sigma icon indicating copy to clipboard operation
sigma copied to clipboard

Published 20 hours ago verified publisher icon SigmaHQ

Metadata

Main Sigma Rule Repository

Results 233 sigma issues
Sort by recently updated
recently updated
newest added

Based on suspicious regedit changes sigma rules

3 comment

### Description of the Idea of the Rule Suspicious reg changes ### Public References / Exampel Event Log https://github.com/HydraDragonAntivirus/OpenSourceViruses/blob/main/suspiciousregchangesandtaskkils

HydraDragonAntivirus avatar HydraDragonAntivirus

Work In Progress

Re-Work Rules / TODO

- Rework rule referenced in #4412 - Rework fec96f39-988b-4586-b746-b93d59fd1922 - ~~Check logic behind undocumented sdbinst flags. See #4470 for reference~~ [Resolved] - This [rule](https://github.com/SigmaHQ/sigma/blob/905abc4d649f876078203a053a2801f89edc16e4/rules/linux/auditd/lnx_auditd_omigod_scx_runasprovider_executeshellcommand.yml) is using fields from multiple log...

nasbench avatar nasbench

Rules
Work In Progress
False-Positive

Detect PowerShell w/o PowerShell Execution via RunDLL32 and various other methods

3 comment

### Description of the Idea of the Rule I want to propose a rule enabling the detection of PowerShell without using the well-known `powershell.exe` but rather via `rundll32.exe` and various...

JulianDroste avatar JulianDroste

Work In Progress

Rule: Access To Windows Outlook Mail Files By Uncommon Application

### Summary of the Pull Request Add Access To Windows Outlook Mail Files By Uncommon Application rule I used `file_access` to detect any way malware exe, ps, vbs, cmd... ###...

frack113 avatar frack113

Rules
Windows

Update AWS Rule to use fieldref modifier instead of contains

1 comment

### Summary of the Pull Request In deploying [this rule](https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_update_login_profile.yml), the Grafana SecOps team discovered that the `contains` modifier does not reference the field that this rule is trying to...

jamesc-grafana avatar jamesc-grafana

Rules
2nd Review Needed

Network connection from Microsoft Dialer

### Summary of the Pull Request Microsoft Windows Phone Dialer is a built-in utility application included in various versions of the Microsoft Windows operating system. Its primary function is to...

CertainlyP avatar CertainlyP

Rules
2nd Review Needed
Windows

Detects Backdoor Kapeka Via Registry Key

### Description of the Idea of the Rule Kapeka: A novel backdoor spotted in Eastern Europe ### Public References / Exampel Event Log https://labs.withsecure.com/publications/kapeka ```title: Backdoor Kapeka id: 039abeb3-149a-4d03-8fda-a338d51b9762 status:...

cY83rR0H1t avatar cY83rR0H1t

Work In Progress

Kapeka backdoor sigma rules

### Summary of the Pull Request Kapeka backdoor sigma rules ### Changelog new: Suspicious Backdoor Dropped by Kapeka Loader new: Kapeka Backdoor Binary Loaded by Rundll32.exe new: Kapeka Backdoor Execution...

swachchhanda000 avatar swachchhanda000

Rules
Work In Progress
Emerging-Threats

LOLBAS wbadmin rule

### Summary of the Pull Request Add rule for https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Wbadmin.yml ### Changelog add: Wbadmin NTDS.dit or SYSTEM hive access chore: Add LOLBAS reference to proc_creation_win_esentutl_sensitive_file_copy ### Example Log Event ```xml...

frack113 avatar frack113

Rules
Work In Progress
Windows

New Rule: proc_creation_macos_sysctl_discovery.yml

2 comment

### Summary of the Pull Request Added a new rule to detect execution of `sysctl` on macOS. - `sysctl` can be used to gather interesting macOS host data, including hardware...

pratinavchandra avatar pratinavchandra

Rules
Work In Progress
MacOS

Metadata

8.2k
Stars
2.2k
Forks
344
Watchers

Owner

verified publisher icon SigmaHQ

Metadata

Main Sigma Rule Repository

Back