From 5bc10a4855a6c4133f1073b886b7bac843135ba7 Mon Sep 17 00:00:00 2001
From: Christophe Tafani-Dereeper
Date: Fri, 5 Jul 2019 09:01:35 +0000
Subject: [PATCH] Include Github raw URLs in suspicious downloads detection rule

---
 rules/windows/sysmon/sysmon_win_binary_susp_com.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/rules/windows/sysmon/sysmon_win_binary_susp_com.yml b/rules/windows/sysmon/sysmon_win_binary_susp_com.yml
index fc4e7daee..12f0fbc85 100644
--- a/rules/windows/sysmon/sysmon_win_binary_susp_com.yml
+++ b/rules/windows/sysmon/sysmon_win_binary_susp_com.yml
@@ -18,6 +18,7 @@ detection:
 DestinationHostname:
 - '*dl.dropboxusercontent.com'
 - '*.pastebin.com'
+ - '*.githubusercontent.com' # includes both gists and github repositories
 Image: 'C:\Windows\\*'
 condition: selection
 falsepositives:
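Review bot: The new `'*.githubusercontent.com'` entry will raise this rule's false-positive rate noticeably, since raw GitHub downloads are routine in legitimate tooling, yet only the detection list is touched; the `falsepositives:` section that starts on the hunk's last line (and continues outside the hunk) should gain an entry such as `- Legitimate scripts and installers fetching files from raw.githubusercontent.com`. The inline comment would be more useful if it named the hosts the wildcard is meant to cover, e.g. `# raw.githubusercontent.com and gist.githubusercontent.com`, so a reader can check the pattern against actual DestinationHostname values. If the rule header above the hunk carries a `modified:` date (not visible here), it should be updated with this change.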