Merge PR #4581 from @phantinuss - Remove in changlog, additional attribution, workflow optimization, FP tuning

phantinuss · nasbench · web-flow · commit 130227bc0570 · 2023-11-20T13:45:53.000+01:00
chore: run sigma rule repo tests only on specific paths
chore: add manual thanks and list removed rules in changelog
fix: Rundll32 Execution Without DLL File - remove command line restriction bc of numerous FPs

---------

Co-authored-by: Nasreddine Bencherchali &lt;8741929+nasbench@users.noreply.github.com&gt;
diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md
@@ -8,7 +8,7 @@ Thanks for your contribution. Please make sure to fill the contents of this temp
 
 <!--
 **Please note that this section is required and must be filled**
-A short summary of your pull request. 
+A short summary of your pull request.
 -->
 
 ### Changelog
@@ -19,13 +19,15 @@ You need to add one line for every changed file of the PR and prefix one of the
 new:	<title>
 update:	<title> - <optional comment>
 fix:	<title> - <optional comment>
+remove:	<title> - <optional comment>
 chore: for non-detection related changes (e.g. dates/titles) and changes on workflow
 
 e.g.
 new: Brute-Force Attacks on Azure Admin Account
 update: Suspicious Microsoft Office Child Process - add MSPUB.EXE
 fix: Malware User Agent - remove legitimate Firefox UA
 chore: workflow - update checkout version
+remove: Suspicious Office Execution - deprecated in favour of 8f922766-a1d3-4b57-9966-b27de37fddd2
 -->
 
 ### Example Log Event
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -24,10 +24,13 @@ jobs:
           git log --pretty=%B ${prev_tag}..${curr_tag} | grep -E '^\s*new: ' | sort | sed -e 's%^% - %' >> changes.txt
           if [[ $(git log --pretty=%B ${prev_tag}..${curr_tag} | grep -E '^\s*update: ' -c) -gt 0 ]]; then echo "### Updated Rules" >> changes.txt; fi
           git log --pretty=%B ${prev_tag}..${curr_tag} | grep -E '^\s*update: ' | sort | sed -e 's%^% - %' >> changes.txt
+          if [[ $(git log --pretty=%B ${prev_tag}..${curr_tag} | grep -E '^\s*remove: ' -c) -gt 0 ]]; then echo "### Removed / Deprecated Rules" >> changes.txt; fi
+          git log --pretty=%B ${prev_tag}..${curr_tag} | grep -E '^\s*remove: ' | sort | sed -e 's%^% - %' >> changes.txt
           if [[ $(git log --pretty=%B ${prev_tag}..${curr_tag} | grep -E '^\s*fix: ' -c) -gt 0 ]]; then echo "### Fixed Rules" >> changes.txt; fi
           git log --pretty=%B ${prev_tag}..${curr_tag} | grep -E '^\s*fix: ' | sort | sed -e 's%^% - %' >> changes.txt
           git log --pretty=%B ${prev_tag}..${curr_tag} | grep -ioP 'Merge PR #\d+ from \K(@\S+)' | sort -u > authors_raw.txt
           git log --pretty=%B ${prev_tag}..${curr_tag} | grep -oP "Co-authored-by: \K.*(?= <)" | sort -u | sed -e 's%^%@%' >> authors_raw.txt
+          git log --pretty=%B ${prev_tag}..${curr_tag} | grep -ioP "Thanks: \K.*" | sort -u >> authors_raw.txt
           LC_ALL=en_US.UTF-8 sort -u authors_raw.txt | grep -v 'dependabot\[bot\]' > authors.txt
           cat changes.txt >> changelog.txt
           echo "" >> changelog.txt
diff --git a/.github/workflows/sigma-test.yml b/.github/workflows/sigma-test.yml
@@ -7,27 +7,27 @@ on: # yamllint disable-line rule:truthy
   push:
     branches:
       - "*"
-    # paths:
-    #   - "deprecated/**.yml"
-    #   - "rules-compliance/**.yml"
-    #   - "rules-dfir/**.yml"
-    #   - "rules-emerging-threats/**.yml"
-    #   - "rules-placeholder/**.yml"
-    #   - "rules-threat-hunting/**.yml"
-    #   - "rules/**.yml"
-    #   - "unsupported/**.yml"
+    paths:
+      - "deprecated/**.yml"
+      - "rules-compliance/**.yml"
+      - "rules-dfir/**.yml"
+      - "rules-emerging-threats/**.yml"
+      - "rules-placeholder/**.yml"
+      - "rules-threat-hunting/**.yml"
+      - "rules/**.yml"
+      - "unsupported/**.yml"
   pull_request:
     branches:
       - master
-    # paths:
-    #   - "deprecated/**.yml"
-    #   - "rules-compliance/**.yml"
-    #   - "rules-dfir/**.yml"
-    #   - "rules-emerging-threats/**.yml"
-    #   - "rules-placeholder/**.yml"
-    #   - "rules-threat-hunting/**.yml"
-    #   - "rules/**.yml"
-    #   - "unsupported/**.yml"
+    paths:
+      - "deprecated/**.yml"
+      - "rules-compliance/**.yml"
+      - "rules-dfir/**.yml"
+      - "rules-emerging-threats/**.yml"
+      - "rules-placeholder/**.yml"
+      - "rules-threat-hunting/**.yml"
+      - "rules/**.yml"
+      - "unsupported/**.yml"
 
   # Allows you to run this workflow manually from the Actions tab
   workflow_dispatch:
diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_executable_invalid_extension.yml b/rules/windows/process_creation/proc_creation_win_rundll32_executable_invalid_extension.yml
@@ -6,7 +6,7 @@ references:
     - https://twitter.com/mrd0x/status/1481630810495139841?s=12
 author: Tim Shelton, Florian Roth (Nextron Systems), Yassine Oukessou (fix + fp)
 date: 2022/01/13
-modified: 2023/10/11
+modified: 2023/11/14
 tags:
     - attack.defense_evasion
     - attack.t1218.011
@@ -51,9 +51,6 @@ detection:
             - 'C:\Windows\Installer\MSI'
             - '.tmp'
             - 'zzzzInvokeManagedCustomActionOutOfProc'
-        CommandLine|contains:
-            - 'Avira.OE.Setup'
-            - 'FindOldJetBrainsProduct'
     condition: selection and not 1 of filter_*
 fields:
     - Image
