Using Sigma and Elastalert for HAFNIUM Detection #3326
Also look for |
Here are some Sigma rules you can drop into a playbook for detecting HAFNIUM.
Some network-related detections:
https://gist.github.com/TOoSmOotH/56a7f93b4c50d936ffc67600bea606c0
The following are useful if you are pulling in sysmon logs:
https://github.com/SigmaHQ/sigma/blob/73a3a1e5cd0a4d50d53b2b5039a6e7702b4b80be/rules/windows/process_creation/sysmon_cve_2021_26857_msexchange.yml
https://github.com/SigmaHQ/sigma/blob/73a3a1e5cd0a4d50d53b2b5039a6e7702b4b80be/rules/windows/file_event/sysmon_cve_2021_26858_msexchange.yml
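As an added worked example (not part of this thread and not the text of the SigmaHQ rules linked above), the following Python evaluates a Sigma-style `process_creation` rule against constructed Sysmon-like events, which is the step a Sigma-to-ElastAlert pipeline performs in Elasticsearch instead. The rule body, the field values and the sample events are assumptions written for this example; the matching follows Sigma's conventions (case-insensitive string comparison, a list of values is OR, fields within one named search are AND, `endswith`/`startswith`/`contains` modifiers, and a `condition` that combines named searches with `and`/`or`/`not` and parentheses).

```python
"""Minimal evaluator for Sigma-style detection logic over Sysmon-like events.

Added example: rule and events are constructed for illustration, not taken
from SigmaHQ or from the thread above.
"""
from __future__ import annotations

import fnmatch
from typing import Any

# Constructed rule (assumption): fires when the Exchange UM worker process spawns a
# child other than the Windows error-reporting tools. This is the *shape* of a
# process_creation rule, not the content of the linked SigmaHQ rule.
RULE: dict[str, Any] = {
    "title": "UM worker process spawning unexpected child (constructed example)",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {"ParentImage|endswith": "\\UMWorkerProcess.exe"},
        "filter": {"Image|endswith": ["\\wermgr.exe", "\\WerFault.exe"]},
        "condition": "selection and not filter",
    },
    "level": "high",
}

# Constructed Sysmon Event ID 1 style records (assumption: field names as Sysmon emits them).
SAMPLE_EVENTS: list[dict[str, Any]] = [
    {"EventID": 1,
     "ParentImage": "C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Bin\\UMWorkerProcess.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c echo test"},
    {"EventID": 1,
     "ParentImage": "C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Bin\\UMWorkerProcess.exe",
     "Image": "C:\\Windows\\System32\\WerFault.exe", "CommandLine": "WerFault.exe -u -p 4242"},
    {"EventID": 1, "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe"},
]


def _match_value(actual: Any, pattern: Any, modifier: str | None) -> bool:
    """Compare one field value against one pattern; Sigma strings are case-insensitive."""
    a, p = str(actual).lower(), str(pattern).lower()
    if modifier == "endswith":
        return a.endswith(p)
    if modifier == "startswith":
        return a.startswith(p)
    if modifier == "contains":
        return p in a
    if modifier is None:  # plain value, with Sigma's '*' / '?' wildcards
        return fnmatch.fnmatchcase(a, p)
    raise ValueError(f"unsupported modifier: {modifier}")


def match_search(search: dict[str, Any], event: dict[str, Any]) -> bool:
    """A named search is a map: every field clause must hold (AND), a value list is OR."""
    for key, patterns in search.items():
        field, _, modifier = key.partition("|")
        if field not in event:
            return False
        values = patterns if isinstance(patterns, list) else [patterns]
        if not any(_match_value(event[field], v, modifier or None) for v in values):
            return False
    return True


def eval_condition(condition: str, results: dict[str, bool]) -> bool:
    """Evaluate a Sigma condition string over already-computed search results.

    Small recursive-descent parser (precedence: not > and > or, parentheses allowed)
    so rule text is never handed to eval().
    """
    tokens = condition.replace("(", " ( ").replace(")", " ) ").split()
    pos = 0

    def parse_or() -> bool:
        nonlocal pos
        v = parse_and()
        while pos < len(tokens) and tokens[pos] == "or":
            pos += 1
            r = parse_and()
            v = v or r
        return v

    def parse_and() -> bool:
        nonlocal pos
        v = parse_not()
        while pos < len(tokens) and tokens[pos] == "and":
            pos += 1
            r = parse_not()
            v = v and r
        return v

    def parse_not() -> bool:
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("unexpected end of condition")
        tok = tokens[pos]
        pos += 1
        if tok == "not":
            return not parse_not()
        if tok == "(":
            v = parse_or()
            if pos >= len(tokens) or tokens[pos] != ")":
                raise ValueError("missing ')'")
            pos += 1
            return v
        return results[tok]  # KeyError surfaces a condition naming an undefined search

    v = parse_or()
    if pos != len(tokens):
        raise ValueError(f"trailing tokens in condition: {tokens[pos:]}")
    return v


def evaluate(rule: dict[str, Any], event: dict[str, Any]) -> bool:
    """True when the rule's condition holds for this single event."""
    detection = rule["detection"]
    results = {name: match_search(search, event)
               for name, search in detection.items() if name != "condition"}
    return eval_condition(detection["condition"], results)


def run_rule(rule: dict[str, Any], events: list[dict[str, Any]]) -> list[int]:
    """Indexes of the events the rule fires on."""
    return [i for i, e in enumerate(events) if evaluate(rule, e)]


if __name__ == "__main__":
    for i in run_rule(RULE, SAMPLE_EVENTS):
        e = SAMPLE_EVENTS[i]
        print(f"[{RULE['level']}] {RULE['title']}: {e['ParentImage']} -> {e['Image']}")
```

Only the first constructed event fires: the second is excluded by the `filter` search (an error-reporting child), and the third has a different parent. The same `selection`/`filter`/`condition` structure is what sigmac compiles into an Elasticsearch query for an ElastAlert rule's `filter` block, so checking a rule this way against a few hand-built events is a cheap way to confirm the logic before deploying it.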