Sigma Versions Save

Main Sigma Rule Repository

r2024-03-26

1 month ago

New Rules

new: CVE-2024-1212 Exploitation - Progress Kemp LoadMaster Unauthenticated Command Injection
new: Certificate-Based Authentication Enabled
new: Container With A hostPath Mount Created
new: Creation Of Pod In System Namespace
new: Deployment Deleted From Kubernetes Cluster
new: Kubernetes Events Deleted
new: Kubernetes Secrets Enumeration
new: MaxMpxCt Registry Value Changed
new: New Kubernetes Service Account Created
new: New Root Certificate Authority Added
new: Potential KamiKakaBot Activity - Lure Document Execution
new: Potential KamiKakaBot Activity - Shutdown Schedule Task Creation
new: Potential KamiKakaBot Activity - Winlogon Shell Persistence
new: Potential Remote Command Execution In Pod Container
new: Potential Sidecar Injection Into Running Deployment
new: Privileged Container Deployed
new: RBAC Permission Enumeration Attempt
new: Remote Access Tool - Team Viewer Session Started On Linux Host
new: Remote Access Tool - Team Viewer Session Started On MacOS Host
new: Remote Access Tool - Team Viewer Session Started On Windows Host
new: Service Binary in User Controlled Folder

Updated Rules

update: Add Port Monitor Persistence in Registry - Update logic to avoid hardcoded HKLM values
update: CVE-2020-1048 Exploitation Attempt - Suspicious New Printer Ports - Registry - Add more entries to increase coverage and update metadata information
update: Capture Credentials with Rpcping.exe - Update rule to use the windash modifier
update: Change Winevt Channel Access Permission Via Registry - Update logic to avoid hardcoded HKLM values
update: Changing Existing Service ImagePath Value Via Reg.EXE - Update rule to use the windash modifier
update: Communication To Uncommon Destination Ports - Add link-local address range
update: Default RDP Port Changed to Non Standard Port - Update logic to avoid hardcoded HKLM values
update: Dfsvc.EXE Network Connection To Non-Local IPs - Update rule to use cidr modifier
update: Disable Administrative Share Creation at Startup - Update logic to avoid hardcoded HKLM values
update: Disable Microsoft Defender Firewall via Registry - Update logic to avoid hardcoded HKLM values
update: Disable Windows Event Logging Via Registry - Update logic to avoid hardcoded HKLM values
update: Diskshadow Script Mode Execution - Update rule to use the windash modifier
update: Displaying Hidden Files Feature Disabled - Update logic to avoid hardcoded HKLM values
update: DllUnregisterServer Function Call Via Msiexec.EXE - Update rule to use the windash modifier
update: Exports Critical Registry Keys To a File - Update rule to use the windash modifier
update: Exports Registry Key To a File - Update rule to use the windash modifier
update: FlowCloud Registry Marker - Update logic to avoid hardcoded HKLM values
update: IIS Native-Code Module Command Line Installation - Update rule to use the windash modifier
update: Imports Registry Key From a File - Update rule to use the windash modifier
update: Imports Registry Key From an ADS - Update rule to use the windash modifier
update: Kernel Memory Dump Via LiveKD - Update rule to use the windash modifier
update: Loaded Module Enumeration Via Tasklist.EXE - Update rule to use the windash modifier
update: Microsoft Sync Center Suspicious Network Connections - Add link-local address range
update: Msiexec Quiet Installation - Update rule to use the windash modifier
update: Network Connection Initiated By PowerShell Process - Update rule to use cidr modifier
update: New PortProxy Registry Entry Added - Update logic to avoid hardcoded HKLM values
update: Office Application Initiated Network Connection To Non-Local IP - Update rule to use cidr modifier
update: Outbound Network Connection To Public IP Via Winlogon - Add link-local address range
update: Potential Arbitrary Command Execution Using Msdt.EXE - Update rule to use the windash modifier
update: Potential CVE-2023-23397 Exploitation Attempt - SMB - Update rule to use cidr modifier
update: Potential CobaltStrike Service Installations - Registry - Update logic to avoid hardcoded HKLM values
update: Potential Execution of Sysinternals Tools - Update rule to use the windash modifier
update: Potential LSASS Process Dump Via Procdump - Update rule to use the windash modifier
update: Potential Regsvr32 Commandline Flag Anomaly - Update rule to use the windash modifier
update: Potentially Suspicious CMD Shell Output Redirect - Enhance logic
update: Potentially Suspicious Malware Callback Communication - Add link-local address range
update: Potentially Suspicious Wuauclt Network Connection - Update rule to use cidr modifier
update: Publicly Accessible RDP Service - Add link-local address range
update: RDP Over Reverse SSH Tunnel - Update rule to use cidr modifier
update: Register New IFiltre For Persistence - Update logic to avoid hardcoded HKLM values
update: Registry Persistence via Service in Safe Mode - Update logic to avoid hardcoded HKLM values
update: Replace.exe Usage - Update rule to use the windash modifier
update: Run Once Task Configuration in Registry - Update logic to avoid hardcoded HKLM values
update: Rundll32 Internet Connection - Add link-local address range
update: Script Initiated Connection to Non-Local Network - Update rule to use cidr modifier
update: Search-ms and WebDAV Suspicious Indicators in URL - Add link-local address range
update: Security Support Provider (SSP) Added to LSA Configuration - Update logic to avoid hardcoded HKLM values
update: ServiceDll Hijack - Update logic to avoid hardcoded HKLM values
update: Suspicious Cabinet File Execution Via Msdt.EXE - Update rule to use the windash modifier
update: Suspicious Command Patterns In Scheduled Task Creation - Enhance logic
update: Suspicious DNS Query for IP Lookup Service APIs - Add new domains
update: Suspicious DNS Query for IP Lookup Service APIs - Fix ip.cn
update: Suspicious Msiexec Execute Arbitrary DLL - Update rule to use the windash modifier
update: Suspicious Msiexec Quiet Install From Remote Location - Update rule to use the windash modifier
update: Suspicious Network Connection to IP Lookup Service APIs - Add new domains
update: Suspicious Network Connection to IP Lookup Service APIs - Fix ip.cn
update: Suspicious Response File Execution Via Odbcconf.EXE - Update rule to use the windash modifier
update: Sysmon Configuration Update - Update rule to use the windash modifier
update: Sysmon Driver Altitude Change - Update logic to avoid hardcoded HKLM values
update: Uncommon Outbound Kerberos Connection - Security - Update filter to include device type paths and reduce the level to "medium"
update: Uncommon Outbound Kerberos Connection - Update filters to include tomcat and reduce the level to "medium"
update: Uninstall Sysinternals Sysmon - Update rule to use the windash modifier
update: WebDav Put Request - Update rule to use cidr modifier
update: Windows Defender Service Disabled - Registry - Update logic to avoid hardcoded HKLM values

Removed / Deprecated Rules

remove: Adwind RAT / JRAT - Registry
remove: Service Binary in Uncommon Folder

Fixed Rules

fix: EVTX Created In Uncommon Location - Reduce level and remove filters
fix: Files With System Process Name In Unsuspected Locations - Add additional paths
fix: Microsoft VBA For Outlook Addin Loaded Via Outlook - Fix incorrect use of "modifier"
fix: New RUN Key Pointing to Suspicious Folder
fix: New TimeProviders Registered With Uncommon DLL Name - Add new legitimate entry to avoid FPs

Acknowledgement

Thanks to @cyb3rjy0t, @frack113, @joshnck, @LAripping , @nasbench, @phantinuss, @security-companion, @xiangchen96, @X-Junior for their contribution to this release

Which Sigma rule package should I use?

