{"payload":{"feedbackUrl":"https://github.com/orgs/community/discussions/53140","repo":{"id":77276660,"defaultBranch":"master","name":"sigma","ownerLogin":"SigmaHQ","currentUserCanPush":false,"isFork":false,"isEmpty":false,"createdAt":"2016-12-24T09:48:49.000Z","ownerAvatar":"https://avatars.githubusercontent.com/u/79842123?v=4","public":true,"private":false,"isOrgOwned":true},"refInfo":{"name":"","listCacheKey":"v0:1714408894.0","currentOid":""},"activityList":{"items":[{"before":"45b93fcfabe6e10a03773fbc73d1ed5b7a4a2d92","after":"f7ec5337049a1261116f6d5b09f32984b3809429","ref":"refs/heads/master","pushedAt":"2024-05-02T08:34:25.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"nasbench","name":"Nasreddine Bencherchali","path":"/nasbench","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/8741929?s=80&v=4"},"commit":{"message":"Merge PR #4841 from @nasbench - Promote older rules status from `experimental` to `test`\n\nchore: promote older rules status from \"experimental\" to \"test\"","shortMessageHtmlLink":"Merge PR <a class=\"issue-link js-issue-link\" data-error-text=\"Failed to load title\" data-id=\"2272697057\" data-permission-text=\"Title is private\" data-url=\"https://github.com/SigmaHQ/sigma/issues/4841\" data-hovercard-type=\"pull_request\" data-hovercard-url=\"/SigmaHQ/sigma/pull/4841/hovercard\" href=\"https://github.com/SigmaHQ/sigma/pull/4841\">#4841</a> from <a class=\"user-mention notranslate\" data-hovercard-type=\"user\" data-hovercard-url=\"/users/nasbench/hovercard\" data-octo-click=\"hovercard-link-click\" data-octo-dimensions=\"link_type:self\" href=\"https://github.com/nasbench\">@nasbench</a> - Promote older rules status from `expe…"}},{"before":"39db80478e36599be3b25d9cdbd2c168815c4ea3","after":"45b93fcfabe6e10a03773fbc73d1ed5b7a4a2d92","ref":"refs/heads/master","pushedAt":"2024-05-02T08:33:45.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"nasbench","name":"Nasreddine Bencherchali","path":"/nasbench","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/8741929?s=80&v=4"},"commit":{"message":"Merge PR #4842 from @nasbench - Archive new rule references and update cache file\n\nchore: archive new rule references and update cache file","shortMessageHtmlLink":"Merge PR <a class=\"issue-link js-issue-link\" data-error-text=\"Failed to load title\" data-id=\"2272780559\" data-permission-text=\"Title is private\" data-url=\"https://github.com/SigmaHQ/sigma/issues/4842\" data-hovercard-type=\"pull_request\" data-hovercard-url=\"/SigmaHQ/sigma/pull/4842/hovercard\" href=\"https://github.com/SigmaHQ/sigma/pull/4842\">#4842</a> from <a class=\"user-mention notranslate\" data-hovercard-type=\"user\" data-hovercard-url=\"/users/nasbench/hovercard\" data-octo-click=\"hovercard-link-click\" data-octo-dimensions=\"link_type:self\" href=\"https://github.com/nasbench\">@nasbench</a> - Archive new rule references and updat…"}},{"before":"711264591b59bf5151bb221c41bbc6b632857fdd","after":"e6d00ab92d75c7a5902d6ad7a2b1e6ed3de03f3c","ref":"refs/heads/create-pull-request/reference-archiver","pushedAt":"2024-05-01T01:51:03.000Z","pushType":"force_push","commitsCount":0,"pusher":{"login":"github-actions[bot]","name":null,"path":"/apps/github-actions","primaryAvatarUrl":"https://avatars.githubusercontent.com/in/15368?s=80&v=4"},"commit":{"message":"chore: archive new rule references and update cache file","shortMessageHtmlLink":"chore: archive new rule references and update cache file"}},{"before":"f165ff074a868fa210a3a7f7f5e6fde93c5dfb6b","after":"5c56c7777aeeaab35061b1d81c7508a3874e2d84","ref":"refs/heads/create-pull-request/rule-promotion","pushedAt":"2024-05-01T00:18:42.000Z","pushType":"force_push","commitsCount":0,"pusher":{"login":"github-actions[bot]","name":null,"path":"/apps/github-actions","primaryAvatarUrl":"https://avatars.githubusercontent.com/in/15368?s=80&v=4"},"commit":{"message":"chore: promote older rules status from `experimental` to `test`","shortMessageHtmlLink":"chore: promote older rules status from <code>experimental</code> to <code>test</code>"}},{"before":"6ac615397673dadfe5ae35aff79c5c9e588f5964","after":"39db80478e36599be3b25d9cdbd2c168815c4ea3","ref":"refs/heads/master","pushedAt":"2024-04-29T10:54:38.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"nasbench","name":"Nasreddine Bencherchali","path":"/nasbench","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/8741929?s=80&v=4"},"commit":{"message":"Merge PR #4834 from @CertainlyP - Add `Outbound Network Connection Initiated By Microsoft Dialer`\n\nnew: Outbound Network Connection Initiated By Microsoft Dialer \r\n\r\n---------\r\n\r\nCo-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>","shortMessageHtmlLink":"Merge PR <a class=\"issue-link js-issue-link\" data-error-text=\"Failed to load title\" data-id=\"2260833880\" data-permission-text=\"Title is private\" data-url=\"https://github.com/SigmaHQ/sigma/issues/4834\" data-hovercard-type=\"pull_request\" data-hovercard-url=\"/SigmaHQ/sigma/pull/4834/hovercard\" href=\"https://github.com/SigmaHQ/sigma/pull/4834\">#4834</a> from <a class=\"user-mention notranslate\" data-hovercard-type=\"user\" data-hovercard-url=\"/users/CertainlyP/hovercard\" data-octo-click=\"hovercard-link-click\" data-octo-dimensions=\"link_type:self\" href=\"https://github.com/CertainlyP\">@CertainlyP</a> - Add `Outbound Network Connection In…"}},{"before":"481337a8c3f10e72191b477627b6e8fae2135b39","after":"6ac615397673dadfe5ae35aff79c5c9e588f5964","ref":"refs/heads/master","pushedAt":"2024-04-29T10:53:54.