sigma
Main Sigma Rule Repository
Tested this rule with Win10 logs and only worked with capital users directory
Hi, This rule detects when a file is written to disk or a commandline contains a right-to-left-override (U202E) character followed by a string that would deceive users to believe...
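As an added example (not code from the Sigma repository or from the issue author), the following script applies the logic of the right-to-left-override rule described above to a few constructed Sysmon-style events. The field names `EventID`, `TargetFilename` and `CommandLine` are assumed, and the sample events are constructed for this example, not real telemetry. It also shows what the user would actually see: a name such as `report<U+202E>gpj.exe` renders as `reportexe.jpg`.

```python
"""Apply the RLO (U+202E) file-name disguise rule to constructed sample events.

Added example; assumes Sysmon-like fields (EventID, TargetFilename, CommandLine).
The events in SAMPLE_EVENTS are constructed for the example, not real telemetry.
"""
import re

RLO = "\u202e"  # RIGHT-TO-LEFT OVERRIDE, invisible when rendered

# Extensions a user would trust when they appear at the *visible* end of a name.
BENIGN_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf", "doc", "docx",
                     "xls", "xlsx", "txt", "mp3", "mp4"}

# Executable extensions that the RLO trick hides in the middle of the displayed name.
EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "bat", "cmd", "js", "vbs", "ps1", "msi", "lnk"}

# RLO, then the reversed fake extension, then a dot and the real extension at the end.
RLO_PATTERN = re.compile(RLO + r"([A-Za-z0-9]{2,5})\.([A-Za-z0-9]{1,4})$")

# Constructed sample events: two disguised executables, two benign controls.
SAMPLE_EVENTS = [
    {"EventID": 11, "TargetFilename": "C:\\Users\\alice\\Downloads\\report" + RLO + "gpj.exe"},
    {"EventID": 1, "CommandLine": '"C:\\Users\\alice\\Downloads\\invoice' + RLO + 'fdp.scr"'},
    {"EventID": 11, "TargetFilename": "C:\\Users\\alice\\Downloads\\report.jpg"},
    {"EventID": 1, "CommandLine": "C:\\Windows\\System32\\notepad.exe C:\\temp\\note.txt"},
]


def displayed_name(s):
    """Approximate how a bidi-aware renderer shows the string: the RLO character
    itself is not drawn and everything after it is drawn reversed."""
    head, sep, tail = s.partition(RLO)
    return head + tail[::-1] if sep else s


def check_name(name):
    """Return a finding dict if `name` uses RLO to disguise an executable, else None."""
    m = RLO_PATTERN.search(name)
    if not m:
        return None
    fake_ext = m.group(1)[::-1].lower()  # "gpj" -> "jpg": what the user sees at the end
    real_ext = m.group(2).lower()        # what the OS actually executes
    if fake_ext in BENIGN_EXTENSIONS and real_ext in EXECUTABLE_EXTENSIONS:
        return {"name": name, "real_ext": real_ext, "appears_as": displayed_name(name)}
    return None


def detect(event):
    """Apply the rule to one event: EID 11 (file create) inspects TargetFilename,
    EID 1 (process create) inspects each whitespace-separated command-line token."""
    findings = []
    if event.get("EventID") == 11:
        f = check_name(event.get("TargetFilename", ""))
        if f:
            findings.append(dict(f, field="TargetFilename"))
    elif event.get("EventID") == 1:
        # Simple tokenisation; paths containing spaces would need proper quoting rules.
        for token in event.get("CommandLine", "").split():
            f = check_name(token.strip("\"'"))
            if f:
                findings.append(dict(f, field="CommandLine"))
    return findings


def run(events):
    """Return all findings over a list of events."""
    return [f for e in events for f in detect(e)]


if __name__ == "__main__":
    for f in run(SAMPLE_EVENTS):
        print(f"{f['field']}: runs as .{f['real_ext']} but displays as {f['appears_as']!r}")
```

Matching on the raw U+202E code point keeps the check independent of case, which sidesteps the case-sensitivity problem some backends have with path prefixes such as the users directory.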
Here are integer operators we'll need for the FireEye HX OpenIOC-like backend: - greater than - less than - between # inequalities I believe we could add [modifiers](https://github.com/Neo23x0/sigma/wiki/Specification#value-modifiers) for the...
Hi this is my rule for defender service stop with token impersonation [defenderstop_2.txt](https://github.com/SigmaHQ/sigma/files/8010298/defenderstop_2.txt) `title: defender stop with trustedinstaller token impersonation id: status: experimental description: detect windows defender service stop with...
https://github.com/SigmaHQ/sigma/blob/c1c5ed0db73b10e53a6565eb0cfe48d43c1e1829/rules/linux/auditd/lnx_auditd_cve_2021_4034.yml#L22 I think it should be 'or' instead of 'and' since the two conditions match on different logs.
Hello! I've got an issue with a couple of rules and wanted to get an opinion on whether these are bugs in the rules, needs improvement in the backend, or...
We've chased down hits on [this](https://github.com/SigmaHQ/sigma/blob/master/rules/windows/create_remote_thread/sysmon_suspicious_remote_thread.yml) sigma rule repeatedly, where the PowerPoint executable is seen opening a remote thread in CSRSS.EXE, and we never find any other indicators of compromise....
sysmon_new_dll_added_to_appinit_dlls_registry_key calls for filtering sysmon EID 13 "NewName" with "Details", but I believe that isn't possible. In order for this configuration to validate, I had to remove the "NewName"...
Hi, When I convert rule sysmon_excel_outbound_network_connection.yml to elastalert, I get the following query: `((process.executable.keyword:*\\excel.exe AND network.direction:"true" AND DestinationIsIpv6:"false") AND (NOT (destination.ip.keyword:(10.* OR 192.168.* OR 172.16.* OR 172.17.* OR 172.18.* OR...