A detailed explanation can be found in the Releases.md file. If you are new to Sigma, we recommend starting with the "Core" ruleset.

The latest release package on GitHub can always be found here.

r2024-03-11

1 month ago

New Rules

new: Active Directory Certificate Services Denied Certificate Enrollment Request
new: CrackMapExec File Indicators
new: Github Push Protection Bypass Detected
new: Github Push Protection Disabled
new: Github Secret Scanning Feature Disabled
new: No Suitable Encryption Key Found For Generating Kerberos Ticket
new: OpenCanary - FTP Login Attempt
new: OpenCanary - GIT Clone Request
new: OpenCanary - HTTP GET Request
new: OpenCanary - HTTP POST Login Attempt
new: OpenCanary - HTTPPROXY Login Attempt
new: OpenCanary - MSSQL Login Attempt Via SQLAuth
new: OpenCanary - MSSQL Login Attempt Via Windows Authentication
new: OpenCanary - MySQL Login Attempt
new: OpenCanary - NTP Monlist Request
new: OpenCanary - REDIS Action Command Attempt
new: OpenCanary - SIP Request
new: OpenCanary - SMB File Open Request
new: OpenCanary - SNMP OID Request
new: OpenCanary - SSH Login Attempt
new: OpenCanary - SSH New Connection Attempt
new: OpenCanary - TFTP Request
new: OpenCanary - Telnet Login Attempt
new: OpenCanary - VNC Connection Attempt
new: Potential Raspberry Robin CPL Execution Activity
new: Potential SentinelOne Shell Context Menu Scan Command Tampering
new: Renamed NirCmd.EXE Execution
new: Shell Context Menu Command Tampering

Updated Rules

update: File Enumeration Via Dir Command - Update logic to use a wildcard in addition, for better accuracy.
update: Potential PowerShell Execution Via DLL - Add regsvr32 to increase coverage.
update: Remote Access Tool - ScreenConnect Potential Suspicious Remote Command Execution - Add more potential child process seen in the wild
update: Unsigned DLL Loaded by Windows Utility - Add InstallUtil, RegAsm and RegSvcs as additional process and add additional "null" and "empty" filters to cover for non available fields.
update: Wlrmdr.EXE Uncommon Argument Or Child Process - Update metadata, add new filters and use the windash modifier.

Removed / Deprecated Rules

remove: CrackMapExec File Creation Patterns
remove: Suspicious Epmap Connection

Fixed Rules

fix: Dbghelp/Dbgcore DLL Loaded By Uncommon/Suspicious Process - Add multiple new FP filters seen in the wild
fix: Potential Credential Dumping Activity Via LSASS - remove legitimate access mask
fix: Potential System DLL Sideloading From Non System Locations - Add multiple new FP filters seen in the wild
fix: Remote Thread Creation In Uncommon Target Image - add optional filter for the Xerox Print Job Event Manager Service calling spoolsrv
fix: Uncommon Assistive Technology Applications Execution Via AtBroker.EXE - Add more builtin ATs to the list

Acknowledgement

Thanks to @benmontour, @CrimpSec, @defensivedepth, @faisalusuf, @frack113, @nasbench, @qasimqlf, @secDre4mer, @snajafov, @swachchhanda000, @tr0mb1r, @X-Junior for their contribution to this release

Which Sigma rule package should I use?

A detailed explanation can be found in the Releases.md file. If you are new to Sigma, we recommend starting with the "Core" ruleset.

The latest release package on GitHub can always be found here.

r2024-02-26

2 months ago

New Rules

new: AWS Console GetSigninToken Potential Abuse
new: Bitbucket Audit Log Configuration Updated
new: Bitbucket Full Data Export Triggered
new: Bitbucket Global Permission Changed
new: Bitbucket Global SSH Settings Changed
new: Bitbucket Global Secret Scanning Rule Deleted
new: Bitbucket Project Secret Scanning Allowlist Added
new: Bitbucket Secret Scanning Exempt Repository Added
new: Bitbucket Secret Scanning Rule Deleted
new: Bitbucket Unauthorized Access To A Resource
new: Bitbucket Unauthorized Full Data Export Triggered
new: Bitbucket User Details Export Attempt Detected
new: Bitbucket User Login Failure
new: Bitbucket User Login Failure Via SSH
new: Bitbucket User Permissions Export Attempt
new: CVE-2024-1708 - ScreenConnect Path Traversal Exploitation
new: CVE-2024-1708 - ScreenConnect Path Traversal Exploitation - Security
new: CVE-2024-1709 - ScreenConnect Authentication Bypass Exploitation
new: DNS Query Request To OneLaunch Update Service
new: DPRK Threat Actor - C2 Communication DNS Indicators
new: HackTool - CobaltStrike Malleable Profile Patterns - Proxy
new: Potentially Suspicious File Download From File Sharing Domain Via PowerShell.EXE
new: Remote Access Tool - ScreenConnect Backstage Mode Anomaly 2
new: Remote Access Tool - ScreenConnect Remote Execution
new: Remote Access Tool - ScreenConnect Server Web Shell Execution
new: Remote Access Tool - Simple Help Execution
new: ScreenConnect - SlashAndGrab Exploitation Indicators
new: ScreenConnect User Database Modification
new: ScreenConnect User Database Modification - Security
new: Suspicious File Download From IP Via Wget.EXE - Paths
new: User Added To Highly Privileged Group

Updated Rules

update: APT User Agent - Add UA used by RedCurl APT
update: Chafer Malware URL Pattern - Reduce level to high and move to ET folder
update: Console CodePage Lookup Via CHCP - Increase coverage by adding for the "/" option in commands flags
update: Curl Download And Execute Combination - Increase coverage by adding for the "/" option in commands flags
update: File Deletion Via Del - Increase coverage by adding for the "/" option in commands flags
update: Files And Subdirectories Listing Using Dir - Increase coverage by adding for the "/" option in commands flags
update: Mshtml.DLL RunHTMLApplication Suspicious Usage - Merge overlapping rules and enhance logic to account for new reported bypass
update: New Generic Credentials Added Via Cmdkey.EXE - Increase coverage by adding for the "/" option in commands flags
update: Remote Access Tool - ScreenConnect Installation Execution - Reduce level to medium
update: Remote Access Tool - ScreenConnect Potential Suspicious Remote Command Execution - Update logic and reduce the level to medium
update: Remote Access Tool - ScreenConnect Remote Command Execution - Hunting - Move the rule to Hunting
update: Remote Access Tool - ScreenConnect Remote Command Execution - Reduce level to low
update: Suspicious Ping/Copy Command Combination - Increase coverage by adding for the "/" option in commands flags
update: Suspicious PowerShell IEX Execution Patterns - Enhance coverage by adding new "IEX" variant
update: Suspicious Service Installation Script - Increase coverage by adding for the "/" option in commands flags
update: Weak or Abused Passwords In CLI - Add additional password seen abused in the wild

Removed / Deprecated Rules

remove: CobaltStrike Malformed UAs in Malleable Profiles
remove: CobaltStrike Malleable (OCSP) Profile
remove: CobaltStrike Malleable Amazon Browsing Traffic Profile
remove: CobaltStrike Malleable OneDrive Browsing Traffic Profile
remove: Rundll32 JS RunHTMLApplication Pattern
remove: Suspicious Rundll32 Script in CommandLine
remove: iOS Implant URL Pattern

Acknowledgement

Thanks to @clebron23, @faisalusuf, @frack113, @joshnck, @MalGamy, @MATTANDERS0N, @nasbench, @qasimqlf, @RG9n for their contribution to this release

Which Sigma rule package should I use?

