Swachchhanda Shrawan Poudel
ced93a8d17
Merge PR #5264 from @swachchhanda000 - Update Potential Binary Impersonating Sysinternals Tools
update: Potential Binary Impersonating Sysinternals Tools - Add list of binaries compiled for Arm64 arch
---------
Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
2025-04-17 00:39:23 +02:00
Nasreddine Bencherchali
3946f672f0
Merge PR #5256 from @nasbench - Update Potential CVE-2023-23397 Exploitation Attempt - SMB
fix: Potential CVE-2023-23397 Exploitation Attempt - SMB - Add filters for IP format when ingesting XML raw event
2025-04-10 15:07:45 +02:00
Florian Roth
c72928b430
Merge PR #5241 from @Neo23x0 - Update Potential CVE-2023-23397 Exploitation Attempt - SMB
fix: Potential CVE-2023-23397 Exploitation Attempt - SMB - Fix the IP block covering EventID 30804 as it does not contain an IP as a field but as a string
---------
Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>
2025-04-07 11:10:52 +02:00
Florian Roth
357838c404
Merge PR #5237 from @Neo23x0 - Update Buffer Overflow Attempts
update: Buffer Overflow Attempts - Enhance and reworked logic with new keywords
2025-04-07 11:08:55 +02:00
Nick Lupien
e874eaf58e
Merge PR #5236 from @nickatrecon - Update AWS New Lambda Layer Attached
update: AWS New Lambda Layer Attached - Enhance metadata and logic
---------
Thanks: imall4n
Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>
2025-04-07 11:07:50 +02:00
Swachchhanda Shrawan Poudel
fa27f1bc54
Merge PR #5224 from @swachchhanda000 - Fix Multiple FPs
update: Elevated System Shell Spawned - Add `powershell_ise`
fix: Potential Binary Or Script Dropper Via PowerShell - Add filter for `C:\Windows\SystemTemp\`
fix: Python Initiated Connection - Enhance python filter
fix: Conhost Spawned By Uncommon Parent Process - Add filter for `'-k wusvcs -p -s WaaSMedicSvc`
update: Elevated System Shell Spawned From Uncommon Parent Location - Add `powershell_ise`
fix: Potential WinAPI Calls Via CommandLine - Add new filter for `CompatTelRunner`
fix: Windows Processes Suspicious Parent Directory - Add new filter for empty parent
fix: Whoami.EXE Execution Anomaly - Add new filter for empty parent
---------
Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>
2025-04-07 11:05:53 +02:00
frack113
166af991c0
Merge PR #4886 from @frack113 - Add Potential Unconstrained Delegation Discovery Via Get-ADComputer - ScriptBlock
new: Potential Unconstrained Delegation Discovery Via Get-ADComputer - ScriptBlock
---------
Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>
2025-04-07 11:02:17 +02:00
Derek Armstrong
78a78c79ff
Merge PR #5229 from @dsplice - Update Potential APT FIN7 Exploitation Activity
update: Potential APT FIN7 Exploitation Activity - Add false positive description
2025-03-16 03:19:44 +01:00
Gude5
eda06d1a3b
Merge PR #5227 from @Gude5 - Fix small typos in deprecated rules
fix: Indirect Command Exectuion via Forfiles - wrong keyword
fix: PowerShell Execution - wrong date format
2025-03-16 03:09:53 +01:00
github-actions[bot]
4a3cb8b774
Merge PR #5230 from @nasbench - Archive new rule references and update cache file
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
2025-03-16 03:08:28 +01:00
frack113
3ce034bb20
Merge PR #4858 from @frack113 - Add summary csv file, workflow and generation script for deprecated rules
chore: add summary csv file, workflow and generation script for deprecated rules
---------
