Skip to content

Commit

Permalink
Merge PR #4581 from @phantinuss - Remove in changlog, additional attr…
Browse files Browse the repository at this point in the history
…ibution, workflow optimization, FP tuning

chore: run sigma rule repo tests only on specific paths
chore: add manual thanks and list removed rules in changelog
fix: Rundll32 Execution Without DLL File - remove command line restriction bc of numerous FPs

---------

Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
  • Loading branch information
phantinuss and nasbench authored Nov 20, 2023
1 parent e506e45 commit 130227b
Show file tree
Hide file tree
Showing 4 changed files with 25 additions and 23 deletions.
4 changes: 3 additions & 1 deletion .github/PULL_REQUEST_TEMPLATE.md
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@ Thanks for your contribution. Please make sure to fill the contents of this temp

<!--
**Please note that this section is required and must be filled**
A short summary of your pull request.
A short summary of your pull request.
-->

### Changelog
Expand All @@ -19,13 +19,15 @@ You need to add one line for every changed file of the PR and prefix one of the
new: <title>
update: <title> - <optional comment>
fix: <title> - <optional comment>
remove: <title> - <optional comment>
chore: for non-detection related changes (e.g. dates/titles) and changes on workflow
e.g.
new: Brute-Force Attacks on Azure Admin Account
update: Suspicious Microsoft Office Child Process - add MSPUB.EXE
fix: Malware User Agent - remove legitimate Firefox UA
chore: workflow - update checkout version
remove: Suspicious Office Execution - deprecated in favour of 8f922766-a1d3-4b57-9966-b27de37fddd2
-->

### Example Log Event
Expand Down
3 changes: 3 additions & 0 deletions .github/workflows/release.yml
Original file line number Diff line number Diff line change
Expand Up @@ -24,10 +24,13 @@ jobs:
git log --pretty=%B ${prev_tag}..${curr_tag} | grep -E '^\s*new: ' | sort | sed -e 's%^% - %' >> changes.txt
if [[ $(git log --pretty=%B ${prev_tag}..${curr_tag} | grep -E '^\s*update: ' -c) -gt 0 ]]; then echo "### Updated Rules" >> changes.txt; fi
git log --pretty=%B ${prev_tag}..${curr_tag} | grep -E '^\s*update: ' | sort | sed -e 's%^% - %' >> changes.txt
if [[ $(git log --pretty=%B ${prev_tag}..${curr_tag} | grep -E '^\s*remove: ' -c) -gt 0 ]]; then echo "### Removed / Deprecated Rules" >> changes.txt; fi
git log --pretty=%B ${prev_tag}..${curr_tag} | grep -E '^\s*remove: ' | sort | sed -e 's%^% - %' >> changes.txt
if [[ $(git log --pretty=%B ${prev_tag}..${curr_tag} | grep -E '^\s*fix: ' -c) -gt 0 ]]; then echo "### Fixed Rules" >> changes.txt; fi
git log --pretty=%B ${prev_tag}..${curr_tag} | grep -E '^\s*fix: ' | sort | sed -e 's%^% - %' >> changes.txt
git log --pretty=%B ${prev_tag}..${curr_tag} | grep -ioP 'Merge PR #\d+ from \K(@\S+)' | sort -u > authors_raw.txt
git log --pretty=%B ${prev_tag}..${curr_tag} | grep -oP "Co-authored-by: \K.*(?= <)" | sort -u | sed -e 's%^%@%' >> authors_raw.txt
git log --pretty=%B ${prev_tag}..${curr_tag} | grep -ioP "Thanks: \K.*" | sort -u >> authors_raw.txt
LC_ALL=en_US.UTF-8 sort -u authors_raw.txt | grep -v 'dependabot\[bot\]' > authors.txt
cat changes.txt >> changelog.txt
echo "" >> changelog.txt
Expand Down
36 changes: 18 additions & 18 deletions .github/workflows/sigma-test.yml
Original file line number Diff line number Diff line change
Expand Up @@ -7,27 +7,27 @@ on: # yamllint disable-line rule:truthy
push:
branches:
- "*"
# paths:
# - "deprecated/**.yml"
# - "rules-compliance/**.yml"
# - "rules-dfir/**.yml"
# - "rules-emerging-threats/**.yml"
# - "rules-placeholder/**.yml"
# - "rules-threat-hunting/**.yml"
# - "rules/**.yml"
# - "unsupported/**.yml"
paths:
- "deprecated/**.yml"
- "rules-compliance/**.yml"
- "rules-dfir/**.yml"
- "rules-emerging-threats/**.yml"
- "rules-placeholder/**.yml"
- "rules-threat-hunting/**.yml"
- "rules/**.yml"
- "unsupported/**.yml"
pull_request:
branches:
- master
# paths:
# - "deprecated/**.yml"
# - "rules-compliance/**.yml"
# - "rules-dfir/**.yml"
# - "rules-emerging-threats/**.yml"
# - "rules-placeholder/**.yml"
# - "rules-threat-hunting/**.yml"
# - "rules/**.yml"
# - "unsupported/**.yml"
paths:
- "deprecated/**.yml"
- "rules-compliance/**.yml"
- "rules-dfir/**.yml"
- "rules-emerging-threats/**.yml"
- "rules-placeholder/**.yml"
- "rules-threat-hunting/**.yml"
- "rules/**.yml"
- "unsupported/**.yml"

# Allows you to run this workflow manually from the Actions tab
workflow_dispatch:
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,7 @@ references:
- https://twitter.com/mrd0x/status/1481630810495139841?s=12
author: Tim Shelton, Florian Roth (Nextron Systems), Yassine Oukessou (fix + fp)
date: 2022/01/13
modified: 2023/10/11
modified: 2023/11/14
tags:
- attack.defense_evasion
- attack.t1218.011
Expand Down Expand Up @@ -51,9 +51,6 @@ detection:
- 'C:\Windows\Installer\MSI'
- '.tmp'
- 'zzzzInvokeManagedCustomActionOutOfProc'
CommandLine|contains:
- 'Avira.OE.Setup'
- 'FindOldJetBrainsProduct'
condition: selection and not 1 of filter_*
fields:
- Image
Expand Down

0 comments on commit 130227b

Please sign in to comment.