A detailed explanation can be found in the Releases.md file. If you are new to Sigma, we recommend starting with the "Core" ruleset.

The latest release package on GitHub can always be found here.

r2024-02-12

2 months ago

New Rules

new: Exploitation Indicator Of CVE-2022-42475
new: Interesting Service Enumeration Via Sc.EXE
new: Loaded Module Enumeration Via Tasklist.EXE
new: New Self Extracting Package Created Via IExpress.EXE
new: Potentially Suspicious Self Extraction Directive File Created
new: Remote Access Tool - AnyDesk Execution With Known Revoked Signing Certificate
new: Self Extracting Package Creation Via Iexpress.EXE From Potentially Suspicious Location
new: Self Extraction Directive File Created In Potentially Suspicious Location
new: System Disk And Volume Reconnaissance Via Wmic.EXE

Updated Rules

update: BITS Transfer Job Download From File Sharing Domains - Add additional domains
update: Dfsvc.EXE Initiated Network Connection Over Uncommon Port - Update image and list of ports
update: External Disk Drive Or USB Storage Device Was Recognized By The System - Update selection to reflect the logic correctly
update: HH.EXE Initiated HTTP Network Connection - Update list of ports
update: Hacktool Execution - Imphash - Add EventLogCrasher imphash
update: Microsoft Binary Suspicious Communication Endpoint - Enhance list of paths and filters
update: Msiexec.EXE Initiated Network Connection Over HTTP - Update destination ports
update: Network Connection Initiated To Mega.nz - Update domains
update: Office Application Initiated Network Connection Over Uncommon Ports - Update list of ports
update: Office Application Initiated Network Connection To Non-Local IP - update list of filters
update: Potential Dead Drop Resolvers - Add abuse.ch
update: Potential Dead Drop Resolvers - Update domains and filters
update: RDP Sensitive Settings Changed - Add DisableRemoteDesktopAntiAlias and DisableSecuritySettings as seen used by DarkGate malware
update: Remote CHM File Download/Execution Via HH.EXE - Enhance logic
update: Rundll32 Execution With Uncommon DLL Extension - Update the selection to allow for additional quoted cases such as rundll32 "shell32.dll",ShellExec_RunDLL
update: Suspicious DNS Query for IP Lookup Service APIs - Add ipconfig.io domain
update: Suspicious Download From File-Sharing Website Via Bitsadmin - Add additional domains
update: Suspicious File Download From File Sharing Domain Via Curl.EXE - Add additional domains
update: Suspicious File Download From File Sharing Websites - Add additional domains
update: Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE - Add additional domains
update: Suspicious Network Connection to IP Lookup Service APIs - Add ipconfig.io domain
update: Suspicious Remote AppX Package Locations - Add additional domains
update: Unusual File Download From File Sharing Websites - Add additional domains

Removed / Deprecated Rules

remove: Suspicious Non-Browser Network Communication With Reddit API

Fixed Rules

fix: Dllhost.EXE Initiated Network Connection To Non-Local IP Address - Add additional filter
fix: HackTool - EDRSilencer Execution - Filter Added - Fix error in logsource
fix: Outbound RDP Connections Over Non-Standard Tools - Add missing field name
fix: Outbound RDP Connections Over Non-Standard Tools - Update filters
fix: Potential Dropper Script Execution Via WScript/CScript - Fix error in rule status
fix: Potential Fake Instance Of Hxtsr.EXE Executed - Use Image field in filter
fix: Rundll32 Execution With Uncommon DLL Extension - Error in filter logic
fix: SC.EXE Query Execution - Add keybase filter
fix: Uncommon Service Installation Image Path - Update filter logic to use correct modifiers

Acknowledgement

Thanks to @douglasrose75, @frack113, @jstnk9, @nasbench, @Neo23x0, @omaramin17, @phantinuss, @prashanthpulisetti, @qasimqlf, @slincoln-aiq, @swachchhanda000, @xiangchen96, @X-Junior for their contribution to this release

Which Sigma rule package should I use?

A detailed explanation can be found in the Releases.md file. If you are new to Sigma, we recommend starting with the "Core" ruleset.

The latest release package on GitHub can always be found here.

r2024-01-29

3 months ago

New Rules

new: CodePage Modification Via MODE.COM
new: CodePage Modification Via MODE.COM To Russian Language
new: HackTool - EDRSilencer Execution - Filter Added
new: HackTool - SharpMove Tool Execution
new: Pikabot Fake DLL Extension Execution Via Rundll32.EXE
new: Rare Remote Thread Creation By Uncommon Source Image - A split of 66d31e5f-52d6-40a4-9615-002d3789a119
new: Unsigned DLL Loaded by RunDLL32/RegSvr32

Updated Rules

update: All Rules Have Been Deleted From The Windows Firewall Configuration - Remove program files filter to increase coverage. As deleting rules shouldn't be a "normal" behavior.
update: CVE-2023-38331 Exploitation Attempt - Suspicious WinRAR Child Process - Increase coverage
update: CreateRemoteThread API and LoadLibrary - Reduce level to medium and convert to a TH rule
update: Critical Hive In Suspicious Location Access Bits Cleared - Enhance metadata and logic
update: Malicious PowerShell Commandlets - PoshModule - "Start-Dnscat2"
update: Malicious PowerShell Commandlets - ProcessCreation - "Start-Dnscat2"
update: Malicious PowerShell Commandlets - ScriptBlock - "Start-Dnscat2"
update: Malicious PowerShell Scripts - FileCreation - Add "dnscat2.ps1"
update: Malicious PowerShell Scripts - PoshModule - Add "dnscat2.ps1"
update: Monitoring For Persistence Via BITS - Use "Image" and "OriginalFileName" fields instead of CLI only
update: Network Communication With Crypto Mining Pool - new domains from miningocean.org
update: New Firewall Rule Added In Windows Firewall Exception List For Potential Suspicious Application - Add additional paths to increase coverage
update: New Process Created Via Taskmgr.EXE - Added full paths to the filtered binaries to decrease false negatives
update: New or Renamed User Account with '$' Character - Reduced level to "medium"
update: Potential Dropper Script Execution Via WScript/CScript - Re-wrote the logic by removing the paths "C:\Users" and "C:\ProgramData". As these are very common and will generate high FP rate. Instead switched the paths to a more robust list and extended the list of extension covered. Also reduced the level to "medium"
update: Potential Fake Instance Of Hxtsr.EXE Executed - Remove "C:" prefix from detection logic
update: Potential Pikabot C2 Activity - Added "searchfilterhost.exe"
update: Potential Pikabot Discovery Activity - Added "SearchProtocolHost.exe" and "SearchFilterHost.exe"
update: Potential Pikabot Hollowing Activity - Added "searchfilterhost"
update: Powershell Install a DLL in System Directory - enhance rule context in big script blocks
update: Prefetch File Deleted - Update selection to remove 'C:' prefix
update: Remote Thread Creation By Uncommon Source Image - Reduced level to medium and move high indicators to 02d1d718-dd13-41af-989d-ea85c7fab93f
update: Rundll32 Execution With Uncommon DLL Extension - Enhanced FP filters
update: Sensitive File Access Via Volume Shadow Copy Backup - Made the rule more generic by updating the title and removing the IOC from conti. (will be added in a dedicated rule)
update: Shell Process Spawned by Java.EXE - Add "bash.exe"
update: Suspicious PowerShell Download - Powershell Script - Add "DownloadFileAsync" and "DownloadStringAsync" functions
update: Suspicious Processes Spawned by Java.EXE - Remove "bash.exe" as its doesn't fit the logic
update: Sysmon Application Crashed - Add 32bit version of sysmon binary
update: Tap Driver Installation - Security - Reduce level to "low"
update: Write Protect For Storage Disabled - Remove "storagedevicepolicies" as the string "storage" already covers it

