security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
16,397 Commits 1 Branch 57 Tags
ced93a8d170e80984da789df820e07104f2df9bf
Commit Graph

5007 Commits

Author SHA1 Message Date
Swachchhanda Shrawan Poudel ced93a8d17 Merge PR #5264 from @swachchhanda000 - Update Potential Binary Impersonating Sysinternals Tools 
update: Potential Binary Impersonating Sysinternals Tools - Add list of binaries compiled for Arm64 arch added
---------

Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
 2025-04-17 00:39:23 +02:00
Swachchhanda Shrawan Poudel fa27f1bc54 Merge PR #5224 from @swachchhanda000 - Fix Multiple FPs 
update: Elevated System Shell Spawned - Add `powershell_ise`
fix: Potential Binary Or Script Dropper Via PowerShell - Add filter for `C:\Windows\SystemTemp\`
fix: Python Initiated Connection - Enhance python filter
fix: Conhost Spawned By Uncommon Parent Process - Add filter for `'-k wusvcs -p -s WaaSMedicSvc`
update: Elevated System Shell Spawned From Uncommon Parent Location - Add `powershell_ise`
fix: Potential WinAPI Calls Via CommandLine - Add new filter for `CompatTelRunner`
fix: Windows Processes Suspicious Parent Directory - Add new filter for empty parent
fix: Whoami.EXE Execution Anomaly - Add new filter for empty parent
---------

Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>
 2025-04-07 11:05:53 +02:00
DFIR-Detection 13b9a509d4 Merge PR #5198 from @DFIR-Detection - Add Notepad Password Files Discovery 
new: Notepad Password Files Discovery

---------

Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>
 2025-03-05 00:24:11 +01:00
github-actions[bot] 64852d95a9 Merge PR #5216 from @nasbench - Promote older rules status from experimental to test 
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
 2025-03-05 00:23:27 +01:00
Swachchhanda Shrawan Poudel f4d86e8f37 Merge PR #5204 from @swachchhanda000 - Update Malicious PowerShell Scripts and Cmdlets Rules 
update: Malicious PowerShell Scripts - FileCreation - Add `Veeam-Get-Creds.ps1`
update: Malicious PowerShell Scripts - PoshModule - Add `Veeam-Get-Creds.ps1`
update: Malicious PowerShell Commandlets - PoshModule - Add `Veeam-Get-Creds`
update: Malicious PowerShell Commandlets - ProcessCreation - Add `Veeam-Get-Creds`
 2025-03-05 00:21:08 +01:00
Swachchhanda Shrawan Poudel f784916130 Merge PR #5207 from @swachchhanda000 - Updated Anydesk related rules 
update: Anydesk Remote Access Software Service Installation - Enhance coverage by accounting for the `AnyDesk MSI` Service
update: Suspicious Binary Writes Via AnyDesk - Add `AnyDeskMSI.exe`
update: Remote Access Tool - AnyDesk Incoming Connection - Add `AnyDeskMSI.exe`
update: Remote Access Tool - Anydesk Execution From Suspicious Folder - Add `AnyDeskMSI.exe`
update: Remote Access Tool - AnyDesk Execution - Add `AnyDeskMSI.exe`
 2025-03-05 00:19:19 +01:00
Swachchhanda Shrawan Poudel f3de589d08 Merge PR #5202 from @swachchhanda000 - Added coverage rundll32 ordinal obfuscation attempts. 
update: Potential Obfuscated Ordinal Call Via Rundll32 - Add additional obfuscation methods
update: Process Memory Dump Via Comsvcs.DLL - Add additional obfuscation methods
---------

Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com>
 2025-02-25 22:32:55 +01:00
Mohamed Ashraf 7f83008e9e Merge PR #5173 from @X-Junior - New rule additions and some fixes 
new: Clfs.SYS Loaded By Process Located In a Potential Suspicious Location
fix: Python Initiated Connection - Add filter for `pip install`
fix: Python Inline Command Execution - Add filter for whl package installations
---------

Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>
 2025-02-22 23:57:41 +01:00
Swachchhanda Shrawan Poudel 1de2b1c30f Merge PR #5186 from @swachchhanda000 - Increase coverage of AADinternals rules 
update: AADInternals PowerShell Cmdlets Execution - PsScript - Add additional strings from the AADinternals framework
update: AADInternals PowerShell Cmdlets Execution - ProccessCreation - Add additional strings from the AADinternals framework
 2025-02-17 12:11:55 +01:00
Swachchhanda Shrawan Poudel 0d25ad1855 Merge PR #5184 from @swachchhanda000 - Add PUA - NimScan Execution 
new: PUA - NimScan Execution
 2025-02-17 12:07:45 +01:00
Mohamed Ashraf 75b51c76b5 Merge PR #5195 from @X-Junior - Fix Schtasks Creation Or Modification With SYSTEM Privileges 
fix: Schtasks Creation Or Modification With SYSTEM Privileges - Add new filter of office scheduled task
 2025-02-17 12:04:28 +01:00
github-actions[bot] 2bfb0935a0 Merge PR #5177 from @nasbench - promote older rules status from experimental to test
Create Release / Create Release (push) Has been cancelled
Details 
chore: promote older rules status from `experimental` to `test`

Co-authored-by: nasbench <nasbench@users.noreply.github.com>
 2025-02-03 18:23:12 +01:00
Josh Brower 48d5c5064c Merge PR #5168 from @defensivedepth - Prepend algo to hash values 
fix: HackTool - Dumpert Process Dumper Execution - prepend MD5 to hash value
fix: Forest Blizzard APT - Process Creation Activity - prepend SHA256 to hash value
fix: ManageEngine Endpoint Central Dctask64.EXE Potential Abuse - prepend IMPHASH to hash value
fix: Renamed ZOHO Dctask64 Execution - prepend IMPASH to hash value
 2025-01-22 22:29:33 +01:00
github-actions[bot] 8734022722 Merge PR #5149 from @nasbench - Promote older rules status from experimental to test 
chore: promote older rules status from experimental to test

Co-authored-by: nasbench <nasbench@users.noreply.github.com>
 2025-01-06 15:36:19 +01:00
Daniel Koifman 7c830458e7 Merge PR #5138 from @DanielKoifman - Update Suspicious Windows Service Tampering 
update: Suspicious Windows Service Tampering - Add additional services
 2024-12-27 16:29:04 +01:00
z00t 8e8b86aab9 Merge PR #5095 from @faisalusuf - Add new rules related to QuickAssist usage 
new: QuickAssist Execution
new: DNS Query Request By QuickAssist.EXE
---------

Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>
 2024-12-19 18:07:19 +01:00
Florian Roth 17dcad456f Merge PR #5116 from @Neo23x0 - Add rules and updates related to Cleo exploitation 
new: CVE-2024-50623 Exploitation Attempt - Cleo
update: Webshell Detection With Command Line Keywords - Add suspicious powershell commandline keywords
---------

Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>
 2024-12-14 22:44:55 +02:00
Matthew Green 2a0c9b5550 Merge PR #5107 from @mgreen27 - Update Potential Defense Evasion Via Rename Of Highly Relevant Binaries 
update: Potential Defense Evasion Via Rename Of Highly Relevant Binaries - Add ie4uinit.exe and msxsl.exe to old binary rename rule
 2024-12-03 22:14:54 +01:00
Nasreddine Bencherchali 6048be5a7a Merge PR #5106 from @nasbench - Add SID version of integrity levels 
chore: add SID version of IntegrityLevel
fix: Suspicious Process By Web Server Process - Fix typo in "ntdsutil" process name
 2024-12-01 23:29:17 +01:00
frack113 6e71f6ad5e Merge PR #5046 from @frack113 - Add Setup16.EXE Execution With Custom .Lst File 
new: Setup16.EXE Execution With Custom .Lst File

---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
 2024-12-01 17:35:53 +01:00
Swachchhanda Shrawan Poudel f39c9acbc4 Merge PR #5082 from @swachchhanda000 - Add Suspicious ShellExec_RunDLL Call Via Ordinal 
new: Suspicious ShellExec_RunDLL Call Via Ordinal 

---------

Co-authored-by: Swachchhanda Shrawan Poudel <logpoint-admin@NP-SSP-MBP-02.local>
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
 2024-12-01 17:32:36 +01:00
github-actions[bot] 9367349016 Merge PR #5101 from @nasbench - Promote older rules status from experimental to test 
chore: promote older rules status from experimental to test

