Kostas
2851ef5d16
fix: Potential Privilege Escalation via Local Kerberos Relay over LDAP - Add new exclusion fix: Sdiagnhost Calling Suspicious Child Process - Add new filters new: Antivirus Filter Driver Disallowed On Dev Drive - Registry new: ChromeLoader Malware Execution new: Emotet Loader Execution Via .LNK File new: Exploitation Attempt Of CVE-2020-1472 - Execution of ZeroLogon PoC new: FakeUpdates/SocGholish Activity new: File Explorer Folder Opened Using Explorer Folder Shortcut Via Shell new: HackTool - SharpWSUS/WSUSpendu Execution new: HackTool - SOAPHound Execution new: Hiding User Account Via SpecialAccounts Registry Key - CommandLine new: Injected Browser Process Spawning Rundll32 - GuLoader Activity new: Kerberoasting Activity - Initial Query new: Manual Execution of Script Inside of a Compressed File new: Obfuscated PowerShell OneLiner Execution new: OneNote.EXE Execution of Malicious Embedded Scripts new: Potential CVE-2021-44228 Exploitation Attempt - VMware Horizon new: Potential CVE-2022-22954 Exploitation Attempt - VMware Workspace ONE Access Remote Code Execution new: Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 1 new: Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 2 new: Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 3 new: Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 4 new: Potential MOVEit Transfer CVE-2023-34362 Exploitation - Dynamic Compilation Via Csc.EXE new: Python Function Execution Security Warning Disabled In Excel new: Python Function Execution Security Warning Disabled In Excel - Registry new: Raspberry Robin Initial Execution From External Drive new: Raspberry Robin Subsequent Execution of Commands new: Remote Access Tool - Action1 Arbitrary Code Execution and Remote Sessions new: Remote Access Tool - Ammy Admin Agent Execution new: Remote Access Tool - Cmd.EXE Execution via AnyViewer new: Serpent Backdoor Payload Execution Via Scheduled Task new: Uncommon Connection to Active Directory Web Services new: Ursnif Redirection Of Discovery Commands update: Potential CVE-2022-29072 Exploitation Attempt - Add additional shells and flags --------- Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
Sigma - Generic Signature Format for SIEM Systems
Welcome to the Sigma main rule repository. The place where detection engineers, threat hunters and all defensive security practitioners collaborate on detection rules. The repository offers more than 3000 detection rules of different type and aims to make reliable detections accessible to all at no cost.
Currently the repository offers three types of rules:
- Generic Detection Rules - Are threat agnostic, their aim is to detect a behavior or an implementation of a technique or procedure that was, can or will be used by a potential threat actor.
- Threat Hunting Rules - Are broader in scope and are meant to give the analyst a starting point to hunt for potential suspicious or malicious activity
- Emerging Threat Rules - Are rules that cover specific threats, that are timely and relevant for certain periods of time. These threats include specific APT campaigns, exploitation of Zero-Day vulnerabilities, specific malware used during an attack,...etc.
Explore Sigma
To start exploring the Sigma ecosystem, please visit the official website sigmahq.io
What is Sigma
Sigma is a generic and open signature format that allows you to describe relevant log events in a straightforward manner. The rule format is very flexible, easy to write and applicable to any type of log file.
The main purpose of this project is to provide a structured form in which researchers or analysts can describe their once developed detection methods and make them shareable with others.
Sigma is for log files what Snort is for network traffic and YARA is for files.
Why Sigma
Today, everyone collects log data for analysis. People start working on their own, processing numerous white papers, blog posts and log analysis guidelines, extracting the necessary information and build their own searches and dashboard. Some of their searches and correlations are great and very useful but they lack a standardized format in which they can share their work with others.
Others provide excellent analyses, include IOCs and YARA rules to detect the malicious files and network connections, but have no way to describe a specific or generic detection method in log events. Sigma is meant to be an open standard in which such detection mechanisms can be defined, shared and collected in order to improve the detection capabilities for everyone.
🌟 Key Features
- A continuously growing list of detection and hunting rules, peer reviewed by a community of professional Detection Engineers.
- Vendor agnostic detection rules.
- Easily shareable across communities and reports
🏗️ Rule Creation
To start writing Sigma rules please check the following guides:
🔎 Contributing & Making PRs
Please refer to the CONTRIBUTING guide for detailed instructions on how you can start contributing new rules.
📦 Rule Packages
You can download the latest rule packages from the release page and start leveraging Sigma rules today.
🧬 Rule Usage and Conversion
-
You can start converting Sigma rules today using Sigma CLI or sigconverter.io the GUI interface
-
To integrate Sigma rules in your own toolchain or products use pySigma.
🚨 Reporting False Positives or New Rule Ideas
If you find a false positive or would like to propose a new detection rule idea but do not have the time to create one, please create a new issue on the GitHub repository by selecting one of the available templates.
📚 Resources & Further Reading
- Hack.lu 2017 Sigma - Generic Signatures for Log Events by Thomas Patzke
- MITRE ATT&CK® and Sigma Alerting SANS Webcast Recording
- Sigma - Generic Signatures for SIEM Systems by Florian Roth
Projects or Products that use or integrate Sigma rules
- alterix - Converts Sigma rules to the query language of CRYPTTECH's SIEM
- AttackIQ - Sigma Rules integrated in AttackIQ's platform, and SigmAIQ for Sigma rule conversion and LLM apps
- Atomic Threat Coverage (Since December 2018)
- Confluent Sigma - Kafka Streams supported Sigma rules
- IBM QRadar
- Impede Detection Platform
- Joe Sandbox
- LimaCharlie
- MISP (Since Version 2.4.70, March 2017)
- Nextron's Aurora Agent
- Nextron's THOR Scanner - Scan with Sigma rules on endpoints
- RANK VASA
- Sekoia.io XDR - XDR supporting Sigma and Sigma Correlation rules languages
- sigma2stix - Converts the entire SigmaHQ Ruleset into STIX 2.1 Objects.
- A versioned archive of sigma2stix STIX 2.1 data is also available to download here.
- SIΣGMA - SIEM consumable generator that utilizes Sigma for query conversion
- SOC Prime
- TA-Sigma-Searches (Splunk App)
- TimeSketch
- ypsilon - Automated Use Case Testing
📜 Maintainers
- Nasreddine Bencherchali (@nas_bench)
- Florian Roth (@cyb3rops)
- Christian Burkard (@phantinuss)
- François Hubaut (@frack113)
- Thomas Patzke (@blubbfiction)
Credits
This project would've never reached this height without the help of the hundreds of contributors. Thanks to all past and present contributors for their help.
Licenses
The content of this repository is released under the Detection Rule License (DRL) 1.1.