6d581764e7
Merge PR #5806 from @nasbench - Archive New Rule References
...
chore: archive new rule references and update cache file
---------
Co-authored-by: nasbench <nasbench@users.noreply.github.com >
2025-12-15 16:42:14 +01:00
6af6ad8ef7
Merge PR #5803 from @swachchhanda000 - chore: ci: regression test id consistency check
...
chore: ci: regression test id consistency check
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com >
2025-12-10 09:57:22 +01:00
5656c48a97
Merge PR #5793 from @nasbench - Rename Auditd Folder Entries and update SYSCALL field
...
chore: rename auditd folders and others
update: Audio Capture - Updated syscall field to SYSCALL in order to make use of enriched logs
update: ASLR Disabled Via Sysctl or Direct Syscall - Linux - Updated syscall field to SYSCALL in order to make use of enriched logs
update: Clear or Disable Kernel Ring Buffer Logs via Syslog Syscall - Updated syscall field to SYSCALL in order to make use of enriched logs
update: System Info Discovery via Sysinfo Syscall - Updated syscall field to SYSCALL in order to make use of enriched logs
update: Special File Creation via Mknod Syscall - Updated syscall field to SYSCALL in order to make use of enriched logs
update: Webshell Remote Command Execution - Updated syscall field to SYSCALL in order to make use of enriched logs
2025-12-08 16:03:55 +01:00
3e9318e23f
Merge PR #5763 from @swachchhanda000 - Update ClickFix/FileFix related rules
...
removed: FileFix - Suspicious Child Process from Browser File Upload Abuse - Deprecated in favor of b5b29e4e-31fa-4fdf-b058-296e7a1aa0c2
new: DNS Query by Finger Utility
new: Network Connection Initiated via Finger.EXE
fix: Suspicious Explorer Process with Whitespace Padding - ClickFix/FileFix - Fix selection to use ParentImage instead of Image field
new: Suspicious FileFix Execution Pattern
update: FileFix - Command Evidence in TypedPaths - Added more markers
update: Potential ClickFix Execution Pattern - Registry - Add 2 new strings, "finger" and "identification"
chore: Update "test_rules.py" filename test with better output formatting
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com >
Co-authored-by: nasbench <monsteroffire2@gmail.com >
2025-11-27 23:00:25 +01:00
2cb7375c6b
Merge PR #5719 from @nasbench - Add regression test CI, data and simulation links
...
update: Cred Dump Tools Dropped Files - Add procdump.exe and procdump64a.exe
update: File Download From Browser Process Via Inline URL - Enhance selection by splitting CLI markers for better matching
update: Tor Client/Browser Execution - Add additional PE metadata markers
update: System Information Discovery via Registry Queries - Enhance registry markers
update: PUA - AdFind Suspicious Execution - Add -sc to dclist string for more accurate coverage.
fix: Removal Of Index Value to Hide Schedule Task - Registry - Remove EventType condition that broke the rule.
fix: Removal Of SD Value to Hide Schedule Task - Registry - Remove EventType condition that broke the rule.
fix: Creation of a Local Hidden User Account by Registry - Fix the TargetObject value
fix: Potential Persistence Via New AMSI Providers - Registry - Change logsource and fix the rule logic
fix: Potential COM Object Hijacking Via TreatAs Subkey - Registry - Change logsource and fix the rule logic
fix: Potential Persistence Via Logon Scripts - Registry - Fix incorrect logsource
fix: PUA - Sysinternal Tool Execution - Registry - Fix incorrect logsource
fix: Suspicious Execution Of Renamed Sysinternals Tools - Registry - Fix incorrect logsource
fix: PUA - Sysinternals Tools Execution - Registry - Fix incorrect logsource
chore: add CI script for regression
chore: add regression data
---------
Co-authored-by: swachchhanda000 <87493836+swachchhanda000@users.noreply.github.com >
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com >
2025-11-25 16:00:53 +01:00
64ba98e044
Merge PR #5662 from @swachchhanda000 - Cisco ASA/FP SSL VPN Exploit (CVE-2025-20333 / CVE-2025-20362)
...