Removed / Deprecated Rules

remove: Dnscat Execution - Deprecated in favour of an integration in the "Malicious PowerShell Cmdlet" type of rules
remove: SAM Dump to AppData

Fixed Rules

fix: CobaltStrike Named Pipe Patterns - Add Websense named pipe filter
fix: EventLog Query Requests By Builtin Utilities - Typo in wmic process name
fix: Firewall Rule Modified In The Windows Firewall Exception List - new optional filter Brave browser
fix: Kerberos Manipulation - Update field to use Status instead of incorrect "FailureCode"
fix: Metasploit SMB Authentication - Remove unnecessary field
fix: Outbound RDP Connections Over Non-Standard Tools - new FP filter for RAS TSplus
fix: PowerShell Core DLL Loaded By Non PowerShell Process - new optional filter for chocolatey
fix: Remote Thread Creation In Mstsc.Exe From Suspicious Location - Fix a broken path string
fix: Remote Thread Creation In Uncommon Target Image - Reduce level to medium and remove explorer as target due to FP rates.
fix: Service Installation in Suspicious Folder - Update FP filter
fix: Uncommon New Firewall Rule Added In Windows Firewall Exception List - Fix the filters to be more generic

Acknowledgement

Thanks to @CrimpSec, @frack113, @jstnk9, @nasbench, @phantinuss, @qasimqlf, @slincoln-aiq, @swachchhanda000, @t-pol, @tr0mb1r, @xiangchen96 for their contribution to this release

Which Sigma rule package should I use?

A detailed explanation can be found in the Releases.md file. If you are new to Sigma, we recommend starting with the "Core" ruleset.

The latest release package on GitHub can always be found here.

r2024-01-15

3 months ago

New Rules

new: Binary Proxy Execution Via Dotnet-Trace.EXE
new: Forfiles.EXE Child Process Masquerading
new: GCP Access Policy Deleted
new: GCP Break-glass Container Workload Deployed
new: Google Workspace Application Access Levels Modified
new: HackTool - EDRSilencer Execution
new: HackTool - NoFilter Execution
new: PUA - PingCastle Execution
new: PUA - PingCastle Execution From Potentially Suspicious Parent
new: Peach Sandstorm APT Process Activity Indicators
new: Potential Peach Sandstorm APT C2 Communication Activity
new: Potential Persistence Via AppCompat RegisterAppRestart Layer
new: Potential Pikabot Infection - Suspicious Command Combinations Via Cmd.EXE
new: Renamed PingCastle Binary Execution
new: System Control Panel Item Loaded From Uncommon Location
new: System Information Discovery Using System_Profiler
new: System Integrity Protection (SIP) Disabled
new: System Integrity Protection (SIP) Enumeration
new: Windows Filtering Platform Blocked Connection From EDR Agent Binary

Updated Rules

update: Creation Of Non-Existent System DLL - Remove driver anchor and the System32 filter. The reason behind this is that an attacker can copy the file elsewhere and then use a system utility such as copy or xcopy located in the system32 folder to create it again. Which will bypass the rule.
update: Findstr Launching .lnk File - Increase coverage by adding cases where the commandline ends with a double or a single quote.
update: Forfiles Command Execution - Remove unnecessary selection and enhance metadata information
update: Hacktool Execution - Imphash - Add additional imphash values to increase coverage
update: Hacktool Named File Stream Created - Added new Imphash values for EDRSandBlast, EDRSilencer and Forensia utilities.
update: Hypervisor Enforced Code Integrity Disabled - Add additional path for the HVCI config
update: Potential DLL Sideloading Of Non-Existent DLLs From System Folders - Add SignatureStatus in the filter to exclude only valid signatures and decrease bypass.
update: Potential Persistence Via MyComputer Registry Keys - Remove SOFTWARE registry key anchor to increase coverage for WOW6432Node cases
update: Potential System DLL Sideloading From Non System Locations - Add iernonce.dll
update: Potential System DLL Sideloading From Non System Locations - Remove the driver anchor from the filter to catch cases where the system is installed on non default C: driver
update: Powershell Defender Disable Scan Feature - Add additional PowerShell MpPreference Cmdlets
update: Remote PowerShell Session (PS Classic) - Reduce level to low
update: Screen Capture Activity Via Psr.EXE - Add -start commandline variation
update: System Information Discovery Using Ioreg - enhanced coverage with additional flags and cli options
update: Tamper Windows Defender - PSClassic - Add additional PowerShell MpPreference Cmdlets
update: Tamper Windows Defender - ScriptBlockLogging - Add additional PowerShell MpPreference Cmdlets
update: Uncommon Extension Shim Database Installation Via Sdbinst.EXE - Add additional commandline flag that might trigger FPs

Removed / Deprecated Rules

remove: Svchost DLL Search Order Hijack - Deprecated in favor of the rule 6b98b92b-4f00-4f62-b4fe-4d1920215771. The reason is that for legit cases where the DLL is still present we can't filter out anything. We assume that the loading is done by a non valid/signed DLLs which will catch most cases. In cas the attacker had the option to sign the DLL with a valid signature he can bypass the rule.

Fixed Rules

fix: Enable LM Hash Storage - ProcCreation - Removed trailing slash from registry path
fix: Potentially Suspicious EventLog Recon Activity Using Log Query Utilities - Fix typo in WMIC image name
fix: Suspicious Greedy Compression Using Rar.EXE - Fix error in path selection
fix: Suspicious Redirection to Local Admin Share - Add missing CommandLine field selection
fix: System Information Discovery Via Wmic.EXE - Move to threat hunting and add additional filter to reduce noise coming from VMware Tools

Acknowledgement

Thanks to @ahouspan, @bohops, @danielgottt, @frack113, @joshnck, @jstnk9, @meiliumeiliu, @MrSeccubus, @nasbench, @Neo23x0, @phantinuss, @qasimqlf, @slincoln-aiq, @st0pp3r, @tr0mb1r, @Tuutaans, @X-Junior, @zestsg for their contribution to this release

Which Sigma rule package should I use?

A detailed explanation can be found in the Releases.md file. If you are new to Sigma, we recommend starting with the "Core" ruleset.