Co-authored-by: nasbench <nasbench@users.noreply.github.com>
 2024-12-01 13:40:32 +01:00
frack113 d804e9cba1 Merge PR #5088 from @frack113 - Remove custom dedicated hash fields from sigmac 
update: GALLIUM IOCs - remove custom dedicated hash fields
update: Malicious DLL Load By Compromised 3CXDesktopApp - remove custom dedicated hash fields
update: Potential Compromised 3CXDesktopApp Execution - remove custom dedicated hash fields
update: HackTool Named File Stream Created - remove custom dedicated hash fields
update: PUA - Process Hacker Driver Load - remove custom dedicated hash fields
update: PUA - System Informer Driver Load - remove custom dedicated hash fields
update: Vulnerable HackSys Extreme Vulnerable Driver Load - remove custom dedicated hash fields
update: Vulnerable WinRing0 Driver Load - remove custom dedicated hash fields
update: WinDivert Driver Load - remove custom dedicated hash fields
update: HackTool - SharpEvtMute DLL Load - remove custom dedicated hash fields
update: HackTool - CoercedPotato Execution - remove custom dedicated hash fields
update: HackTool - CreateMiniDump Execution - remove custom dedicated hash fields
update: Hacktool Execution - Imphash - remove custom dedicated hash fields
update: HackTool - GMER Rootkit Detector and Remover Execution - remove custom dedicated hash fields
update: HackTool - HandleKatz LSASS Dumper Execution - remove custom dedicated hash fields
update: HackTool - Impersonate Execution - remove custom dedicated hash fields
update: HackTool - LocalPotato Execution - remove custom dedicated hash fields
update: HackTool - PCHunter Execution - remove custom dedicated hash fields
update: HackTool - PPID Spoofing SelectMyParent Tool Execution - remove custom dedicated hash fields
update: HackTool - Stracciatella Execution - remove custom dedicated hash fields
update: HackTool - SysmonEOP Execution - remove custom dedicated hash fields
update: HackTool - UACMe Akagi Execution - remove custom dedicated hash fields
update: HackTool - Windows Credential Editor (WCE) Execution - remove custom dedicated hash fields
update: MpiExec Lolbin - remove custom dedicated hash fields
update: PUA - Fast Reverse Proxy (FRP) Execution - remove custom dedicated hash fields
update: PUA- IOX Tunneling Tool Execution - remove custom dedicated hash fields
update: PUA - Nimgrab Execution - remove custom dedicated hash fields
update: PUA - NPS Tunneling Tool Execution - remove custom dedicated hash fields
update: PUA - Process Hacker Execution - remove custom dedicated hash fields
update: PUA - System Informer Execution - remove custom dedicated hash fields
update: Remote Access Tool - NetSupport Execution From Unusual Location - remove custom dedicated hash fields
update: Renamed AdFind Execution - remove custom dedicated hash fields
update: Renamed AutoIt Execution - remove custom dedicated hash fields
update: Renamed NetSupport RAT Execution - remove custom dedicated hash fields
update: Renamed PAExec Execution - remove custom dedicated hash fields
update: Potential SquiblyTwo Technique Execution - remove custom dedicated hash fields

---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
 2024-11-25 09:30:14 +01:00
Gameel Ali 5aa899415b Merge PR #5075 from @MalGamy12 - Update Potentially Suspicious Cabinet File Expansion 
update: Potentially Suspicious Cabinet File Expansion - Add new paths for built-in shares 

---------

Co-authored-by: nasbench <nasreddineb@splunk.com>
 2024-11-17 23:46:53 +01:00
Florian Roth 5d1cf4b9de Merge PR #5076 from @Neo23x0 - Fix Suspicious SYSTEM User Process Creation 
fix: Suspicious SYSTEM User Process Creation - filter false positives with Google Updater uninstall script
 2024-11-13 23:21:16 +01:00
github-actions[bot] f533350560 Merge PR #5065 from @nasbench - Promote older rules status from experimental to test 
chore: promote older rules status from `experimental` to `test`

Co-authored-by: nasbench <nasbench@users.noreply.github.com>
 2024-11-01 10:21:04 +01:00
Gameel Ali ad8ab49d45 Merge PR #5060 from @MalGamy12 - Update Schedule Task Creation From Env Variable Or Potentially Suspicious Path Via Schtasks.EXE 
Update: Schedule Task Creation From Env Variable Or Potentially Suspicious Path Via Schtasks.EXE - Add additional paths for `:\Users\All Users\` and `:\Users\Default\` 

