15 Jan 18:31

github-actions

3fb5392

Release r2024-01-15

New Rules

new: Binary Proxy Execution Via Dotnet-Trace.EXE
new: Forfiles.EXE Child Process Masquerading
new: GCP Access Policy Deleted
new: GCP Break-glass Container Workload Deployed
new: Google Workspace Application Access Levels Modified
new: HackTool - EDRSilencer Execution
new: HackTool - NoFilter Execution
new: PUA - PingCastle Execution
new: PUA - PingCastle Execution From Potentially Suspicious Parent
new: Peach Sandstorm APT Process Activity Indicators
new: Potential Peach Sandstorm APT C2 Communication Activity
new: Potential Persistence Via AppCompat RegisterAppRestart Layer
new: Potential Pikabot Infection - Suspicious Command Combinations Via Cmd.EXE
new: Renamed PingCastle Binary Execution
new: System Control Panel Item Loaded From Uncommon Location
new: System Information Discovery Using System_Profiler
new: System Integrity Protection (SIP) Disabled
new: System Integrity Protection (SIP) Enumeration
new: Windows Filtering Platform Blocked Connection From EDR Agent Binary

Updated Rules

update: Creation Of Non-Existent System DLL - Remove driver anchor and the System32 filter. The reason behind this is that an attacker can copy the file elsewhere and then use a system utility such as copy or xcopy located in the system32 folder to create it again. Which will bypass the rule.
update: Findstr Launching .lnk File - Increase coverage by adding cases where the commandline ends with a double or a single quote.
update: Forfiles Command Execution - Remove unnecessary selection and enhance metadata information
update: Hacktool Execution - Imphash - Add additional imphash values to increase coverage
update: Hacktool Named File Stream Created - Added new Imphash values for EDRSandBlast, EDRSilencer and Forensia utilities.
update: Hypervisor Enforced Code Integrity Disabled - Add additional path for the HVCI config
update: Potential DLL Sideloading Of Non-Existent DLLs From System Folders - Add SignatureStatus in the filter to exclude only valid signatures and decrease bypass.
update: Potential Persistence Via MyComputer Registry Keys - Remove SOFTWARE registry key anchor to increase coverage for WOW6432Node cases
update: Potential System DLL Sideloading From Non System Locations - Add iernonce.dll
update: Potential System DLL Sideloading From Non System Locations - Remove the driver anchor from the filter to catch cases where the system is installed on non default C: driver
update: Powershell Defender Disable Scan Feature - Add additional PowerShell MpPreference Cmdlets
update: Remote PowerShell Session (PS Classic) - Reduce level to low
update: Screen Capture Activity Via Psr.EXE - Add -start commandline variation
update: System Information Discovery Using Ioreg - enhanced coverage with additional flags and cli options
update: Tamper Windows Defender - PSClassic - Add additional PowerShell MpPreference Cmdlets
update: Tamper Windows Defender - ScriptBlockLogging - Add additional PowerShell MpPreference Cmdlets
update: Uncommon Extension Shim Database Installation Via Sdbinst.EXE - Add additional commandline flag that might trigger FPs

Removed / Deprecated Rules

remove: Svchost DLL Search Order Hijack - Deprecated in favor of the rule 6b98b92b-4f00-4f62-b4fe-4d1920215771. The reason is that for legit cases where the DLL is still present we can't filter out anything. We assume that the loading is done by a non valid/signed DLLs which will catch most cases. In cas the attacker had the option to sign the DLL with a valid signature he can bypass the rule.

Fixed Rules

fix: Enable LM Hash Storage - ProcCreation - Removed trailing slash from registry path
fix: Potentially Suspicious EventLog Recon Activity Using Log Query Utilities - Fix typo in WMIC image name
fix: Suspicious Greedy Compression Using Rar.EXE - Fix error in path selection
fix: Suspicious Redirection to Local Admin Share - Add missing CommandLine field selection
fix: System Information Discovery Via Wmic.EXE - Move to threat hunting and add additional filter to reduce noise coming from VMware Tools

Acknowledgement

Thanks to @ahouspan, @bohops, @danielgottt, @frack113, @joshnck, @jstnk9, @meiliumeiliu, @MrSeccubus, @nasbench, @Neo23x0, @phantinuss, @qasimqlf, @slincoln-aiq, @st0pp3r, @tr0mb1r, @Tuutaans, @X-Junior, @zestsg for their contribution to this release

Which Sigma rule package should I use?

A detailed explanation can be found in the Releases.md file. If you are new to Sigma, we recommend starting with the "Core" ruleset.

The latest release package on GitHub can always be found here.

Contributors

$@frack113$

MrSeccubus, Neo23x0, and 16 other contributors

Assets 7

21 Dec 20:12

github-actions

r2023-12-21

e052677

Release r2023-12-21

New Rules

new: Access To Potentially Sensitive Sysvol Files By Uncommon Application
new: Access To Sysvol Policies Share By Uncommon Process
new: Cloudflared Portable Execution
new: Cloudflared Quick Tunnel Execution
new: Cloudflared Tunnels Related DNS Requests
new: Communication To Uncommon Destination Ports
new: Compressed File Creation Via Tar.EXE
new: Compressed File Extraction Via Tar.EXE
new: DLL Names Used By SVR For GraphicalProton Backdoor
new: Enable LM Hash Storage
new: Enable LM Hash Storage - ProcCreation
new: Potential Base64 Decoded From Images
new: Potentially Suspicious Desktop Background Change Using Reg.EXE
new: Potentially Suspicious Desktop Background Change Via Registry
new: Potentially Suspicious Execution Of Regasm/Regsvcs With Uncommon Extension
new: Renamed Cloudflared.EXE Execution
new: Scheduled Tasks Names Used By SVR For GraphicalProton Backdoor
new: Scheduled Tasks Names Used By SVR For GraphicalProton Backdoor - Task Scheduler
new: System Information Discovery Using Ioreg
new: System Information Discovery Using sw_vers
new: System Information Discovery Via Wmic.EXE

