Ecosyste.ms: Issues

An open API service for providing issue and pull request metadata for open source projects.

GitHub / SigmaHQ/sigma issues and pull requests

#4711 - Fix some FP in Rundll32 Execution With Uncommon DLL Extension

Pull Request - State: closed - Opened by xiangchen96 8 months ago - 2 comments
Labels: Rules, Windows

#4710 - Add ipconfig.io domain

Pull Request - State: closed - Opened by xiangchen96 8 months ago
Labels: Rules, Windows

#4709 - Create detection_of_responder_tool_in_microsoft_365_defender_logs.yaml

Pull Request - State: closed - Opened by prashanthpulisetti 8 months ago - 5 comments
Labels: Rules, Work In Progress, Author Input Required

#4708 - Adding new hosting sites to downloading rules

Issue - State: closed - Opened by omaramin17 8 months ago - 3 comments

#4707 - New rules upload

Pull Request - State: closed - Opened by skaynum 8 months ago - 5 comments
Labels: Rules, Work In Progress, Windows

#4706 - Updated Sigma2Attack.py Script

Pull Request - State: closed - Opened by DaveTheResearcher 8 months ago - 3 comments
Labels: Duplicate

#4705 - New Rule: WMIC Disk and Volume Recon

Pull Request - State: closed - Opened by slincoln-aiq 8 months ago
Labels: Rules, 2nd Review Needed, Windows

#4704 - Added RDP reg keys for darkgate malware

Pull Request - State: closed - Opened by slincoln-aiq 8 months ago
Labels: Rules, 2nd Review Needed, Windows

#4703 - Hack tool EventLogCrasher - imphash based detection

Pull Request - State: closed - Opened by Neo23x0 8 months ago
Labels: Rules, Windows

#4702 - Rules Tuning

Pull Request - State: closed - Opened by nasbench 8 months ago - 1 comment
Labels: Rules, 2nd Review Needed, Windows

#4701 - Archive New Rule References

Pull Request - State: closed - Opened by github-actions[bot] 8 months ago

#4700 - Promote Older Rules From `experimental` to `test`

Pull Request - State: closed - Opened by github-actions[bot] 8 months ago

#4699 - net_connection_win_rundll32_net_connections.yml leads to false positive via multiple vendors

Issue - State: closed - Opened by bill-e-ghote 8 months ago - 4 comments
Labels: False-Positive

#4698 - Added rules that detect possible activities associated with services and modules enumeration

Pull Request - State: closed - Opened by swachchhanda000 8 months ago - 4 comments
Labels: Rules, 2nd Review Needed, Windows

#4697 - Small fix

Pull Request - State: closed - Opened by frack113 8 months ago - 1 comment
Labels: Rules, Windows

#4696 - chore(deps-dev): bump aiohttp from 3.9.0 to 3.9.2

Pull Request - State: closed - Opened by dependabot[bot] 8 months ago - 1 comment
Labels: Dependencies

#4695 - Add OpenCanary Rules

Pull Request - State: closed - Opened by defensivedepth 8 months ago - 3 comments
Labels: Rules

#4694 - Authored native Kubernetes Detections

Pull Request - State: closed - Opened by LAripping 8 months ago - 6 comments
Labels: Rules, 2nd Review Needed, Maintenance

#4693 - update: removed unnecessary selection part

Pull Request - State: closed - Opened by qasimqlf 8 months ago
Labels: Rules, Windows

#4692 - New rules related to iexpress.exe and makecab.exe

Pull Request - State: closed - Opened by jstnk9 8 months ago - 4 comments
Labels: Rules, Windows

#4691 - fix: updated the wrong image name

Pull Request - State: closed - Opened by qasimqlf 8 months ago - 2 comments
Labels: Rules, Windows

#4690 - Update pipe_created_hktl_cobaltstrike_susp_pipe_patterns.yml

Pull Request - State: closed - Opened by tr0mb1r 8 months ago
Labels: Rules, 2nd Review Needed, Windows

#4689 - Added AttackIQ to README Projects and Products

Pull Request - State: closed - Opened by slincoln-aiq 8 months ago
Labels: Maintenance

#4687 - update: added missing image names

Pull Request - State: closed - Opened by qasimqlf 9 months ago - 3 comments
Labels: Rules, Emerging-Threats