---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
 2024-10-28 12:25:02 +01:00
Mohamed Ashraf 7e4748ec0e feat: update multiple rules (#5055) 
* Update multiple rules

* updates

---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
 2024-10-25 16:32:03 +02:00
Sittikorn S 86989a0464 Merge PR #5008 from @BlackB0lt - Update HackTool - Certipy Execution 
update: HackTool - Certipy Execution - Increase coverage by adding new flags such as 'cert', 'template' and 'ptt' 

---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
 2024-10-08 22:37:23 +02:00
Feathers 5b59c6d115 Merge PR #5012 from @ionsor - Update Potentially Suspicious JWT Token Search Via CLI 
update: Potentially Suspicious JWT Token Search Via CLI - added the `eyJhbGciOi` string, corresponding to `{"alg":` from the JWT token header. 

---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
 2024-10-06 23:03:54 +02:00
github-actions[bot] 08c52c367c Merge PR #5027 from @nasbench - Promote older rules status from experimental to test 
chore: promote older rules status from experimental to test

Co-authored-by: nasbench <nasbench@users.noreply.github.com>
 2024-10-01 14:56:09 +02:00
Kostas 014d169f83 Merge PR #5020 from @tsale - Add Remote Access Tool - MeshAgent Command Execution via MeshCentral 
new: Remote Access Tool - MeshAgent Command Execution via MeshCentral 

---------

Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
 2024-09-22 19:26:02 +02:00
Fukusuke Takahashi 132482818e Merge PR #5007 from @fukusuket - Fix unreachable GitHub URL references 
chore: CVE-2021-1675 Print Spooler Exploitation Filename Pattern - Fix unreachable GitHub URL references
chore: HackTool - DInjector PowerShell Cradle Execution - Fix unreachable GitHub URL references
chore: InstallerFileTakeOver LPE CVE-2021-41379 File Create Event - Fix unreachable GitHub URL references
chore: LPE InstallerFileTakeOver PoC CVE-2021-41379  - Fix unreachable GitHub URL references
chore: Malicious PowerShell Scripts - FileCreation - Fix unreachable GitHub URL references
chore: Malicious PowerShell Scripts - PoshModule - Fix unreachable GitHub URL references
chore: Possible CVE-2021-1675 Print Spooler Exploitation - Fix unreachable GitHub URL references
chore: Potential NT API Stub Patching - Fix unreachable GitHub URL references
chore: Potential PrintNightmare Exploitation Attempt - Fix unreachable GitHub URL references
chore: Potential RDP Exploit CVE-2019-0708 - Fix unreachable GitHub URL references
chore: Potential SAM Database Dump - Fix unreachable GitHub URL references
chore: Scanner PoC for CVE-2019-0708 RDP RCE Vuln - Fix unreachable GitHub URL references
chore: Suspicious Rejected SMB Guest Logon From IP - Fix unreachable GitHub URL references
chore: Windows Spooler Service Suspicious Binary Load - Fix unreachable GitHub URL references
 2024-09-13 11:14:11 +02:00
secDre4mer ab2fb36426 Merge PR #5002 from @secDre4mer - Update Potential CommandLine Obfuscation Using Unicode Characters rules 
update: Potential CommandLine Obfuscation Using Unicode Characters From Suspicious Image - Add coverage for `0x00A0`
update: Potential CommandLine Obfuscation Using Unicode Characters - Add coverage for `0x00A0` 

---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
 2024-09-06 11:42:04 +02:00
Michael Haag b724a7f59d Merge PR #4997 from @MHaggis - Add rules related to PowerShell Web Access 
new: PowerShell Web Access Feature Enabled Via DISM
new: PowerShell Web Access Installation - PsScript 

