sigma
Main Sigma Rule Repository
This PR covers multiple additions and updates [Work In Progress]
Similar idea to the [lsass dump detection rule](https://github.com/SigmaHQ/sigma/blob/master/rules/windows/file_event/file_event_win_lsass_dump.yml): this rule detects the default file names output by SharpHound.
proxy_susp_flash_download_loc: * Change to c-uri instead of c-uri-query so we actually match on the path and not the query. * r-dns instead of c-uri-stem as it appears cleaner in this...
https://github.com/SigmaHQ/sigma/blob/master/other/sigma_attack_nav_coverage.json There are now rules that use the resourcedevelopment tactic in your library, but this coverage map doesn't include that coverage. Also https://github.com/SigmaHQ/sigma/blob/master/tools/config/mitre/tactics.json is out of date, and appears to...
Proposed rule for Windows lolbin AgentExecutor that doesn't have much coverage. Rule created as final project for Detection Engineering with Sigma course with @defensivedepth
Hi Team, I am having issues adding Sumo Logic to the list of targets; currently, I don't see it when I run the command: sigma list targets
The new sigma rule refers to Usecase: Execute proxied payload with Microsoft signed binary to bypass WDAC policies. Ref URL --> https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wfc/
Hello, I encountered an issue when configuring a custom fieldmapping for the translation of Sigma rules to Splunk queries. I can't manage SIEM parsing, that's why I configured fieldmapping. I...
Currently I am converting Zeek Sigma rules to ElastAlert using sigmac. The configuration file used for this is ecs-zeek-elastic-beats-implementation. The following command is used for conversion: `sudo ./sigmac -I -t elastalert -r...
The pull request [here](pull/3081) means that there is an additional backslash at the start of the wildcard; when using this query in LogPoint, it will fail due to the double...