new: Cisco ASA/FP SSL VPN Exploit (CVE-2025-20333 / CVE-2025-20362) - Proxy
---------
Co-authored-by: Nasreddine Bencherchali <nasbench@users.noreply.github.com .>
2025-11-21 13:06:30 +05:45
25710bbb76
Merge PR #5737 from @nasbench - Archive new rule references and update cache file
...
chore: archive new rule references and update cache file
Co-authored-by: nasbench <nasbench@users.noreply.github.com >
2025-11-02 00:10:54 +01:00
4dfbd6b713
Merge PR #5197 from @inthecyber - Add new Fortinet Fortigate rules
...
new: FortiGate - New Administrator Account Created
new: FortiGate - Firewall Address Object Added
new: FortiGate - New Firewall Policy Added
new: FortiGate - New Local User Created
new: FortiGate - New VPN SSL Web Portal Added
new: FortiGate - User Group Modified
new: FortiGate - VPN SSL Settings Modified
---------
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com >
Co-authored-by: Tommaso Tosi <tommaso.tosi@inthecyber.com >
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com >
2025-11-02 00:06:27 +01:00
a77d3bae4b
Merge PR #5708 from @nasbench - Multiple updates and issue fixes
...
Goodlog Tests / check-baseline-win7 (push) Has been cancelled
Goodlog Tests / check-baseline-win10 (push) Has been cancelled
Goodlog Tests / check-baseline-win11 (push) Has been cancelled
Goodlog Tests / check-baseline-win11-2023 (push) Has been cancelled
Goodlog Tests / check-baseline-win2022 (push) Has been cancelled
Goodlog Tests / check-baseline-win2022-domain-controller (push) Has been cancelled
Goodlog Tests / check-baseline-win2022-0-20348-azure (push) Has been cancelled
Create Release / Create Release (push) Has been cancelled
Sigma Rule Tests / yamllint (push) Has been cancelled
Validate Sigma rules / sigma-rules-validator (push) Has been cancelled
Sigma Rule Tests / test-sigma-logsource (push) Has been cancelled
Sigma Rule Tests / test-sigma-legacy (push) Has been cancelled
Sigma Rule Tests / sigma-check (push) Has been cancelled
fix: Turla Group Commands May 2020 - Change the commandline to regex to account for additional spaces when ingesting non XML version of logs from the eventlog.
fix: Potential Dtrack RAT Activity - Change the commandline to regex to account for additional spaces when ingesting non XML version of logs from the eventlog.
fix: Potential Data Exfiltration Activity Via CommandLine Tools - Change the commandline to regex to account for additional spaces when ingesting non XML version of logs from the eventlog.
fix: Suspicious Network Command - Change the commandline to regex to account for additional spaces when ingesting non XML version of logs from the eventlog.
fix: Suspicious SYSTEM User Process Creation - Change the commandline to regex to account for additional spaces when ingesting non XML version of logs from the eventlog.
fix: Potential Snatch Ransomware Activity - Change the commandline to regex to account for additional spaces when ingesting non XML version of logs from the eventlog.
fix: Potential Devil Bait Malware Reconnaissance - Change the commandline to regex to account for additional spaces when ingesting non XML version of logs from the eventlog.
fix: Mint Sandstorm - AsperaFaspex Suspicious Process Execution - Change the commandline to regex to account for additional spaces when ingesting non XML version of logs from the eventlog.
fix: Mint Sandstorm - ManageEngine Suspicious Process Execution - Change the commandline to regex to account for additional spaces when ingesting non XML version of logs from the eventlog.
update: Powershell Token Obfuscation - Powershell - Move to the TH folder in order to set the right FP expectations.
