Releases: SigmaHQ/sigma

Release r2024-09-02

02 Sep 18:30
7f0f7ee

New Rules

  • new: Access To Chromium Browsers Sensitive Files By Uncommon Applications
  • new: Access To Crypto Currency Wallets By Uncommon Applications
  • new: Antivirus Filter Driver Disallowed On Dev Drive - Registry
  • new: Capsh Shell Invocation - Linux
  • new: ChromeLoader Malware Execution
  • new: Clipboard Data Collection Via Pbpaste
  • new: Data Export From MSSQL Table Via BCP.EXE
  • new: Disk Image Creation Via Hdiutil - MacOS
  • new: Disk Image Mounting Via Hdiutil - MacOS
  • new: DNS Query To Put.io - DNS Client
  • new: Driver Added To Disallowed Images In HVCI - Registry
  • new: Emotet Loader Execution Via .LNK File
  • new: Exploitation Attempt Of CVE-2020-1472 - Execution of ZeroLogon PoC
  • new: FakeUpdates/SocGholish Activity
  • new: File Explorer Folder Opened Using Explorer Folder Shortcut Via Shell
  • new: Github Fork Private Repositories Setting Enabled/Cleared
  • new: Github Repository/Organization Transferred
  • new: Github SSH Certificate Configuration Changed
  • new: HackTool - SharpWSUS/WSUSpendu Execution
  • new: HackTool - SOAPHound Execution
  • new: Headless Process Launched Via Conhost.EXE
  • new: Hidden Flag Set On File/Directory Via Chflags - MacOS
  • new: Hiding User Account Via SpecialAccounts Registry Key - CommandLine
  • new: Injected Browser Process Spawning Rundll32 - GuLoader Activity
  • new: Inline Python Execution - Spawn Shell Via OS System Library
  • new: Kerberoasting Activity - Initial Query
  • new: Manual Execution of Script Inside of a Compressed File
  • new: Microsoft Teams Sensitive File Access By Uncommon Application
  • new: Multi Factor Authentication Disabled For User Account
  • new: Obfuscated PowerShell OneLiner Execution
  • new: OneNote.EXE Execution of Malicious Embedded Scripts
  • new: Potential APT FIN7 Exploitation Activity
  • new: Potential BOINC Software Execution (UC-Berkeley Signature)
  • new: Potential CommandLine Obfuscation Using Unicode Characters From Suspicious Image - A detection replacement for e0552b19-5a83-4222-b141-b36184bb8d79
  • new: Potential CSharp Streamer RAT Loading .NET Executable Image
  • new: Potential CVE-2021-44228 Exploitation Attempt - VMware Horizon
  • new: Potential CVE-2022-22954 Exploitation Attempt - VMware Workspace ONE Access Remote Code Execution
  • new: Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 1
  • new: Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 2
  • new: Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 3
  • new: Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 4
  • new: Potential Exploitation of CVE-2024-37085 - Suspicious Creation Of ESX Admins Group
  • new: Potential Exploitation of CVE-2024-37085 - Suspicious ESX Admins Group Activity
  • new: Potential File Override/Append Via SET Command
  • new: Potential MOVEit Transfer CVE-2023-34362 Exploitation - Dynamic Compilation Via Csc.EXE
  • new: Potential Raspberry Robin Aclui Dll SideLoading
  • new: Potential Raspberry Robin Registry Set Internet Settings ZoneMap
  • new: Potentially Suspicious Rundll32.EXE Execution of UDL File
  • new: Powershell Executed From Headless ConHost Process
  • new: Process Launched Without Image Name
  • new: Python Function Execution Security Warning Disabled In Excel
  • new: Python Function Execution Security Warning Disabled In Excel - Registry
  • new: Raspberry Robin Initial Execution From External Drive
  • new: Raspberry Robin Subsequent Execution of Commands
  • new: Remote Access Tool - Action1 Arbitrary Code Execution and Remote Sessions
  • new: Remote Access Tool - Ammy Admin Agent Execution
  • new: Remote Access Tool - AnyDesk Incoming Connection
  • new: Remote Access Tool - Cmd.EXE Execution via AnyViewer
  • new: Renamed BOINC Client Execution
  • new: Serpent Backdoor Payload Execution Via Scheduled Task
  • new: Shell Execution GCC - Linux
  • new: Shell Execution via Find - Linux
  • new: Shell Execution via Flock - Linux
  • new: Shell Execution via Git - Linux
  • new: Shell Execution via Nice - Linux
  • new: Shell Execution via Rsync - Linux
  • new: Shell Invocation via Env Command - Linux
  • new: Shell Invocation Via Ssh - Linux
  • new: Suspicious Invocation of Shell via AWK - Linux
  • new: Suspicious Process Masquerading As SvcHost.EXE
  • new: Task Scheduler DLL Loaded By Application Located In Potentially Suspicious Location
  • new: Unattend.XML File Access Attempt
  • new: Uncommon Connection to Active Directory Web Services
  • new: Ursnif Redirection Of Discovery Commands
  • new: User Risk and MFA Registration Policy Updated