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com>
2025-03-05 00:59:36 +01:00
Milad Cheraghi
a719612ab8
Merge PR #5098 from @CheraghiMilad - Update Service Reload or Start - Linux
update: Service Reload or Start - Linux - Add additional flags and binaries used to change service status
---------
Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>
2025-03-05 00:50:23 +01:00
DFIR-Detection
13b9a509d4
Merge PR #5198 from @DFIR-Detection - Add Notepad Password Files Discovery
new: Notepad Password Files Discovery
---------
Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>
2025-03-05 00:24:11 +01:00
github-actions[bot]
64852d95a9
Merge PR #5216 from @nasbench - Promote older rules status from experimental to test
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
2025-03-05 00:23:27 +01:00
github-actions[bot]
2b421e3fd7
Merge PR #5217 from @nasbench - Archive new rule references and update cache file
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
2025-03-05 00:23:03 +01:00
Swachchhanda Shrawan Poudel
f4d86e8f37
Merge PR #5204 from @swachchhanda000 - Update Malicious PowerShell Scripts and Cmdlets Rules
update: Malicious PowerShell Scripts - FileCreation - Add `Veeam-Get-Creds.ps1`
update: Malicious PowerShell Scripts - PoshModule - Add `Veeam-Get-Creds.ps1`
update: Malicious PowerShell Commandlets - PoshModule - Add `Veeam-Get-Creds`
update: Malicious PowerShell Commandlets - ProcessCreation - Add `Veeam-Get-Creds`
2025-03-05 00:21:08 +01:00
Swachchhanda Shrawan Poudel
f784916130
Merge PR #5207 from @swachchhanda000 - Updated Anydesk related rules
update: Anydesk Remote Access Software Service Installation - Enhance coverage by accounting for the `AnyDesk MSI` Service
update: Suspicious Binary Writes Via AnyDesk - Add `AnyDeskMSI.exe`
update: Remote Access Tool - AnyDesk Incoming Connection - Add `AnyDeskMSI.exe`
update: Remote Access Tool - Anydesk Execution From Suspicious Folder - Add `AnyDeskMSI.exe`
update: Remote Access Tool - AnyDesk Execution - Add `AnyDeskMSI.exe`
2025-03-05 00:19:19 +01:00
Hannes Widéen
54496e2e0d
Merge PR #5211 from @HannesWid - Update Nslookup PowerShell Download Cradle
update: Nslookup PowerShell Download Cradle - Add additional coverage with `-type=txt http`
2025-03-05 00:17:38 +01:00
signalblur
a61484efb6
Merge PR #5214 from @signalblur - Add HTTP Request to Low Reputation TLD or Suspicious File Extension
new: HTTP Request to Low Reputation TLD or Suspicious File Extension
---------
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>
2025-03-05 00:13:45 +01:00
Florian Roth
5711c8a2f4
Merge PR #5215 from @Neo23x0 - Fix typo in falsepositives section
chore: fix typo in falsepositive section
2025-02-28 15:49:36 +01:00
Swachchhanda Shrawan Poudel
f3de589d08
Merge PR #5202 from @swachchhanda000 - Added coverage rundll32 ordinal obfuscation attempts.
update: Potential Obfuscated Ordinal Call Via Rundll32 - Add additional obfuscation methods
update: Process Memory Dump Via Comsvcs.DLL - Add additional obfuscation methods
---------
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com>
2025-02-25 22:32:55 +01:00
Carrie Roberts
f3e5d51f7b
Merge PR #5210 from @clr2of8 - Update Attack Nav layer Version,Title and Color
chore: Update the ATT&CK Nav layer version to avoid warnings and upgrade prompts when loaded into the navigator. Give the layer a representative title and adjust the color scheme used to be more meaningful.