The latest release package on GitHub can always be found here.

r2023-12-21

4 months ago

New Rules

new: Access To Potentially Sensitive Sysvol Files By Uncommon Application
new: Access To Sysvol Policies Share By Uncommon Process
new: Cloudflared Portable Execution
new: Cloudflared Quick Tunnel Execution
new: Cloudflared Tunnels Related DNS Requests
new: Communication To Uncommon Destination Ports
new: Compressed File Creation Via Tar.EXE
new: Compressed File Extraction Via Tar.EXE
new: DLL Names Used By SVR For GraphicalProton Backdoor
new: Enable LM Hash Storage
new: Enable LM Hash Storage - ProcCreation
new: Potential Base64 Decoded From Images
new: Potentially Suspicious Desktop Background Change Using Reg.EXE
new: Potentially Suspicious Desktop Background Change Via Registry
new: Potentially Suspicious Execution Of Regasm/Regsvcs With Uncommon Extension
new: Renamed Cloudflared.EXE Execution
new: Scheduled Tasks Names Used By SVR For GraphicalProton Backdoor
new: Scheduled Tasks Names Used By SVR For GraphicalProton Backdoor - Task Scheduler
new: System Information Discovery Using Ioreg
new: System Information Discovery Using sw_vers
new: System Information Discovery Via Wmic.EXE

Updated Rules

update: ADFS Database Named Pipe Connection By Uncommon Tool - Enhance coverage by improving paths selection
update: Access To Browser Credential Files By Uncommon Application - Increase level to medium and enhance filters and selections
update: Account Created And Deleted By Non Approved Users - Add missing expand modifier
update: Add Potential Suspicious New Download Source To Winget - Reduce level to medium
update: Authentication Occuring Outside Normal Business Hours - Add missing expand modifier
update: Cloudflared Tunnel Connections Cleanup - Enhanced CLI flag selection to remove the unnecessary double dash
update: Cloudflared Tunnel Execution - Enhanced CLI flag selection to remove the unnecessary double dash
update: CodeIntegrity - Unmet Signing Level Requirements By File Under Validation - Reduce level to low
update: Compress-Archive Cmdlet Execution - Reudced Level to low and moved to Threat Hunting folder.
update: Copy From Or To Admin Share Or Sysvol Folder - Enhance selection to be more accurate
update: Disabled Volume Snapshots - Update logic by removing the reg string to also account for potential renamed executions
update: Eventlog Cleared - Update FP filter to remove "Application" log and increase coverage
update: Failed Code Integrity Checks - Reduce level to informational
update: Folder Compress To Potentially Suspicious Output Via Compress-Archive Cmdlet - Update logic to be more specific
update: HH.EXE Execution - Reduce level to low
update: Interactive Logon to Server Systems - Add missing expand modifier
update: Locked Workstation - Reduce level to informational
update: Malicious Driver Load By Name - Increase coverage based on LOLDrivers data
update: Malware User Agent
update: Meterpreter or Cobalt Strike Getsystem Service Installation - Security - Reduce level to high and restructure selections
update: Meterpreter or Cobalt Strike Getsystem Service Installation - System - Reduce level to high and restructure selections
update: PUA - Nmap/Zenmap Execution - Reduce level to medium
update: PUA - Process Hacker Execution - Reduce level to medium
update: PUA - Radmin Viewer Utility Execution - Reduce level to medium
update: Potential Credential Dumping Activity Via LSASS - Reduce level to medium and comment out noisy access masks
update: Potential Pass the Hash Activity - Add missing expand modifier
update: Potential PowerShell Execution Policy Tampering - Remove "RemoteSigned" as it doesn't fit with the current logic
update: Potential Recon Activity Via Nltest.EXE - Add dnsgetdc coverage and enhance logic by removing /
update: Potential System DLL Sideloading From Non System Locations - Enhance logic by removing hardcoded C: value to account for other potential system locations
update: Potential Zerologon (CVE-2020-1472) Exploitation - Add missing expand modifier
update: Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location - Reduce level to medium and update logic
update: Potentially Suspicious Malware Callback Communication - Increase coverage by adding new additional ports
update: PowerShell Execution With Potential Decryption Capabilities
update: Privilege Role Elevation Not Occuring on SAW or PAW - Add missing expand modifier
update: Privilege Role Sign-In Outside Expected Controls - Add missing expand modifier
update: Privilege Role Sign-In Outside Of Normal Hours - Add missing expand modifier
update: Remote Registry Management Using Reg Utility - Add missing expand modifier
update: RestrictedAdminMode Registry Value Tampering - ProcCreation - Update logic the logic to not care about the data. As this registry value has use cases either be it "0" or "1"
update: RestrictedAdminMode Registry Value Tampering - Update logic the logic to not care about the data. As this registry value has use cases either be it "0" or "1"
update: Rundll32 Execution With Uncommon DLL Extension - Enhance DLL extension list
update: SASS Access From Non System Account - Reduce level to medium and enhance false positive filters
update: Suspicious Executable File Creation - Enhance coverage by removing hardocded "C:"
update: Suspicious Program Location with Network Connections - Increase accuracy by enhancing the selection to focus on the start of the folder and partition
update: Suspicious Schtasks From Env Var Folder - Reduce level to medium
update: Suspicious Shim Database Patching Activity - Add new processes to increase coverage
update: Uncommon Extension Shim Database Installation Via Sdbinst.EXE - Reduce level to medium
update: Uncommon System Information Discovery Via Wmic.EXE - Updated logic to focus on more specific WMIC query sequence to increase the level and added a related rule to cover the missing gaps in d85ecdd7-b855-4e6e-af59-d9c78b5b861e
update: WMI Event Consumer Created Named Pipe - Reduce leve to medium
update: Whoami Utility Execution - Reduce level to low
update: Whoami.EXE Execution With Output Option - Reduce level to medium
update: Windows Defender Malware Detection History Deletion - Reduce level to informational
update: Write Protect For Storage Disabled - Update logic by removing the reg string to also account for potential renamed executions
update: Zip A Folder With PowerShell For Staging In Temp - PowerShell - Update logic to be more specific
update: Zip A Folder With PowerShell For Staging In Temp - PowerShell Module - Update logic to be more specific
update: Zip A Folder With PowerShell For Staging In Temp - PowerShell Script - Update logic to be more specific

Removed / Deprecated Rules

remove: Credential Dumping Tools Service Execution
remove: New Service Uses Double Ampersand in Path
remove: PowerShell Scripts Run by a Services
remove: Powershell File and Directory Discovery
remove: Security Event Log Cleared
remove: Suspicious Get-WmiObject
remove: Windows Defender Threat Detection Disabled