---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
 2024-09-03 22:17:47 +02:00
Nasreddine Bencherchali b86a494f55 Merge PR #4993 from @nasbench - Fix Issues 
new: Potential CommandLine Obfuscation Using Unicode Characters From Suspicious Image - A detection replacement for `e0552b19-5a83-4222-b141-b36184bb8d79`
remove: OMIGOD SCX RunAsProvider ExecuteShellCommand - Auditd - Moved to "unsupported" folder, due to the need of correlation.
remove: Potential Persistence Via COM Search Order Hijacking - Moved to "deprecated" in favour of `790317c0-0a36-4a6a-a105-6e576bf99a14`.
update: Potential CommandLine Obfuscation Using Unicode Characters - Moved to "threat-hunting" due to the nature FPs
update: Potential Remote WMI ActiveScriptEventConsumers Activity - Moved to "threat-hunting" as its meant as an enrichment rule.
 2024-09-02 19:03:46 +02:00
github-actions[bot] 839f5636f5 Merge PR #4991 from @nasbench - Promote older rules status from experimental to test 
chore: promote older rules status from `experimental` to `test`

Co-authored-by: nasbench <nasbench@users.noreply.github.com>
 2024-09-02 10:01:36 +02:00
Kostas 2851ef5d16 Merge PR #4961 from @tsale - Add multiples rules and updates 
fix: Potential Privilege Escalation via Local Kerberos Relay over LDAP - Add new exclusion
fix: Sdiagnhost Calling Suspicious Child Process - Add new filters
new: Antivirus Filter Driver Disallowed On Dev Drive - Registry
new: ChromeLoader Malware Execution
new: Emotet Loader Execution Via .LNK File
new: Exploitation Attempt Of CVE-2020-1472 - Execution of ZeroLogon PoC
new: FakeUpdates/SocGholish Activity
new: File Explorer Folder Opened Using Explorer Folder Shortcut Via Shell
new: HackTool - SharpWSUS/WSUSpendu Execution
new: HackTool - SOAPHound Execution
new: Hiding User Account Via SpecialAccounts Registry Key - CommandLine
new: Injected Browser Process Spawning Rundll32 - GuLoader Activity
new: Kerberoasting Activity - Initial Query
new: Manual Execution of Script Inside of a Compressed File
new: Obfuscated PowerShell OneLiner Execution
new: OneNote.EXE Execution of Malicious Embedded Scripts
new: Potential CVE-2021-44228 Exploitation Attempt - VMware Horizon
new: Potential CVE-2022-22954 Exploitation Attempt - VMware Workspace ONE Access Remote Code Execution
new: Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 1
new: Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 2
new: Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 3
new: Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 4
new: Potential MOVEit Transfer CVE-2023-34362 Exploitation - Dynamic Compilation Via Csc.EXE
new: Python Function Execution Security Warning Disabled In Excel
new: Python Function Execution Security Warning Disabled In Excel - Registry
new: Raspberry Robin Initial Execution From External Drive
new: Raspberry Robin Subsequent Execution of Commands
new: Remote Access Tool - Action1 Arbitrary Code Execution and Remote Sessions
new: Remote Access Tool - Ammy Admin Agent Execution
new: Remote Access Tool - Cmd.EXE Execution via AnyViewer
new: Serpent Backdoor Payload Execution Via Scheduled Task
new: Uncommon Connection to Active Directory Web Services
new: Ursnif Redirection Of Discovery Commands
update: Potential CVE-2022-29072 Exploitation Attempt - Add additional shells and flags 
---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
 2024-08-29 19:21:47 +02:00
Nasreddine Bencherchali 4cd51a3dd5 Merge PR #4937 from @nasbench - Multiple updates and fixes 
fix: Bad Opsec Defaults Sacrificial Processes With Improper Arguments - Exclude additional edge cases
fix: Relevant Anti-Virus Signature Keywords In Application Log - Exclude common keywords found in legitimate programs
fix: Suspicious Child Process Of Wermgr.EXE - Add new exclusions
fix: Uncommon Sigverif.EXE Child Process - Exclude werfault.exe
fix: Wusa.EXE Executed By Parent Process Located In Suspicious Location - Exclude ".msu" files
fix: Xwizard.EXE Execution From Non-Default Location - Exclude "WinSxS"
update: Cab File Extraction Via Wusa.EXE - Move to TH folder
update: COM Object Execution via Xwizard.EXE - Update logic
update: Potential DLL Injection Via AccCheckConsole - Enhance coverage and logic
update: Potential DLL Sideloading Activity Via ExtExport.EXE - Metadata and logic update
update: Potentially Suspicious EventLog Recon Activity Using Log Query Utilities - Increase coverage
update: Process Memory Dump via RdrLeakDiag.EXE - Enhance coverage
 2024-08-29 14:43:32 +02:00
Mohamed Ashraf 5c4f599e3a Merge PR #4982 from @X-Junior - Update scheduled task related rules 
update: Suspicious Windows Service Tampering - Add additional services and PsService.EXE
update: Disable Important Scheduled Task - Add `\Windows\ExploitGuard\ExploitGuard MDM policy Refresh` 

