From da8d42fa2bb95489c24a1e4fc0addb1028afe96c Mon Sep 17 00:00:00 2001
From: phantinuss <79651203+phantinuss@users.noreply.github.com>
Date: Wed, 23 Aug 2023 14:18:49 +0200
Subject: [PATCH] Merge pull request #4385 from @phantinuss
- Update Workflow Pipeline
- fix: Devil Bait Potential C2 Communication Traffic
- chore: update workflow to run on all rules
- chore: unpin the sigma-cli version from the workflow
---
 .github/workflows/sigma-test.yml | 5 +++--
 .../Devil-Bait/proxy_malware_devil_bait_c2_communication.yml | 3 ++-
 2 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/sigma-test.yml b/.github/workflows/sigma-test.yml
index 413475c81..b73ecc2ca 100644
--- a/.github/workflows/sigma-test.yml
+++ b/.github/workflows/sigma-test.yml
@@ -52,10 +52,11 @@ jobs:
 python-version: 3.11
 - name: Install dependencies
 run: |
- pip install sigma-cli~=0.7.1
+ # pip install sigma-cli~=0.7.1
+ pip install sigma-cli
 - name: Test Sigma Rule Syntax
 run: |
- sigma check rules
+ sigma check rules*
 - name: Test Sigma Rules
 run: |
 pip install PyYAML attackcti colorama
diff --git a/rules-emerging-threats/2021/Malware/Devil-Bait/proxy_malware_devil_bait_c2_communication.yml b/rules-emerging-threats/2021/Malware/Devil-Bait/proxy_malware_devil_bait_c2_communication.yml
index 4433aeef8..fcffda7b3 100644
--- a/rules-emerging-threats/2021/Malware/Devil-Bait/proxy_malware_devil_bait_c2_communication.yml
+++ b/rules-emerging-threats/2021/Malware/Devil-Bait/proxy_malware_devil_bait_c2_communication.yml
@@ -6,6 +6,7 @@ references:
 - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/devil-bait/NCSC-MAR-Devil-Bait.pdf
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023/05/15
+modified: 2023/08/23
 tags:
 - attack.command_and_control
 - detection.emerging_threats
@@ -14,7 +15,7 @@ logsource:
 detection:
 selection:
 cs-method: 'GET'
- cs-uri|all:
+ cs-uri|contains|all:
 - '/cross.php?op='
 - '&dt='
 - '&uid='
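Review bot: The new `pip install sigma-cli` line in the Install dependencies step takes whatever version PyPI serves at run time, so the CI job is no longer reproducible and a broken or hijacked sigma-cli release would execute in the workflow on the next push; the commented-out `# pip install sigma-cli~=0.7.1` left above it is dead config rather than a fix. Keep at least an upper bound, e.g. `pip install "sigma-cli>=0.7.1,<1"`, and let a dependency bot open the bump PRs; a hash-pinned constraints file with `--require-hashes` would be stronger still. `sigma check rules*` relies on the runner's shell expanding the glob (presumably bash, which will), but it will also pick up any stray top-level entry whose name starts with `rules`, so listing the rule directories explicitly is safer. The `jobs:` block continues outside the hunk.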
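Review bot: The `cs-uri|contains|all:` change deserves a comment in the rule itself, because the old `cs-uri|all:` required one field to equal three different strings at once and so could never match; deployments that saw zero hits before will start alerting after this fix. A line such as `# contains is required here: a plain |all is an equality match and never fires` above the selection would stop the next editor from reverting it, and the `falsepositives` entry is worth re-reading now that the rule is live. `&dt=` and `&uid=` are generic query keys, so the specificity rests on `/cross.php?op=`; that is acceptable but worth stating for anyone tuning the rule. The `condition` and the rest of the rule are outside the hunk.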