http://open-source-security-software.net/project/sigma/releases.atom Recent releases for sigma 2024-04-30T01:22:58.236269+00:00 python-feedgen sigma v0.8.1 sigma v0.8.1 2013-07-04T21:30:36+00:00 Fix import in setup.py preventing 0.8.0 installs and a couple small fixes from Lukas Lueg and Isis Lovecruft 2013-07-04T21:30:36+00:00 sigma v0.9.1 sigma v0.9.1 2014-01-20T19:32:24+00:00 I am pleased to announce that txtorcon v0.9.1 is now available. This release adds quite a few minor bug-fixes, simplifies GeoIP handling (with support for both pre- and post 0.3 pygeoip APIs), a tutorial-style walkthrough, the availability of a "wheel" distribution and uses "twine" to do the uploads (allowing me to actually test the signed tarball and whl files before uploading). Full list of improvements: - put test/ directory at the top level - using http://nedbatchelder.com/code/coverage tool instead of custom script - using coveralls.io and travis-ci.org for test coverage and continuous integration - issue #56: added Circuit.close() and Stream.close() starting from aagbsn's patch - parsing issues with multi-line keyword discovered and resolved - preserve router nicks from long-names if consensus lacks an entry (e.g. 
bridges) - using https://github.com/dstufft/twine for releases - "Wheel" release now also available - issue #57: "python setup.py develop" now supported - issue #59: if tor_launch() times out, Tor is properly killed (starting with pull-request from Ryman) - experimental docker.io-based tests (for HS listening, and tor_launch() timeouts) - issue #55: pubkey link on readthedocs - issue #63 - clean up GeoIP handling, and support pygeoip both pre and post 0.3 - slightly improve unit-test coverage (now at 97%, 61 lines out of 2031 missing) - added a walkthrough to the documentation sha256 sums for the distribution files: 68e21f719f6541448c0ec8e4a95787a0fe13452dd4086631ffdce79b47134e37 txtorcon-0.9.1.tar.gz b92fb5a767eeb3c3d1ec7626fb992d76c73f068e00e69bda51cdbbfc8868eba7 txtorcon-0.9.1-py27-none-any.whl Note that there are cryptographic signatures in the github repository, linked and hosted on readthedocs as well as via the hidden service. Also note that you did not miss out on 0.9.0; I screwed up the tarball upload to PyPI resulting in a signature mismatch and pypi doesn't let you re-upload a tarball. Thanks, meejah 2014-01-20T19:32:24+00:00 sigma v0.9.2 sigma v0.9.2 2014-04-24T19:25:30+00:00 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I am happy to announce that txtorcon v0.9.2 is now available. This release adds a few minor bug-fixes and a few API enhancements. 
Full details: - add on_disconnect callback for TorControlProtocol (no more monkey-patching Protocol API) - add age() method to Circuit - add time_created property to Circuit - don't incorrectly listen for NEWDESC events in TorState - add .flags dict to track flags in Circuit, Stream - build_circuit() can now take hex IDs (as well as Router instances) - add unique_name property to Router (returns the hex id, unless Named then return name) - add location property to Router - TorState.close_circuit now takes either a Circuit ID or Circuit instance - TorState.close_stream now takes either a Stream ID or Stream instance - support both GeoIP API versions - more test-coverage - small patch from enriquefynn improving tor binary locating - strip OK lines in TorControlProtocol (https://github.com/meejah/txtorcon/issues/8) - use TERM not KILL when Tor launch times out (https://github.com/meejah/txtorcon/pull/68>) from hellais - Unit-test coverage now at 98% sha256 sums for the distribution files: 93e934f83e3fc6fcf40e76f7c9c28459af04205fb912d384aaacb7ac5269bb8f dist/txtorcon-0.9.2-py2-none-any.whl fe90743cdc453002ad046aa6556b611b4e85b813ff92865769d3d27712c2ca47 dist/txtorcon-0.9.2.tar.gz There are also signatures on github and txtorcon.readthedocs.org You may download from github or the hidden service: https://github.com/meejah/txtorcon/releases/tag/v0.9.2 https://github.com/meejah/txtorcon/releases/download/v0.9.2/txtorcon-0.9.2-py2-none-any.whl https://github.com/meejah/txtorcon/releases/download/v0.9.2/txtorcon-0.9.2-py2-none-any.whl.asc https://github.com/meejah/txtorcon/releases/download/v0.9.2/txtorcon-0.9.2.tar.gz https://github.com/meejah/txtorcon/releases/download/v0.9.2/txtorcon-0.9.2.tar.gz.asc http://timaq4ygg2iegci7.onion/txtorcon-0.9.2.tar.gz http://timaq4ygg2iegci7.onion/txtorcon-0.9.2.tar.gz.asc Source code: https://github.com/meejah/txtorcon/archive/v0.9.2.tar.gz Thanks, meejah -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) 
iQEcBAEBAgAGBQJTWVf5AAoJEMJgKAMSgGmn07kIAKSwjBck76dyN1lWJj0fRl/f BevLpnp+rb+ge5hBAeKfsVTYciDBZeSo8/fE44wTNh5Qj9HEhFopVC4WF61rIFU+ 4IkpnFvfmVEd8Iu1vqQ/hFmP1jrvT8T+nTbaTGkcoCSPI+GyXkbxLqcl0Fncq51M M0OIRphyWA7EK3YoZ2Q1BOEIwsN0pwERYUhU0CGS45L7OZmyw86RXTMBZpBnNXrD 5VjQdpx8fvrV2iCRXi/k/e2Jy/xqs8o0I2+o9M6WrBiGCs5S9YbjsAKzRb7dsaBZ RlRAdKUjyzkquPl4K8E5ocDToB1hIGvqCSp7s11a5rq5T/jUiDMYrjkxIXH1Yg4= =W7+f -----END PGP SIGNATURE----- 2014-04-24T19:25:30+00:00 sigma v0.10.0 sigma v0.10.0 2014-06-15T16:21:09+00:00 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I'm excited to announce txtorcon 0.10.0 which adds support for Twisted's endpoint strings. This means that ANY Twisted program that uses endpoints can accept "onion:" strings to bring up a hidden services easily (by launching a new Tor instance). Typically, no code changes to the application should be needed (just "pip install txtorcon"). "twistd" supports endpoints, so for example to serve some Web content from ~/public_html as a hidden-serivce, we can do this (with txtorcon installed): twistd web --port onion:80 --path ~/public_html Some examples of other valid "onion:" endpoint strings: onion:80:hiddenServiceDir=/dev/shm/hidsrv onion:80:controlPort=9050:hiddenServiceDir=/srv/hidden The first allows specifying existing hidden service keys and the second says to connect to an already-running Tor instance. Thanks to David Stainton (dawuud) for the initial pull-request (and continued collaboration) that made this happen. 
There is a complete demonstration of the power of this Fully Operational endpoint-station here: https://txtorcon.readthedocs.org/en/latest/howtos.html#endpoints-enable-tor-with-any-twisted-service You can download the release from PyPI or GitHub (or of course use "pip install txtorcon"): https://pypi.python.org/pypi/txtorcon/0.10.0 https://github.com/meejah/txtorcon/releases/tag/v0.10.0 sha256sum reports: 910ff3216035de0a779cfc167c0545266ff1f26687b163fc4655f298aca52d74 txtorcon-0.10.0-py2-none-any.whl c93f3d0f21d53c6b4c1521fc8d9dc2c9aff4a9f60497becea207d1738fa78279 txtorcon-0.10.0.tar.gz thanks, meejah -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQEcBAEBAgAGBQJTnTM5AAoJEMJgKAMSgGmnB5EIAIJACHhd7PEWYfCZmB8lL1pr J4rrhUuXD1iI7zJJL/rmS/SZLL+34JoKke6iQsBRGYzU0GRK2JQkFAeMq++AMdMu QvoTg745OhnMSbZyCyS6buN/NhAVcmD3GYI9h8TK60jfUPEFn7+sDstMG4OePdgq X0QQHBuJq9XtDwEmRWFHq2Aht//7J2DUliPPjtwT3C4FhPT5pXxasvfQA4jOYxsO jTja6UE4/4TnonV5gB/chijp60cKvVxFQi86mKuNnVaKTZu+QCZFJtXkr/DbRSxv CJ+z7jJ9s8xhfQ5Nkv9pkVAreH6w9bemc/iijKlZmQGYvLBTsvISPATyWGtn1f4= =wIVZ -----END PGP SIGNATURE----- 2014-06-15T16:21:09+00:00 sigma v0.10.1 sigma v0.10.1 2014-07-20T22:24:50+00:00 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hello, A new minor release of txtorcon exists, fixing a couple bugs introduced along with the endpoints feature in 0.10.0: - issue #78: Add tox tests and fix for Twisted 12.0.0 (and prior), as this is what Debian squeeze ships - issue #77: properly expand relative and tilde paths for hiddenServiceDir via endpoints - fix bug incorrectly issuing RuntimeError in brief window of time on event-listeners You can download the release from PyPI or GitHub (or of course "pip install txtorcon"): https://pypi.python.org/pypi/txtorcon/0.10.1 https://github.com/meejah/txtorcon/releases/tag/v0.10.1 sha256sum reports: 33f04523329b14accb2054b81c5da887c28b402c797ba895dc1ee58824e107f1 txtorcon-0.10.1-py2-none-any.whl 7a6e8fab71fd05c223d866b60b998cf308661ef1fc87d94e06c3b51f4ada4a6a 
txtorcon-0.10.1.tar.gz thanks, meejah -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQEbBAEBAgAGBQJTzD25AAoJEMJgKAMSgGmnB8IH+MnRyCCKMgPJ2GjV01K+PVaU UgvUXhaqLdQUbViKeYy7KNst9d8Dm3ejHr21kedE8oeY/ztHlLdvtJtgWWvTOrTI qqh4wWfBVHeibSgsEzwNVdeJ3MtERPWuCrIkIWnathbVjfnkRW+cLPOtJUWtSi/d pdN4ZC+K1jBvSeHPCDhf8sXSqdzsOxXOWn/9SUaa70c7kMrbxjMxO1Jw/miqftMq /wo0vyXn4EeEdURa9hYFpUqgUbUFl6C1KiELNeHWtwGbGWku17bNgQn5HH7uY4/6 RODYBaAT327062m81ig7zQ6MmxKcngIG4Ic3qvJYeLerO/EnnNvzSs3Q+EGQeg== =nsEx -----END PGP SIGNATURE----- 2014-07-20T22:24:50+00:00 sigma v0.11.0 sigma v0.11.0 2014-08-16T15:19:48+00:00 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 txtorcon 0.11.0 is now released. This adds a few API improvements: - launch_tor() allows access to stdout, stderr in real-time and control whether we kill Tor on and stderr output. See issue #79. - Warning about `build_circuit` being called without a guard first is now optional (default is still warn) (from arlolra) - available_tcp_port() now in util (from arlolra) - TorState now has a .routers_by_hash member (from arlolra) You can download the release from PyPI or GitHub (or of course "pip install txtorcon"): https://pypi.python.org/pypi/txtorcon/0.11.0 https://github.com/meejah/txtorcon/releases/tag/v0.11.0 sha256sum reports: 5efb7ba4faf698e68daea3d8711ce0ecfd8b95501cbec00b2093dd99f72dc8cc txtorcon-0.11.0-py2-none-any.whl aa206ab8a31053fd34798659c3d4cd7354a3e6872a86065c55098866df3dcaca txtorcon-0.11.0-py2-none-any.whl.asc ecb7cc8ee002ead5481c17fd62576521862e93081c58d7118f53cf3c8817f857 txtorcon-0.11.0.tar.gz 76ee6983269347d475ff4df9aefb7c43ddd25d24dd67c4e3293f5c8557377652 txtorcon-0.11.0.tar.gz.asc txtorcon 0.10.1 is in Debian, and no doubt this release will migrate there quickly as usual (thanks to Lunar^) thanks, meejah -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQEcBAEBAgAGBQJT7vo4AAoJEMJgKAMSgGmnzjsH/36wtSA2Cb1coSuK+5hGNIGa flmGETgEOo4mHRCnSLQdO5JrXAKR9zeEt9tT9IfCTO1kRy4Q5cqzE569RhPsciBn 
1g3fMlgXewjJuXx1atefO1sbqQgK74TsIqxkGnK85LEUOcqIcW71JT8lI6CDn3xg LymqLLhbC28uYLot+Y0/KPAME7MAlgugny5Me2sGzey1aKfjZhPXQ6gRJsGVlPjQ qhMD6ck9Xe+QZNkE4udzEzNkvA7Og/HJdwwi3yC/ENKcWKit/9PeKvmttVjyQ9Aj KGeN2CMA5jTHHznvohvAKgeUnkDDR4tqpcoKdJZjCVg9yAaaiNoPw2wj/3O3tTw= =elqw -----END PGP SIGNATURE----- 2014-08-16T15:19:48+00:00 sigma v0.12.0 sigma v0.12.0 2015-02-03T21:16:06+00:00 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I'm pleased to announce txtorcon 0.12.0. Full list of improvements: - doc, code and import cleanups from Kali Kaneko - HiddenServiceDirGroupReadable support - Issue #80: honour "ControlPort 0" in incoming TorConfig instance. The caller owns both pieces: you have to figure out when it's bootstraped, and are responsible for killing it off. - Issue #88: clarify documentation and fix appending to some config lists - If GeoIP data isn't loaded in Tor, it sends protocol errors; if txtorcon also hasn't got GeoIP data, the queries for country-code fail; this error is now ignored. - 100% unit-test coverage! 
- PyPy support (as in: all tests pass) - TCP4HiddenServiceEndpoint now waits for descriptor upload before the listen() call does its callback (this means when using "onion:" endpoint strings, or any of the endpoints APIs your hidden service is 100% ready for action when you receive the callback) - "TorControlProtocol now has an ".all_routers" member, which is a set() of all Routers - TimeIntervalCommaList from Tor config supported - documentation fix from "sammyshj" You can download the release from PyPI or GitHub (or of course "pip install txtorcon"): https://pypi.python.org/pypi/txtorcon/0.12.0 https://github.com/meejah/txtorcon/releases/tag/v0.12.0 Releases are also available from the hidden service: http://timaq4ygg2iegci7.onion/txtorcon-0.12.0.tar.gz http://timaq4ygg2iegci7.onion/txtorcon-0.12.0.tar.gz.asc You can verify the sha256sum of both by running the following 4 lines in a shell wherever you have the files downloaded: cat <<EOF | sha256sum --check 206b1bd8a840119c12d9b85d638ab9defec5b376436fa36be9139ab1ebc8cd78 txtorcon-0.12.0.tar.gz 4e4f6aa2ec677f6c27bff41d17888d31a979f6b831a20501101b39ca93ede9da txtorcon-0.12.0-py2-none-any.whl EOF thanks, meejah -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQEcBAEBAgAGBQJU0TWHAAoJEMJgKAMSgGmnDEoH/AriLbAyImmcfmRy5C2YcVth eJyXRhHTXc6WBh0tBgryt88o5n55XAwiqNoAwslLvS4RS6w9NEzA9zusimuVYEZs CV10NeC5PiXHJ6qDlcJ+FPsHhWk4zt49wGtaqyfGK/8aZm9enQwiMH6j9Iwx6il0 rLFwm7RoukPTW8dn3oR67QFYwdpHD7cCQW8e6uajpQuBCeNr2nljRpVLFM/6hueh shIAAmPGfBQ2vR16QOQDyJMCLk7oKj0xtzok8O4fWBof1+h3JvMQqphEYlgtE5Lh 9W0XgG/ugrrhjIIoKc29+4Io5vaqKjHcGfqEyJyEimppgGB/6YTX2fJNw2R3Op4= =vaqH -----END PGP SIGNATURE----- 2015-02-03T21:16:06+00:00 sigma v0.13.0 sigma v0.13.0 2015-05-10T07:48:00+00:00 I'm pleased to announce txtorcon 0.13.0. This adds several amazing features, including levitation. Full list of improvements: - support basic and stealth hidden service authorization, and parse client_keys files. 
- 2x speedup for TorState parsing (mostly by lazy-parsing timestamps) - can now parse ~75000 microdescriptors/second per core of 3.4GHz Xeon E3 - launch_tor now doesn't use a temporary torrc (command-line options instead) - tons of pep8 cleanups - several improvements to hidden-service configuration from sambuddhabasu1 - populate valid signals from GETINFO signals/names from sambuddhabasu1 You can download the release from PyPI or GitHub (or of course "pip install txtorcon"): https://pypi.python.org/pypi/txtorcon/0.13.0 https://github.com/meejah/txtorcon/releases/tag/v0.13.0 Releases are also available from the hidden service: http://timaq4ygg2iegci7.onion/txtorcon-0.13.0.tar.gz http://timaq4ygg2iegci7.onion/txtorcon-0.13.0.tar.gz.asc You can verify the sha256sum of both by running the following 4 lines in a shell wherever you have the files downloaded: cat <<EOF | sha256sum --check 3218d0fa0c22f49eee9324a5862b2d53ef77d5cb8e555e2bcffc24070aaeca7d txtorcon-0.13.0.tar.gz de266cd1b35cc2d9f4600e510d9d3a5645771d36ce36a5888a2828594feb1ef0 txtorcon-0.13.0-py2-none-any.whl EOF thanks, meejah 2015-05-10T07:48:00+00:00 sigma v0.15.0 sigma v0.15.0 2016-07-26T23:24:03+00:00 I'm happy to announce txtorcon 0.15.0: - added support for NULL control-port-authentication which is often appropriate when used with a UNIX domain socket - switched to https://docs.python.org/3/library/ipaddress.html instead of Google's ipaddr; the API should be the same from a user perspective but **packagers and tutorials** will want to change their instructions slightly (`pip install ipaddress` or `apt-get install python-ipaddress` are the new ways). - support the new ADD_ONION and DEL_ONION "ephemeral hidden services" commands in TorConfig - a first stealth-authentication implementation (for "normal" hidden services, not ephemeral) - bug-fix from https://github.com/david415 to raise ConnectionRefusedError instead of StopIteration when running out of SOCKS ports. 
- new feature from https://github.com/david415 adding a `build_timeout_circuit` method which provides a Deferred that callbacks only when the circuit is completely built and errbacks if the provided timeout expires. This is useful because :doc:`TorState.build_circuit` callbacks as soon as a Circuit instance can be provided (and then you'd use :doc:`Circuit.when_built` to find out when it's done building). - new feature from https://github.com/coffeemakr falling back to password authentication if cookie authentication isn't available (or fails, e.g. because the file isn't readable). - both TorState and TorConfig now have a `.from_protocol` class-method. - spec-compliant string-un-escaping from https://github.com/coffeemakr - fix https://github.com/meejah/txtorcon/issues/176 You can download the release from PyPI or GitHub (or of course "pip install txtorcon"): https://pypi.python.org/pypi/txtorcon/0.15.0 https://github.com/meejah/txtorcon/releases/tag/v0.15.0 Releases are also available from the hidden service: http://timaq4ygg2iegci7.onion/txtorcon-0.15.0.tar.gz http://timaq4ygg2iegci7.onion/txtorcon-0.15.0.tar.gz.asc You can verify the sha256sum of both by running the following 4 lines in a shell wherever you have the files downloaded: cat <<EOF | sha256sum --check f2e8cdb130aa48d63c39603c2404d9496c669fa8b4c724497ca6bfa7752a9475 dist/txtorcon-0.15.0.tar.gz a359fb5e560263499400018262494378b3d347cd04a361adb08939df95ecedf6 dist/txtorcon-0.15.0-py2-none-any.whl EOF thanks, meejah 2016-07-26T23:24:03+00:00 sigma v0.16.1 sigma v0.16.1 2016-09-01T00:32:36+00:00 ``` -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I'm very happy to announce txtorcon 0.16.1 which adds a couple minor features to help support using Foolscap and Tahoe-LAFS over Tor. * issue 172: give TorProcessProtocol a .quit method * issue 181: enable SOCKS5-over-unix-sockets for TorClientEndpoint (thanks to "dawuud"). Also adds TLS support over SOCKS5. 
You can download the release from PyPI or GitHub (or of course "pip install txtorcon"): https://pypi.python.org/pypi/txtorcon/0.16.1 https://github.com/meejah/txtorcon/releases/tag/v0.16.1 Releases are also available from the hidden service: http://timaq4ygg2iegci7.onion/txtorcon-0.16.1.tar.gz http://timaq4ygg2iegci7.onion/txtorcon-0.16.1.tar.gz.asc You can verify the sha256sum of both by running the following 4 lines in a shell wherever you have the files downloaded: cat <<EOF | sha256sum --check d551837025bb9f4fdded58cd11025c6e42924b6eb20dcb2a49f182b3fd85f377 dist/txtorcon-0.16.1.tar.gz e89a785f64f3544b19f7b1e6cebdbd6914475e0c60f508d9f0b6ce4a840769a7 dist/txtorcon-0.16.1-py2-none-any.whl EOF thanks, meejah p.s. There is no 0.16.0 because I tagged the wrong thing and noticed when pushing to PyPI. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQEcBAEBAgAGBQJXx3TOAAoJEMJgKAMSgGmn7AEIAN5BQNqisxefMyKnHA8BCSZW UJpXPagnftg33HF2v4ZG/2yQUh8sYMqEn/OI99g8yA++bZmG9H0lJixg0zs6V2XV bX63zJ7d9lr+uu3D+crQNnmofcoUbLRX+Z7n5SWhgGtlsVqemIJton/cuedtnrXm 1E5VdjhxYIZ/2Qv0gTz7ZBYw0Hmkr24qwVufdblQHDov2SdM0kknInWqxFqVMLQd /p0+PTEF6SMdemHFkOJ73sCbINg6qLB4cErKaFY14U2cnS3Y1pZLhlEKFTzbd8TU SWtg1b9pn5s4Euq5ruYhNNIqVtQz/lrq0/ZQ+NKiLZ/L2rtw9xFY0nF1KhFTgLc= =IMj2 -----END PGP SIGNATURE----- ``` 2016-09-01T00:32:36+00:00 sigma v0.17.0 sigma v0.17.0 2016-10-04T21:50:00+00:00 ``` -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I'm pleased to announce txtorcon 0.17.0, largely to fix a bug with Unix-socket control-ports: * issue 187: fix unix-socket control endpoints * sometimes mapping streams to hostnames wasn't working properly * backwards-compatibility API for `socks_hostname` was incorrectly named You can download the release from PyPI or GitHub (or of course "pip install txtorcon"): https://pypi.python.org/pypi/txtorcon/0.17.0 https://github.com/meejah/txtorcon/releases/tag/v0.17.0 Releases are also available from the hidden service: http://timaq4ygg2iegci7.onion/txtorcon-0.17.0.tar.gz 
http://timaq4ygg2iegci7.onion/txtorcon-0.17.0.tar.gz.asc You can verify the sha256sum of both by running the following 4 lines in a shell wherever you have the files downloaded: cat <<EOF | sha256sum --check 5e321387ab56f22d184b18d91a60c30dd1f72575d9e32ff3614ef911bce49daa txtorcon-0.17.0.tar.gz e1da13cc43328e040335d091e2ef15717a2b836b48fbede31fc6a7e332b699b4 txtorcon-0.17.0-py2-none-any.whl EOF thanks, meejah -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQEcBAEBAgAGBQJX9B8gAAoJEMJgKAMSgGmnCLoH/jZNzTG4QRRKk54XkFCbSmBh Qg0YAmWVa4iFMkjidawyfZ8Cocje+yROMiuvH2VWNCcI809q96TB06caNJS0w5c3 I10i9N9xY2S13/yVzW/izW3HMPR+Sdi0Hod9UGTQ0F2Vpcs+g8bpPyKvMK+mPm+L P0QwyejOAO/FzTndA73T5o2bVKdR3NkK1EfY0FRTjQsD71UZlVJa4AK828v1EMi3 0oNXDny+H9xzJu/i03zFX3zSL1jb69KCxkLyUBIuj5Vg+3by8FwbBa1G3Ehcs70C RV6ew6WLa0Ty7fnUBy18Z3gFx9+4Ew/Eq/t7weVgRiW0VCAHwgOKx0D4wqSMeH8= =nyB6 -----END PGP SIGNATURE----- ``` 2016-10-04T21:50:00+00:00 sigma v0.18.0 sigma v0.18.0 2017-01-11T21:31:44+00:00 ``` -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 txtorcon 0.18.0 is released, improving error-reporting when you have SAFECOOKIE or COOKIE authentication turned on but can't read the file. 
* https://github.com/meejah/txtorcon/issues/200 You can download the release from PyPI or GitHub (or of course "pip install txtorcon"): https://pypi.python.org/pypi/txtorcon/0.18.0 https://github.com/meejah/txtorcon/releases/tag/v0.18.0 Releases are also available from the hidden service: http://timaq4ygg2iegci7.onion/txtorcon-0.18.0.tar.gz http://timaq4ygg2iegci7.onion/txtorcon-0.18.0.tar.gz.asc You can verify the sha256sum of both by running the following 4 lines in a shell wherever you have the files downloaded: cat <<EOF | sha256sum --check 12be80f1d5e2893378c6e8c752cf159479f868f8424e16b34b75cd679a0ab171 dist/txtorcon-0.18.0.tar.gz cffe063dbcedd9d344e88a572c0de39b0390562165a865efa27019260c2119f6 dist/txtorcon-0.18.0-py2-none-any.whl EOF thanks, meejah -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQEcBAEBAgAGBQJYdp4sAAoJEMJgKAMSgGmnxCIH/iiFJdYtbSnShAktDrwMuL6K tJN+AALrr6zIydjIVG4pNuGydoxqtmrpb/12xNn/c7noEWZpuuHd+hn/PRn+XNaA Gh+q4922VKs3ZCFYFClVAkZFtT5iug7EKnB6n0IKt4Z+rVAzRTCpHqgnCmmavHP1 s55jkYc+emC/jzGag22sD7HnPYHjkuKV+qy1Y6mF1//oD9FFhJUXvn5FVjf9cNb/ xta7HB3AMXp/8qdpURPJaJBjWOg1BxSVBngZXYiUJkkoOReOJU1ngDoU0J7VjQJq Uyi2ijwylUnK6/7qLLS8pwyX/UmWgV7NeQgIr00Shsm7Jv+zkk0QhXbnwJo8pRQ= =oJqn -----END PGP SIGNATURE----- ``` 2017-01-11T21:31:44+00:00 sigma v0.19.0 sigma v0.19.0 2017-04-21T06:27:19+00:00 ``` -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I'm very happy to release txtorcon 0.19.0. This merges most of the development that happened over the last several months on the release-1.x branch. Featuring: * Full Python3 support (and universal wheels) * Drop txsocksx and use a custom implementation (this also implements the custom Tor SOCKS5 methods RESOLVE and RESOLVE_PTR). Uses Automat for the state-machine. * Drop support for older Twisted releases (12, 13 and 14 are no longer supported). * Add a top-level API object (txtorcon.Tor) that abstracts a running Tor. Instances of this class are created with txtorcon.connect or txtorcon.launch. 
These instances are intended to be "the" high-level API and most users shouldn't need anything else. * Integrated support for twisted.web.client.Agent, baked into txtorcon.Tor. This allows simple, straightforward use of treq or "raw" twisted.web.client for making client-type Web requests via Tor. Automatically handles configuration of SOCKS ports. * new high-level API for putting streams on specific Circuits. This adds txtorcon.Circuit.stream_via and txtorcon.Circuit.web_agent methods that work the same as the "Tor" equivalent methods except they use a specific circuit. This makes txtorcon.TorState.set_attacher the "low-level" / "expert" interface. Most users should only need the new API. * big revamp / re-write of the documentation, including the new Programming Guide: https://txtorcon.readthedocs.io/en/latest/guide.html * Issue 203: https://github.com/meejah/txtorcon/issues/203 * new helper: txtorcon.Router.get_onionoo_details which downloads JSON for a particular relay from OnionOO * new helper: txtorcon.util.create_tbb_web_headers which returns headers resembling a recent Tor Browser suitable for use with Twisted or treq web agents. 
* Issue 72: https://github.com/meejah/txtorcon/issues/72 * Specific SocksError subclasses for all the available SOCKS5 errors added by https://github.com/felipedau * (more) Python3 fixes from https://github.com/rodrigc You can download the release from PyPI or GitHub (or of course "pip install txtorcon"): https://pypi.python.org/pypi/txtorcon/0.19.0 https://github.com/meejah/txtorcon/releases/tag/v0.19.0 Releases are also available from the hidden service: http://timaq4ygg2iegci7.onion/txtorcon-0.19.0.tar.gz http://timaq4ygg2iegci7.onion/txtorcon-0.19.0.tar.gz.asc You can verify the sha256sum of both by running the following 4 lines in a shell wherever you have the files downloaded: cat <<EOF | sha256sum --check 09d56fbd6e33eef7405c8ca354bbba06da2cefa02763d15c4bc9ac274c5daeeb dist/txtorcon-0.19.0.tar.gz cc51b4249ad126c31ea2746ec5ef1bcb7f6b0c34ced070913ed7772c0e48edf5 dist/txtorcon-0.19.0-py2.py3-none-any.whl EOF thanks, meejah -----BEGIN PGP SIGNATURE----- iQEcBAEBAgAGBQJY+ZjOAAoJEMJgKAMSgGmnadEH/R0YCoID3xTkbFL7mVhtqY2e p7sPcFT50jUGDASaER2YoQ4syzptnQcLid5/pCf+F2xMwCVgayqaipNXtugNHZIl 9cCOnI09+IntCFLkVXQqMGnEzSSzcM0Ln87Qa9MMjNNZM+aj2WshmFnObdqsWNRo tIhnuKgMDgqoO9OgiXCsUXFQeooDDidnrnJgl5U7AA0+13nIar+/q9vCxMtDqSV9 kfh5IkB4RaeJTzDtTMYQKKHTIltdn7o0LrCyp1QsMhX+iHU4xZVOi7etgFnACqsP S1u2LMT1FggvyEAzIwn45ADhKpuPBrR35N5C21vQklHVEb9nQxI9LXTHCi0Fv5g= =mGZj -----END PGP SIGNATURE----- ``` 2017-04-21T06:27:19+00:00 sigma v0.19.1 sigma v0.19.1 2017-04-27T05:36:26+00:00 ``` -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Unfortunately, there was a regression in launch_tor() in 0.19.0 which is fixed by releasing 0.19.1 You can download the release from PyPI or GitHub (or of course "pip install txtorcon"): https://pypi.python.org/pypi/txtorcon/0.19.1 https://github.com/meejah/txtorcon/releases/tag/v0.19.1 Releases are also available from the hidden service: http://timaq4ygg2iegci7.onion/txtorcon-0.19.1.tar.gz http://timaq4ygg2iegci7.onion/txtorcon-0.19.1.tar.gz.asc You can verify the 
sha256sum of both by running the following 4 lines in a shell wherever you have the files downloaded: cat <<EOF | sha256sum --check cfc390a37bba1cbd3cff0b86a8e9b7033df143d54ad7389305ba02848eafa198 txtorcon-0.19.1.tar.gz c2071f55239cb657469aeec06b8095b63bdaf4c3124c3438ff9107984d844c87 txtorcon-0.19.1-py2.py3-none-any.whl EOF thanks, meejah -----BEGIN PGP SIGNATURE----- iQEcBAEBAgAGBQJZAQWyAAoJEMJgKAMSgGmnJmEH/2ZS22CaggHR+LsNk87Ef6Fo Sp+fKnqZD+ZqANdZspyK4lBhU+gY7V6uIbsz9yVoa1XI6AE0losRGfSSy3Z2+Xwf sVShf+3qz7q37ERp2Kdgrko+ZdT9Nlel82s/O7a1nUamt9XtWqTb0QKePM4GnUEg TglE9sMnonhLu1TK2SuPgfjZAU7/502pYHi/xU0cWWWTxMW8OHH3jNwN/sEG3f3j /fDKURoisvfzvZ2AbE9eSE6OnNK0jeUC8lP66J8S27GQBM4ZvVy6HeuQtOVd/ur1 f6OlDSocmuiONrgvIieMrVfKXKhHz7JfbJ/yJ27uJnAKxJqDeJd71B95Dh03WwY= =meTs -----END PGP SIGNATURE----- ``` 2017-04-27T05:36:26+00:00 sigma v0.19.3 sigma v0.19.3 2017-05-24T07:19:28+00:00 ``` -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Fixing another regression, 0.19.3 causes txtorcon to (once again) correctly work with SocksPort lines containing unix socket options when used with txtorcon.connect(). Thas bug was introduced in 0.19.0 which reduced the number of GETINFO and GETCONF calls (to help filtering-proxies). 
You can download the release from PyPI or GitHub (or of course "pip install txtorcon"): https://pypi.python.org/pypi/txtorcon/0.19.3 https://github.com/meejah/txtorcon/releases/tag/v0.19.3 Releases are also available from the hidden service: http://timaq4ygg2iegci7.onion/txtorcon-0.19.3.tar.gz http://timaq4ygg2iegci7.onion/txtorcon-0.19.3.tar.gz.asc You can verify the sha256sum of both by running the following 4 lines in a shell wherever you have the files downloaded: cat <<EOF | sha256sum --check f73396667909a3c7a98f4dd865edf4ed6a2518ee5a935d92e18b8a479ec244fd txtorcon-0.19.3.tar.gz e0901f7743a43ed6389f0de31c1f547d89b32723a5ae9316d6cae9ad8eacdbea txtorcon-0.19.3-py2.py3-none-any.whl EOF thanks, meejah -----BEGIN PGP SIGNATURE----- iQEcBAEBAgAGBQJZJTJVAAoJEMJgKAMSgGmn5woIAIyFRa7NhSNm/zMMJE92jtgA C3UY55q3FF4VycC7K77EkaudHPMqlr9MA3EeGkx4NVu0KAX7lIT4GFCsZTlnOdXm rglZ7FFYh49KoAWSMGCMJ7LlauYUitXptynte3lWcqbvjGJkCqMd6WuXslTooSI2 68gq/aoTbXoHWNg1C6DtBhR0JqvN+Vq7ARHyqc4bDloh1LXAvEUwsbKvDtrpXTbe eRwMlKTKoUXhXjxO37NtoNSxT6HUFNcOFOYcLnWtBMPty9W90xY2wC1LbWwYymbY Pk97OUceSyoHxAGsBYjKCdTXEWB6TO5lmHE3+t48OqiYt4ELAWkJFUBf5d6Mnto= =ZRcE -----END PGP SIGNATURE----- ``` 2017-05-24T07:19:28+00:00 sigma v0.20.0 sigma v0.20.0 2018-02-23T00:29:44+00:00 ``` -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I'm very happy to release txtorcon 0.20.0. This includes a few minor new features and an important bug fix if you're using a Tor new enough to have all the *PortLines changes (anything after 0.3.0.6; see Tor issue #20956). 
Full list of changes: * doc fixes (from hotelzululima) * Issue 246: fix endpoints so .connect on them works properly more than once (from Brian Warner) * allow a CertificateOptions to be passed as tls= to endpoints * PR 252: add method txtorcon.Tor.is_ready * PR 252: add method txtorcon.Tor.become_ready * PR 253: fix handling of certain defaults (*PortLines and friends) * fix last router (usually) missing with (new) `MicroDescriptorParser` * use OnionOO via Onion service tgel7v4rpcllsrk2.onion for txtorcon.Router.get_onionoo_details * fix parsing of Router started-times * Issue 255: removed routers always deleted following NEWCONSENSUS * Issue 279: remember proxy endpoint if it was Deferred You can download the release from PyPI or GitHub (or of course "pip install txtorcon"): https://pypi.python.org/pypi/txtorcon/0.20.0 https://github.com/meejah/txtorcon/releases/tag/v0.20.0 Releases are also available from the hidden service: http://timaq4ygg2iegci7.onion/txtorcon-0.20.0.tar.gz http://timaq4ygg2iegci7.onion/txtorcon-0.20.0.tar.gz.asc You can verify the sha256sum of both by running the following 4 lines in a shell wherever you have the files downloaded: cat <<EOF | sha256sum --check dc80cb76b3ddacef6d671c0a088cb1a45274c0858554c32ce55d0f41421c740e txtorcon-0.20.0.tar.gz a957b3dc10f0b2b882ef6ad46d2932fa7731d5eeee6d52ba9d736d2bc4f1385f txtorcon-0.20.0-py2.py3-none-any.whl EOF thanks, meejah -----BEGIN PGP SIGNATURE----- iQEcBAEBAgAGBQJaj2AIAAoJEMJgKAMSgGmnnGUIANXkNIF8c98nwCa4Q9Xws3Hv 9zAJSWsDst/58lHka6bE5d1JWYz78fTubTC2ofOFH0MOkjeSyEtgTO58xlKY9wTC w7ohePwcV+md1wPOpciHVZMBVhqUhKGqNhMYehTXjcCEwppgXhiINgGFLaF0XSUM aJzY7laEvg2E/1p+gH0e4tkJuSVKVOK+5MWBali8YlOZY28R6w/X0Q0n8su1ntl2 bKsxpTrv+p8J+K7WvpeaXIuZnC/fRwVFZ0vtwzKtrTKimAE60yPfOi5hLUyW2PGx FkpH6B0bgl5FMiY+Y0PV8rP2DXikCibpwsipBh4AHpTYGSdMkSogjiRupkJxeeQ= =GsVt -----END PGP SIGNATURE----- ``` 2018-02-23T00:29:44+00:00 sigma v18.0.0 sigma v18.0.0 2018-06-26T03:39:18+00:00 I'm very pleased to announce txtorcon 18.0.0. 
This introduces a new Onion services API (including v3 support) and a bunch of other changes (including a new versioning scheme). Starting now, versioning is more Twisted-like: the first number is the year, the second is the "release in that year" and the minor number is for bug-fixes. No backwards-incompatible changes will occur without first being deprecated for at least one full release (this has been my practice anyway, so using "SemVer" no longer made sense). The documentation is updated with all the new Onion APIs, and a full list of changes follows: * await_all_uploads= option when creating Onions * properly re-map progress percentages (including descriptor uploads) * properly wait for all event-listeners during startup * re-work how TorState.event_map works, hopefully reducing reproducible-builds issues * TorControlProtocol.add_event_listener and TorControlProtocol.remove_event_listener are now async methods returning Deferred -- they always should have been; new code can now be assured that the event-listener change is known to Tor by awaiting this Deferred. * TorControlProtocol.get_conf_single method added, which gets and returns (asynchronously) a single GETCONF key (instead of a dict) * also TorControlProtocol.get_info_single similar to above * if Tor disconnects while a command is in-progress or pending, the .errback() for the corresponding Deferred is now correctly fired (with a TorDisconnectError) * tired: get_global_tor() (now deprecated) wired: txtorcon.get_global_tor_instance * Adds a comprehensive set of Onion Services APIs (for all six variations). For non-authenticated services, instances of IOnionService represent services; for authenticated services, instances of IAuthenticatedOnionClients encapsulated named lists of clients (each client is an instance implementing IOnionService). 
* Version 3 ("Proposition 279") Onion service support (same APIs) as released in latest Tor * Four new methods to handle creating endpoints for Onion services (either ephemeral or not and authenticated or not): * Tor.create_authenticated_onion_endpoint * Tor.create_authenticated_filesystem_onion_endpoint * Tor.create_onion_endpoint * Tor.create_filesystem_onion_endpoint * see create_onion for information on how to choose an appropriate type of Onion Service. * Tor.create_onion_service to add a new ephemeral Onion service to Tor. This uses the ADD_ONION command under the hood and can be version 2 or version 3. Note that there is an endpoint-style API as well so you don't have to worry about mapping ports yourself (see below). * Tor.create_filesystem_onion_service to add a new Onion service to Tor with configuration (private keys) stored in a provided directory. These can be version 2 or version 3 services. Note that there is an endpoint-style API as well so you don't have to worry about mapping ports yourself (see below). * Additional APIs to make visiting authenticated Onion services as a client easier: * Tor.add_onion_authentication will add a client-side Onion service authentication token. If you add a token for a service which already has a token, it is an error if they don't match. This corresponds to HidServAuth lines in torrc. * Tor.remove_onion_authentication will remove a previously added client-side Onion service authentication token. Fires with True if such a token existed and was removed or False if no existing token was found. * Tor.onion_authentication (Python3 only) an async context-manager that adds and removes an Onion authentication token (i.e. adds in on __aenter__ and removes it on __aexit__). Allows code like: * onion services support listening on Unix paths. 
* make sure README renders on Warehouse/PyPI

You can download the release from PyPI or GitHub (or of course "pip install txtorcon"):

https://pypi.python.org/pypi/txtorcon/18.0.0
https://github.com/meejah/txtorcon/releases/tag/v18.0.0

Releases are also available from the hidden service:

http://timaq4ygg2iegci7.onion/txtorcon-18.0.0.tar.gz
http://timaq4ygg2iegci7.onion/txtorcon-18.0.0.tar.gz.asc

...and now also available via a "version 3" service:

http://fjblvrw2jrxnhtg67qpbzi45r7ofojaoo3orzykesly2j3c2m3htapid.onion/txtorcon-18.0.0.tar.gz
http://fjblvrw2jrxnhtg67qpbzi45r7ofojaoo3orzykesly2j3c2m3htapid.onion/txtorcon-18.0.0.tar.gz.asc

You can verify the sha256sum of both by running the following 4 lines in a shell wherever you have the files downloaded:

```
cat <<EOF | sha256sum --check
818f6ec96a9d60cb4cb47d98f2c843c7a83004c25be07daafeb9eb9aaed74f7c  dist/txtorcon-18.0.0.tar.gz
d2f91a3770d7fd8c46372e5573bb23ab65c1be33f12e9ff4ac4af24e6f5f6069  dist/txtorcon-18.0.0-py2.py3-none-any.whl
EOF
```

thanks,
meejah

2018-06-26T03:39:18+00:00

## sigma v18.0.1 (2018-07-02T05:37:18+00:00)

Unfortunately there was a problem when parsing onion services on Python2, which is fixed by txtorcon 18.0.1.

You can download the release from PyPI or GitHub (or of course "pip install txtorcon"):

https://pypi.python.org/pypi/txtorcon/18.0.1
https://github.com/meejah/txtorcon/releases/tag/v18.0.1

Releases are also available from the hidden service:

http://timaq4ygg2iegci7.onion/txtorcon-18.0.1.tar.gz
http://timaq4ygg2iegci7.onion/txtorcon-18.0.1.tar.gz.asc

Or via a "version 3" service:

http://fjblvrw2jrxnhtg67qpbzi45r7ofojaoo3orzykesly2j3c2m3htapid.onion/txtorcon-18.0.1.tar.gz
http://fjblvrw2jrxnhtg67qpbzi45r7ofojaoo3orzykesly2j3c2m3htapid.onion/txtorcon-18.0.1.tar.gz.asc

You can verify the sha256sum of both by running the following 4 lines in a shell wherever you have the files downloaded:

```
cat <<EOF | sha256sum --check
4c158ee5cfc294a0e20c00dde2a146f04ebe6c6d1c3d7c164c0bd1c56e3d1bc6  dist/txtorcon-18.0.1.tar.gz
2c3f7c768bebf081d0742cdce023b4496bf3b44c423ed7f06bd8d6254e07273e  dist/txtorcon-18.0.1-py2.py3-none-any.whl
EOF
```

thanks,
meejah

## sigma v18.0.2 (2018-07-02T18:50:41+00:00)

Python3.4 doesn't support async-def or await, but the guards being used only accounted for Python2 -- this is fixed by txtorcon 18.0.2.

You can download the release from PyPI or GitHub (or of course "pip install txtorcon"):

https://pypi.python.org/pypi/txtorcon/18.0.2
https://github.com/meejah/txtorcon/releases/tag/v18.0.2

Releases are also available from the hidden service:

http://timaq4ygg2iegci7.onion/txtorcon-18.0.2.tar.gz
http://timaq4ygg2iegci7.onion/txtorcon-18.0.2.tar.gz.asc

Or via a "version 3" service:

http://fjblvrw2jrxnhtg67qpbzi45r7ofojaoo3orzykesly2j3c2m3htapid.onion/txtorcon-18.0.2.tar.gz
http://fjblvrw2jrxnhtg67qpbzi45r7ofojaoo3orzykesly2j3c2m3htapid.onion/txtorcon-18.0.2.tar.gz.asc

You can verify the sha256sum of both by running the following 4 lines in a shell wherever you have the files downloaded:

```
cat <<EOF | sha256sum --check
ce50fdd00abb8b490b72809a2c664684f67f3c9467f392642d36f58309395a87  dist/txtorcon-18.0.2.tar.gz
cb1a681e424744c50eefb02b7b777cce80a505da1e89ee4886fe62013afaf858  dist/txtorcon-18.0.2-py2.py3-none-any.whl
EOF
```

thanks,
meejah

## sigma v18.1.0 (2018-09-27T02:40:41+00:00)

I'm very pleased to announce txtorcon 18.1.0. This adds or fixes the following:

* better error-reporting (include REASON and REMOTE_REASON if available) when circuit-builds fail (thanks David Stainton)
* more-robust detection of "do we have Python3" (thanks Balint Reczey)
* fix parsing of Unix-sockets for SOCKS
* better handling of concurrent Web agent requests before SOCKS ports are known
* allow forwarding to ip:port pairs for Onion services when using the "list of 2-tuples" method of specifying the remote vs local connections.

You can download the release from PyPI or GitHub (or of course "pip install txtorcon"):

https://pypi.python.org/pypi/txtorcon/18.1.0
https://github.com/meejah/txtorcon/releases/tag/v18.1.0

Releases are also available from the hidden service:

http://timaq4ygg2iegci7.onion/txtorcon-18.1.0.tar.gz
http://timaq4ygg2iegci7.onion/txtorcon-18.1.0.tar.gz.asc

Or via a "version 3" service:

http://fjblvrw2jrxnhtg67qpbzi45r7ofojaoo3orzykesly2j3c2m3htapid.onion/txtorcon-18.1.0.tar.gz
http://fjblvrw2jrxnhtg67qpbzi45r7ofojaoo3orzykesly2j3c2m3htapid.onion/txtorcon-18.1.0.tar.gz.asc

You can verify the sha256sum of both by running the following 4 lines in a shell wherever you have the files downloaded:

```
cat <<EOF | sha256sum --check
b61cf175a5f1d4092609caf05d178fcdcabf513928eec98d38125c501afea43c  dist/txtorcon-18.1.0.tar.gz
98aba4a96c355c55ee5d8290b67a09380b02e1044fb2e76737f47f5a33659dce  dist/txtorcon-18.1.0-py2.py3-none-any.whl
EOF
```

thanks,
meejah

## sigma v18.2.0 (2018-10-05T00:15:53+00:00)

I'm glad to announce txtorcon 18.2.0. This adds or fixes the following:

* add `privateKeyFile=` option to endpoint parser (ticket 313)
* use `privateKey=` option properly in endpoint parser
* support `NonAnonymous` mode for `ADD_ONION` via `single_hop=` kwarg

You can download the release from PyPI or GitHub (or of course "pip install txtorcon"):

https://pypi.python.org/pypi/txtorcon/18.2.0
https://github.com/meejah/txtorcon/releases/tag/v18.2.0

Releases are also available from the hidden service:

http://timaq4ygg2iegci7.onion/txtorcon-18.2.0.tar.gz
http://timaq4ygg2iegci7.onion/txtorcon-18.2.0.tar.gz.asc

Or via a "version 3" service:

http://fjblvrw2jrxnhtg67qpbzi45r7ofojaoo3orzykesly2j3c2m3htapid.onion/txtorcon-18.2.0.tar.gz
http://fjblvrw2jrxnhtg67qpbzi45r7ofojaoo3orzykesly2j3c2m3htapid.onion/txtorcon-18.2.0.tar.gz.asc

You can verify the sha256sum of both by running the following 4 lines in a shell wherever you have the files downloaded:

```
cat <<EOF | sha256sum --check
b1714dfa633cb4097c9ea649c8c49657d9d22a990cc465bb904620428c5e684e  dist/txtorcon-18.2.0.tar.gz
9d05f2b1144dfbc63844e78fbc51a195e3b39a79f280db50a81b346476c47e7b  dist/txtorcon-18.2.0-py2.py3-none-any.whl
EOF
```

thanks,
meejah

## sigma v18.3.0 (2018-10-05T23:13:38+00:00)

Hot on the heels of 18.2.0 comes 18.3.0, because I forgot to add the "single_hop=" feature to endpoint-strings:

* add `singleHop={true,false}` for endpoint-strings as well

You can download the release from PyPI or GitHub (or of course "pip install txtorcon"):

https://pypi.python.org/pypi/txtorcon/18.3.0
https://github.com/meejah/txtorcon/releases/tag/v18.3.0

Releases are also available from the hidden service:

http://timaq4ygg2iegci7.onion/txtorcon-18.3.0.tar.gz
http://timaq4ygg2iegci7.onion/txtorcon-18.3.0.tar.gz.asc

Or via a "version 3" service:

http://fjblvrw2jrxnhtg67qpbzi45r7ofojaoo3orzykesly2j3c2m3htapid.onion/txtorcon-18.3.0.tar.gz
http://fjblvrw2jrxnhtg67qpbzi45r7ofojaoo3orzykesly2j3c2m3htapid.onion/txtorcon-18.3.0.tar.gz.asc

You can verify the sha256sum of both by running the following 4 lines in a shell wherever you have the files downloaded:

```
cat <<EOF | sha256sum --check
5601956b3a2452526cd1ea31662696a51ddbf8ed6452633ee464fc1ff275f8b0  dist/txtorcon-18.3.0.tar.gz
8edac3b6d9c633b9182b4e5a2ed3ac86953ed44b9ea230aac3e0708c30b73861  dist/txtorcon-18.3.0-py2.py3-none-any.whl
EOF
```

thanks,
meejah

## sigma v19.0.0 (2019-01-16T05:17:08+00:00)

I'm happy to announce txtorcon 19.0.0, containing the following changes:

* add TorControlProtocol.when_disconnected (will replace .on_disconnect)
* add detach= kwarg to Tor.create_onion_service
* add purpose= kwarg to TorState.build_circuit

You can download the release from PyPI or GitHub (or of course "pip install txtorcon"):

https://pypi.python.org/pypi/txtorcon/19.0.0
https://github.com/meejah/txtorcon/releases/tag/v19.0.0

Releases are also available from the hidden service:

http://timaq4ygg2iegci7.onion/txtorcon-19.0.0.tar.gz
http://timaq4ygg2iegci7.onion/txtorcon-19.0.0.tar.gz.asc

Or via a "version 3" service:

http://fjblvrw2jrxnhtg67qpbzi45r7ofojaoo3orzykesly2j3c2m3htapid.onion/txtorcon-19.0.0.tar.gz
http://fjblvrw2jrxnhtg67qpbzi45r7ofojaoo3orzykesly2j3c2m3htapid.onion/txtorcon-19.0.0.tar.gz.asc

You can verify the sha256sum of both by running the following 4 lines in a shell wherever you have the files downloaded:

```
cat <<EOF | sha256sum --check
3731b740653e3f551412744f1fcd7fa6f04aa9fa37c90dc6c9152e619886bf3b  txtorcon-19.0.0.tar.gz
196b7b5726e3c69a602071295368da9205c0cd1e26aba37536d3b8fb3b08ac9d  txtorcon-19.0.0-py2.py3-none-any.whl
EOF
```

thanks,
meejah

## sigma 0.14 (2019-11-29T15:22:34+00:00)

### Added

* `sigma-similarity` tool
* LimaCharlie backend
* Default configurations for some backends that are used if no configuration is passed
* Regular expression support for `es-dsl` backend (propagates to backends derived from this, like elastalert-dsl)
* Value modifiers:
  * `startswith`
  * `endswith`

### Changed

* Removal of line breaks in elastalert output
* Searches not bound to fields are restricted to keyword fields in `es-qs` backend
* Graylog backend now based on `es-qs` backend

### Fixed

* Removed `ProcessCommandLine` mapping for Windows Security EventID 4688 in generic process creation log source configuration

## sigma 0.13 (2019-11-29T23:36:51+00:00)

### Added

* Index mappings for Sumologic
* Malicious cmdlets in `wdatp`
* QRadar support for keyword searches
* QRadar mapping improvements
* QRadar field selection
* QRadar type regex modifier support
* Elasticsearch keyword field blacklisting with wildcards
* Added dateField configuration parameter in `xpack-watcher` backend
* Field mappings in configurations
* Field name mapping for conditional fields
* Value modifiers:
  * `utf16`
  * `utf16le`
  * `wide`
  * `utf16be`

### Changed

* Improved --backend-config help text

### Fixed

* Backend errors in `ala`
* Slash escaping within `es-dsl` wildcard queries
* QRadar backend config
* QRadar field name and value escaping and handling
* Elasticsearch wildcard detection pattern
* Aggregation on keyword field in `es-dsl` backend

## sigma 0.12.1 (2019-11-29T23:37:35+00:00)

### Fixed

* Missing build dependency

## sigma 0.12 (2019-11-29T23:41:24+00:00)

### Added

* Usage of `Channel` field in ELK Windows configuration
* Fields to mappings
* `xpack-watcher` actions index and webhook
* Config for Winlogbeat 7.x
* Value modifiers:
  * `contains`
  * `alt`
  * `base64`
  * `base64offset`
  * `re`
* Regular expression support with value modifier `re`

### Changed

* Warning/error messages
* Sumologic value cleaning
* Explicit OR for Elasticsearch query strings
* Listing of available configurations on missing configuration error

### Fixed

* Conditions in `es-dsl` backend
* Sumologic handling of null values
* Ignore timeframe detection keyword in all/any of conditions

## sigma 0.15.0 (2019-12-06T22:56:47+00:00)

### Added

* sigma-uuid tool for addition and check of Sigma rule identifiers
* Default configurations
* Restriction of compared rules in sigma-similarity
* Regular expression support in es-dsl backend
* LimaCharlie support for proxy rule category
* Source distribution for PyPI

### Changed

* Type errors are now ignored with -I

### Fixed

* Removed wrong mapping of CommandLine field mapping in THOR config

## sigma 0.16.0 (2020-02-25T21:30:52+00:00)

### Added

* Proxy field names to ECS mapping (ecs-proxy) configuration
* False positives metadata to LimaCharlie backend
* Additional aggregation capabilities for es-dsl backend
* Azure log analytics rule backend (ala-rule)
* SQL backend
* Splunk Zeek sourcetype mapping config
* sigma2attack script
* Carbon Black backend and configuration
* ArcSight ESM backend
* Elasticsearch detection rule backend

### Changed

* Kibana object id is now the Sigma rule id if available; otherwise the old naming scheme is used.
* sigma2misp: replacement of deprecated method usage
* Various configuration updates
* Extended ArcSight mapping

### Fixed

* Fixed aggregation queries for Elastalert backend
* Fixed aggregation queries for es-dsl backend
* Backend and configuration lists are sorted
* Escaping in ala backend

## sigma 0.17.0 (2020-06-12T23:28:53+00:00)

### Added

* LOGIQ backend (logiq)
* CarbonBlack backend (carbonblack) and field mappings
* Elasticsearch detection rule backend (es-rule)
* ee-outliers backend
* CrowdStrike backend (crowdstrike)
* Humio backend (humio)
* Aggregations in SQL backend
* SQLite backend (sqlite)
* AWS Cloudtrail ECS mappings
* Overrides
* Zeek configurations for various backends
* Case-insensitive matching for Elasticsearch
* ECS proxy mappings
* RuleName field mapping for Winlogbeat
* sigma2attack tool

### Changed

* Improved usage of keyword fields for Elasticsearch-based backends
* Splunk XML backend rule titles taken from the Sigma rule instead of the file name
* Moved backend option list to --help-backend
* Microsoft Defender ATP schema improvements

### Fixed

* Splunk XML rule name is now set to rule title
* Backend list deduplicated
* Wrong escaping of wildcard at end of value when startswith modifier is used
* Direct execution of tools on Windows systems by addition of script entry points

## sigma 0.18.1 (2020-08-25T22:10:35+00:00)

Note regarding version 0.18.1: release created for technical reasons (issues with extended README and PyPI), no real changes done to 0.18.0.
### Added

* C# backend
* STIX backend
* Options to xpack-watcher backend (action_throttle_period, mail_from acaw, mail_profile and other)
* More generic log sources
* Windows Defender log sources
* Generic DNS query log source
* AppLocker log source

### Changed

* Improved backend and configuration descriptions
* Microsoft Defender ATP mapping updated
* Improved handling of wildcards in Elastic backends

### Fixed

* Powershell backend: key name was incorrectly added into regular expression
* Grouping issue in Carbon Black backend
* Handling of default field mapping in case a field is referenced multiple times from a rule
* Code cleanup and various fixes
* Log source mappings in configurations
* Handling of conditional field mappings by Elastic backends

## sigma 0.19 (2021-02-28T20:44:55+00:00)

### Added

* New parameters for Elastic backends
* Various field mappings
* FireEye Helix backend
* Generic log source image_load
* Kibana NDJSON backend
* uberAgent ESA backend
* SumoLogic CSE backend

### Changed

* Updated mdatp backend fields
* QRadar query generation optimized
* MDATP: case insensitive search

### Fixed

* Fixed QRadar implementation to create valid AQL queries
* Nested conditions
* Various minor bug fixes

## sigma 0.19.1 (2021-02-28T20:52:15+00:00)

### Changed

* Added LGPL license to distribution

## sigma 0.20 (2021-08-13T22:35:30+00:00)

### Added

* Devo backend
* Fields selection added to SQL backend
* Linux/MacOS support for MDATP backend
* Output results as generic YAML/JSON
* Hash normalization option (hash_normalize) for Elasticsearch wildcard handling
* ALA AWS Cloudtrail and Azure mappings
* LogRhythm backend
* Splunk Data Models backend
* Further log sources used in open source Sigma ruleset
* CarbonBlack EDR backend
* Elastic EQL backend
* Additional conversion selection filters
* Filter negation
* Specify table in SQL backend
* Generic registry event log source
* Chronicle backend

### Changed

* Elastic Watcher backend populates name attribute instead of title
* One item list optimization
* Updated Winlogbeat mapping
* Generic mapping for Powershell backend

### Fixed

* Elastalert multi output file
* Fixed duplicate output in ElastAlert backend
* Escaping in Graylog backend
* es-rule ndjson output
* Various fixes of known bugs

## sigma 0.21 (2022-04-08T22:55:46+00:00)

### Added

* Azure Sentinel backend
* OpenSearch Monitor backend
* Hawk backend
* Datadog backend
* FortiSIEM backend
* Lacework agent data support
* Athena SQL backend
* Regex support in SQLite backend
* Additional field mappings

### Changed

* Log source refactoring

### Fixed

* Mapping fixes
* Various bugfixes
* Disabled problematic optimization

## sigma r2023-10-09 (2023-10-09T10:04:46+00:00)

### New Rules

- new: ADS Zone.Identifier Deleted
- new: ADS Zone.Identifier Deleted By Uncommon Application
- new: AWS Identity Center Identity Provider Change
- new: Access To .Reg/.Hive Files By Uncommon Application
- new: Activity From Anonymous IP Address
- new: AddinUtil.EXE Execution From Uncommon Directory
- new: Anomalous User Activity
- new: Application Terminated Via Wmic.EXE
- new: Atypical Travel
- new: Azure AD Account Credential Leaked
- new: Azure AD Threat Intelligence
- new: Browser Execution In Headless Mode
- new: CVE-2023-38331 Exploitation Attempt - Suspicious Double Extension File
- new: CVE-2023-38331 Exploitation Attempt - Suspicious WinRAR Child Process
- new: CVE-2023-40477 Potential Exploitation - .REV File Creation
- new: CVE-2023-40477 Potential Exploitation - WinRAR Application Crash
- new: Chromium Browser Headless Execution To Mockbin Like Site
- new: DMP/HDMP File Creation
- new: DarkGate User Created Via Net.EXE
- new: Disabling Multi Factor Authenication
- new: Diskshadow Child Process Spawned
- new: Diskshadow Script Mode - Execution From Potential Suspicious Location
- new: Diskshadow Script Mode - Uncommon Script Extension Execution
- new: ESXi Account Creation Via ESXCLI
- new: ESXi Admin Permission Assigned To Account Via ESXCLI
- new: ESXi Network Configuration Discovery Via ESXCLI
- new: ESXi Storage Information Discovery Via ESXCLI
- new: ESXi Syslog Configuration Change Via ESXCLI
- new: ESXi System Information Discovery Via ESXCLI
- new: ESXi VM Kill Via ESXCLI
- new: ESXi VM List Discovery Via ESXCLI
- new: ESXi VSAN Information Discovery Via ESXCLI
- new: Hypervisor Enforced Code Integrity Disabled
- new: IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols
- new: IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols Via CLI
- new: IcedID Malware Suspicious Single Digit DLL Execution Via Rundll32
- new: Impossible Travel
- new: Invalid PIM License
- new: LOL-Binary Copied From System Directory
- new: LSASS Dump Keyword In CommandLine
- new: Malicious Driver Load
- new: Malicious Driver Load By Name
- new: Malicious IP Address Sign-In Failure Rate
- new: Malicious IP Address Sign-In Suspicious
- new: Network Connection Initiated By AddinUtil.EXE
- new: New Country
- new: New Federated Domain Added
- new: Okta Identity Provider Created
- new: Okta New Admin Console Behaviours
- new: Okta Suspicious Activity Reported by End-user
- new: Okta User Session Start Via An Anonymising Proxy Service
- new: Old TLS1.0/TLS1.1 Protocol Version Enabled
- new: Password Spray Activity
- new: Potentially Suspicious Child Process Of DiskShadow.EXE
- new: Potentially Suspicious Child Process Of WinRAR.EXE
- new: Potentially Suspicious DMP/HDMP File Creation
- new: Potentially Suspicious Electron Application CommandLine
- new: Primary Refresh Token Access Attempt
- new: Remote Access Tool - ScreenConnect Command Execution
- new: Remote Access Tool - ScreenConnect File Transfer
- new: Remote Access Tool - ScreenConnect Remote Command Execution
- new: Remote Access Tool - ScreenConnect Temporary File
- new: Remote DLL Load Via Rundll32.EXE
- new: Renamed CURL.EXE Execution
- new: Roles Activated Too Frequently
- new: Roles Activation Doesn't Require MFA
- new: Roles Are Not Being Used
- new: Roles Assigned Outside PIM
- new: SAML Token Issuer Anomaly
- new: Sign-In From Malware Infected IP
- new: Stale Accounts In A Privileged Role
- new: Suspicious AddinUtil.EXE CommandLine Execution
- new: Suspicious Browser Activity
- new: Suspicious Inbox Forwarding Identity Protection
- new: Suspicious Inbox Manipulation Rules
- new: Too Many Global Admins
- new: Uncommon AddinUtil.EXE CommandLine Execution
- new: Uncommon Child Process Of AddinUtil.EXE
- new: Unfamiliar Sign-In Properties
- new: VMMap Signed Dbghelp.DLL Potential Sideloading
- new: Vulnerable Driver Load
- new: Vulnerable Driver Load By Name

### Updated Rules

- update: 7Zip Compressing Dump Files - Increase coverage
- update: 7Zip Compressing Dump Files - Reduce level
- update: Access To Browser Credential Files By Uncommon Application
- update: Access To Windows Credential History File By Uncommon Application
- update: Access To Windows DPAPI Master Keys By Uncommon Application
- update: Added some bypass methods used by SQLI Injectors.
- update: Amsi.DLL Loaded Via LOLBIN Process - Reduce level to `medium`
- update: COM Hijack via Sdclt - Fix Logic
- update: Copy .DMP/.DUMP Files From Remote Share Via Cmd.EXE - Increase coverage
- update: Creation of an Executable by an Executable - Fix FP
- update: Credential Manager Access By Uncommon Application
- update: DLL Load By System Process From Suspicious Locations - Reduce level to `medium`
- update: DNS Query Request By Regsvr32.EXE - Reduce level to `medium`
- update: DNS Query To MEGA Hosting Website - DNS Client - Update title and reduce level to `medium`
- update: DNS Query To MEGA Hosting Website - Reduce level to `low` and update metadata
- update: DNS Query To Remote Access Software Domain From Non-Browser App - Increase coverage with new domains
- update: DNS Query To Ufile.io - DNS Client - Update title and reduce level to `low`
- update: DNS Query To Ufile.io - Update title and reduce level to `low`
- update: DNS Query Tor .Onion Address - Sysmon - Update title
- update: DNS Server Discovery Via LDAP Query - Reduce level to `low` and update FP filters
- update: Detects path traversal exploitation attempts - Increase coverage
- update: Detects sql injection exploitation attempts - Increase coverage
- update: Diskshadow Script Mode Execution
- update: DriverQuery.EXE Execution - Increase coverage
- update: File Download From Browser Process Via Inline Link
- update: Fsutil Suspicious Invocation - add "setZeroData" coverage
- update: Greedy File Deletion Using Del - Increase coverage
- update: LOLBIN Execution From Abnormal Drive
- update: LSASS Memory Dump File Creation - Deprecated
- update: LSASS Process Memory Dump Files - Add `PPLBlade` default dump file indicator
- update: Leviathan Registry Key Activity - Fix logic
- update: Linux Network Service Scanning - Auditd - Update coverage to add `ncat` and `nc.openbsd`
- update: Network Connection Initiated By Regsvr32.EXE - Reduce level to `medium` and metadata update
- update: New Federated Domain Added - Exchange
- update: New Firewall Rule Added In Windows Firewall Exception List - update logic
- update: Non Interactive PowerShell Process Spawned - Increase coverage
- update: Ntdsutil Abuse - Update ATT&CK tags
- update: OceanLotus Registry Activity - Fix Logic
- update: Office Application Startup - Office Test - Fix Logic
- update: OneNote Attachment File Dropped In Suspicious Location - Fix FP
- update: Potential Browser Data Stealing - Increase coverage with more browsers
- update: Potential Dead Drop Resolvers - Increase coverage with new domains
- update: Potential Persistence Via COM Hijacking From Suspicious Locations - Increase coverage and fix logic
- update: Potential Persistence Via COM Search Order Hijacking - Fix Logic
- update: Potential Process Hollowing Activity - Update FP filters
- update: Potential Recon Activity Using DriverQuery.EXE - Increase coverage
- update: Potential Unquoted Service Path Reconnaissance Via Wmic.EXE - Reduce level to `medium`
- update: Potentially Suspicious Compression Tool Parameters
- update: Potentially Suspicious Event Viewer Child Process - Update metadata
- update: Potentially Suspicious Windows App Activity - Fix FP, increase coverage and reduce level
- update: PowerShell Initiated Network Connection - Update description
- update: PowerShell Module File Created By Non-PowerShell Process - Fix FP
- update: PsExec Tool Execution From Suspicious Locations - PipeName - Reduce level to `medium`
- update: Python Image Load By Non-Python Process - Update description and title
- update: Python Initiated Connection - Update FP filter
- update: Qakbot Uninstaller Execution - add new hashes
- update: Remote Thread Creation By Uncommon Source Image - Update FP filter
- update: Renamed AutoIt Execution - Increase coverage
- update: Rundll32 Execution Without CommandLine Parameters - Add CLI variations
- update: Suspicious Child Process Of Manage Engine ServiceDesk
- update: Suspicious Chromium Browser Instance Executed With Custom Extensions - Increase coverage
- update: Suspicious Copy From or To System Directory - Add new folder "WinSxS"
- update: Suspicious Electron Application Child Processes - Increase coverage
- update: Suspicious Scripting in a WMI Consumer - update logic
- update: Suspicious WebDav Client Execution Via Rundll32.EXE - New Title
- update: Sysinternals Tools AppX Versions Execution - Reduce level to `low`
- update: Sysmon Blocked Executable - Update logsource
- update: UAC Bypass via Event Viewer - Fix Logic
- update: UNC2452 Process Creation Patterns - Fix logic
- update: Usage Of Malicious POORTRY Signed Driver - Deprecated
- update: VMMap Unsigned Dbghelp.DLL Potential Sideloading
- update: Vulnerable AVAST Anti Rootkit Driver Load - Deprecated
- update: Vulnerable Dell BIOS Update Driver Load - Deprecated
- update: Vulnerable Driver Load By Name - Deprecated
- update: Vulnerable GIGABYTE Driver Load - Deprecated
- update: Vulnerable HW Driver Load - Deprecated
- update: Vulnerable Lenovo Driver Load - Deprecated
- update: WebDav Client Execution Via Rundll32.EXE
- update: Windows Update Error - Reduce level to `informational` and status to `stable`
- update: Winrar Compressing Dump Files - Increase Coverage
- update: Winrar Execution in Non-Standard Folder
- update: Wscript Execution from Non C Drive - Deprecated

### Fixed Rules

- fix: Disabling Multi Factor Authentication - Fix typo in title, description and detection logic
- fix: Files With System Process Name In Unsuspected Locations - FP with wuaucltcore
- fix: Generic Password Dumper Activity on LSASS - FP with GoogleUpdate.exe
- fix: Potential CVE-2023-36874 Exploitation - Fake Wermgr.Exe Creation - FP with $WinREAgent folder
- fix: Potential Dead Drop Resolvers - FP with chrome/FF being installed in appdata
- fix: Rundll32 Execution Without DLL File - FP with another zzzzInvokeManagedCustomActionOutOfProc MSI installer
- fix: Search-ms and WebDAV Suspicious Indicators in URL - use explicit CIDR notation for loopback
- fix: Suspicious Elevated System Shell
- fix: Suspicious Elevated System Shell - False positives during updates presumably
- fix: Suspicious Elevated System Shell - False positives from CompatTelRunner
- fix: Suspicious Elevated System Shell - update FP for improved script that causes a FP
- fix: Suspicious Epmap Connection - FP with unknown process
- fix: Suspicious Epmap Connection - Fix false positives found with null and empty values
- fix: Suspicious Shim Database Installation via Sdbinst.EXE - FP with being started as a background service
- fix: Suspicious Sysmon as Execution Parent - Add null value edge case

### Acknowledgement

Thanks to @alwashali, @cyb3rjy0t, @frack113, @gleeiamglo, @GtUGtHGtNDtEUaE, @kelnage, @kidrek, @MarkMorow, @Mladia, @nasbench, @Neo23x0, @phantinuss, @redteampanda-ng, @RobertSchull, @sanjay900, @securepeacock, @SILJAEUROPA, @ThureinOo, @tjgeorgen, @Uglybeard, @veramine, @wagga40, @WTFender for their contribution to this release.

### Which Sigma rule package should I use?

A detailed explanation can be found in the [Releases.md](Releases.md) file. If you are new to Sigma, we recommend starting with the "Core" ruleset.
## sigma r2023-10-23 (2023-10-23T09:54:16+00:00)

### New Rules

- new: BlueSky Ransomware Artefacts
- new: Certificate Use With No Strong Mapping
- new: DarkGate - Autoit3.EXE Execution Parameters
- new: DarkGate - Autoit3.EXE File Creation By Uncommon Process
- new: File Download From IP Based URL Via CertOC.EXE
- new: File Download From IP URL Via Curl.EXE
- new: HackTool - CoercedPotato Execution
- new: HackTool - CoercedPotato Named Pipe Creation
- new: LSASS Process Memory Dump Creation Via Taskmgr.EXE
- new: Lazarus APT DLL Sideloading Activity
- new: MSSQL Server Failed Logon
- new: MSSQL Server Failed Logon From External Network
- new: Mail Forwarding/Redirecting Activity In O365
- new: Potential CVE-2023-27363 Exploitation - HTA File Creation By FoxitPDFReader
- new: Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream
- new: Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream - CLI
- new: Potential Information Disclosure CVE-2023-43261 Exploitation - Proxy
- new: Potential Information Disclosure CVE-2023-43261 Exploitation - Web
- new: PowerShell Script Execution Policy Enabled
- new: Regsvr32.EXE Calling of DllRegisterServer Export Function Implicitly
- new: Rundll32.EXE Calling DllRegisterServer Export Function Explicitly

### Updated Rules

- update: ADSI-Cache File Creation By Uncommon Tool
- update: Alternate PowerShell Hosts Pipe
- update: Arbitrary File Download Via GfxDownloadWrapper.EXE
- update: DarkGate - User Created Via Net.EXE
- update: File Download via CertOC.EXE
- update: Files With System Process Name In Unsuspected Locations
- update: PSScriptPolicyTest Creation By Uncommon Process
- update: Potential PowerShell Execution Policy Tampering
- update: Potential Webshell Creation On Static Website - Increase coverage with new extensions.
- update: Potentially Suspicious Office Document Executed From Trusted Location - update: PowerShell Module File Created By Non-PowerShell Process - update: PowerShell Profile Modification - update: Remote Thread Creation By Uncommon Source Image - update: Remote Thread Creation In Uncommon Target Image - update: Renamed CURL.EXE Execution - Extended filter - update: Suspicious File Download From IP Via Curl.EXE - update: Suspicious LNK Double Extension File Created ### Fixed Rules - fix: Azure Active Directory Hybrid Health AD FS New Server - Update Logsource to align with the rest of the azure rules - fix: Azure Active Directory Hybrid Health AD FS Service Delete - Update Logsource to align with the rest of the azure rules - fix: Control Panel Items - FP with command line observed from taskhost.exe - fix: Direct Syscall of NtOpenProcess - FP with another Firefox process and removing drive letters - fix: Direct Syscall of NtOpenProcess - falsepositives meta data - fix: Execution of Suspicious File Type Extension - FP with OpenOffice - fix: Google Workspace Application Removed - Update logsource product field to `gcp` - fix: Google Workspace Granted Domain API Access - Update logsource product field to `gcp` - fix: Google Workspace MFA Disabled - Update logsource product field to `gcp` - fix: Google Workspace Role Modified or Deleted - Update logsource product field to `gcp` - fix: Google Workspace Role Privilege Deleted - Update logsource product field to `gcp` - fix: Google Workspace User Granted Admin Privileges - Update logsource product field to `gcp` - fix: Granting Of Permissions To An Account - Update Logsource to align with the rest of the azure rules - fix: Number Of Resource Creation Or Deployment Activities - Update Logsource to align with the rest of the azure rules - fix: Potential Shellcode Injection - remove System.ni.dll as there are multiple FPs with ntdll.dll - fix: Potentially Suspicious AccessMask Requested From LSASS - FP with Avira from 
Windows temp folder - fix: Rare Subscription-level Operations In Azure - Update Logsource to align with the rest of the azure rules - fix: Rundll32 Execution Without DLL File - remove non-essential ParentCommandLine dependency in filter - fix: Schtasks Creation Or Modification With SYSTEM Privileges - remove non-essential ParentImage dependency in filter - fix: Suspicious Elevated System Shell - FP with Avira update utility - fix: Suspicious Elevated System Shell - remove non-essential ParentImage dependency in filter - fix: Suspicious Shim Database Installation via Sdbinst.EXE - FP with another sdbinst execution by svchost - fix: Suspicious Sysmon as Execution Parent - add WERFaultSecure.exe as exception - fix: System File Execution Location Anomaly - add pwsh 7 preview path as exception ### Acknowledgement Thanks to @frack113, @netgrain, @cyb3rjy0t, @greg-workspace, @mbabinski, @nasbench, @Neo23x0, @phantinuss, @swachchhanda000, @ThureinOo, @br4dy5 for their contribution to this release ### Which Sigma rule package should I use? A detailed explanation can be found in the [Releases.md](Releases.md) file. If you are new to Sigma, we recommend starting with the "Core" ruleset. The [latest release package on GitHub](https://docs.github.com/en/repositories/releasing-projects-on-github/linking-to-releases#linking-to-the-latest-release) can always be found [here](https://github.com/SigmaHQ/sigma/releases/latest). 
## sigma r2023-11-06 (2023-11-06T16:30:26+00:00)

### New Rules

- new: AWS S3 Bucket Versioning Disable
- new: DNS Query To Devtunnels And VsCode Tunnels
- new: Diamond Sleet APT DLL Sideloading Indicators
- new: Diamond Sleet APT DNS Communication Indicators
- new: Diamond Sleet APT File Creation Indicators
- new: Diamond Sleet APT Process Activity Indicators
- new: Diamond Sleet APT Scheduled Task Creation
- new: Diamond Sleet APT Scheduled Task Creation - Registry
- new: Enable Remote Connection Between Anonymous Computer - AllowAnonymousCallback
- new: Exploitation Indicators Of CVE-2023-20198
- new: New Okta User Created
- new: Okta 2023 Breach Indicator Of Compromise
- new: Okta Admin Functions Access Through Proxy
- new: Okta Password Health Report Query
- new: Onyx Sleet APT File Creation Indicators
- new: Potential Pikabot C2 Activity - Suspicious Process Created By Rundll32.EXE
- new: Potential Pikabot Discovery Activity - Suspicious Process Created By Rundll32.EXE
- new: Potential Pikabot Hollowing Activity - Suspicious Process Created By Rundll32.EXE
- new: Renamed Visual Studio Code Tunnel Execution
- new: Renamed VsCode Code Tunnel Execution - File Indicator
- new: Security Tools Keyword Lookup Via Findstr.EXE
- new: Suspicious Unsigned Thor Scanner Execution
- new: Visual Studio Code Tunnel Execution
- new: Visual Studio Code Tunnel Remote File Creation
- new: Visual Studio Code Tunnel Service Installation
- new: Visual Studio Code Tunnel Shell Execution
- new: VsCode Code Tunnel Execution File Indicator

### Updated Rules

- update: Antivirus PrinterNightmare CVE-2021-34527 Exploit Detection
- update: Antivirus Relevant File Paths Alerts
- update: Csc.EXE Execution Form Potentially Suspicious Parent - add more MS Office tools, suspicious locations and filter known FPs
- update: Delete Volume Shadow Copies Via WMI With PowerShell
- update: Dump Ntds.dit To Suspicious Location
- update: Dynamic .NET Compilation Via Csc.EXE - add more suspicious locations
- update: HackTool - CrackMapExec - Fix logic
- update: Linux HackTool Execution - Increase coverage by adding more tools
- update: Linux Network Service Scanning Tools Execution - Increase coverage by adding more tools
- update: MSI Installation From Suspicious Locations
- update: Malware User Agent - Increase UAs coverage
- update: Netcat The Powershell Version
- update: Obfuscated IP Download Activity - increase coverage for more types of obfuscation and fix logic
- update: Obfuscated IP Via CLI - increase coverage for more types of obfuscation and fix logic
- update: Okta New Admin Console Behaviours - Field notation
- update: Port Forwarding Activity Via SSH.EXE - Increase coverage
- update: Potential Information Disclosure CVE-2023-43261 Exploitation - Proxy - Fix typo in rule title
- update: Potential Information Disclosure CVE-2023-43261 Exploitation - Web - Fix typo in rule title
- update: Potential Okta Password in AlternateID Field - Field notation
- update: Potential SPN Enumeration Via Setspn.EXE - Increase coverage by adding `/q` switch
- update: Potentially Suspicious Cabinet File Expansion - Increase coverage
- update: Potentially Suspicious Child Process Of VsCode
- update: PowerShell Called from an Executable Version Mismatch
- update: PowerShell Downgrade Attack - PowerShell
- update: PowerShell Profile Modification - Reduce rule level to medium
- update: Recon Command Output Piped To Findstr.EXE - Logic re-write
- update: Registry Persistence via Service in Safe Mode - Fix typo in title
- update: Remote PowerShell Session (PS Classic)
- update: Renamed Powershell Under Powershell Channel
- update: Security Software Discovery Via Powershell Script - Enhance logic, increase level to medium and demote to experimental
- update: Suspicious File Creation Activity From Fake Recycle.Bin Folder - Increase coverage
- update: Suspicious Non PowerShell WSMAN COM Provider
- update: Suspicious PowerShell Download
- update: Suspicious Process Execution From Fake Recycle.Bin Folder - Increase coverage
- update: Suspicious XOR Encoded PowerShell Command Line - PowerShell
- update: Tamper Windows Defender - PSClassic
- update: Uncommon PowerShell Hosts
- update: Use Get-NetTCPConnection
- update: Weak or Abused Passwords In CLI - Increase coverage
- update: Zip A Folder With PowerShell For Staging In Temp - PowerShell

### Fixed Rules

- fix: Creation of an Executable by an Executable
- fix: File or Folder Permissions Modifications
- fix: Import New Module Via PowerShell CommandLine
- fix: Potential Active Directory Reconnaissance/Enumeration Via LDAP - Update logsource
- fix: Potential System DLL Sideloading From Non System Locations
- fix: Process Terminated Via Taskkill
- fix: Suspicious Non-Browser Network Communication With Google API - Fix escaped wildcard issue and update modifiers
- fix: Suspicious Sysmon as Execution Parent - Typo and restructure
- fix: Uncommon PowerShell Hosts - Fix escaped wildcard issue

### Acknowledgement

Thanks to @citronninja, @EzLucky, @faisalusuf, @frack113, @fukusuket, @gs3cl, @nasbench, @netgrain, @phantinuss, @sifex, @sj-sec, @tjgeorgen, @ts-lbf, @Tuutaans, @wagga40, @X-Junior for their contribution to this release

### Which Sigma rule package should I use?

A detailed explanation can be found in the [Releases.md](Releases.md) file. If you are new to Sigma, we recommend starting with the "Core" ruleset. The [latest release package on GitHub](https://docs.github.com/en/repositories/releasing-projects-on-github/linking-to-releases#linking-to-the-latest-release) can always be found [here](https://github.com/SigmaHQ/sigma/releases/latest).
## sigma r2023-11-20 (2023-11-20T17:02:59+00:00)

### New Rules

- new: Arbitrary File Download Via IMEWDBLD.EXE
- new: Arbitrary File Download Via MSEDGE_PROXY.EXE
- new: Arbitrary File Download Via Squirrel.EXE - This is a split rule from "45239e6a-b035-4aaf-b339-8ad379fcb67e"
- new: CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Linux)
- new: CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Windows)
- new: CVE-2023-22518 Exploitation Attempt - Vulnerable Endpoint Connection (Proxy)
- new: CVE-2023-22518 Exploitation Attempt - Vulnerable Endpoint Connection (Webserver)
- new: CVE-2023-46747 Exploitation Activity - Proxy
- new: CVE-2023-46747 Exploitation Activity - Webserver
- new: DNS Query To Devtunnels Domain - Split rule based on b3e6418f-7c7a-4fad-993a-93b65027a9f1
- new: EventLog Query Requests By Builtin Utilities
- new: F5 BIG-IP iControl Rest API Command Execution - Proxy
- new: F5 BIG-IP iControl Rest API Command Execution - Webserver
- new: Insenstive Subfolder Search Via Findstr.EXE
- new: Lace Tempest Cobalt Strike Download
- new: Lace Tempest File Indicators
- new: Lace Tempest Malware Loader Execution
- new: Lace Tempest PowerShell Evidence Eraser
- new: Lace Tempest PowerShell Launcher
- new: Msxsl.EXE Execution
- new: Network Connection Initiated To DevTunnels Domain
- new: Network Connection Initiated To Visual Studio Code Tunnels Domain
- new: Potential Excel.EXE DCOM Lateral Movement Via ActivateMicrosoftApp
- new: Potential File Download Via MS-AppInstaller Protocol Handler
- new: Remote File Download Via Findstr.EXE
- new: Remote XSL Execution Via Msxsl.EXE
- new: Windows Defender Exclusion Deleted
- new: Windows Defender Exclusion List Modified
- new: Windows Defender Exclusion Reigstry Key - Write Access Requested

### Updated Rules

- update: APT User Agent - adding user agent associated with PlugX backdoor.
- update: AppX Package Installation Attempts Via AppInstaller.EXE - Update description and title
- update: Arbitrary File Download Via MSOHTMED.EXE - Update title
- update: Arbitrary File Download Via PresentationHost.EXE - Update title
- update: Communication To Ngrok Domains - Additional ngrok domains
- update: DNS Query To Visual Studio Code Tunnels Domain - Update the rule to only focus on DNS requests from Vscode tunnels and move the Devtunnels logic to another rule, to ease FP management for users that leverage one but not the other.
- update: Disable Internal Tools or Feature in Registry - Increase coverage by adding 2 new values, namely `NoDispCPL` and `NoDispBackground`
- update: EVTX Created In Uncommon Location - Enhance filters to cover drives other than "C:"
- update: File Download And Execution Via IEExec.EXE - Update title and description
- update: File Download From Browser Process Via Inline URL - Enhance accuracy by using the "endswith" modifier and increase coverage by adding new extensions to the list
- update: File Download Using ProtocolHandler.exe - Update logic by removing the unnecessary "selection_cli_1"
- update: File Download Via InstallUtil.EXE - Update title and description
- update: File Download Via Windows Defender MpCmpRun.EXE - Update metadata information and add additional fields to the image selection
- update: Findstr GPP Passwords - Add "find.exe" binary to increase coverage
- update: Findstr Launching .lnk File - Add "find.exe" binary to increase coverage
- update: ISO Image Mounted - Update title and add new filter
- update: LSASS Process Reconnaissance Via Findstr.EXE - Add "find.exe" binary to increase coverage
- update: Network Connection Initiated By IMEWDBLD.EXE - Update description and title
- update: Non-DLL Extension File Renamed With DLL Extension - Update title and logic
- update: Office Application Startup - Office Test - Add missing `contains` modifier
- update: Permission Misconfiguration Reconnaissance Via Findstr.EXE - Add "find.exe" binary to increase coverage
- update: Potential AD User Enumeration From Non-Machine Account - Apply additional filters to only look for Access Masks with "READ PROPERTY" values
- update: Potential NT API Stub Patching - Enhance the selection coverage by removing the "C:" prefix to cover other installation possibilities
- update: Potentially Suspicious Electron Application CommandLine - Add "msedge_proxy.exe" to list of processes
- update: Potentially Suspicious EventLog Recon Activity Using Log Query Utilities - Enhanced logic from simply covering wevtutil to covering other tools and conditions.
- update: Potentially Suspicious Wuauclt Network Connection - Change the logic to use the "CommandLine" field in order to avoid false positives
- update: Process Proxy Execution Via Squirrel.EXE - Moved the logic that covers the "download" aspect into a new rule "1e75c1cc-c5d4-42aa-ac3d-91b0b68b3b4c"
- update: Proxy Execution Via Wuauclt.EXE - Update title and enhance filters
- update: Recon Command Output Piped To Findstr.EXE - Add "find.exe" binary to increase coverage
- update: Remote Thread Creation Via PowerShell - Update selection to use endswith modifier for better coverage
- update: Remote Thread Creation Via PowerShell In Potentially Suspicious Target - Update title and add "regsvr32" as an additional process to increase coverage
- update: Renamed Office Binary Execution - Add new binaries and filters to increase coverage and tune FPs
- update: Security Tools Keyword Lookup Via Findstr.EXE - Add "find.exe" binary to increase coverage
- update: Suspicious Appended Extension - Enhance list of extensions
- update: Suspicious Calculator Usage - Update filter to remove the "C:" prefix, which increases coverage of other partitions
- update: Suspicious Processes Spawned by Java.EXE - Enhance process coverage by adding new processes and removing unrelated ones
- update: Suspicious Whoami.EXE Execution - Enhance the selection by using a `*` wildcard to account for the order and avoid FPs
- update: Sysmon Discovery Via Default Driver Altitude Using Findstr.EXE - Add "find.exe" binary to increase coverage
- update: Uncommon Child Process Of Appvlp.EXE - Update description and title, and enhance false positive filters
- update: WMI Module Loaded By Non Uncommon Process - Enhance selection by making the System folders filter use a "contains" instead of an exact match
- update: Webshell Detection With Command Line Keywords - Enhance process coverage by adding new processes and removing unrelated ones
- update: XBAP Execution From Uncommon Locations Via PresentationHost.EXE - Update title and description
- update: XSL Script Execution Via WMIC.EXE - Removed the selection that covers "Msxsl" and moved it to a separate rule "9e50a8b3-dd05-4eb8-9153-bdb6b79d50b0"
- update: smbexec.py Service Installation - align with new smbexec release

### Removed / Deprecated Rules

- remove: Abusing Findstr for Defense Evasion - Deprecated in favour of 2 split rules: 587254ee-a24b-4335-b3cd-065c0f1f4baa and 04936b66-3915-43ad-a8e5-809eadfd1141
- remove: Windows Update Client LOLBIN - Deprecated in favour of 52d097e2-063e-4c9c-8fbb-855c8948d135

### Fixed Rules

- fix: Bad Opsec Defaults Sacrificial Processes With Improper Arguments - Add FP filter for chrome installer spawning rundll32 without arguments
- fix: Bad Opsec Defaults Sacrificial Processes With Improper Arguments - Enhance filter to account for an FP found with MS edge
- fix: Execute Code with Pester.bat - Fix a non-escaped `?` wildcard
- fix: Files With System Process Name In Unsuspected Locations - Enhance filter to cover other folder variations for windows recovery
- fix: Portable Gpg.EXE Execution - Add new legitimate location for GnuPG
- fix: Remote Thread Creation By Uncommon Source Image - Enhance filters to avoid false positives
- fix: Rundll32 Execution Without DLL File - remove command line restriction because of numerous FPs
- fix: Suspicious Process By Web Server Process - Remove erroneous extra asterisk
- fix: Suspicious Shim Database Installation via Sdbinst.EXE - Add "null" and "empty" filters to account for cases where the CLI is null or empty
- fix: Suspicious WmiPrvSE Child Process - Add a filter for the msiexec image used to install new MSI packages via the WMI process
- fix: Uncommon Userinit Child Process - Add the citrix process cmstart to the filtered processes and make it more strict to avoid abuse. Also enhances the other filters by removing the C: notation.

### Acknowledgement

Thanks to @AaronS97, @alwashali, @celalettin-turgut, @CrimpSec, @deFr0ggy, @frack113, @fukusuket, @longmdx, @lsoumille, @mezzofix, @michaelpeacock, @mtnmunuklu, @nasbench, @Neo23x0, @netgrain, @phantinuss, @qasimqlf, @rkmbaxed, @swachchhanda000, @ThureinOo, @vj-codes, @YamatoSecurity for their contribution to this release

### Which Sigma rule package should I use?

A detailed explanation can be found in the [Releases.md](Releases.md) file. If you are new to Sigma, we recommend starting with the "Core" ruleset. The [latest release package on GitHub](https://docs.github.com/en/repositories/releasing-projects-on-github/linking-to-releases#linking-to-the-latest-release) can always be found [here](https://github.com/SigmaHQ/sigma/releases/latest).
## sigma r2023-12-04 (2023-12-04T16:59:46+00:00)

### New Rules

- new: CVE-2023-4966 Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Proxy
- new: CVE-2023-4966 Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Webserver
- new: CVE-2023-4966 Potential Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Proxy
- new: CVE-2023-4966 Potential Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Webserver
- new: Chromium Browser Instance Executed With Custom Extension
- new: Credential Dumping Activity By Python Based Tool
- new: Exploitation Attempt Of CVE-2023-46214 Using Public POC Code
- new: HackTool - Generic Process Access
- new: HackTool - WinPwn Execution
- new: HackTool - WinPwn Execution - ScriptBlock
- new: Invocation Of Crypto-Classes From The "Cryptography" PowerShell Namespace
- new: Load Of RstrtMgr DLL From Suspicious Process
- new: Load Of RstrtMgr.DLL By An Uncommon Process
- new: New Netsh Helper DLL Registered From A Suspicious Location
- new: Potential CVE-2023-46214 Exploitation Attempt
- new: Potential Linux Process Code Injection Via DD Utility
- new: Potential Persistence Via Netsh Helper DLL - Registry
- new: Registry Set With Crypto-Classes From The "Cryptography" PowerShell Namespace
- new: Suspicious Path In Keyboard Layout IME File Registry Value
- new: Uncommon Extension In Keyboard Layout IME File Registry Value
- new: Wusa.EXE Executed By Parent Process Located In Suspicious Location

### Updated Rules

- update: Credential Dumping Activity Via Lsass - Update selection to increase coverage and filters to tune false positives
- update: Credential Dumping Attempt Via WerFault - Update title
- update: Enabling COR Profiler Environment Variables - Add additional values to increase coverage for potential COR CLR profiler abuse
- update: Exchange Exploitation Used by HAFNIUM - Add related ATT&CK group tag
- update: Function Call From Undocumented COM Interface EditionUpgradeManager - Reduce level to medium
- update: HackTool - CobaltStrike BOF Injection Pattern - Update title
- update: HackTool - HandleKatz Duplicating LSASS Handle - Update title
- update: HackTool - LittleCorporal Generated Maldoc Injection - Update title
- update: HackTool - SysmonEnte Execution - Add additional location of Sysmon, update title and filters
- update: HackTool - winPEAS Execution - Add additional image names for winPEAS
- update: LSASS Access From Potentially White-Listed Processes - Update title and description
- update: LSASS Access From Program In Potentially Suspicious Folder - Update filters to take into account drives other than C:
- update: LSASS Memory Access by Tool With Dump Keyword In Name - Update title and description
- update: Lsass Memory Dump via Comsvcs DLL - Reduce level and remove path from filter to account for any location of rundll32
- update: Malware Shellcode in Verclsid Target Process - Move to hunting folder
- update: Potential Credential Dumping Attempt Via PowerShell - Reduce level to medium, update description and move to hunting folder
- update: Potential Defense Evasion Via Raw Disk Access By Uncommon Tools - Update filters and metadata
- update: Potential Operation Triangulation C2 Beaconing Activity - DNS - Add related ATT&CK group tag
- update: Potential Persistence Via Netsh Helper DLL - Reduced severity and enhanced metadata information
- update: Potential Process Hollowing Activity - Update FP filter
- update: Potential Shellcode Injection - Update title and enhance false positive filter
- update: Potentially Suspicious GrantedAccess Flags On LSASS
- update: Remote LSASS Process Access Through Windows Remote Management - Update title, description and filter to account for installations other than C:
- update: Suspicious Chromium Browser Instance Executed With Custom Extension - Fix typo in the rule title and description
- update: Suspicious DNS Query for IP Lookup Service APIs - add several external IP lookup services to existing list
- update: Suspicious Network Connection to IP Lookup Service APIs - add several external IP lookup services to existing list
- update: Suspicious Svchost Process Access - Enhance filter to account for installation in non C: locations
- update: Uncommon GrantedAccess Flags On LSASS - Enhance false positive filter
- update: Wusa.EXE Extracting Cab Files From Suspicious Paths - Tune the list of paths to be less FP prone

### Removed / Deprecated Rules

- remove: Credential Dumping Tools Accessing LSASS Memory

### Fixed Rules

- fix: File or Folder Permissions Modifications - FPs with partial paths
- fix: Import New Module Via PowerShell CommandLine - Fix typo in condition
- fix: Mint Sandstorm - Log4J Wstomcat Process Execution - Add missing filter
- fix: Potential NT API Stub Patching - Tune FP filter
- fix: WMI Module Loaded By Non Uncommon Process - Fix typo in the rule filter

### Acknowledgement

Thanks to @0x616c6578, @AaronHoffmannRL, @bohops, @EzLucky, @frack113, @himynamesdave, @joshnck, @nasbench, @netgrain, @phantinuss, @qasimqlf, @skaynum, @StevenD33, @swachchhanda000, @ts-lbf, @X-Junior for their contribution to this release

### Which Sigma rule package should I use?

A detailed explanation can be found in the [Releases.md](Releases.md) file. If you are new to Sigma, we recommend starting with the "Core" ruleset. The [latest release package on GitHub](https://docs.github.com/en/repositories/releasing-projects-on-github/linking-to-releases#linking-to-the-latest-release) can always be found [here](https://github.com/SigmaHQ/sigma/releases/latest).
2023-12-04T16:59:46+00:00 sigma r2023-12-21 sigma r2023-12-21 2023-12-21T20:12:34+00:00 ### New Rules - new: Access To Potentially Sensitive Sysvol Files By Uncommon Application - new: Access To Sysvol Policies Share By Uncommon Process - new: Cloudflared Portable Execution - new: Cloudflared Quick Tunnel Execution - new: Cloudflared Tunnels Related DNS Requests - new: Communication To Uncommon Destination Ports - new: Compressed File Creation Via Tar.EXE - new: Compressed File Extraction Via Tar.EXE - new: DLL Names Used By SVR For GraphicalProton Backdoor - new: Enable LM Hash Storage - new: Enable LM Hash Storage - ProcCreation - new: Potential Base64 Decoded From Images - new: Potentially Suspicious Desktop Background Change Using Reg.EXE - new: Potentially Suspicious Desktop Background Change Via Registry - new: Potentially Suspicious Execution Of Regasm/Regsvcs With Uncommon Extension - new: Renamed Cloudflared.EXE Execution - new: Scheduled Tasks Names Used By SVR For GraphicalProton Backdoor - new: Scheduled Tasks Names Used By SVR For GraphicalProton Backdoor - Task Scheduler - new: System Information Discovery Using Ioreg - new: System Information Discovery Using sw_vers - new: System Information Discovery Via Wmic.EXE ### Updated Rules - update: ADFS Database Named Pipe Connection By Uncommon Tool - Enhance coverage by improving paths selection - update: Access To Browser Credential Files By Uncommon Application - Increase level to medium and enhance filters and selections - update: Account Created And Deleted By Non Approved Users - Add missing `expand` modifier - update: Add Potential Suspicious New Download Source To Winget - Reduce level to medium - update: Authentication Occuring Outside Normal Business Hours - Add missing `expand` modifier - update: Cloudflared Tunnel Connections Cleanup - Enhanced CLI flag selection to remove the unnecessary double dash - update: Cloudflared Tunnel Execution - Enhanced CLI flag selection to remove the unnecessary 
double dash - update: CodeIntegrity - Unmet Signing Level Requirements By File Under Validation - Reduce level to low - update: Compress-Archive Cmdlet Execution - Reudced Level to low and moved to Threat Hunting folder. - update: Copy From Or To Admin Share Or Sysvol Folder - Enhance selection to be more accurate - update: Disabled Volume Snapshots - Update logic by removing the reg string to also account for potential renamed executions - update: Eventlog Cleared - Update FP filter to remove "Application" log and increase coverage - update: Failed Code Integrity Checks - Reduce level to informational - update: Folder Compress To Potentially Suspicious Output Via Compress-Archive Cmdlet - Update logic to be more specific - update: HH.EXE Execution - Reduce level to low - update: Interactive Logon to Server Systems - Add missing `expand` modifier - update: Locked Workstation - Reduce level to informational - update: Malicious Driver Load By Name - Increase coverage based on LOLDrivers data - update: Malware User Agent - update: Meterpreter or Cobalt Strike Getsystem Service Installation - Security - Reduce level to high and restructure selections - update: Meterpreter or Cobalt Strike Getsystem Service Installation - System - Reduce level to high and restructure selections - update: PUA - Nmap/Zenmap Execution - Reduce level to medium - update: PUA - Process Hacker Execution - Reduce level to medium - update: PUA - Radmin Viewer Utility Execution - Reduce level to medium - update: Potential Credential Dumping Activity Via LSASS - Reduce level to medium and comment out noisy access masks - update: Potential Pass the Hash Activity - Add missing `expand` modifier - update: Potential PowerShell Execution Policy Tampering - Remove "RemoteSigned" as it doesn't fit with the current logic - update: Potential Recon Activity Via Nltest.EXE - Add dnsgetdc coverage and enhance logic by removing / - update: Potential System DLL Sideloading From Non System Locations - Enhance 
logic by removing hardcoded C: value to account for other potential system locations - update: Potential Zerologon (CVE-2020-1472) Exploitation - Add missing `expand` modifier - update: Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location - Reduce level to medium and update logic - update: Potentially Suspicious Malware Callback Communication - Increase coverage by adding new additional ports - update: PowerShell Execution With Potential Decryption Capabilities - update: Privilege Role Elevation Not Occuring on SAW or PAW - Add missing `expand` modifier - update: Privilege Role Sign-In Outside Expected Controls - Add missing `expand` modifier - update: Privilege Role Sign-In Outside Of Normal Hours - Add missing `expand` modifier - update: Remote Registry Management Using Reg Utility - Add missing `expand` modifier - update: RestrictedAdminMode Registry Value Tampering - ProcCreation - Update logic the logic to not care about the data. As this registry value has use cases either be it "0" or "1" - update: RestrictedAdminMode Registry Value Tampering - Update logic the logic to not care about the data. 
As this registry value has legitimate use cases whether it is set to "0" or "1"
- update: Rundll32 Execution With Uncommon DLL Extension - Enhance DLL extension list
- update: LSASS Access From Non System Account - Reduce level to medium and enhance false positive filters
- update: Suspicious Executable File Creation - Enhance coverage by removing the hardcoded "C:" drive
- update: Suspicious Program Location with Network Connections - Increase accuracy by anchoring the selection to the start of the folder path and partition
- update: Suspicious Schtasks From Env Var Folder - Reduce level to medium
- update: Suspicious Shim Database Patching Activity - Add new processes to increase coverage
- update: Uncommon Extension Shim Database Installation Via Sdbinst.EXE - Reduce level to medium
- update: Uncommon System Information Discovery Via Wmic.EXE - Updated the logic to focus on a more specific WMIC query sequence so the level could be raised, and added a related rule to cover the gaps left in d85ecdd7-b855-4e6e-af59-d9c78b5b861e
- update: WMI Event Consumer Created Named Pipe - Reduce level to medium
- update: Whoami Utility Execution - Reduce level to low
- update: Whoami.EXE Execution With Output Option - Reduce level to medium
- update: Windows Defender Malware Detection History Deletion - Reduce level to informational
- update: Write Protect For Storage Disabled - Update logic by removing the `reg` string so that renamed executions are also covered
- update: Zip A Folder With PowerShell For Staging In Temp - PowerShell - Update logic to be more specific
- update: Zip A Folder With PowerShell For Staging In Temp - PowerShell Module - Update logic to be more specific
- update: Zip A Folder With PowerShell For Staging In Temp - PowerShell Script - Update logic to be more specific

### Removed / Deprecated Rules

- remove: Credential Dumping Tools Service Execution
- remove: New Service Uses Double Ampersand in Path
- remove: PowerShell Scripts Run by a Services
- remove: Powershell File and Directory Discovery
- remove: Security Event Log Cleared
- remove: Suspicious Get-WmiObject
- remove: Windows Defender Threat Detection Disabled

### Fixed Rules

- fix: Access To Windows Credential History File By Uncommon Application - Enhance FP filters
- fix: Access To Windows DPAPI Master Keys By Uncommon Application - Enhance FP filters
- fix: Amsi.DLL Load By Uncommon Process - Moved to the threat hunting folder and updated the false positive filters to remove the hardcoded "C:"
- fix: Bad Opsec Defaults Sacrificial Processes With Improper Arguments - Typo in condition
- fix: Credential Manager Access By Uncommon Application - Enhance FP filters
- fix: Elevated System Shell Spawned From Uncommon Parent Location - Enhance FP filters
- fix: Execution of Suspicious File Type Extension - Add new extensions to reduce FP
- fix: HackTool - EfsPotato Named Pipe Creation - Add exclusion for pipe names starting with `\pipe\`
- fix: Important Windows Eventlog Cleared - Update selection to remove the "Application" log, which was generating a lot of FP in some environments
- fix: Malicious PowerShell Commandlets - ScriptBlock - Remove part of the selection because generic cmdlet names were producing FP matches
- fix: PSScriptPolicyTest Creation By Uncommon Process - Add new filter for "sdiagnhost"
- fix: Potential Direct Syscall of NtOpenProcess - Add "Adobe" filter
- fix: Potential Shim Database Persistence via Sdbinst.EXE - Update FP filter for the "iisexpressshim" sdb
- fix: Potentially Suspicious AccessMask Requested From LSASS - Add new FP filter for the "procmon" process
- fix: PowerView PowerShell Cmdlets - ScriptBlock - Remove part of the selection because generic cmdlet names were producing FP matches
- fix: Relevant Anti-Virus Signature Keywords In Application Log - Update false positive filters
- fix: Remote Access Tool Services Have Been Installed - Security - Fix typo in field name
- fix: Suspicious Command Patterns In Scheduled Task Creation - Fix error in modifier usage
- fix: Suspicious File Creation Activity From Fake Recycle.Bin Folder - Remove `RECYCLE.BIN\`, which was added by mistake and is a legitimate location
- fix: Suspicious Office Outbound Connections - Enhanced the filter by adding ports that caused FP with SMTP and IMAP communications
- fix: Suspicious SYSTEM User Process Creation - Add additional filters covering both Program Files folders for FP with Java processes
- fix: Uncommon Child Process Of Conhost.EXE - Add new FP filters
- fix: Uncommon File Created In Office Startup Folder - Add new extension to filter out FP generated by MS Access databases
- fix: Uncommon PowerShell Hosts - Moved to the threat hunting folder and updated the false positive filter list
- fix: Unusual Parent Process For Cmd.EXE - Fix typo in `wermgr` process name
- fix: Use Of Remove-Item to Delete File - ScriptBlock - Moved to the threat hunting folder and updated the logic to be more accurate
- fix: User with Privileges Logon - Moved to placeholder rules and updated the FP filter to account for different workstations
- fix: WMI Module Loaded By Uncommon Process - Moved to the threat hunting folder and restructured the false positive filters
- fix: Windows Event Auditing Disabled - Enhance the list of false positive filters with an additional GUID
- fix: LSASS Access From Program In Potentially Suspicious Folder - Filter out the Webex binary

### Acknowledgement

Thanks to @AaronS97, @AdmU3, @Blackmore-Robert, @celalettin-turgut, @frack113, @GtUGtHGtNDtEUaE, @jstnk9, @mcdave2k1, @mostafa, @nasbench, @phantinuss, @qasimqlf, @ruppde, @slincoln-aiq, @ssnkhan, @swachchhanda000, @tr0mb1r, @X-Junior for their contribution to this release

### Which Sigma rule package should I use?

A detailed explanation can be found in the [Releases.md](Releases.md) file. If you are new to Sigma, we recommend starting with the "Core" ruleset.
The [latest release package on GitHub](https://docs.github.com/en/repositories/releasing-projects-on-github/linking-to-releases#linking-to-the-latest-release) can always be found [here](https://github.com/SigmaHQ/sigma/releases/latest).

2023-12-21T20:12:34+00:00

sigma r2024-01-15 2024-01-15T18:31:01+00:00

### New Rules

- new: Binary Proxy Execution Via Dotnet-Trace.EXE
- new: Forfiles.EXE Child Process Masquerading
- new: GCP Access Policy Deleted
- new: GCP Break-glass Container Workload Deployed
- new: Google Workspace Application Access Levels Modified
- new: HackTool - EDRSilencer Execution
- new: HackTool - NoFilter Execution
- new: PUA - PingCastle Execution
- new: PUA - PingCastle Execution From Potentially Suspicious Parent
- new: Peach Sandstorm APT Process Activity Indicators
- new: Potential Peach Sandstorm APT C2 Communication Activity
- new: Potential Persistence Via AppCompat RegisterAppRestart Layer
- new: Potential Pikabot Infection - Suspicious Command Combinations Via Cmd.EXE
- new: Renamed PingCastle Binary Execution
- new: System Control Panel Item Loaded From Uncommon Location
- new: System Information Discovery Using System_Profiler
- new: System Integrity Protection (SIP) Disabled
- new: System Integrity Protection (SIP) Enumeration
- new: Windows Filtering Platform Blocked Connection From EDR Agent Binary

### Updated Rules

- update: Creation Of Non-Existent System DLL - Remove the drive anchor and the System32 `Image` filter. An attacker can copy the file elsewhere and then use a system utility such as `copy` or `xcopy`, which lives in the System32 folder, to create it again; a filter that trusts every System32 image would let that bypass the rule.
- update: Findstr Launching .lnk File - Increase coverage by adding cases where the command line ends with a double or a single quote
- update: Forfiles Command Execution - Remove unnecessary selection and enhance metadata information
- update: Hacktool Execution - Imphash - Add additional imphash values to increase coverage
- update: Hacktool Named File Stream Created - Added new Imphash values for the `EDRSandBlast`, `EDRSilencer` and `Forensia` utilities
- update: Hypervisor Enforced Code Integrity Disabled - Add additional path for the HVCI config
- update: Potential DLL Sideloading Of Non-Existent DLLs From System Folders - Add SignatureStatus to the filter so that only loads with a valid signature are excluded, reducing the bypass surface
- update: Potential Persistence Via MyComputer Registry Keys - Remove the `SOFTWARE` registry key anchor to increase coverage for `WOW6432Node` cases
- update: Potential System DLL Sideloading From Non System Locations - Add iernonce.dll
- update: Potential System DLL Sideloading From Non System Locations - Remove the drive anchor from the filter to catch systems installed on a drive other than the default C:
- update: Powershell Defender Disable Scan Feature - Add additional PowerShell MpPreference cmdlets
- update: Remote PowerShell Session (PS Classic) - Reduce level to low
- update: Screen Capture Activity Via Psr.EXE - Add `-start` command line variation
- update: System Information Discovery Using Ioreg - Enhanced coverage with additional flags and CLI options
- update: Tamper Windows Defender - PSClassic - Add additional PowerShell MpPreference cmdlets
- update: Tamper Windows Defender - ScriptBlockLogging - Add additional PowerShell MpPreference cmdlets
- update: Uncommon Extension Shim Database Installation Via Sdbinst.EXE - Add an additional command line flag that might trigger FPs

### Removed / Deprecated Rules

- remove: Svchost DLL Search Order Hijack - Deprecated in favor of the rule 6b98b92b-4f00-4f62-b4fe-4d1920215771. For legitimate cases where the DLL is still present, nothing can be filtered out. The replacement assumes the load is performed by an unsigned or invalidly signed DLL, which catches most cases; an attacker who is able to sign the DLL with a valid signature can bypass the rule.

### Fixed Rules

- fix: Enable LM Hash Storage - ProcCreation - Removed trailing slash from registry path
- fix: Potentially Suspicious EventLog Recon Activity Using Log Query Utilities - Fix typo in WMIC image name
- fix: Suspicious Greedy Compression Using Rar.EXE - Fix error in path selection
- fix: Suspicious Redirection to Local Admin Share - Add missing CommandLine field selection
- fix: System Information Discovery Via Wmic.EXE - Moved to threat hunting and added an additional filter to reduce noise from VMware Tools

### Acknowledgement

Thanks to @ahouspan, @bohops, @danielgottt, @frack113, @joshnck, @jstnk9, @meiliumeiliu, @MrSeccubus, @nasbench, @Neo23x0, @phantinuss, @qasimqlf, @slincoln-aiq, @st0pp3r, @tr0mb1r, @Tuutaans, @X-Junior, @zestsg for their contribution to this release

### Which Sigma rule package should I use?

A detailed explanation can be found in the [Releases.md](Releases.md) file. If you are new to Sigma, we recommend starting with the "Core" ruleset. The [latest release package on GitHub](https://docs.github.com/en/repositories/releasing-projects-on-github/linking-to-releases#linking-to-the-latest-release) can always be found [here](https://github.com/SigmaHQ/sigma/releases/latest).
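An added example, not code from the SigmaHQ repository, that makes two of the reasoning points in the r2024-01-15 notes concrete: the `copy`/`xcopy` bypass that led "Creation Of Non-Existent System DLL" to drop its hardcoded `C:` drive anchor and its System32 `Image` filter, and the weakness of a `Signed`-only filter that motivated adding `SignatureStatus` to "Potential DLL Sideloading Of Non-Existent DLLs From System Folders" and deprecating "Svchost DLL Search Order Hijack". The Python below is a minimal Sigma-style matcher (AND inside a block, OR across list values, implicit condition `selection and not 1 of filter_*`) run over constructed Sysmon event ID 11 (FileCreate) and event ID 7 (ImageLoad) records. The rule bodies, the phantom DLL names and the sample events are simplified assumptions written for this example; they are not the published rules.

```python
"""Sigma-style matcher replaying two rule changes from the release notes.

Example code written for this page, not code from the SigmaHQ repository.
The rule dictionaries are simplified approximations (assumed, not the
published rule bodies); event field names follow Sysmon EID 11 and EID 7,
and every event below is a constructed sample.
"""

# Phantom system DLL names assumed for this demo.
PHANTOM_DLLS = ["wlbsctrl.dll", "TSMSISrv.dll"]


def _field_matches(value, op, wanted):
    """Case-insensitive Sigma string modifiers: equals / startswith / endswith / contains."""
    v, w = str(value).lower(), str(wanted).lower()
    if op == "startswith":
        return v.startswith(w)
    if op == "endswith":
        return v.endswith(w)
    if op == "contains":
        return w in v
    return v == w


def _block_matches(event, block):
    """Every key in a block must match (AND); a list of values is an OR."""
    for key, wanted in block.items():
        field, _, op = key.partition("|")
        if field not in event:
            return False
        candidates = wanted if isinstance(wanted, list) else [wanted]
        if not any(_field_matches(event[field], op, w) for w in candidates):
            return False
    return True


def matches(event, rule):
    """Implicit Sigma condition: 'selection and not 1 of filter_*'."""
    if not _block_matches(event, rule["selection"]):
        return False
    return not any(_block_matches(event, blk) for name, blk in rule.items() if name.startswith("filter"))


def evaluate(rule, events):
    """Return the indexes of the events the rule fires on."""
    return [i for i, ev in enumerate(events) if matches(ev, rule)]


# 1. FileCreate (EID 11): the old C: anchor plus a System32 Image filter versus the new form.
FILE_CREATE_OLD = {
    "selection": {
        "TargetFilename|startswith": "C:\\Windows\\System32\\",
        "TargetFilename|endswith": ["\\" + d for d in PHANTOM_DLLS],
    },
    # Old filter trusted any writer living in System32, including copy.exe / xcopy.exe.
    "filter_system32": {"Image|startswith": "C:\\Windows\\System32\\"},
}
FILE_CREATE_NEW = {
    "selection": {"TargetFilename|endswith": ["\\Windows\\System32\\" + d for d in PHANTOM_DLLS]},
}
FILE_EVENTS = [  # constructed samples
    {"Image": "C:\\Users\\bob\\AppData\\Local\\Temp\\stage.exe", "TargetFilename": "C:\\Windows\\System32\\wlbsctrl.dll"},
    {"Image": "C:\\Windows\\System32\\xcopy.exe", "TargetFilename": "C:\\Windows\\System32\\wlbsctrl.dll"},
    {"Image": "D:\\Users\\bob\\stage.exe", "TargetFilename": "D:\\Windows\\System32\\TSMSISrv.dll"},
    {"Image": "C:\\Windows\\System32\\svchost.exe", "TargetFilename": "C:\\Windows\\Temp\\report.log"},
]

# 2. ImageLoad (EID 7): filtering on Signed alone versus Signed plus SignatureStatus.
_LOAD_SELECTION = {"Image|endswith": "\\svchost.exe", "ImageLoaded|endswith": ["\\" + d for d in PHANTOM_DLLS]}
IMAGE_LOAD_OLD = {"selection": _LOAD_SELECTION, "filter_signed": {"Signed": "true"}}
IMAGE_LOAD_NEW = {"selection": _LOAD_SELECTION, "filter_signed": {"Signed": "true", "SignatureStatus": "Valid"}}
LOAD_EVENTS = [  # constructed samples; SignatureStatus values follow Sysmon's vocabulary
    {"Image": "C:\\Windows\\System32\\svchost.exe", "ImageLoaded": "C:\\Windows\\System32\\wlbsctrl.dll", "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": "C:\\Windows\\System32\\svchost.exe", "ImageLoaded": "C:\\Windows\\System32\\wlbsctrl.dll", "Signed": "true", "SignatureStatus": "Untrusted"},
    {"Image": "C:\\Windows\\System32\\svchost.exe", "ImageLoaded": "C:\\Windows\\System32\\wlbsctrl.dll", "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": "C:\\Windows\\System32\\svchost.exe", "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll", "Signed": "true", "SignatureStatus": "Valid"},
]

if __name__ == "__main__":
    print("FileCreate old:", evaluate(FILE_CREATE_OLD, FILE_EVENTS))  # [0]: xcopy and D: cases missed
    print("FileCreate new:", evaluate(FILE_CREATE_NEW, FILE_EVENTS))  # [0, 1, 2]
    print("ImageLoad old:", evaluate(IMAGE_LOAD_OLD, LOAD_EVENTS))    # [0]: self-signed DLL slips past Signed=true
    print("ImageLoad new:", evaluate(IMAGE_LOAD_NEW, LOAD_EVENTS))    # [0, 1]; index 2 is still excluded
```

Event index 1 in each list is the bypass the notes describe: a phantom DLL written by `xcopy.exe` passes the old System32 `Image` filter, and a DLL that carries a signature Sysmon reports as `Untrusted` passes a filter that only checks `Signed`. Load event index 2, a validly signed DLL, is excluded under both the old and the new filter, which is exactly the residual gap the deprecation note for "Svchost DLL Search Order Hijack" acknowledges.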