Updated Rules

update: ADFS Database Named Pipe Connection By Uncommon Tool - Enhance coverage by improving paths selection
update: Access To Browser Credential Files By Uncommon Application - Increase level to medium and enhance filters and selections
update: Account Created And Deleted By Non Approved Users - Add missing expand modifier
update: Add Potential Suspicious New Download Source To Winget - Reduce level to medium
update: Authentication Occuring Outside Normal Business Hours - Add missing expand modifier
update: Cloudflared Tunnel Connections Cleanup - Enhanced CLI flag selection to remove the unnecessary double dash
update: Cloudflared Tunnel Execution - Enhanced CLI flag selection to remove the unnecessary double dash
update: CodeIntegrity - Unmet Signing Level Requirements By File Under Validation - Reduce level to low
update: Compress-Archive Cmdlet Execution - Reudced Level to low and moved to Threat Hunting folder.
update: Copy From Or To Admin Share Or Sysvol Folder - Enhance selection to be more accurate
update: Disabled Volume Snapshots - Update logic by removing the reg string to also account for potential renamed executions
update: Eventlog Cleared - Update FP filter to remove "Application" log and increase coverage
update: Failed Code Integrity Checks - Reduce level to informational
update: Folder Compress To Potentially Suspicious Output Via Compress-Archive Cmdlet - Update logic to be more specific
update: HH.EXE Execution - Reduce level to low
update: Interactive Logon to Server Systems - Add missing expand modifier
update: Locked Workstation - Reduce level to informational
update: Malicious Driver Load By Name - Increase coverage based on LOLDrivers data
update: Malware User Agent
update: Meterpreter or Cobalt Strike Getsystem Service Installation - Security - Reduce level to high and restructure selections
update: Meterpreter or Cobalt Strike Getsystem Service Installation - System - Reduce level to high and restructure selections
update: PUA - Nmap/Zenmap Execution - Reduce level to medium
update: PUA - Process Hacker Execution - Reduce level to medium
update: PUA - Radmin Viewer Utility Execution - Reduce level to medium
update: Potential Credential Dumping Activity Via LSASS - Reduce level to medium and comment out noisy access masks
update: Potential Pass the Hash Activity - Add missing expand modifier
update: Potential PowerShell Execution Policy Tampering - Remove "RemoteSigned" as it doesn't fit with the current logic
update: Potential Recon Activity Via Nltest.EXE - Add dnsgetdc coverage and enhance logic by removing /
update: Potential System DLL Sideloading From Non System Locations - Enhance logic by removing hardcoded C: value to account for other potential system locations
update: Potential Zerologon (CVE-2020-1472) Exploitation - Add missing expand modifier
update: Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location - Reduce level to medium and update logic
update: Potentially Suspicious Malware Callback Communication - Increase coverage by adding new additional ports
update: PowerShell Execution With Potential Decryption Capabilities
update: Privilege Role Elevation Not Occuring on SAW or PAW - Add missing expand modifier
update: Privilege Role Sign-In Outside Expected Controls - Add missing expand modifier
update: Privilege Role Sign-In Outside Of Normal Hours - Add missing expand modifier
update: Remote Registry Management Using Reg Utility - Add missing expand modifier
update: RestrictedAdminMode Registry Value Tampering - ProcCreation - Update logic the logic to not care about the data. As this registry value has use cases either be it "0" or "1"
update: RestrictedAdminMode Registry Value Tampering - Update logic the logic to not care about the data. As this registry value has use cases either be it "0" or "1"
update: Rundll32 Execution With Uncommon DLL Extension - Enhance DLL extension list
update: SASS Access From Non System Account - Reduce level to medium and enhance false positive filters
update: Suspicious Executable File Creation - Enhance coverage by removing hardocded "C:"
update: Suspicious Program Location with Network Connections - Increase accuracy by enhancing the selection to focus on the start of the folder and partition
update: Suspicious Schtasks From Env Var Folder - Reduce level to medium
update: Suspicious Shim Database Patching Activity - Add new processes to increase coverage
update: Uncommon Extension Shim Database Installation Via Sdbinst.EXE - Reduce level to medium
update: Uncommon System Information Discovery Via Wmic.EXE - Updated logic to focus on more specific WMIC query sequence to increase the level and added a related rule to cover the missing gaps in d85ecdd7-b855-4e6e-af59-d9c78b5b861e
update: WMI Event Consumer Created Named Pipe - Reduce leve to medium
update: Whoami Utility Execution - Reduce level to low
update: Whoami.EXE Execution With Output Option - Reduce level to medium
update: Windows Defender Malware Detection History Deletion - Reduce level to informational
update: Write Protect For Storage Disabled - Update logic by removing the reg string to also account for potential renamed executions
update: Zip A Folder With PowerShell For Staging In Temp - PowerShell - Update logic to be more specific
update: Zip A Folder With PowerShell For Staging In Temp - PowerShell Module - Update logic to be more specific
update: Zip A Folder With PowerShell For Staging In Temp - PowerShell Script - Update logic to be more specific

Removed / Deprecated Rules

remove: Credential Dumping Tools Service Execution
remove: New Service Uses Double Ampersand in Path
remove: PowerShell Scripts Run by a Services
remove: Powershell File and Directory Discovery
remove: Security Event Log Cleared
remove: Suspicious Get-WmiObject
remove: Windows Defender Threat Detection Disabled