#4686 - Create proc_creation_win_hktl_sharpmove.yml

Pull Request - State: closed - Opened by CrimpSec 9 months ago
Labels: Rules, Windows

#4685 - Create HackTool-EDRSilencer-Execution.yml

Pull Request - State: closed - Opened by t-pol 9 months ago
Labels: Rules, 2nd Review Needed, Windows

#4684 - fix: several FPs

Pull Request - State: closed - Opened by phantinuss 9 months ago
Labels: Rules, 2nd Review Needed, Windows

#4683 - Excessive requests from Go-http-client/1.1

Issue - State: closed - Opened by cherdt 9 months ago - 3 comments

#4682 - New: CodePage modification via MODE to Russian language

Pull Request - State: closed - Opened by jstnk9 9 months ago - 2 comments
Labels: Rules, Windows

#4681 - Add Missing Ref & Tags

Pull Request - State: closed - Opened by nasbench 9 months ago
Labels: Rules, Windows, Linux, Maintenance

#4680 - Add miningocean.org mining pools

Pull Request - State: closed - Opened by xiangchen96 9 months ago
Labels: Rules, 2nd Review Needed, Windows

#4679 - Suspicious unsigned DLL Loaded by RunDLL32/RegSvr32

Pull Request - State: closed - Opened by swachchhanda000 9 months ago
Labels: Rules, 2nd Review Needed, Windows

#4678 - Added and updated pikabot related rules

Pull Request - State: closed - Opened by swachchhanda000 9 months ago - 1 comment
Labels: Rules, Emerging-Threats

#4677 - Create proc_creation_win_medusa_ransomware_wmic.yml

Pull Request - State: closed - Opened by prashanthpulisetti 9 months ago - 1 comment
Labels: Duplicate, Rules, Emerging-Threats

#4676 - registry_set_medusa_Ransomware_disabling_of_uac_via_registry_modification.yml

Pull Request - State: closed - Opened by prashanthpulisetti 9 months ago - 2 comments
Labels: Duplicate, Rules, Windows

#4675 - Feat: New Emerging Threat Rules For Peach Sandstorm APT

Pull Request - State: closed - Opened by X-Junior 9 months ago
Labels: Rules, Emerging-Threats

#4674 - Hacktool execution

Pull Request - State: closed - Opened by Neo23x0 9 months ago - 1 comment
Labels: Rules, 2nd Review Needed, Windows

#4673 - docs: broken link

Pull Request - State: closed - Opened by Neo23x0 9 months ago
Labels: Rules, Windows

#4672 - Update proc_creation_win_wmic_recon_system_info.yml

Pull Request - State: closed - Opened by tr0mb1r 9 months ago - 1 comment
Labels: Rules, 2nd Review Needed, Windows

#4671 - Archive New Rule References

Pull Request - State: closed - Opened by github-actions[bot] 9 months ago

#4670 - update proc_creation_win_findstr_lnk.yml

Pull Request - State: closed - Opened by meiliumeiliu 9 months ago - 1 comment
Labels: Rules, Author Input Required, Windows

#4668 - Update registry_set_persistence_mycomputer.yml

Pull Request - State: closed - Opened by joshnck 9 months ago - 2 comments
Labels: Rules, 2nd Review Needed, Windows

#4667 - Fixes #4666 - sigma-logsource-checker tries to parse non-yml files

Pull Request - State: closed - Opened by MrSeccubus 9 months ago - 1 comment
Labels: Maintenance

#4666 - `documentations/tools/sigma-logsource-checker.py` is broken

Issue - State: closed - Opened by MrSeccubus 9 months ago - 1 comment

#4665 - Add Rule CPL Load From Non Default Location

Pull Request - State: closed - Opened by Tuutaans 9 months ago
Labels: Rules, 2nd Review Needed, Windows

#4664 - Create win_security_wfp_edr_blocked.yml

Pull Request - State: closed - Opened by danielgottt 9 months ago
Labels: Rules, 2nd Review Needed, Windows

#4663 - Update: Disable Windows Defender Features Addition

Pull Request - State: closed - Opened by slincoln-aiq 9 months ago
Labels: Rules, Windows

#4662 - Add Rule Covering New Persistence Technique Using RegisterAppRestart AppCompat Layer

Pull Request - State: closed - Opened by nasbench 9 months ago
Labels: Rules, Windows

