Ecosyste.ms: Issues

An open API service for providing issue and pull request metadata for open source projects.

GitHub / SigmaHQ/sigma issues and pull requests

#4399 - Create file_event_win_create_hidden_directory_via_index_allocation.yml

Pull Request - State: closed - Opened by Scoubi about 1 year ago - 2 comments
Labels: Rules, Windows

#4398 - new: Access File With Common Registry Extension

Pull Request - State: closed - Opened by frack113 about 1 year ago - 2 comments
Labels: Rules, Windows

#4397 - Update proc_creation_win_taskkill_execution.yml

Pull Request - State: closed - Opened by veramine about 1 year ago - 1 comment
Labels: Rules, 2nd Review Needed, Windows

#4396 - add rule proc_creation_lnx_esxcli_system_enumeration

Pull Request - State: closed - Opened by kidrek about 1 year ago - 3 comments
Labels: Rules, Linux

#4395 - chore: Order rules

Pull Request - State: closed - Opened by frack113 about 1 year ago - 1 comment
Labels: Rules, Not-Possible, Maintenance

#4394 - new rule proc_creation_lnx_esxcli_system_enumeration

Pull Request - State: closed - Opened by kidrek about 1 year ago

#4393 - fix: use explicit CIDR notation for loopback

Pull Request - State: closed - Opened by phantinuss about 1 year ago

#4392 - Add MITRE ATT&CK tags to various rules that were missing them

Pull Request - State: closed - Opened by tjgeorgen about 1 year ago
Labels: Rules, Windows, Linux

#4391 - chore: remove listing from changelog in PR template

Pull Request - State: closed - Opened by phantinuss about 1 year ago

#4390 - feat: add/update rules related to CVE-2023-36874

Pull Request - State: closed - Opened by nasbench about 1 year ago
Labels: Rules, Windows, Emerging-Threats

#4389 - Added ART Test to proc_creation_win_csc_susp_dynamic_compilation.yml

Pull Request - State: closed - Opened by securepeacock about 1 year ago
Labels: Rules, Windows, Documentation

#4388 - Added ART Test to proc_creation_win_cmdkey_recon.yml

Pull Request - State: closed - Opened by securepeacock about 1 year ago
Labels: Rules, Windows, Documentation

#4387 - Br4dy5 patch 0

Pull Request - State: closed - Opened by br4dy5 about 1 year ago
Labels: Rules, Windows

#4386 - Update PULL_REQUEST_TEMPLATE.md - add changelog instead of detailed desc

Pull Request - State: closed - Opened by phantinuss about 1 year ago
Labels: Maintenance

#4385 - workflow: fix: run sigma check on all rule directories

Pull Request - State: closed - Opened by phantinuss about 1 year ago

#4384 - Create azure_identity_protectection_anomalous_ip_address.yml

Pull Request - State: closed - Opened by gleeiamglo about 1 year ago - 1 comment
Labels: Rules, Cloud

#4383 - Fix typos: tag -> tags

Pull Request - State: closed - Opened by tjgeorgen about 1 year ago

#4382 - feat: new rules and updates

Pull Request - State: closed - Opened by nasbench about 1 year ago
Labels: Rules, Windows

#4381 - Refactor registry_set rules

Pull Request - State: closed - Opened by frack113 about 1 year ago
Labels: Rules, 2nd Review Needed, Windows

#4380 - Lnx container discovery

Pull Request - State: closed - Opened by SethHanford about 1 year ago
Labels: Rules, 2nd Review Needed, Linux

#4379 - Added two new lolbas rules and slight modifications on existing rules

Pull Request - State: closed - Opened by swachchhanda000 about 1 year ago - 2 comments
Labels: Rules

#4378 - Create azure_identity_protectection_anomalous_token.yml

Pull Request - State: closed - Opened by MarkMorow about 1 year ago - 6 comments
Labels: Rules, Cloud

#4377 - feat: new rules & updates

Pull Request - State: closed - Opened by nasbench about 1 year ago
Labels: Rules

#4376 - Add portable gpg.exe detection

Pull Request - State: closed - Opened by frack113 about 1 year ago
Labels: Rules

#4375 - Create web_apache_webshell.yml

Pull Request - State: closed - Opened by chancej715 about 1 year ago - 1 comment
Labels: Duplicate, Rules

#4374 - Added search(-ms)/WebDAV rules

Pull Request - State: closed - Opened by mbabinski about 1 year ago
Labels: Rules, Windows

#4373 - Fixing 1 service typo in proc_creation_win_susp_service_tamper.yml

Pull Request - State: closed - Opened by RenaudFrere about 1 year ago
Labels: Rules

#4372 - fix: FP with perfmon.exe

Pull Request - State: closed - Opened by phantinuss about 1 year ago

#4371 - Create proc_creation_lnx_ssm_agent_abuse.yml

Pull Request - State: closed - Opened by faisalusuf about 1 year ago
Labels: Rules, Linux

#4370 - correlate event 4625 and 4624

Issue - State: closed - Opened by Hafzan-250601 about 1 year ago - 1 comment
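The issue title above names only the two event IDs. The pattern it points at, a burst of failed logons (4625) followed by a successful logon (4624) from the same source for the same account, is the classic brute-force-then-success correlation. The following is an added example of that correlation in Python; it is not code from the issue, from the issue's replies, or from the SigmaHQ rule set. Everything in it is assumed for illustration: the flat dict event shape and field names (EventID, TimeCreated, TargetUserName, IpAddress), the failure threshold of 3, the 10-minute look-back window, and the sample events, which are constructed, not real logs.

```python
"""Correlate Windows Security 4625 (failed logon) with a later 4624
(successful logon) from the same source address for the same account.

Added example, not from the SigmaHQ issue or repository. The event
shape, field names, threshold and window below are all assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILURE_THRESHOLD = 3            # failures needed before a success is flagged (assumed)
WINDOW = timedelta(minutes=10)   # look-back window for counting failures (assumed)


def _ts(event):
    """Parse the ISO 8601 TimeCreated field of a constructed event."""
    return datetime.fromisoformat(event["TimeCreated"])


def correlate_failed_then_success(events, threshold=FAILURE_THRESHOLD, window=WINDOW):
    """Return one alert per 4624 that was preceded, within `window`, by at
    least `threshold` 4625 events keyed on (IpAddress, TargetUserName).

    Events are sorted by timestamp first, so out-of-order input is fine.
    Failures are kept per key in a deque and pruned once they age out of
    the window, which is what a streaming correlator would do as well.
    """
    failures = defaultdict(deque)   # key -> timestamps of recent 4625s
    alerts = []
    for ev in sorted(events, key=_ts):
        key = (ev.get("IpAddress"), ev.get("TargetUserName", "").lower())
        now = _ts(ev)
        recent = failures[key]
        # drop failures that are older than the look-back window
        while recent and now - recent[0] > window:
            recent.popleft()
        if ev["EventID"] == 4625:
            recent.append(now)
        elif ev["EventID"] == 4624:
            if len(recent) >= threshold:
                alerts.append({
                    "TargetUserName": key[1],
                    "IpAddress": key[0],
                    "failed_attempts": len(recent),
                    "first_failure": recent[0].isoformat(),
                    "success_at": now.isoformat(),
                })
            # a success ends the sequence for this key whether or not it alerted
            recent.clear()
    return alerts


# Constructed sample events (not real logs). Deliberately out of order to
# exercise the sort; three scenarios: alert, single typo, stale failures.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TimeCreated": "2023-08-01T10:00:12", "TargetUserName": "alice", "IpAddress": "10.0.0.5"},
    {"EventID": 4625, "TimeCreated": "2023-08-01T10:00:00", "TargetUserName": "alice", "IpAddress": "10.0.0.5"},
    {"EventID": 4625, "TimeCreated": "2023-08-01T10:00:05", "TargetUserName": "alice", "IpAddress": "10.0.0.5"},
    {"EventID": 4625, "TimeCreated": "2023-08-01T10:00:09", "TargetUserName": "alice", "IpAddress": "10.0.0.5"},
    # one mistyped password then success: below threshold, no alert
    {"EventID": 4625, "TimeCreated": "2023-08-01T10:01:00", "TargetUserName": "bob", "IpAddress": "10.0.0.7"},
    {"EventID": 4624, "TimeCreated": "2023-08-01T10:01:10", "TargetUserName": "bob", "IpAddress": "10.0.0.7"},
    # three failures, but 35 minutes before the success: outside the window, no alert
    {"EventID": 4625, "TimeCreated": "2023-08-01T09:30:00", "TargetUserName": "carol", "IpAddress": "10.0.0.9"},
    {"EventID": 4625, "TimeCreated": "2023-08-01T09:31:00", "TargetUserName": "carol", "IpAddress": "10.0.0.9"},
    {"EventID": 4625, "TimeCreated": "2023-08-01T09:32:00", "TargetUserName": "carol", "IpAddress": "10.0.0.9"},
    {"EventID": 4624, "TimeCreated": "2023-08-01T10:05:00", "TargetUserName": "carol", "IpAddress": "10.0.0.9"},
]

if __name__ == "__main__":
    for alert in correlate_failed_then_success(SAMPLE_EVENTS):
        print(alert)
```

Two caveats a practitioner would add before using anything like this: filter 4624 by LogonType (service, network and unlock logons generate a lot of successes that are not interactive authentications), and key on the source workstation or IP rather than the account alone, or a single shared account will correlate unrelated clients. A plain Sigma detection rule matches one event at a time, which is why this kind of sequence is expressed as a correlation rule (compare the Correlation-Rules-To-Migrate label on #4308 below) rather than as a single selection.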

#4369 - SSM Agent Abuse Rule

Pull Request - State: closed - Opened by faisalusuf about 1 year ago
Labels: Rules, Windows

#4368 - Problem of writing a sigma rule

Issue - State: closed - Opened by Nyk0la5 about 1 year ago - 1 comment

#4367 - JSON schema for Sigma specification

Pull Request - State: closed - Opened by mostafa about 1 year ago - 13 comments
Labels: Maintenance

#4366 - feat: new rules and updates

Pull Request - State: closed - Opened by nasbench about 1 year ago
Labels: Rules

#4365 - Update lnx_auditd_masquerading_crond.yml

Pull Request - State: closed - Opened by Mladia about 1 year ago
Labels: Rules, Linux

#4364 - feat: new rules and updates

Pull Request - State: closed - Opened by nasbench about 1 year ago
Labels: Rules

#4363 - Rule for "gzip -f", atomic red references "gzip -k"

Issue - State: closed - Opened by Mladia about 1 year ago - 2 comments

#4362 - add doc

Pull Request - State: closed - Opened by Ammiir79 about 1 year ago - 2 comments

#4361 - chore(deps): bump certifi from 2023.5.7 to 2023.7.22

Pull Request - State: closed - Opened by dependabot[bot] about 1 year ago
Labels: Dependencies

#4360 - fix: FPs in rules

Pull Request - State: closed - Opened by phantinuss about 1 year ago

#4359 - document

Pull Request - State: closed - Opened by Ammiir79 about 1 year ago - 1 comment

#4358 - Add file_event_win_susp_windows_terminal_profile

Pull Request - State: closed - Opened by frack113 about 1 year ago
Labels: Rules, Windows

#4357 - Hunting smb quic rules

Pull Request - State: closed - Opened by frack113 about 1 year ago
Labels: Rules, Windows

#4356 - chore(deps-dev): bump aiohttp from 3.8.4 to 3.8.5

Pull Request - State: closed - Opened by dependabot[bot] about 1 year ago
Labels: Dependencies

#4355 - feat: new rules and updates

Pull Request - State: closed - Opened by nasbench about 1 year ago
Labels: Rules, Windows

#4354 - Add Sysmon 28-29 rules

Pull Request - State: closed - Opened by frack113 about 1 year ago
Labels: Rules, Windows

#4353 - chore: update submodule tests/cti

Pull Request - State: closed - Opened by phantinuss about 1 year ago

#4352 - Add posh_ps_set_acl

Pull Request - State: closed - Opened by frack113 about 1 year ago - 2 comments
Labels: Rules, Windows

#4351 - Windows Defender Signature Removal: level from 'medium' to 'high'

Pull Request - State: closed - Opened by Neo23x0 about 1 year ago

#4350 - Fixed typo in comment

Pull Request - State: closed - Opened by joshnck about 1 year ago

#4349 - Read event of MsMpEng.exe should be whitelisted

Issue - State: closed - Opened by nekopep about 1 year ago - 4 comments
Labels: False-Positive

#4348 - Very weak hash based rules are trivial to bypass

Issue - State: closed - Opened by scudette about 1 year ago - 6 comments

#4347 - Update README.md

Pull Request - State: closed - Opened by frack113 about 1 year ago
Labels: Maintenance

#4346 - feat: new rules related to CVE-2023-36884

Pull Request - State: closed - Opened by X-Junior about 1 year ago
Labels: Rules, Windows, Emerging-Threats

#4345 - Update posh_ps_get_adcomputer

Pull Request - State: closed - Opened by frack113 about 1 year ago
Labels: Rules, Windows

#4344 - Redcannary t1070 008

Pull Request - State: closed - Opened by frack113 about 1 year ago - 1 comment
Labels: Rules, Windows

#4343 - Add proc_creation_win_findstr_susp_parent

Pull Request - State: closed - Opened by frack113 about 1 year ago
Labels: Rules, Windows

#4342 - fix: FP found in-the-wild

Pull Request - State: closed - Opened by frack113 about 1 year ago - 1 comment
Labels: Rules, Windows, False-Positive Fix

#4340 - fix: FPs found in testing env

Pull Request - State: closed - Opened by phantinuss about 1 year ago
Labels: Rules, Windows

#4339 - Add posh_ps_reg_query_registry

Pull Request - State: closed - Opened by frack113 over 1 year ago
Labels: Rules, Windows

#4338 - fix: `Renamed Plink Execution` rule selection logical condition

Pull Request - State: closed - Opened by fukusuket over 1 year ago - 1 comment

#4337 - fix: FP found in-the-wild

Pull Request - State: closed - Opened by phantinuss over 1 year ago - 2 comments
Labels: Rules, Windows, False-Positive Fix

#4336 - Create posh_pm_susp_netfirewallrule_reco.yml

Pull Request - State: closed - Opened by securepeacock over 1 year ago - 1 comment
Labels: Rules, Windows

#4335 - fix: FP found with excel

Pull Request - State: closed - Opened by phantinuss over 1 year ago

#4334 - Update net_dns_wannacry_killswitch_domain.yml

Pull Request - State: closed - Opened by securepeacock over 1 year ago

#4333 - Update proc_creation_win_nltest_recon.yml

Pull Request - State: closed - Opened by securepeacock over 1 year ago

#4332 - Fix 404 links

Pull Request - State: closed - Opened by ryanplasma over 1 year ago
Labels: Maintenance

#4331 - Fix Zero Networks Blog 404s

Pull Request - State: closed - Opened by ryanplasma over 1 year ago
Labels: Rules, Maintenance

#4330 - Update proc_creation_win_pua_adfind_susp_usage.yml

Pull Request - State: closed - Opened by securepeacock over 1 year ago

#4329 - Update proc_creation_win_curl_susp_download.yml

Pull Request - State: closed - Opened by securepeacock over 1 year ago

#4328 - feat: new rules & updates

Pull Request - State: closed - Opened by nasbench over 1 year ago - 1 comment
Labels: Rules, Windows

#4327 - Update win_security_iso_mount.yml

Pull Request - State: closed - Opened by securepeacock over 1 year ago

#4326 - Update file_event_win_iso_file_mount.yml

Pull Request - State: closed - Opened by securepeacock over 1 year ago - 1 comment

#4325 - Add alterix to Projects or Products that use Sigma

Pull Request - State: closed - Opened by mtnmunuklu over 1 year ago - 1 comment
Labels: Maintenance

#4324 - Update main readme

Pull Request - State: closed - Opened by mtnmunuklu over 1 year ago

#4323 - Update proc_creation_win_lolbin_rundll32_installscreensaver.yml

Pull Request - State: closed - Opened by securepeacock over 1 year ago

#4322 - Update win_system_service_install_remote_access_software.yml

Pull Request - State: closed - Opened by umairqamar over 1 year ago
Labels: Rules, Windows

#4321 - FP fix + typo fix

Pull Request - State: closed - Opened by phantinuss over 1 year ago
Labels: Rules, Windows, Maintenance, False-Positive Fix

#4320 - Update proc_creation_win_renamed_binary.yml

Pull Request - State: closed - Opened by securepeacock over 1 year ago

#4319 - Update tags

Pull Request - State: closed - Opened by frack113 over 1 year ago - 1 comment
Labels: Maintenance

#4318 - feat: add rules related to Barracuda ESG exploitation

Pull Request - State: closed - Opened by nasbench over 1 year ago - 2 comments
Labels: Rules, Windows, Emerging-Threats

#4317 - Detect FortiOS & FortiProxy - Heap buffer overflow in sslvpn pre-authentication

Issue - State: closed - Opened by serpaldom over 1 year ago - 2 comments
Labels: Rules, Web

#4315 - Update proc_creation_win_wmic_process_creation.yml

Pull Request - State: closed - Opened by securepeacock over 1 year ago

#4314 - New Rule added

Pull Request - State: closed - Opened by faisalusuf over 1 year ago - 1 comment
Labels: Duplicate, Rules, Cloud

#4313 - Remote Access Software + RustDesk domains; typo fix

Pull Request - State: closed - Opened by Neo23x0 over 1 year ago
Labels: Rules, Windows

#4312 - Create image_load_side_load_waveedit.yml

Pull Request - State: closed - Opened by X-Junior over 1 year ago
Labels: Rules, Windows

#4311 - proc_creation_win_lolbin_gpscript Fix svchost FP

Pull Request - State: closed - Opened by frack113 over 1 year ago
Labels: Rules, Windows, False-Positive Fix

#4310 - fix: fp found in testing

Pull Request - State: closed - Opened by nasbench over 1 year ago
Labels: Rules, Windows, False-Positive Fix

#4309 - Add new rules related to abuse of electron applications

Pull Request - State: closed - Opened by frack113 over 1 year ago
Labels: Rules, Windows

#4308 - Okta MFA Fatigue

Pull Request - State: closed - Opened by kaelo7 over 1 year ago - 1 comment
Labels: Rules, Cloud, Correlation-Rules-To-Migrate

#4307 - chore: fix date field and add fp filter

Pull Request - State: closed - Opened by nasbench over 1 year ago
Labels: Rules, Windows, False-Positive Fix

#4306 - Error in proc_creation_win_sdbinst_shim_persistence?

Issue - State: closed - Opened by L015H4CK over 1 year ago - 1 comment

#4305 - Create proc_creation_win_sndvol_susp_child_processes.yml

Pull Request - State: closed - Opened by X-Junior over 1 year ago
Labels: Rules, Windows

#4304 - multiple dll sideloading rules

Pull Request - State: closed - Opened by X-Junior over 1 year ago
Labels: Rules, Windows

#4303 - rule: LibSSH exploitation CVE-2023-2283

Pull Request - State: closed - Opened by Neo23x0 over 1 year ago
Labels: Rules, Linux, Emerging-Threats

#4302 - Update proc_creation_win_browsers_msedge_arbitrary_download cli

Pull Request - State: closed - Opened by frack113 over 1 year ago - 1 comment
Labels: Duplicate

#4301 - ClickOnce rule added

Pull Request - State: closed - Opened by tr0mb1r over 1 year ago
Labels: Rules, Windows

#4300 - Create proc_creation_macos_usage_of_jamf.yml

Pull Request - State: closed - Opened by gr00T0x over 1 year ago - 4 comments
Labels: Rules, MacOS

#4299 - Potential PSFactoryBuffer COM Hijacking

Pull Request - State: closed - Opened by jstnk9 over 1 year ago
Labels: Rules, Windows