fix: Kerberoasting Activity - Initial Query - Fix issue with filter names and logic
chore: add sorting to the rule archiver script
---------
Thanks: KingKDot
Thanks: zambomarcell
Thanks: Koifman
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com >
2025-10-29 11:45:19 +01:00
c470105fbf
Merge PR #5686 from @mm-abdelghani - Unsigned or Unencrypted SMB Connection to Share Established
...
new: Unsigned or Unencrypted SMB Connection to Share Established
---------
Co-authored-by: nasbench <nasbench@users.noreply.github.com >
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com >
2025-10-23 13:43:15 +02:00
d36fc36e08
Merge PR #5660 from @swachchhanda000 - feat: add rule to detect deletion of RunMRU registry key
...
new: RunMRU Registry Key Deletion
new: RunMRU Registry Key Deletion - Registry
---------
Co-authored-by: Nasreddine Bencherchali <nasbench@users.noreply.github.com >
2025-10-22 18:31:35 +05:45
c2d9e95e83
Merge PR #5532 from @swachchhanda000 - fix: refine detections and filters; update Account Tampering with SubStatus field
...
fix: SMB Create Remote File Admin Share - filter out local IP
fix: Alternate PowerShell Hosts - PowerShell Module - filter out more legit powershell host
fix: CurrentVersion NT Autorun Keys Modification - filter svchost making legitimate registry change
fix: Potentially Suspicious Desktop Background Change Via Registry - filter EC2Launch.exe
update: Account Tampering - Suspicious Failed Logon Reasons - add SubStatus field
2025-10-17 08:12:25 +05:45
b4c6facc1d
Merge PR #5693 from @nasbench - chore: archive new rule references and update cache file
...
Co-authored-by: nasbench <nasbench@users.noreply.github.com >
2025-10-15 09:51:23 +02:00
019971e1c9
Merge PR #5667 from @nasbench - chore: archive new rule references and update cache file
...
chore: archive new rule references and update cache file
Co-authored-by: nasbench <nasbench@users.noreply.github.com >
2025-10-01 10:01:54 +02:00
35d80c39bd
Merge PR #5175 from @netgrain - Add WDAC Policy File Creation In CodeIntegrity Folder
...
new: WDAC Policy File Creation In CodeIntegrity Folder
---------
Co-authored-by: Andreas Braathen <andreasb@mnemonic.io >
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com >
Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com >
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com >
2025-09-22 11:48:53 +02:00
f76a82ddc9
Merge PR #5638 from @nasbench - Archive new rule references and update cache file
...
Co-authored-by: nasbench <nasbench@users.noreply.github.com >
2025-09-22 11:41:18 +02:00
1751ef8673
Merge PR #5597 from @nasbench - Archive new rule references and update cache file
...
chore: archive new rule references and update cache file
Co-authored-by: nasbench <nasbench@users.noreply.github.com >
2025-08-29 10:31:14 +02:00
4f4f468c4a
Merge PR #5557 from @phantinuss - Bump pySigma-validators-sigmahq to 0.10
...
chore: bump pySigma-validators-sigmahq to 0.10
2025-08-14 14:29:11 +02:00
f9d2a493f9
Merge PR #5573 from @nasbench - Archive new rule references and update cache file
...
chore: archive new rule references and update cache file
Co-authored-by: nasbench <nasbench@users.noreply.github.com >
2025-08-14 14:06:15 +02:00
43304188c2
chore: archive new rule references and update cache file
...
Co-authored-by: nasbench <nasbench@users.noreply.github.com >
2025-07-15 11:38:58 +02:00
ff2c7bf284
Merge PR #5507 from @nasbench - archive new rule references and update cache file
...
