8315489a07
Merge PR #5828 from @Zirbo - Update Shell Invocation via Env Command - Linux
...
update: Shell Invocation via Env Command - Linux - Switch modifier to use contains instead of endswith for better accuracy
---------
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com >
2026-04-28 00:31:41 +02:00
c801be9f3d
Merge PR #5899 from @HueCodes - new: Python Base64 Encoded Inline Command Execution
...
new: Python Base64 Encoded Inline Command Execution - Windows
new: Python Base64 Encoded Inline Command Execution - Linux
---------
Co-authored-by: Hugh <HueCodes@users.noreply.github.com >
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com >
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com >
2026-04-23 14:37:28 +02:00
3fe2695635
Merge PR #5921 from @Axel-NTT - Update BPFDoor Abnormal Process ID or Lock File Accessed
...
update: BPFDoor Abnormal Process ID or Lock File Accessed - add new file paths from Rapid7 research to increase coverage
2026-04-01 13:16:52 +02:00
56a58e1ee6
Merge PR #5772 from @swachchhanda000 - Add Shai-Hulud: The Second Coming Rules
...
update: Shai-Hulud Malicious GitHub Workflow Creation - Add new entries to the list to increase coverage
new: Shai-Hulud Malware Indicators - Linux
new: Shai-Hulud Malicious Bun Execution - Linux
new: Shai-Hulud 2.0 Malicious NPM Package Installation - Linux
new: Shai-Hulud Malware Indicators - Windows
new: Shai-Hulud Malicious Bun Execution
new: Shai-Hulud 2.0 Malicious NPM Package Installation
new: Script Interpreter Spawning Credential Scanner - Linux
new: Script Interpreter Spawning Credential Scanner - Windows
---------
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com >
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com >
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com >
2026-03-29 14:58:59 +02:00
076da17939
Merge PR #5771 from @EzLucky - Add and Update Setcap Related Rules
...
new: Linux Setgid Capability Set on a Binary via Setcap Utility
new: Linux Setuid Capability Set on a Binary via Setcap Utility
fix: Capabilities Discovery - Linux - Removed unnecessary windash modifier
---------
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com >
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com >
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com >
2026-01-24 11:51:42 +01:00
6fe7343bf7
Merge PR #5822 from @EzLucky - fix: spelling errors in description and filename
...
update: Suspicious Package Installed - Linux - add 'socat' keyword and fix a typo
chore: Local System Accounts Discovery - Linux - fix small typo on 'system' word in description
2026-01-05 13:01:17 +05:45
5656c48a97
Merge PR #5793 from @nasbench - Rename Auditd Folder Entries and update SYSCALL field
...
chore: rename auditd folders and others
update: Audio Capture - Updated syscall field to SYSCALL in order to make use of enriched logs
update: ASLR Disabled Via Sysctl or Direct Syscall - Linux - Updated syscall field to SYSCALL in order to make use of enriched logs
update: Clear or Disable Kernel Ring Buffer Logs via Syslog Syscall - Updated syscall field to SYSCALL in order to make use of enriched logs
update: System Info Discovery via Sysinfo Syscall - Updated syscall field to SYSCALL in order to make use of enriched logs
update: Special File Creation via Mknod Syscall - Updated syscall field to SYSCALL in order to make use of enriched logs
update: Webshell Remote Command Execution - Updated syscall field to SYSCALL in order to make use of enriched logs
2025-12-08 16:03:55 +01:00
5f57f9e816
Merge PR #5766 from @SethHanford - Update Potential Container Discovery Via Inodes Listing
...
update: Potential Container Discovery Via Inodes Listing - replace contains globbing with more correct patterns using regex
---------
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com >
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com >
2025-11-25 16:29:32 +01:00
66e091c08c
Merge PR #5770 from @EzLucky - Update MITRE Attack mapping for Linux Capabilities Discovery
...
chore: update mitre att&ck tag
---------
Co-authored-by: nasbench <monsteroffire2@gmail.com >
2025-11-25 16:23:51 +01:00
2cb7375c6b
Merge PR #5719 from @nasbench - Add regression test CI, data and simulation links
...
update: Cred Dump Tools Dropped Files - Add procdump.exe and procdump64a.exe
update: File Download From Browser Process Via Inline URL - Enhance selection by splitting CLI markers for better matching
update: Tor Client/Browser Execution - Add additional PE metadata markers
update: System Information Discovery via Registry Queries - Enhance registry markers
update: PUA - AdFind Suspicious Execution - Add -sc to dclist string for more accurate coverage.