2025-02-24 18:44:38 +01:00
frack113
9bbd096e47
Merge PR #5201 from @frack113 - Update MITRE ATT&CK Heatmap
chore: update MITRE heatmap
Thanks: clr2of8
2025-02-24 13:01:36 +01:00
Isaac Fernandes
3fb1894a79
Merge PR #5136 from @Eyezuhk - Add Potential CVE-2024-35250 Exploitation Activity
new: Potential CVE-2024-35250 Exploitation Activity
---------
Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
2025-02-24 12:58:40 +01:00
Mohamed Ashraf
7f83008e9e
Merge PR #5173 from @X-Junior - New rule additions and some fixes
new: Clfs.SYS Loaded By Process Located In a Potential Suspicious Location
fix: Python Initiated Connection - Add filter for `pip install`
fix: Python Inline Command Execution - Add filter for whl package installations
---------
Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>
2025-02-22 23:57:41 +01:00
frack113
c779fc5424
Merge PR #5200 from @frack113 - Fix typo in selection name
chore: fix selection name
2025-02-22 23:47:24 +01:00
Koifman
de0c3f3a83
Merge PR #5182 from @Koifman - Update Windows Event Log Access Tampering Via Registry
update: Windows Event Log Access Tampering Via Registry - Increase coverage by removing log markers
---------
Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>
2025-02-17 12:49:00 +01:00
Mohamed Ashraf
41bef8eed5
Merge PR #5189 from @X-Junior - Add Potentially Suspicious WDAC Policy File Creation
new: Potentially Suspicious WDAC Policy File Creation
---------
Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>
2025-02-17 12:46:16 +01:00
Arda Büyükkaya
0a34bc4d50
Merge PR #5192 from @whichbuffer - Add Kalambur Backdoor Curl TOR SOCKS Proxy Execution
new: Kalambur Backdoor Curl TOR SOCKS Proxy Execution
---------
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>
2025-02-17 12:33:20 +01:00
Swachchhanda Shrawan Poudel
1de2b1c30f
Merge PR #5186 from @swachchhanda000 - Increase coverage of AADinternals rules
update: AADInternals PowerShell Cmdlets Execution - PsScript - Add additional strings from the AADinternals framework
update: AADInternals PowerShell Cmdlets Execution - ProccessCreation - Add additional strings from the AADinternals framework
2025-02-17 12:11:55 +01:00
Swachchhanda Shrawan Poudel
0d25ad1855
Merge PR #5184 from @swachchhanda000 - Add PUA - NimScan Execution
new: PUA - NimScan Execution
2025-02-17 12:07:45 +01:00
github-actions[bot]
c0aa75845b
Merge PR #5194 from @nasbench - Archive new rule references and update cache file
chore: archive new rule references and update cache file
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
2025-02-17 12:04:58 +01:00
Mohamed Ashraf
75b51c76b5
Merge PR #5195 from @X-Junior - Fix Schtasks Creation Or Modification With SYSTEM Privileges
fix: Schtasks Creation Or Modification With SYSTEM Privileges - Add new filter of office scheduled task
2025-02-17 12:04:28 +01:00
github-actions[bot]
2bfb0935a0
Merge PR #5177 from @nasbench - promote older rules status from experimental to test
chore: promote older rules status from `experimental` to `test`
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
r2025-02-03
2025-02-03 18:23:12 +01:00
github-actions[bot]
1d8c84387f
Merge PR #5178 from @nasbench - Archive new rule references and update cache file
chore: archive new rule references and update cache file
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
2025-02-03 18:22:38 +01:00
GtUGtHGtNDtEUaE
da7a8305f1
Merge PR #5176 from @GtUGtHGtNDtEUaE - Update rules covering EventID 4660
remove: Windows Defender Exclusion Deleted
fix: WCE wceaux.dll Access - Remove EventIDs `4658` and `4660` as they both do not contain the `ObjectName` field
2025-01-31 18:08:59 +01:00
Mohamed Ashraf
3724456d62
Merge PR #5162 from @X-Junior - Add Windows Event Log Access Tampering Via Registry
new: Windows Event Log Access Tampering Via Registry
---------
Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
2025-01-30 21:31:26 +01:00
frack113
62f6d27977
Merge PR #5169 from @frack113 - Add missing detection.emerging-threats tags
chore: add missing `detection.emerging-threats` tags
2025-01-30 21:30:17 +01:00
Djordje Lukic
92989a4f74
Merge PR #5167 from @djlukic - Fix multiple false positives found in the wild
fix: Failed Code Integrity Checks - Add filters for `CrowdStrike`.
fix: Renamed Powershell Under Powershell Channel - Add edge case filters for double backslashes PowerShell invocation.
