Commit Graph

12675 Commits

Author SHA1 Message Date
Florian Roth e8a6894eca Merge PR #5132 from @Neo23x0 - Update DNS Query To Remote Access Software Domain From Non-Browser App
update: DNS Query To Remote Access Software Domain From Non-Browser App - Add `getscreen.me`

---------

Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>
2024-12-19 20:38:44 +01:00
Ivan S aec72e101d Merge PR #5016 from @saakovv - Add New AWS Lambda Function URL Configuration Created
new: New AWS Lambda Function URL Configuration Created

---------

Co-authored-by: Ivan.Saakov <ivan.saakov@indriver.com>
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>
2024-12-19 20:30:58 +01:00
Ivan S a8d8dcff8f Merge PR #5015 from @saakovv - Add AWS SAML Provider Deletion Activity
new: AWS SAML Provider Deletion Activity

---------

Co-authored-by: Ivan.Saakov <ivan.saakov@indriver.com>
Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>
2024-12-19 20:30:41 +01:00
Koifman 3449958dbf Merge PR #5041 from @Koifman - Update tags for Register new Logon Process by Rubeus
chore: update tags for `Register new Logon Process by Rubeus`
2024-12-19 18:41:14 +01:00
Ivan S 2c13dba9f3 Merge PR #5023 from @saakovv - Add AWS Key Pair Import Activity
new: AWS Key Pair Import Activity

---------

Co-authored-by: Ivan.Saakov <ivan.saakov@indriver.com>
Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>
2024-12-19 18:35:28 +01:00
z00t 8e8b86aab9 Merge PR #5095 from @faisalusuf - Add new rules related to QuickAssist usage
new: QuickAssist Execution
new: DNS Query Request By QuickAssist.EXE
---------

Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>
2024-12-19 18:07:19 +01:00
Djordje Lukic 9f54b01218 Merge PR #5122 from @djlukic - Fix bXOR Operator Usage In PowerShell Command Line - PowerShell Classic
fix: bXOR Operator Usage In PowerShell Command Line - PowerShell Classic - Update the logic to remove unrelated keywords and reduce unwanted matches.

---------

Co-authored-by: Djordje Lukic <djordje.lukic@binalyze.com>
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>
2024-12-14 22:55:02 +02:00
Florian Roth 17dcad456f Merge PR #5116 from @Neo23x0 - Add rules and updates related to Cleo exploitation
new: CVE-2024-50623 Exploitation Attempt - Cleo
update: Webshell Detection With Command Line Keywords - Add suspicious powershell commandline keywords
---------

Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>
2024-12-14 22:44:55 +02:00
Milad Cheraghi 957c1fc3d9 Merge PR #5119 from @CheraghiMilad - Update Terminate Linux Process Via Kill
update: Terminate Linux Process Via Kill - Add "xkill"

---------

Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>
2024-12-14 22:26:02 +02:00
Milad Cheraghi 44775b80b9 Merge PR #5117 from @CheraghiMilad - Update Process Discovery
update: Process Discovery - Add additional processes like "htop" and "atop"
---------

Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>
2024-12-14 22:24:15 +02:00
Phill Moore a290d22143 Merge PR #5125 from @randomaccess3 - Update Potential Secure Deletion with SDelete
update: Potential Secure Deletion with SDelete - Enhance metadata

---------

Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>
2024-12-14 21:55:43 +02:00
Gameel Ali 9b67acfcf6 Merge PR #5126 from @MalGamy12 - Update COM Object Hijacking Via Modification Of Default System CLSID Default Value
update: COM Object Hijacking Via Modification Of Default System CLSID Default Value - Add {603D3801-BD81-11d0-A3A5-00C04FD706EC}
---------

Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
2024-12-14 21:09:33 +02:00
Milad Cheraghi c6b7a19b59 Merge PR #5099 from @CheraghiMilad - Update Local System Accounts Discovery - Linux
update: Local System Accounts Discovery - Linux - Add additional binaries to read password files such as "less" and "emacs" as well as additional password file locations such as "/etc/pwd.db"
2024-12-14 20:49:32 +02:00
Florian Roth ee821b8e99 Merge PR #5110 from @Neo23x0 - Update Remote Access Tool Services Have Been Installed - Security
update: Remote Access Tool Services Have Been Installed - Security - Add anydesk
2024-12-07 15:47:45 +01:00
Ivan S 58017b6b3f Merge PR #5017 from @saakovv - Add Modification or Deletion of an AWS RDS Cluster
new: Modification or Deletion of an AWS RDS Cluster
---------

Co-authored-by: Ivan.Saakov <ivan.saakov@indriver.com>
Co-authored-by: nasbench <nasreddineb@splunk.com>
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
2024-12-07 00:19:18 +01:00
Florian Roth 6fd57da131 fix: FPs with NetNTLM downgrade attack (#5108)
fix: NetNTLM Downgrade Attack - Registry - Tune the rule for specific registry values in order to reduce FP rate.
---------

Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
2024-12-03 22:44:37 +01:00
Matthew Green 2a0c9b5550 Merge PR #5107 from @mgreen27 - Update Potential Defense Evasion Via Rename Of Highly Relevant Binaries
update: Potential Defense Evasion Via Rename Of Highly Relevant Binaries - Add ie4uinit.exe and msxsl.exe to old binary rename rule
2024-12-03 22:14:54 +01:00
Nasreddine Bencherchali 6048be5a7a Merge PR #5106 from @nasbench - Add SID version of integrity levels
chore: add SID version of IntegrityLevel
fix: Suspicious Process By Web Server Process - Fix typo in "ntdsutil" process name
2024-12-01 23:29:17 +01:00
frack113 6e71f6ad5e Merge PR #5046 from @frack113 - Add Setup16.EXE Execution With Custom .Lst File
new: Setup16.EXE Execution With Custom .Lst File

---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-12-01 17:35:53 +01:00
Swachchhanda Shrawan Poudel f39c9acbc4 Merge PR #5082 from @swachchhanda000 - Add Suspicious ShellExec_RunDLL Call Via Ordinal
new: Suspicious ShellExec_RunDLL Call Via Ordinal 

---------

Co-authored-by: Swachchhanda Shrawan Poudel <logpoint-admin@NP-SSP-MBP-02.local>
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
2024-12-01 17:32:36 +01:00
Milad Cheraghi aac4335550 Merge PR #5102 from @CheraghiMilad - Update Password Policy Discovery - Linux
update: Password Policy Discovery - Linux - Add additional new paths for "pam.d", namely "/etc/pam.d/common-account", "/etc/pam.d/common-auth" and "/etc/pam.d/auth"

---------

Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
2024-12-01 14:09:27 +01:00
Milad Cheraghi c8e1d66a35 Merge PR #5091 from @CheraghiMilad - Update File and Directory Discovery - Linux
update: File and Directory Discovery - Linux - Add 2 additional binaries, "findmnt" and "mlocate"
---------
 
Co-authored-by: Milad Cheraghi <cheraghimiladmail@gmail.com>
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
2024-12-01 14:07:54 +01:00
Milad Cheraghi af41386535 Merge PR #5097 from @CheraghiMilad - Update System Owner or User Discovery - Linux
update: System Owner or User Discovery - Linux - Add 4 additional tools that can be used for host and user discovery: "whoami", "hostname", "id", "last" 

---------

Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
2024-12-01 13:51:14 +01:00
Gameel Ali 995dac17d1 Merge PR #5084 from @MalGamy12 - Update COM Object Hijacking Via Modification Of Default System CLSID Default Value
update: COM Object Hijacking Via Modification Of Default System CLSID Default Value - Add 2 new additional built-in COM object GUIDs that were seen being used for hijacking
 
---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-12-01 13:48:59 +01:00
github-actions[bot] 9367349016 Merge PR #5101 from @nasbench - Promote older rules status from experimental to test
chore: promote older rules status from experimental to test

Co-authored-by: nasbench <nasbench@users.noreply.github.com>
2024-12-01 13:40:32 +01:00
Florian Roth 374f003507 Merge PR #5093 from @Neo23x0 - Fix Creation of WerFault.exe/Wer.dll in Unusual Folder
fix: Creation of WerFault.exe/Wer.dll in Unusual Folder - Add filter for windows update/installation folder `C:\Windows\SoftwareDistribution\`
 
