security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions 3 Packages Projects Releases Wiki Activity
16,551 Commits 1 Branch 57 Tags
d2dcc579e8f905aa3e255ec2e2a3dcac7f94dca6
Commit Graph

12824 Commits

Author SHA1 Message Date
david-syk d2dcc579e8 Merge PR #5631 from @ david-syk - remove trailing slash 
update: RestrictedAdminMode Registry Value Tampering - ProcCreation - remove trailing slash

---------

Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com>
 2025-09-22 12:15:35 +02:00
Swachchhanda Shrawan Poudel fe015f3c24 Merge PR #5635 from @swachchhanda000 - velociraptor abusing vscode tunneling 
new: Suspicious Velociraptor Child Process
update: Visual Studio Code Tunnel Execution - remove optional flag '--name'
update: Renamed Visual Studio Code Tunnel Execution - remove optional flag '--name'
 2025-09-22 12:13:07 +02:00
M1ra1B0T c250aec299 Merge PR #5644 from @M1ra1B0T - Update Provider Name for Kerberos based rules 
update: Certificate Use With No Strong Mapping - Update Provider Name
update: KDC RC4-HMAC Downgrade CVE-2022-37966 - Update Provider Name
update: No Suitable Encryption Key Found For Generating Kerberos Ticket - Update Provider Name

---------

Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>
 2025-09-22 11:50:48 +02:00
Swachchhanda Shrawan Poudel 6c26cf1be9 Merge PR #5639 from @swachchhanda000 - Fix some more fps found in prod 
fix: Potential Persistence Via Notepad++ Plugins - add filter for notepad++ installers
fix: New Service Creation Using Sc.EXE - add filter for dropbox
fix: Potential PsExec Remote Execution - add filter for localhost
fix: Potential Defense Evasion Via Raw Disk Access By Uncommon Tools - add filter for mpDefenderCoreService and SysWow64
 2025-09-22 11:46:48 +02:00
github-actions[bot] 8062eadcc5 Merge PR #5637 from @nasbench - Promote older rules status from experimental to test 
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
 2025-09-22 11:41:37 +02:00
phantinuss fe5e698723 Merge PR #5630 from @phantinuss - Revert "chore: improve windash order in modifiers" 
chore: this reverts commit 8a2e4c16b9.
 2025-08-28 20:11:57 +02:00
phantinuss 8a2e4c16b9 Merge PR #5628 from @phantinuss - chore: improve windash order in modifiers 
chore: improve windash order in modifiers
 2025-08-26 11:46:36 +02:00
Swachchhanda Shrawan Poudel eeca352f5f Merge PR #5544 from @swachchhanda000 - Add Potential JLI.dll Side-Loading 
new: Potential JLI.dll Side-Loading

---------

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
Co-authored-by: nasbench <nasreddineb@splunk.com>
 2025-08-14 15:14:51 +02:00
phantinuss 4f4f468c4a Merge PR #5557 from @phantinuss - Bump pySigma-validators-sigmahq to 0.10 
chore: bump pySigma-validators-sigmahq to 0.10
 2025-08-14 14:29:11 +02:00
Koifman 631a23d33c Merge PR #5569 from @Koifman - Add Windows Recovery Environment Disabled Via Reagentc 
new: Windows Recovery Environment Disabled Via Reagentc

---------

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
Co-authored-by: nasbench <nasreddineb@splunk.com>
 2025-08-14 14:27:53 +02:00
Florian Roth 2c8a4d1e3c Merge PR #5583 from @Neo23x0 - Fix Windows Binaries Write Suspicious Extensions 
fix: Windows Binaries Write Suspicious Extensions - Add filter for PowerShell files created by svchost in the Clipchamp folder.
 2025-08-14 14:09:46 +02:00
Liran Ravich c71512aa86 Merge PR #5579 from @Liran017 - Update MITRE ATT&CK tags for multiple rules 
chore: update MITRE ATT&CK tags for multiple rules
 2025-08-14 14:08:21 +02:00
github-actions[bot] e8fed8709c Merge PR #5572 from @nasbench - Promote older rules status from experimental to test 
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
 2025-08-14 14:05:46 +02:00
Mohamed Ashraf c48c992f70 Update registry_set_disable_windows_event_log_access.yml 2025-08-06 11:20:57 +03:00
Mohamed Ashraf (X__Junior) 5d17770949 Update registry_set_disable_windows_event_log_access.yml 2025-08-06 10:48:53 +03:00
Koifman 73444cac35 Merge PR #5568 from @Koifman - Password Never Expires Set via WMI 
new: Password Never Expires Set via WMI
---------