Updated Rules

  • update: Access To .Reg/.Hive Files By Uncommon Applications - Update filters and move to threat hunting folder
  • update: Access To Browser Credential Files By Uncommon Applications - Update filters and move to threat hunting folder
  • update: Access To Windows Credential History File By Uncommon Applications - Update filters
  • update: Access To Windows DPAPI Master Keys By Uncommon Applications - Update filters
  • update: Access To Windows Outlook Mail Files By Uncommon Applications - Update filters and move to threat hunting folder
  • update: Antivirus Exploitation Framework Detection - Add additional keywords and strings to enhance coverage
  • update: Antivirus Hacktool Detection - Add additional keywords and strings to enhance coverage
  • update: Antivirus Password Dumper Detection - Add additional keywords and strings to enhance coverage
  • update: Antivirus Ransomware Detection - Add additional keywords and strings to enhance coverage
  • update: Antivirus Relevant File Paths Alerts - Add additional keywords and strings to enhance coverage
  • update: Antivirus Web Shell Detection - Add additional keywords and strings to enhance coverage
  • update: BITS Transfer Job Download From File Sharing Domains - Add additional domains, *.trycloudflare.com, *.pages.dev, *.w3spaces.com and *.workers.dev
  • update: Cab File Extraction Via Wusa.EXE - Move to TH folder
  • update: COM Object Execution via Xwizard.EXE - Update logic
  • update: Credential Manager Access By Uncommon Applications - Update filters
  • update: Disable Important Scheduled Task - Add \Windows\ExploitGuard\ExploitGuard MDM policy Refresh
  • update: Github High Risk Configuration Disabled - Add business_advanced_security.disabled, business_advanced_security.disabled_for_new_repos, business_advanced_security.disabled_for_new_user_namespace_repos, business_advanced_security.user_namespace_repos_disabled, org.advanced_security_disabled_for_new_repos, org.advanced_security_disabled_on_all_repos
  • update: Github Secret Scanning Feature Disabled - Add secret_scanning_new_repos.disable
  • update: Network Communication Initiated To File Sharing Domains From Process Located In Suspicious Folder - Add additional domains, *.trycloudflare.com, *.pages.dev, *.w3spaces.com and *.workers.dev
  • update: Network Connection Initiated From Process Located In Potentially Suspicious Or Uncommon Location - Add additional domains, *.trycloudflare.com, *.pages.dev, *.w3spaces.com and *.workers.dev
  • update: New Connection Initiated To Potential Dead Drop Resolver Domain - Add additional domains, *.trycloudflare.com, *.pages.dev, *.w3spaces.com and *.workers.dev
  • update: Potential Active Directory Reconnaissance/Enumeration Via LDAP - add enumeration of distinguished names
  • update: Potential CommandLine Obfuscation Using Unicode Characters - Moved to "threat-hunting" due to the nature of the FPs
  • update: Potential CVE-2022-29072 Exploitation Attempt - Add additional shells and flags
  • update: Potential DLL Injection Via AccCheckConsole - Enhance coverage and logic
  • update: Potential DLL Sideloading Activity Via ExtExport.EXE - Metadata and logic update
  • update: Potential Persistence Via Outlook Home Page - Update the logic to account for additional sub keys.
  • update: Potential Persistence Via Outlook Today Page - Update the logic to account for the "URL" value.
  • update: Potential Remote WMI ActiveScriptEventConsumers Activity - Moved to "threat-hunting" as it's meant as an enrichment rule.
  • update: Potentially Suspicious EventLog Recon Activity Using Log Query Utilities - Increase coverage
  • update: Potentially Suspicious File Download From File Sharing Domain Via PowerShell.EXE - Add additional domains, *.trycloudflare.com, *.pages.dev, *.w3spaces.com and *.workers.dev
  • update: Powershell Token Obfuscation - Powershell - Optimized the regex used
  • update: Powershell Token Obfuscation - Process Creation - Optimized the regex used
  • update: Process Memory Dump via RdrLeakDiag.EXE - Enhance coverage
  • update: Relevant Anti-Virus Signature Keywords In Application Log - Add additional keywords and strings to enhance coverage
  • update: Suspicious Download From File-Sharing Website Via Bitsadmin - Add additional domains, *.trycloudflare.com, *.pages.dev, *.w3spaces.com and *.workers.dev
  • update: Suspicious File Download From File Sharing Domain Via Curl.EXE - Add additional domains, *.trycloudflare.com, *.pages.dev, *.w3spaces.com and *.workers.dev
  • update: Suspicious File Download From File Sharing Domain Via Wget.EXE - Add additional domains, *.trycloudflare.com, *.pages.dev, *.w3spaces.com and *.workers.dev
  • update: Suspicious File Download From File Sharing Websites - File Stream - Add additional domains, *.trycloudflare.com, *.pages.dev, *.w3spaces.com and *.workers.dev
  • update: Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE - Add additional domains, *.trycloudflare.com, *.pages.dev, *.w3spaces.com and *.workers.dev
  • update: Suspicious Remote AppX Package Locations - Add additional domains, *.trycloudflare.com, *.pages.dev, *.w3spaces.com and *.workers.dev
  • update...

Release r2024-07-17

17 Jul 09:37
af9ffdb

New Rules

  • new: BitlockerTogo.EXE Execution
  • new: COM Object Hijacking Via Modification Of Default System CLSID Default Value
  • new: CVE-2023-1389 Potential Exploitation Attempt - Unauthenticated Command Injection In TP-Link Archer AX21
  • new: Communication To LocaltoNet Tunneling Service Initiated
  • new: Communication To LocaltoNet Tunneling Service Initiated - Linux
  • new: DNS Query To AzureWebsites.NET By Non-Browser Process
  • new: DPAPI Backup Keys And Certificate Export Activity IOC
  • new: DSInternals Suspicious PowerShell Cmdlets
  • new: DSInternals Suspicious PowerShell Cmdlets - ScriptBlock
  • new: DarkGate - Drop DarkGate Loader In C:\Temp Directory
  • new: Directory Service Restore Mode(DSRM) Registry Value Tampering
  • new: File Download Via Nscurl - MacOS
  • new: Files With System DLL Name In Unsuspected Locations
  • new: HackTool - Evil-WinRm Execution - PowerShell Module
  • new: HackTool - LaZagne Execution
  • new: HackTool - RemoteKrbRelay Execution
  • new: HackTool - RemoteKrbRelay SMB Relay Secrets Dump Module Indicators
  • new: HackTool - SharpDPAPI Execution
  • new: Hypervisor Enforced Paging Translation Disabled
  • new: Ingress/Egress Security Group Modification
  • new: Kapeka Backdoor Autorun Persistence
  • new: Kapeka Backdoor Configuration Persistence
  • new: Kapeka Backdoor Execution Via RunDLL32.EXE
  • new: Kapeka Backdoor Loaded Via Rundll32.EXE
  • new: Kapeka Backdoor Persistence Activity
  • new: Kapeka Backdoor Scheduled Task Creation
  • new: Kubernetes Admission Controller Modification
  • new: Kubernetes CronJob/Job Modification
  • new: Kubernetes Rolebinding Modification
  • new: Kubernetes Secrets Modified or Deleted
  • new: Kubernetes Unauthorized or Unauthenticated Access
  • new: LoadBalancer Security Group Modification
  • new: Malicious Usage Of IMDS Credentials Outside Of AWS Infrastructure
  • new: Microsoft Word Add-In Loaded
  • new: Network Communication Initiated To Portmap.IO Domain
  • new: Network Connection Initiated From Users\Public Folder
  • new: Network Connection Initiated To AzureWebsites.NET By Non-Browser Process
  • new: Network Connection Initiated To Cloudflared Tunnels Domains
  • new: New File Exclusion Added To Time Machine Via Tmutil - MacOS
  • new: New Network ACL Entry Added
  • new: New Network Route Added
  • new: PDF File Created By RegEdit.EXE
  • new: Periodic Backup For System Registry Hives Enabled
  • new: Potential DLL Sideloading Of DbgModel.DLL
  • new: Potential DLL Sideloading Of MpSvc.DLL
  • new: Potential DLL Sideloading Of MsCorSvc.DLL
  • new: Potential Kapeka Decrypted Backdoor Indicator
  • new: Potential Malicious Usage of CloudTrail System Manager
  • new: Potential Suspicious Browser Launch From Document Reader Process
  • new: Potentially Suspicious Usage Of Qemu
  • new: RDS Database Security Group Modification
  • new: Renamed Microsoft Teams Execution
  • new: System Information Discovery Via Sysctl - MacOS
  • new: Time Machine Backup Deletion Attempt Via Tmutil - MacOS
  • new: Time Machine Backup Disabled Via Tmutil - MacOS
  • new: Uncommon File Creation By Mysql Daemon Process
  • new: Uncommon Process Access Rights For Target Image
  • new: Windows LAPS Credential Dump From Entra ID
  • new: Windows Recall Feature Enabled - DisableAIDataAnalysis Value Deleted
  • new: Windows Recall Feature Enabled - Registry
  • new: Windows Recall Feature Enabled Via Reg.EXE

