d4d12bdd13
Merge PR #5910 from @EzLucky - Update RTLO Related Rules With Additional Coverage
...
update: Potential Defense Evasion Via Right-to-Left Override - Add real rtlo char copied/pasted
update: Potential File Extension Spoofing Using Right-to-Left Override - Add real rtlo char copied/pasted
---------
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com >
2026-04-01 13:57:31 +02:00
7fc53c563e
Merge PR #5925 from @Neo23x0 - Add filter for nsswitch and double extension in icons folder
...
fix: Non-Standard Nsswitch.Conf Creation - Potential CVE-2025-32463 Exploitation - Add additional path for nsswitch `/usr/share/factory/etc/nsswitch.conf`
fix: Suspicious Double Extension Files - Add a new filter `/usr/share/icons/`
---------
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com >
Thanks: @marius-benthin
2026-04-01 13:55:12 +02:00
7031934d17
Merge PR #5914 from @netikus - Update Potential Privileged System Service Operation - SeLoadDriverPrivilege
...
fix: Potential Privileged System Service Operation - SeLoadDriverPrivilege - Add new filter for ShellHost.exe and SystemSettings.exe
---------
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com >
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com >
2026-04-01 13:36:52 +02:00
3fe2695635
Merge PR #5921 from @Axel-NTT - Update BPFDoor Abnormal Process ID or Lock File Accessed
...
update: BPFDoor Abnormal Process ID or Lock File Accessed - add new file paths from Rapid7 research to increase coverage
2026-04-01 13:16:52 +02:00
4bb5637b23
Merge PR #5923 from @swachchhanda000 - Add litellm Supply Chain Attack Related Rules
...
new: TeamPCP LiteLLM Supply Chain Attack Persistence Indicators
new: LiteLLM / TeamPCP Supply Chain Attack Indicators
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com >
2026-04-01 13:11:45 +02:00
c6d03adc7b
Merge PR #5924 from @Neo23x0 - Fix Security Support Provider (SSP) Added to LSA Configuration
...
fix: Security Support Provider (SSP) Added to LSA Configuration - Add filter for `null` image field
2026-04-01 12:35:29 +02:00
858b04b66a
Merge PR #5926 from @phantinuss - Update ATT&CK Heatmap Coverage
...
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com >
2026-04-01 12:34:21 +02:00
11f1fa4e2c
Merge PR #5927 from @nasbench - Update deprecated csv
...
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com >
2026-04-01 12:32:09 +02:00
71f1120dc6
Merge PR #5928 from @swachchhanda000 - Add Axios NPM Compromise Indicators Related Rules
...
new: Axios NPM Compromise File Creation Indicators - Linux
new: Axios NPM Compromise File Creation Indicators - MacOS
new: Axios NPM Compromise File Creation Indicators - Windows
new: Axios NPM Compromise Malicious C2 Domain DNS Query
new: Axios NPM Compromise Indicators - Linux
new: Axios NPM Compromise Indicators - MacOS
new: Axios NPM Compromise Indicators - Windows
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com >
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com >
2026-04-01 12:31:31 +02:00
2f84ca2f16
Merge PR #5433 from @swachchhanda000 - Add BadSuccessor dMSA Abuse Related Rules
...
new: msDS-ManagedAccountPrecededByLink Attribute Modified
new: New MsDS-DelegatedManagedServiceAccount (DMSA) Object Created
new: DMSA Service Account Created in Specific OUs - PowerShell
new: DMSA Link Attributes Modified
new: New DMSA Service Account Created in Specific OUs
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com >
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com >
2026-03-30 12:27:13 +02:00
56a58e1ee6
Merge PR #5772 from @swachchhanda000 - Add Shai-Hulud: The Second Coming Rules
...
update: Shai-Hulud Malicious GitHub Workflow Creation - Add new entries to the list to increase coverage
new: Shai-Hulud Malware Indicators - Linux
new: Shai-Hulud Malicious Bun Execution - Linux
new: Shai-Hulud 2.0 Malicious NPM Package Installation - Linux
new: Shai-Hulud Malware Indicators - Windows
new: Shai-Hulud Malicious Bun Execution
new: Shai-Hulud 2.0 Malicious NPM Package Installation
new: Script Interpreter Spawning Credential Scanner - Linux
new: Script Interpreter Spawning Credential Scanner - Windows
---------
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com >
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com >
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com >
2026-03-29 14:58:59 +02:00
a15dbdaa05
Merge PR #5832 from @swachchhanda000 - fix: edr-freeze rules FPs analysed from VT
...