---------
Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>
2025-01-30 21:15:39 +01:00
Kostas
56203e5241
Merge PR #5174 from @tsale - Add Suspicious Binaries and Scripts in Public Folder
new: Suspicious Binaries and Scripts in Public Folder
---------
Co-authored-by: Detections <Detections@thedfirreport.com>
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>
2025-01-30 21:13:42 +01:00
frack113
a99b163c93
Merge PR #5166 from @frack113 - Fix Privileged User Has Been Created
fix: Privileged User Has Been Created - Add missing comma to avoid false positives
2025-01-22 22:30:58 +01:00
Josh Brower
48d5c5064c
Merge PR #5168 from @defensivedepth - Prepend algo to hash values
fix: HackTool - Dumpert Process Dumper Execution - prepend MD5 to hash value
fix: Forest Blizzard APT - Process Creation Activity - prepend SHA256 to hash value
fix: ManageEngine Endpoint Central Dctask64.EXE Potential Abuse - prepend IMPHASH to hash value
fix: Renamed ZOHO Dctask64 Execution - prepend IMPHASH to hash value
2025-01-22 22:29:33 +01:00
Renan LAVAREC
fb27bee6d8
Merge PR #5152 from @Ti-R - Fix Potentially Suspicious Volume Shadow Copy Vsstrace.dll Load
fix: Potentially Suspicious Volume Shadow Copy Vsstrace.dll Load - Add exclusion filter `C:\ProgramData\Package Cache\{` to account for cases like the execution of `vcredist`
---------
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>
2025-01-19 22:02:29 +01:00
Josh
083eb54e30
Merge PR #5157 from @joshnck - Add Azure Login Bypassing Conditional Access Policies
new: Azure Login Bypassing Conditional Access Policies
---------
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>
2025-01-19 22:00:59 +01:00
Florian Roth
06a5d08508
Merge PR #5163 from @Neo23x0 - Add/Update Rsync Linux Rules
update: Shell Execution via Rsync - Linux - Rework logic to make it more generic and include additional shells.
new: Suspicious Invocation of Shell via Rsync
---------
Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>
2025-01-19 21:55:40 +01:00
github-actions[bot]
f3a3392bd2
Merge PR #5161 from @nasbench - Archive new rule references and update cache file
chore: archive new rule references and update cache file
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
2025-01-19 21:43:16 +01:00
Florian Roth
961753afb0
Merge PR #5164 from @Neo23x0 - Update Exploit Framework User Agent
update: Exploit Framework User Agent - Add default Havoc C2 UA
2025-01-19 21:42:40 +01:00
Florian Roth
b162730502
Merge PR #5159 from @Neo23x0 - Fix Potential CVE-2023-36874 Exploitation - Fake Wermgr.Exe Creation
fix: Potential CVE-2023-36874 Exploitation - Fake Wermgr.Exe Creation - Add filter for `\Windows\SoftwareDistribution\Download\`
2025-01-15 12:25:00 +01:00
samuelmonsempessenthorus
fad4742996
Merge PR #5155 from @samuelmonsempessenthorus - Add CVE-2024-49113 Exploitation Attempt - LDAP Nightmare
new: CVE-2024-49113 Exploitation Attempt - LDAP Nightmare
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2025-01-08 23:16:36 +01:00
Burak Karaduman
bd2a4c37ef
Merge PR #5153 from @krdmnbrk - Add AttackRuleMap to README.md
chore: add `AttackRuleMap` project to README.md
2025-01-07 19:00:37 +01:00