fix: Removal Of Index Value to Hide Schedule Task - Registry - Remove EventType condition that broke the rule.
fix: Removal Of SD Value to Hide Schedule Task - Registry - Remove EventType condition that broke the rule.
fix: Creation of a Local Hidden User Account by Registry - Fix the TargetObject value
fix: Potential Persistence Via New AMSI Providers - Registry - Change logsource and fix the rule logic
fix: Potential COM Object Hijacking Via TreatAs Subkey - Registry - Change logsource and fix the rule logic
fix: Potential Persistence Via Logon Scripts - Registry - Fix incorrect logsource
fix: PUA - Sysinternal Tool Execution - Registry - Fix incorrect logsource
fix: Suspicious Execution Of Renamed Sysinternals Tools - Registry - Fix incorrect logsource
fix: PUA - Sysinternals Tools Execution - Registry - Fix incorrect logsource
chore: add CI script for regression
chore: add regression data
---------
Co-authored-by: swachchhanda000 <87493836+swachchhanda000@users.noreply.github.com >
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com >
2025-11-25 16:00:53 +01:00
5a2885c310
Merge PR #5627 from @tsale - Filename with Embedded Base64 Commands
...
new: Suspicious Filename with Embedded Base64 Commands
new: Potentially Suspicious Long Filename Pattern - Linux
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com >
Co-authored-by: swachchhanda000 <87493836+swachchhanda000@users.noreply.github.com >
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com >
2025-11-24 15:33:42 +01:00
9d58e38bbc
Merge PR #5769 from @nasbench - fix keywords rule and remove the fields field
...
remove: Space After Filename - Logic was incorrect and untested
update: Potential CVE-2024-3400 Exploitation - Palo Alto GlobalProtect OS Command Injection - Update selection
update: JexBoss Command Sequence - Update the selection to use the |all modifier.
chore: remove any usage of the fields field to prepare for deprecation in the spec.
2025-11-24 09:54:29 +01:00
c6fcff5cff
Merge PR #5740 from @swachchhanda000 - chore: reorganize threat specific rules into rules-emerging-threats directory
...
chore: reorganize threat specific rules into rules-emerging-threats directory
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com >
2025-11-10 12:00:08 +01:00
2d32b91bce
Merge PR #5661 from @CheraghiMilad - Update ASLR Disabled Via Sysctl or Direct Syscall
...
update: ASLR Disabled Via Sysctl or Direct Syscall - Linux - Add sysctl option
---------
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com >
2025-10-29 01:43:27 +01:00
e40fc91954
Merge PR #5600 from @vl43den - Add Syslog Clearing or Removal Via System Utilities
...
new: Syslog Clearing or Removal Via System Utilities
---------
Co-authored-by: Nasreddine Bencherchali
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com >
2025-10-28 22:49:32 +01:00
d0c23170de
Merge PR #5079 from @mlakri - Add 2 new linux rules
...
new: Audit Rules Deleted Via Auditctl
new: Python WebServer Execution - Linux
---------
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com >
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com >
2025-10-28 22:45:53 +01:00
875dee72f4
Merge PR #5634 from @CheraghiMilad - Add Kaspersky Endpoint Security Stopped Via CommandLine - Linux
...
new: Kaspersky Endpoint Security Stopped Via CommandLine - Linux
---------
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com >
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com >
2025-10-28 22:34:26 +01:00
c8075cab6b
chore: ci: bump validator version ( #5722 )
...
chore: ci: bump validator version
chore: add missing tags
---------
Co-authored-by: nasbench <nasbench@users.noreply.github.com >
2025-10-23 15:43:47 +02:00
f69ac5c345
Merge PR #5714 from @RobertN87 - Add missing MITRE tactics for 2 rules
...
chore: add missing MITRE tactics for 2 rules
2025-10-21 20:17:56 +02:00
ac1137183f
Merge PR #5090 from @CheraghiMilad - add rule for impair system power settings
...
new: Mask System Power Settings Via Systemctl
---------
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com >
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com >
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com >
2025-10-20 08:24:44 +05:45
208fee50a0
Merge PR #5658 from @swachchhanda000 - feat: shai hulud worm targeting npm supply chain attack
...