Updated Rules

  • update: Antivirus Hacktool Detection - Add the string "mikatz" because of "HackTool:Win32/Mikatz"
  • update: Antivirus Password Dumper Detection - Add the string "mikatz" because of "HackTool:Win32/Mikatz"
  • update: CA Policy Updated by Non Approved Actor - detect using a map of fields instead of a list
  • update: Cloudflared Tunnels Related DNS Requests - Update description and related field
  • update: Copying Sensitive Files with Credential Data - Use "windash" modifier
  • update: DLL Call by Ordinal Via Rundll32.EXE - Reduced level to "medium" and moved to the threat hunting folder due to the fact that calling by ordinal can be seen by many legitimate utilities. An initial baseline needs to be set for the rule to be promoted.
  • update: Explorer Process Tree Break - Use "windash" modifier
  • update: Files With System Process Name In Unsuspected Locations - Remove old filter
  • update: LSASS Process Reconnaissance Via Findstr.EXE - Use "windash" modifier
  • update: Lolbin Unregmp2.exe Use As Proxy - Use "windash" modifier
  • update: MSSQL Add Account To Sysadmin Role - Update the "Provider_Name" to use a contains in order to account for other third party providers.
  • update: MSSQL Disable Audit Settings - Update the "Provider_Name" to use a contains in order to account for other third party providers.
  • update: MSSQL SPProcoption Set - Update the "Provider_Name" to use a contains in order to account for other third party providers.
  • update: MSSQL Server Failed Logon - Update the "Provider_Name" to use a contains in order to account for other third party providers.
  • update: MSSQL Server Failed Logon From External Network - Update the "Provider_Name" to use a contains in order to account for other third party providers.
  • update: MSSQL XPCmdshell Option Change - Update the "Provider_Name" to use a contains in order to account for other third party providers.
  • update: MSSQL XPCmdshell Suspicious Execution - Update the "Provider_Name" to use a contains in order to account for other third party providers.
  • update: Msiexec.EXE Initiated Network Connection Over HTTP - Reduced level to "low" and moved to the threat hunting folder due to the large number of matches based on VT data
  • update: Network Communication Initiated To File Sharing Domains From Process Located In Suspicious Folder - Add additional file paths
  • update: Network Connection Initiated By AddinUtil.EXE - increase level to "high" and promote the status to "test" based on VT data
  • update: Network Connection Initiated From Process Located In Potentially Suspicious Or Uncommon Location - Add additional file paths
  • update: Network Connection Initiated To AzureWebsites.NET By Non-Browser Process - Reduced the level to "medium" and added filters for "null" and empty values based on VT data
  • update: Network Connection Initiated To Mega.nz - Reduce level to "low"
  • update: New Remote Desktop Connection Initiated Via Mstsc.EXE - Use "windash" modifier
  • update: Office Application Initiated Network Connection Over Uncommon Ports - Add port "143" based on Microsoft "Microsoft 365 URLs and IP address ranges" document
  • update: Office Application Initiated Network Connection To Non-Local IP - Add "outlook.exe" to the list of processes and filter multiple IP ranges based on Microsoft "Microsoft 365 URLs and IP address ranges" document
  • update: Okta New Admin Console Behaviours - update to reflect Okta log data structure
  • update: Outbound Network Connection Initiated By Cmstp.EXE - Exclude local IPs and ranges
  • update: Password Protected Compressed File Extraction Via 7Zip - Reduced level to "low" and moved to the threat hunting folder due to the large number of matches based on VT data
  • update: Potential Dead Drop Resolvers - Add filters for "null" and empty values based on VT data
  • update: Potential Privilege Escalation via Local Kerberos Relay over LDAP - Update metadata information
  • update: Potential Proxy Execution Via Explorer.EXE From Shell Process - Update metadata and moved to Threat Hunting folder
  • update: Potential Shellcode Injection - Reduced level to "medium" and moved to the threat hunting folder due to multiple FPs with third-party software
  • update: Potential Suspicious Execution From GUID Like Folder Names - Reduced level to "low" and moved to the threat hunting folder
  • update: Potential System DLL Sideloading From Non System Locations - Add new entries to increase coverage
  • update: Potential Windows Defender AV Bypass Via Dump64.EXE Rename - Enhance logic
  • update: Potentially Suspicious EventLog Recon Activity Using Log Query Utilities - Add additional EventLog and ETW providers to increase coverage
  • update: Potentially Suspicious Execution From Parent Process In Public Folder - Update logic to add Image names in addition to the previous CommandLines
  • update: Potentially Suspicious PowerShell Child Processes - Reduced level to "medium" and moved to the threat hunting folder due to the large number of matches based on VT data; the logic also doesn't look for anything suspicious, only "child processes" that might be "uncommon".
  • update: Process Execution From A Potentially Suspicious Folder - Update metadata and remove "\Users\Public" to avoid false positives
  • update: Rare Remote Thread Creation By Uncommon Source Image - Add dialer.exe
  • update: Recon Command Output Piped To Findstr.EXE - Update the logic to use "wildcards" instead of spaces to cover different variants and increase the coverage.
  • update: Relevant Anti-Virus Signature Keywords In Application Log - Add the string "mikatz" because of "HackTool:Win32/Mikatz"
  • update: Remote Thread Creation By Uncommon Source Image - Update filters
  • update: Remote Thread Creation In Uncommon Target Image - Update filters
  • update: Renamed ProcDump Execution - Add new flag option
  • update: Self Extracting Package Creation Via Iexpress.EXE From Potentially Suspicious Location - Use "windash" modifier
  • update: Suspicious Electron Application Child Processes - Remove unnecessary filters
  • update: Suspicious Non-Browser Network Communication With Google API - Add filters for "null" and empty values based on VT data
  • update: System File Execution Location Anomaly - Enhance filters
  • update: Uncommon Child Process Of Setres.EXE - Update logic and metadata
  • update: Uncommon Link.EXE Parent Process - Enhance the filters and metadata
  • update: Windows Defender Threat De...

Release r2024-05-13

13 May 17:50
ed789f5

New Rules

  • new: Access To Windows Outlook Mail Files By Uncommon Application
  • new: All Backups Deleted Via Wbadmin.EXE
  • new: File Recovery From Backup Via Wbadmin.EXE
  • new: Launch Agent/Daemon Execution Via Launchctl
  • new: New Firewall Rule Added In Windows Firewall Exception List Via WmiPrvSE.EXE
  • new: New RDP Connection Initiated From Domain Controller
  • new: New Windows Firewall Rule Added Via New-NetFirewallRule Cmdlet
  • new: New Windows Firewall Rule Added Via New-NetFirewallRule Cmdlet - ScriptBlock
  • new: Potential Packet Capture Activity Via Start-NetEventSession - ScriptBlock
  • new: Potentially Suspicious Child Process Of KeyScrambler.exe
  • new: Potentially Suspicious Malware Callback Communication - Linux
  • new: Sensitive File Dump Via Wbadmin.EXE
  • new: Sensitive File Recovery From Backup Via Wbadmin.EXE
  • new: Suspicious External WebDAV Execution
  • new: UAC Notification Disabled
  • new: UAC Secure Desktop Prompt Disabled

Updated Rules

  • update: New Firewall Rule Added In Windows Firewall Exception List For Potential Suspicious Application - Add new EID and paths
  • update: Potentially Suspicious Execution Of PDQDeployRunner - Add additional processes to the list
  • update: Scheduled Task Creation From Potential Suspicious Parent Location - Add additional "temporary folder" locations.
  • update: UAC Disabled - update metadata
  • update: Uncommon New Firewall Rule Added In Windows Firewall Exception List - Add new EID and paths
  • update: Use Icacls to Hide File to Everyone - Remove "C:\Users" to increase coverage
  • update: Windows Backup Deleted Via Wbadmin.EXE - Enhance logic and increase coverage

Removed / Deprecated Rules

  • remove: Search-ms and WebDAV Suspicious Indicators in URL

Fixed Rules

  • fix: Forest Blizzard APT - Process Creation Activity - Typo in modifier

Acknowledgement

Thanks to @ahmedfarou22, @frack113, @hasselj, @joshnck, @nasbench, @pratinavchandra, @swachchhanda000 for their contribution to this release

Which Sigma rule package should I use?