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
 2025-07-31 12:28:06 +02:00
Liran Ravich 4965c257d1 Merge PR #5559 from @Liran017 - update MITRE tag 
update: Network Connection Initiated To Mega.nz - MITRE tag
 2025-07-30 14:30:55 +02:00
Liran Ravich 578ae3026f Merge PR #5558 from @Liran017 - update MITRE tag 
update: Suspicious Dropbox API Usage - MITRE tags
 2025-07-30 14:30:04 +02:00
Liran Ravich bf633a8ea6 Merge PR #5561 from @Liran017 - update MITRE tag 
update: Network Connection Initiated To Visual Studio Code Tunnels Domain - MITRE tags
---------

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
 2025-07-30 13:17:17 +02:00
Liran Ravich 6fb5b3f932 Merge PR #5562 from @Liran017 - update MITRE tag 
update: Network Connection Initiated To BTunnels Domains - MITRE tags
 2025-07-30 13:11:29 +02:00
Liran Ravich f354697969 Merge PR #5563 from @Liran017 - update MITRE tag 
update: Network Connection Initiated To Cloudflared Tunnels Domains - MITRE tags
 2025-07-30 13:08:43 +02:00
Liran Ravich bf0431724c Merge PR #5565 from @Liran017 - title fix and update MITRE tag 
fix: Process Initiated Network Connection To Ngrok Domain - fix title and update MITRE tags
---------

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
 2025-07-30 13:06:56 +02:00
Liran Ravich d1cc2814da Merge PR #5564 from @Liran017 - update MITRE tag 
update: Network Connection Initiated To DevTunnels Domain - MITRE tags
 2025-07-30 13:05:31 +02:00
Liran Ravich 141304527f Merge PR #5566 from @Liran017 - update MITRE tag 
update: Suspicious Non-Browser Network Communication With Telegram API - MITRE tag
 2025-07-30 12:59:41 +02:00
Swachchhanda Shrawan Poudel f54972108f Merge PR #5538 from @swachchhanda000 - feat: potential spear-phishing through svg files 
new: Suspicious File Created in Outlook Temporary Directory
remove: .RDP File Created by Outlook Process - deprecate in favour of fabb0e80-030c-4e3e-a104-d09676991ac3
update: Suspicious Double Extension Files - add .svg extension
---------

Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
 2025-07-29 10:30:55 +02:00
Swachchhanda Shrawan Poudel 7a6c451d6d Merge PR #5543 from @ swachchhanda000 - update toolshell related rules 
update: Potential SharePoint ToolShell CVE-2025-53770 Exploitation - File Create - update rule with new IOCs
new: Suspicious File Write to SharePoint Layouts Directory

---------

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
 2025-07-28 14:22:06 +02:00
Swachchhanda Shrawan Poudel 1e41c5378e Merge PR #5534 from @swachchhanda000 - update PowerShell WebRequest rules 
remove: PowerShell Web Download - deprecate duplicate rule in favour of 9fc51a3c-81b3-4fa7-b35f-7c02cf10fd2d
update: PowerShell Script With File Upload Capabilities - add invoke-restmethod cmdlet
update: Change User Agents with WebRequest - add invoke-restmethod cmdlet
update: Usage Of Web Request Commands And Cmdlets - add invoke-restmethod cmdlet
update: Usage Of Web Request Commands And Cmdlets - ScriptBlock - add invoke-restmethod cmdlet
update: Potential DLL File Download Via PowerShell Invoke-WebRequest - add invoke-restmethod cmdlet
update: PowerShell Download and Execution Cradles - add invoke-restmethod cmdlet
update: Suspicious Invoke-WebRequest Execution With DirectIP - add invoke-restmethod cmdlet
update: Suspicious Invoke-WebRequest Execution - add powershell_ise
update: Potential Data Exfiltration Activity Via CommandLine Tools - add invoke-restmethod cmdlet
update: Obfuscated IP Download Activity - add invoke-restmethod cmdlet
update: Suspicious PowerShell In Registry Run Keys - add invoke-restmethod cmdlet

---------

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
 2025-07-28 13:32:57 +02:00
Matt Anderson af492dc0f6 Merge PR #5528 from @MATTANDERS0N - add rules for defense evasion 
new: PowerShell Defender Default Threat Action Set to 'Allow' or 'NoAction'
new: Windows Defender Context Menu Removed via Reg.exe
new: Disabling Windows Defender WMI Autologger Session via Reg.exe
new: Delete Defender Scan ShellEx Context Menu Registry Key
new: Windows Defender Default Threat Action Modified