Fixed Rules

fix: Access To Windows Credential History File By Uncommon Application - Enhance FP filters
fix: Access To Windows DPAPI Master Keys By Uncommon Application - Enhance FP filters
fix: Amsi.DLL Load By Uncommon Process - Moved to threat hunting folder and update false positive filters to remove hardcoded C:
fix: Bad Opsec Defaults Sacrificial Processes With Improper Arguments - Typo in condition
fix: Credential Manager Access By Uncommon Application - Enhance FP filters
fix: Elevated System Shell Spawned From Uncommon Parent Location - Enhance FP filters
fix: Execution of Suspicious File Type Extension - Add new extensions to reduce FP
fix: HackTool - EfsPotato Named Pipe Creation - Add exclusion for pipe names starting with \pipe\
fix: Important Windows Eventlog Cleared - Update selection to remove "Application" log as it was generating a lot of FP in some environments
fix: Malicious PowerShell Commandlets - ScriptBlock - Remove some part of the selection due to FP matches as they were generic cmdlet names
fix: PSScriptPolicyTest Creation By Uncommon Process - Add new filter for "sdiagnhost"
fix: Potential Direct Syscall of NtOpenProcess - Add "Adobe" filter
fix: Potential Shim Database Persistence via Sdbinst.EXE - Update FP filter for "iisexpressshim" sdb
fix: Potentially Suspicious AccessMask Requested From LSASS - Add new FP filter for "procmon" process
fix: PowerView PowerShell Cmdlets - ScriptBlock - Remove some part of the selection due to FP matches as they were generic cmdlet names
fix: Relevant Anti-Virus Signature Keywords In Application Log - Update false positive filters
fix: Remote Access Tool Services Have Been Installed - Security - Fix typo in field name
fix: Suspicious Command Patterns In Scheduled Task Creation - Fix error in modifier usage
fix: Suspicious File Creation Activity From Fake Recycle.Bin Folder - Remove RECYCLE.BIN\ as it was added as a typo and is a legitimate location.
fix: Suspicious Office Outbound Connections - Enhanced the filter by adding new ports that cause FP with SMTP and IMAP communications
fix: Suspicious SYSTEM User Process Creation - add additional filters to cover both program file folders for FP with Java process
fix: Uncommon Child Process Of Conhost.EXE - Add new FP filters
fix: Uncommon File Created In Office Startup Folder - Add new extension to filter out FP generated with MS Access databases
fix: Uncommon PowerShell Hosts - Moved to threat hunting folder and updated false positive filter list
fix: Unusual Parent Process For Cm...

$@frack113$

mostafa, jstnk9, and 16 other contributors

Assets 7

04 Dec 16:59

github-actions

r2023-12-04

f07e2b3

Release r2023-12-04

New Rules

new: CVE-2023-4966 Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Proxy
new: CVE-2023-4966 Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Webserver
new: CVE-2023-4966 Potential Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Proxy
new: CVE-2023-4966 Potential Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Webserver
new: Chromium Browser Instance Executed With Custom Extension
new: Credential Dumping Activity By Python Based Tool
new: Exploitation Attempt Of CVE-2023-46214 Using Public POC Code
new: HackTool - Generic Process Access
new: HackTool - WinPwn Execution
new: HackTool - WinPwn Execution - ScriptBlock
new: Invocation Of Crypto-Classes From The "Cryptography" PowerShell Namespace
new: Load Of RstrtMgr DLL From Suspicious Process
new: Load Of RstrtMgr.DLL By An Uncommon Process
new: New Netsh Helper DLL Registered From A Suspicious Location
new: Potential CVE-2023-46214 Exploitation Attempt
new: Potential Linux Process Code Injection Via DD Utility
new: Potential Persistence Via Netsh Helper DLL - Registry
new: Registry Set With Crypto-Classes From The "Cryptography" PowerShell Namespace
new: Suspicious Path In Keyboard Layout IME File Registry Value
new: Uncommon Extension In Keyboard Layout IME File Registry Value
new: Wusa.EXE Executed By Parent Process Located In Suspicious Location

Updated Rules

update: Credential Dumping Activity Via Lsass - Update selection to increase coverage and filters to tune false positives
update: Credential Dumping Attempt Via WerFault - Update title
update: Enabling COR Profiler Environment Variables - Add additional values to increase coverage for potential COR CLR profiler abuse
update: Exchange Exploitation Used by HAFNIUM - Add related ATT&CK group tag
update: Function Call From Undocumented COM Interface EditionUpgradeManager - Reduce level to medium
update: HackTool - CobaltStrike BOF Injection Pattern - Update title
update: HackTool - HandleKatz Duplicating LSASS Handle - Update title
update: HackTool - LittleCorporal Generated Maldoc Injection - Update title
update: HackTool - SysmonEnte Execution - Add additional location of Sysmon, update title and filters
update: HackTool - winPEAS Execution - Add additional image names for winPEAS
update: LSASS Access From Potentially White-Listed Processes - Update title and description
update: LSASS Access From Program In Potentially Suspicious Folder - Update filters to take into account other drivers than C:
update: LSASS Memory Access by Tool With Dump Keyword In Name - Update title and description
update: Lsass Memory Dump via Comsvcs DLL - Reduce level and remove path from filter to account for any location of rundll32
update: Malware Shellcode in Verclsid Target Process - Move to hunting folder
update: Potential Credential Dumping Attempt Via PowerShell - Reduce level to medium, update description and move to hunting folder
update: Potential Defense Evasion Via Raw Disk Access By Uncommon Tools - Update filters and metadata
update: Potential Operation Triangulation C2 Beaconing Activity - DNS - Add related ATT&CK group tag
update: Potential Persistence Via Netsh Helper DLL - Reduced severity and enhance metadata information
update: Potential Process Hollowing Activity - Update FP filter
update: Potential Shellcode Injection - Update title and enhance false positive filter
update: Potentially Suspicious GrantedAccess Flags On LSASS -
update: Remote LSASS Process Access Through Windows Remote Management - Update title, description and filter to account for installation other than C:
update: Suspicious Chromium Browser Instance Executed With Custom Extension - Fix typo in the rule title and description
update: Suspicious DNS Query for IP Lookup Service APIs - add several external IP lookup services to existing list
update: Suspicious Network Connection to IP Lookup Service APIs - add several external IP lookup services to existing list
update: Suspicious Svchost Process Access - Enhance filter to account for installation in non C: locations
update: Uncommon GrantedAccess Flags On LSASS - Enhance false positive filter
update: Wusa.EXE Extracting Cab Files From Suspicious Paths - Tune the list of paths to be less FP prone