A detailed explanation can be found in the Releases.md file. If you are new to Sigma, we recommend starting with the "Core" ruleset.

The latest release package on GitHub can always be found here.

Release r2024-04-29

29 Apr 20:09
39db804

New Rules

  • new: Cisco Duo Successful MFA Authentication Via Bypass Code
  • new: Forest Blizzard APT - Custom Protocol Handler Creation
  • new: Forest Blizzard APT - Custom Protocol Handler DLL Registry Set
  • new: Forest Blizzard APT - File Creation Activity
  • new: Forest Blizzard APT - JavaScript Constrained File Creation
  • new: Forest Blizzard APT - Process Creation Activity
  • new: Network Connection Initiated By RegAsm.EXE
  • new: Outbound Network Connection Initiated By Microsoft Dialer
  • new: PUA - SoftPerfect Netscan Execution
  • new: Pnscan Binary Data Transmission Activity
  • new: Potential CVE-2024-3400 Exploitation - Palo Alto GlobalProtect OS Command Injection
  • new: Potential CVE-2024-3400 Exploitation - Palo Alto GlobalProtect OS Command Injection - File Creation
  • new: Potential Exploitation of CVE-2024-3094 - Suspicious SSH Child Process
  • new: Potential KeyScrambler.exe DLL Side-loading
  • new: Python Path Configuration File Creation - Linux
  • new: Python Path Configuration File Creation - Macos
  • new: Python Path Configuration File Creation - Windows

Updated Rules

  • update: AWS User Login Profile Was Modified - use fieldref instead of contains modifier
  • update: Arbitrary DLL or Csproj Code Execution Via Dotnet.EXE - Update logic to add additional variation of the extensions
  • update: Arbitrary File Download Via ConfigSecurityPolicy.EXE - Update description
  • update: C# IL Code Compilation Via Ilasm.EXE - Add flags to increase accuracy of the rule instead of it focusing on "any" execution
  • update: COM Object Execution via Xwizard.EXE - Update logic
  • update: Gatekeeper Bypass via Xattr - Update command line flag
  • update: HackTool - CoercedPotato Execution - Update Hashes field to use contains modifier
  • update: HackTool - HandleKatz LSASS Dumper Execution - Update Hashes field to use contains modifier
  • update: HackTool - SysmonEOP Execution - Update Hashes field to use contains modifier
  • update: Invoke-Obfuscation CLIP+ Launcher - PowerShell - Remove unnecessary starting wildcard
  • update: Invoke-Obfuscation CLIP+ Launcher - PowerShell Module - Remove unnecessary starting wildcard
  • update: Invoke-Obfuscation STDIN+ Launcher - PowerShell Module - Remove unnecessary starting wildcard
  • update: Invoke-Obfuscation STDIN+ Launcher - Powershell - Remove unnecessary starting wildcard
  • update: Invoke-Obfuscation STDIN+ Launcher - Update rule to use regex for better accuracy in CLI
  • update: Invoke-Obfuscation VAR+ Launcher - PowerShell - Remove unnecessary starting wildcard
  • update: Invoke-Obfuscation VAR+ Launcher - PowerShell Module - Remove unnecessary starting wildcard
  • update: Invoke-Obfuscation VAR+ Launcher - Update rule to use regex for better accuracy in CLI
  • update: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell - Remove unnecessary starting wildcard
  • update: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell Module - Remove unnecessary starting wildcard
  • update: Invoke-Obfuscation Via Stdin - PowerShell Module - Remove unnecessary starting wildcard
  • update: Invoke-Obfuscation Via Stdin - Powershell - Remove unnecessary starting wildcard
  • update: Invoke-Obfuscation Via Stdin - Update rule to use regex for better accuracy in CLI
  • update: Invoke-Obfuscation Via Use Clip - PowerShell Module - Remove unnecessary starting wildcard
  • update: Invoke-Obfuscation Via Use Clip - Powershell - Remove unnecessary starting wildcard
  • update: Invoke-Obfuscation Via Use Clip - Update rule to use regex for better accuracy in CLI
  • update: JScript Compiler Execution - Update metadata
  • update: Linux Command History Tampering - Increase coverage to include other history files
  • update: ManageEngine Endpoint Central Dctask64.EXE Potential Abuse - Update logic to account for flags and increase accuracy
  • update: Potential Application Whitelisting Bypass via Dnx.EXE - Update description
  • update: Potential Arbitrary Command Execution Via FTP.EXE - Use "windash" modifier and update description
  • update: Potential Arbitrary File Download Via Cmdl32.EXE - Remove unnecessary spaces to account for flags being at the end.
  • update: Renamed ZOHO Dctask64 Execution - Add additional imphash values
  • update: Suspicious Volume Shadow Copy VSS_PS.dll Load - regularly loaded by wsmprovhost.exe
  • update: Windows Kernel Debugger Execution - Reduce level to "medium"
  • update: Xwizard.EXE Execution From Non-Default Location - Update description

Fixed Rules

  • fix: ADS Zone.Identifier Deleted By Uncommon Application - Filter out "chrome" and "firefox" processes.
  • fix: Dynamic .NET Compilation Via Csc.EXE - FP with chocolatey
  • fix: File And SubFolder Enumeration Via Dir Command - Fix false positive with Firefox and similar CLI apps.
  • fix: Invoke-Obfuscation Via Stdin - explicitly escape { to make it clear that it is a literal
  • fix: Rundll32 Execution With Uncommon DLL Extension - add optional filter for MS Edge update
  • fix: Windows Binaries Write Suspicious Extensions - Add new filter for when "bat" or "powershell" scripts are written via GPO to run at startup.
  • fix: Windows Binaries Write Suspicious Extensions - filter PS1 policy check for AppLocker mode
  • fix: Windows Binaries Write Suspicious Extensions - fix selection

Acknowledgement

Thanks to @CertainlyP, @dan21san, @frack113, @fukusuket, @jamesc-grafana, @nasbench, @Neo23x0, @netgrain, @nikitah4x, @phantinuss, @PiRomant, @pratinavchandra, @ruppde, @signalblur, @swachchhanda000, @TheLawsOfChaos, @thomaspatzke, @X-Junior, @ya0guang for their contribution to this release

Release r2024-03-26

26 Mar 19:14
f0395b8

New Rules

  • new: CVE-2024-1212 Exploitation - Progress Kemp LoadMaster Unauthenticated Command Injection
  • new: Certificate-Based Authentication Enabled
  • new: Container With A hostPath Mount Created
  • new: Creation Of Pod In System Namespace
  • new: Deployment Deleted From Kubernetes Cluster
  • new: Kubernetes Events Deleted
  • new: Kubernetes Secrets Enumeration
  • new: MaxMpxCt Registry Value Changed
  • new: New Kubernetes Service Account Created
  • new: New Root Certificate Authority Added
  • new: Potential KamiKakaBot Activity - Lure Document Execution
  • new: Potential KamiKakaBot Activity - Shutdown Schedule Task Creation
  • new: Potential KamiKakaBot Activity - Winlogon Shell Persistence
  • new: Potential Remote Command Execution In Pod Container
  • new: Potential Sidecar Injection Into Running Deployment
  • new: Privileged Container Deployed
  • new: RBAC Permission Enumeration Attempt
  • new: Remote Access Tool - Team Viewer Session Started On Linux Host
  • new: Remote Access Tool - Team Viewer Session Started On MacOS Host
  • new: Remote Access Tool - Team Viewer Session Started On Windows Host
  • new: Service Binary in User Controlled Folder

