phantinuss

29 posts

@phantinuss

Joined February 2021
60 Following, 147 Followers
phantinuss retweeted
Nasreddine Bencherchali (@nas_bench):
New Sigma release r2025-12-01 is available for download.
🌟 35 New Rules 🛡️ 21 Rule updates 🔬 30 Rule Fixes
Explore the full release -> github.com/SigmaHQ/sigma/…
The major update of this release is the introduction of Windows regression testing in the CI. We now highly encourage providing evtx files with each PR, and will make it mandatory over time.
As always, this release comes with a bunch of new rules and updates. Here are some highlights:
- New FortiGate rules, covering the creation of users and modification of firewall objects.
- New rules covering variations of the FileFix/ClickFix technique
- New rules covering Atomic MacOS Stealer, CVE-2025-20333, CVE-2025-59287 and more
- As well as multiple FP fixes and updates.
A special thanks to the many contributors that helped shape this release, specifically darses, Javier Bruno, @_ezlucky_, @frack113, @hullabrian, InTheCyber Group, Tommaso Tosi, JasonPhang98, @Joseliyo_Jstnk, @KoifSec, Liran Ravich, @_montysecurity, @phantinuss, RiqTam, Seth Hanford, suKTech24, @_swachchhanda_, @IntelScott, @Kostastsale, YxinMiracle
0
4
12
1.2K
phantinuss retweeted
Nasreddine Bencherchali (@nas_bench):
New Sigma release r2025-10-01 is available for download.
🌟 43 New Rules 🛡️ 34 Rule updates 🔬 27 Rule Fixes
Explore the full release -> github.com/SigmaHQ/sigma/…
This release introduces a bunch of new rules and updates:
- A bunch of CVE detections including CVE-2025-54309, CVE-2025-53770 and CVE-2025-24054.
- SAP NetWeaver and SharePoint detections covering suspicious child processes and other activity.
- A bunch of updates to file sharing domain based rules.
- Additional Cmdlets and variants to PowerShell based rules.
And much more.
A special thanks to the many contributors that helped shape this release, specifically 0xbcf, 0xPrashanthSec, egycondor, EzLucky, @frack113, Gene Kazimiarovich, JasonPhang98, josamontiel, @KoifSec, Liran Ravich, M1ra1B0T, @nosecurething, @cyb3rops, Andreas Braathen, Nisarg Suthar, norbert791, peterydzynski, @phantinuss, resp404nse, Arnim Rupp, @_swachchhanda_, Renan LAVAREC, Vladan Sekulic, YxinMiracle
2
11
41
4.6K
phantinuss retweeted
Nasreddine Bencherchali (@nas_bench):
New Sigma release r2025-07-08 is available for download.
🌟 43 New Rules 🛡️ 34 Rule updates 🔬 27 Rule Fixes
Explore the full release -> github.com/SigmaHQ/sigma/…
This release introduces a bunch of new rules including detections for:
- Katz Stealer
- MeshAgent usage
- CVE-2025-33053 and CVE-2025-49144 (Notepad++)
- Kerberos Coercion Via DNS SPN Spoofing
And much more.
We've also introduced a new GitHub action to automate the generation of MITRE heatmaps every month.
A special thanks to the many contributors that helped shape this release, specifically @0xFustang, @ajpc500, Ariel Otilibili, Milad Cheraghi, @d4ns4n_, david-syk, egycondor, @_ezlucky_, @frack113, Grégory Wychowaniec, GrepItAll, hashdr1ft, Josh Nickels, @JrOrOneEquals1, David Faiß, @MalGamy12, Nik Stuckenbrock, norbert791, @phantinuss, @_swachchhanda_, unicornofhunt, vx3r, wieso-itzi, @X__Junior, @lazarg_
3
38
99
8.5K
phantinuss retweeted
Nasreddine Bencherchali (@nas_bench):
New Sigma release r2025-05-21 is available for download.
🌟 15 New Rules 🛡️ 47 Rule updates 🔬 13 Rule Fixes
Explore the full release -> github.com/SigmaHQ/sigma/…
This release focused mainly on updates and tunings of older rules, with newer detections covering NimScan, AdFind, Kalambur Backdoor and more.
Without forgetting, a special thanks to the many contributors that helped shape this release, specifically Milad Cheraghi, @OrOneEqualsOne, david-syk, @TheDFIRReport, Derek Armstrong, Isaac Fernandes, @frack113, Gude5, Hannes Widéen, Allan Monteiro, Jason Mull, @KoifSec, @MalGamy12, @cyb3rops, Nick Lupien, @phantinuss, RG9n, signalblur, @_swachchhanda_, Arda Büyükkaya, @X__Junior
1
21
65
6.7K
phantinuss (@phantinuss):
@nas_bench the future will be bright (for working in IT sec)
0
0
2
51
phantinuss (@phantinuss):
@nas_bench I was once in a gallery where one room just had a bucket and a cleaning mop inside. To this day I am not sure if that was just an empty room or part of the exhibition 🤔
0
0
3
40
Nasreddine Bencherchali (@nas_bench):
Found this in an Art museum. Can someone explain why the duck a piece of glass is listed as ART?!!
11
0
12
5.9K
Thierry Breton (@ThierryBreton):
Historic! The EU becomes the very first continent to set clear rules for the use of AI 🇪🇺 The #AIAct is much more than a rulebook — it's a launchpad for EU startups and researchers to lead the global AI race. The best is yet to come! 👍
2.9K
1.1K
3.4K
8.4M
phantinuss (@phantinuss):
@jaredcatkinson @nas_bench There are cases where you can have a "strictly better" detection. But that's if you look at it on a detailed/implementation level and probably not what the topic is about.
0
0
1
68
Jared Atkinson (@jaredcatkinson):
I assume that you accept that there are better and worse ways to detect things? Should we not pursue the development of better methods of detection? I agree though that it’s not exactly zero sum in the sense that you can have multiple rules that address the same or similar threats in different ways.
2
0
5
1.3K
Nasreddine Bencherchali (@nas_bench):
"Detection absolutists" is a term I find myself using more and more often. Especially when I see some of the takes around DE. Do people really think that there's one way or ultimate way to build a detection? I see a lot of big terms being thrown left and right, and people saying method X is shit, can be bypassed, use Y instead, it's more accurate and whatever.... Sigh..... Cut the BS please. The moment I see an absolutist, I know they're trying to sell me something :)
7
3
39
13.6K
phantinuss retweeted
Florian Roth ⚡️ (@cyb3rops):
curl is so versatile
curl is an alias for invoke-webrequest when called from PowerShell, a binary when called from cmd.exe, and part of a malware when called from a temporary folder
by @phantinuss & @nas_bench
2
4
55
10.6K
phantinuss retweeted
Thomas Patzke (@blubbfiction):
New blog post: Connecting Sigma Rule Sets to your Environment with Processing Pipelines medium.com/sigma-hq/conne…
If you convert Sigma rules into queries you should read this, especially if you have never heard about processing pipelines before.
0
18
28
12.6K
phantinuss retweeted
Rasta Mouse (@_RastaMouse):
Elastic EDR bypass :kappa:
15
18
193
29.4K
phantinuss retweeted
Nextron Systems (@nextronsystems):
Demystifying SIGMA Log Sources
We're glad to announce a new contribution called log-source guides. The idea behind it is to provide specific guides on configuring a system's audit policies so that the system actually creates the logs needed by the rules. nextron-systems.com/2023/03/24/dem…
1
34
81
32.8K
phantinuss (@phantinuss):
TIL: make doesn't fail if there is an error in the beginning of a pipeline (by default). It is true for bash in general, but probably most dangerous for make.
More on Stack Overflow: stackoverflow.com/questions/2530…
0
1
2
75
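The pipeline behaviour described in the tweet above, as an added shell example that is not phantinuss's code and not taken from the linked Stack Overflow thread. It assumes bash and GNU make are installed; the one-target Makefile it writes is constructed for the demo. A plain `sh -c` (make's default recipe shell) reports only the status of the last pipeline stage, so a failing first stage goes unnoticed; setting `.SHELLFLAGS` to include `pipefail` makes the recipe fail as it should:

```shell
#!/bin/sh
# Added example, not from the tweet. Assumes bash and GNU make are on PATH;
# the Makefile written below is constructed for this demo.

# The failing pipeline used throughout: a stand-in for something like
# "download | verify | install" where the first stage breaks.
FAILING_PIPELINE='false | cat >/dev/null'

# Runs the pipeline the way a default "sh -c" recipe would: the exit status
# is that of the last stage (cat), so the failing first stage is hidden.
# Prints 0.
pipeline_default_status() {
    status=0
    bash -c "$FAILING_PIPELINE" || status=$?
    echo "$status"
}

# Same pipeline with pipefail: the status is the last non-zero status of any
# stage, so the failure of the first stage surfaces. Prints 1.
pipeline_pipefail_status() {
    status=0
    bash -c "set -o pipefail; $FAILING_PIPELINE" || status=$?
    echo "$status"
}

# Writes a constructed one-target Makefile that runs the same pipeline under
# bash with the given .SHELLFLAGS, runs the target, and prints make's exit
# status (0 means the recipe "succeeded"; GNU make exits 2 on a failed
# recipe). Prints "skipped" when make is not installed.
make_recipe_status() {
    shellflags="$1"
    command -v make >/dev/null 2>&1 || { echo skipped; return 0; }
    bash_path=$(command -v bash)
    dir=$(mktemp -d)
    # Recipe lines must begin with a tab, hence the \t in the format string.
    printf 'SHELL := %s\n.SHELLFLAGS := %s\nall:\n\t%s\n' \
        "$bash_path" "$shellflags" "$FAILING_PIPELINE" > "$dir/Makefile"
    status=0
    make -s -C "$dir" all >/dev/null 2>&1 || status=$?
    rm -rf "$dir"
    echo "$status"
}

# Stand-alone run: shows the four outcomes side by side.
main() {
    echo "shell, default:      $(pipeline_default_status)"
    echo "shell, pipefail:     $(pipeline_pipefail_status)"
    echo "make, default (-c):  $(make_recipe_status '-c')"
    echo "make, hardened:      $(make_recipe_status '-eu -o pipefail -c')"
}

main "$@"
```

The hardened variant is the usual fix in a Makefile: `SHELL := /bin/bash` together with `.SHELLFLAGS := -eu -o pipefail -c` (or `set -o pipefail` at the top of the recipe), so that a failed fetch or verification step at the head of a pipeline fails the build instead of silently handing an empty or partial result to the next stage.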
phantinuss (@phantinuss):
@zenitrame @cyb3rops @Mrs_DarkDonado I think that is a feasible solution for preventing an ever growing list but for clarity of the users it would need a public definition/specification on how VHASH is calculated. Is it available, yet? At least I haven't seen/found one yet.
0
0
0
0
Emiliano Martinez (@zenitrame):
@cyb3rops @Mrs_DarkDonado If it works significantly better than the vhash for those kinds of binaries, I would be inclined to have it be the vhash itself, just for go binaries. We start to have a pretty long list of clustering/similarity hashes and discovering them is challenging. Thoughts?
2
0
1
0
Florian Roth ⚡️ (@cyb3rops):
We've published a repository with the specs and proof-of-concept code in C as well as Go to calculate the import hash for Go based binaries named "gimphash" - your feedback is appreciated github.com/NextronSystems…
5
31
88
0
phantinuss (@phantinuss):
@zacjszewczyk @cyb3rops @sigma_hq No. The main motivation is: Rule authors most often test against the data given in a report (if the rule is tested at all), but have not easy access to data for testing for FPs. And this is the most simple way to share and use that "goodlogs".
0
0
0
0
Zac Szewczyk (@zacjszewczyk):
@cyb3rops @sigma_hq @phantinuss This is a pretty neat idea. I’ve seen CI/CD pipelines used to check rules but not to check for false positives. Have you published any writeups on this at all? Motivation, thought process, planning, execution, etc.
1
0
0
0
Florian Roth ⚡️ (@cyb3rops):
We've just released the free version of our #Sigma-based endpoint agent Aurora 🙌 I'm very glad that we can provide the community with such a powerful tool 💪 My plan is to produce tweets, blog posts, and some videos on use cases & tweaks in the coming weeks, so stay tuned ⚡️
Quoted tweet from Nextron Systems (@nextronsystems):

Aurora Lite v1.0 Release
After almost half a year of development, we are pleased to announce the release of the free version of our new Sigma-based endpoint agent named Aurora @sigma_hq #ETW #AuroraAgent #SIEM #SOC #Sigma nextron-systems.com/2022/04/04/aur…

12
137
431
0
phantinuss (@phantinuss):
@sEye_Intel @cyb3rops suspend is a supported predefined response but you can also use any sequence of commands as a custom response
1
0
0
0