diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md index d9128e7659d..f9e95e5f2df 100644 --- a/.github/PULL_REQUEST_TEMPLATE.md +++ b/.github/PULL_REQUEST_TEMPLATE.md @@ -8,7 +8,7 @@ Thanks for your contribution. Please make sure to fill the contents of this temp <!-- **Please note that this section is required and must be filled** -A short summary of your pull request. +A short summary of your pull request. --> ### Changelog @@ -19,6 +19,7 @@ You need to add one line for every changed file of the PR and prefix one of the new: <title> update: <title> - <optional comment> fix: <title> - <optional comment> +remove: <title> - <optional comment> chore: for non-detection related changes (e.g. dates/titles) and changes on workflow e.g. @@ -26,6 +27,7 @@ new: Brute-Force Attacks on Azure Admin Account update: Suspicious Microsoft Office Child Process - add MSPUB.EXE fix: Malware User Agent - remove legitimate Firefox UA chore: workflow - update checkout version +remove: Suspicious Office Execution - deprecated in favour of 8f922766-a1d3-4b57-9966-b27de37fddd2 --> ### Example Log Event diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 28363258c91..f5fa8ac7fc1 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -24,10 +24,13 @@ jobs: git log --pretty=%B ${prev_tag}..${curr_tag} | grep -E '^\s*new: ' | sort | sed -e 's%^% - %' >> changes.txt if [[ $(git log --pretty=%B ${prev_tag}..${curr_tag} | grep -E '^\s*update: ' -c) -gt 0 ]]; then echo "### Updated Rules" >> changes.txt; fi git log --pretty=%B ${prev_tag}..${curr_tag} | grep -E '^\s*update: ' | sort | sed -e 's%^% - %' >> changes.txt + if [[ $(git log --pretty=%B ${prev_tag}..${curr_tag} | grep -E '^\s*remove: ' -c) -gt 0 ]]; then echo "### Removed / Deprecated Rules" >> changes.txt; fi + git log --pretty=%B ${prev_tag}..${curr_tag} | grep -E '^\s*remove: ' | sort | sed -e 's%^% - %' >> changes.txt if [[ $(git log --pretty=%B ${prev_tag}..${curr_tag} | grep -E '^\s*fix: ' -c) -gt 0 ]]; then echo "### Fixed Rules" >> changes.txt; fi git log --pretty=%B ${prev_tag}..${curr_tag} | grep -E '^\s*fix: ' | sort | sed -e 's%^% - %' >> changes.txt git log --pretty=%B ${prev_tag}..${curr_tag} | grep -ioP 'Merge PR #\d+ from \K(@\S+)' | sort -u > authors_raw.txt git log --pretty=%B ${prev_tag}..${curr_tag} | grep -oP "Co-authored-by: \K.*(?= <)" | sort -u | sed -e 's%^%@%' >> authors_raw.txt + git log --pretty=%B ${prev_tag}..${curr_tag} | grep -ioP "Thanks: \K.*" | sort -u >> authors_raw.txt LC_ALL=en_US.UTF-8 sort -u authors_raw.txt | grep -v 'dependabot\[bot\]' > authors.txt cat changes.txt >> changelog.txt echo "" >> changelog.txt diff --git a/.github/workflows/sigma-test.yml b/.github/workflows/sigma-test.yml index c50ce6a06e9..effaa0152dd 100644 --- a/.github/workflows/sigma-test.yml +++ b/.github/workflows/sigma-test.yml @@ -7,27 +7,27 @@ on: # yamllint disable-line rule:truthy push: branches: - "*" - # paths: - # - "deprecated/**.yml" - # - "rules-compliance/**.yml" - # - "rules-dfir/**.yml" - # - "rules-emerging-threats/**.yml" - # - "rules-placeholder/**.yml" - # - "rules-threat-hunting/**.yml" - # - "rules/**.yml" - # - "unsupported/**.yml" + paths: + - "deprecated/**.yml" + - "rules-compliance/**.yml" + - "rules-dfir/**.yml" + - "rules-emerging-threats/**.yml" + - "rules-placeholder/**.yml" + - "rules-threat-hunting/**.yml" + - "rules/**.yml" + - "unsupported/**.yml" pull_request: branches: - master - # paths: - # - "deprecated/**.yml" - # - "rules-compliance/**.yml" - # - "rules-dfir/**.yml" - # - "rules-emerging-threats/**.yml" - # - "rules-placeholder/**.yml" - # - "rules-threat-hunting/**.yml" - # - "rules/**.yml" - # - "unsupported/**.yml" + paths: + - "deprecated/**.yml" + - "rules-compliance/**.yml" + - "rules-dfir/**.yml" + - "rules-emerging-threats/**.yml" + - "rules-placeholder/**.yml" + - "rules-threat-hunting/**.yml" + - "rules/**.yml" + - "unsupported/**.yml" # Allows you to run this workflow manually from the Actions tab workflow_dispatch: diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_executable_invalid_extension.yml b/rules/windows/process_creation/proc_creation_win_rundll32_executable_invalid_extension.yml index ef78547f4a7..4c1d07befef 100644 --- a/rules/windows/process_creation/proc_creation_win_rundll32_executable_invalid_extension.yml +++ b/rules/windows/process_creation/proc_creation_win_rundll32_executable_invalid_extension.yml @@ -6,7 +6,7 @@ references: - https://twitter.com/mrd0x/status/1481630810495139841?s=12 author: Tim Shelton, Florian Roth (Nextron Systems), Yassine Oukessou (fix + fp) date: 2022/01/13 -modified: 2023/10/11 +modified: 2023/11/14 tags: - attack.defense_evasion - attack.t1218.011 @@ -51,9 +51,6 @@ detection: - 'C:\Windows\Installer\MSI' - '.tmp' - 'zzzzInvokeManagedCustomActionOutOfProc' - CommandLine|contains: - - 'Avira.OE.Setup' - - 'FindOldJetBrainsProduct' condition: selection and not 1 of filter_* fields: - Image