Merge PR #5557 from @phantinuss - Bump pySigma-validators-sigmahq to 0.10

chore: bump pySigma-validators-sigmahq to 0.10
This commit is contained in:
phantinuss
2025-08-14 14:29:11 +02:00
committed by GitHub
parent 631a23d33c
commit 4f4f468c4a
16 changed files with 14 additions and 16 deletions
+1 -1
@@ -79,7 +79,7 @@ jobs:
run: |
pip install pysigma
pip install sigma-cli
pip install pySigma-validators-sigmahq==0.9.*
pip install pySigma-validators-sigmahq==0.10.*
- name: Test Sigma Rule Syntax
run: |
sigma check --fail-on-error --fail-on-issues --validation-config tests/sigma_cli_conf.yml rules*
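Review bot: Only the validators package is version-pinned in this install step; `pip install pysigma` and `pip install sigma-cli` on the two lines above pull whatever is latest, so a future pySigma release that the 0.10.* validators were not built against (the exclusion comment later in this PR already anticipates a pySigma 1.0.0) can break this job without any change to the repository. Consider pinning all three to ranges known to work together, for example `pip install pysigma==<compatible range>` next to the validators pin.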
@@ -5,7 +5,7 @@ description: Detects a file or folder's permissions being modified or tampered w
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.001/T1222.001.md
- https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh750728(v=ws.11)
- https://github.com/swagkarna/Defeat-Defender-V1.2.0
- https://github.com/swagkarna/Defeat-Defender-V1.2.0/tree/ae4059c4276da6f6303b8f53cdff085ecae88a91
author: Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems)
date: 2019-10-23
modified: 2023-11-21
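Review bot: The `modified: 2023-11-21` line in the trailing context is left untouched while the reference list changes (repository-root URL replaced by the commit-pinned `.../tree/ae4059c4...` form). That is consistent with treating a reference-only swap as a non-logic change, but if the repository convention bumps `modified` on any edit, this hunk and the matching Defeat-Defender replacement in the Defender reg.exe rule below both need the date updated.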
@@ -21,7 +21,6 @@ logsource:
category: registry_set
detection:
selection_key:
EventType: SetValue
TargetObject|contains: '\Shell\Open\Command'
selection_value_img:
Details|contains:
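Review bot: Dropping `EventType: SetValue` from `selection_key` is safe here only because the hunk header context shows `category: registry_set`, whose backend mapping already restricts matches to set-value events, so the field was redundant (the SigmahqRedundantFieldIssue that validators 0.10 reports). The -7,+6 line count confirms a pure deletion with no replacement line, and the `TargetObject|contains` condition is unchanged.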
@@ -7,7 +7,7 @@ status: experimental
description: Detects the dual use tool ADExplorer writing a complete AD snapshot into a .dat file. This can be used by attackers to extract data for Bloodhound, usernames for password spraying or use the meta data for social engineering. The snapshot doesn't contain password hashes but there have been cases, where administrators put passwords in the comment field.
references:
- https://learn.microsoft.com/de-de/sysinternals/downloads/adexplorer
- https://github.com/c3c/ADExplorerSnapshot.py
- https://github.com/c3c/ADExplorerSnapshot.py/tree/f700904defac330802bbfedd1d8ffd9248f4ee24
- https://www.packetlabs.net/posts/scattered-spider-is-a-young-ransomware-gang-exploiting-large-corporations/
- https://www.nccgroup.com/us/research-blog/lapsus-recent-techniques-tactics-and-procedures/
- https://trustedsec.com/blog/adexplorer-on-engagements
@@ -3,13 +3,13 @@ id: afd12fed-b0ec-45c9-a13d-aa86625dac81
status: test
description: Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information
references:
- https://attack.mitre.org/datasources/DS0005/
- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1&viewFallbackFrom=powershell-7
author: frack113
date: 2022-01-12
tags:
- attack.credential-access
- attack.t1003.003
- attack.ds0005
logsource:
product: windows
category: ps_script
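Review bot: No changed line is distinguishable in this hunk as rendered (-3,13 +3,13), but the rule id in the header, afd12fed-b0ec-45c9-a13d-aa86625dac81, is the same one added to the `attacktag` exclusion at the end of this PR, and its `attack.ds0005` data-source tag is the plausible trigger of InvalidATTACKTagIssue. If the edit here is only the documentation URL, please say so in the description; otherwise state why the data-source tag is kept and excluded rather than removed.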
@@ -5,7 +5,7 @@ description: |
Detects the usage of "reg.exe" to tamper with different Windows Defender registry keys in order to disable some important features related to protection and detection
references:
- https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/
- https://github.com/swagkarna/Defeat-Defender-V1.2.0
- https://github.com/swagkarna/Defeat-Defender-V1.2.0/tree/ae4059c4276da6f6303b8f53cdff085ecae88a91
- https://www.elevenforum.com/t/video-guide-how-to-completely-disable-microsoft-defender-antivirus.14608/page-2
- https://tria.ge/241231-j9yatstqbm/behavioral1
author: Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems)
@@ -8,7 +8,7 @@ description: Detects the execution of Sysinternals ADExplorer with the "-snapsho
references:
- https://www.documentcloud.org/documents/5743766-Global-Threat-Report-2019.html
- https://learn.microsoft.com/de-de/sysinternals/downloads/adexplorer
- https://github.com/c3c/ADExplorerSnapshot.py
- https://github.com/c3c/ADExplorerSnapshot.py/tree/f700904defac330802bbfedd1d8ffd9248f4ee24
- https://www.packetlabs.net/posts/scattered-spider-is-a-young-ransomware-gang-exploiting-large-corporations/
- https://www.nccgroup.com/us/research-blog/lapsus-recent-techniques-tactics-and-procedures/
- https://trustedsec.com/blog/adexplorer-on-engagements
@@ -8,7 +8,7 @@ description: Detects the execution of Sysinternals ADExplorer with the "-snapsho
references:
- https://www.documentcloud.org/documents/5743766-Global-Threat-Report-2019.html
- https://learn.microsoft.com/de-de/sysinternals/downloads/adexplorer
- https://github.com/c3c/ADExplorerSnapshot.py
- https://github.com/c3c/ADExplorerSnapshot.py/tree/f700904defac330802bbfedd1d8ffd9248f4ee24
- https://www.packetlabs.net/posts/scattered-spider-is-a-young-ransomware-gang-exploiting-large-corporations/
- https://www.nccgroup.com/us/research-blog/lapsus-recent-techniques-tactics-and-procedures/
- https://trustedsec.com/blog/adexplorer-on-engagements
@@ -1,4 +1,4 @@
title: Detect Virtualbox Driver Installation OR Starting Of VMs
title: Virtualbox Driver Installation or Starting of VMs
id: bab049ca-7471-4828-9024-38279a4c04da
status: test
description: Adversaries can carry out malicious operations using a virtual instance to avoid detection. This rule is built to detect the registration of the Virtualbox driver or start of a Virtualbox VM.
@@ -7,7 +7,7 @@ references:
- https://threatpost.com/maze-ransomware-ragnar-locker-virtual-machine/159350/
author: Janantha Marasinghe
date: 2020-09-26
modified: 2022-07-14
modified: 2025-07-29
tags:
- attack.defense-evasion
- attack.t1564.006
@@ -14,7 +14,6 @@ logsource:
product: windows
detection:
selection:
EventType: SetValue
TargetObject|endswith: '\Software\Winternals\BGInfo\Database'
condition: selection
falsepositives:
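Review bot: Unlike the first registry rule in this PR, the `category:` line is outside the visible context here (the header shows only `logsource:` and `product: windows`), so the hunk alone does not prove the rule is `registry_set`. Removing `EventType: SetValue` from a `registry_event` rule would widen it to add, delete and rename events on the same key; please confirm the category for this and the following five single-line-deletion hunks, which have the same shape.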
@@ -17,7 +17,6 @@ logsource:
product: windows
detection:
selection:
EventType: SetValue
TargetObject|contains: '\Software\Winternals\BGInfo\UserFields\'
Details|startswith: '4' # WMI
condition: selection
@@ -17,7 +17,6 @@ logsource:
product: windows
detection:
selection:
EventType: SetValue
TargetObject|contains: '\Software\Winternals\BGInfo\UserFields\'
Details|startswith: '6' # WMI
condition: selection
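Review bot: Both BGInfo UserFields rules (this hunk and the preceding one) carry the comment `# WMI`, yet they match different `Details|startswith` values, `'6'` here and `'4'` above. If the two prefixes denote different BGInfo field source types, one of the comments is stale and should be corrected; if both really are WMI, the two rules overlap and could be one rule with a list of values.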
@@ -18,7 +18,6 @@ logsource:
product: windows
detection:
selection:
EventType: 'SetValue'
TargetObject|endswith: '\Microsoft\Windows\Windows Error Reporting\Hangs\ReflectDebugger'
condition: selection
falsepositives:
@@ -21,7 +21,6 @@ logsource:
product: windows
detection:
selection:
EventType: 'SetValue'
TargetObject|contains: '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'
Details: 'DWORD (0x00000000)'
condition: selection
@@ -20,7 +20,6 @@ logsource:
product: windows
detection:
selection_main:
EventType: 'SetValue'
TargetObject|contains: '\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations'
selection_susp_paths:
Image|contains:
+5
@@ -65,3 +65,8 @@ exclusions:
7dc2dedd-7603-461a-bc13-15803d132355: sigmahq_category_windows_provider_name
# SigmahqInvalidHashKvIssue
b69888d4-380c-45ce-9cf9-d9ce46e67821: sigmahq_invalid_hash_kv
# SigmahqRedundantFieldIssue
0f06a3a5-6a09-413f-8743-e6cf35561297: sigmahq_redundant_field
f7f9ab88-7557-4a69-b30e-0a8f91b3a0e7: sigmahq_redundant_field
# InvalidATTACKTagIssue remove after pySigma 1.0.0 release
afd12fed-b0ec-45c9-a13d-aa86625dac81: attacktag
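Review bot: The two new `sigmahq_redundant_field` exclusions (0f06a3a5-6a09-413f-8743-e6cf35561297 and f7f9ab88-7557-4a69-b30e-0a8f91b3a0e7) carry no explanation, while the rest of this PR removes the redundant `EventType: SetValue` from rules rather than excluding them; add a one-line comment stating why those two rules must keep the field. The `attacktag` entry is already annotated with its removal condition ("remove after pySigma 1.0.0 release"), which is the pattern to follow, and the `sigmahq_invalid_hash_kv` entry above it would benefit from the same.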