Removed / Deprecated Rules

remove: Credential Dumping Tools Accessing LSASS Memory

Fixed Rules

fix: File or Folder Permissions Modifications - FPs with partial paths
fix: Import New Module Via PowerShell CommandLine - Fix typo in condition
fix: Mint Sandstorm - Log4J Wstomcat Process Execution - Add missing filter
fix: Potential NT API Stub Patching - Tune FP filter
fix: WMI Module Loaded By Non Uncommon Process - Fix typo in the rule filter

Acknowledgement

Thanks to @0x616c6578, @AaronHoffmannRL, @bohops, @EzLucky, @frack113, @himynamesdave, @joshnck, @nasbench, @netgrain, @phantinuss, @qasimqlf, @skaynum, @StevenD33, @swachchhanda000, @ts-lbf, @X-Junior for their contribution to this release

Which Sigma rule package should I use?

A detailed explanation can be found in the Releases.md file. If you are new to Sigma, we recommend starting with the "Core" ruleset.

The latest release package on GitHub can always be found here.

Contributors

$@frack113$

himynamesdave, nasbench, and 14 other contributors

Assets 7

20 Nov 17:02

github-actions

r2023-11-20

01730d0

Release r2023-11-20

New Rules

new: Arbitrary File Download Via IMEWDBLD.EXE
new: Arbitrary File Download Via MSEDGE_PROXY.EXE
new: Arbitrary File Download Via Squirrel.EXE - This is a split rule from "45239e6a-b035-4aaf-b339-8ad379fcb67e"
new: CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Linux)
new: CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Windows)
new: CVE-2023-22518 Exploitation Attempt - Vulnerable Endpoint Connection (Proxy)
new: CVE-2023-22518 Exploitation Attempt - Vulnerable Endpoint Connection (Webserver)
new: CVE-2023-46747 Exploitation Activity - Proxy
new: CVE-2023-46747 Exploitation Activity - Webserver
new: DNS Query To Devtunnels Domain - Split rule based on b3e6418f-7c7a-4fad-993a-93b65027a9f1
new: EventLog Query Requests By Builtin Utilities
new: F5 BIG-IP iControl Rest API Command Execution - Proxy
new: F5 BIG-IP iControl Rest API Command Execution - Webserver
new: Insenstive Subfolder Search Via Findstr.EXE
new: Lace Tempest Cobalt Strike Download
new: Lace Tempest File Indicators
new: Lace Tempest Malware Loader Execution
new: Lace Tempest PowerShell Evidence Eraser
new: Lace Tempest PowerShell Launcher
new: Msxsl.EXE Execution
new: Network Connection Initiated To DevTunnels Domain
new: Network Connection Initiated To Visual Studio Code Tunnels Domain
new: Potential Excel.EXE DCOM Lateral Movement Via ActivateMicrosoftApp
new: Potential File Download Via MS-AppInstaller Protocol Handler
new: Remote File Download Via Findstr.EXE
new: Remote XSL Execution Via Msxsl.EXE
new: Windows Defender Exclusion Deleted
new: Windows Defender Exclusion List Modified
new: Windows Defender Exclusion Reigstry Key - Write Access Requested