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"nasbench","name":"Nasreddine Bencherchali","path":"/nasbench","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/8741929?s=80&v=4"},"commit":{"message":"Merge PR #4836 from @jamesc-grafana - Update AWS Rule to use fieldref modifier instead of contains\n\nupdate: AWS User Login Profile Was Modified - use fieldref instead of contains modifier\r\n \r\n---------\r\n\r\nCo-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>","shortMessageHtmlLink":"Merge PR <a class=\"issue-link js-issue-link\" data-error-text=\"Failed to load title\" data-id=\"2263226625\" data-permission-text=\"Title is private\" data-url=\"https://github.com/SigmaHQ/sigma/issues/4836\" data-hovercard-type=\"pull_request\" data-hovercard-url=\"/SigmaHQ/sigma/pull/4836/hovercard\" href=\"https://github.com/SigmaHQ/sigma/pull/4836\">#4836</a> from <a class=\"user-mention notranslate\" data-hovercard-type=\"user\" data-hovercard-url=\"/users/jamesc-grafana/hovercard\" data-octo-click=\"hovercard-link-click\" data-octo-dimensions=\"link_type:self\" href=\"https://github.com/jamesc-grafana\">@jamesc-grafana</a> - Update AWS Rule to use fieldref…"}},{"before":"f61c1f4509a127837a6e4205eb26ce1ab4f71aff","after":"481337a8c3f10e72191b477627b6e8fae2135b39","ref":"refs/heads/master","pushedAt":"2024-04-26T13:39:44.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"nasbench","name":"Nasreddine Bencherchali","path":"/nasbench","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/8741929?s=80&v=4"},"commit":{"message":"Merge PR #4837 from @nasbench - fix fp reported in #4820 \n\nfix: ADS Zone.Identifier Deleted By Uncommon Application - Filter out \"chrome\" and \"firefox\" processes.","shortMessageHtmlLink":"Merge PR <a class=\"issue-link js-issue-link\" data-error-text=\"Failed to load title\" data-id=\"2265803084\" data-permission-text=\"Title is private\" data-url=\"https://github.com/SigmaHQ/sigma/issues/4837\" data-hovercard-type=\"pull_request\" data-hovercard-url=\"/SigmaHQ/sigma/pull/4837/hovercard\" href=\"https://github.com/SigmaHQ/sigma/pull/4837\">#4837</a> from <a class=\"user-mention notranslate\" data-hovercard-type=\"user\" data-hovercard-url=\"/users/nasbench/hovercard\" data-octo-click=\"hovercard-link-click\" data-octo-dimensions=\"link_type:self\" href=\"https://github.com/nasbench\">@nasbench</a> - fix fp reported in <a class=\"issue-link js-issue-link\" data-error-text=\"Failed to load title\" data-id=\"2245688452\" data-permission-text=\"Title is private\" data-url=\"https://github.com/SigmaHQ/sigma/issues/4820\" data-hovercard-type=\"issue\" data-hovercard-url=\"/SigmaHQ/sigma/issues/4820/hovercard\" href=\"https://github.com/SigmaHQ/sigma/issues/4820\">#4820</a>"}},{"before":"22b3416feeb2cef891582b5e52bbc80a26b8b620","after":"f61c1f4509a127837a6e4205eb26ce1ab4f71aff","ref":"refs/heads/master","pushedAt":"2024-04-26T11:40:11.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"nasbench","name":"Nasreddine Bencherchali","path":"/nasbench","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/8741929?s=80&v=4"},"commit":{"message":"Merge PR #4832 from @nasbench - Update LOLBIN rules\n\nupdate: Arbitrary DLL or Csproj Code Execution Via Dotnet.EXE - Update logic to add additional variation of the extensions\r\nupdate: Arbitrary File Download Via ConfigSecurityPolicy.EXE - Update description\r\nupdate: C# IL Code Compilation Via Ilasm.EXE - Add flags to increase accuracy of the rule instead of it focusing on \"any\" execution\r\nupdate: COM Object Execution via Xwizard.EXE - Update logic\r\nupdate: JScript Compiler Execution - Update metadata\r\nupdate: ManageEngine Endpoint Central Dctask64.EXE Potential Abuse - Update logic to account for flags and increase accuracy\r\nupdate: Potential Application Whitelisting Bypass via Dnx.EXE - Update description\r\nupdate: Potential Arbitrary Command Execution Via FTP.EXE - Use \"windash\" modifier and update description\r\nupdate: Potential Arbitrary File Download Via Cmdl32.EXE - Remove unnecessary spaces to account for flags being at the end.