SigmaHQ
diff --git a/‎.github/latest_archiver_output.md‎
Lines changed: 564 additions & 557 deletions b/‎.github/latest_archiver_output.md‎
Lines changed: 564 additions & 557 deletions
diff --git a/‎.github/workflows/goodlog-tests.yml‎
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/goodlog-tests.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/known-FPs.csv‎
Lines changed: 2 additions & 1 deletion b/‎.github/workflows/known-FPs.csv‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎.github/workflows/matchgrep.sh‎
Lines changed: 5 additions & 5 deletions b/‎.github/workflows/matchgrep.sh‎
Lines changed: 5 additions & 5 deletions
diff --git a/‎.github/workflows/regression-tests.yml‎
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/regression-tests.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/sigma-validation.yml‎
Lines changed: 4 additions & 1 deletion b/‎.github/workflows/sigma-validation.yml‎
Lines changed: 4 additions & 1 deletion
diff --git a/‎.gitignore‎
Lines changed: 3 additions & 0 deletions b/‎.gitignore‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎deprecated/deprecated.csv‎
Lines changed: 1 addition & 0 deletions b/‎deprecated/deprecated.csv‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎deprecated/deprecated.json‎
Lines changed: 7 additions & 0 deletions b/‎deprecated/deprecated.json‎
Lines changed: 7 additions & 0 deletions
diff --git a/‎…xchange_mailbox_smpt_forwarding_rule.yml‎ ‎…xchange_mailbox_smpt_forwarding_rule.yml‎rules/windows/powershell/powershell_script/posh_ps_exchange_mailbox_smpt_forwarding_rule.yml renamed to deprecated/windows/posh_ps_exchange_mailbox_smpt_forwarding_rule.yml
Lines changed: 2 additions & 1 deletion b/‎…xchange_mailbox_smpt_forwarding_rule.yml‎ ‎…xchange_mailbox_smpt_forwarding_rule.yml‎rules/windows/powershell/powershell_script/posh_ps_exchange_mailbox_smpt_forwarding_rule.yml renamed to deprecated/windows/posh_ps_exchange_mailbox_smpt_forwarding_rule.yml
Lines changed: 2 additions & 1 deletion
@@ -6,7 +6,7 @@ name: Goodlog Tests
 on: [push, pull_request, merge_group, workflow_dispatch]
 
 env:
-  EVTX_BASELINE_VERSION: v0.8.3
+  EVTX_BASELINE_VERSION: v0.8.4
 
 jobs:
   check-baseline-win7:
 
@@ -73,6 +73,7 @@ de587dce-915e-4218-aac4-835ca6af6f70;Potential Persistence Attempt Via Run Keys
 8fbf3271-1ef6-4e94-8210-03c2317947f6;Cred Dump Tools Dropped Files;Svchost\.exe
 c7da8edc-49ae-45a2-9e61-9fd860e4e73d;PUA - Sysinternals Tools Execution - Registry;.*
 dcff7e85-d01f-4eb5-badd-84e2e6be8294;Windows Default Domain GPO Modification via GPME;Computer: WIN-FPV0DSIC9O6.sigma.fr
-416bc4a2-7217-4519-8dc7-c3271817f1d5;Suspicious Loading of Dbgcore/Dbghelp DLLs from Uncommon Location;procexp64\.exe 
+416bc4a2-7217-4519-8dc7-c3271817f1d5;Suspicious Loading of Dbgcore/Dbghelp DLLs from Uncommon Location;procexp64\.exe
 5a6b7c8d-9e0f-1a2b-3c4d-5e6f7a8b9c0d;Cmd Launched with Hidden Start Flags to Suspicious Targets;xampp
 558eebe5-f2ba-4104-b339-36f7902bcc1a;File Creation Date Changed to Another Year;(\\target\.exe|thm\.wxl|\\AppData\\Local\\Temp\\)
+5e993621-67d4-488a-b9ae-b420d08b96cb;Service Installation in Suspicious Folder;\\\\AppData\\\\Local\\\\Temp\\\\MBAMInstallerService\.exe
@@ -18,14 +18,14 @@ if [[ ! -f ${fps}  || ! -r ${fps} ]]; then
 fi
 
 # Exclude all rules with level "low"
-findings=$(grep -v '"RuleLevel":"low"' ${infile})
+findings=$(grep -v '"RuleLevel":"low"' "${infile}")
 