Updated Rules

update: APT User Agent - adding user agent associated with PlugX backdoor.
update: AppX Package Installation Attempts Via AppInstaller.EXE - Update description and title
update: Arbitrary File Download Via MSOHTMED.EXE - Update title
update: Arbitrary File Download Via PresentationHost.EXE - Update title
update: Communication To Ngrok Domains - Additional ngrok domains
update: DNS Query To Visual Studio Code Tunnels Domain - Update the rule to only focus on DNS requests from Vscode tunnels and move the logic of Devtunnels to another rule. To ease FP management for users that leverage one but not the other.
update: Disable Internal Tools or Feature in Registry - Increase coverage by adding 2 new values, namely NoDispCPL and NoDispBackground
update: EVTX Created In Uncommon Location - Enhance filters to cover other drives other than "C:"
update: File Download And Execution Via IEExec.EXE - Update title and description
update: File Download From Browser Process Via Inline URL - Enhance accuracy by using the "endswith" modifier and incrasing coverage by adding new extensions to the list
update: File Download Using ProtocolHandler.exe - Update logic by removing unecessary the "selection_cli_1"
update: File Download Via InstallUtil.EXE - Update title and description
update: File Download Via Windows Defender MpCmpRun.EXE - Update metadata information and add additional fields to the image selection
update: Findstr GPP Passwords - Add "find.exe" binary to increase coverage
update: Findstr Launching .lnk File - Add "find.exe" binary to increase coverage
update: ISO Image Mounted - Update title and add new filter
update: LSASS Process Reconnaissance Via Findstr.EXE - Add "find.exe" binary to increase coverage
update: Network Connection Initiated By IMEWDBLD.EXE - Update description and title
update: Non-DLL Extension File Renamed With DLL Extension - Update title and logic
update: Office Application Startup - Office Test - Add missing contains modifier
update: Permission Misconfiguration Reconnaissance Via Findstr.EXE - Add "find.exe" binary to increase coverage
update: Potential AD User Enumeration From Non-Machine Account - Apply additional filters to only look for Access Masks with "READ PROPERTY" values
update: Potential NT API Stub Patching - Enhance the selection coverage by removing the "C:" prefix to cover other installation possibilities
update: Potentially Suspicious Electron Application CommandLine - Add "msedge_proxy.exe" to list of processes
update: Potentially Suspicious EventLog Recon Activity Using Log Query Utilities - Enhanced logic from simply covering wevtutil to covering other tools and conditions.
update: Potentially Suspicious Wuauclt Network Connection - Change the logic to use the "CommandLine" field in order to avoid false positives
update: Process Proxy Execution Via Squirrel.EXE - Moved the logic that covers the "download" aspect into a new rule "1e75c1cc-c5d4-42aa-ac3d-91b0b68b3b4c"
update: Proxy Execution Via Wuauclt.EXE - Update title and enhance filters
update: Recon Command Output Piped To Findstr.EXE - Add "find.exe" binary to increase coverage
update: Remote Thread Creation Via PowerShell - Update selection to use endswith modifier for better coverage
update: Remote Thread Creation Via PowerShell In Potentially Suspicious Target - Update title and add a "regsvr32" as a new additional process to increase coverage
update: Renamed Office Binary Execution - Add new binaries and filters to increase coverage and tune FPs
update: Security Tools Keyword Lookup Via Findstr.EXE - Add "find.exe" binary to increase coverage
update: Suspicious Appended Extension - Enhance list of extension
update: Suspicious Calculator Usage - Update filter to remove the "C:" prefix, which increase coverage of other partitions
update: Suspicious Processes Spawned by Java.EXE - Enhance process coverage by adding new processes and removing unrelated ones
update: Suspicious Whoami.EXE Execution - Enhance the selection by using a * wildcard to account for the order and avoid FPs
update: Sysmon Discovery Via Default Driver Altitude Using Findstr.EXE - Add "find.exe" binary to increase coverage
update: Uncommon Child Process Of Appvlp.EXE - Update description, title and enhance false positives filters
update: WMI Module Loaded By Non Uncommon Process - Enhance selection by making the System folders filter use a "contains" instead of an exact match
update: Webshell Detection With Command Line Keywords - Enhance process coverage by adding new processes and removing unrelated ones
update: XBAP Execution From Uncommon Locations Via PresentationHost.EXE - Update title and description
update: XSL Script Execution Via WMIC.EXE - Removed the selection that covers "Msxsl" and moved to a seperate rules "9e50a8b3-dd05-4eb8-9153-bdb6b79d50b0"
update: smbexec.py Service Installation - align with new smbexec release

Removed / Deprecated Rules

remove: Abusing Findstr for Defense Evasion - Deprecate in favour of 2 splitted rules. 587254ee-a24b-4335-b3cd-065c0f1f4baa and 04936b66-3915-43ad-a8e5-809eadfd1141
remove: Windows Update Client LOLBIN - Deprecate in favour of 52d097e2-063e-4c9c-8fbb-855c8948d135

Fixed Rules

fix: Bad Opsec Defaults Sacrificial Processes With Improper Arguments - Add FP filter for chrome installer spawning rundll32 without arguments
fix: Bad Opsec Defaults Sacrificial Processes With Improper Arguments - Enhance filter to account for an FP found with MS edge
fix: Execute Code with Pester.bat - Fix a non escaped wildcard ?
fix: Files With System Process Name In Unsuspected Locations - Enhance filter to cover other folder variation for windows recovery
fix: Portable Gpg.EXE Execution - Add new legitimate location for GNuGpg
fix: Remote Thread Creation By Uncommon Source Image - Enhance filters to avoid false positives
fix: Rundll32 Execution Without DLL File - remove command line restriction bc of numerous FPs
fix: Suspicious Process By Web Server Process - Remove erroneous extra asterisk
fix: Suspicious Shim Database Installation via Sdbinst.EXE - Add "null" and "empty" filters to account for cases where the CLI is null or empty
fix: Suspicious WmiPrvSE Child Process - Add a filter for msiexec image used to install new MSI packages via WMI process
fix: Uncommon Userinit Child Process - Add the citrix process cmstart to the filtered processes and make it more strict to avoid abuse. Also enhances the other filters by removing the C: notation.

Acknowledgement

Thanks to @AaronS97, @alwashali, @celalettin-turgut, @CrimpSec, @deFr0ggy, @frack113, @fukusuket, @longmdx, @lsoumille, @mezzofix, @michaelpeacock, @mtnmunuklu, @nasbench, @Neo23x0, @netgrain, @phantinuss, @qasimqlf, @rkmbaxed, @swachchhanda000, @ThureinOo, @vj-codes, @YamatoSecurity for their contribution to this release

Which Sigma rule package should I use?

A detailed explanation can be found in the Releases.md file. If you are new to Sigma, we recommend starting with the "Core" ruleset.

The latest release package on GitHub can always be found here.

Contributors

Neo23x0, michaelpeacock, and 20 other contributors

Assets 7

06 Nov 16:30

github-actions

r2023-11-06

e873392

Release r2023-11-06

New Rules

new: AWS S3 Bucket Versioning Disable
new: DNS Query To Devtunnels And VsCode Tunnels
new: Diamond Sleet APT DLL Sideloading Indicators
new: Diamond Sleet APT DNS Communication Indicators
new: Diamond Sleet APT File Creation Indicators
new: Diamond Sleet APT Process Activity Indicators
new: Diamond Sleet APT Scheduled Task Creation
new: Diamond Sleet APT Scheduled Task Creation - Registry
new: Enable Remote Connection Between Anonymous Computer - AllowAnonymousCallback
new: Exploitation Indicators Of CVE-2023-20198
new: New Okta User Created
new: Okta 2023 Breach Indicator Of Compromise
new: Okta Admin Functions Access Through Proxy
new: Okta Password Health Report Query
new: Onyx Sleet APT File Creation Indicators
new: Potential Pikabot C2 Activity - Suspicious Process Created By Rundll32.EXE
new: Potential Pikabot Discovery Activity - Suspicious Process Created By Rundll32.EXE
new: Potential Pikabot Hollowing Activity - Suspicious Process Created By Rundll32.EXE
new: Renamed Visual Studio Code Tunnel Execution
new: Renamed VsCode Code Tunnel Execution - File Indicator
new: Security Tools Keyword Lookup Via Findstr.EXE
new: Suspicious Unsigned Thor Scanner Execution
new: Visual Studio Code Tunnel Execution
new: Visual Studio Code Tunnel Remote File Creation
new: Visual Studio Code Tunnel Service Installation
new: Visual Studio Code Tunnel Shell Execution
new: VsCode Code Tunnel Execution File Indicator

