232 Commits

Author SHA1 Message Date
phantinuss
c2ba39f94b Merge PR #5901 from @phantinuss - bump evtx-baseline version to 0.8.4
chore: bump evtx-baseline version to 0.8.4

---------

Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
2026-03-13 15:04:24 +01:00
github-actions[bot]
37fe8969ae Merge PR #5890 from @nasbench - chore: archive new rule references and update cache file
chore: archive new rule references and update cache file

Co-authored-by: nasbench <nasbench@users.noreply.github.com>
2026-03-02 13:42:54 +01:00
github-actions[bot]
1df103ce6d Merge PR #5852 from @nasbench - Open Archive New Rule References
chore: archive new rule references and update cache file
-----
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
2026-02-10 14:48:39 +05:45
Swachchhanda Shrawan Poudel
a4ddc7a414 Merge PR #5842 from @swachchhanda000 - chore: update thor.yml with missing file_change category
chore: update thor.yml with missing file_change category
2026-01-29 09:25:27 +01:00
Vladan Sekulic
092b852af3 Merge PR #5767 from @vl43den - Add Cmd Launched with Hidden Start Flags to Suspicious Targets
new: Cmd Launched with Hidden Start Flags to Suspicious Targets

---------

Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com>
2026-01-26 20:02:52 +01:00
github-actions[bot]
e443d5cbf8 Merge PR #5839 from @nasbench - Archive new rule references and update cache file
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
2026-01-17 13:03:58 +01:00
github-actions[bot]
8afdcc4321 Merge PR #5821 from @nasbench - Archive new rule references and update cache file
chore: archive new rule references and update cache file

Co-authored-by: nasbench <nasbench@users.noreply.github.com>
2026-01-01 12:22:51 +01:00
phantinuss
da971a6f28 Merge PR #5809 from @phantinuss - bump evtx-baseline version to 0.8.3
chore: bump evtx-baseline version to 0.8.3
2025-12-21 18:02:45 +01:00
github-actions[bot]
6d581764e7 Merge PR #5806 from @nasbench - Archive New Rule References
chore: archive new rule references and update cache file
---------

Co-authored-by: nasbench <nasbench@users.noreply.github.com>
2025-12-15 16:42:14 +01:00
Swachchhanda Shrawan Poudel
c5b881019a Merge PR #5777 from @swachchhanda000 - feat: more edrfreeze rules
new: WerFaultSecure Loading DbgCore or DbgHelp - EDR-Freeze
new: Suspicious Loading of Dbgcore/Dbghelp DLLs from Uncommon Location
new: Suspicious Process Access to LSASS with Dbgcore/Dbghelp DLLs
new: Suspicious Process Access of MsMpEng by WerFaultSecure - EDR-Freeze
update: Hacktool - EDR-Freeze Execution - add more coverage
---------

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2025-12-10 15:29:38 +01:00
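The four EDR-Freeze rules above are named only by title here. As an added illustration (not the SigmaHQ rules themselves and not code from the project), the block below approximates those titles as matching logic over constructed Sysmon-style events: Event ID 7 (image load) for the two DLL-loading rules and Event ID 10 (process access) for the LSASS and MsMpEng rules. The field names follow Sysmon's schema; the "uncommon location" criterion (anything outside System32/SysWOW64), the sample paths and the CallTrace strings are assumptions made for the example and are not taken from the real rules.

```python
"""Illustrative EDR-Freeze detections over constructed Sysmon-like events.

Added example only: the conditions approximate the rule titles in the commit
above and are NOT the actual SigmaHQ rule selections.
"""
from typing import Dict, List, Tuple

# Rule titles as they appear in the commit message.
R_WERFAULT_LOAD = "WerFaultSecure Loading DbgCore or DbgHelp - EDR-Freeze"
R_UNCOMMON_LOAD = "Suspicious Loading of Dbgcore/Dbghelp DLLs from Uncommon Location"
R_LSASS_ACCESS = "Suspicious Process Access to LSASS with Dbgcore/Dbghelp DLLs"
R_MSMPENG_ACCESS = "Suspicious Process Access of MsMpEng by WerFaultSecure - EDR-Freeze"

DBG_DLLS = ("dbgcore.dll", "dbghelp.dll")
# Assumption for this example: these are the only "common" load locations.
WINDOWS_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _in_windows_dir(path: str) -> bool:
    return path.lower().startswith(WINDOWS_DLL_DIRS)


def evaluate(ev: Dict[str, object]) -> List[str]:
    """Return the titles of every illustrative rule the event satisfies."""
    hits: List[str] = []
    if ev.get("EventID") == 7:  # Sysmon image load
        image = str(ev.get("Image", ""))
        loaded = str(ev.get("ImageLoaded", ""))
        if _basename(loaded) in DBG_DLLS:
            if _basename(image) == "werfaultsecure.exe":
                hits.append(R_WERFAULT_LOAD)
            if not _in_windows_dir(loaded):
                hits.append(R_UNCOMMON_LOAD)
    elif ev.get("EventID") == 10:  # Sysmon process access
        src = _basename(str(ev.get("SourceImage", "")))
        tgt = _basename(str(ev.get("TargetImage", "")))
        trace = str(ev.get("CallTrace", "")).lower()
        if tgt == "lsass.exe" and any(d in trace for d in DBG_DLLS):
            hits.append(R_LSASS_ACCESS)
        if src == "werfaultsecure.exe" and tgt == "msmpeng.exe":
            hits.append(R_MSMPENG_ACCESS)
    return hits


def detect(events: List[Dict[str, object]]) -> List[Tuple[int, List[str]]]:
    """Run every event through evaluate() and keep only those with hits."""
    return [(i, evaluate(ev)) for i, ev in enumerate(events) if evaluate(ev)]


# Constructed sample events (not real telemetry); paths are invented.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"EventID": 7, "Image": r"C:\Windows\System32\WerFaultSecure.exe",
     "ImageLoaded": r"C:\Windows\System32\dbgcore.dll"},
    {"EventID": 7, "Image": r"C:\Users\alice\Downloads\tool.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\dbghelp.dll"},
    {"EventID": 10, "SourceImage": r"C:\Users\alice\Downloads\tool.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d4e4|C:\Windows\System32\dbgcore.dll+1f2a"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\WerFaultSecure.exe",
     "TargetImage": r"C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe"},
    # Benign: a system binary loading dbghelp.dll from System32.
    {"EventID": 7, "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\dbghelp.dll"},
]

if __name__ == "__main__":
    for idx, titles in detect(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(titles)}")
```

The last sample event is the kind of case the "uncommon location" rule must not fire on: debugging DLLs are loaded legitimately from System32 all the time, so the location check, not the DLL name alone, carries the signal.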
frack113
8e1b7815bb Merge PR #5784 from @frack113 - Fix setup-python version in workflows
chore: fix setup-python version in the workflow

---------

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
Co-authored-by: nasbench <monsteroffire2@gmail.com>
2025-12-02 11:29:54 +01:00
phantinuss
3cbce7d48c Merge PR #5776 from @phantinuss - bump validator version 0.20
chore: bump validator version 0.20
2025-11-26 19:07:10 +01:00
Nasreddine Bencherchali
2cb7375c6b Merge PR #5719 from @nasbench - Add regression test CI, data and simulation links
update: Cred Dump Tools Dropped Files - Add procdump.exe and procdump64a.exe
update: File Download From Browser Process Via Inline URL - Enhance selection by splitting CLI markers for better matching
update: Tor Client/Browser Execution - Add additional PE metadata markers
update: System Information Discovery via Registry Queries - Enhance registry markers
update: PUA - AdFind Suspicious Execution - Add -sc to dclist string for more accurate coverage.
fix: Removal Of Index Value to Hide Schedule Task - Registry - Remove EventType condition that broke the rule.
fix: Removal Of SD Value to Hide Schedule Task - Registry - Remove EventType condition that broke the rule.
fix: Creation of a Local Hidden User Account by Registry - Fix the TargetObject value
fix: Potential Persistence Via New AMSI Providers - Registry - Change logsource and fix the rule logic
fix: Potential COM Object Hijacking Via TreatAs Subkey - Registry - Change logsource and fix the rule logic
fix: Potential Persistence Via Logon Scripts - Registry - Fix incorrect logsource
fix: PUA - Sysinternal Tool Execution - Registry - Fix incorrect logsource
fix: Suspicious Execution Of Renamed Sysinternals Tools - Registry - Fix incorrect logsource
fix: PUA - Sysinternals Tools Execution - Registry - Fix incorrect logsource
chore: add CI script for regression
chore: add regression data

---------

Co-authored-by: swachchhanda000 <87493836+swachchhanda000@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2025-11-25 16:00:53 +01:00
IntelScott
0d7658fb3a Merge PR #5717 from @tropChaud - Add and Enhance Windows Default Domain GPO & RDP Tampering Rules
new: Windows Default Domain GPO Modification
new: Windows Default Domain GPO Modification via GPME
update: Potential Tampering With RDP Related Registry Keys Via Reg.EXE - Add coverage for SecurityLayer value
update: RDP Sensitive Settings Changed - Add coverage for SecurityLayer value
---------

Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
2025-11-23 20:36:08 +05:45
Swachchhanda Shrawan Poudel
fe509498a5 Merge PR #5760 from @swachchhanda000 - Update README and fix a typo
chore: add Saeros project to the readme and fix a typo in the greetings file
2025-11-17 10:44:35 +01:00
phantinuss
c2f1eb41bc Merge PR #5756 from @phantinuss - add a check for duplicate IDs over all rules that ever existed
chore: ci: add a check for duplicate ids over all rules that ever existed
chore: change duplicate IDs in obsoleted rules
---------

Co-authored-by: nasbench <nasbench@users.noreply.github.com>
2025-11-13 14:22:02 +01:00
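The duplicate-ID check mentioned above is described only by its commit message. As an added example (not the project's CI script), the block below shows the shape of such a check: every rule file, including those under deprecated or obsoleted directories, is scanned for its top-level `id:`, and any UUID that appears in more than one file is reported. The sample rule texts and directory names are constructed for the example; the one real subtlety it handles is that Sigma rules also carry nested `- id:` entries under `related:`, which must not be mistaken for the rule's own ID.

```python
"""Duplicate rule-ID check over every rule file, live or deprecated.

Added example, not the SigmaHQ repository's own script. Works on plain text
rather than a YAML parser so it runs with the standard library alone.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Anchored at column 0 so the indented `- id:` lines under `related:` are ignored.
_TOP_LEVEL_ID = re.compile(r"^id:\s*([0-9a-fA-F-]{36})\s*$", re.MULTILINE)


def rule_id(text: str) -> Optional[str]:
    """Return the rule's own (top-level) ID, lower-cased, or None if absent."""
    m = _TOP_LEVEL_ID.search(text)
    return m.group(1).lower() if m else None


def find_duplicate_ids(rules: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each ID used by more than one file to the sorted list of those files.

    `rules` maps a file path to the file's text. Deprecated and obsoleted
    rules are passed in alongside live ones so a retired ID cannot be reused.
    """
    seen: Dict[str, List[str]] = defaultdict(list)
    for path, text in rules.items():
        rid = rule_id(text)
        if rid is None:
            continue  # a missing ID is a separate validator finding
        seen[rid].append(path)
    return {rid: sorted(paths) for rid, paths in seen.items() if len(paths) > 1}


# Constructed sample rules; the UUIDs and paths are invented.
SAMPLE_RULES: Dict[str, str] = {
    "rules/windows/process_creation/proc_creation_win_example_a.yml": """\
title: Example A
id: 11111111-1111-4111-8111-111111111111
status: test
related:
    - id: 22222222-2222-4222-8222-222222222222
      type: similar
""",
    "rules/windows/process_creation/proc_creation_win_example_b.yml": """\
title: Example B
id: 22222222-2222-4222-8222-222222222222
status: experimental
""",
    "deprecated/windows/proc_creation_win_example_old.yml": """\
title: Example Old
id: 22222222-2222-4222-8222-222222222222
status: deprecated
""",
    "rules-emerging-threats/2024/example_c.yml": """\
title: Example C
id: 33333333-3333-4333-8333-333333333333
status: test
""",
}

if __name__ == "__main__":
    dupes = find_duplicate_ids(SAMPLE_RULES)
    for rid, paths in dupes.items():
        print(f"duplicate id {rid}:")
        for p in paths:
            print(f"  {p}")
    raise SystemExit(1 if dupes else 0)
```

In CI the non-zero exit is what makes the job fail; the `related:` reference in Example A to Example B's ID is a legitimate cross-reference and is correctly left out of the report, while the live Example B and the deprecated Example Old sharing an ID is the collision the check exists to catch.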
phantinuss
6503f15149 Merge PR #5754 from @phantinuss - chore: ci: fix greeter part 2
chore: ci: fix greeter part 2
2025-11-12 11:59:34 +01:00
phantinuss
f804cba558 Merge PR #5753 from @phantinuss - chore: ci: fix label and greeter action
chore: ci: fix labeler for version 6
chore: ci: fix greeter for version 3

---------

Co-authored-by: nasbench <nasbench@users.noreply.github.com>
2025-11-12 11:47:14 +01:00
phantinuss
714d7b41b9 Merge PR #5750 from @phantinuss - chore: ci: bump action and validator versions
chore: ci: bump action and validator versions
2025-11-11 14:16:50 +01:00
Nasreddine Bencherchali
f61f66e745 Merge PR #5733 from @nasbench - fix windash issues and some renames
fix: Office Macro File Download - Reduce level to low due to FPs spotted via VT.
fix: Suspicious CustomShellHost Execution - Increased level to high due to low FP rate spotted via VT.
fix: Explorer Process Tree Break - Fix incorrect usage of windash with the all modifier, that broke the logic.
fix: MSDT Execution Via Answer File - Rename rule as well as introduce usage of windash for increased coverage.
fix: Capture Credentials with Rpcping.exe - Fix incorrect usage of windash with the all modifier, that broke the logic.
fix: Wlrmdr.EXE Uncommon Argument Or Child Process - Fix incorrect usage of windash with the all modifier, that broke the logic.

---------

Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
2025-11-10 12:12:34 +01:00
github-actions[bot]
25710bbb76 Merge PR #5737 from @nasbench - Archive new rule references and update cache file
chore: archive new rule references and update cache file


Co-authored-by: nasbench <nasbench@users.noreply.github.com>
2025-11-02 00:10:54 +01:00
phantinuss
309bd61b42 Merge PR #5726 from @phantinuss - chore: ci: add merge_group trigger to CI jobs
chore: ci: add merge_group trigger to CI jobs
2025-10-27 12:58:32 +01:00
phantinuss
c8075cab6b chore: ci: bump validator version (#5722)
chore: ci: bump validator version
chore: add missing tags

---------

Co-authored-by: nasbench <nasbench@users.noreply.github.com>
2025-10-23 15:43:47 +02:00
phantinuss
698bf52124 Merge PR #5709 from @phantinuss - chore: ci: fix duplicate install
chore: ci: fix duplicate install
chore: ci: run tests independent of paths
2025-10-20 14:59:27 +02:00
phantinuss
9d91858f3e Merge PR #5701 from @phantinuss - Enhance CI Tests
chore: ci: let yamllint fail on warnings as well
chore: fix comment whitespace
chore: ci: run single tests in their own job
2025-10-17 13:05:57 +02:00
github-actions[bot]
b4c6facc1d Merge PR #5693 from @nasbench - chore: archive new rule references and update cache file
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
2025-10-15 09:51:23 +02:00
phantinuss
b242175fe4 Merge PR #5679 from @swachchhanda000 - chore: update evtx baseline to v0.8.2
chore: update evtx baseline to v0.8.2 and fix FPs
---------

Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
2025-10-09 13:03:39 +02:00
github-actions[bot]
019971e1c9 Merge PR #5667 from @nasbench - chore: archive new rule references and update cache file
chore: archive new rule references and update cache file

Co-authored-by: nasbench <nasbench@users.noreply.github.com>
2025-10-01 10:01:54 +02:00
github-actions[bot]
12d87e7690 Merge PR #5636 from @phantinuss - Update ATT&CK Heatmap Coverage
* chore: update ATT&CK heatmap

* chore: update heatmap SVG

* chore: tweak output for attack map svg

---------

Co-authored-by: phantinuss <phantinuss@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2025-09-22 11:42:05 +02:00
github-actions[bot]
f76a82ddc9 Merge PR #5638 from @nasbench - Archive new rule references and update cache file
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
2025-09-22 11:41:18 +02:00
github-actions[bot]
1751ef8673 Merge PR #5597 from @nasbench - Archive new rule references and update cache file
chore: archive new rule references and update cache file

Co-authored-by: nasbench <nasbench@users.noreply.github.com>
2025-08-29 10:31:14 +02:00
phantinuss
4f4f468c4a Merge PR #5557 from @phantinuss - Bump pySigma-validators-sigmahq to 0.10
chore: bump pySigma-validators-sigmahq to 0.10
2025-08-14 14:29:11 +02:00
github-actions[bot]
f9d2a493f9 Merge PR #5573 from @nasbench - Archive new rule references and update cache file
chore: archive new rule references and update cache file

Co-authored-by: nasbench <nasbench@users.noreply.github.com>
2025-08-14 14:06:15 +02:00
github-actions[bot]
43304188c2 chore: archive new rule references and update cache file
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
2025-07-15 11:38:58 +02:00
github-actions[bot]
ff2c7bf284 Merge PR #5507 from @nasbench - archive new rule references and update cache file
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
2025-07-01 10:53:58 +02:00
github-actions[bot]
be3f2bc7bd Merge PR #5505 from @phantinuss - Update ATT&CK Heatmap Coverage
chore: update ATT&CK heatmap
chore: add updated ATT&CK coverage image
chore: point heatmap link to master

---------

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2025-07-01 10:48:15 +02:00
Cameron Roberts
bdba8881c8 Merge PR #5213 from @JrOrOneEquals1 - Workflow to update ATT&CK heatmap json
chore: workflow - auto-update ATT&CK heatmap
---------

Co-authored-by: nasbench <nasbench@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2025-06-24 13:16:34 +02:00
github-actions[bot]
df556b9675 Merge PR #5480 from @phantinuss - Archive new rule references and update cache file
chore: archive new rule references and update cache file
2025-06-16 12:55:39 +02:00
Ariel Otilibili
a1c9827a35 Merge PR #5402 from @ariel-anieli - feat: add JSON output format for deprecated rule summary
chore: tests/deprecated_rules.py - add json output format
chore: add deprecated/deprecated.json
chore: update README and workflow job accordingly

---------

Signed-off-by: Ariel Otilibili <otilibil@eurecom.fr>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2025-06-13 10:59:34 +02:00
phantinuss
dbf8921652 chore: fix typo as suggested in #5472 2025-06-12 12:41:09 +02:00
phantinuss
a38664c771 Merge PR #5443 from @phantinuss - Pin Sigma Validator package to minor version only
chore: Pin Sigma Validator package to minor version only
2025-06-04 14:58:58 +02:00
github-actions[bot]
f3948c7bdf Merge PR #5449 from @nasbench - Archive new rule references and update cache file
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
2025-06-02 13:29:26 +02:00
phantinuss
8259948a3f Merge PR #5421 from @phantinuss - Update evtx-baseline
chore: update evtx-baseline
2025-05-20 23:15:57 +02:00
github-actions[bot]
e9aa3eb2b3 Merge PR #5398 from @nasbench - Archive new rule references and update cache file
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
2025-05-20 23:03:44 +02:00
phantinuss
19568ae667 chore: update pySigma validators 2025-05-08 11:00:04 +02:00
phantinuss
58cb9a11e3 chore: add tests/sigma_cli_conf.yml to tracked files 2025-05-05 10:17:15 +02:00
phantinuss
f47604b735 chore: update pySigma validators 2025-04-30 11:31:22 +02:00
github-actions[bot]
36394d43a0 Merge PR #5250 from @nasbench - Archive new rule references and update cache file
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
2025-04-17 00:41:06 +02:00
github-actions[bot]
4a3cb8b774 Merge PR #5230 from @nasbench - Archive new rule references and update cache file
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
2025-03-16 03:08:28 +01:00
frack113
3ce034bb20 Merge PR #4858 from @frack113 - Add summary csv file, workflow and generation script for deprecated rules
chore: add summary csv file, workflow and generation script for deprecated rules

---------

Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com>
2025-03-05 00:59:36 +01:00