#4661 - Suspicious forfiles Child process

Pull Request - State: closed - Opened by Tuutaans 9 months ago - 2 comments
Labels: Rules, 2nd Review Needed, Windows

#4660 - Update registry_set_persistence_shim_database_uncommon_location.yml

Pull Request - State: closed - Opened by grumo35 9 months ago - 3 comments
Labels: Rules, Windows

#4659 - Reduce `Remote PowerShell Session (PS Classic)` Level

Pull Request - State: closed - Opened by nasbench 9 months ago
Labels: Rules, Windows

#4658 - Update README.md

Pull Request - State: closed - Opened by nasbench 9 months ago
Labels: Maintenance

#4657 - Add pySigma_validators_sigmaHQ validator to workflow

Pull Request - State: closed - Opened by frack113 9 months ago - 2 comments
Labels: Rules, Work In Progress, MacOS, Maintenance

#4656 - Upgrade promote_rules_status to pySigma

Pull Request - State: closed - Opened by frack113 9 months ago
Labels: Maintenance

#4655 - Create detection_rule_cve-2023_038831.yml

Pull Request - State: closed - Opened by aungmyatthuw01f 9 months ago - 4 comments
Labels: Rules, Work In Progress, Emerging-Threats

#4654 - fix: hardcoded removal of c: should be replace with ?:

Pull Request - State: closed - Opened by qasimqlf 9 months ago
Labels: Rules, 2nd Review Needed, Windows

#4652 - Archive New Rule References

Pull Request - State: closed - Opened by github-actions[bot] 9 months ago

#4651 - Promote Older Rules From `experimental` to `test`

Pull Request - State: closed - Opened by github-actions[bot] 9 months ago

#4650 - Process Creation Cmdline Matches Patterns Observed in Pikabot Infections (with variations)

Pull Request - State: closed - Opened by ahouspan 9 months ago - 5 comments
Labels: Rules, 2nd Review Needed, Emerging-Threats

#4649 - new: System Information Discovery Using System_Profiler

Pull Request - State: closed - Opened by slincoln-aiq 9 months ago
Labels: Rules, 2nd Review Needed, MacOS

#4648 - Create proc_creation_win_pua_edr_silencer.yml

Pull Request - State: closed - Opened by danielgottt 9 months ago - 1 comment
Labels: Rules, 2nd Review Needed, Windows

#4647 - Rule devel

Pull Request - State: closed - Opened by Neo23x0 9 months ago
Labels: Rules, 2nd Review Needed, Windows

#4646 - fix: updated the wrong image name

Pull Request - State: closed - Opened by qasimqlf 9 months ago
Labels: Rules, 2nd Review Needed, Windows

#4645 - Update: System Information Discovery Using Ioreg

Pull Request - State: closed - Opened by slincoln-aiq 9 months ago
Labels: Rules, 2nd Review Needed, MacOS

#4644 - fix: missing commandline condition

Pull Request - State: closed - Opened by qasimqlf 9 months ago
Labels: Rules, Windows

#4643 - Adding dotnet-trace lolbin

Pull Request - State: closed - Opened by bohops 9 months ago
Labels: Rules, 2nd Review Needed, Windows

#4642 - Rule updated and added

Pull Request - State: closed - Opened by Tuutaans 9 months ago
Labels: Rules, Windows

#4641 - Rule updated and added

Pull Request - State: closed - Opened by Tuutaans 9 months ago - 4 comments
Labels: Rules, Windows

#4640 - New: Configure System Integrity Protection (SIP) Enumeration

Pull Request - State: closed - Opened by jstnk9 9 months ago - 1 comment
Labels: Rules, MacOS

#4639 - Detection of Rhysida Ransomware

Issue - State: open - Opened by nischalkhadgi62 9 months ago - 1 comment
Labels: Work In Progress

#4638 - Create win_security_nofilter_privesc_tool_usage.yml

Pull Request - State: closed - Opened by st0pp3r 10 months ago - 1 comment
Labels: Rules, 2nd Review Needed, Windows

#4636 - Fix: Enable LM Hash Storage - ProcCreation

Pull Request - State: closed - Opened by slincoln-aiq 10 months ago
Labels: Rules, Windows

#4635 - fix: updated the wrong condition of all

Pull Request - State: closed - Opened by qasimqlf 10 months ago
Labels: Rules, Windows