Updated Rules

  • update: Add Port Monitor Persistence in Registry - Update logic to avoid hardcoded HKLM values
  • update: CVE-2020-1048 Exploitation Attempt - Suspicious New Printer Ports - Registry - Add more entries to increase coverage and update metadata information
  • update: Capture Credentials with Rpcping.exe - Update rule to use the windash modifier
  • update: Change Winevt Channel Access Permission Via Registry - Update logic to avoid hardcoded HKLM values
  • update: Changing Existing Service ImagePath Value Via Reg.EXE - Update rule to use the windash modifier
  • update: Communication To Uncommon Destination Ports - Add link-local address range
  • update: Default RDP Port Changed to Non Standard Port - Update logic to avoid hardcoded HKLM values
  • update: Dfsvc.EXE Network Connection To Non-Local IPs - Update rule to use cidr modifier
  • update: Disable Administrative Share Creation at Startup - Update logic to avoid hardcoded HKLM values
  • update: Disable Microsoft Defender Firewall via Registry - Update logic to avoid hardcoded HKLM values
  • update: Disable Windows Event Logging Via Registry - Update logic to avoid hardcoded HKLM values
  • update: Diskshadow Script Mode Execution - Update rule to use the windash modifier
  • update: Displaying Hidden Files Feature Disabled - Update logic to avoid hardcoded HKLM values
  • update: DllUnregisterServer Function Call Via Msiexec.EXE - Update rule to use the windash modifier
  • update: Exports Critical Registry Keys To a File - Update rule to use the windash modifier
  • update: Exports Registry Key To a File - Update rule to use the windash modifier
  • update: FlowCloud Registry Marker - Update logic to avoid hardcoded HKLM values
  • update: IIS Native-Code Module Command Line Installation - Update rule to use the windash modifier
  • update: Imports Registry Key From a File - Update rule to use the windash modifier
  • update: Imports Registry Key From an ADS - Update rule to use the windash modifier
  • update: Kernel Memory Dump Via LiveKD - Update rule to use the windash modifier
  • update: Loaded Module Enumeration Via Tasklist.EXE - Update rule to use the windash modifier
  • update: Microsoft Sync Center Suspicious Network Connections - Add link-local address range
  • update: Msiexec Quiet Installation - Update rule to use the windash modifier
  • update: Network Connection Initiated By PowerShell Process - Update rule to use cidr modifier
  • update: New PortProxy Registry Entry Added - Update logic to avoid hardcoded HKLM values
  • update: Office Application Initiated Network Connection To Non-Local IP - Update rule to use cidr modifier
  • update: Outbound Network Connection To Public IP Via Winlogon - Add link-local address range
  • update: Potential Arbitrary Command Execution Using Msdt.EXE - Update rule to use the windash modifier
  • update: Potential CVE-2023-23397 Exploitation Attempt - SMB - Update rule to use cidr modifier
  • update: Potential CobaltStrike Service Installations - Registry - Update logic to avoid hardcoded HKLM values
  • update: Potential Execution of Sysinternals Tools - Update rule to use the windash modifier
  • update: Potential LSASS Process Dump Via Procdump - Update rule to use the windash modifier
  • update: Potential Regsvr32 Commandline Flag Anomaly - Update rule to use the windash modifier
  • update: Potentially Suspicious CMD Shell Output Redirect - Enhance logic
  • update: Potentially Suspicious Malware Callback Communication - Add link-local address range
  • update: Potentially Suspicious Wuauclt Network Connection - Update rule to use cidr modifier
  • update: Publicly Accessible RDP Service - Add link-local address range
  • update: RDP Over Reverse SSH Tunnel - Update rule to use cidr modifier
  • update: Register New IFiltre For Persistence - Update logic to avoid hardcoded HKLM values
  • update: Registry Persistence via Service in Safe Mode - Update logic to avoid hardcoded HKLM values
  • update: Replace.exe Usage - Update rule to use the windash modifier
  • update: Run Once Task Configuration in Registry - Update logic to avoid hardcoded HKLM values
  • update: Rundll32 Internet Connection - Add link-local address range
  • update: Script Initiated Connection to Non-Local Network - Update rule to use cidr modifier
  • update: Search-ms and WebDAV Suspicious Indicators in URL - Add link-local address range
  • update: Security Support Provider (SSP) Added to LSA Configuration - Update logic to avoid hardcoded HKLM values
  • update: ServiceDll Hijack - Update logic to avoid hardcoded HKLM values
  • update: Suspicious Cabinet File Execution Via Msdt.EXE - Update rule to use the windash modifier
  • update: Suspicious Command Patterns In Scheduled Task Creation - Enhance logic
  • update: Suspicious DNS Query for IP Lookup Service APIs - Add new domains
  • update: Suspicious DNS Query for IP Lookup Service APIs - Fix ip.cn
  • update: Suspicious Msiexec Execute Arbitrary DLL - Update rule to use the windash modifier
  • update: Suspicious Msiexec Quiet Install From Remote Location - Update rule to use the windash modifier
  • update: Suspicious Network Connection to IP Lookup Service APIs - Add new domains
  • update: Suspicious Network Connection to IP Lookup Service APIs - Fix ip.cn
  • update: Suspicious Response File Execution Via Odbcconf.EXE - Update rule to use the windash modifier
  • update: Sysmon Configuration Update - Update rule to use the windash modifier
  • update: Sysmon Driver Altitude Change - Update logic to avoid hardcoded HKLM values
  • update: Uncommon Outbound Kerberos Connection - Security - Update filter to include device type paths and reduce the level to "medium"
  • update: Uncommon Outbound Kerberos Connection - Update filters to include tomcat and reduce the level to "medium"
  • update: Uninstall Sysinternals Sysmon - Update rule to use the windash modifier
  • update: WebDav Put Request - Update rule to use cidr modifier
  • update: Windows Defender Service Disabled - Registry - Update logic to avoid hardcoded HKLM values

Removed / Deprecated Rules

  • remove: Adwind RAT / JRAT - Registry
  • remove: Service Binary in Uncommon Folder

Fixed Rules

  • fix: EVTX Created In Uncommon Location - Reduce level and remove filters
  • fix: Files With System Process Name In Unsuspected Locations - Add additional paths
  • fix: Microsoft VBA For Outlook Addin Loaded Via Outlook - Fix incorrect use of "modifier"
  • fix: New RUN Key Pointing to Suspicious Folder
  • fix: New TimeProviders Registered With Uncommon DLL Name - Add new legitimate entry to avoid FPs

Acknowledgement

Thanks to @cyb3rjy0t, @frack113, @joshnck, @LAripping, @nasbench, @phantinuss, @security-companion, @xiangchen96, @X-Junior for their contribution to this release

Which Sigma rule package should I use?

A detailed explanation can be found in the Releases.md file. If you are new to Sigma, we recommend starting with the "Core" ruleset.

The latest release package on GitHub can always be found here.

