SigmaHQ/sigma

Issues

• Update of Rare Service Install Detection Rule to use correlation syntax

  #4854 opened a month ago by Mat0vu
  3

• Can I use regular expression in sigma?

  #4849 opened a month ago by Ron-zs
  1

• Windows LAPS Credential Dump via Entra ID

  #4846 opened a month ago by BIitzkrieg
  1

• ADS Zone.Identifier Deleted By Uncommon Application when installing PuTTy latest version

  #4820 opened a month ago by essadek
  1

• Detects Backdoor Kapeka Via Registry Key

  #4835 opened 2 months ago by cY83rR0H1t
  0

• DPAPI backup keys Theft and Export related activities

  #4821 opened 2 months ago by CTI-Driven
  1

• FPs with "File Enumeration Via Dir Command"

  #4812 opened 2 months ago by YamatoSecurity
  0

• Suspicious Process DNS Query Known Abuse Web Services

  #4748 opened 3 months ago by cY83rR0H1t
  0

• CVE-2023-1389 Unauthenticated Command Injection Vulnerability

  #4742 opened 3 months ago by cY83rR0H1t
  0

• Hacktool Evil-Winrm Tool Detection via Powershell event ID

  #4741 opened 3 months ago by cY83rR0H1t
  0

• Lazagne Crendential Dumping Tool Detection Rule

  #4740 opened 3 months ago by cY83rR0H1t
  1

• Adding new hosting sites to downloading rules

  #4708 opened 4 months ago by omaramin17
  3

• net_connection_win_rundll32_net_connections.yml leads to false positive via multiple vendors

  #4699 opened 4 months ago by bill-e-ghote
  4

• Excessive requests from Go-http-client/1.1

  #4683 opened 5 months ago by cherdt
  3

• Logsources, lack of machine readable definition of log sources (and additional requirements)

  #4669 opened 5 months ago by MrSeccubus
  4

• `documentations/tools/sigma-logsource-checker.py` is broken

  #4666 opened 5 months ago by MrSeccubus
  1

• Detection of Rhysida Ransomware

  #4639 opened 5 months ago by nischalkhadgi62
  1

• c8b00925-926c-47e3-beea-298fd563728e Possible incorrect field/value pairing

  #4572 opened 6 months ago by Blackmore-Robert
  2

• 1de68c67-af5c-4097-9c85-fe5578e09e67 issue

  #4584 opened 6 months ago by swachchhanda000
  1

• ADFS Database Named Pipe Connection

  #4587 opened 6 months ago by celalettin-turgut
  0

• proc_creation_win_susp_bad_opsec_sacrificial_processes Chrome Installer False Positives

  #4613 opened 6 months ago by AaronS97
  2

• Adding Mitre Detection ID to Rule Tags

  #4622 opened 6 months ago by AdmU3
  3

• False positive: File Download From Browser Process Via Inline Link

  #4620 opened 6 months ago by ptvoinfo
  6

• Based on suspicious regedit changes sigma rules

  #4542 opened 7 months ago by HydraDragonAntivirus
  3

• Renamed Office Binary Execution: Add excelcnv.exe to filter

  #4566 opened 7 months ago by rkmbaxed
  2

• Uncommon Userinit Child Process: Add cmstart.exe to filter_optional_citrix

  #4569 opened 7 months ago by rkmbaxed
  2

• Bad Opsec Defaults Sacrificial Processes With Improper Arguments

  #4570 opened 7 months ago by celalettin-turgut
  2

• FP With Rule c649a6c7-cd8c-4a78-9c04-000fc76df954

  #4520 opened 7 months ago by mezzofix
  6

• Typo in readme

  #4554 opened 7 months ago by vj-codes
  2

• Bad Opsec Defaults Sacrificial Processes

  #4571 opened 7 months ago by celalettin-turgut
  1

• Packages Releases - "latest"

  #4499 opened 7 months ago by defensivedepth
  6

• Re-Work Rules / TODO

  #4430 opened 9 months ago by nasbench
  0

• FN on Potentially Suspicious Findstr.EXE Execution

  #4495 opened 7 months ago by Tuutaans
  2

• Suggestion of the rule proc_creation_win_curl_download_direct_ip

  #4465 opened 8 months ago by swachchhanda000
  4

• 75bf09fa-1dd7-4d18-9af9-dd9e492562eb False positive with outlook.exe

  #4432 opened 8 months ago by nekopep
  2

• Reduce broken links in references

  #4473 opened 8 months ago by martinspielmann
  4

• Officialize New Conditionals for More Complex Sigmas Rules - For Documentation Purposes Only

  #4474 opened 8 months ago by ish-icarocesar
  8

• Very weak hash based rules are trivial to bypass

  #4348 opened 8 months ago by scudette
  6

• Questions regarding base64 encoding styles and modifiers

  #4459 opened 8 months ago by L015H4CK
  0

• 7fd164ba-126a-4d9c-9392-0d4f7c243df0 should not alert on onenote application itself

  #4451 opened 9 months ago by nekopep
  1

• False positive for e3845023-ca9a-4024-b2b2-5422156d5527 and C:\WINDOWS\System32\poqexec.exe

  #4448 opened 9 months ago by nekopep
  1

• a21bcd7e-38ec-49ad-b69a-9ea17e69509e has a lot false positive related to office and webbrowsers

  #4449 opened 9 months ago by nekopep
  1

• question about wildcard and contains condition

  #4441 opened 9 months ago by gen3111620
  1

• improve 4d07b1f4-cb00-4470-b9f8-b0191d48ff52 to detect DWservice

  #4438 opened 9 months ago by nekopep
  2

• 9be34ad0-b6a7-4fbd-91cf-fc7ec1047f5f fasle positive with cmd.exe /C sc stop

  #4437 opened 9 months ago by nekopep
  4

• Rule under the wrong folder

  #4404 opened 9 months ago by ag-michael
  2

• correlate event 4625 and 4624

  #4370 opened 10 months ago by Hafzan-250601
  1

• Problem of writing a sigma rule

  #4368 opened 10 months ago by Nyk0la5
  1

• Rule for "gzip -f", atomic red references "gzip -k"

  #4363 opened 10 months ago by Mladia
  2

• Read event of MsMpEng.exe should be whitelisted

  #4349 opened a year ago by nekopep
  4