Fixed Rules

fix: Access To Windows Credential History File By Uncommon Application - Enhance FP filters
fix: Access To Windows DPAPI Master Keys By Uncommon Application - Enhance FP filters
fix: Amsi.DLL Load By Uncommon Process - Moved to threat hunting folder and update false positive filters to remove hardcoded C:
fix: Bad Opsec Defaults Sacrificial Processes With Improper Arguments - Typo in condition
fix: Credential Manager Access By Uncommon Application - Enhance FP filters
fix: Elevated System Shell Spawned From Uncommon Parent Location - Enhance FP filters
fix: Execution of Suspicious File Type Extension - Add new extensions to reduce FP
fix: HackTool - EfsPotato Named Pipe Creation - Add exclusion for pipe names starting with \pipe\
fix: Important Windows Eventlog Cleared - Update selection to remove "Application" log as it was generating a lot of FP in some environments
fix: Malicious PowerShell Commandlets - ScriptBlock - Remove some part of the selection due to FP matches as they were generic cmdlet names
fix: PSScriptPolicyTest Creation By Uncommon Process - Add new filter for "sdiagnhost"
fix: Potential Direct Syscall of NtOpenProcess - Add "Adobe" filter
fix: Potential Shim Database Persistence via Sdbinst.EXE - Update FP filter for "iisexpressshim" sdb
fix: Potentially Suspicious AccessMask Requested From LSASS - Add new FP filter for "procmon" process
fix: PowerView PowerShell Cmdlets - ScriptBlock - Remove some part of the selection due to FP matches as they were generic cmdlet names
fix: Relevant Anti-Virus Signature Keywords In Application Log - Update false positive filters
fix: Remote Access Tool Services Have Been Installed - Security - Fix typo in field name
fix: Suspicious Command Patterns In Scheduled Task Creation - Fix error in modifier usage
fix: Suspicious File Creation Activity From Fake Recycle.Bin Folder - Remove RECYCLE.BIN\ as it was added as a typo and is a legitimate location.
fix: Suspicious Office Outbound Connections - Enhanced the filter by adding new ports that cause FP with SMTP and IMAP communications
fix: Suspicious SYSTEM User Process Creation - add additional filters to cover both program file folders for FP with Java process
fix: Uncommon Child Process Of Conhost.EXE - Add new FP filters
fix: Uncommon File Created In Office Startup Folder - Add new extension to filter out FP generated with MS Access databases
fix: Uncommon PowerShell Hosts - Moved to threat hunting folder and updated false positive filter list
fix: Unusual Parent Process For Cmd.EXE - Fix typo in wermgr process name
fix: Use Of Remove-Item to Delete File - ScriptBlock - Moved to threat hunting folder and Update logic to be more accurate
fix: User with Privileges Logon - Move to placeholder rules and update the FP filter to account for different workstations
fix: WMI Module Loaded By Uncommon Process - Moved to threat hunting folder and update and restructure false positive filters
fix: Windows Event Auditing Disabled - Enhance list of false positive filters with additional GUID
fix: title: LSASS Access From Program In Potentially Suspicious Folder - Filter out Webex binary

Acknowledgement

Thanks to @AaronS97, @AdmU3, @Blackmore-Robert, @celalettin-turgut, @frack113, @GtUGtHGtNDtEUaE, @jstnk9, @mcdave2k1, @mostafa, @nasbench, @phantinuss, @qasimqlf, @ruppde, @slincoln-aiq, @ssnkhan, @swachchhanda000, @tr0mb1r, @X-Junior for their contribution to this release

Which Sigma rule package should I use?

A detailed explanation can be found in the Releases.md file. If you are new to Sigma, we recommend starting with the "Core" ruleset.

The latest release package on GitHub can always be found here.

r2023-12-04

5 months ago

New Rules

new: CVE-2023-4966 Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Proxy
new: CVE-2023-4966 Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Webserver
new: CVE-2023-4966 Potential Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Proxy
new: CVE-2023-4966 Potential Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Webserver
new: Chromium Browser Instance Executed With Custom Extension
new: Credential Dumping Activity By Python Based Tool
new: Exploitation Attempt Of CVE-2023-46214 Using Public POC Code
new: HackTool - Generic Process Access
new: HackTool - WinPwn Execution
new: HackTool - WinPwn Execution - ScriptBlock
new: Invocation Of Crypto-Classes From The "Cryptography" PowerShell Namespace
new: Load Of RstrtMgr DLL From Suspicious Process
new: Load Of RstrtMgr.DLL By An Uncommon Process
new: New Netsh Helper DLL Registered From A Suspicious Location
new: Potential CVE-2023-46214 Exploitation Attempt
new: Potential Linux Process Code Injection Via DD Utility
new: Potential Persistence Via Netsh Helper DLL - Registry
new: Registry Set With Crypto-Classes From The "Cryptography" PowerShell Namespace
new: Suspicious Path In Keyboard Layout IME File Registry Value
new: Uncommon Extension In Keyboard Layout IME File Registry Value
new: Wusa.EXE Executed By Parent Process Located In Suspicious Location

Updated Rules

update: Credential Dumping Activity Via Lsass - Update selection to increase coverage and filters to tune false positives
update: Credential Dumping Attempt Via WerFault - Update title
update: Enabling COR Profiler Environment Variables - Add additional values to increase coverage for potential COR CLR profiler abuse
update: Exchange Exploitation Used by HAFNIUM - Add related ATT&CK group tag
update: Function Call From Undocumented COM Interface EditionUpgradeManager - Reduce level to medium
update: HackTool - CobaltStrike BOF Injection Pattern - Update title
update: HackTool - HandleKatz Duplicating LSASS Handle - Update title
update: HackTool - LittleCorporal Generated Maldoc Injection - Update title
update: HackTool - SysmonEnte Execution - Add additional location of Sysmon, update title and filters
update: HackTool - winPEAS Execution - Add additional image names for winPEAS
update: LSASS Access From Potentially White-Listed Processes - Update title and description
update: LSASS Access From Program In Potentially Suspicious Folder - Update filters to take into account other drivers than C:
update: LSASS Memory Access by Tool With Dump Keyword In Name - Update title and description
update: Lsass Memory Dump via Comsvcs DLL - Reduce level and remove path from filter to account for any location of rundll32
update: Malware Shellcode in Verclsid Target Process - Move to hunting folder
update: Potential Credential Dumping Attempt Via PowerShell - Reduce level to medium, update description and move to hunting folder
update: Potential Defense Evasion Via Raw Disk Access By Uncommon Tools - Update filters and metadata
update: Potential Operation Triangulation C2 Beaconing Activity - DNS - Add related ATT&CK group tag
update: Potential Persistence Via Netsh Helper DLL - Reduced severity and enhance metadata information
update: Potential Process Hollowing Activity - Update FP filter
update: Potential Shellcode Injection - Update title and enhance false positive filter
update: Potentially Suspicious GrantedAccess Flags On LSASS -
update: Remote LSASS Process Access Through Windows Remote Management - Update title, description and filter to account for installation other than C:
update: Suspicious Chromium Browser Instance Executed With Custom Extension - Fix typo in the rule title and description
update: Suspicious DNS Query for IP Lookup Service APIs - add several external IP lookup services to existing list
update: Suspicious Network Connection to IP Lookup Service APIs - add several external IP lookup services to existing list
update: Suspicious Svchost Process Access - Enhance filter to account for installation in non C: locations
update: Uncommon GrantedAccess Flags On LSASS - Enhance false positive filter
update: Wusa.EXE Extracting Cab Files From Suspicious Paths - Tune the list of paths to be less FP prone

Removed / Deprecated Rules

remove: Credential Dumping Tools Accessing LSASS Memory

Fixed Rules

fix: File or Folder Permissions Modifications - FPs with partial paths
fix: Import New Module Via PowerShell CommandLine - Fix typo in condition
fix: Mint Sandstorm - Log4J Wstomcat Process Execution - Add missing filter
fix: Potential NT API Stub Patching - Tune FP filter
fix: WMI Module Loaded By Non Uncommon Process - Fix typo in the rule filter

Acknowledgement

Thanks to @0x616c6578, @AaronHoffmannRL, @bohops, @EzLucky, @frack113, @himynamesdave, @joshnck, @nasbench, @netgrain, @phantinuss, @qasimqlf, @skaynum, @StevenD33, @swachchhanda000, @ts-lbf, @X-Junior for their contribution to this release

Which Sigma rule package should I use?