 {
-    read # Skip CSV header
-    while IFS=\; read -r id name fpstring; do
+    read -r # Skip CSV header
+    while IFS=\; read -r id _name fpstring; do
         findings=$(echo "${findings}" | grep -iEv "\"RuleId\":\"${id}\".*${fpstring}")
     done
-} < ${fps}
+} < "${fps}"
 
 if [[ -z ${findings} ]]; then
     echo "No matches found."
@@ -34,7 +34,7 @@ else
     echo "${findings}"
     >&2 echo
     >&2 echo "Match overview:"
-    echo ${findings} | jq -c '. | {RuleId, RuleTitle, RuleLevel}' | sort | uniq -c | sort -nr >&2
+    echo "${findings}" | jq -c '. | {RuleId, RuleTitle, RuleLevel}' | sort | uniq -c | sort -nr >&2
     >&2 echo
     >&2 echo "You either need to tune your rule(s) for false positives or add a false positive filter to .github/workflows/known-FPs.csv"
     exit 3
 
@@ -3,7 +3,7 @@ name: Regression Tests
 on: [push, pull_request, workflow_dispatch]
 
 env:
-  EVTX_BASELINE_VERSION: v0.8.3
+  EVTX_BASELINE_VERSION: v0.8.4
 
 jobs:
   true-positive-tests:
 
@@ -2,6 +2,9 @@ name: Validate Sigma rules
 
 on: [push, pull_request, merge_group, workflow_dispatch]
 
+env:
+  SIGMA_RULE_SCHEMA_VERSION: v2.1.0
+
 jobs:
   sigma-rules-validator:
     runs-on: ubuntu-latest
@@ -16,4 +19,4 @@ jobs:
             ./rules-emerging-threats
             ./rules-placeholder
             ./rules-threat-hunting
-          schemaFile: ${{ github.workspace }}/tests/validate-sigma-schema/sigma-schema.json
+          schemaURL: https://raw.githubusercontent.com/SigmaHQ/sigma-specification/refs/tags/${{ env.SIGMA_RULE_SCHEMA_VERSION }}/json-schema/sigma-detection-rule-schema.json
@@ -101,3 +101,6 @@ settings.json
 
 # sigma2attack
 heatmap.json
+
+# VS Code workspace settings
+.vscode/
@@ -160,3 +160,4 @@ e28a5a99-da44-436d-b7a0-2afc20a5f413,Whoami Utility Execution,2018-08-13,2025-10
 e710a880-1f18-4417-b6a0-b5afdf7e305a,Atomic MacOS Stealer - FileGrabber Infostealer Execution,2025-09-12,2025-11-22,high
 4be03877-d5b6-4520-85c9-a5911c0a656c,FileFix - Suspicious Child Process from Browser File Upload Abuse,2025-06-26,2025-11-24,high
 6e30c82f-a9f8-4aab-b79c-7c12bce6f248,File Download Via Bitsadmin To An Uncommon Target Folder,2022-06-28,2025-12-10,medium
+15b7abbb-8b40-4d01-9ee2-b51994b1d474,Suspicious PowerShell Mailbox SMTP Forward Rule,2022-10-26,2026-03-01,medium
@@ -1125,5 +1125,12 @@
         "date": "2022-06-28",
         "modified": "2025-12-10",
         "level": "medium"
+    },
+    {
+        "id": "15b7abbb-8b40-4d01-9ee2-b51994b1d474",
+        "title": "Suspicious PowerShell Mailbox SMTP Forward Rule",
+        "date": "2022-10-26",
+        "modified": "2026-03-01",
+        "level": "medium"
     }
 ]
@@ -1,11 +1,12 @@
 title: Suspicious PowerShell Mailbox SMTP Forward Rule
 id: 15b7abbb-8b40-4d01-9ee2-b51994b1d474
-status: test
+status: deprecated
 description: Detects usage of the powerShell Set-Mailbox Cmdlet to set-up an SMTP forwarding rule.
 references:
     - https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-10-26
+modified: 2026-03-01
 tags:
     - attack.exfiltration
 logsource:
Original file line number	Diff line number	Diff line change
`@@ -1125,5 +1125,12 @@`
`1125`	`1125`	`"date": "2022-06-28",`
`1126`	`1126`	`"modified": "2025-12-10",`
`1127`	`1127`	`"level": "medium"`
	`1128`	`+ },`
	`1129`	`+ {`
	`1130`	`+ "id": "15b7abbb-8b40-4d01-9ee2-b51994b1d474",`
	`1131`	`+ "title": "Suspicious PowerShell Mailbox SMTP Forward Rule",`
	`1132`	`+ "date": "2022-10-26",`
	`1133`	`+ "modified": "2026-03-01",`
	`1134`	`+ "level": "medium"`
`1128`	`1135`	`}`
`1129`	`1136`	`]`