Using Sigma and Elastalert for HAFNIUM Detection #3326
Replies: 1 comment 2 replies
-
Also look for |
-
Here are some Sigma rules you can drop into playbook for detecting HAFNIUM.
Some network-related detections:
https://gist.github.com/TOoSmOotH/56a7f93b4c50d936ffc67600bea606c0
The following are useful if you are pulling in Sysmon logs:
https://github.com/SigmaHQ/sigma/blob/73a3a1e5cd0a4d50d53b2b5039a6e7702b4b80be/rules/windows/process_creation/sysmon_cve_2021_26857_msexchange.yml
https://github.com/SigmaHQ/sigma/blob/73a3a1e5cd0a4d50d53b2b5039a6e7702b4b80be/rules/windows/file_event/sysmon_cve_2021_26858_msexchange.yml
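As an added worked example (not code from this thread, nor from the linked SigmaHQ rules): a small Python matcher that evaluates rules in the shape of the two linked Sysmon detections over constructed Sysmon events, and renders each rule as the Lucene query_string an Elastalert filter would carry. The rule bodies paraphrase the documented logic for CVE-2021-26857 and CVE-2021-26858 (UMWorkerProcess.exe spawning an unexpected child process, and UMWorkerProcess.exe writing an unexpected file); the exact allow-lists, the `winlog.event_data.` field prefix and the sample events are assumptions, so check them against the linked YAML and your pipeline's field mapping before deploying anything.

```python
"""Added example: evaluate Sigma-style HAFNIUM detections over constructed
Sysmon events, and render them as the query_string an Elastalert filter carries."""
import fnmatch

# Constructed rules paraphrasing the logic of the two SigmaHQ rules linked above
# (UMWorkerProcess.exe spawning an unexpected child / writing an unexpected file).
# The allow-lists in the real YAML may differ; compare before deploying.
RULES = [
    {"title": "CVE-2021-26857 Exchange Exploitation",
     "logsource": {"category": "process_creation"},
     "detection": {
         "selection": {"ParentImage|endswith": "\\UMWorkerProcess.exe"},
         "filter": {"Image|endswith": ["\\wermgr.exe", "\\WerFault.exe"]},
         "condition": "selection and not filter"}},
    {"title": "CVE-2021-26858 Exchange Exploitation",
     "logsource": {"category": "file_event"},
     "detection": {
         "selection": {"Image|endswith": "\\UMWorkerProcess.exe"},
         "filter": {"TargetFilename|endswith":
                    ["CacheCleanup.bin", ".txt", ".log", ".cfg", "cleanup.bin"]},
         "condition": "selection and not filter"}},
]

# Constructed Sysmon events (Event ID 1 process creates, Event ID 11 file creates).
UM = r"C:\Program Files\Microsoft\Exchange Server\V15\Bin\UMWorkerProcess.exe"
EVENTS = [
    {"category": "process_creation", "ParentImage": UM, "Image": r"C:\Windows\System32\WerFault.exe"},  # benign crash handler
    {"category": "process_creation", "ParentImage": UM, "Image": r"C:\Windows\System32\cmd.exe"},       # suspicious child
    {"category": "file_event", "Image": UM, "TargetFilename": r"C:\ProgramData\UM\CacheCleanup.bin"},    # benign write
    {"category": "file_event", "Image": UM, "TargetFilename": r"C:\inetpub\wwwroot\aspnet_client\x.aspx"},  # web shell drop
    {"category": "process_creation", "ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\cmd.exe"},
]

def _terms(condition):
    """Split a condition of the form 'a and b and not c' into (name, negated) pairs."""
    for term in condition.split(" and "):
        negated = term.startswith("not ")
        yield (term[4:] if negated else term), negated

def _value_matches(modifier, actual, expected):
    a, e = actual.lower(), expected.lower()      # Sigma string comparison is case-insensitive
    if modifier == "endswith":   return a.endswith(e)
    if modifier == "startswith": return a.startswith(e)
    if modifier == "contains":   return e in a
    return fnmatch.fnmatchcase(a, e)             # plain values may carry * and ? wildcards

def _group_matches(group, event):
    """Fields in one selection map are ANDed; a list of values for a field is ORed."""
    for key, expected in group.items():
        field, _, modifier = key.partition("|")
        if field not in event:
            return False
        values = expected if isinstance(expected, list) else [expected]
        if not any(_value_matches(modifier, str(event[field]), str(v)) for v in values):
            return False
    return True

def rule_matches(rule, event):
    if event.get("category") != rule["logsource"]["category"]:
        return False
    det = rule["detection"]
    return all(_group_matches(det[name], event) != negated
               for name, negated in _terms(det["condition"]))

def run_rules(events, rules=RULES):
    """Return (rule title, offending Image or TargetFilename) for every hit."""
    return [(r["title"], e.get("TargetFilename", e.get("Image")))
            for e in events for r in rules if rule_matches(r, e)]

def to_query_string(rule, prefix="winlog.event_data."):
    """Render the rule as a Lucene query_string, the shape sigmac's Elastalert
    target emits. The winlogbeat-style field prefix is an assumption; ECS differs."""
    def clause(group):
        parts = []
        for key, expected in group.items():
            field, _, modifier = key.partition("|")
            rendered = []
            for v in (expected if isinstance(expected, list) else [expected]):
                v = str(v).replace("\\", "\\\\")  # backslashes must be escaped for Lucene
                v = {"endswith": "*" + v, "startswith": v + "*", "contains": "*" + v + "*"}.get(modifier, v)
                rendered.append(v)
            body = rendered[0] if len(rendered) == 1 else "(" + " OR ".join(rendered) + ")"
            parts.append(f"{prefix}{field}:{body}")
        return " AND ".join(parts)
    det = rule["detection"]
    return " AND ".join(("NOT " if negated else "") + "(" + clause(det[name]) + ")"
                        for name, negated in _terms(det["condition"]))

if __name__ == "__main__":
    for title, artefact in run_rules(EVENTS):
        print(f"[{title}] {artefact}")
    for rule in RULES:
        print(to_query_string(rule))
```

Run as a script it reports two hits (the cmd.exe child and the .aspx write) and prints both query strings. Real Sigma conditions are richer than "a and not b" (or, 1 of, all of, aggregations) and sigmac handles field renaming per backend config; the point here is only to make the allow-list logic of the two linked rules visible against concrete events, and to show why the escaping of the backslashes in the paths matters once the rule becomes a query_string.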