---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-11-29 13:06:11 +01:00
frack113 d804e9cba1 Merge PR #5088 from @frack113 - Remove custom dedicated hash fields from sigmac
update: GALLIUM IOCs - remove custom dedicated hash fields
update: Malicious DLL Load By Compromised 3CXDesktopApp - remove custom dedicated hash fields
update: Potential Compromised 3CXDesktopApp Execution - remove custom dedicated hash fields
update: HackTool Named File Stream Created - remove custom dedicated hash fields
update: PUA - Process Hacker Driver Load - remove custom dedicated hash fields
update: PUA - System Informer Driver Load - remove custom dedicated hash fields
update: Vulnerable HackSys Extreme Vulnerable Driver Load - remove custom dedicated hash fields
update: Vulnerable WinRing0 Driver Load - remove custom dedicated hash fields
update: WinDivert Driver Load - remove custom dedicated hash fields
update: HackTool - SharpEvtMute DLL Load - remove custom dedicated hash fields
update: HackTool - CoercedPotato Execution - remove custom dedicated hash fields
update: HackTool - CreateMiniDump Execution - remove custom dedicated hash fields
update: Hacktool Execution - Imphash - remove custom dedicated hash fields
update: HackTool - GMER Rootkit Detector and Remover Execution - remove custom dedicated hash fields
update: HackTool - HandleKatz LSASS Dumper Execution - remove custom dedicated hash fields
update: HackTool - Impersonate Execution - remove custom dedicated hash fields
update: HackTool - LocalPotato Execution - remove custom dedicated hash fields
update: HackTool - PCHunter Execution - remove custom dedicated hash fields
update: HackTool - PPID Spoofing SelectMyParent Tool Execution - remove custom dedicated hash fields
update: HackTool - Stracciatella Execution - remove custom dedicated hash fields
update: HackTool - SysmonEOP Execution - remove custom dedicated hash fields
update: HackTool - UACMe Akagi Execution - remove custom dedicated hash fields
update: HackTool - Windows Credential Editor (WCE) Execution - remove custom dedicated hash fields
update: MpiExec Lolbin - remove custom dedicated hash fields
update: PUA - Fast Reverse Proxy (FRP) Execution - remove custom dedicated hash fields
update: PUA- IOX Tunneling Tool Execution - remove custom dedicated hash fields
update: PUA - Nimgrab Execution - remove custom dedicated hash fields
update: PUA - NPS Tunneling Tool Execution - remove custom dedicated hash fields
update: PUA - Process Hacker Execution - remove custom dedicated hash fields
update: PUA - System Informer Execution - remove custom dedicated hash fields
update: Remote Access Tool - NetSupport Execution From Unusual Location - remove custom dedicated hash fields
update: Renamed AdFind Execution - remove custom dedicated hash fields
update: Renamed AutoIt Execution - remove custom dedicated hash fields
update: Renamed NetSupport RAT Execution - remove custom dedicated hash fields
update: Renamed PAExec Execution - remove custom dedicated hash fields
update: Potential SquiblyTwo Technique Execution - remove custom dedicated hash fields

---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-11-25 09:30:14 +01:00
Nathan d0e4e78f7a Merge PR #5086 from @AlbinoGazelle - Update ESXCLI reference docs after Broadcom acquisition of VMWare
chore: update broken references to ESXCLI rules
2024-11-20 20:44:32 +01:00
Grégory Wychowaniec 6f4c6d7031 Merge PR #5054 from @gregorywychowaniec-zt - Update App Assigned To Azure RBAC/Microsoft Entra Role
update: App Assigned To Azure RBAC/Microsoft Entra Role - Add a constraint to limit the detection to service principal only 

---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-11-20 20:43:21 +01:00
Jonathan Peters 41a59142d7 Merge PR #5081 from @cod3nym - Add Potential File Extension Spoofing Using Right-to-Left Override
new: Potential File Extension Spoofing Using Right-to-Left Override 

---------

Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-11-18 22:43:01 +01:00
Gameel Ali 5aa899415b Merge PR #5075 from @MalGamy12 - Update Potentially Suspicious Cabinet File Expansion
update: Potentially Suspicious Cabinet File Expansion - Add new paths for built-in shares 

---------

Co-authored-by: nasbench <nasreddineb@splunk.com>
2024-11-17 23:46:53 +01:00
Florian Roth 5d1cf4b9de Merge PR #5076 from @Neo23x0 - Fix Suspicious SYSTEM User Process Creation
fix: Suspicious SYSTEM User Process Creation - filter false positives with Google Updater uninstall script
2024-11-13 23:21:16 +01:00
wieso-itzi 4f4ef7a8cc Merge PR #5042 from @wieso-itzi - Update Python PTY rules
update: Python Spawning Pretty TTY Via PTY Module - Update the logic to account for the possibility of calling the spawn function via a variable, as an alias or other methods.
update: Python Reverse Shell Execution Via PTY And Socket Modules - Add additional strings to increase accuracy and coverage. 

---------

Signed-off-by: wieso-itzi <85185077+wieso-itzi@users.noreply.github.com>
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-11-04 12:15:00 +01:00
Arnim Rupp 243003c21a Merge PR #5068 from @ruppde - Update rules in the Antivirus category with additional strings and signature names
update: Antivirus Hacktool Detection - Add additional hacktools signature names.
update: Antivirus Password Dumper Detection - Add additional password dumpers such as "DumpPert", "Lazagne", "pypykatz", etc.
update: Antivirus Ransomware Detection - Add additional ransomware signature names.
fix: Antivirus Relevant File Paths Alerts - Remove the path "\Client" as it is too generic for a detection rule.
fix: Antivirus Web Shell Detection - Removed overlapping strings "ASP/Agent", "PHP/Agent", "JSP/Agent". 