Updated Rules

update: Antivirus PrinterNightmare CVE-2021-34527 Exploit Detection
update: Antivirus Relevant File Paths Alerts
update: Csc.EXE Execution Form Potentially Suspicious Parent - add more MS Office tools, suspicious locations and filter known FPs
update: Delete Volume Shadow Copies Via WMI With PowerShell
update: Dump Ntds.dit To Suspicious Location
update: Dynamic .NET Compilation Via Csc.EXE - add more suspicious locations
update: HackTool - CrackMapExec - Fix logic
update: Linux HackTool Execution - Increase coverage by adding more tools
update: Linux Network Service Scanning Tools Execution - Increase coverage by adding more tools
update: MSI Installation From Suspicious Locations
update: Malware User Agent - Increase UAs coverage
update: Netcat The Powershell Version
update: Obfuscated IP Download Activity - increase coverage for more types of obfuscation and fix logic
update: Obfuscated IP Via CLI - increase coverage for more types of obfuscation and fix logic
update: Okta New Admin Console Behaviours - Field notation
update: Port Forwarding Activity Via SSH.EXE - Increase coverage
update: Potential Information Disclosure CVE-2023-43261 Exploitation - Proxy - Fix typo in rule title
update: Potential Information Disclosure CVE-2023-43261 Exploitation - Web - Fix typo in rule title
update: Potential Okta Password in AlternateID Field - Field notation
update: Potential SPN Enumeration Via Setspn.EXE - Increase coverage by adding /q switch
update: Potentially Suspicious Cabinet File Expansion - Increase coverage
update: Potentially Suspicious Child Process Of VsCode
update: PowerShell Called from an Executable Version Mismatch
update: PowerShell Downgrade Attack - PowerShell
update: PowerShell Profile Modification - Reduce rule level to medium
update: Recon Command Output Piped To Findstr.EXE - Logic re-write
update: Registry Persistence via Service in Safe Mode - Fix typo in title
update: Remote PowerShell Session (PS Classic)
update: Renamed Powershell Under Powershell Channel
update: Security Software Discovery Via Powershell Script - Enhance logic, increase level to medium and demote to experimental
update: Suspicious File Creation Activity From Fake Recycle.Bin Folder - Increase coverage
update: Suspicious Non PowerShell WSMAN COM Provider
update: Suspicious PowerShell Download
update: Suspicious Process Execution From Fake Recycle.Bin Folder - Increase coverage
update: Suspicious XOR Encoded PowerShell Command Line - PowerShell
update: Tamper Windows Defender - PSClassic
update: Uncommon PowerShell Hosts
update: Use Get-NetTCPConnection
update: Weak or Abused Passwords In CLI - Increase coverage
update: Zip A Folder With PowerShell For Staging In Temp - PowerShell

Fixed Rules

fix: Creation of an Executable by an Executable
fix: File or Folder Permissions Modifications
fix: Import New Module Via PowerShell CommandLine
fix: Potential Active Directory Reconnaissance/Enumeration Via LDAP - Update logsource
fix: Potential System DLL Sideloading From Non System Locations
fix: Process Terminated Via Taskkill
fix: Suspicious Non-Browser Network Communication With Google API - Fix escaped wildcard issue and Update modifiers
fix: Suspicious Sysmon as Execution Parent - Typo and restructure
fix: Uncommon PowerShell Hosts - Fix escaped wildcard issue

Acknowledgement

Thanks to @citronninja, @EzLucky, @faisalusuf, @frack113, @fukusuket, @gs3cl, @nasbench, @netgrain, @phantinuss, @sifex, @sj-sec, @tjgeorgen, @ts-lbf, @Tuutaans, @wagga40, @X-Junior for their contribution to this release

Which Sigma rule package should I use?

A detailed explanation can be found in the Releases.md file. If you are new to Sigma, we recommend starting with the "Core" ruleset.

The latest release package on GitHub can always be found here.

Contributors

$@frack113$

faisalusuf, sifex, and 14 other contributors

Assets 7

23 Oct 09:54

github-actions

r2023-10-23

4852ee4

Release r2023-10-23

New Rules

new: BlueSky Ransomware Artefacts
new: Certificate Use With No Strong Mapping
new: DarkGate - Autoit3.EXE Execution Parameters
new: DarkGate - Autoit3.EXE File Creation By Uncommon Process
new: File Download From IP Based URL Via CertOC.EXE
new: File Download From IP URL Via Curl.EXE
new: HackTool - CoercedPotato Execution
new: HackTool - CoercedPotato Named Pipe Creation
new: LSASS Process Memory Dump Creation Via Taskmgr.EXE
new: Lazarus APT DLL Sideloading Activity
new: MSSQL Server Failed Logon
new: MSSQL Server Failed Logon From External Network
new: Mail Forwarding/Redirecting Activity In O365
new: Potential CVE-2023-27363 Exploitation - HTA File Creation By FoxitPDFReader
new: Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream
new: Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream - CLI
new: Potential Information Discolosure CVE-2023-43261 Exploitation - Proxy
new: Potential Information Discolosure CVE-2023-43261 Exploitation - Web
new: PowerShell Script Execution Policy Enabled
new: Regsvr32.EXE Calling of DllRegisterServer Export Function Implicitly
new: Rundll32.EXE Calling DllRegisterServer Export Function Explicitly