\r\nupdate: Renamed ZOHO Dctask64 Execution - Add additional imphash values\r\nupdate: Windows Kernel Debugger Execution - Reduce level to \"medium\"\r\nupdate: Xwizard.EXE Execution From Non-Default Location - Update description\r\n\r\n---------\r\n\r\nCo-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>","shortMessageHtmlLink":"Merge PR <a class=\"issue-link js-issue-link\" data-error-text=\"Failed to load title\" data-id=\"2257582129\" data-permission-text=\"Title is private\" data-url=\"https://github.com/SigmaHQ/sigma/issues/4832\" data-hovercard-type=\"pull_request\" data-hovercard-url=\"/SigmaHQ/sigma/pull/4832/hovercard\" href=\"https://github.com/SigmaHQ/sigma/pull/4832\">#4832</a> from <a class=\"user-mention notranslate\" data-hovercard-type=\"user\" data-hovercard-url=\"/users/nasbench/hovercard\" data-octo-click=\"hovercard-link-click\" data-octo-dimensions=\"link_type:self\" href=\"https://github.com/nasbench\">@nasbench</a> - Update LOLBIN rules"}},{"before":"c31507f74ecbc9c6846ee03535839adbda92ff61","after":"22b3416feeb2cef891582b5e52bbc80a26b8b620","ref":"refs/heads/master","pushedAt":"2024-04-25T14:31:57.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"nasbench","name":"Nasreddine Bencherchali","path":"/nasbench","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/8741929?s=80&v=4"},"commit":{"message":"Merge PR #4829 from @frack113 - Add `Network Connection Initiated By RegAsm.EXE`\n\nnew: Network Connection Initiated By RegAsm.EXE\r\n \r\n---------\r\n\r\nCo-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>\r\nCo-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>","shortMessageHtmlLink":"Merge PR <a class=\"issue-link js-issue-link\" data-error-text=\"Failed to load title\" data-id=\"2251176434\" data-permission-text=\"Title is private\" data-url=\"https://github.com/SigmaHQ/sigma/issues/4829\" data-hovercard-type=\"pull_request\" data-hovercard-url=\"/SigmaHQ/sigma/pull/4829/hovercard\" href=\"https://github.com/SigmaHQ/sigma/pull/4829\">#4829</a> from <a class=\"user-mention notranslate\" data-hovercard-type=\"user\" data-hovercard-url=\"/users/frack113/hovercard\" data-octo-click=\"hovercard-link-click\" data-octo-dimensions=\"link_type:self\" href=\"https://github.com/frack113\">@frack113</a> - Add `Network Connection Initiated By …"}},{"before":"7a947f43f88e10ff78c0dabe516861c2b1fa1d7c","after":"c31507f74ecbc9c6846ee03535839adbda92ff61","ref":"refs/heads/master","pushedAt":"2024-04-25T13:18:58.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"phantinuss","name":null,"path":"/phantinuss","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/79651203?s=80&v=4"},"commit":{"message":"Merge PR #4824 from @dan21san - New PUA SoftPerfect\n\nnew: PUA - SoftPerfect Netscan Execution\r\n\r\n---------\r\n\r\nCo-authored-by: Degasperi <Daniel.Degasperi.ext@wuerth-phoenix.com>\r\nCo-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>","shortMessageHtmlLink":"Merge PR <a class=\"issue-link js-issue-link\" data-error-text=\"Failed to load title\" data-id=\"2250063860\" data-permission-text=\"Title is private\" data-url=\"https://github.com/SigmaHQ/sigma/issues/4824\" data-hovercard-type=\"pull_request\" data-hovercard-url=\"/SigmaHQ/sigma/pull/4824/hovercard\" href=\"https://github.com/SigmaHQ/sigma/pull/4824\">#4824</a> from <a class=\"user-mention notranslate\" data-hovercard-type=\"user\" data-hovercard-url=\"/users/dan21san/hovercard\" data-octo-click=\"hovercard-link-click\" data-octo-dimensions=\"link_type:self\" href=\"https://github.com/dan21san\">@dan21san</a> - New PUA SoftPerfect"}},{"before":"2ef1a3b0963b51d95a2637ff2c72d9e8468067d6","after":"7a947f43f88e10ff78c0dabe516861c2b1fa1d7c","ref":"refs/heads/master","pushedAt":"2024-04-25T12:57:26.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"phantinuss","name":null,"path":"/phantinuss","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/79651203?s=80&v=4"},"commit":{"message":"Merge PR #4827 from @netgrain - New analytic for python pth files\n\nnew: Python Path Configuration File Creation - Linux\r\nnew: Python Path Configuration File Creation - Macos\r\nnew: Python Path Configuration File Creation - Windows\r\n\r\n---------\r\n\r\nCo-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>","shortMessageHtmlLink":"Merge PR <a class=\"issue-link js-issue-link\" data-error-text=\"Failed to load title\" data-id=\"2250797950\" data-permission-text=\"Title is private\" data-url=\"https://github.com/SigmaHQ/sigma/issues/4827\" data-hovercard-type=\"pull_request\" data-hovercard-url=\"/SigmaHQ/sigma/pull/4827/hovercard\" href=\"https://github.com/SigmaHQ/sigma/pull/4827\">#4827</a> from <a class=\"user-mention notranslate\" data-hovercard-type=\"user\" data-hovercard-url=\"/users/netgrain/hovercard\" data-octo-click=\"hovercard-link-click\" data-octo-dimensions=\"link_type:self\" href=\"https://github.com/netgrain\">@netgrain</a> - New analytic for python pth files"}},{"before":"b349447e7d8f85a9dae815595bbe7e9785036691","after":"2ef1a3b0963b51d95a2637ff2c72d9e8468067d6","ref":"refs/heads/master","pushedAt":"2024-04-25T12:46:07.