new - Shai-Hulud Malicious GitHub Workflow Creation
new - Shai-Hulud NPM Attack GitHub Activity
new - Shai-Hulud NPM Package Malicious Exfiltration via Curl
new - PUA - TruffleHog Execution
new - PUA - TruffleHog Execution - Linux
2025-10-19 07:28:08 +05:45
f4e9d5f3c4
Merge PR #5671 from @swachchhanda000 - feat: add detection rules for CVE-2025-32463 sudo chroot vulnerability
...
new: Non-Standard Nsswitch.Conf Creation - Potential CVE-2025-32463 Exploitation
new: Linux Sudo Chroot Execution
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com >
2025-10-19 07:21:26 +05:45
de97c83224
Merge PR #5533 from @swachchhanda000 - fix: github reported issues
...
new: AWS IAM user with Console Access Login Without MFA (#5074 )
new: Suspicious BitLocker Access Agent Update Utility Execution (#5502 )
new: BaaUpdate.exe Suspicious DLL Load
update: Suspicious C2 Activities - update definition (#5142 )
fix: Firewall Configuration Discovery Via Netsh.EXE - fix logic (#5171 )
fix: WannaCry Ransomware Activity - remove generic indicators (#5131 )
fix: Rare Remote Thread Creation By Uncommon Source Image - filter office FPs (#5529 )
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com >
2025-10-18 07:07:22 +05:45
84425b8889
Merge PR #5677 from @vl43den - Modify System Firewall - add nftables delete/flush
...
update: Modify System Firewall - add nftables delete/flush
---------
Co-authored-by: nasbench <nasbench@users.noreply.github.com >
2025-10-17 11:56:55 +02:00
15b9599eb0
Change alert level from high to medium
2025-08-29 10:34:46 +02:00
4ba778f030
fix: potentially suspicious execution from tmp folder - nextcloud fp from tmp folder
2025-08-08 15:01:07 +05:45
4316ad64da
Merge PR #5506 from @nasbench -promote older rules status from experimental to test
...
Co-authored-by: nasbench <nasbench@users.noreply.github.com >
2025-07-01 10:34:38 +02:00
8fd6a5167d
Merge PR #5489 from @hashdr1ft - Suspicious Download and Execute Pattern via Curl/Wget
...
new: Suspicious Download and Execute Pattern via Curl/Wget
---------
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com >
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com >
2025-06-25 12:48:57 +02:00
0304ffbbd6
Merge PR #5050 from @wieso-itzi - detect vacuuming of journald for log clearing
...
update: Commands to Clear or Remove the Syslog - detect journald vacuuming
---------
Signed-off-by: wieso-itzi <85185077+wieso-itzi@users.noreply.github.com >
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com >
2025-06-24 13:29:27 +02:00
39537caa0d
Merge PR #5486 from @phantinuss - fix: reduce FP matching with regex pattern
...
fix: Hidden Files and Directories - reduce FP matching with regex pattern
2025-06-24 10:35:56 +02:00
dfed136f16
Merge PR #5477 from @phantinuss - chore: update MITRE tag t1219 to t1219.002
...
chore: update MITRE tag t1219 to t1219.002
2025-06-13 10:00:52 +02:00
ff60fa5f91
Merge PR #5444 from @CheraghiMilad - Discovery System Info via Sysinfo Syscall
...
new: System Info Discovery via Sysinfo Syscall
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com >
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com >
Co-authored-by: nasbench <nasbench@users.noreply.github.com >
2025-06-05 13:53:57 +02:00
4c8e709469
Merge PR #5446 from @CheraghiMilad - Special File Creation via Mknod Syscall
...
new: Special File Creation via Mknod Syscall
---------
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com >
Co-authored-by: nasbench <nasbench@users.noreply.github.com >
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com >
2025-06-05 13:27:24 +02:00
298e18c9c2
Merge PR #5467 from @phantinuss - use syscall names instead of ids
...
the integration pipeline or the rule consumer has to take care of the mapping
update: Audio Capture - use syscall name instead of id
update: Clear or Disable Kernel Ring Buffer Logs via Syslog Syscall - use syscall name instead of id
update: Disable ASLR Via Personality Syscall - Linux - use syscall name instead of id
2025-06-05 13:25:58 +02:00
0f4572c9ac
Merge PR #5459 from @CheraghiMilad - add execveat and match on euid instead of key
...
update: Webshell Remote Command Execution - add execveat and match on euid instead of key
---------
Co-authored-by: nasbench <nasbench@users.noreply.github.com >
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com >
2025-06-05 13:22:24 +02:00
2fda33e611
Merge PR #5461 from @CheraghiMilad - add uname
...