Updated Rules

update: ADSI-Cache File Creation By Uncommon Tool
update: Alternate PowerShell Hosts Pipe
update: Arbitrary File Download Via GfxDownloadWrapper.EXE
update: DarkGate - User Created Via Net.EXE
update: File Download via CertOC.EXE
update: Files With System Process Name In Unsuspected Locations
update: PSScriptPolicyTest Creation By Uncommon Process
update: Potential PowerShell Execution Policy Tampering
update: Potential Webshell Creation On Static Website - Increase coverage with new extensions.
update: Potentially Suspicious Office Document Executed From Trusted Location
update: PowerShell Module File Created By Non-PowerShell Process
update: PowerShell Profile Modification
update: Remote Thread Creation By Uncommon Source Image
update: Remote Thread Creation In Uncommon Target Image
update: Renamed CURL.EXE Execution - Extended filter
update: Suspicious File Download From IP Via Curl.EXE
update: Suspicious LNK Double Extension File Created

Fixed Rules

fix: Azure Active Directory Hybrid Health AD FS New Server - Update Logsource to align with the rest of the azure rules
fix: Azure Active Directory Hybrid Health AD FS Service Delete - Update Logsource to align with the rest of the azure rules
fix: Control Panel Items - FP with command line observed from taskhost.exe
fix: Direct Syscall of NtOpenProcess - FP with another Firefox process and removing drive letters
fix: Direct Syscall of NtOpenProcess - falsepositives meta data
fix: Execution of Suspicious File Type Extension - FP with OpenOffice
fix: Google Workspace Application Removed - Update logsource product field to gcp
fix: Google Workspace Granted Domain API Access - Update logsource product field to gcp
fix: Google Workspace MFA Disabled - Update logsource product field to gcp
fix: Google Workspace Role Modified or Deleted - Update logsource product field to gcp
fix: Google Workspace Role Privilege Deleted - Update logsource product field to gcp
fix: Google Workspace User Granted Admin Privileges - Update logsource product field to gcp
fix: Granting Of Permissions To An Account - Update Logsource to align with the rest of the azure rules
fix: Number Of Resource Creation Or Deployment Activities - Update Logsource to align with the rest of the azure rules
fix: Potential Shellcode Injection - remove System.ni.dll as there are multiple FPs with ntdll.dll
fix: Potentially Suspicious AccessMask Requested From LSASS - FP with Avira from Windows temp folder
fix: Rare Subscription-level Operations In Azure - Update Logsource to align with the rest of the azure rules
fix: Rundll32 Execution Without DLL File - remove non-essential ParentCommandLine dependency in filter
fix: Schtasks Creation Or Modification With SYSTEM Privileges - remove non-essential ParentImage dependency in filter
fix: Suspicious Elevated System Shell - FP with Avira update utility
fix: Suspicious Elevated System Shell - remove non-essential ParentImage dependency in filter
fix: Suspicious Shim Database Installation via Sdbinst.EXE - FP with another sdbinst execution by svchost
fix: Suspicious Sysmon as Execution Parent - add WERFaultSecure.exe as exception
fix: System File Execution Location Anomaly - add pwsh 7 preview path as exception

Acknowledgement

Thanks to @frack113, @netgrain, @cyb3rjy0t, @greg-workspace, @mbabinski, @nasbench, @Neo23x0, @phantinuss, @swachchhanda000, @ThureinOo, @br4dy5 for their contribution to this release

Which Sigma rule package should I use?

A detailed explanation can be found in the Releases.md file. If you are new to Sigma, we recommend starting with the "Core" ruleset.

The latest release package on GitHub can always be found here.