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"phantinuss","name":null,"path":"/phantinuss","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/79651203?s=80&v=4"},"commit":{"message":"Merge PR #4825 from @netgrain - New analytic for CVE-2024-3400\n\nnew: Potential CVE-2024-3400 Exploitation - Palo Alto GlobalProtect OS Command Injection - File Creation\r\n---------\r\n\r\nCo-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>","shortMessageHtmlLink":"Merge PR <a class=\"issue-link js-issue-link\" data-error-text=\"Failed to load title\" data-id=\"2250092754\" data-permission-text=\"Title is private\" data-url=\"https://github.com/SigmaHQ/sigma/issues/4825\" data-hovercard-type=\"pull_request\" data-hovercard-url=\"/SigmaHQ/sigma/pull/4825/hovercard\" href=\"https://github.com/SigmaHQ/sigma/pull/4825\">#4825</a> from <a class=\"user-mention notranslate\" data-hovercard-type=\"user\" data-hovercard-url=\"/users/netgrain/hovercard\" data-octo-click=\"hovercard-link-click\" data-octo-dimensions=\"link_type:self\" href=\"https://github.com/netgrain\">@netgrain</a> - New analytic for <a title=\"CVE-2024-3400\" data-hovercard-type=\"advisory\" data-hovercard-url=\"/advisories/GHSA-v475-xhc9-wfxg/hovercard\" href=\"https://github.com/advisories/GHSA-v475-xhc9-wfxg\">CVE-2024-3400</a>"}},{"before":"8f8ce06ffb8d8fd3433dbffebccd33ec9d23e51a","after":"b349447e7d8f85a9dae815595bbe7e9785036691","ref":"refs/heads/master","pushedAt":"2024-04-24T12:59:24.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"nasbench","name":"Nasreddine Bencherchali","path":"/nasbench","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/8741929?s=80&v=4"},"commit":{"message":"Merge PR #4826 from @nasbench - Add coverage for CVE-2024-3400 \n\nnew: Potential CVE-2024-3400 Exploitation - Palo Alto GlobalProtect OS Command Injection\r\n\r\n---------\r\n\r\nCo-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>","shortMessageHtmlLink":"Merge PR <a class=\"issue-link js-issue-link\" data-error-text=\"Failed to load title\" data-id=\"2250176362\" data-permission-text=\"Title is private\" data-url=\"https://github.com/SigmaHQ/sigma/issues/4826\" data-hovercard-type=\"pull_request\" data-hovercard-url=\"/SigmaHQ/sigma/pull/4826/hovercard\" href=\"https://github.com/SigmaHQ/sigma/pull/4826\">#4826</a> from <a class=\"user-mention notranslate\" data-hovercard-type=\"user\" data-hovercard-url=\"/users/nasbench/hovercard\" data-octo-click=\"hovercard-link-click\" data-octo-dimensions=\"link_type:self\" href=\"https://github.com/nasbench\">@nasbench</a> - Add coverage for <a title=\"CVE-2024-3400\" data-hovercard-type=\"advisory\" data-hovercard-url=\"/advisories/GHSA-v475-xhc9-wfxg/hovercard\" href=\"https://github.com/advisories/GHSA-v475-xhc9-wfxg\">CVE-2024-3400</a>"}},{"before":"e1a713d264ac072bb76b5c4e5f41315a015d3f41","after":"8f8ce06ffb8d8fd3433dbffebccd33ec9d23e51a","ref":"refs/heads/master","pushedAt":"2024-04-24T08:04:29.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"nasbench","name":"Nasreddine Bencherchali","path":"/nasbench","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/8741929?s=80&v=4"},"commit":{"message":"Merge PR #4833 from @nasbench - New rules related to Forest Blizzard activity\n\nnew: Forest Blizzard APT - Custom Protocol Handler Creation\r\nnew: Forest Blizzard APT - Custom Protocol Handler DLL Registry Set\r\nnew: Forest Blizzard APT - File Creation Activity\r\nnew: Forest Blizzard APT - JavaScript Constrained File Creation\r\nnew: Forest Blizzard APT - Process Creation Activity","shortMessageHtmlLink":"Merge PR <a class=\"issue-link js-issue-link\" data-error-text=\"Failed to load title\" data-id=\"2258408645\" data-permission-text=\"Title is private\" data-url=\"https://github.com/SigmaHQ/sigma/issues/4833\" data-hovercard-type=\"pull_request\" data-hovercard-url=\"/SigmaHQ/sigma/pull/4833/hovercard\" href=\"https://github.com/SigmaHQ/sigma/pull/4833\">#4833</a> from <a class=\"user-mention notranslate\" data-hovercard-type=\"user\" data-hovercard-url=\"/users/nasbench/hovercard\" data-octo-click=\"hovercard-link-click\" data-octo-dimensions=\"link_type:self\" href=\"https://github.com/nasbench\">@nasbench</a> - New rules related to Forest Blizzard …"}},{"before":"a1a3b2969266b728f8f21b22629959176334115c","after":"e1a713d264ac072bb76b5c4e5f41315a015d3f41","ref":"refs/heads/master","pushedAt":"2024-04-19T09:10:38.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"nasbench","name":"Nasreddine Bencherchali","path":"/nasbench","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/8741929?s=80&v=4"},"commit":{"message":"Merge PR #4823 from @pratinavchandra - Update CLI flag for `Gatekeeper Bypass via Xattr`\n\nupdate: Gatekeeper Bypass via Xattr - Update command line flag \r\n\r\n---------\r\n\r\nCo-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>","shortMessageHtmlLink":"Merge PR <a class=\"issue-link js-issue-link\" data-error-text=\"Failed to load title\" data-id=\"2249859661\" data-permission-text=\"Title is private\" data-url=\"https://github.com/SigmaHQ/sigma/issues/4823\" data-hovercard-type=\"pull_request\" data-hovercard-url=\"/SigmaHQ/sigma/pull/4823/hovercard\" href=\"https://github.com/SigmaHQ/sigma/pull/4823\">#4823</a> from <a class=\"user-mention notranslate\" data-hovercard-type=\"user\" data-hovercard-url=\"/users/pratinavchandra/hovercard\" data-octo-click=\"hovercard-link-click\" data-octo-dimensions=\"link_type:self\" href=\"https://github.com/pratinavchandra\">@pratinavchandra</a> - Update CLI flag for `Gatekeepe…"}},{"before":"2d1c55250b39a525fa043fa0e0a44d2756d17ee7","after":null,"ref":"refs/heads/dependabot/pip/aiohttp-3.9.4","pushedAt":"2024-04-18T22:03:26.000Z","pushType":"branch_deletion","commitsCount":0,"pusher":{"login":"dependabot[bot]","name":null,"path":"/apps/dependabot","primaryAvatarUrl":"https://avatars.githubusercontent.com/in/29110?s=80&v=4"}},{"before":null,"after":"2d1c55250b39a525fa043fa0e0a44d2756d17ee7","ref":"refs/heads/dependabot/pip/aiohttp-3.9.4","pushedAt":"2024-04-18T15:35:08.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"dependabot[bot]","name":null,"path":"/apps/dependabot","primaryAvatarUrl":"https://avatars.githubusercontent.com/in/29110?s=80&v=4"},"commit":{"message":"build(deps-dev): bump aiohttp from 3.9.0 to 3.9.4\n\nBumps [aiohttp](https://github.com/aio-libs/aiohttp) from 3.9.0 to 3.9.4.\n- [Release notes](https://github.com/aio-libs/aiohttp/releases)\n- [Changelog](https://github.com/aio-libs/aiohttp/blob/master/CHANGES.rst)\n- [Commits](https://github.com/aio-libs/aiohttp/compare/v3.9.0...v3.9.4)\n\n---\nupdated-dependencies:\n- dependency-name: aiohttp\n  dependency-type: indirect\n...\n\nSigned-off-by: dependabot[bot] <support@github.com>","shortMessageHtmlLink":"build(deps-dev): bump aiohttp from 3.9.0 to 3.9.4"}},{"before":"5b4bfd6ffd9462ba6ee4d9847cc9e67757d95238","after":"a1a3b2969266b728f8f21b22629959176334115c","ref":"refs/heads/master","pushedAt":"2024-04-17T12:28:17.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"nasbench","name":"Nasreddine Bencherchali","path":"/nasbench","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/8741929?s=80&v=4"},"commit":{"message":"Merge PR #4795 from @signalblur - Update `Linux Command History Tampering` rule\n\nupdate: Linux Command History Tampering - Increase coverage to include other history files \r\n\r\n---------\r\n\r\nCo-authored-by: frack113 <62423083+frack113@users.noreply.github.com>\r\nCo-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>\r\nCo-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>","shortMessageHtmlLink":"Merge PR <a class=\"issue-link js-issue-link\" data-error-text=\"Failed to load title\" data-id=\"2218994896\" data-permission-text=\"Title is private\" data-url=\"https://github.com/SigmaHQ/sigma/issues/4795\" data-hovercard-type=\"pull_request\" data-hovercard-url=\"/SigmaHQ/sigma/pull/4795/hovercard\" href=\"https://github.com/SigmaHQ/sigma/pull/4795\">#4795</a> from <a class=\"user-mention notranslate\" data-hovercard-type=\"user\" data-hovercard-url=\"/users/signalblur/hovercard\" data-octo-click=\"hovercard-link-click\" data-octo-dimensions=\"link_type:self\" href=\"https://github.com/signalblur\">@signalblur</a> - Update `Linux Command History Tampe…"}},{"before":"86ca651ea6914fc3d5d21a4e28fc7b8c5edd57e2","after":"5b4bfd6ffd9462ba6ee4d9847cc9e67757d95238","ref":"refs/heads/master","pushedAt":"2024-04-17T10:28:38.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"phantinuss","name":null,"path":"/phantinuss","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/79651203?s=80&v=4"},"commit":{"message":"Merge PR #4814 from @nikitah4x - Add new rule to detect MFA bypass in Cisco Duo\n\nnew: Cisco Duo Successful MFA Authentication Via Bypass Code\r\n\r\n---------\r\n\r\nCo-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>","shortMessageHtmlLink":"Merge PR <a class=\"issue-link js-issue-link\" data-error-text=\"Failed to load title\" data-id=\"2242066070\" data-permission-text=\"Title is private\" data-url=\"https://github.com/SigmaHQ/sigma/issues/4814\" data-hovercard-type=\"pull_request\" data-hovercard-url=\"/SigmaHQ/sigma/pull/4814/hovercard\" href=\"https://github.com/SigmaHQ/sigma/pull/4814\">#4814</a> from <a class=\"user-mention notranslate\" data-hovercard-type=\"user\" data-hovercard-url=\"/users/nikitah4x/hovercard\" data-octo-click=\"hovercard-link-click\" data-octo-dimensions=\"link_type:self\" href=\"https://github.com/nikitah4x\">@nikitah4x</a> - Add new rule to detect MFA bypass in…"}},{"before":"4dc77dc1754535c4370b244b6d6e2bbf12322956","after":"86ca651ea6914fc3d5d21a4e28fc7b8c5edd57e2","ref":"refs/heads/master","pushedAt":"2024-04-16T12:36:41.