Add GitHub Actions workflow for Sigma rule generation and update formatting in sigma-gen.py

.github/workflows/sigma-gen.yml

@@ -0,0 +1,35 @@
+name: Generate Sigma Rules
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - 'yaml/**'
+  workflow_dispatch:
+
+permissions:
+  contents: write
+
+jobs:
+  generate-sigma:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4.2.0
+
+      - name: Set up Python
+        uses: actions/setup-python@v4.7.1
+        with:
+          python-version: '3.10'
+
+      - name: Install PyYAML
+        run: pip install pyyaml
+
+      - name: Generate Sigma rules
+        run: python bin/sigma-gen.py
+
+      - name: Git Auto Commit
+        uses: stefanzweifel/git-auto-commit-action@v4.15.4
+        with:
+          commit_message: Update Sigma rules [skip ci]
+          file_pattern: detections/sigma/*.yml

bin/sigma-gen.py

@@ -4,6 +4,9 @@
 import uuid
 from typing import Dict, List, Any
 
+# Namespace UUID for generating deterministic rule IDs
+LOLRMM_NAMESPACE = uuid.UUID("a1b2c3d4-e5f6-7890-abcd-ef1234567890")
+
 
 def extract_artifacts(yaml_data: Dict[str, Any]) -> Dict[str, List[str]]:
     artifacts = {"files": [], "registry": [], "network": [], "processes": []}
@@ -88,13 +91,16 @@ def write_sigma_rule(rule: Dict[str, Any], filepath: str) -> None:
                     if isinstance(subvalue, list):
                         # Single element: write inline, multiple elements: write as list
                         if len(subvalue) == 1:
-                            f.write(f"        {subkey}: {subvalue[0]}\n")
+                            val = subvalue[0].replace("'", "''")
+                            f.write(f"        {subkey}: '{val}'\n")
                         else:
                             f.write(f"        {subkey}:\n")
                             for item in subvalue:
-                                f.write(f"            - {item}\n")
+                                val = item.replace("'", "''")
+                                f.write(f"            - '{val}'\n")
                     else:
-                        f.write(f"        {subkey}: {subvalue}\n")
+                        val = subvalue.replace("'", "''")
+                        f.write(f"        {subkey}: '{val}'\n")
         f.write(f"    condition: {detection['condition']}\n")
 
         # Falsepositives
@@ -161,7 +167,7 @@ def generate_sigma_rules(yaml_file: str, output_dir: str) -> List[Dict[str, Any]
             # Create rule with proper field order
             rule = {
                 "title": rule_template["title"],
-                "id": str(uuid.uuid4()),
+                "id": str(uuid.uuid5(LOLRMM_NAMESPACE, rule_template["title"])),
                 "status": "experimental",
                 "description": f"Detects potential {artifact_type} activity of {name} RMM tool",
                 "references": ["https://github.com/magicsword-io/LOLRMM"],

detections/sigma/247ithelp.com__connectwise__network_sigma.yml

@@ -1,12 +1,12 @@
 title: Potential 247ithelp.com (ConnectWise) RMM Tool Network Activity
-id: 43e31a0e-0682-4a5b-9031-2c36d6cf829b
+id: 46a93cbf-d8b6-5ad5-ac4d-cbddd7fc5733
 status: experimental
 description: |
     Detects potential network activity of 247ithelp.com (ConnectWise) RMM tool
 references:
     - https://github.com/magicsword-io/LOLRMM
 author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
 tags:
     - attack.execution
     - attack.t1219
@@ -15,7 +15,7 @@ logsource:
     category: network_connection
 detection:
     selection:
-        DestinationHostname|endswith: *.247ithelp.com
+        DestinationHostname|endswith: '*.247ithelp.com'
     condition: selection
 falsepositives:
     - Legitimate use of 247ithelp.com (ConnectWise)

detections/sigma/247ithelp.com__connectwise__processes_sigma.yml

@@ -1,12 +1,12 @@
 title: Potential 247ithelp.com (ConnectWise) RMM Tool Process Activity
-id: ddbae18a-5f5b-4245-a754-33fc427a4162
+id: bb00e1fb-6ca9-59d2-b441-fcfc87ed759e
 status: experimental
 description: |
     Detects potential processes activity of 247ithelp.com (ConnectWise) RMM tool
 references:
     - https://github.com/magicsword-io/LOLRMM
 author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
 tags:
     - attack.execution
     - attack.t1219
@@ -15,9 +15,9 @@ logsource:
     category: process_creation
 detection:
     selection_parent:
-        ParentImage|endswith: Remote Workforce Client.exe
+        ParentImage|endswith: 'Remote Workforce Client.exe'
     selection_image:
-        Image|endswith: Remote Workforce Client.exe
+        Image|endswith: 'Remote Workforce Client.exe'
     condition: 1 of selection_*
 falsepositives:
     - Legitimate use of 247ithelp.com (ConnectWise)