---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-11-04 11:45:07 +01:00
Koifman cfa6d8aa7d Merge PR #5064 from @Koifman - Add missing ATT&CK tag to Monero Crypto Coin Mining Pool Lookup
chore: add missing ATT&CK tag to `Monero Crypto Coin Mining Pool Lookup`
2024-11-04 11:32:02 +01:00
Florian Roth fe999a5e9e Merge PR #5070 from @Neo23x0 - Update .RDP File Created by Outlook Process
update: .RDP File Created by Outlook Process - Add new paths for Outlook apps in Windows 11 

---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-11-04 11:25:05 +01:00
Nasreddine Bencherchali e1787dad38 Merge PR #5067 from @nasbench - Add missing reference links
chore: add missing reference links to some rules
2024-11-01 20:52:27 +01:00
Ahmed Farouk 14ce104a16 Merge PR #5058 from @ahmedfarou22 - Add new rules related to command execution via run dialogue
new: Potentially Suspicious Command Executed Via Run Dialog Box - Registry
new: Command Executed Via Run Dialog Box - Registry
 
---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-11-01 20:45:17 +01:00
Florian Roth 0cb8d0e091 Merge PR #5063 from @Neo23x0 - Add & Update rules related to the suspicious creation of ".rdp" files
new: .RDP File Created by Outlook Process
update: .RDP File Created By Uncommon Application - Add `olk.exe` to cover the new version of outlook 

---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-11-01 10:47:36 +01:00
github-actions[bot] f533350560 Merge PR #5065 from @nasbench - Promote older rules status from experimental to test
chore: promote older rules status from `experimental` to `test`

Co-authored-by: nasbench <nasbench@users.noreply.github.com>
2024-11-01 10:21:04 +01:00
dan21san 05a496388b Merge PR #5052 from @dan21san - Update Potential Data Exfiltration Over SMTP Via Send-MailMessage Cmdlet
update: Potential Data Exfiltration Over SMTP Via Send-MailMessage Cmdlet - Add the "-Attachments" flag to the logic in order to reduce false positives. 
---------

Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-11-01 10:20:29 +01:00
Gameel Ali ad8ab49d45 Merge PR #5060 from @MalGamy12 - Update Schedule Task Creation From Env Variable Or Potentially Suspicious Path Via Schtasks.EXE
Update: Schedule Task Creation From Env Variable Or Potentially Suspicious Path Via Schtasks.EXE - Add additional paths for `:\Users\All Users\` and `:\Users\Default\` 

---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-10-28 12:25:02 +01:00
Mohamed Ashraf 7e4748ec0e feat: update multiple rules (#5055)
* Update multiple rules

* updates

---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-10-25 16:32:03 +02:00
Djordje Lukic f33530e756 Merge PR #4994 from @djlukic - Multiple FP fixes
update: CodeIntegrity - Unmet Signing Level Requirements By File Under Validation - Add additional filters for third party AV
update: Suspicious Non PowerShell WSMAN COM Provider - Add new filter to cover the edge case where the `HostApplication` field is null
update: Renamed Powershell Under Powershell Channel - Add new filter to cover the edge case where the `HostApplication` field is null

---------
 
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-10-08 23:08:50 +02:00
Arnim Rupp 7ddc551605 Merge PR #5040 from @ruppde - Update Antivirus Password Dumper Detection
update: Antivirus Password Dumper Detection - Add `DCSync` string to cover MS Defender traffic detections
2024-10-08 23:04:44 +02:00
Sittikorn S 86989a0464 Merge PR #5008 from @BlackB0lt - Update HackTool - Certipy Execution
update: HackTool - Certipy Execution - Increase coverage by adding new flags such as 'cert', 'template' and 'ptt' 

---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-10-08 22:37:23 +02:00
dan21san b063a9d755 Merge PR #5036 from @dan21san - Update Alternate PowerShell Hosts Pipe
update: Alternate PowerShell Hosts Pipe - Add optional filter for `AzureConnectedMachineAgent` and update old filters to be more accurate 
---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-10-08 22:17:21 +02:00
Milad Cheraghi d270dc542c Merge PR #5039 from @CheraghiMilad - Update Local System Accounts Discovery - Linux
update: Local System Accounts Discovery - Linux - Increase coverage by adding additional utilities such as "nano", "tail", "vim"
---------

Co-authored-by: Milad Cheraghi <cheraghimiladmail@gmail.com>
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-10-08 22:09:13 +02:00
MalGamy12 f472015599 Merge PR #5037 from @MalGamy12 - Update Disable Windows Defender Functionalities Via Registry Keys
update: Disable Windows Defender Functionalities Via Registry Keys - Remove `\Real-Time Protection\` prefix to increase coverage. 

---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-10-08 22:07:45 +02:00
Florian Roth a997d6282a Merge PR #5038 from @Neo23x0 - Update LSASS Process Memory Dump Files
update: LSASS Process Memory Dump Files - add new dump pattern for RustiveDump and NativeDump, and exchanged "startswith" with "contains" modifier for better coverage 

---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-10-08 21:57:25 +02:00