---------

Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
 2025-07-28 13:25:23 +02:00
peterydzynski c7998c92b3 Merge PR #5530 from @peterydzynski - fix: use correct dash type and add spaces 
fix: Added Credentials to Existing Application - fix filter dash type, capitalization and spaces to match Azure log format

---------

Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>
 2025-07-18 10:51:11 +02:00
Renan LAVAREC 06086ea91e Merge PR #5521 from @Ti-R - also filter SignatureStatus 'valid' 
update: Unsigned DLL Loaded by Windows Utility - also filter SignatureStatus 'valid'

---------

Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com>
 2025-07-16 13:44:42 +02:00
Swachchhanda Shrawan Poudel 80879020da Merge PR #5524 from @swachchhanda000 - add 7za to Renamed 7-Zip Execution 
update: Potential Defense Evasion Via Binary Rename - add 7za
 2025-07-16 13:34:33 +02:00
Swachchhanda Shrawan Poudel b7f52495c6 Merge PR #5520 from @swachchhanda000 - Fix Logic in some rules that were causing FPs and FNs 
fix: Transferring Files with Credential Data via Network Shares - Made the string matching little more specific to avoid FPs
fix: Removal of Potential COM Hijacking Registry Keys - Added Msedge update filter
fix: COM Hijacking via TreatAs - Add filter for integrator.exe
fix: Suspicious Volume Shadow Copy VSS_PS.dll Load - add vssadmin filter
update: System File Execution Location Anomaly - add taskhostw

---------

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
 2025-07-14 12:04:39 +02:00
Arnim Rupp 3f3b1540a0 Merge PR #5518 from @ruppde - new rule and updates for ADExplorer 
new: ADExplorer Writing Complete AD Snapshot Into .dat File
update: Active Directory Database Snapshot Via ADExplorer - add more selections
update: Suspicious Active Directory Database Snapshot Via ADExplorer - add more selections

---------

Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
 2025-07-14 12:02:18 +02:00
Rory dc017f694a Merge PR #5146 from @resp404nse - Potential SSH Tunnel Persistence Install Using A Scheduled Task 
new: Potential SSH Tunnel Persistence Install Using A Scheduled Task
---------

Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
 2025-07-14 11:14:40 +02:00
Swachchhanda Shrawan Poudel a55bc212ad Merge PR #5492 from @swachchhanda000 - Kerberos Coercion Via DNS SPN Spoofing
Create Release / Create Release (push) Has been cancelled
Details 
new: Suspicious DNS Query Indicating Kerberos Coercion via DNS Object SPN Spoofing - Network
new: Potential Kerberos Coercion by Spoofing SPNs via DNS Manipulation
new: Suspicious DNS Query Indicating Kerberos Coercion via DNS Object SPN Spoofing
new: Attempts of Kerberos Coercion Via DNS SPN Spoofing
 2025-07-08 11:35:45 +02:00
Swachchhanda Shrawan Poudel 3201382785 Merge PR #5513 from @swachchhanda000 - fix FPs observed via Aurora 
fix: Suspicious Sysmon as Execution Parent - add filter for Sysmon binary running from temp dir
fix: Remote Thread Created In Shell Application - modify the logic to filter out legit processes creating remote thread in shell apps
fix: Potential Active Directory Reconnaissance/Enumeration Via LDAP - commenting out troublesome LDAP query parameter
fix: Rare Remote Thread Creation By Uncommon Source Image - add several FP filter
fix: Remote Thread Creation By Uncommon Source Image - add several FP filter
fix: ADS Zone.Identifier Deleted By Uncommon Application - filter msedge
fix: Remote Thread Creation In Uncommon Target Image - add FP filters for notepad and sethc
fix: Potential Binary Or Script Dropper Via PowerShell - add filters for legitimate binary dropped by PowerShell
fix: Use Short Name Path in Command Line - add filter for aurora
fix: Suspicious Userinit Child Process - filter null Image
fix: CurrentVersion NT Autorun Keys Modification - add filter for RuntimeBroker.exe
fix: Modification of IE Registry Settings - add filter for RuntimeBroker.exe
fix: Scheduled TaskCache Change by Uncommon Program - add filter for RuntimeBroker.exe
---------

