
updated adfind related rules

Open swachchhanda000 opened this pull request 10 months ago • 1 comment

Summary of the Pull Request

Added new adfind execution rule

Changelog

  • new: PUA - AdFind.EXE Execution
  • update: Renamed AdFind Execution - new entries of IMPHASH added to increase coverage

Example Log Event

Fixed Issues

SigmaHQ Rule Creation Conventions

  • If your PR adds new rules, please consider following and applying these conventions

swachchhanda000 avatar Feb 23 '25 11:02 swachchhanda000
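A Sigma rule in the shape the changelog describes (an image-name selection plus an IMPHASH selection, with the level set to medium as suggested in the reply below), added here as a constructed illustration rather than the rule submitted in this PR; the rule id and the imphash values are placeholders, not real values from the project:

```yaml
title: PUA - AdFind.EXE Execution
id: 00000000-0000-0000-0000-000000000000   # placeholder, not a real rule id
status: experimental
description: |
    Detects execution of AdFind, an Active Directory query tool that is also
    abused for domain enumeration. Bare execution is flagged at medium
    severity; a separate rule can cover enumeration-specific arguments.
author: constructed example
date: 2025-02-23
tags:
    - attack.discovery
    - attack.t1087.002
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        # Matches on the binary name or its original PE name (covers renames)
        - Image|endswith: '\AdFind.exe'
        - OriginalFileName: 'AdFind.exe'
    selection_hash:
        # Matches on import hash, so a renamed copy with a stripped
        # OriginalFileName still triggers. Values below are placeholders.
        Imphash:
            - 'PLACEHOLDER_IMPHASH_1'
            - 'PLACEHOLDER_IMPHASH_2'
    condition: 1 of selection_*
falsepositives:
    - Legitimate administrator use of AdFind
level: medium
```

Sysmon must be configured to log the IMPHASH hash type in process creation events for the `selection_hash` branch to match.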

Hi, the purpose of the rule is to detect ActiveDirectory enumeration, and with the update even starting adfind will generate a high alert. I think it is better to put your detection in a new MEDIUM rule. The selection names are better, you can keep them in the PR.

frack113 avatar Feb 26 '25 09:02 frack113