
Add rule for Win connection to suspicious WiFi #6005

Open

privet-username wants to merge 4 commits into SigmaHQ:master from privet-username:feature/detect-suspicious-bssid


Conversation


@privet-username privet-username commented May 10, 2026

Summary of the Pull Request

Add a new detection rule for a Windows Security event that detects a successful connection to a suspicious WiFi AP. Based on MAC addresses belonging to Raspberry Pi and Alfa APs.

Changelog

new: Connection to suspicious WiFi

Example Log Event

Fixed Issues

SigmaHQ Rule Creation Conventions

  • If your PR adds new rules, please consider following and applying these conventions
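The PR description above only states the idea (match the access point's BSSID against OUI prefixes of Raspberry Pi and Alfa hardware); the rule file itself is not shown on this page. The following is an added example written for this page, not the PR's rule or any SigmaHQ code, that implements that check in Python over constructed events. Everything in it is an assumption: the field name `PeerMac`, the `EventID` value, the OUI prefixes and the vendor names are placeholders to be verified against the IEEE OUI registry and the actual Windows event schema. It goes slightly beyond the description by normalizing the separator styles different log sources use and by refusing to match locally administered addresses, which carry no vendor OUI.

```python
import re

# Illustrative OUI prefixes (first three octets) for the hardware classes the PR
# description names. These are assumptions for this example, not values from the
# PR; confirm any prefix against the IEEE OUI registry before using it in a rule.
SUSPICIOUS_OUIS = {
    "B8:27:EB": "Raspberry Pi Foundation",
    "DC:A6:32": "Raspberry Pi Trading",
    "E4:5F:01": "Raspberry Pi Trading",
    "00:C0:CA": "ALFA, INC.",
}


def normalize_mac(mac):
    """Return the MAC as 'AA:BB:CC:DD:EE:FF', or None if it is not 12 hex digits.

    Windows logs often write MACs with dashes, other sources use colons or
    Cisco-style dots; all separators are stripped before re-joining.
    """
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", mac or "")
    if len(hexdigits) != 12:
        return None
    hexdigits = hexdigits.upper()
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def is_locally_administered(normalized_mac):
    """True if the U/L bit (bit 1 of the first octet) is set.

    Such addresses are not assigned by a vendor, so an OUI lookup on them is
    meaningless and must not produce a vendor match.
    """
    return bool(int(normalized_mac[:2], 16) & 0x02)


def match_suspicious_bssid(bssid):
    """Return the vendor name for a watch-listed OUI, else None."""
    norm = normalize_mac(bssid)
    if norm is None or is_locally_administered(norm):
        return None
    return SUSPICIOUS_OUIS.get(norm[:8])


def evaluate_events(events, bssid_field="PeerMac"):
    """Apply the check to event dicts; return (event, vendor) for each hit.

    `bssid_field` is a placeholder for whichever field carries the access-point
    MAC in the Windows Security event; the PR page does not show the name.
    """
    hits = []
    for event in events:
        vendor = match_suspicious_bssid(event.get(bssid_field))
        if vendor is not None:
            hits.append((event, vendor))
    return hits


# Constructed sample events (not real logs; the EventID value is assumed).
SAMPLE_EVENTS = [
    {"EventID": 5632, "SSID": "CorpWiFi", "PeerMac": "b8-27-eb-12-34-56"},
    {"EventID": 5632, "SSID": "CorpWiFi", "PeerMac": "00:11:22:33:44:55"},
    {"EventID": 5632, "SSID": "Guest", "PeerMac": "00C0.CA01.0203"},
    {"EventID": 5632, "SSID": "Guest", "PeerMac": "ba:27:eb:12:34:56"},  # U/L bit set
    {"EventID": 5632, "SSID": "Guest"},  # field missing: skipped, not an error
]

if __name__ == "__main__":
    for event, vendor in evaluate_events(SAMPLE_EVENTS):
        print(f"suspicious BSSID {event['PeerMac']} -> {vendor} (SSID {event['SSID']})")
```

An OUI match only says that the access point is built on a particular vendor's hardware, not that it is hostile; Raspberry Pi boards are common as legitimate devices, so such a rule is a triage signal that benefits from context (expected SSIDs, known corporate BSSIDs) rather than a high-confidence alert on its own.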

github-actions bot added the labels Rules, Review Needed (The PR requires review) and Windows (Pull request add/update windows related rules) on May 10, 2026
Collaborator

@swachchhanda000 swachchhanda000 left a comment


Hi @privet-username,

Thanks for this solid PR.

I made a few additional improvements on top of your original rule, including fixing some typos, expanding the detection logic to cover suspicious SSIDs and additional OUIs, and refining the metadata for better description and clarity.

Cheers!

swachchhanda000 added the Ready to Merge label and removed the Review Needed (The PR requires review) label on May 13, 2026
swachchhanda000 added this to the Sigma-May-Release milestone on May 13, 2026
Author

privet-username commented May 13, 2026

Hi @swachchhanda000,

Thank you for the review.

Your idea to cover suspicious SSIDs is great. However, I think it should be separate because it covers a different type of attack and has a different severity level than Evil Twin AP. I would create a different rule based on your idea using SSIDs and keep my PR separate.

Comment thread on rules/windows/builtin/security/win_security_susp_wlan_bssid.yml (outdated)
@privet-username privet-username force-pushed the feature/detect-suspicious-bssid branch from f648b10 to 643adcd Compare May 14, 2026 14:06
privet-username (Author) commented

> Hi @privet-username,
>
> Thanks for this solid PR.
>
> I made a few additional improvements on top of your original rule, including fixing some typos, expanding the detection logic to cover suspicious SSIDs and additional OUIs, and refining the metadata for better description and clarity.
>
> Cheers!

Hi @swachchhanda000,

I appreciate the effort, but I’ve reverted the changes related to SSIDs to keep this PR focused strictly on BSSID-based detection, as they represent different attack vectors and severity levels. I'll be happy to see the SSID logic as a separate PR.

@privet-username privet-username requested a review from frack113 May 14, 2026 14:57
Comment thread on rules/windows/builtin/security/win_security_wifi_rogue_ap_bssid.yml (outdated)
swachchhanda000 added the Review Needed (The PR requires review) label and removed the Ready to Merge label on May 15, 2026
Fix event field name

Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
@privet-username privet-username requested a review from frack113 May 16, 2026 13:14