sigma
Main Sigma Rule Repository
### Added a new rule that detects known Linux malware using non-standard ports for their command and control communications. ### Changelog ### Example Log Event ### Fixed Issues ### SigmaHQ Rule...
title: Detecting export stolen DPAPI backup keys
id: 7892ec59-c5bb-496d-8968-e5d210ca3ac4
related:
  - id: 7892ec59-c5bb-496d-8968-e5d210ca3ac4
status: experimental
description: 'Detecting exported DPAPI backup keys. DPAPI Backup Key Theft: Both Mimikatz and DSInternals export stolen...
### Summary of the Pull Request Added a new rule to detect the macOS LOOBin nscurl being used to download files ### Changelog new: Suspicious File Download With nscurl ###...
### Summary of the Pull Request KeyScrambler suspicious child process ### Changelog new: Potentially Suspicious Child Process Of KeyScrambler.exe ### Example Log Event ``` { "EventTime": "2024-04-15T11:14:18.365386+00:00", "Hostname": "ACME", "Keywords":...
### Summary of the Pull Request Added a rule to detect registry modification actions and the aclui DLL loaded by Oleview.exe, potential Raspberry Robin malware activity. ### Changelog new: Potential Raspberry Robin...
### Summary of the Pull Request Creating a new rule to detect a new variant of the DarkGate loader when it is writing files into the C:\temp folder. ### Changelog new: DarkGate - Save...
### Summary of the Pull Request Added a new rule to detect execution of programs as Launch Agents or Launch Daemons using `launchctl` on macOS. - `launchctl` can be used...
### Summary of the Pull Request Added a new detection rule for identifying potentially suspicious network tunneling activities initiated through QEMU virtual machine instances on Windows systems. ### Changelog new:...
### Summary of the Pull Request This rule detects an unusual tunneling method reported by Kaspersky where QEMU binaries were used for C2 communication. ### Reference - https://thehackernews.com/2024/03/cybercriminals-utilize-qemu-emulator-as.html - https://securelist.com/network-tunneling-with-qemu/111803/...
### Summary of the Pull Request Many binaries accept both types of arguments, those starting with '/' and those starting with '-'. So, I updated some rules having flags with '/' as prefix to...
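The last PR above makes a point that bites many Windows process-creation rules: a rule that matches the literal string `/create` is silently bypassed by `-create`, which the same binary accepts. The following Python is an added illustration of that gap and of prefix-agnostic matching; it is not code from the SigmaHQ repository or from the PR. The command lines are constructed sample data, not real telemetry, and the flag names are chosen only to make the contrast visible. (Sigma itself provides the `windash` value modifier to express the same "either prefix" semantics directly in a rule.)

```python
import re
from typing import Iterable, List

# Constructed sample Windows process-creation command lines (not real telemetry).
# The same tool is invoked once with '/'-prefixed and once with '-'-prefixed
# switches; a rule looking for "schtasks create ... tr" should fire on both.
SAMPLE_COMMAND_LINES = [
    r"schtasks.exe /create /tn Updater /tr C:\Temp\a.exe /sc minute",
    r"schtasks.exe -create -tn Updater -tr C:\Temp\a.exe -sc minute",
    r"schtasks.exe /query /tn Updater",
    r"notepad.exe C:\Temp\create.txt",
]


def flag_pattern(flag: str) -> re.Pattern:
    r"""Match `flag` as a whole command-line switch with either prefix character.

    (?<!\S)      the switch starts the line or follows whitespace, so a path
                 segment such as 'C:\x\-create' does not count;
    [-/]         either prefix the binary accepts;
    (?![^\s:=])  the switch ends at whitespace, end of line, or a ':'/'='
                 value separator (e.g. '/tn:Updater').
    """
    return re.compile(rf"(?<!\S)[-/]{re.escape(flag)}(?![^\s:=])", re.IGNORECASE)


def naive_detect(lines: Iterable[str], flags: Iterable[str]) -> List[str]:
    """Pre-fix behaviour: literal '/' prefix only, so the '-' variant is missed."""
    flags = list(flags)
    return [cl for cl in lines if all(f"/{f}" in cl.lower() for f in flags)]


def detect(lines: Iterable[str], flags: Iterable[str]) -> List[str]:
    """Prefix-agnostic matching: every required switch must appear with '/' or '-'."""
    patterns = [flag_pattern(f) for f in flags]
    return [cl for cl in lines if all(p.search(cl) for p in patterns)]


if __name__ == "__main__":
    wanted = ("create", "tr")
    print("naive :", naive_detect(SAMPLE_COMMAND_LINES, wanted))
    print("fixed :", detect(SAMPLE_COMMAND_LINES, wanted))
```

Running the block shows the naive matcher catching only the `/`-form command line, while the prefix-agnostic matcher catches both forms and still ignores the `create.txt` file argument, because a switch must be preceded by whitespace and one of the two prefix characters.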