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"nasbench","name":"Nasreddine Bencherchali","path":"/nasbench","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/8741929?s=80&v=4"},"commit":{"message":"Merge PR #4801 from @signalblur - Add Pnscan rule\n\nnew: Pnscan Binary Data Transmission Activity \r\n\r\n---------\r\n\r\nCo-authored-by: frack113 <62423083+frack113@users.noreply.github.com>\r\nCo-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>\r\nCo-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>","shortMessageHtmlLink":"Merge PR <a class=\"issue-link js-issue-link\" data-error-text=\"Failed to load title\" data-id=\"2224006113\" data-permission-text=\"Title is private\" data-url=\"https://github.com/SigmaHQ/sigma/issues/4801\" data-hovercard-type=\"pull_request\" data-hovercard-url=\"/SigmaHQ/sigma/pull/4801/hovercard\" href=\"https://github.com/SigmaHQ/sigma/pull/4801\">#4801</a> from <a class=\"user-mention notranslate\" data-hovercard-type=\"user\" data-hovercard-url=\"/users/signalblur/hovercard\" data-octo-click=\"hovercard-link-click\" data-octo-dimensions=\"link_type:self\" href=\"https://github.com/signalblur\">@signalblur</a> - Add Pnscan rule"}},{"before":"1a85bc5b5a88253a35e63e23cf603090d93d59c4","after":"4dc77dc1754535c4370b244b6d6e2bbf12322956","ref":"refs/heads/master","pushedAt":"2024-04-16T10:57:45.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"nasbench","name":"Nasreddine Bencherchali","path":"/nasbench","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/8741929?s=80&v=4"},"commit":{"message":"Merge PR #4819 from @fukusuket - Fix regex escape\n\nfix: Invoke-Obfuscation Via Stdin - explicitly escape { to make it clear that it is a literal","shortMessageHtmlLink":"Merge PR <a class=\"issue-link js-issue-link\" data-error-text=\"Failed to load title\" data-id=\"2244810054\" data-permission-text=\"Title is private\" data-url=\"https://github.com/SigmaHQ/sigma/issues/4819\" data-hovercard-type=\"pull_request\" data-hovercard-url=\"/SigmaHQ/sigma/pull/4819/hovercard\" href=\"https://github.com/SigmaHQ/sigma/pull/4819\">#4819</a> from <a class=\"user-mention notranslate\" data-hovercard-type=\"user\" data-hovercard-url=\"/users/fukusuket/hovercard\" data-octo-click=\"hovercard-link-click\" data-octo-dimensions=\"link_type:self\" href=\"https://github.com/fukusuket\">@fukusuket</a> - Fix regex escape"}},{"before":"ae49e3a46599e6838ff79e04a4d9bb586620f9ca","after":"1a85bc5b5a88253a35e63e23cf603090d93d59c4","ref":"refs/heads/master","pushedAt":"2024-04-15T15:01:15.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"nasbench","name":"Nasreddine Bencherchali","path":"/nasbench","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/8741929?s=80&v=4"},"commit":{"message":"Merge PR #4799 from @fukusuket - Fix typo in selection name\n\nchore: fix typo in selection name","shortMessageHtmlLink":"Merge PR <a class=\"issue-link js-issue-link\" data-error-text=\"Failed to load title\" data-id=\"2222808926\" data-permission-text=\"Title is private\" data-url=\"https://github.com/SigmaHQ/sigma/issues/4799\" data-hovercard-type=\"pull_request\" data-hovercard-url=\"/SigmaHQ/sigma/pull/4799/hovercard\" href=\"https://github.com/SigmaHQ/sigma/pull/4799\">#4799</a> from <a class=\"user-mention notranslate\" data-hovercard-type=\"user\" data-hovercard-url=\"/users/fukusuket/hovercard\" data-octo-click=\"hovercard-link-click\" data-octo-dimensions=\"link_type:self\" href=\"https://github.com/fukusuket\">@fukusuket</a> - Fix typo in selection name"}},{"before":"9e6952ec6a2ef6f5cbfc3291c9ac8fb86418a44e","after":"ae49e3a46599e6838ff79e04a4d9bb586620f9ca","ref":"refs/heads/master","pushedAt":"2024-04-15T15:00:21.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"nasbench","name":"Nasreddine Bencherchali","path":"/nasbench","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/8741929?s=80&v=4"},"commit":{"message":"Merge PR #4787 from @ya0guang - Fix typo in `test_logsource.py`\n\nchore: fix typo in `test_logsource.py`","shortMessageHtmlLink":"Merge PR <a class=\"issue-link js-issue-link\" data-error-text=\"Failed to load title\" data-id=\"2212257489\" data-permission-text=\"Title is private\" data-url=\"https://github.com/SigmaHQ/sigma/issues/4787\" data-hovercard-type=\"pull_request\" data-hovercard-url=\"/SigmaHQ/sigma/pull/4787/hovercard\" href=\"https://github.com/SigmaHQ/sigma/pull/4787\">#4787</a> from <a class=\"user-mention notranslate\" data-hovercard-type=\"user\" data-hovercard-url=\"/users/ya0guang/hovercard\" data-octo-click=\"hovercard-link-click\" data-octo-dimensions=\"link_type:self\" href=\"https://github.com/ya0guang\">@ya0guang</a> - Fix typo in <code>test_logsource.py</code>"}},{"before":"a235795ddd0b73be397f02d608143c477b7dcf8d","after":"9e6952ec6a2ef6f5cbfc3291c9ac8fb86418a44e","ref":"refs/heads/master","pushedAt":"2024-04-15T14:58:02.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"nasbench","name":"Nasreddine Bencherchali","path":"/nasbench","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/8741929?s=80&v=4"},"commit":{"message":"Merge PR #4789 from @ya0guang - Fix typo in `test_rules.py`\n\nchore: fix typo in `test_rules.py` condition","shortMessageHtmlLink":"Merge PR <a class=\"issue-link js-issue-link\" data-error-text=\"Failed to load title\" data-id=\"2214045928\" data-permission-text=\"Title is private\" data-url=\"https://github.com/SigmaHQ/sigma/issues/4789\" data-hovercard-type=\"pull_request\" data-hovercard-url=\"/SigmaHQ/sigma/pull/4789/hovercard\" href=\"https://github.com/SigmaHQ/sigma/pull/4789\">#4789</a> from <a class=\"user-mention notranslate\" data-hovercard-type=\"user\" data-hovercard-url=\"/users/ya0guang/hovercard\" data-octo-click=\"hovercard-link-click\" data-octo-dimensions=\"link_type:self\" href=\"https://github.com/ya0guang\">@ya0guang</a> - Fix typo in <code>test_rules.py</code>"}},{"before":"8c46c94a609dc064920de760eefaa901e573f1a8","after":"a235795ddd0b73be397f02d608143c477b7dcf8d","ref":"refs/heads/master","pushedAt":"2024-04-15T14:56:41.