Merge branch 'master' into patch-2

Author: swachchhanda000

.github/workflows/known-FPs.csv

@@ -70,4 +70,7 @@ ef9dcfed-690c-4c5d-a9d1-482cd422225c;Browser Execution In Headless Mode;.*
 65236ec7-ace0-4f0c-82fd-737b04fd4dcb;EVTX Created In Uncommon Location;Computer: (DESKTOP-6D0DBMB|WinDev2310Eval)
 de587dce-915e-4218-aac4-835ca6af6f70;Potential Persistence Attempt Via Run Keys Using Reg.EXE;\\Discord\\
 24357373-078f-44ed-9ac4-6d334a668a11;Direct Autorun Keys Modification;Discord\.exe
+8fbf3271-1ef6-4e94-8210-03c2317947f6;Cred Dump Tools Dropped Files;Svchost\.exe
+c7da8edc-49ae-45a2-9e61-9fd860e4e73d;PUA - Sysinternals Tools Execution - Registry;.*
+dcff7e85-d01f-4eb5-badd-84e2e6be8294;Windows Default Domain GPO Modification via GPME;Computer: WIN-FPV0DSIC9O6.sigma.fr
 5a6b7c8d-9e0f-1a2b-3c4d-5e6f7a8b9c0d;Cmd Launched with Hidden Start Flags to Suspicious Targets;xampp

.github/workflows/ref-archiver.yml

@@ -18,7 +18,7 @@ jobs:
       with:
         submodules: true
     - name: Set up Python 3.11
-      uses: actions/setup-python@v6.0
+      uses: actions/setup-python@v6
       with:
         python-version: 3.11
     - name: Execute Reference Archiver

.github/workflows/regression-tests.yml

@@ -0,0 +1,31 @@
+name: Regression Tests
+
+on: [push, pull_request, workflow_dispatch]
+
+env:
+  EVTX_BASELINE_VERSION: v0.8.2
+
+jobs:
+  true-positive-tests:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v5
+
+    - name: Set up Python
+      uses: actions/setup-python@v6
+      with:
+        python-version: '3.11'
+
+    - name: Install Python dependencies
+      run: |
+        python -m pip install --upgrade pip
+        pip install pyyaml
+
+    - name: Download evtx-sigma-checker
+      run: |
+        wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/evtx-sigma-checker
+        chmod +x evtx-sigma-checker
+
+    - name: Run regression tests
+      run: |
+        python tests/regression_tests_runner.py --rules-paths rules rules-emerging-threats rules-threat-hunting --evtx-checker ./evtx-sigma-checker --thor-config tests/thor.yml --ignore-validation

.github/workflows/sigma-rule-deprecated.yml

@@ -18,7 +18,7 @@ jobs:
       with:
         submodules: true
     - name: Set up Python 3.11
-      uses: actions/setup-python@6.0
+      uses: actions/setup-python@v6
       with:
         python-version: 3.11
     - name: Execute deprecated rules script

.github/workflows/sigma-rule-promoter.yml

@@ -1,55 +1,56 @@
-name: "Promote Experimental Rules To Test"
-
-on:
-  #push:
-  #  branches:
-  #      - "*"
-  schedule:
-    - cron: "0 0 1 * *" # At 00:00 on day-of-month 1.
-  
-  # Allows you to run this workflow manually from the Actions tab
-  workflow_dispatch:
-
-jobs:
-  pull-master:
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/checkout@v5
-      with:
-        submodules: true
-    - name: Set up Python 3.11
-      uses: actions/[email protected]
-      with:
-        python-version: 3.11
-    - name: Execute Rule Promoter Script
-      run: |
-        pip install pySigma
-        python tests/promote_rules_status.py
-    - name: Create Pull Request
-      uses: peter-evans/create-pull-request@v7
-      with:
-        reviewers: nasbench, frack113, phantinuss
-        delete-branch: true
-        commit-message: 'chore: promote older rules status from `experimental` to `test`'
-        branch: 'create-pull-request/rule-promotion'
-        title: 'Promote Older Rules From `experimental` to `test`'
-        body: |
-          ### Summary of the Pull Request
-
-          This PR promotes and upgrade the status of rules that haven't been changed for over 300 days from `experimental` to `test`
-
-          ### Changelog
-
-          chore: promote older rules status from `experimental` to `test`
-
-          ### Example Log Event
-
-          N/A
-
-          ### Fixed Issues
-
-          N/A
-
-          ### SigmaHQ Rule Creation Conventions
-          
-          - If your PR adds new rules, please consider following and applying these [conventions](https://github.com/SigmaHQ/sigma-specification/blob/main/sigmahq/sigmahq_conventions.md)
+#name: "Promote Experimental Rules To Test"
+#
+#on:
+#  #push:
+#  #  branches:
+#  #      - "*"
+#  schedule:
+#    - cron: "0 0 1 * *" # At 00:00 on day-of-month 1.
+#  
+#  # Allows you to run this workflow manually from the Actions tab
+#  workflow_dispatch:
+#
+#jobs:
+#  pull-master:
+#    runs-on: ubuntu-latest
+#    steps:
+#    - uses: actions/checkout@v5
+#      with:
+#        submodules: true
+#    - name: Set up Python 3.11
+#      uses: actions/setup-python@v6
+#      with:
+#        python-version: 3.11
+#    - name: Execute Rule Promoter Script
+#      run: |
+#        pip install pySigma
+#        python tests/promote_rules_status.py
+#    - name: Create Pull Request
+#      uses: peter-evans/create-pull-request@v7
+#      with:
+#        reviewers: nasbench, frack113, phantinuss
+#        delete-branch: true
+#        commit-message: 'chore: promote older rules status from `experimental` to `test`'
+#        branch: 'create-pull-request/rule-promotion'
+#        title: 'Promote Older Rules From `experimental` to `test`'
+#        body: |
+#          ### Summary of the Pull Request
+#
+#          This PR promotes and upgrade the status of rules that haven't been changed for over 300 days from `experimental` to `test`
+#
+#          ### Changelog
+#
+#          chore: promote older rules status from `experimental` to `test`
+#
+#          ### Example Log Event
+#
+#          N/A
+#
+#          ### Fixed Issues
+#
+#          N/A
+#
+#          ### SigmaHQ Rule Creation Conventions
+#          
+#          - If your PR adds new rules, please consider following and applying these [conventions](https://github.com/SigmaHQ/sigma-specification/blob/main/sigmahq/sigmahq_conventions.md)
+#