A detailed explanation can be found in the Releases.md file. If you are new to Sigma, we recommend starting with the "Core" ruleset.

The latest release package on GitHub can always be found here.

r2023-11-20

5 months ago

New Rules

new: Arbitrary File Download Via IMEWDBLD.EXE
new: Arbitrary File Download Via MSEDGE_PROXY.EXE
new: Arbitrary File Download Via Squirrel.EXE - This is a split rule from "45239e6a-b035-4aaf-b339-8ad379fcb67e"
new: CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Linux)
new: CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Windows)
new: CVE-2023-22518 Exploitation Attempt - Vulnerable Endpoint Connection (Proxy)
new: CVE-2023-22518 Exploitation Attempt - Vulnerable Endpoint Connection (Webserver)
new: CVE-2023-46747 Exploitation Activity - Proxy
new: CVE-2023-46747 Exploitation Activity - Webserver
new: DNS Query To Devtunnels Domain - Split rule based on b3e6418f-7c7a-4fad-993a-93b65027a9f1
new: EventLog Query Requests By Builtin Utilities
new: F5 BIG-IP iControl Rest API Command Execution - Proxy
new: F5 BIG-IP iControl Rest API Command Execution - Webserver
new: Insenstive Subfolder Search Via Findstr.EXE
new: Lace Tempest Cobalt Strike Download
new: Lace Tempest File Indicators
new: Lace Tempest Malware Loader Execution
new: Lace Tempest PowerShell Evidence Eraser
new: Lace Tempest PowerShell Launcher
new: Msxsl.EXE Execution
new: Network Connection Initiated To DevTunnels Domain
new: Network Connection Initiated To Visual Studio Code Tunnels Domain
new: Potential Excel.EXE DCOM Lateral Movement Via ActivateMicrosoftApp
new: Potential File Download Via MS-AppInstaller Protocol Handler
new: Remote File Download Via Findstr.EXE
new: Remote XSL Execution Via Msxsl.EXE
new: Windows Defender Exclusion Deleted
new: Windows Defender Exclusion List Modified
new: Windows Defender Exclusion Reigstry Key - Write Access Requested

Updated Rules

update: APT User Agent - adding user agent associated with PlugX backdoor.
update: AppX Package Installation Attempts Via AppInstaller.EXE - Update description and title
update: Arbitrary File Download Via MSOHTMED.EXE - Update title
update: Arbitrary File Download Via PresentationHost.EXE - Update title
update: Communication To Ngrok Domains - Additional ngrok domains
update: DNS Query To Visual Studio Code Tunnels Domain - Update the rule to only focus on DNS requests from Vscode tunnels and move the logic of Devtunnels to another rule. To ease FP management for users that leverage one but not the other.
update: Disable Internal Tools or Feature in Registry - Increase coverage by adding 2 new values, namely NoDispCPL and NoDispBackground
update: EVTX Created In Uncommon Location - Enhance filters to cover other drives other than "C:"
update: File Download And Execution Via IEExec.EXE - Update title and description
update: File Download From Browser Process Via Inline URL - Enhance accuracy by using the "endswith" modifier and incrasing coverage by adding new extensions to the list
update: File Download Using ProtocolHandler.exe - Update logic by removing unecessary the "selection_cli_1"
update: File Download Via InstallUtil.EXE - Update title and description
update: File Download Via Windows Defender MpCmpRun.EXE - Update metadata information and add additional fields to the image selection
update: Findstr GPP Passwords - Add "find.exe" binary to increase coverage
update: Findstr Launching .lnk File - Add "find.exe" binary to increase coverage
update: ISO Image Mounted - Update title and add new filter
update: LSASS Process Reconnaissance Via Findstr.EXE - Add "find.exe" binary to increase coverage
update: Network Connection Initiated By IMEWDBLD.EXE - Update description and title
update: Non-DLL Extension File Renamed With DLL Extension - Update title and logic
update: Office Application Startup - Office Test - Add missing contains modifier
update: Permission Misconfiguration Reconnaissance Via Findstr.EXE - Add "find.exe" binary to increase coverage
update: Potential AD User Enumeration From Non-Machine Account - Apply additional filters to only look for Access Masks with "READ PROPERTY" values
update: Potential NT API Stub Patching - Enhance the selection coverage by removing the "C:" prefix to cover other installation possibilities
update: Potentially Suspicious Electron Application CommandLine - Add "msedge_proxy.exe" to list of processes
update: Potentially Suspicious EventLog Recon Activity Using Log Query Utilities - Enhanced logic from simply covering wevtutil to covering other tools and conditions.
update: Potentially Suspicious Wuauclt Network Connection - Change the logic to use the "CommandLine" field in order to avoid false positives
update: Process Proxy Execution Via Squirrel.EXE - Moved the logic that covers the "download" aspect into a new rule "1e75c1cc-c5d4-42aa-ac3d-91b0b68b3b4c"
update: Proxy Execution Via Wuauclt.EXE - Update title and enhance filters
update: Recon Command Output Piped To Findstr.EXE - Add "find.exe" binary to increase coverage
update: Remote Thread Creation Via PowerShell - Update selection to use endswith modifier for better coverage
update: Remote Thread Creation Via PowerShell In Potentially Suspicious Target - Update title and add a "regsvr32" as a new additional process to increase coverage
update: Renamed Office Binary Execution - Add new binaries and filters to increase coverage and tune FPs
update: Security Tools Keyword Lookup Via Findstr.EXE - Add "find.exe" binary to increase coverage
update: Suspicious Appended Extension - Enhance list of extension
update: Suspicious Calculator Usage - Update filter to remove the "C:" prefix, which increase coverage of other partitions
update: Suspicious Processes Spawned by Java.EXE - Enhance process coverage by adding new processes and removing unrelated ones
update: Suspicious Whoami.EXE Execution - Enhance the selection by using a * wildcard to account for the order and avoid FPs
update: Sysmon Discovery Via Default Driver Altitude Using Findstr.EXE - Add "find.exe" binary to increase coverage
update: Uncommon Child Process Of Appvlp.EXE - Update description, title and enhance false positives filters
update: WMI Module Loaded By Non Uncommon Process - Enhance selection by making the System folders filter use a "contains" instead of an exact match
update: Webshell Detection With Command Line Keywords - Enhance process coverage by adding new processes and removing unrelated ones
update: XBAP Execution From Uncommon Locations Via PresentationHost.EXE - Update title and description
update: XSL Script Execution Via WMIC.EXE - Removed the selection that covers "Msxsl" and moved to a seperate rules "9e50a8b3-dd05-4eb8-9153-bdb6b79d50b0"
update: smbexec.py Service Installation - align with new smbexec release

Removed / Deprecated Rules

remove: Abusing Findstr for Defense Evasion - Deprecate in favour of 2 splitted rules. 587254ee-a24b-4335-b3cd-065c0f1f4baa and 04936b66-3915-43ad-a8e5-809eadfd1141
remove: Windows Update Client LOLBIN - Deprecate in favour of 52d097e2-063e-4c9c-8fbb-855c8948d135