fix: Suspicious Loading of Dbgcore/Dbghelp DLLs from Uncommon Location - remove troublesome locations commonly used by installers
fix: HackTool - WSASS Execution - update regex to avoid mismatching on legitimate cli
update: WerFaultSecure Loading DbgCore or DbgHelp - EDR-Freeze - change it into hunting rule
2026-03-19 10:26:30 +01:00
c2ba39f94b
Merge PR #5901 from @phantinuss - bump evtx-baseline version to 0.8.4
...
chore: bump evtx-baseline version to 0.8.4
---------
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com >
2026-03-13 15:04:24 +01:00
3c2407864e
Merge PR #5857 from @swachchhanda000 - chore: add missing json logs
...
chore: add missing json logs
2026-03-03 12:01:07 +01:00
37fe8969ae
Merge PR #5890 from @nasbench - chore: archive new rule references and update cache file
...
chore: archive new rule references and update cache file
Co-authored-by: nasbench <nasbench@users.noreply.github.com >
2026-03-02 13:42:54 +01:00
1aae4b0603
Merge PR #5889 from @phantinuss - Update ATT&CK Heatmap Coverage
...
* chore: update ATT&CK heatmap
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com >
2026-03-02 13:38:30 +01:00
b596e1a7d0
Merge PR #5860 from @marcopedrinazzi - Add New Email Forwarding and Hiding Rules
...
remove: Suspicious PowerShell Mailbox SMTP Forward Rule
new: Mail Forwarding/Redirecting Activity Via ExchangePowerShell Cmdlet
new: Inbox Rules Creation Or Update Activity Via ExchangePowerShell Cmdlet
---------
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com >
2026-03-01 04:16:06 +01:00
084204d06a
Merge PR #5845 from @marcopedrinazzi - Add System Language Discovery via Reg.Exe
...
new: System Language Discovery via Reg.Exe
---------
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com >
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com >
2026-03-01 03:55:40 +01:00
5f5e72cff7
Merge PR #5885 from @djlukic - Add New FP Filters
...
fix: BITS Transfer Job With Uncommon Or Suspicious Remote TLD - Add filter entry for "tscdn.m365.static.microsoft"
fix: CodeIntegrity - Unmet Signing Level Requirements By File Under Validation - Add filter entry for MS office path
fix: Non Interactive PowerShell Process Spawned - Add filter entry for "SenseIR.exe"
---------
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com >
2026-03-01 03:47:59 +01:00
3fb14d9544
Merge PR #5844 from @marcopedrinazzi - Add Inbox Rules Creation Or Update Activity in O365
...
new: Inbox Rules Creation Or Update Activity in O365
---------
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com >
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com >
2026-02-28 14:32:33 +01:00
41c8116d0e
Merge PR #5856 from @swachchhanda000 - Add CPL sideloading and Fsquirt entries
...
update: Files With System Process Name In Unsuspected Locations - Add fsquirt.exe entry
update: System Control Panel Item Loaded From Uncommon Location - Add entries for bthprops.cpl and hdwwiz.cpl
update: System File Execution Location Anomaly - Add fsquirt.exe entry
---------
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com >
2026-02-28 14:21:29 +01:00
6db81c99bd
Merge PR #5716 from @tsale - Add detection rules for abuse of OpenEDR's response feature
...
new: Potentially Suspicious File Creation by OpenEDR's ITSMService
new: OpenEDR Spawning Command Shell
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com >
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com >
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com >
2026-02-28 14:12:49 +01:00
086a362b0f
Merge PR #5875 from @Neo23x0 - Fix BloodHound Collection Files
...
fix: BloodHound Collection Files - Remove entry `_domains.json` due to FP rate.
2026-02-28 14:06:13 +01:00
dc3880459d
Merge PR #5863 from @swachchhanda000 - Add finger.exe to related rules
...
update: Potential Defense Evasion Via Rename Of Highly Relevant Binaries - add finger.exe
update: System File Execution Location Anomaly - add finger.exe
2026-02-16 12:50:13 +01:00
14d11fdda7
Merge PR from @swachchhanda000 - SolarWinds WebHelpDesk RCE Vulnerabilites Exploitation
...
new: Suspicious Child Process of SolarWinds WebHelpDesk
---------
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com >
2026-02-13 07:21:03 +05:45
1df103ce6d
Merge PR #5852 from @nasbench - Open Archive New Rule References
...
chore: archive new rule references and update cache file
-----
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com >
2026-02-10 14:48:39 +05:45
02f6d3716d
Merge #5851 from @nasbench - Update deprecated csv
...