.github/workflows/sigma-test.yml

@@ -62,7 +62,7 @@ jobs:
       run: |
         pip install pysigma
         pip install sigma-cli
-        pip install pySigma-validators-sigmahq==0.12.*
+        pip install pySigma-validators-sigmahq==0.20.*
     - name: Test Sigma Rule Syntax
       run: |
         sigma check --fail-on-error --fail-on-issues --validation-config tests/sigma_cli_conf.yml rules*

…ux/builtin/lnx_space_after_filename_.yml …ated/linux/lnx_space_after_filename_.ymlrules/linux/builtin/lnx_space_after_filename_.yml renamed to deprecated/linux/lnx_space_after_filename_.yml rules/linux/builtin/lnx_space_after_filename_.yml renamed to deprecated/linux/lnx_space_after_filename_.yml

@@ -1,10 +1,10 @@
 title: Space After Filename
 id: 879c3015-c88b-4782-93d7-07adf92dbcb7
-status: test
+status: deprecated
 description: Detects space after filename
 author: Ömer Günal
 date: 2020-06-17
-modified: 2021-11-27
+modified: 2025-11-22
 tags:
     - attack.execution
     - attack.t1059

…ation_macos_malware_amos_filegrabber.yml …_macos_malware_amos_filegrabber_exec.ymlrules-emerging-threats/2025/Malware/filegrabber/proc_creation_macos_malware_amos_filegrabber.yml renamed to deprecated/macos/proc_creation_macos_malware_amos_filegrabber_exec.yml rules-emerging-threats/2025/Malware/filegrabber/proc_creation_macos_malware_amos_filegrabber.yml renamed to deprecated/macos/proc_creation_macos_malware_amos_filegrabber_exec.yml

@@ -1,12 +1,14 @@
-title: MacOS FileGrabber Infostealer
+title: Atomic MacOS Stealer - FileGrabber Infostealer Execution
 id: e710a880-1f18-4417-b6a0-b5afdf7e305a
-status: experimental
-description: Detects execution of FileGrabber on macOS, which is associated with Amos infostealer campaigns targeting sensitive user files.
+status: deprecated
+description: |
+    Detects the execution of FileGrabber on macOS, which is associated with Amos infostealer campaigns targeting sensitive user files.
 references:
     - https://www.trendmicro.com/en_us/research/25/i/an-mdr-analysis-of-the-amos-stealer-campaign.html
     - https://www.jamf.com/blog/infostealers-pose-threat-to-macos/
 author: Jason Phang Vern - Onn (Gen Digital)
 date: 2025-09-12
+modified: 2025-11-22
 tags:
     - attack.execution
     - attack.t1059.002

…n/proc_creation_win_filefix_browsers.yml …s/proc_creation_win_filefix_browsers.ymlrules/windows/process_creation/proc_creation_win_filefix_browsers.yml renamed to deprecated/windows/proc_creation_win_filefix_browsers.yml rules/windows/process_creation/proc_creation_win_filefix_browsers.yml renamed to deprecated/windows/proc_creation_win_filefix_browsers.yml

@@ -1,6 +1,6 @@
 title: FileFix - Suspicious Child Process from Browser File Upload Abuse
 id: 4be03877-d5b6-4520-85c9-a5911c0a656c
-status: experimental
+status: deprecated
 description: |
     Detects potentially suspicious subprocesses such as LOLBINs spawned by web browsers. This activity could be associated with the "FileFix" social engineering technique,
     where users are tricked into launching the file explorer via a browser-based phishing page and pasting malicious commands into the address bar.
@@ -9,7 +9,7 @@ references:
     - https://mrd0x.com/filefix-clickfix-alternative/
 author: 0xFustang
 date: 2025-06-26
-modified: 2025-06-30
+modified: 2025-11-24
 tags:
     - attack.execution
     - attack.t1204.004