From e70395744bcfecb1baf51c4ff0ef827a52a20f3e Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Thu, 30 Aug 2018 10:08:01 +0200
Subject: [PATCH] Rule: Improved Github communication rule

---
 rules/windows/sysmon/sysmon_win_binary_github_com.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/rules/windows/sysmon/sysmon_win_binary_github_com.yml b/rules/windows/sysmon/sysmon_win_binary_github_com.yml
index dd8af4d8d..50cc23973 100644
--- a/rules/windows/sysmon/sysmon_win_binary_github_com.yml
+++ b/rules/windows/sysmon/sysmon_win_binary_github_com.yml
@@ -3,6 +3,7 @@ status: experimental
 description: Detects an executable in the Windows folder accessing github.com
 references:
 - https://twitter.com/M_haggis/status/900741347035889665
+ - https://twitter.com/M_haggis/status/1032799638213066752
 author: Michael Haag (idea), Florian Roth (rule)
 logsource:
 product: windows
@@ -10,7 +11,9 @@ logsource:
 detection:
 selection:
 EventID: 3
- DestinationHostname: '*.github.com'
+ DestinationHostname:
+ - '*.github.com'
+ - '*.githubusercontent.com'
 Image: 'C:\Windows\*'
 condition: selection
 falsepositives:
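Review bot: The `description:` context line in the first hunk still says the rule detects access to github.com only, while the second hunk widens `DestinationHostname` to `'*.githubusercontent.com'` as well; the description should follow the detection logic, e.g. `description: Detects an executable in the Windows folder accessing github.com or githubusercontent.com`. In the second hunk, both new list entries carry a leading `*.` wildcard, so on backends that translate `*` to a plain wildcard the bare apex names `github.com` and `githubusercontent.com` would not match — if that is the intended coverage, adding `- 'github.com'` to the list closes the gap; if only subdomains are meant, a short comment above the list saying so would keep the next editor from reintroducing it. Worth noting in a comment as well that Sysmon EventID 3 populates `DestinationHostname` from a reverse lookup, so CDN-fronted GitHub endpoints may not surface under either name and this rule is best-effort rather than exhaustive. The `detection:` block continues past the end of the second hunk (`falsepositives:` and the remainder of the rule are outside the view).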