#4634 - Add Detection of RDP Session Reconnaissance Activity

Pull Request - State: closed - Opened by ThureinOo 10 months ago - 4 comments
Labels: Duplicate, Rules, Windows

#4633 - New: Suspicious Desktop Background Change Using Reg.exe

Pull Request - State: closed - Opened by slincoln-aiq 10 months ago - 1 comment
Labels: Rules, Windows

#4632 - Filtering FP in pipe_created_hktl_efspotato.yml

Pull Request - State: closed - Opened by tr0mb1r 10 months ago
Labels: Rules, 2nd Review Needed, Windows

#4631 - feat: add rules related to CISA `aa23-347a` advisory

Pull Request - State: closed - Opened by nasbench 10 months ago
Labels: Rules, Windows, Emerging-Threats

#4630 - Use `expand` modifier to transform placeholders

Pull Request - State: closed - Opened by mostafa 10 months ago - 2 comments
Labels: Rules, Windows

#4629 - Archive New Rule References

Pull Request - State: closed - Opened by github-actions[bot] 10 months ago

#4628 - New: Detect Creation of Cloudflared Quick Tunnels

Pull Request - State: closed - Opened by ssnkhan 10 months ago - 5 comments
Labels: Rules, 2nd Review Needed, Windows

#4627 - fix: filter both program file folders

Pull Request - State: closed - Opened by phantinuss 10 months ago
Labels: Rules, Windows

#4626 - Detect tar usage for data archiving on windows

Pull Request - State: closed - Opened by AdmU3 10 months ago
Labels: Rules, Windows

#4625 - Sigma tactics organizer

Pull Request - State: open - Opened by dan21san 10 months ago - 2 comments
Labels: Work In Progress, Maintenance

#4623 - Consolidation of archiving sigma rules related to windows process under one single rule for MITRE T1560.001, DS0009

Pull Request - State: closed - Opened by AdmU3 10 months ago - 2 comments
Labels: Rules, Work In Progress, Author Input Required, Windows

#4622 - Adding Mitre Detection ID to Rule Tags

Issue - State: closed - Opened by AdmU3 10 months ago - 3 comments

#4621 - Add New GCP / Google Workspace Related Rules

Pull Request - State: closed - Opened by zestsg 10 months ago
Labels: Rules

#4620 - False positive: File Download From Browser Process Via Inline Link

Issue - State: closed - Opened by ptvoinfo 10 months ago - 6 comments
Labels: False-Positive

#4619 - Update net_connection_win_office_susp_ports.yml

Pull Request - State: closed - Opened by mcdave2k1 10 months ago
Labels: Rules, Windows

#4618 - add new webex binary

Pull Request - State: closed - Opened by ruppde 10 months ago
Labels: Rules, Windows

#4617 - Fixed the typo in process name

Pull Request - State: closed - Opened by GtUGtHGtNDtEUaE 10 months ago
Labels: Rules, Windows

#4616 - nkjkjhkj

Pull Request - State: closed - Opened by GtUGtHGtNDtEUaE 10 months ago
Labels: Rules, Windows

#4615 - Update WMIC Discovery Rule + New System Discovery Rules For MacOS

Pull Request - State: closed - Opened by jstnk9 10 months ago - 6 comments
Labels: Rules, Windows, MacOS

#4614 - feat: updates for multiple rules 4-12-2023

Pull Request - State: closed - Opened by X-Junior 10 months ago
Labels: Rules, 2nd Review Needed, Windows

#4613 - proc_creation_win_susp_bad_opsec_sacrificial_processes Chrome Installer False Positives

Issue - State: closed - Opened by AaronS97 10 months ago - 2 comments
Labels: False-Positive

#4612 - Update sigma-schema.json

Pull Request - State: closed - Opened by nasbench 10 months ago
Labels: 2nd Review Needed, Maintenance

#4611 - Promote Older Rules From `experimental` to `test`

Pull Request - State: closed - Opened by github-actions[bot] 10 months ago
Labels: 2nd Review Needed

#4610 - chore: use different branch to avoid override

Pull Request - State: closed - Opened by nasbench 10 months ago
Labels: Maintenance

#4609 - Add more pySigma tests to CI

Pull Request - State: closed - Opened by frack113 10 months ago
Labels: 2nd Review Needed, Maintenance