Co-authored-by: nasbench <nasbench@users.noreply.github.com >
2025-07-01 10:53:58 +02:00
df556b9675
Merge PR #5480 from @phantinuss - Archive new rule references and update cache file
...
chore: archive new rule references and update cache file
2025-06-16 12:55:39 +02:00
a1c9827a35
Merge PR #5402 from @ariel-anieli - feat: add JSON output format for deprecated rule summary
...
chore: tests/deprecated_rules.py - add json output format
chore: add deprecated/deprecated.json
chore: update README and workflow job accordingly
---------
Signed-off-by: Ariel Otilibili <otilibil@eurecom.fr >
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com >
2025-06-13 10:59:34 +02:00
73ce21b574
Merge PR #5416 from @swachchhanda000 - Detection of SAP NetViewer CVE-2025-31324 exploitation via webserver logs
...
new: Potential SAP NetViewer Webshell Command Execution
new: Potential Java WebShell Upload in SAP NetViewer Server
chore: unpin pySigma validator version
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com >
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com >
Co-authored-by: nasbench <nasbench@users.noreply.github.com >
2025-06-11 11:28:24 +02:00
f3948c7bdf
Merge PR #5449 from @nasbench - Archive new rule references and update cache file
...
Co-authored-by: nasbench <nasbench@users.noreply.github.com >
2025-06-02 13:29:26 +02:00
5f894dfa0b
Merge PR #5431 from swachchhanda000 - chore: fix broken links
...
chore: fix broken links
2025-05-26 10:21:19 +02:00
e9aa3eb2b3
Merge PR #5398 from @nasbench - Archive new rule references and update cache file
...
Co-authored-by: nasbench <nasbench@users.noreply.github.com >
2025-05-20 23:03:44 +02:00
e58ebd048f
chore: sort each block
2025-05-05 10:17:12 +02:00
9aeb2bab8a
chore: whitelist new test issues
...
the rules are all valid and have a sound detection logic
2025-05-05 10:17:02 +02:00
f47604b735
chore: update pySigma validators
2025-04-30 11:31:22 +02:00
36394d43a0
Merge PR #5250 from @nasbench - Archive new rule references and update cache file
...
Co-authored-by: nasbench <nasbench@users.noreply.github.com >
2025-04-17 00:41:06 +02:00
4a3cb8b774
Merge PR #5230 from @nasbench - Archive new rule references and update cache file
...
Co-authored-by: nasbench <nasbench@users.noreply.github.com >
2025-03-16 03:08:28 +01:00
3ce034bb20
Merge PR #4858 from @frack113 - Add summary csv file, workflow and generation script for deprecated rules
...
chore: add summary csv file, workflow and generation script for deprecated rules
---------
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com >
2025-03-05 00:59:36 +01:00
2b421e3fd7
Merge PR #5217 from @nasbench - Archive new rule references and update cache file
...
Co-authored-by: nasbench <nasbench@users.noreply.github.com >
2025-03-05 00:23:03 +01:00
c0aa75845b
Merge PR #5194 from @nasbench - Archive new rule references and update cache file
...
chore: archive new rule references and update cache file
Co-authored-by: nasbench <nasbench@users.noreply.github.com >
2025-02-17 12:04:58 +01:00
1d8c84387f
Merge PR #5178 from @nasbench - Archive new rule references and update cache file
...
chore: archive new rule references and update cache file
Co-authored-by: nasbench <nasbench@users.noreply.github.com >
2025-02-03 18:22:38 +01:00
f3a3392bd2
Merge PR #5161 from @nasbench - Archive new rule references and update cache file
...
chore: archive new rule references and update cache file
Co-authored-by: nasbench <nasbench@users.noreply.github.com >
2025-01-19 21:43:16 +01:00
952d518f66
Merge PR #5150 from @nasbench - Archive new rule references and update cache file
...
chore: archive new rule references and update cache file
Co-authored-by: nasbench <nasbench@users.noreply.github.com >
2025-01-06 15:35:53 +01:00
0cb8e32d26
Merge PR #5130 from @nasbench - Archive new rule references and update cache file
...
chore: archive new rule references and update cache file
Co-authored-by: nasbench <nasbench@users.noreply.github.com >
2024-12-16 13:42:23 +01:00
4075c508d1
Merge PR #5101 from @nasbench - Archive new rule references and update cache file
...
