update Activity in O365

---------

Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com>
2026-02-28 14:32:33 +01:00
Swachchhanda Shrawan Poudel 41c8116d0e Merge PR #5856 from @swachchhanda000 - Add CPL sideloading and Fsquirt entries
update: Files With System Process Name In Unsuspected Locations - Add fsquirt.exe entry
update: System Control Panel Item Loaded From Uncommon Location - Add entries for bthprops.cpl and hdwwiz.cpl
update: System File Execution Location Anomaly - Add fsquirt.exe entry

---------

Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com>
2026-02-28 14:21:29 +01:00
Kostas 6db81c99bd Merge PR #5716 from @tsale - Add detection rules for abuse of OpenEDR's response feature
new: Potentially Suspicious File Creation by OpenEDR's ITSMService
new: OpenEDR Spawning Command Shell

---------

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com>
2026-02-28 14:12:49 +01:00
Florian Roth 086a362b0f Merge PR #5875 from @Neo23x0 - Fix BloodHound Collection Files
fix: BloodHound Collection Files - Remove entry `_domains.json` due to FP rate.
2026-02-28 14:06:13 +01:00
Swachchhanda Shrawan Poudel dc3880459d Merge PR #5863 from @swachchhanda000 - Add finger.exe to related rules
update: Potential Defense Evasion Via Rename Of Highly Relevant Binaries - add finger.exe
update: System File Execution Location Anomaly - add finger.exe
2026-02-16 12:50:13 +01:00
Swachchhanda Shrawan Poudel 14d11fdda7 Merge PR from @swachchhanda000 - SolarWinds WebHelpDesk RCE Vulnerabilities Exploitation
new: Suspicious Child Process of SolarWinds WebHelpDesk

---------

Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
2026-02-13 07:21:03 +05:45
github-actions[bot] 1df103ce6d Merge PR #5852 from @nasbench - Open Archive New Rule References
chore: archive new rule references and update cache file

---------

Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
2026-02-10 14:48:39 +05:45
github-actions[bot] 02f6d3716d Merge #5851 from @nasbench - Update deprecated csv
chore: update deprecated.csv and deprecated.json

---------

Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
2026-02-10 14:44:07 +05:45
Swachchhanda Shrawan Poudel 76f4a42ebb Merge PR #5854 from @swachchhanda000 - Add Notepad++ Infrastructure Abuse Rules
new: Notepad++ Updater DNS Query to Uncommon Domains
new: Uncommon File Created by Notepad++ Updater Gup.EXE
new: Suspicious Child Process of Notepad++ Updater - GUP.Exe

---------

Co-authored-by: nasbench <nbencher@cisco.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2026-02-04 12:08:03 +01:00
github-actions[bot] fb37712ca7 Merge PR #5850 from @phantinuss - Update ATT&CK Heatmap Coverage
* chore: update ATT&CK heatmap

---------

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2026-02-03 11:33:49 +01:00