Release r2024-03-11

11 Mar 20:22
1758511

New Rules

  • new: Active Directory Certificate Services Denied Certificate Enrollment Request
  • new: CrackMapExec File Indicators
  • new: Github Push Protection Bypass Detected
  • new: Github Push Protection Disabled
  • new: Github Secret Scanning Feature Disabled
  • new: No Suitable Encryption Key Found For Generating Kerberos Ticket
  • new: OpenCanary - FTP Login Attempt
  • new: OpenCanary - GIT Clone Request
  • new: OpenCanary - HTTP GET Request
  • new: OpenCanary - HTTP POST Login Attempt
  • new: OpenCanary - HTTPPROXY Login Attempt
  • new: OpenCanary - MSSQL Login Attempt Via SQLAuth
  • new: OpenCanary - MSSQL Login Attempt Via Windows Authentication
  • new: OpenCanary - MySQL Login Attempt
  • new: OpenCanary - NTP Monlist Request
  • new: OpenCanary - REDIS Action Command Attempt
  • new: OpenCanary - SIP Request
  • new: OpenCanary - SMB File Open Request
  • new: OpenCanary - SNMP OID Request
  • new: OpenCanary - SSH Login Attempt
  • new: OpenCanary - SSH New Connection Attempt
  • new: OpenCanary - TFTP Request
  • new: OpenCanary - Telnet Login Attempt
  • new: OpenCanary - VNC Connection Attempt
  • new: Potential Raspberry Robin CPL Execution Activity
  • new: Potential SentinelOne Shell Context Menu Scan Command Tampering
  • new: Renamed NirCmd.EXE Execution
  • new: Shell Context Menu Command Tampering

Updated Rules

  • update: File Enumeration Via Dir Command - Update logic to additionally use a wildcard for better accuracy.
  • update: Potential PowerShell Execution Via DLL - Add regsvr32 to increase coverage.
  • update: Remote Access Tool - ScreenConnect Potential Suspicious Remote Command Execution - Add more potential child processes seen in the wild
  • update: Unsigned DLL Loaded by Windows Utility - Add InstallUtil, RegAsm and RegSvcs as additional processes and add additional "null" and "empty" filters to cover for non-available fields.
  • update: Wlrmdr.EXE Uncommon Argument Or Child Process - Update metadata, add new filters and use the windash modifier.

Removed / Deprecated Rules

  • remove: CrackMapExec File Creation Patterns
  • remove: Suspicious Epmap Connection

Fixed Rules

  • fix: Dbghelp/Dbgcore DLL Loaded By Uncommon/Suspicious Process - Add multiple new FP filters seen in the wild
  • fix: Potential Credential Dumping Activity Via LSASS - remove legitimate access mask
  • fix: Potential System DLL Sideloading From Non System Locations - Add multiple new FP filters seen in the wild
  • fix: Remote Thread Creation In Uncommon Target Image - add optional filter for the Xerox Print Job Event Manager Service calling spoolsrv
  • fix: Uncommon Assistive Technology Applications Execution Via AtBroker.EXE - Add more builtin ATs to the list

Acknowledgement

Thanks to @benmontour, @CrimpSec, @defensivedepth, @faisalusuf, @frack113, @nasbench, @qasimqlf, @secDre4mer, @snajafov, @swachchhanda000, @tr0mb1r, @X-Junior for their contribution to this release

Which Sigma rule package should I use?

A detailed explanation can be found in the Releases.md file. If you are new to Sigma, we recommend starting with the "Core" ruleset.

The latest release package on GitHub can always be found here.

Release r2024-02-26

26 Feb 21:58
6b8cd1f

New Rules

  • new: AWS Console GetSigninToken Potential Abuse
  • new: Bitbucket Audit Log Configuration Updated
  • new: Bitbucket Full Data Export Triggered
  • new: Bitbucket Global Permission Changed
  • new: Bitbucket Global SSH Settings Changed
  • new: Bitbucket Global Secret Scanning Rule Deleted
  • new: Bitbucket Project Secret Scanning Allowlist Added
  • new: Bitbucket Secret Scanning Exempt Repository Added
  • new: Bitbucket Secret Scanning Rule Deleted
  • new: Bitbucket Unauthorized Access To A Resource
  • new: Bitbucket Unauthorized Full Data Export Triggered
  • new: Bitbucket User Details Export Attempt Detected
  • new: Bitbucket User Login Failure
  • new: Bitbucket User Login Failure Via SSH
  • new: Bitbucket User Permissions Export Attempt
  • new: CVE-2024-1708 - ScreenConnect Path Traversal Exploitation
  • new: CVE-2024-1708 - ScreenConnect Path Traversal Exploitation - Security
  • new: CVE-2024-1709 - ScreenConnect Authentication Bypass Exploitation
  • new: DNS Query Request To OneLaunch Update Service
  • new: DPRK Threat Actor - C2 Communication DNS Indicators
  • new: HackTool - CobaltStrike Malleable Profile Patterns - Proxy
  • new: Potentially Suspicious File Download From File Sharing Domain Via PowerShell.EXE
  • new: Remote Access Tool - ScreenConnect Backstage Mode Anomaly 2
  • new: Remote Access Tool - ScreenConnect Remote Execution
  • new: Remote Access Tool - ScreenConnect Server Web Shell Execution
  • new: Remote Access Tool - Simple Help Execution
  • new: ScreenConnect - SlashAndGrab Exploitation Indicators
  • new: ScreenConnect User Database Modification
  • new: ScreenConnect User Database Modification - Security
  • new: Suspicious File Download From IP Via Wget.EXE - Paths
  • new: User Added To Highly Privileged Group

Updated Rules

  • update: APT User Agent - Add UA used by RedCurl APT
  • update: Chafer Malware URL Pattern - Reduce level to high and move to ET folder
  • update: Console CodePage Lookup Via CHCP - Increase coverage by adding the "/" form of the command flags
  • update: Curl Download And Execute Combination - Increase coverage by adding the "/" form of the command flags
  • update: File Deletion Via Del - Increase coverage by adding the "/" form of the command flags
  • update: Files And Subdirectories Listing Using Dir - Increase coverage by adding the "/" form of the command flags
  • update: Mshtml.DLL RunHTMLApplication Suspicious Usage - Merge overlapping rules and enhance logic to account for new reported bypass
  • update: New Generic Credentials Added Via Cmdkey.EXE - Increase coverage by adding the "/" form of the command flags
  • update: Remote Access Tool - ScreenConnect Installation Execution - Reduce level to medium
  • update: Remote Access Tool - ScreenConnect Potential Suspicious Remote Command Execution - Update logic and reduce the level to medium
  • update: Remote Access Tool - ScreenConnect Remote Command Execution - Hunting - Move the rule to Hunting
  • update: Remote Access Tool - ScreenConnect Remote Command Execution - Reduce level to low
  • update: Suspicious Ping/Copy Command Combination - Increase coverage by adding the "/" form of the command flags
  • update: Suspicious PowerShell IEX Execution Patterns - Enhance coverage by adding new "IEX" variant
  • update: Suspicious Service Installation Script - Increase coverage by adding the "/" form of the command flags
  • update: Weak or Abused Passwords In CLI - Add additional password seen abused in the wild

Removed / Deprecated Rules

  • remove: CobaltStrike Malformed UAs in Malleable Profiles
  • remove: CobaltStrike Malleable (OCSP) Profile
  • remove: CobaltStrike Malleable Amazon Browsing Traffic Profile
  • remove: CobaltStrike Malleable OneDrive Browsing Traffic Profile
  • remove: Rundll32 JS RunHTMLApplication Pattern
  • remove: Suspicious Rundll32 Script in CommandLine
  • remove: iOS Implant URL Pattern

Acknowledgement

Thanks to @clebron23, @faisalusuf, @frack113, @joshnck, @MalGamy, @MATTANDERS0N, @nasbench, @qasimqlf, @RG9n for their contribution to this release

Which Sigma rule package should I use?

