Roberto Rodriguez
Duplicate of https://github.com/Cyb3rWard0g/HELK/issues/500
Hey @BarryStokes Our Sigma Config for sigmac actually translates that field to the right one: https://github.com/Cyb3rWard0g/HELK/blob/master/docker/helk-elastalert/sigmac/sigmac-config.yml#L122 Am I missing something? Can you share a screenshot of the rule that is...
ahh I see what you mean

```
elastalertuser@57378b97d853:~$ cat /etc/elastalert/rules/sigma_sysmon_suspicious_outbound_kerberos_connection.yml
alert:
- debug
description: Detects suspicious outbound network activity via kerberos default port indicating possible lateral movement or first stage...
```
We need to update the sigmac tool to latest. Thank you for letting us know.
Hello @sahar55 ! We changed the format a little bit and cleaned some of the playbooks from before. I will add this as a new playbook since I believe the...
Thank you @Il-Colombo !
https://threathunterplaybook.com/notebooks/windows/05_defense_evasion/WIN-190101151110.html
Thank you @damyanor ! Would you mind providing an example of the filter you are proposing? Is that something maybe that we can add under the playbook `Hunter Notes` section?...
Oh, something like this? https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_ad_replication_non_machine_account.yml#L23
# 6.A.1 Credentials in Files

Procedure: Read the Chrome SQL database file to extract encrypted credentials

Criteria: accesschk.exe reading files within %APPDATALOCAL%\Google\chrome\user data\default\