Fix remaining issues #5708
Merged
Fix remaining issues #5708
+81
−57
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
github-actions
bot
added
Rules
Windows
rules-emerging-threats/2019/Malware/Dtrack-RAT/proc_creation_win_malware_dtrack.yml
Outdated
Show resolved
Hide resolved
swachchhanda000
approved these changes
Oct 20, 2025
swachchhanda000
added
2nd Review Needed
and removed
Review Needed
phantinuss
reviewed
Oct 20, 2025
Collaborator
phantinuss
left a comment
phantinuss
left a comment
There was a problem hiding this comment.
In general we are making use of "or lists" more and more. It's something we tried to prevent in the past, making use of selections instead. Is that something we still want to discourage or open it up?
My personal opinion is that I'd like to not use or lists at all but I think it's not something we specified anywhere.
rules-emerging-threats/2019/Malware/Dtrack-RAT/proc_creation_win_malware_dtrack.yml
Outdated
Show resolved
Hide resolved
.../TA/Mint-Sandstorm/proc_creation_win_apt_mint_sandstorm_aspera_faspex_susp_child_process.yml
Outdated
Show resolved
Hide resolved
rules-emerging-threats/2019/Malware/Snatch/proc_creation_win_malware_snatch_ransomware.yml
Outdated
Show resolved
Hide resolved
…in_malware_dtrack.yml Co-authored-by: phantinuss <[email protected]>
…alware_snatch_ransomware.yml Co-authored-by: phantinuss <[email protected]>
phantinuss
approved these changes
Oct 29, 2025
rules/windows/process_creation/proc_creation_win_susp_network_command.yml
Outdated
Show resolved
Hide resolved
swachchhanda000
pushed a commit
to montysecurity/sigma
that referenced
this pull request
Nov 19, 2025
fix: Turla Group Commands May 2020 - Change the commandline to regex to account for additional spaces when ingesting non XML version of logs from the eventlog. fix: Potential Dtrack RAT Activity - Change the commandline to regex to account for additional spaces when ingesting non XML version of logs from the eventlog. fix: Potential Data Exfiltration Activity Via CommandLine Tools - Change the commandline to regex to account for additional spaces when ingesting non XML version of logs from the eventlog. fix: Suspicious Network Command - Change the commandline to regex to account for additional spaces when ingesting non XML version of logs from the eventlog. fix: Suspicious SYSTEM User Process Creation - Change the commandline to regex to account for additional spaces when ingesting non XML version of logs from the eventlog. fix: Potential Snatch Ransomware Activity - Change the commandline to regex to account for additional spaces when ingesting non XML version of logs from the eventlog. fix: Potential Devil Bait Malware Reconnaissance - Change the commandline to regex to account for additional spaces when ingesting non XML version of logs from the eventlog. fix: Mint Sandstorm - AsperaFaspex Suspicious Process Execution - Change the commandline to regex to account for additional spaces when ingesting non XML version of logs from the eventlog. fix: Mint Sandstorm - ManageEngine Suspicious Process Execution - Change the commandline to regex to account for additional spaces when ingesting non XML version of logs from the eventlog. update: Powershell Token Obfuscation - Powershell - Move to the TH folder in order to set the right FP expectations. fix: Kerberoasting Activity - Initial Query - Fix issue with filter names and logic chore: add sorting to the rule archiver script --------- Thanks: KingKDot Thanks: zambomarcell Thanks: Koifman Co-authored-by: phantinuss <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary of the Pull Request
This PR fixe some outstanding issues.
The main one was related to additional spaces added by Windows for logs presented in the general view of the event log. Since you can ingest log in that format, I fixed some rules that were easy to fix and to spot. But the general idea here is that all rules going forward that make use of spaces inside the CLI should be transformed into regex. - See #4914
Changelog
fix: Turla Group Commands May 2020 - Change the commandline to regex to account for additional spaces when ingesting non XML version of logs from the eventlog.
fix: Potential Dtrack RAT Activity - Change the commandline to regex to account for additional spaces when ingesting non XML version of logs from the eventlog.
fix: Potential Data Exfiltration Activity Via CommandLine Tools - Change the commandline to regex to account for additional spaces when ingesting non XML version of logs from the eventlog.
fix: Suspicious Network Command - Change the commandline to regex to account for additional spaces when ingesting non XML version of logs from the eventlog.
fix: Suspicious SYSTEM User Process Creation - Change the commandline to regex to account for additional spaces when ingesting non XML version of logs from the eventlog.
fix: Potential Snatch Ransomware Activity - Change the commandline to regex to account for additional spaces when ingesting non XML version of logs from the eventlog.
fix: Potential Devil Bait Malware Reconnaissance - Change the commandline to regex to account for additional spaces when ingesting non XML version of logs from the eventlog.
fix: Mint Sandstorm - AsperaFaspex Suspicious Process Execution - Change the commandline to regex to account for additional spaces when ingesting non XML version of logs from the eventlog.
fix: Mint Sandstorm - ManageEngine Suspicious Process Execution - Change the commandline to regex to account for additional spaces when ingesting non XML version of logs from the eventlog.
update: Powershell Token Obfuscation - Powershell - Move to the TH folder in order to set the right FP expectations.
fix: Kerberoasting Activity - Initial Query - Fix issue with filter names and logic
chore: add sorting to the rule archiver script
Example Log Event
Fixed Issues
SigmaHQ Rule Creation Conventions