A detailed explanation can be found in the Releases.md file. If you are new to Sigma, we recommend starting with the "Core" ruleset.

The latest release package on GitHub can always be found here.

Release r2024-02-12

12 Feb 18:46
7509f6a

New Rules

  • new: Exploitation Indicator Of CVE-2022-42475
  • new: Interesting Service Enumeration Via Sc.EXE
  • new: Loaded Module Enumeration Via Tasklist.EXE
  • new: New Self Extracting Package Created Via IExpress.EXE
  • new: Potentially Suspicious Self Extraction Directive File Created
  • new: Remote Access Tool - AnyDesk Execution With Known Revoked Signing Certificate
  • new: Self Extracting Package Creation Via Iexpress.EXE From Potentially Suspicious Location
  • new: Self Extraction Directive File Created In Potentially Suspicious Location
  • new: System Disk And Volume Reconnaissance Via Wmic.EXE

Updated Rules

  • update: BITS Transfer Job Download From File Sharing Domains - Add additional domains
  • update: Dfsvc.EXE Initiated Network Connection Over Uncommon Port - Update image and list of ports
  • update: External Disk Drive Or USB Storage Device Was Recognized By The System - Update selection to reflect the logic correctly
  • update: HH.EXE Initiated HTTP Network Connection - Update list of ports
  • update: Hacktool Execution - Imphash - Add EventLogCrasher imphash
  • update: Microsoft Binary Suspicious Communication Endpoint - Enhance list of paths and filters
  • update: Msiexec.EXE Initiated Network Connection Over HTTP - Update destination ports
  • update: Network Connection Initiated To Mega.nz - Update domains
  • update: Office Application Initiated Network Connection Over Uncommon Ports - Update list of ports
  • update: Office Application Initiated Network Connection To Non-Local IP - update list of filters
  • update: Potential Dead Drop Resolvers - Add abuse.ch
  • update: Potential Dead Drop Resolvers - Update domains and filters
  • update: RDP Sensitive Settings Changed - Add DisableRemoteDesktopAntiAlias and DisableSecuritySettings as seen used by DarkGate malware
  • update: Remote CHM File Download/Execution Via HH.EXE - Enhance logic
  • update: Rundll32 Execution With Uncommon DLL Extension - Update the selection to allow for additional quoted cases such as rundll32 "shell32.dll",ShellExec_RunDLL
  • update: Suspicious DNS Query for IP Lookup Service APIs - Add ipconfig.io domain
  • update: Suspicious Download From File-Sharing Website Via Bitsadmin - Add additional domains
  • update: Suspicious File Download From File Sharing Domain Via Curl.EXE - Add additional domains
  • update: Suspicious File Download From File Sharing Websites - Add additional domains
  • update: Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE - Add additional domains
  • update: Suspicious Network Connection to IP Lookup Service APIs - Add ipconfig.io domain
  • update: Suspicious Remote AppX Package Locations - Add additional domains
  • update: Unusual File Download From File Sharing Websites - Add additional domains

Removed / Deprecated Rules

  • remove: Suspicious Non-Browser Network Communication With Reddit API

Fixed Rules

  • fix: Dllhost.EXE Initiated Network Connection To Non-Local IP Address - Add additional filter
  • fix: HackTool - EDRSilencer Execution - Filter Added - Fix error in logsource
  • fix: Outbound RDP Connections Over Non-Standard Tools - Add missing field name
  • fix: Outbound RDP Connections Over Non-Standard Tools - Update filters
  • fix: Potential Dropper Script Execution Via WScript/CScript - Fix error in rule status
  • fix: Potential Fake Instance Of Hxtsr.EXE Executed - Use Image field in filter
  • fix: Rundll32 Execution With Uncommon DLL Extension - Error in filter logic
  • fix: SC.EXE Query Execution - Add keybase filter
  • fix: Uncommon Service Installation Image Path - Update filter logic to use correct modifiers

Acknowledgement

Thanks to @douglasrose75, @frack113, @jstnk9, @nasbench, @Neo23x0, @omaramin17, @phantinuss, @prashanthpulisetti, @qasimqlf, @slincoln-aiq, @swachchhanda000, @xiangchen96, @X-Junior for their contribution to this release

Which Sigma rule package should I use?

A detailed explanation can be found in the Releases.md file. If you are new to Sigma, we recommend starting with the "Core" ruleset.

The latest release package on GitHub can always be found here.

Release r2024-01-29

29 Jan 18:30
be359ef

New Rules

  • new: CodePage Modification Via MODE.COM
  • new: CodePage Modification Via MODE.COM To Russian Language
  • new: HackTool - EDRSilencer Execution - Filter Added
  • new: HackTool - SharpMove Tool Execution
  • new: Pikabot Fake DLL Extension Execution Via Rundll32.EXE
  • new: Rare Remote Thread Creation By Uncommon Source Image - A split of 66d31e5f-52d6-40a4-9615-002d3789a119
  • new: Unsigned DLL Loaded by RunDLL32/RegSvr32

Updated Rules

  • update: All Rules Have Been Deleted From The Windows Firewall Configuration - Remove program files filter to increase coverage, as deleting rules shouldn't be "normal" behavior.
  • update: CVE-2023-38331 Exploitation Attempt - Suspicious WinRAR Child Process - Increase coverage
  • update: CreateRemoteThread API and LoadLibrary - Reduce level to medium and convert to a TH rule
  • update: Critical Hive In Suspicious Location Access Bits Cleared - Enhance metadata and logic
  • update: Malicious PowerShell Commandlets - PoshModule - "Start-Dnscat2"
  • update: Malicious PowerShell Commandlets - ProcessCreation - "Start-Dnscat2"
  • update: Malicious PowerShell Commandlets - ScriptBlock - "Start-Dnscat2"
  • update: Malicious PowerShell Scripts - FileCreation - Add "dnscat2.ps1"
  • update: Malicious PowerShell Scripts - PoshModule - Add "dnscat2.ps1"
  • update: Monitoring For Persistence Via BITS - Use "Image" and "OriginalFileName" fields instead of CLI only
  • update: Network Communication With Crypto Mining Pool - new domains from miningocean.org
  • update: New Firewall Rule Added In Windows Firewall Exception List For Potential Suspicious Application - Add additional paths to increase coverage
  • update: New Process Created Via Taskmgr.EXE - Added full paths to the filtered binaries to decrease false negatives
  • update: New or Renamed User Account with '$' Character - Reduced level to "medium"
  • update: Potential Dropper Script Execution Via WScript/CScript - Rewrote the logic by removing the paths "C:\Users" and "C:\ProgramData", as these are very common and would generate a high FP rate. Instead, switched to a more robust list of paths and extended the list of extensions covered. Also reduced the level to "medium"
  • update: Potential Fake Instance Of Hxtsr.EXE Executed - Remove "C:" prefix from detection logic
  • update: Potential Pikabot C2 Activity - Added "searchfilterhost.exe"
  • update: Potential Pikabot Discovery Activity - Added "SearchProtocolHost.exe" and "SearchFilterHost.exe"
  • update: Potential Pikabot Hollowing Activity - Added "searchfilterhost"
  • update: Powershell Install a DLL in System Directory - enhance rule context in big script blocks
  • update: Prefetch File Deleted - Update selection to remove 'C:' prefix
  • update: Remote Thread Creation By Uncommon Source Image - Reduced level to medium and move high indicators to 02d1d718-dd13-41af-989d-ea85c7fab93f
  • update: Rundll32 Execution With Uncommon DLL Extension - Enhanced FP filters
  • update: Sensitive File Access Via Volume Shadow Copy Backup - Made the rule more generic by updating the title and removing the IOC from conti. (will be added in a dedicated rule)
  • update: Shell Process Spawned by Java.EXE - Add "bash.exe"
  • update: Suspicious PowerShell Download - Powershell Script - Add "DownloadFileAsync" and "DownloadStringAsync" functions
  • update: Suspicious Processes Spawned by Java.EXE - Remove "bash.exe" as it doesn't fit the logic
  • update: Sysmon Application Crashed - Add 32bit version of sysmon binary
  • update: Tap Driver Installation - Security - Reduce level to "low"
  • update: Write Protect For Storage Disabled - Remove "storagedevicepolicies" as the string "storage" already covers it

