Feat: extend syslog clearing rule - add variants & empty-file idioms #4
Open
Conversation
… fix invalid unlink flags
added common truncation/overwrite patterns: redirections (>, >|, :>), true/echo -n/printf '' >, cat|cp /dev/null, truncate, shred
added symlink variants
removed invalid unlink flags and kept only unlink /var/log/syslog
kept ATT&CK mapping (T1070.002) and existing metadata; status remains test
Welcome @vl43den 👋
It looks like this is your first pull request on the Sigma rules repository!
Please make sure to read the SigmaHQ conventions document to make sure your contribution is adhering to best practices and has all the necessary elements in place for a successful approval.
Thanks again, and welcome to the Sigma community! 😃
Removed lingering whitespace and went over comments
Overhauled the rule to remove some unnecessary additions, added journalctl --rotate
…ion via CommandLine Utilities new: IIS WebServer Log Deletion via CommandLine Utilities --------- Co-authored-by: nasbench <nasbench@users.noreply.github.com> Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
…line to v0.8.2 chore: update evtx baseline to v0.8.2 and fix FPs --------- Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
…nces and update cache file Co-authored-by: nasbench <nasbench@users.noreply.github.com>
Updated the title and description for clarity. Added new command selections for syslog clearing techniques and refined existing selections.
…s from selectors fix: Arbitrary DLL or Csproj Code Execution Via Dotnet.EXE - remove + characters from selectors
…xecution anomaly detection fix: System File Execution Location Anomaly - add filter for wsl fps
…ce FPs fix: Program Executed Using Proxy/Local Command Via SSH.EXE - fix overlap of strings to reduce FPs
…ure in EDR process freeze rule update: Suspicious Process Suspension via WERFaultSecure through EDR-Freeze - refine image path logic and include OriginalFileName for improved rule accuracy --------- Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
…lated false-positives
remove: Active Directory Parsing DLL Loaded Via Office Application - deprecated as this rule was triggered every time any office app was opened
fix: Uncommon AppX Package Locations - Add a filter to legit Microsoft path
fix: File With Uncommon Extension Created By An Office Application - Add a filter to remove fp caused by ".com" directory filename
fix: Startup Folder File Write - Add a filter for OneNote
fix: Suspicious Volume Shadow Copy Vssapi.dll Load - Add a filter for null Image field
fix: Potentially Suspicious Volume Shadow Copy Vsstrace.dll Load - Add a filter for null Image field
fix: Suspicious WSMAN Provider Image Loads - Add a filter for mmc loading wsman provider images
fix: Office Application Initiated Network Connection To Non-Local IP - Add filter to more legit microsoft IP address ASN subnets
fix: Office Application Initiated Network Connection Over Uncommon Ports - Add filter for other common ports
fix: Suspicious Userinit Child Process - Add filter to Explorer in CommandLine
fix: CurrentVersion Autorun Keys Modification - Add more filters for OneDriverSetup.EXE
fix: Office Autorun Keys Modification - Add a new filter for a FriendlyName Addin
fix: Suspicious Access to Sensitive File Extensions - Zeek - Commented out groups.xml
fix: Suspicious Access to Sensitive File Extensions - Commented out groups.xml
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
…and filters; update Account Tampering with SubStatus field fix: SMB Create Remote File Admin Share - filter out local IP fix: Alternate PowerShell Hosts - PowerShell Module - filter out more legit powershell host fix: CurrentVersion NT Autorun Keys Modification - filter svchost making legitimate registry change fix: Potentially Suspicious Desktop Background Change Via Registry - filter EC2Launch.exe update: Account Tampering - Suspicious Failed Logon Reasons - add SubStatus field
…ct hex IPv4 addresses fix: Ping Hex IP - refined detection by adding regex to only match true hexadecimal IPv4 formats --------- Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com> Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
…tables delete/flush update: Modify System Firewall - add nftables delete/flush --------- Co-authored-by: nasbench <nasbench@users.noreply.github.com>
…Credential Modified
remove: Azure Application Credential Modified - superseded by cbb67ecc-fb70-4467-9350-c910bdf7c628
---------
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
…n Startup Locations - CVE-2025-6218 and CVE-2025-8088 new: WinRAR Creating Files in Startup Locations update: WinRAR Execution in Non-Standard Folder - update PE metadata --------- Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
chore: ci: let yamllint fail on warnings as well chore: fix comment whitespace chore: ci: run single tests in their own job
…eze Execution` new: Hacktool - EDR-Freeze Execution --------- Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com> Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com> Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>
…sues new: AWS IAM user with Console Access Login Without MFA (SigmaHQ#5074) new: Suspicious BitLocker Access Agent Update Utility Execution (SigmaHQ#5502) new: BaaUpdate.exe Suspicious DLL Load update: Suspicious C2 Activities - update definition (SigmaHQ#5142) fix: Firewall Configuration Discovery Via Netsh.EXE - fix logic (SigmaHQ#5171) fix: WannaCry Ransomware Activity - remove generic indicators (SigmaHQ#5131) fix: Rare Remote Thread Creation By Uncommon Source Image - filter office FPs (SigmaHQ#5529) --------- Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
…Windows Server coverage fix: Potential CVE-2023-23397 Exploitation Attempt - Add RemoteAddress field to filters --------- Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
…les for CVE-2025-32463 sudo chroot vulnerability new: Non-Standard Nsswitch.Conf Creation - Potential CVE-2025-32463 Exploitation new: Linux Sudo Chroot Execution --------- Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
…argeting npm supply chain attack new - Shai-Hulud Malicious GitHub Workflow Creation new - Shai-Hulud NPM Attack GitHub Activity new - Shai-Hulud NPM Package Malicious Exfiltration via Curl new - PUA - TruffleHog Execution new - PUA - TruffleHog Execution - Linux
…are report new: FTP Connection Open Attempt Via Winscp CLI new: Winscp Execution From Non Standard Folder --------- Co-authored-by: nasbench <nasbench@users.noreply.github.com> Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
…t could be suspicious for startup folder update: Suspicious Startup Folder Persistence: add more suspicious extensions --------- Co-authored-by: nasbench <nasbench@users.noreply.github.com> Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
…VE-2025-10035 exploit in GoAnywhere MFT new: Potential Exploitation of GoAnywhere MFT vulnerability --------- Co-authored-by: nasbench <nasbench@users.noreply.github.com>
…m power settings new: Mask System Power Settings Via Systemctl --------- Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com> Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
…ties new - Commvault QLogin with PublicSharingUser and GUID Password (CVE-2025-57788) new - Commvault QOperation Path Traversal Webshell Drop (CVE-2025-57790) new - Commvault QLogin Argument Injection Authentication Bypass (CVE-2025-57791) new - Suspicious File Write to Webapps Root Directory --------- Co-authored-by: nasbench <nasbench@users.noreply.github.com>
remove: PowerShell DownloadFile - Deprecated in favour of 3b6ab547-8ec2-4991-b9d2-2b06702a48d7 remove: Whoami Utility Execution - Deprecated in favor of 502b42de-4306-40b4-9596-6f590c81f073 fix: Usage Of Web Request Commands And Cmdlets - ScriptBlock - Commented out Net.webclient fix: Usage Of Web Request Commands And Cmdlets - Comment out Net.webclient fix: System Disk And Volume Reconnaissance via Wmic.EXE - update the rule logic to remove potential FPs update: PowerShell Download Pattern - add powershell_ise update: Use Short Name Path in Image - change detection logic structure update: Local Accounts Discovery - add OriginalFileName field --------- Co-authored-by: nasbench <nasbench@users.noreply.github.com>
…tall chore: ci: fix duplicate install chore: ci: run tests independent of paths
…with additional flags and service names update: Potential LSASS Process Dump Via Procdump - expand flags and service-names detection --------- Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
…void potential fps of jwt token search via cli update: Potentially Suspicious JWT Token Search Via CLI - add selection for common search tools --------- Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
new: ISATAP Router Address Was Set --------- Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com> Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com> Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
… 2 rules chore: add missing MITRE tactics for 2 rules
chore: add missing author field
…e Deletion` fix: Sysmon Channel Reference Deletion - AccessMask should be a string
new: AWS Console Login Monitoring new: AWS Bucket Deleted new: AWS ConsoleLogin Failed Authentication new: AWS EnableRegion Command Monitoring new: AWS VPC Flow Logs Deleted update: AWS Successful Console Login Without MFA - only alert on successful logins --------- Co-authored-by: nasbench <nasbench@users.noreply.github.com> Co-authored-by: swachchhanda000 <swachchhandashrawan@gmail.com>
…t deletion of RunMRU registry key new: RunMRU Registry Key Deletion new: RunMRU Registry Key Deletion - Registry --------- Co-authored-by: Nasreddine Bencherchali <nasbench@users.noreply.github.com>
fix: Uncommon PowerShell Hosts - filter hexnode fix: Suspicious Non PowerShell WSMAN COM Provider - filter hexnode fix: Allow Service Access Using Security Descriptor Tampering Via Sc.EXE - filter hexnode fix: Registry Persistence via Service in Safe Mode - filter hexnode fix: Potential PowerShell Obfuscation Using Alias Cmdlets - filter legitimate cim aliases --------- Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com> Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com> Co-authored-by: Nasreddine Bencherchali <nasbench@users.noreply.github.com>
…e ransomware and wce detection update: Blackbyte Ransomware Registry - move to rules-emerging-threats folder fix: HackTool - Windows Credential Editor (WCE) Execution - remove fp selection while increasing coverage --------- Co-authored-by: Nasreddine Bencherchali <nasbench@users.noreply.github.com>
…MB Connection to Share Established new: Unsigned or Unencrypted SMB Connection to Share Established --------- Co-authored-by: nasbench <nasbench@users.noreply.github.com> Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
…numeration Via TruffleHog new: AWS STS GetCallerIdentity Enumeration Via TruffleHog --------- Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
…tion of wsl kali linux new: Installation of WSL KaliLinux new: WSL Kali Linux Usage --------- Co-authored-by: Nasreddine Bencherchali <nasbench@users.noreply.github.com> Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
chore: ci: bump validator version chore: add missing tags --------- Co-authored-by: nasbench <nasbench@users.noreply.github.com>
…l Execution new: PUA - Restic Backup Tool Execution
…rigger to CI jobs chore: ci: add merge_group trigger to CI jobs
…stry` new: WFP Filter Added via Registry --------- Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
…ktop Sensitive Data` new: File Access Of Signal Desktop Sensitive Data --------- Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
new: GitHub Repository Pages Site Changed to Public new: GitHub Repository Archive Status Changed --------- Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
…erial Usage` new: AWS KMS Imported Key Material Usage --------- Co-authored-by: Nasreddine Bencherchali Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
…Itself As Sacrificial Process` new: Potential Executable Run Itself As Sacrificial Process --------- Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
…ecurity Stopped Via CommandLine - Linux` new: Kaspersky Endpoint Security Stopped Via CommandLine - Linux --------- Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
new: Audit Rules Deleted Via Auditctl new: Python WebServer Execution - Linux --------- Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
Summary of the Pull Request
Extend Linux “Clear/Remove Syslog” rule to broaden coverage of file-emptying techniques and correct unlink usage
Changelog
update: Commands to Clear or Remove the Syslog – add empty-file idioms (redirect/printf/devnull/symlink/truncate/shred) and remove invalid unlink flags
Example Log Event
N/A – coverage extension, not a false-positive fix!
Fixed Issues
N/A
SigmaHQ Rule Creation Conventions
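The empty-file idioms listed in the changelog above, expressed as detection logic run over constructed process-creation events. This is an added example, not the Sigma rule itself or any code from the SigmaHQ repository; the event field names (ProcessId, CommandLine), the regexes and the sample command lines are assumptions made here.

```python
import re
from typing import List, Optional, Tuple

# Idiom families from the changelog above. Each regex runs against the full
# CommandLine of a Linux process-creation event (field names are assumed).
SYSLOG = r"/var/log/syslog"
IDIOMS = {
    # 'cat /dev/null > f' and 'cp /dev/null f'
    "devnull": re.compile(r"\b(?:cat|cp)\s+/dev/null\s+(?:>\s*)?" + SYSLOG + r"\b"),
    # ':> f', '> f', '>| f', 'true > f', "printf '' > f" all end in '>' + path;
    # the lookaround excludes '>>' (append), which does not empty the file.
    "redirect": re.compile(r"(?<!>)>\|?(?!>)\s*" + SYSLOG + r"\b"),
    # 'truncate -s 0 f', 'truncate -s0 f', 'truncate --size=0 f'
    "truncate": re.compile(r"\btruncate\b.*\s(?:-s\s*|--size[= ])0\b.*" + SYSLOG + r"\b"),
    "shred": re.compile(r"\bshred\b.*\s" + SYSLOG + r"\b"),
    # 'ln -s[f] <anything> f' replaces the log with a symlink
    "symlink": re.compile(r"\bln\s+-[a-zA-Z]*s[a-zA-Z]*\s+\S+\s+" + SYSLOG + r"\b"),
    "unlink": re.compile(r"\bunlink\s+" + SYSLOG + r"\b"),
    "journalctl": re.compile(r"\bjournalctl\b.*--rotate\b"),
}

def classify(cmdline: str) -> Optional[str]:
    """Return the first idiom family (in IDIOMS order) the command line matches."""
    for name, rx in IDIOMS.items():
        if rx.search(cmdline):
            return name
    return None

def scan(events) -> List[Tuple[int, str]]:
    """Apply the logic to a batch of events; returns (ProcessId, family) per hit."""
    hits = []
    for ev in events:
        family = classify(ev["CommandLine"])
        if family:
            hits.append((ev["ProcessId"], family))
    return hits

# Constructed sample events, not real telemetry. The last three are benign
# reads/appends that a naive "contains /var/log/syslog" match would flag.
SAMPLE_EVENTS = [
    {"ProcessId": 4101, "CommandLine": ":> /var/log/syslog"},
    {"ProcessId": 4102, "CommandLine": "cp /dev/null /var/log/syslog"},
    {"ProcessId": 4103, "CommandLine": "truncate -s 0 /var/log/syslog"},
    {"ProcessId": 4104, "CommandLine": "shred -u /var/log/syslog"},
    {"ProcessId": 4105, "CommandLine": "ln -sf /dev/null /var/log/syslog"},
    {"ProcessId": 4106, "CommandLine": "unlink /var/log/syslog"},
    {"ProcessId": 4107, "CommandLine": "journalctl --rotate"},
    {"ProcessId": 4108, "CommandLine": "grep -i error /var/log/syslog"},
    {"ProcessId": 4109, "CommandLine": "tail -n 50 /var/log/syslog > /tmp/out.txt"},
    {"ProcessId": 4110, "CommandLine": "echo audit >> /var/log/syslog"},
]
```

Calling scan(SAMPLE_EVENTS) reports the first seven events with their idiom family and leaves the three read/append/redirect-elsewhere cases alone; a rule that only checks for the path substring would fire on all ten.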