Skip to content

Contributing

shaddy43 edited this page Jul 16, 2026 · 2 revisions

Contributing

This wiki is a community defensive resource. Contributions that improve detection accuracy, add telemetry sources, or correct tool-specific details are welcome.


What we're looking for

  • New or improved detections — Sigma rules, YARA signatures, KQL/Splunk/other-SIEM queries.
  • Validated artifacts — confirmed paths, task names, filenames, or behavior from lab testing (see Validation & Lab Testing).
  • False-positive reports — legitimate software that trips a rule, plus a suggested filter.
  • Additional telemetry sources — Elastic, CrowdStrike, Carbon Black, Chronicle, etc.
  • Translations / backend conversions — Sigma converted to specific SIEM query languages.

Ground rules

  • Defensive only. This wiki documents how to detect the tool. Do not add offensive tradecraft, weaponization guidance, payloads, or instructions to extend the tool's capability.
  • Cite your evidence. For a new IOC, say how it was observed (lab run, incident, sample hash) so others can validate.
  • No live malware or real credentials. Never attach samples, real victim data, or working exfil endpoints.
  • Keep hashes qualified. Because the tool is open-source, hashes are build-specific; label them with the build/source they came from rather than presenting them as universal IOCs.
  • Stay legal and ethical. Only submit content gathered from authorized testing or your own environment.

How to contribute

GitHub Wikis are backed by a git repo. You can clone and submit changes:

git clone https://github.com/<owner>/<repo>.wiki.git
cd <repo>.wiki
# edit the .md pages
git add . && git commit -m "Add Elastic EQL variant for 9.4"
git push

For discussion or proposals, open an Issue on the main repository and tag it detection or wiki.

Style guide

  • One topic per page; link between pages with [Title](Page-Name) (no .md extension).
  • Put rules in fenced code blocks with the right language hint (yaml, yara, kql, spl).
  • Give every Sigma rule a unique id (UUID) and set status honestly (experimental / test / stable).
  • Add new techniques to the MITRE ATT&CK Mapping and Coverage Matrix.

Rule metadata convention

When adding a Sigma rule, include at minimum:

title: <concise, specific>
id: <new UUID>
status: experimental        # experimental | test | stable
description: <what it detects and why>
references:
  - https://github.com/shaddy43/BrowserSnatch
author: <your handle or "Community">
date: <YYYY/MM/DD>
tags:
  - attack.<tactic>
  - attack.t<technique>
level: <low | medium | high | critical>

Maintainers & disclaimer

This wiki is maintained by the tool's author and cybersecurity community is encouraged to contribute. All content is provided for authorized detection-engineering, threat-hunting, and research use. See the Home page for scope.

Thanks for helping defenders keep pace. 🛡️

Clone this wiki locally