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"nasbench","name":"Nasreddine Bencherchali","path":"/nasbench","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/8741929?s=80&v=4"},"commit":{"message":"Merge PR #4790 from @ya0guang - Update `test_rules.py`\n\nchore: fix typo in `test_rules.py`","shortMessageHtmlLink":"Merge PR <a class=\"issue-link js-issue-link\" data-error-text=\"Failed to load title\" data-id=\"2214084086\" data-permission-text=\"Title is private\" data-url=\"https://github.com/SigmaHQ/sigma/issues/4790\" data-hovercard-type=\"pull_request\" data-hovercard-url=\"/SigmaHQ/sigma/pull/4790/hovercard\" href=\"https://github.com/SigmaHQ/sigma/pull/4790\">#4790</a> from <a class=\"user-mention notranslate\" data-hovercard-type=\"user\" data-hovercard-url=\"/users/ya0guang/hovercard\" data-octo-click=\"hovercard-link-click\" data-octo-dimensions=\"link_type:self\" href=\"https://github.com/ya0guang\">@ya0guang</a> - Update <code>test_rules.py</code>"}},{"before":"045a9a5faa7c5de03327e255c3da96209aac5e06","after":"8c46c94a609dc064920de760eefaa901e573f1a8","ref":"refs/heads/master","pushedAt":"2024-04-15T14:43:49.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"nasbench","name":"Nasreddine Bencherchali","path":"/nasbench","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/8741929?s=80&v=4"},"commit":{"message":"Merge PR #4798 from @PiRomant - Update `Hashes` field to use `contains` modifier\n\nupdate: HackTool - CoercedPotato Execution - Update Hashes field to use contains modifier\r\nupdate: HackTool - HandleKatz LSASS Dumper Execution - Update Hashes field to use contains modifier\r\nupdate: HackTool - SysmonEOP Execution - Update Hashes field to use contains modifier\r\n \r\n---------\r\n\r\nCo-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>","shortMessageHtmlLink":"Merge PR <a class=\"issue-link js-issue-link\" data-error-text=\"Failed to load title\" data-id=\"2222241933\" data-permission-text=\"Title is private\" data-url=\"https://github.com/SigmaHQ/sigma/issues/4798\" data-hovercard-type=\"pull_request\" data-hovercard-url=\"/SigmaHQ/sigma/pull/4798/hovercard\" href=\"https://github.com/SigmaHQ/sigma/pull/4798\">#4798</a> from <a class=\"user-mention notranslate\" data-hovercard-type=\"user\" data-hovercard-url=\"/users/PiRomant/hovercard\" data-octo-click=\"hovercard-link-click\" data-octo-dimensions=\"link_type:self\" href=\"https://github.com/PiRomant\">@PiRomant</a> - Update <code>Hashes</code> field to use `contain…"}},{"before":"b40d86599ce8c33bbfc78085e8703e827d92a4b1","after":"045a9a5faa7c5de03327e255c3da96209aac5e06","ref":"refs/heads/master","pushedAt":"2024-04-15T14:37:15.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"nasbench","name":"Nasreddine Bencherchali","path":"/nasbench","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/8741929?s=80&v=4"},"commit":{"message":"Merge PR #4803 from @frack113 - Update regex based rules\n\nupdate: Invoke-Obfuscation CLIP+ Launcher - PowerShell Module - Remove unnecessary starting wildcard\r\nupdate: Invoke-Obfuscation STDIN+ Launcher - PowerShell Module - Remove unnecessary starting wildcard\r\nupdate: Invoke-Obfuscation VAR+ Launcher - PowerShell Module - Remove unnecessary starting wildcard\r\nupdate: Invoke-Obfuscation Via Stdin - PowerShell Module - Remove unnecessary starting wildcard\r\nupdate: Invoke-Obfuscation Via Use Clip - PowerShell Module - Remove unnecessary starting wildcard\r\nupdate: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell Module - Remove unnecessary starting wildcard\r\nupdate: Invoke-Obfuscation CLIP+ Launcher - PowerShell - Remove unnecessary starting wildcard\r\nupdate: Invoke-Obfuscation STDIN+ Launcher - Powershell - Remove unnecessary starting wildcard\r\nupdate: Invoke-Obfuscation VAR+ Launcher - PowerShell - Remove unnecessary starting wildcard\r\nupdate: Invoke-Obfuscation Via Stdin - Powershell - Remove unnecessary starting wildcard\r\nupdate: Invoke-Obfuscation Via Use Clip - Powershell - Remove unnecessary starting wildcard\r\nupdate: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell - Remove unnecessary starting wildcard\r\nupdate: Invoke-Obfuscation STDIN+ Launcher - Update rule to use regex for better accuracy in CLI\r\nupdate: Invoke-Obfuscation VAR+ Launcher - Update rule to use regex for better accuracy in CLI\r\nupdate: Invoke-Obfuscation Via Stdin - Update rule to use regex for better accuracy in CLI\r\nupdate: Invoke-Obfuscation Via Use Clip - Update rule to use regex for better accuracy in CLI \r\n\r\n---------\r\n\r\nCo-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>\r\nCo-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>","shortMessageHtmlLink":"Merge PR <a class=\"issue-link js-issue-link\" data-error-text=\"Failed to load title\" data-id=\"2227777375\" data-permission-text=\"Title is private\" data-url=\"https://github.com/SigmaHQ/sigma/issues/4803\" data-hovercard-type=\"pull_request\" data-hovercard-url=\"/SigmaHQ/sigma/pull/4803/hovercard\" href=\"https://github.com/SigmaHQ/sigma/pull/4803\">#4803</a> from <a class=\"user-mention notranslate\" data-hovercard-type=\"user\" data-hovercard-url=\"/users/frack113/hovercard\" data-octo-click=\"hovercard-link-click\" data-octo-dimensions=\"link_type:self\" href=\"https://github.com/frack113\">@frack113</a> - Update regex based rules"}},{"before":"691dca6fd2cac002bec9f158bb3ecf4c679a76fa","after":"b40d86599ce8c33bbfc78085e8703e827d92a4b1","ref":"refs/heads/master","pushedAt":"2024-04-15T11:58:20.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"phantinuss","name":null,"path":"/phantinuss","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/79651203?s=80&v=4"},"commit":{"message":"Merge PR #4806 from @swachchhanda000 - Potential KeyScrambler.exe DLL Side-loading\n\nnew: Potential KeyScrambler.exe DLL Side-loading\r\n\r\n---------\r\n\r\nCo-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>","shortMessageHtmlLink":"Merge PR <a class=\"issue-link js-issue-link\" data-error-text=\"Failed to load title\" data-id=\"2232580913\" data-permission-text=\"Title is private\" data-url=\"https://github.com/SigmaHQ/sigma/issues/4806\" data-hovercard-type=\"pull_request\" data-hovercard-url=\"/SigmaHQ/sigma/pull/4806/hovercard\" href=\"https://github.com/SigmaHQ/sigma/pull/4806\">#4806</a> from <a class=\"user-mention notranslate\" data-hovercard-type=\"user\" data-hovercard-url=\"/users/swachchhanda000/hovercard\" data-octo-click=\"hovercard-link-click\" data-octo-dimensions=\"link_type:self\" href=\"https://github.com/swachchhanda000\">@swachchhanda000</a> - Potential KeyScrambler.exe DLL…"}},{"before":"8687ba8ce6a6e0dc92447026f4378ff98d656eee","after":"691dca6fd2cac002bec9f158bb3ecf4c679a76fa","ref":"refs/heads/master","pushedAt":"2024-04-15T11:43:35.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"phantinuss","name":null,"path":"/phantinuss","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/79651203?s=80&v=4"},"commit":{"message":"Merge PR #4808 from @frack113 - FP Bad practice GPO\n\nfix: Windows Binaries Write Suspicious Extensions - Add new filter for when \"bat\" or \"powershell\" scripts are written via GPO to run at startup.\r\n\r\n---------\r\n\r\nCo-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>","shortMessageHtmlLink":"Merge PR <a class=\"issue-link js-issue-link\" data-error-text=\"Failed to load title\" data-id=\"2237533702\" data-permission-text=\"Title is private\" data-url=\"https://github.com/SigmaHQ/sigma/issues/4808\" data-hovercard-type=\"pull_request\" data-hovercard-url=\"/SigmaHQ/sigma/pull/4808/hovercard\" href=\"https://github.com/SigmaHQ/sigma/pull/4808\">#4808</a> from <a class=\"user-mention notranslate\" data-hovercard-type=\"user\" data-hovercard-url=\"/users/frack113/hovercard\" data-octo-click=\"hovercard-link-click\" data-octo-dimensions=\"link_type:self\" href=\"https://github.com/frack113\">@frack113</a> - FP Bad practice GPO"}},{"before":"c21a4e10b81f5fa0a82a28a611fd16e2e3063fb7","after":"8687ba8ce6a6e0dc92447026f4378ff98d656eee","ref":"refs/heads/master","pushedAt":"2024-04-15T11:42:32.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"phantinuss","name":null,"path":"/phantinuss","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/79651203?s=80&v=4"},"commit":{"message":"Merge PR #4813 from @frack113 - Add Image to avoid FP\n\nfix: File And SubFolder Enumeration Via Dir Command - Fix false positive with Firefox and similar CLI apps.\r\n---------\r\n\r\nCo-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>","shortMessageHtmlLink":"Merge PR <a class=\"issue-link js-issue-link\" data-error-text=\"Failed to load title\" data-id=\"2242013114\" data-permission-text=\"Title is private\" data-url=\"https://github.com/SigmaHQ/sigma/issues/4813\" data-hovercard-type=\"pull_request\" data-hovercard-url=\"/SigmaHQ/sigma/pull/4813/hovercard\" href=\"https://github.com/SigmaHQ/sigma/pull/4813\">#4813</a> from <a class=\"user-mention notranslate\" data-hovercard-type=\"user\" data-hovercard-url=\"/users/frack113/hovercard\" data-octo-click=\"hovercard-link-click\" data-octo-dimensions=\"link_type:self\" href=\"https://github.com/frack113\">@frack113</a> - Add Image to avoid FP"}}],"hasNextPage":true,"hasPreviousPage":false,"activityType":"all","actor":null,"timePeriod":"all","sort":"DESC","perPage":30,"cursor":"djE6ks8AAAAEP5KNogA","startCursor":null,"endCursor":null}},"title":"Activity · SigmaHQ/sigma"}