Removed / Deprecated Rules

  • remove: Dnscat Execution - Deprecated in favour of an integration in the "Malicious PowerShell Cmdlet" type of rules
  • remove: SAM Dump to AppData

Fixed Rules

  • fix: CobaltStrike Named Pipe Patterns - Add Websense named pipe filter
  • fix: EventLog Query Requests By Builtin Utilities - Typo in wmic process name
  • fix: Firewall Rule Modified In The Windows Firewall Exception List - new optional filter Brave browser
  • fix: Kerberos Manipulation - Update field to use Status instead of incorrect "FailureCode"
  • fix: Metasploit SMB Authentication - Remove unnecessary field
  • fix: Outbound RDP Connections Over Non-Standard Tools - new FP filter for RAS TSplus
  • fix: PowerShell Core DLL Loaded By Non PowerShell Process - new optional filter for chocolatey
  • fix: Remote Thread Creation In Mstsc.Exe From Suspicious Location - Fix a broken path string
  • fix: Remote Thread Creation In Uncommon Target Image - Reduce level to medium and remove explorer as target due to FP rates.
  • fix: Service Installation in Suspicious Folder - Update FP filter
  • fix: Uncommon New Firewall Rule Added In Windows Firewall Exception List - Fix the filters to be more generic

Acknowledgement

Thanks to @CrimpSec, @frack113, @jstnk9, @nasbench, @phantinuss, @qasimqlf, @slincoln-aiq, @swachchhanda000, @t-pol, @tr0mb1r, @xiangchen96 for their contribution to this release

Which Sigma rule package should I use?

A detailed explanation can be found in the Releases.md file. If you are new to Sigma, we recommend starting with the "Core" ruleset.

The latest release package on GitHub can always be found here.

Release r2024-01-15

15 Jan 18:31
r2024-01-15
3fb5392

New Rules

  • new: Binary Proxy Execution Via Dotnet-Trace.EXE
  • new: Forfiles.EXE Child Process Masquerading
  • new: GCP Access Policy Deleted
  • new: GCP Break-glass Container Workload Deployed
  • new: Google Workspace Application Access Levels Modified
  • new: HackTool - EDRSilencer Execution
  • new: HackTool - NoFilter Execution
  • new: PUA - PingCastle Execution
  • new: PUA - PingCastle Execution From Potentially Suspicious Parent
  • new: Peach Sandstorm APT Process Activity Indicators
  • new: Potential Peach Sandstorm APT C2 Communication Activity
  • new: Potential Persistence Via AppCompat RegisterAppRestart Layer
  • new: Potential Pikabot Infection - Suspicious Command Combinations Via Cmd.EXE
  • new: Renamed PingCastle Binary Execution
  • new: System Control Panel Item Loaded From Uncommon Location
  • new: System Information Discovery Using System_Profiler
  • new: System Integrity Protection (SIP) Disabled
  • new: System Integrity Protection (SIP) Enumeration
  • new: Windows Filtering Platform Blocked Connection From EDR Agent Binary

Updated Rules

  • update: Creation Of Non-Existent System DLL - Remove drive anchor and the System32 filter. The reason behind this is that an attacker can copy the file elsewhere and then use a system utility such as copy or xcopy located in the system32 folder to create it again, which would bypass the rule.
  • update: Findstr Launching .lnk File - Increase coverage by adding cases where the commandline ends with a double or a single quote.
  • update: Forfiles Command Execution - Remove unnecessary selection and enhance metadata information
  • update: Hacktool Execution - Imphash - Add additional imphash values to increase coverage
  • update: Hacktool Named File Stream Created - Added new Imphash values for EDRSandBlast, EDRSilencer and Forensia utilities.
  • update: Hypervisor Enforced Code Integrity Disabled - Add additional path for the HVCI config
  • update: Potential DLL Sideloading Of Non-Existent DLLs From System Folders - Add SignatureStatus in the filter to exclude only valid signatures and decrease bypass.
  • update: Potential Persistence Via MyComputer Registry Keys - Remove SOFTWARE registry key anchor to increase coverage for WOW6432Node cases
  • update: Potential System DLL Sideloading From Non System Locations - Add iernonce.dll
  • update: Potential System DLL Sideloading From Non System Locations - Remove the drive anchor from the filter to catch cases where the system is installed on a drive other than the default C:
  • update: Powershell Defender Disable Scan Feature - Add additional PowerShell MpPreference Cmdlets
  • update: Remote PowerShell Session (PS Classic) - Reduce level to low
  • update: Screen Capture Activity Via Psr.EXE - Add -start commandline variation
  • update: System Information Discovery Using Ioreg - enhanced coverage with additional flags and cli options
  • update: Tamper Windows Defender - PSClassic - Add additional PowerShell MpPreference Cmdlets
  • update: Tamper Windows Defender - ScriptBlockLogging - Add additional PowerShell MpPreference Cmdlets
  • update: Uncommon Extension Shim Database Installation Via Sdbinst.EXE - Add additional commandline flag that might trigger FPs

Removed / Deprecated Rules

  • remove: Svchost DLL Search Order Hijack - Deprecated in favor of the rule 6b98b92b-4f00-4f62-b4fe-4d1920215771. The reason is that for legitimate cases where the DLL is still present we can't filter out anything. We assume that the loading is done by a non-valid/unsigned DLL, which will catch most cases. In case the attacker has the option to sign the DLL with a valid signature, he can bypass the rule.

Fixed Rules

  • fix: Enable LM Hash Storage - ProcCreation - Removed trailing slash from registry path
  • fix: Potentially Suspicious EventLog Recon Activity Using Log Query Utilities - Fix typo in WMIC image name
  • fix: Suspicious Greedy Compression Using Rar.EXE - Fix error in path selection
  • fix: Suspicious Redirection to Local Admin Share - Add missing CommandLine field selection
  • fix: System Information Discovery Via Wmic.EXE - Move to threat hunting and add additional filter to reduce noise coming from VMware Tools

Acknowledgement

Thanks to @ahouspan, @bohops, @danielgottt, @frack113, @joshnck, @jstnk9, @meiliumeiliu, @MrSeccubus, @nasbench, @Neo23x0, @phantinuss, @qasimqlf, @slincoln-aiq, @st0pp3r, @tr0mb1r, @Tuutaans, @X-Junior, @zestsg for their contribution to this release

Which Sigma rule package should I use?

A detailed explanation can be found in the Releases.md file. If you are new to Sigma, we recommend starting with the "Core" ruleset.

The latest release package on GitHub can always be found here.