Some BlueHammer detections #4037

Merged
nasbench merged 16 commits into develop from bluehammer_redsun on Jun 15, 2026

Conversation

@RavenTait

Contributor

Contains detections and stories around BlueHammer and RedSun as well as a new data source for Windows 4723

Detections:

  • Windows Admin Password Changed by Non-Admin
  • Windows MsMpEng Writing to System32
  • Windows Non-System Process Querying Definition Update
  • Windows Suspicious Burst of Password Changes
  • Windows Suspicious Defender Engine or Signature Files Created
  • Windows Suspicious Defender Update Activity in INetCache

Stories:

  • BlueHammer
  • RedSun
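
The detection names above say what each rule looks for, but the PR page does not show the search logic itself. As an added illustration, not the project's own detections or their query syntax, the following Python implements two of the listed ideas over constructed Windows Security password-change events (4723, "an attempt was made to change an account's password", and 4724, "an attempt was made to reset an account's password"): a privileged account's password changed by a non-privileged subject, and a burst of password changes by one subject. The flattened field names, the sample events, the privileged-account set, and the threshold and window are assumptions made for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not from the PR or the project). Each record is a
# flattened view of a Windows Security event: "subject" is the account that
# performed the action, "target" the account whose password was changed.
SAMPLE_EVENTS = [
    {"time": "2026-06-15T09:00:00", "event_id": 4723, "subject": "alice", "target": "alice"},
    {"time": "2026-06-15T09:05:00", "event_id": 4724, "subject": "domadmin", "target": "bob"},
    {"time": "2026-06-15T09:30:00", "event_id": 4724, "subject": "jdoe", "target": "Administrator"},
    {"time": "2026-06-15T10:00:00", "event_id": 4724, "subject": "svc_deploy", "target": "user01"},
    {"time": "2026-06-15T10:00:20", "event_id": 4724, "subject": "svc_deploy", "target": "user02"},
    {"time": "2026-06-15T10:00:45", "event_id": 4724, "subject": "svc_deploy", "target": "user03"},
    {"time": "2026-06-15T10:01:10", "event_id": 4724, "subject": "svc_deploy", "target": "user04"},
    {"time": "2026-06-15T10:01:40", "event_id": 4724, "subject": "svc_deploy", "target": "user05"},
    {"time": "2026-06-15T11:00:00", "event_id": 4723, "subject": "carol", "target": "carol"},
    {"time": "2026-06-15T11:05:00", "event_id": 4624, "subject": "carol", "target": "carol"},
]

# Assumed lookup of privileged accounts; a real deployment would derive this
# from directory group membership or a maintained allow-list.
PRIVILEGED_ACCOUNTS = {"Administrator", "domadmin"}

# Only password change (4723) and password reset (4724) events are relevant.
PASSWORD_CHANGE_EVENTS = {4723, 4724}


def _password_events(events):
    """Filter to 4723/4724 and parse the ISO timestamps into datetimes."""
    return [
        dict(e, time=datetime.fromisoformat(e["time"]))
        for e in events
        if e["event_id"] in PASSWORD_CHANGE_EVENTS
    ]


def admin_password_changed_by_non_admin(events, privileged=PRIVILEGED_ACCOUNTS):
    """Return (subject, target) pairs where a non-privileged subject changed
    or reset the password of a privileged account."""
    hits = []
    for e in _password_events(events):
        if e["target"] in privileged and e["subject"] not in privileged:
            hits.append((e["subject"], e["target"]))
    return hits


def burst_of_password_changes(events, threshold=5, window=timedelta(minutes=5)):
    """Return {subject: peak count} for subjects that changed the passwords of
    at least `threshold` distinct accounts inside any sliding `window`."""
    by_subject = defaultdict(list)
    for e in _password_events(events):
        by_subject[e["subject"]].append((e["time"], e["target"]))

    flagged = {}
    for subject, items in by_subject.items():
        items.sort()  # sliding window needs chronological order
        start, peak = 0, 0
        for end in range(len(items)):
            # Advance the window start until it spans at most `window`.
            while items[end][0] - items[start][0] > window:
                start += 1
            distinct = len({target for _, target in items[start : end + 1]})
            peak = max(peak, distinct)
        if peak >= threshold:
            flagged[subject] = peak
    return flagged


if __name__ == "__main__":
    print("admin password changed by non-admin:", admin_password_changed_by_non_admin(SAMPLE_EVENTS))
    print("burst of password changes:", burst_of_password_changes(SAMPLE_EVENTS))
```

Both rules are deliberately coarse: the first needs a privileged-account lookup to avoid flagging ordinary self-service changes, and the second needs a threshold and window tuned so that legitimate help-desk or provisioning accounts (like the constructed `svc_deploy`) can be allow-listed rather than paged on every onboarding batch.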

@patel-bhavin patel-bhavin added this to the v6.1.0 milestone May 14, 2026

@nasbench nasbench left a comment

Contributor

These are using the old format; can we please migrate them to the new one?

@github-actions github-actions Bot removed the Lookups label Jun 4, 2026
@nasbench

Contributor

Reviewing this and will try to get an approval on Monday to get this into 6.1 (bear with me).

@nasbench nasbench self-assigned this Jun 14, 2026
@nasbench nasbench self-requested a review June 14, 2026 22:47
nasbench previously approved these changes Jun 15, 2026

@nasbench nasbench left a comment

Contributor

LGTM overall. Made some metadata updates.

@nasbench nasbench requested a review from patel-bhavin June 15, 2026 12:15
patel-bhavin previously approved these changes Jun 15, 2026
@patel-bhavin

Contributor

@RavenTait - not sure why one of these detections is failing: [image]

Can you have a look?

@nasbench nasbench dismissed stale reviews from patel-bhavin and themself via f60a0be June 15, 2026 14:19
@nasbench

Contributor

@RavenTait - not sure why one of these detections is failing: [image]

Can you have a look?

Should be fixed now. I forgot to add wildcards when fixing the paths.

@nasbench nasbench requested a review from patel-bhavin June 15, 2026 14:21
@nasbench nasbench merged commit fad1a59 into develop Jun 15, 2026
6 checks passed
@nasbench nasbench deleted the bluehammer_redsun branch June 15, 2026 15:22
3 participants