chore: update deprecated.csv and deprecated.json
------
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com >
2026-02-10 14:44:07 +05:45
76f4a42ebb
Merge PR #5854 from @swachchhanda000 - Add Notepad++ Infrastructure Abuse Rules
...
new: Notepad++ Updater DNS Query to Uncommon Domains
new: Uncommon File Created by Notepad++ Updater Gup.EXE
new: Suspicious Child Process of Notepad++ Updater - GUP.Exe
---------
Co-authored-by: nasbench <nbencher@cisco.com >
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com >
2026-02-04 12:08:03 +01:00
fb37712ca7
Merge PR #5850 from @phantinuss - Update ATT&CK Heatmap Coverage
...
* chore: update ATT&CK heatmap
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com >
2026-02-03 11:33:49 +01:00
478120e7d2
Merge PR #5814 from @swachchhanda000 - Add New Credential Guard Tampering Rules
...
Goodlog Tests / check-baseline-win7 (push) Waiting to run
Goodlog Tests / check-baseline-win10 (push) Waiting to run
Goodlog Tests / check-baseline-win11 (push) Waiting to run
Goodlog Tests / check-baseline-win11-2023 (push) Waiting to run
Goodlog Tests / check-baseline-win2022 (push) Waiting to run
Goodlog Tests / check-baseline-win2022-domain-controller (push) Waiting to run
Goodlog Tests / check-baseline-win2022-0-20348-azure (push) Waiting to run
Regression Tests / true-positive-tests (push) Waiting to run
Create Release / Create Release (push) Waiting to run
Sigma Rule Tests / yamllint (push) Waiting to run
Sigma Rule Tests / test-sigma-logsource (push) Blocked by required conditions
Sigma Rule Tests / test-sigma-legacy (push) Blocked by required conditions
Sigma Rule Tests / sigma-check (push) Blocked by required conditions
Sigma Rule Tests / duplicate-id-check (push) Blocked by required conditions
Validate Sigma rules / sigma-rules-validator (push) Waiting to run
new: Windows Credential Guard Registry Tampering Via CommandLine
new: Windows Credential Guard Related Registry Value Deleted - Registry
new: Windows Credential Guard Disabled - Registry
---------
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com >
2026-01-29 12:52:08 +01:00
c6a32d96cf
Merge PR #5813 from @swachchhanda000 - Add New AMSI Tampering Rules
...
new: Windows AMSI Related Registry Tampering Via CommandLine
new: AMSI Disabled via Registry Modification
---------
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com >
2026-01-29 12:38:48 +01:00
2022e3b420
Merge PR #5802 from @swachchhanda000 - Update Bitsadmin Rules With Regresstion Data
...
new: Legitimate Application Writing Files In Uncommon Location
update: Suspicious Download From File-Sharing Website Via Bitsadmin - add github URL
update: File Download Via Bitsadmin To A Suspicious Target Folder - add more susp locations
remove: File Download Via Bitsadmin To An Uncommon Target Folder - deprecate in favor of 2ddef153-167b-4e89-86b6-757a9e65dcac
chore: add regression tests for bitsadmin related rules
---------
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com >
2026-01-29 12:37:55 +01:00
e77233ab2f
Merge PR #5824 from @swachchhanda000 - Update User Shell Folders Registry Modification Rules
...
update: Direct Autorun Keys Modification - remove User Shell Folder registry modification
new: User Shell Folders Registry Modification via CommandLine
update: Modify User Shell Folders Startup Value - add new registry path, also add filtering of legit paths
2026-01-29 12:23:46 +01:00
a4ddc7a414
Merge PR #5842 from @swachchhanda000 - chore: update thor.yml with missing file_change category
...
chore: update thor.yml with missing file_change category
2026-01-29 09:25:27 +01:00
3d8c650ba2
Merge PR #5811 from @swachchhanda000 - Add New Vulnerable Driver Blocklist and HVCI Tampering Based Rules
...
new: Hypervisor-protected Code Integrity (HVCI) Related Registry Tampering Via CommandLine
new: Vulnerable Driver Blocklist Registry Tampering Via CommandLine
new: Windows Vulnerable Driver Blocklist Disabled
---------
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com >
2026-01-26 23:53:42 +01:00
092b852af3
Merge PR #5767 from @vl43den - Add Cmd Launched with Hidden Start Flags to Suspicious Targets
...
new: Cmd Launched with Hidden Start Flags to Suspicious Targets
---------
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com >
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com >
2026-01-26 20:02:52 +01:00
d5188c36a1
Merge PR #5487 from @swachchhanda000 - Update Registry Shell Open Related Rules
...
