Mohamed Ashraf
987a733adc
Merge PR #4614 from @X-Junior - updates for multiple rules 4-12-2023
update: PowerShell Execution With Potential Decryption Capabilities
update: Malware User Agent
---------
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
2023-12-11 10:42:44 +01:00
Thurein Oo
f5553c037a
Merge PR #4552 from @ThureinOo - Add Detection of CVE-2023-46747 Remote Code Execution
new: CVE-2023-46747 Exploitation Activity - Proxy
new: CVE-2023-46747 Exploitation Activity - Webserver
new: F5 BIG-IP iControl Rest API Command Execution - Proxy
new: F5 BIG-IP iControl Rest API Command Execution - Webserver
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2023-11-14 09:41:49 +01:00
Luca
099d435adc
Merge PR #4565 from @CrimpSec - Add UA related to PlugX backdoor
update: APT User Agent - adding user agent associated with PlugX backdoor.
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2023-11-13 11:43:55 +01:00
Mohamed Ashraf
e873392366
Merge PR #4522 from @X-Junior - updating multiple rules
update: Obfuscated IP Via CLI - increase coverage for more types of obfuscation and fix logic
update: Obfuscated IP Download Activity - increase coverage for more types of obfuscation and fix logic
update: Csc.EXE Execution Form Potentially Suspicious Parent - add more MS Office tools, suspicious locations and filter known FPs
update: Dynamic .NET Compilation Via Csc.EXE - add more suspicious locations
update: Malware User Agent - add new user agents
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2023-11-06 17:07:33 +01:00
Mohamed Ashraf
cc3011b814
Merge PR #4543 from @X-Junior - Add & Update Multiple Rules
new: Enable Remote Connection Between Anonymous Computer - AllowAnonymousCallback
update: Weak or Abused Passwords In CLI - Increase coverage
update: Malware User Agent - Increase UAs coverage
update: Potentially Suspicious Cabinet File Expansion - Increase coverage
update: HackTool - CrackMapExec - Fix logic
update: Port Forwarding Activity Via SSH.EXE - Increase coverage
update: Suspicious File Creation Activity From Fake Recycle.Bin Folder - Increase coverage
update: Suspicious Process Execution From Fake Recycle.Bin Folder - Increase coverage
---------
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2023-11-06 14:13:31 +01:00
github-actions[bot]
a6e7cce606
Merge PR #4533 from @nasbench - Promote experimental rules
chore: promote older rules status from `experimental` to `test`
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2023-11-02 10:48:45 +01:00
Nasreddine Bencherchali
95793d73bd
Merge PR #4482 From @nasbench - Add New Automation Workflows
chore: update workflows and add quality of life updates and automation to the repository
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2023-10-18 11:53:44 +02:00
frack113
020fc8061f
Merge PR #4479 From @frack113 - Upgrade Rules Status
chore: Upgrade status level from `experimental` to `test` for rules that have not changed in 300 days
---------
Signed-off-by: frack113 <62423083+frack113@users.noreply.github.com>
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2023-10-17 14:35:26 +02:00
phantinuss
188236a4eb
Merge PR #4393 from @phantinuss - use explicit CIDR notation for loopback
fix: Search-ms and WebDAV Suspicious Indicators in URL - use explicit CIDR notation for loopback
2023-08-25 10:29:04 +02:00
phantinuss
f9893202e5
fix: IPv6 prefix
2023-08-22 13:17:40 +02:00
phantinuss
24e7333f15
fix: typo
2023-08-22 11:43:04 +02:00
Nasreddine Bencherchali
89c6ea2ef0
Update rules/web/proxy_generic/proxy_webdav_search_ms.yml
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2023-08-22 11:42:08 +02:00
Nasreddine Bencherchali
201066947b
feat: update detection & metadata
2023-08-22 11:00:55 +02:00
Micah Babinski
8d16ed2cc2
Added search(-ms)/WebDAV rules
2023-08-04 17:37:54 -07:00
Josh
f083be8458
Fixed typo in comment
DragonOK and not dargonOK :)
2023-07-17 14:39:48 -04:00
Nasreddine Bencherchali
066f57abb8
chore: update rules from r-dns to cs-host
2023-05-18 23:03:23 +02:00
Axel-NTT
c1ba6e1505
Update proxy_ua_bitsadmin_susp_tld.yml to use proxy field
2023-05-17 13:46:28 +02:00
Nasreddine Bencherchali
bbf1e54510
fix: apply suggestions from code review
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2023-05-09 16:04:24 +02:00
Nasreddine Bencherchali
24ed6be065
feat: updates and new rules related to fin7
2023-05-05 01:26:06 +02:00
Nasreddine Bencherchali
0c23616a12
fix: move to deprecated
2023-04-21 15:05:56 +02:00
Nasreddine Bencherchali
b26f9a9793
chore: move more rules
2023-04-21 15:01:48 +02:00
Nasreddine Bencherchali
b851734126
chore: move 3cx related rules
2023-04-21 15:00:35 +02:00
Nasreddine Bencherchali
4ce1bf45b6
feat: update malware ua
2023-04-12 16:12:11 +02:00
Nasreddine Bencherchali
5138fef3e5
feat: update 3cx compromise related rules (#4156)
2023-03-31 15:01:41 +02:00
Arnim Rupp
b2e9b47e91
feat: add new domain to rules related to 3CX compromise (#4154)
2023-03-30 13:18:11 +02:00
Nasreddine Bencherchali
c08a50758b
feat: update
2023-03-29 18:59:24 +02:00
Mohamed Ashraf
dc83671da0
Update proxy_ua_malware.yml
2023-03-27 13:13:16 +02:00
Mohamed Ashraf (X__Junior)
e868b66592
Update proxy_ua_malware.yml
2023-03-27 11:10:14 +02:00
Gavin Knapp
ec892dec93
feat: new rule proxy_susp_ipfs_cred_harvest.yml (#4113)
2023-03-24 12:29:25 +01:00
Nasreddine Bencherchali
eb5d96f270
fix: update modified
2023-03-20 16:44:29 +01:00
Mohamed Ashraf (X__Junior)
87404ea1e1
Update proxy_ua_malware.yml
2023-03-20 17:41:13 +02:00
Nasreddine Bencherchali
078e3ab500
feat: updates and fixes
2023-02-23 12:49:44 +01:00
Nasreddine Bencherchali
7c38a5c496
chore: add nextron authors tag
2023-02-01 11:14:59 +01:00
frack113
8b321ba0b2
Order root rules folder
2023-01-31 14:05:08 +01:00