---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
 2024-08-26 10:20:57 +02:00
Omar A. 9b3c363cd0 Merge PR #4954 from @omaramin17 - Update multiple rules with additional sharing domains 
update: BITS Transfer Job Download From File Sharing Domains - Add additional domains, `*.trycloudflare.com`, `*.pages.dev`, `*.w3spaces.com` and `*.workers.dev`
update: Network Communication Initiated To File Sharing Domains From Process Located In Suspicious Folder - Add additional domains, `*.trycloudflare.com`, `*.pages.dev`, `*.w3spaces.com` and `*.workers.dev`
update: Network Connection Initiated From Process Located In Potentially Suspicious Or Uncommon Location - Add additional domains, `*.trycloudflare.com`, `*.pages.dev`, `*.w3spaces.com` and `*.workers.dev`
update: New Connection Initiated To Potential Dead Drop Resolver Domain - Add additional domains, `*.trycloudflare.com`, `*.pages.dev`, `*.w3spaces.com` and `*.workers.dev`
update: Potentially Suspicious File Download From File Sharing Domain Via PowerShell.EXE - Add additional domains, `*.trycloudflare.com`, `*.pages.dev`, `*.w3spaces.com` and `*.workers.dev`
update: Suspicious Download From File-Sharing Website Via Bitsadmin - Add additional domains, `*.trycloudflare.com`, `*.pages.dev`, `*.w3spaces.com` and `*.workers.dev`
update: Suspicious File Download From File Sharing Domain Via Curl.EXE - Add additional domains, `*.trycloudflare.com`, `*.pages.dev`, `*.w3spaces.com` and `*.workers.dev`
update: Suspicious File Download From File Sharing Domain Via Wget.EXE - Add additional domains, `*.trycloudflare.com`, `*.pages.dev`, `*.w3spaces.com` and `*.workers.dev`
update: Suspicious File Download From File Sharing Websites -  File Stream - Add additional domains, `*.trycloudflare.com`, `*.pages.dev`, `*.w3spaces.com` and `*.workers.dev`
update: Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE - Add additional domains, `*.trycloudflare.com`, `*.pages.dev`, `*.w3spaces.com` and `*.workers.dev`
update: Suspicious Remote AppX Package Locations - Add additional domains, `*.trycloudflare.com`, `*.pages.dev`, `*.w3spaces.com` and `*.workers.dev`
update: Unusual File Download From File Sharing Websites - File Stream - Add additional domains, `*.trycloudflare.com`, `*.pages.dev`, `*.w3spaces.com` and `*.workers.dev`

--------- 

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
 2024-08-23 11:16:06 +02:00
Omar A. 0504f18f6b Merge PR #4948 from @omaramin17 - Add Data Export From MSSQL Table Via BCP.EXE 
new: Data Export From MSSQL Table Via BCP.EXE
 
---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
Thanks: @Mahir-Ali-khan
 2024-08-20 14:26:12 +02:00
Kostas 7e93682e0d Merge PR #4974 from @tsale - Add Potentially Suspicious Rundll32.EXE Execution of UDL File 
new: Potentially Suspicious Rundll32.EXE Execution of UDL File 

---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
 2024-08-16 21:16:56 +02:00
frack113 adff65f9aa Merge PR #4973 from @frack113 - Fix date format for some rules along with a broken logsource field 
chore: update date format for some rules
fix: HackTool - LaZagne Execution - Fix incorrect logsource
 2024-08-16 12:37:51 +02:00
Nasreddine Bencherchali 598d29f811 Merge PR #4950 from @nasbench - Comply With v2 Spec Changes 
chore: change tags, date, modified fields to comply with v2 of the Sigma spec.
chore: update the related type from `obsoletes` to `obsolete`.
chore: update local json schema to the latest version.
 2024-08-12 12:02:50 +02:00
Fukusuke Takahashi c8a376179b Merge PR #4964 from @fukusuket - Fix rules to not use Lookahead regex 
fix: Powershell Token Obfuscation - Powershell - Changed to not use Lookahead regex
fix: Powershell Token Obfuscation - Process Creation - Changed to not use Lookahead regex 