detections/sigma/absolute__computrace__network_sigma.yml

@@ -1,12 +1,12 @@
 title: Potential Absolute (Computrace) RMM Tool Network Activity
-id: 1121ec6d-2ddb-4423-8722-397074293568
+id: 7a0e6218-bc60-5010-8890-6efa9223f650
 status: experimental
 description: |
     Detects potential network activity of Absolute (Computrace) RMM tool
 references:
     - https://github.com/magicsword-io/LOLRMM
 author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
 tags:
     - attack.execution
     - attack.t1219
@@ -16,8 +16,8 @@ logsource:
 detection:
     selection:
         DestinationHostname|endswith:
-            - *search.namequery.com
-            - *server.absolute.com
+            - '*search.namequery.com'
+            - '*server.absolute.com'
     condition: selection
 falsepositives:
     - Legitimate use of Absolute (Computrace)

detections/sigma/absolute__computrace__processes_sigma.yml

@@ -1,12 +1,12 @@
 title: Potential Absolute (Computrace) RMM Tool Process Activity
-id: 6633e0fe-00b0-4441-a635-35318721392f
+id: 4dc903cb-205b-516a-88cb-e4dc5181561f
 status: experimental
 description: |
     Detects potential processes activity of Absolute (Computrace) RMM tool
 references:
     - https://github.com/magicsword-io/LOLRMM
 author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
 tags:
     - attack.execution
     - attack.t1219
@@ -16,18 +16,18 @@ logsource:
 detection:
     selection_parent:
         ParentImage|endswith:
-            - rpcnet.exe
-            - ctes.exe
-            - ctespersitence.exe
-            - cteshostsvc.exe
-            - rpcld.exe
+            - 'rpcnet.exe'
+            - 'ctes.exe'
+            - 'ctespersitence.exe'
+            - 'cteshostsvc.exe'
+            - 'rpcld.exe'
     selection_image:
         Image|endswith:
-            - rpcnet.exe
-            - ctes.exe
-            - ctespersitence.exe
-            - cteshostsvc.exe
-            - rpcld.exe
+            - 'rpcnet.exe'
+            - 'ctes.exe'
+            - 'ctespersitence.exe'
+            - 'cteshostsvc.exe'
+            - 'rpcld.exe'
     condition: 1 of selection_*
 falsepositives:
     - Legitimate use of Absolute (Computrace)

detections/sigma/access_remote_pc_files_sigma.yml

@@ -1,12 +1,12 @@
 title: Potential Access Remote PC RMM Tool File Activity
-id: 1a263981-f6d4-4ba8-8ae3-16525d97c9b9
+id: 6ede7801-b64d-5315-8168-da1264d8bd71
 status: experimental
 description: |
     Detects potential files activity of Access Remote PC RMM tool
 references:
     - https://github.com/magicsword-io/LOLRMM
 author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
 tags:
     - attack.execution
     - attack.t1219
@@ -16,8 +16,8 @@ logsource:
 detection:
     selection:
         TargetFilename|endswith:
-            - C:\Program Files (x86)\RemotePC\RemotePCUIU.exe
-            - C:\Program Files (x86)\RemotePC\*
+            - 'C:\Program Files (x86)\RemotePC\RemotePCUIU.exe'
+            - 'C:\Program Files (x86)\RemotePC\*'
     condition: selection
 falsepositives:
     - Legitimate use of Access Remote PC

detections/sigma/acronis_cyber_protect__remotix__network_sigma.yml

@@ -1,12 +1,12 @@
 title: Potential Acronis Cyber Protect (Remotix) RMM Tool Network Activity
-id: 9e6372f6-47e7-4a2b-9306-2d7f2347cb62
+id: 09b5684f-5571-5607-9051-07f2b11e4fbe
 status: experimental
 description: |
     Detects potential network activity of Acronis Cyber Protect (Remotix) RMM tool
 references:
     - https://github.com/magicsword-io/LOLRMM
 author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
 tags:
     - attack.execution
     - attack.t1219
@@ -16,10 +16,10 @@ logsource:
 detection:
     selection:
         DestinationHostname|endswith:
-            - cloud.acronis.com
-            - agents*-cloud.acronis.com
-            - gw.remotix.com
-            - connect.acronis.com
+            - 'cloud.acronis.com'
+            - 'agents*-cloud.acronis.com'
+            - 'gw.remotix.com'
+            - 'connect.acronis.com'
     condition: selection
 falsepositives:
     - Legitimate use of Acronis Cyber Protect (Remotix)