chore: archive new rule references and update cache file
Co-authored-by: nasbench <nasbench@users.noreply.github.com >
2024-12-01 13:39:50 +01:00
d804e9cba1
Merge PR #5088 from @frack113 - Remove custom dedicated hash fields from sigmac
...
update: GALLIUM IOCs - remove custom dedicated hash fields
update: Malicious DLL Load By Compromised 3CXDesktopApp - remove custom dedicated hash fields
update: Potential Compromised 3CXDesktopApp Execution - remove custom dedicated hash fields
update: HackTool Named File Stream Created - remove custom dedicated hash fields
update: PUA - Process Hacker Driver Load - remove custom dedicated hash fields
update: PUA - System Informer Driver Load - remove custom dedicated hash fields
update: Vulnerable HackSys Extreme Vulnerable Driver Load - remove custom dedicated hash fields
update: Vulnerable WinRing0 Driver Load - remove custom dedicated hash fields
update: WinDivert Driver Load - remove custom dedicated hash fields
update: HackTool - SharpEvtMute DLL Load - remove custom dedicated hash fields
update: HackTool - CoercedPotato Execution - remove custom dedicated hash fields
update: HackTool - CreateMiniDump Execution - remove custom dedicated hash fields
update: Hacktool Execution - Imphash - remove custom dedicated hash fields
update: HackTool - GMER Rootkit Detector and Remover Execution - remove custom dedicated hash fields
update: HackTool - HandleKatz LSASS Dumper Execution - remove custom dedicated hash fields
update: HackTool - Impersonate Execution - remove custom dedicated hash fields
update: HackTool - LocalPotato Execution - remove custom dedicated hash fields
update: HackTool - PCHunter Execution - remove custom dedicated hash fields
update: HackTool - PPID Spoofing SelectMyParent Tool Execution - remove custom dedicated hash fields
update: HackTool - Stracciatella Execution - remove custom dedicated hash fields
update: HackTool - SysmonEOP Execution - remove custom dedicated hash fields
update: HackTool - UACMe Akagi Execution - remove custom dedicated hash fields
update: HackTool - Windows Credential Editor (WCE) Execution - remove custom dedicated hash fields
update: MpiExec Lolbin - remove custom dedicated hash fields
update: PUA - Fast Reverse Proxy (FRP) Execution - remove custom dedicated hash fields
update: PUA- IOX Tunneling Tool Execution - remove custom dedicated hash fields
update: PUA - Nimgrab Execution - remove custom dedicated hash fields
update: PUA - NPS Tunneling Tool Execution - remove custom dedicated hash fields
update: PUA - Process Hacker Execution - remove custom dedicated hash fields
update: PUA - System Informer Execution - remove custom dedicated hash fields
update: Remote Access Tool - NetSupport Execution From Unusual Location - remove custom dedicated hash fields
update: Renamed AdFind Execution - remove custom dedicated hash fields
update: Renamed AutoIt Execution - remove custom dedicated hash fields
update: Renamed NetSupport RAT Execution - remove custom dedicated hash fields
update: Renamed PAExec Execution - remove custom dedicated hash fields
update: Potential SquiblyTwo Technique Execution - remove custom dedicated hash fields
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com >
2024-11-25 09:30:14 +01:00
4ec3e69de0
Merge PR #5080 from @nasbench - Archive new rule references and update cache file
...
chore: archive new rule references and update cache file
Co-authored-by: nasbench <nasbench@users.noreply.github.com >
2024-11-17 23:44:45 +01:00
04df2e483a
Merge PR #5051 from @nasbench - Archive new rule references and update cache file
...
chore: archive new rule references and update cache file
Co-authored-by: nasbench <nasbench@users.noreply.github.com >
2024-11-01 10:49:49 +01:00
c70fff4b8b
Merge PR #4935 from @frack113 - Add new IIS logsource and related rules
...
