sigma
Main Sigma Rule Repository
- This PR adds the `/r` flag to the rules that rely on `cmd` flags
- Note that `/r` is the same as `/c`
- General updates along the way
https://bohops.com/2021/03/16/investigating-net-clr-usage-log-tampering-techniques-for-edr-evasion/ e0b06658-7d1d-4cd3-bf15-03467507ff7c: check creation of the log file. 28036918-04d3-423d-91c0-55ecf99fb892: the key does not exist on Windows 10 and 11, but I cannot generate a CreateKey event with Sysmon or...
When I converted Sigma rules into CrowdStrike rules I noticed that the config is not right. For example: when converting, Sigma gives `Commandline="* -enc *"`; this should be `CommandLine="* -enc...
Hi, I think we found another bug in the Splunk back-end, best seen in rule `rules/windows/process_creation/proc_creation_win_susp_schtasks_delete_all.yml`

```
detection:
    selection:
        Image|endswith: '\schtasks.exe'
        CommandLine|contains|all:
            - ' /delete '
            - '/tn \*'
            -...
```
Hi, I like your tools but I am not a big fan of installing python stuff. :-) Therefore I created a docker container. I can't install tools directly from repository...
…proc_creation_win_lolbas_not_from_c_drive.yml Changing to include other LOLBAS seen in CTI, such as regsvr32 and calc.exe
Updated proc_creation_win_iis_service_account_password_dumped.yml to include additional detection logic based on latest intel.
Cobalt Strike is abusing Fastly CDN by using quite unique patterns of 6 subdomains, seen in more than one source. However, this detection might still be the case of...