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
 2025-07-08 10:29:01 +02:00
Alfie Champion 75d03ebfb9 Merge PR #5514 from @ajpc500 - Add Filefix TypedPaths Registry rule 
new: FileFix - Command Evidence in TypedPaths from Browser File Upload Abuse

---------

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
 2025-07-08 10:09:51 +02:00
Mohamed Ashraf fa9c495aa2 Merge PR #5515 from @X-Junior - coverage for Invoke-PowerDPAPI 
update: Malicious PowerShell Commandlets - ScriptBlock - add Invoke-PowerDPAPI
update: Malicious PowerShell Scripts - FileCreation - add Invoke-PowerDPAPI
update: Malicious PowerShell Scripts - PoshModule - add Invoke-PowerDPAPI
update: Malicious PowerShell Commandlets - ProcessCreation - add Invoke-PowerDPAPI
update: Malicious PowerShell Commandlets - PoshModule - add Invoke-PowerDPAPI
 2025-07-07 12:19:55 +02:00
GrepItAll f8b17bff8c Merge PR #5512 from @GrepItAll - fix: use the correct PreAuthType selection field name 
fix: Potential AS-REP Roasting via Kerberos TGT Requests - use the correct PreAuthType selection field name

---------

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
 2025-07-07 10:25:39 +02:00
Grégory Wychowaniec 0597250ee1 Merge PR #5511 from @gregorywychowaniec-zt - add null condition in addition to empty string 
update: Suspicious SignIns From A Non Registered Device - add null value in addition to empty string
---------

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
 2025-07-03 11:58:57 +02:00
David Faiß 0e33642058 Merge PR #5478 from @kivi280 - add rule to detect vshadow.exe with -exec parameter 
new: Proxy Execution via Vshadow - detect invocation of `vshadow.exe` with `-exec` to spot hidden malware execution

---------

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
 2025-07-03 11:57:48 +02:00
Swachchhanda Shrawan Poudel 2845e845ee Merge PR #5509 from @swachchhanda000 - Doppelganger Cloning and Dumping LSASS 
new: HackTool - Doppelanger LSASS Dumper Execution
new: HackTool - HollowReaper Execution

---------

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
 2025-07-03 11:55:58 +02:00
Swachchhanda Shrawan Poudel 7a81b073e0 Merge PR #5181 from @swachchhanda000 - update SSH proxy execution rule 
update: Program Executed Using Proxy/Local Command Via SSH.EXE - add Imphash and OriginalFileName

---------

Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
 2025-07-03 09:40:29 +02:00
Mohamed Ashraf e597e13d6c Merge PR #5508 by @X-Junior - add CLSIDs to COM Object Hijacking 
update : COM Object Hijacking Via Modification Of Default System CLSID Default Value - add CLSIDs
 2025-07-01 11:47:23 +02:00
github-actions[bot] 4316ad64da Merge PR #5506 from @nasbench -promote older rules status from experimental to test 
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
 2025-07-01 10:34:38 +02:00
Alfie Champion 8d18ec7df0 Merge PR #5503 from @ajpc500 - include cmd.exe child process 
update: FileFix - Suspicious Child Process from Browser File Upload Abuse - add cmd.exe child process
---------

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
 2025-07-01 10:21:27 +02:00
Mathieu c11a785973 Merge PR #5501 from @0xFustang - FileFix - Suspicious Sub-processes Spawned by Web Browsers 
new: FileFix - Suspicious Child Process from Browser File Upload Abuse

---------

Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
 2025-06-27 12:40:44 +02:00
hashdr1ft 8fd6a5167d Merge PR #5489 from @hashdr1ft - Suspicious Download and Execute Pattern via Curl/Wget 
new: Suspicious Download and Execute Pattern via Curl/Wget

---------

Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
 2025-06-25 12:48:57 +02:00
vx3r b12a3fcbd6 Merge PR #5466 from @vx3r - PowerShell MSI Install via WindowsInstaller COM From Remote Location 
new: PowerShell MSI Install via WindowsInstaller COM From Remote Location
---------

Co-authored-by: Meroujan.Antonyan <meroujan.antonyan.external@axa.com>
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
 2025-06-25 11:44:02 +02:00
wieso-itzi 0304ffbbd6 Merge PR #5050 from @wieso-itzi - detect vacuuming of journald for log clearing 
update: Commands to Clear or Remove the Syslog - detect journald vacuuming
---------

Signed-off-by: wieso-itzi <85185077+wieso-itzi@users.noreply.github.com>
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
 2025-06-24 13:29:27 +02:00