Fixed Rules

fix: Bad Opsec Defaults Sacrificial Processes With Improper Arguments - Add FP filter for chrome installer spawning rundll32 without arguments
fix: Bad Opsec Defaults Sacrificial Processes With Improper Arguments - Enhance filter to account for an FP found with MS edge
fix: Execute Code with Pester.bat - Fix a non escaped wildcard ?
fix: Files With System Process Name In Unsuspected Locations - Enhance filter to cover other folder variation for windows recovery
fix: Portable Gpg.EXE Execution - Add new legitimate location for GNuGpg
fix: Remote Thread Creation By Uncommon Source Image - Enhance filters to avoid false positives
fix: Rundll32 Execution Without DLL File - remove command line restriction bc of numerous FPs
fix: Suspicious Process By Web Server Process - Remove erroneous extra asterisk
fix: Suspicious Shim Database Installation via Sdbinst.EXE - Add "null" and "empty" filters to account for cases where the CLI is null or empty
fix: Suspicious WmiPrvSE Child Process - Add a filter for msiexec image used to install new MSI packages via WMI process
fix: Uncommon Userinit Child Process - Add the citrix process cmstart to the filtered processes and make it more strict to avoid abuse. Also enhances the other filters by removing the C: notation.

Acknowledgement

Thanks to @AaronS97, @alwashali, @celalettin-turgut, @CrimpSec, @deFr0ggy, @frack113, @fukusuket, @longmdx, @lsoumille, @mezzofix, @michaelpeacock, @mtnmunuklu, @nasbench, @Neo23x0, @netgrain, @phantinuss, @qasimqlf, @rkmbaxed, @swachchhanda000, @ThureinOo, @vj-codes, @YamatoSecurity for their contribution to this release

Which Sigma rule package should I use?

A detailed explanation can be found in the Releases.md file. If you are new to Sigma, we recommend starting with the "Core" ruleset.

The latest release package on GitHub can always be found here.

r2023-11-06

5 months ago

New Rules

new: AWS S3 Bucket Versioning Disable
new: DNS Query To Devtunnels And VsCode Tunnels
new: Diamond Sleet APT DLL Sideloading Indicators
new: Diamond Sleet APT DNS Communication Indicators
new: Diamond Sleet APT File Creation Indicators
new: Diamond Sleet APT Process Activity Indicators
new: Diamond Sleet APT Scheduled Task Creation
new: Diamond Sleet APT Scheduled Task Creation - Registry
new: Enable Remote Connection Between Anonymous Computer - AllowAnonymousCallback
new: Exploitation Indicators Of CVE-2023-20198
new: New Okta User Created
new: Okta 2023 Breach Indicator Of Compromise
new: Okta Admin Functions Access Through Proxy
new: Okta Password Health Report Query
new: Onyx Sleet APT File Creation Indicators
new: Potential Pikabot C2 Activity - Suspicious Process Created By Rundll32.EXE
new: Potential Pikabot Discovery Activity - Suspicious Process Created By Rundll32.EXE
new: Potential Pikabot Hollowing Activity - Suspicious Process Created By Rundll32.EXE
new: Renamed Visual Studio Code Tunnel Execution
new: Renamed VsCode Code Tunnel Execution - File Indicator
new: Security Tools Keyword Lookup Via Findstr.EXE
new: Suspicious Unsigned Thor Scanner Execution
new: Visual Studio Code Tunnel Execution
new: Visual Studio Code Tunnel Remote File Creation
new: Visual Studio Code Tunnel Service Installation
new: Visual Studio Code Tunnel Shell Execution
new: VsCode Code Tunnel Execution File Indicator

Updated Rules

update: Antivirus PrinterNightmare CVE-2021-34527 Exploit Detection
update: Antivirus Relevant File Paths Alerts
update: Csc.EXE Execution Form Potentially Suspicious Parent - add more MS Office tools, suspicious locations and filter known FPs
update: Delete Volume Shadow Copies Via WMI With PowerShell
update: Dump Ntds.dit To Suspicious Location
update: Dynamic .NET Compilation Via Csc.EXE - add more suspicious locations
update: HackTool - CrackMapExec - Fix logic
update: Linux HackTool Execution - Increase coverage by adding more tools
update: Linux Network Service Scanning Tools Execution - Increase coverage by adding more tools
update: MSI Installation From Suspicious Locations
update: Malware User Agent - Increase UAs coverage
update: Netcat The Powershell Version
update: Obfuscated IP Download Activity - increase coverage for more types of obfuscation and fix logic
update: Obfuscated IP Via CLI - increase coverage for more types of obfuscation and fix logic
update: Okta New Admin Console Behaviours - Field notation
update: Port Forwarding Activity Via SSH.EXE - Increase coverage
update: Potential Information Disclosure CVE-2023-43261 Exploitation - Proxy - Fix typo in rule title
update: Potential Information Disclosure CVE-2023-43261 Exploitation - Web - Fix typo in rule title
update: Potential Okta Password in AlternateID Field - Field notation
update: Potential SPN Enumeration Via Setspn.EXE - Increase coverage by adding /q switch
update: Potentially Suspicious Cabinet File Expansion - Increase coverage
update: Potentially Suspicious Child Process Of VsCode
update: PowerShell Called from an Executable Version Mismatch
update: PowerShell Downgrade Attack - PowerShell
update: PowerShell Profile Modification - Reduce rule level to medium
update: Recon Command Output Piped To Findstr.EXE - Logic re-write
update: Registry Persistence via Service in Safe Mode - Fix typo in title
update: Remote PowerShell Session (PS Classic)
update: Renamed Powershell Under Powershell Channel
update: Security Software Discovery Via Powershell Script - Enhance logic, increase level to medium and demote to experimental
update: Suspicious File Creation Activity From Fake Recycle.Bin Folder - Increase coverage
update: Suspicious Non PowerShell WSMAN COM Provider
update: Suspicious PowerShell Download
update: Suspicious Process Execution From Fake Recycle.Bin Folder - Increase coverage
update: Suspicious XOR Encoded PowerShell Command Line - PowerShell
update: Tamper Windows Defender - PSClassic
update: Uncommon PowerShell Hosts
update: Use Get-NetTCPConnection
update: Weak or Abused Passwords In CLI - Increase coverage
update: Zip A Folder With PowerShell For Staging In Temp - PowerShell

Fixed Rules

fix: Creation of an Executable by an Executable
fix: File or Folder Permissions Modifications
fix: Import New Module Via PowerShell CommandLine
fix: Potential Active Directory Reconnaissance/Enumeration Via LDAP - Update logsource
fix: Potential System DLL Sideloading From Non System Locations
fix: Process Terminated Via Taskkill
fix: Suspicious Non-Browser Network Communication With Google API - Fix escaped wildcard issue and Update modifiers
fix: Suspicious Sysmon as Execution Parent - Typo and restructure
fix: Uncommon PowerShell Hosts - Fix escaped wildcard issue

Acknowledgement

Thanks to @citronninja, @EzLucky, @faisalusuf, @frack113, @fukusuket, @gs3cl, @nasbench, @netgrain, @phantinuss, @sifex, @sj-sec, @tjgeorgen, @ts-lbf, @Tuutaans, @wagga40, @X-Junior for their contribution to this release

Which Sigma rule package should I use?

A detailed explanation can be found in the Releases.md file. If you are new to Sigma, we recommend starting with the "Core" ruleset.

The latest release package on GitHub can always be found here.