security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
ba16e27edb87b8613dd7ddccabe3a7dc77a2bbdf
sigma-rules/hunting/windows/docs
T
History
Terrance DeJesus ba58a1e7cc [New Hunt] Add AWS Hunting Queries to Shared Hunting Library (#3988) 
* new hunt queries for aws

* sendcommand and getuserpassword queries

* s3 bucket access and secrets manager requests added

* ssm start session and service logging deleted added

* adding federated authentication queries

* added ec2 modify instance attribute query

* adding backdoor role creation query

* 2 new queries for discovery; added lookback windows

* added new hunting query for IAM activity with no MFA session

* added missing time windows

* adding new query for lambda add permissions

* adjusted query format

* added new query for ec2 instance deployment anomalies

* updated queries based on feedback; regenerated docs

* fixed queries

* removed new rule
2024-09-04 10:08:44 -04:00
..
createremotethread_by_source_process_with_low_occurrence.md
[Bug] Normalize Hunting Index Link Generation (#3872)
2024-07-10 11:01:59 -04:00
detect_dll_hijack_via_masquerading_as_microsoft_native_libraries.md
[Bug] Normalize Hunting Index Link Generation (#3872)
2024-07-10 11:01:59 -04:00
detect_masquerading_attempts_as_native_windows_binaries.md
[Bug] Normalize Hunting Index Link Generation (#3872)
2024-07-10 11:01:59 -04:00
detect_rare_dll_sideload_by_occurrence.md
[Bug] Normalize Hunting Index Link Generation (#3872)
2024-07-10 11:01:59 -04:00
detect_rare_lsass_process_access_attempts.md
[Bug] Normalize Hunting Index Link Generation (#3872)
2024-07-10 11:01:59 -04:00
domain_names_queried_via_lolbins_and_with_low_occurence_frequency.md
[Bug] Normalize Hunting Index Link Generation (#3872)
2024-07-10 11:01:59 -04:00
drivers_load_with_low_occurrence_frequency.md
[Bug] Normalize Hunting Index Link Generation (#3872)
2024-07-10 11:01:59 -04:00
excessive_rdp_network_activity_by_source_host_and_user.md
[Bug] Normalize Hunting Index Link Generation (#3872)
2024-07-10 11:01:59 -04:00
excessive_smb_network_activity_by_process_id.md
[Bug] Normalize Hunting Index Link Generation (#3872)
2024-07-10 11:01:59 -04:00
executable_file_creation_by_an_unusual_microsoft_binary.md
[Bug] Normalize Hunting Index Link Generation (#3872)
2024-07-10 11:01:59 -04:00
execution_via_network_logon_by_occurrence_frequency_by_top_source_ip.md
[Bug] Normalize Hunting Index Link Generation (#3872)
2024-07-10 11:01:59 -04:00
execution_via_remote_services_by_client_address.md
[Bug] Normalize Hunting Index Link Generation (#3872)
2024-07-10 11:01:59 -04:00
execution_via_startup_with_low_occurrence_frequency.md
[Bug] Normalize Hunting Index Link Generation (#3872)
2024-07-10 11:01:59 -04:00
execution_via_windows_management_instrumentation_by_occurrence_frequency_by_unique_agent.md
[Bug] Normalize Hunting Index Link Generation (#3872)
2024-07-10 11:01:59 -04:00
execution_via_windows_scheduled_task_with_low_occurrence_frequency.md
[Bug] Normalize Hunting Index Link Generation (#3872)
2024-07-10 11:01:59 -04:00
execution_via_windows_services_with_low_occurrence_frequency.md
[Bug] Normalize Hunting Index Link Generation (#3872)
2024-07-10 11:01:59 -04:00
high_count_of_network_connection_over_extended_period_by_process.md
[Bug] Normalize Hunting Index Link Generation (#3872)
2024-07-10 11:01:59 -04:00
libraries_loaded_by_svchost_with_low_occurrence_frequency.md
[Bug] Normalize Hunting Index Link Generation (#3872)
2024-07-10 11:01:59 -04:00
microsoft_office_child_processes_with_low_occurrence_frequency.md
[Bug] Normalize Hunting Index Link Generation (#3872)
2024-07-10 11:01:59 -04:00
network_discovery_via_sensitive_ports_by_unusual_process.md
[Bug] Normalize Hunting Index Link Generation (#3872)
2024-07-10 11:01:59 -04:00
pe_file_transfer_via_smb_admin_shares_by_agent.md
[Bug] Normalize Hunting Index Link Generation (#3872)
2024-07-10 11:01:59 -04:00
persistence_via_run_key_with_low_occurrence_frequency.md
[Bug] Normalize Hunting Index Link Generation (#3872)
2024-07-10 11:01:59 -04:00
persistence_via_startup_with_low_occurrence_frequency.md
[Bug] Normalize Hunting Index Link Generation (#3872)
2024-07-10 11:01:59 -04:00
potential_exfiltration_by_process_total_egress_bytes.md
[Bug] Normalize Hunting Index Link Generation (#3872)
2024-07-10 11:01:59 -04:00
rundll32_execution_aggregated_by_cmdline.md
[Bug] Normalize Hunting Index Link Generation (#3872)
2024-07-10 11:01:59 -04:00
scheduled_task_creation_by_action_via_registry.md
[Bug] Normalize Hunting Index Link Generation (#3872)
2024-07-10 11:01:59 -04:00
scheduled_tasks_creation_for_unique_hosts_by_task_command.md
[Bug] Normalize Hunting Index Link Generation (#3872)
2024-07-10 11:01:59 -04:00
suspicious_base64_encoded_powershell_commands.md
[Bug] Normalize Hunting Index Link Generation (#3872)
2024-07-10 11:01:59 -04:00
suspicious_dns_txt_record_lookups_by_process.md
[New Hunt] Add AWS Hunting Queries to Shared Hunting Library (#3988)
2024-09-04 10:08:44 -04:00
unique_windows_services_creation_by_servicefilename.md
[Bug] Normalize Hunting Index Link Generation (#3872)
2024-07-10 11:01:59 -04:00
windows_command_and_scripting_interpreter_from_unusual_parent.md
[Bug] Normalize Hunting Index Link Generation (#3872)
2024-07-10 11:01:59 -04:00
windows_logon_activity_by_source_ip.md
[Bug] Normalize Hunting Index Link Generation (#3872)
2024-07-10 11:01:59 -04:00