---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
 2024-08-11 11:54:46 +02:00
peterydzynski ace902b68f Merge PR #4957 from @peterydzynski - Update regex for Powershell Token Obfuscation rules 
update: Powershell Token Obfuscation - Process Creation - Optimized used regex
update: Powershell Token Obfuscation - Powershell - Optimized used regex
chore: Fixed SigmaHQ conventions broken links
 2024-08-10 13:26:42 +02:00
Fukusuke Takahashi dbba992bc3 Merge PR #4960 from @fukusuket - Update unreachable/broken references 
chore: Unix Shell Configuration Modification - Update unreachable/broken references
chore: JNDIExploit Pattern - Update unreachable/broken references
chore: Load Of RstrtMgr.DLL By A Suspicious Process - Update unreachable/broken references
chore: Load Of RstrtMgr.DLL By An Uncommon Process - Update unreachable/broken references
chore: Potential appverifUI.DLL Sideloading - Update unreachable/broken references
chore: Potential Dead Drop Resolvers - Update unreachable/broken references
chore: HackTool - SecurityXploded Execution - Update unreachable/broken references
chore: Suspicious Processes Spawned by Java.EXE - Update unreachable/broken references
chore: Shell Process Spawned by Java.EXE - Update unreachable/broken references
chore: New Firewall Rule Added Via Netsh.EXE - Update unreachable/broken references
chore: PUA - AdvancedRun Execution - Update unreachable/broken references
chore: PUA - AdvancedRun Suspicious Execution - Update unreachable/broken references
chore: PUA - NSudo Execution - Update unreachable/broken references
chore: Windows Processes Suspicious Parent Directory - Update unreachable/broken references
chore: Suspect Svchost Activity - Update unreachable/broken references
chore: Whoami.EXE Execution From Privileged Process - Update unreachable/broken references
chore: Turla PNG Dropper Service - Update unreachable/broken references
chore: Exploiting SetupComplete.cmd CVE-2019-1378 - Update unreachable/broken references
chore: Log4j RCE CVE-2021-44228 Generic - Update unreachable/broken references
chore: Log4j RCE CVE-2021-44228 in Fields - Update unreachable/broken references
chore: .Class Extension URI Ending Request - Update unreachable/broken references
chore: DLL Call by Ordinal Via Rundll32.EXE - Update unreachable/broken references
 2024-08-10 12:52:28 +02:00
Fukusuke Takahashi 8ff9cd8d20 Merge PR #4958 from @fukusuket - Update unreachable/broken references 
chore: Credential Dumping Tools Accessing LSASS Memory
chore: Potential MFA Bypass Using Legacy Client Authentication
chore: Possible DC Shadow Attack
chore: Potential Privileged System Service Operation - SeLoadDriverPrivilege
chore: Remote Thread Creation In Uncommon Target Image
chore: RDP File Creation From Suspicious Application
chore: Suspicious PROCEXP152.sys File Created In TMP
chore: Outbound Network Connection Initiated By Microsoft Dialer
chore: NTFS Alternate Data Stream
chore: PowerShell Get-Process LSASS in ScriptBlock
chore: Windows Firewall Profile Disabled
chore: Potentially Suspicious GrantedAccess Flags On LSASS
chore: HackTool - PCHunter Execution
chore: Mstsc.EXE Execution With Local RDP File
chore: Suspicious Mstsc.EXE Execution With Local RDP File
chore: Mstsc.EXE Execution From Uncommon Parent
chore: PowerShell Get-Process LSASS
chore: LSASS Access From Program In Potentially Suspicious Folder
chore: Uncommon GrantedAccess Flags On LSASS 

---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
Thanks: @fukusuket
 2024-08-10 01:23:58 +02:00
Josh 8254c4f36d Merge PR #4955 from @joshnck - Fix agentexecutor.exe related rules 
fix: AgentExecutor PowerShell Execution - Exclude `Microsoft.Management.Services.IntuneWindowsAgent.exe`
fix: Suspicious AgentExecutor PowerShell Execution - Exclude `Microsoft.Management.Services.IntuneWindowsAgent.exe` 

---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
 2024-08-07 16:01:47 +02:00