detections/sigma/acronis_cyber_protect__remotix__processes_sigma.yml

@@ -1,12 +1,12 @@
 title: Potential Acronis Cyber Protect (Remotix) RMM Tool Process Activity
-id: 1c52dfd5-39b5-4891-86be-b20a5dd5443d
+id: 567d575d-1c03-5ce9-8dc8-dad4b7c5372d
 status: experimental
 description: |
     Detects potential processes activity of Acronis Cyber Protect (Remotix) RMM tool
 references:
     - https://github.com/magicsword-io/LOLRMM
 author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
 tags:
     - attack.execution
     - attack.t1219
@@ -16,12 +16,12 @@ logsource:
 detection:
     selection_parent:
         ParentImage|endswith:
-            - AcronisCyberProtectConnectQuickAssist*.exe
-            - AcronisCyberProtectConnectAgent.exe
+            - 'AcronisCyberProtectConnectQuickAssist*.exe'
+            - 'AcronisCyberProtectConnectAgent.exe'
     selection_image:
         Image|endswith:
-            - AcronisCyberProtectConnectQuickAssist*.exe
-            - AcronisCyberProtectConnectAgent.exe
+            - 'AcronisCyberProtectConnectQuickAssist*.exe'
+            - 'AcronisCyberProtectConnectAgent.exe'
     condition: 1 of selection_*
 falsepositives:
     - Legitimate use of Acronis Cyber Protect (Remotix)

detections/sigma/action1_files_sigma.yml

@@ -1,12 +1,12 @@
 title: Potential Action1 RMM Tool File Activity
-id: 0e4ac9ba-0f84-4437-b952-3a5ff816eef3
+id: ecb5ed8f-5729-51f5-9a54-3a6557cd7d9e
 status: experimental
 description: |
     Detects potential files activity of Action1 RMM tool
 references:
     - https://github.com/magicsword-io/LOLRMM
 author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
 tags:
     - attack.execution
     - attack.t1219
@@ -16,11 +16,11 @@ logsource:
 detection:
     selection:
         TargetFilename|endswith:
-            - C:\Windows\Action1\action1_agent.exe
-            - C:\Windows\Action1\*
-            - C:\Windows\Action1\scripts\*
-            - C:\Windows\Action1\rule_data\*
-            - C:\Windows\Action1\action1_log_*.log
+            - 'C:\Windows\Action1\action1_agent.exe'
+            - 'C:\Windows\Action1\*'
+            - 'C:\Windows\Action1\scripts\*'
+            - 'C:\Windows\Action1\rule_data\*'
+            - 'C:\Windows\Action1\action1_log_*.log'
     condition: selection
 falsepositives:
     - Legitimate use of Action1

detections/sigma/action1_network_sigma.yml

@@ -1,12 +1,12 @@
 title: Potential Action1 RMM Tool Network Activity
-id: 22015403-2881-4c36-ba1b-aff8da000ae6
+id: 4f70ef33-917d-5993-bd3c-e8511ac16c9d
 status: experimental
 description: |
     Detects potential network activity of Action1 RMM tool
 references:
     - https://github.com/magicsword-io/LOLRMM
 author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
 tags:
     - attack.execution
     - attack.t1219
@@ -16,8 +16,8 @@ logsource:
 detection:
     selection:
         DestinationHostname|endswith:
-            - *.action1.com
-            - a1-backend-packages.s3.amazonaws.com
+            - '*.action1.com'
+            - 'a1-backend-packages.s3.amazonaws.com'
     condition: selection
 falsepositives:
     - Legitimate use of Action1

detections/sigma/action1_registry_sigma.yml

@@ -1,12 +1,12 @@
 title: Potential Action1 RMM Tool Registry Activity
-id: 641f0d60-932c-45c2-8feb-03143209c7ee
+id: 2841f3b2-7212-5b7c-83a8-f301ccb46d6f
 status: experimental
 description: |
     Detects potential registry activity of Action1 RMM tool
 references:
     - https://github.com/magicsword-io/LOLRMM
 author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
 tags:
     - attack.execution
     - attack.t1219
@@ -16,9 +16,9 @@ logsource:
 detection:
     selection:
         TargetObject|contains:
-            - HKLM\System\CurrentControlSet\Services\A1Agent
-            - HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\Windows Error Reporting\LocalDumps\action1_agent.exe
-            - HKLM\SOFTWARE\WOW6432Node\Action1
+            - 'HKLM\System\CurrentControlSet\Services\A1Agent'
+            - 'HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\Windows Error Reporting\LocalDumps\action1_agent.exe'
+            - 'HKLM\SOFTWARE\WOW6432Node\Action1'
     condition: selection
 falsepositives:
     - Legitimate use of Action1

detections/sigma/addigy_network_sigma.yml

@@ -1,12 +1,12 @@
 title: Potential Addigy RMM Tool Network Activity
-id: 43757bb8-b54f-41be-9e96-8099c0dc9a16
+id: 19353241-8add-5556-8a66-870cdecfa84d
 status: experimental
 description: |
     Detects potential network activity of Addigy RMM tool
 references:
     - https://github.com/magicsword-io/LOLRMM
 author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
 tags:
     - attack.execution
     - attack.t1219
@@ -16,9 +16,9 @@ logsource:
 detection:
     selection:
         DestinationHostname|endswith:
-            - prod.addigy.com
-            - grtmprod.addigy.com
-            - agents.addigy.com
+            - 'prod.addigy.com'
+            - 'grtmprod.addigy.com'
+            - 'agents.addigy.com'
     condition: selection
 falsepositives:
     - Legitimate use of Addigy