update: Registry Modification of MS-settings Protocol Handler - Update logic to be more clear
new: Suspicious Shell Open Command Registry Modification
---------
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com >
2026-01-24 18:54:59 +01:00
77f4b0b2ec
Merge PR #5741 from @swachchhanda000 - Add Splunk Rules for MSIX/AppX
...
new: Successful MSIX/AppX Package Installation
new: Windows AppX Deployment Full Trust Package Installation
new: Windows AppX Deployment Unsigned Package Installation
new: Windows MSIX Package Support Framework AI_STUBS Execution
---------
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com >
2026-01-24 17:04:41 +01:00
c0af81c9d2
Merge PR #5823 from @darses - Update DNS Query to External Service Interaction Domains
...
update: DNS Query to External Service Interaction Domains - Changed modifier to endswith for better accuracy and add additional domains.
---------
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com >
2026-01-24 12:37:27 +01:00
30aebbb65c
Merge PR #5834 from @MATTANDERS0N - Add Devcon and KDU Execution Rules
...
new: PUA - Kernel Driver Utility (KDU) Execution
new: Devcon Execution Disabling VMware VMCI Device
---------
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com >
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com >
2026-01-24 12:36:29 +01:00
01b23770b8
Merge PR #5826 from @marcopedrinazzi - Add New OpenCanary Rules
...
new: OpenCanary - NMAP FIN Scan
new: OpenCanary - NMAP NULL Scan
new: OpenCanary - NMAP OS Scan
new: OpenCanary - NMAP XMAS Scan
new: OpenCanary - Host Port Scan (SYN Scan)
new: OpenCanary - RDP New Connection Attempt
---------
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com >
2026-01-24 12:32:10 +01:00
ad3a650641
Merge PR #5476 from @swachchhanda000 - Update SquiblyTwo Related Rules
...
update: WMIC Loading Scripting Libraries - Update metadata
update: Potential SquiblyTwo Technique Execution - Extend coverage for remote execution
update: XSL Script Execution Via WMIC.EXE - Filter out remote execution parameters to avoid duplicate alerting
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com >
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com >
2026-01-24 12:25:13 +01:00
222a2e2992
Merge PR #5749 from @swachchhanda000 - Update Phantom DLL hijacking Rules
...
update: Creation Of Non-Existent System DLL - Add new DLLs and update metadata
update: Potential DLL Sideloading Of Non-Existent DLLs From System Folders - Add new DLLs and update metadata
new: Registry Modification for OCI DLL Redirection
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com >
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com >
2026-01-24 12:04:15 +01:00
076da17939
Merge PR #5771 from @EzLucky - Add and Update Setcap Related Rules
...
new: Linux Setgid Capability Set on a Binary via Setcap Utility
new: Linux Setuid Capability Set on a Binary via Setcap Utility
fix: Capabilities Discovery - Linux - Removed unnecessary windash modifier
---------
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com >
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com >
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com >
2026-01-24 11:51:42 +01:00
e443d5cbf8
Merge PR #5839 from @nasbench - Archive new rule references and update cache file
...
Co-authored-by: nasbench <nasbench@users.noreply.github.com >
2026-01-17 13:03:58 +01:00
6fe7343bf7
Merge PR #5822 from @EzLucky - fix: spelling errors in description and filename
...
update: Suspicious Package Installed - Linux - add 'socat' keyword and fix a typo
chore: Local System Accounts Discovery - Linux - fix small typo on 'system' word in description
2026-01-05 13:01:17 +05:45
c5e6d0ecd5
Merge PR #5820 from @nasbench - Update deprecated csv
...
chore: update deprecated.csv and deprecated.json
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com >
2026-01-01 12:23:20 +01:00
8afdcc4321
Merge PR #5821 from @nasbench - Archive new rule references and update cache file
...
chore: archive new rule references and update cache file
Co-authored-by: nasbench <nasbench@users.noreply.github.com >
2026-01-01 12:22:51 +01:00
1cfdf4f82e
Merge PR #5819 from @phantinuss - Update ATT&CK Heatmap Coverage
...
chore: update ATT&CK heatmap
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com >
2026-01-01 12:00:53 +01:00
c8b1a0ff67
Merge PR #5805 from @swachchhanda000 - Add regression tests for curl-related rules
...
update: Curl Web Request With Potential Custom User-Agent - add another curl supported flag for header
chore: add regression tests for curl-related rules
2025-12-25 20:50:48 +05:45
EzLucky