chore: add "Microsoft-IIS-Configuration/Operational" support to the tests and thor.yml
new: ETW Logging/Processing Option Disabled On IIS Server
new: HTTP Logging Disabled On IIS Server
new: New Module Module Added To IIS Server
new: Previously Installed IIS Module Was Removed
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com >
2024-10-06 22:44:05 +02:00
8ebc58cf42
Merge PR #5028 from @nasbench - Archive new rule references and update cache file
...
chore: archive new rule references and update cache file
Co-authored-by: nasbench <nasbench@users.noreply.github.com >
2024-10-01 14:55:39 +02:00
23c4c0b90c
Merge PR #5009 from @nasbench - Archive new rule references and update cache file
...
chore: archive new rule references and update cache file
Co-authored-by: nasbench <nasbench@users.noreply.github.com >
2024-09-18 23:55:08 +02:00
9eb4dea0a6
Merge PR #4992 from @nasbench - Archive new rule references and update cache file
...
chore: archive new rule references and update cache file
Co-authored-by: nasbench <nasbench@users.noreply.github.com >
2024-09-02 10:01:12 +02:00
2851ef5d16
Merge PR #4961 from @tsale - Add multiples rules and updates
...
fix: Potential Privilege Escalation via Local Kerberos Relay over LDAP - Add new exclusion
fix: Sdiagnhost Calling Suspicious Child Process - Add new filters
new: Antivirus Filter Driver Disallowed On Dev Drive - Registry
new: ChromeLoader Malware Execution
new: Emotet Loader Execution Via .LNK File
new: Exploitation Attempt Of CVE-2020-1472 - Execution of ZeroLogon PoC
new: FakeUpdates/SocGholish Activity
new: File Explorer Folder Opened Using Explorer Folder Shortcut Via Shell
new: HackTool - SharpWSUS/WSUSpendu Execution
new: HackTool - SOAPHound Execution
new: Hiding User Account Via SpecialAccounts Registry Key - CommandLine
new: Injected Browser Process Spawning Rundll32 - GuLoader Activity
new: Kerberoasting Activity - Initial Query
new: Manual Execution of Script Inside of a Compressed File
new: Obfuscated PowerShell OneLiner Execution
new: OneNote.EXE Execution of Malicious Embedded Scripts
new: Potential CVE-2021-44228 Exploitation Attempt - VMware Horizon
new: Potential CVE-2022-22954 Exploitation Attempt - VMware Workspace ONE Access Remote Code Execution
new: Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 1
new: Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 2
new: Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 3
new: Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 4
new: Potential MOVEit Transfer CVE-2023-34362 Exploitation - Dynamic Compilation Via Csc.EXE
new: Python Function Execution Security Warning Disabled In Excel
new: Python Function Execution Security Warning Disabled In Excel - Registry
new: Raspberry Robin Initial Execution From External Drive
new: Raspberry Robin Subsequent Execution of Commands
new: Remote Access Tool - Action1 Arbitrary Code Execution and Remote Sessions
new: Remote Access Tool - Ammy Admin Agent Execution
new: Remote Access Tool - Cmd.EXE Execution via AnyViewer
new: Serpent Backdoor Payload Execution Via Scheduled Task
new: Uncommon Connection to Active Directory Web Services
new: Ursnif Redirection Of Discovery Commands
update: Potential CVE-2022-29072 Exploitation Attempt - Add additional shells and flags
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com >
2024-08-29 19:21:47 +02:00
8bf0ef1253
Merge PR #4970 from @nasbench - Archive new rule references and update cache file
...
chore: archive new rule references and update cache file
Co-authored-by: nasbench <nasbench@users.noreply.github.com >
2024-08-15 11:13:47 +02:00
760597da11
Merge PR #4923 from frack113 - Update test_rules.py to remove the tests covered by pySigma-validators-sigmahq v0.7.0
...
chore: Update `test_rules.py` to remove the tests covered by `pySigma-validators-sigmahq` v0.7.0
2024-08-12 12:09:18 +02:00
github-actions[bot]