update: System Owner or User Discovery - Linux - add uname
---------
Co-authored-by: nasbench <nasbench@users.noreply.github.com >
2025-06-05 13:20:16 +02:00
6509b21b82
Merge PR #5462 from @CheraghiMilad - add text output tools
...
update: Local Groups Discovery - Linux - add text output tools
---------
Co-authored-by: nasbench <nasbench@users.noreply.github.com >
2025-06-05 13:19:27 +02:00
0627225cab
Merge PR #5463 from @CheraghiMilad - add more text output tools ( #5463 )
...
update: Access of Sudoers File Content - add more tools
---------
Co-authored-by: nasbench <nasbench@users.noreply.github.com >
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com >
2025-06-05 13:19:04 +02:00
3eaaa050b7
Merge PR #5452 from @david-syk - Update the MITRE ATT&CK tags for multiple rules
...
chore: update the MITRE ATT&CK tags for multiple rules
2025-06-04 14:39:25 +02:00
74fc1c74ec
Merge PR #5451 from @frack113 - chore: cleanup metadata
...
chore: 🧹 Remove redundant modified field
chore: 🧹 Use Mitre tags instead of url
chore: 🧹 Use permalink for github file reference
chore: 🧹 Order emerging-threats Exploits rules
2025-06-04 13:33:36 +02:00
ad1bfd3d28
Merge PR #5438 from @CheraghiMilad - new: clean dmesg logs
...
new: Clear or Disable Kernel Ring Buffer Logs via Syslog Syscall
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com >
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com >
2025-05-31 14:24:43 +02:00
a5e070fc9d
Merge PR #5441 from @CheraghiMilad - chore: update reference
...
chore: Disable ASLR Via Personality Syscall - Linux - update reference for PoC
---------
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com >
2025-05-31 14:08:26 +02:00
5a1e44c525
Merge PR #5432 from @CheraghiMilad - Potential Abuse of Linux Magic System Request Key
...
new: Potential Abuse of Linux Magic System Request Key
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com >
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com >
2025-05-31 13:12:25 +02:00
9ebd94a00a
Merge PR #5435 from @CheraghiMilad - Disable ASLR Via Personality Syscall - Linux
...
new: Disable ASLR Via Personality Syscall - Linux
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com >
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com >
2025-05-28 13:29:58 +02:00
304b019212
Merge PR #5385 from @CheraghiMilad - Added new tool for recording audio - ecasound
...
Create Release / Create Release (push) Has been cancelled
update: Audio Capture - add ecasound detection
---------
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com >
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com >
2025-05-21 09:10:51 +02:00
b0481bea13
Merge PR #5393 from @Koifman - Update VMware rules for MITREv17
...
update: proc_creation_lnx_esxcli_vm_kill.yml - updating MITRE to match v17
update: proc_creation_lnx_esxcli_vsan_discovery.yml - updating MITRE to match v17
update: proc_creation_lnx_esxcli_system_discovery.yml - updating MITRE to match v17
update: proc_creation_lnx_esxcli_network_discovery.yml - updating MITRE to match v17
update: proc_creation_lnx_esxcli_storage_discovery.yml - updating MITRE to match v17
update: proc_creation_lnx_esxcli_syslog_config_change.yml - updating MITRE to match v17
update: proc_creation_lnx_esxcli_user_account_creation.yml - updating MITRE to match v17
update: proc_creation_lnx_esxcli_permission_change_admin.yml - updating MITRE to match v17
update: proc_creation_lnx_esxcli_vm_discovery.yml - updating MITRE to match v17
---------
Co-authored-by: Koifman <primeless42@gmail.com >
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com >
2025-05-21 08:39:49 +02:00
6fe3ac8a02
Merge PR #5389 from @david-syk - Update MITRE ATT&CK tags
...
chore: update the tags of multiple rules
2025-05-20 23:09:50 +02:00
efcfe43fae
Merge PR #5388 from @david-syk - Update MITRE ATT&CK tags
...
chore: update the tags of multiple rules
2025-05-20 23:09:23 +02:00
f255ba29e6
Merge PR #5390 from @david-syk - Update MITRE ATT&CK tags
...
chore: update the tags of multiple rules
2025-05-20 23:08:57 +02:00
350fec2f51
Merge PR #5397 from @nasbench - Promote older rules status from experimental to test
...
Co-authored-by: nasbench <nasbench@users.noreply.github.com >
2025-05-20 22:58:46 +02:00
Zirbo