Contributors

$@frack113$

Neo23x0, nasbench, and 9 other contributors

Assets 7

09 Oct 10:04

github-actions

r2023-10-09

889aae6

Release r2023-10-09

New Rules

new: ADS Zone.Identifier Deleted
new: ADS Zone.Identifier Deleted By Uncommon Application
new: AWS Identity Center Identity Provider Change
new: Access To .Reg/.Hive Files By Uncommon Application
new: Activity From Anonymous IP Address
new: AddinUtil.EXE Execution From Uncommon Directory
new: Anomalous User Activity
new: Application Terminated Via Wmic.EXE
new: Atypical Travel
new: Azure AD Account Credential Leaked
new: Azure AD Threat Intelligence
new: Browser Execution In Headless Mode
new: CVE-2023-38331 Exploitation Attempt - Suspicious Double Extension File
new: CVE-2023-38331 Exploitation Attempt - Suspicious WinRAR Child Process
new: CVE-2023-40477 Potential Exploitation - .REV File Creation
new: CVE-2023-40477 Potential Exploitation - WinRAR Application Crash
new: Chromium Browser Headless Execution To Mockbin Like Site
new: DMP/HDMP File Creation
new: DarkGate User Created Via Net.EXE
new: Disabling Multi Factor Authenication
new: Diskshadow Child Process Spawned
new: Diskshadow Script Mode - Execution From Potential Suspicious Location
new: Diskshadow Script Mode - Uncommon Script Extension Execution
new: ESXi Account Creation Via ESXCLI
new: ESXi Admin Permission Assigned To Account Via ESXCLI
new: ESXi Network Configuration Discovery Via ESXCLI
new: ESXi Storage Information Discovery Via ESXCLI
new: ESXi Syslog Configuration Change Via ESXCLI
new: ESXi System Information Discovery Via ESXCLI
new: ESXi VM Kill Via ESXCLI
new: ESXi VM List Discovery Via ESXCLI
new: ESXi VSAN Information Discovery Via ESXCLI
new: Hypervisor Enforced Code Integrity Disabled
new: IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols
new: IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols Via CLI
new: IcedID Malware Suspicious Single Digit DLL Execution Via Rundll32
new: Impossible Travel
new: Invalid PIM License
new: LOL-Binary Copied From System Directory
new: LSASS Dump Keyword In CommandLine
new: Malicious Driver Load
new: Malicious Driver Load By Name
new: Malicious IP Address Sign-In Failure Rate
new: Malicious IP Address Sign-In Suspicious
new: Network Connection Initiated By AddinUtil.EXE
new: New Country
new: New Federated Domain Added
new: Okta Identity Provider Created
new: Okta New Admin Console Behaviours
new: Okta Suspicious Activity Reported by End-user
new: Okta User Session Start Via An Anonymising Proxy Service
new: Old TLS1.0/TLS1.1 Protocol Version Enabled
new: Password Spray Activity
new: Potentially Suspicious Child Process Of DiskShadow.EXE
new: Potentially Suspicious Child Process Of WinRAR.EXE
new: Potentially Suspicious DMP/HDMP File Creation
new: Potentially Suspicious Electron Application CommandLine
new: Primary Refresh Token Access Attempt
new: Remote Access Tool - ScreenConnect Command Execution
new: Remote Access Tool - ScreenConnect File Transfer
new: Remote Access Tool - ScreenConnect Remote Command Execution
new: Remote Access Tool - ScreenConnect Temporary File
new: Remote DLL Load Via Rundll32.EXE
new: Renamed CURL.EXE Execution
new: Roles Activated Too Frequently
new: Roles Activation Doesn't Require MFA
new: Roles Are Not Being Used
new: Roles Assigned Outside PIM
new: SAML Token Issuer Anomaly
new: Sign-In From Malware Infected IP
new: Stale Accounts In A Privileged Role
new: Suspicious AddinUtil.EXE CommandLine Execution
new: Suspicious Browser Activity
new: Suspicious Inbox Forwarding Identity Protection
new: Suspicious Inbox Manipulation Rules
new: Too Many Global Admins
new: Uncommon AddinUtil.EXE CommandLine Execution
new: Uncommon Child Process Of AddinUtil.EXE
new: Unfamiliar Sign-In Properties
new: VMMap Signed Dbghelp.DLL Potential Sideloading
new: Vulnerable Driver Load
new: Vulnerable Driver Load By Name

Updated Rules

update: 7Zip Compressing Dump Files - Increase coverage
update: 7Zip Compressing Dump Files - Reduce level
update: Access To Browser Credential Files By Uncommon Application
update: Access To Windows Credential History File By Uncommon Application
update: Access To Windows DPAPI Master Keys By Uncommon Application
update: Added some bypass methods used by SQLI Injectors.
update: Amsi.DLL Loaded Via LOLBIN Process - Reduce level to medium
update: COM Hijack via Sdclt - Fix Logic
update: Copy .DMP/.DUMP Files From Remote Share Via Cmd.EXE - Increase coverage
update: Creation of an Executable by an Executable - Fix FP
update: Credential Manager Access By Uncommon Application
update: DLL Load By System Process From Suspicious Locations - Reduce level to medium
update: DNS Query Request By Regsvr32.EXE - Reduce level to medium
update: DNS Query To MEGA Hosting Website - DNS Client - Update title and reduce level to medium
update: DNS Query To MEGA Hosting Website - Reduce level to low and update metadata
update: DNS Query To Remote Access Software Domain From Non-Browser App - Increase coverage with new domains
update: DNS Query To Ufile.io - DNS Client - Update title and reduce level to low
update: DNS Query To Ufile.io - Update title and reduce level to low
update: DNS Query Tor .Onion Address - Sysmon - Update title
update: DNS Server Discovery Via LDAP Query - Reduce level to low and update FP filters
update: Detects path traversal exploitation attempts - Increase coverage
update: Detects sql injection exploitation attempts - Increase coverage
update: Diskshadow Script Mode Execution
update: DriverQuery.EXE Execution - Increase coverage
update: File Download From Browser Process Via Inline Link
update: Fsutil Suspicious Invocation - add "setZeroData" coverage
update: Greedy File Deletion Using Del - Increase coverage
update: LOLBIN Execution From Abnormal Drive
update: LSASS Memory Dump File Creation - Deprecated
update: LSASS Process Memory Dump Files - Add PPLBlade default dump file indicator
update: Leviathan Registry Key Activity - Fix logic
update: Linux Network Service Scanning - Auditd - Update coverage to add ncat and nc.openbsd
update: Network Connection Initiated By Regsvr32.EXE - Reduce level to medium and metadata update
update: New Federated Domain Added - Exchange
update: New Firewall Rule Added In Windows Firewall Exception List - update logic
update: Non Interactive PowerShell Process Spawned - Increase coverage
update: Ntdsutil Abuse - Update ATT&CK tags
update: OceanLotus Registry Activity - Fix Logic
update: Office Application Startup - Office Test - Fix Logic
update: OneNote Attachment File Dropped In Suspicious Location - Fix FP
update: Potential Browser Data Stealing - Increase coverage with more browsers
update: Potential Dead Drop Resolvers - Increase coverage with new domains
update: Potential Persistence Via COM Hijacking From Suspicious Locations - Increase coverage and fix logic
update: Potential Persistence Via COM Search Order Hijacking - Fix Logic
update: Potential Process Hollowing Activity - Update FP filters
update: Potential Recon Activity Using DriverQuery.EXE - Increase coverage
update: Potential Unquoted Service Path Reconnaissance Via Wmic.EXE - Reduce level to medium
update: Potentially Suspicious Compression Tool Parameters
update: Potentially Suspicious Event Viewer Child Process - Update metadata
update: Potentially Suspicious Windows App Activity - Fix FP, increase coverage and reduce level
update: PowerShell Initiated Network Connection - Update description
update: PowerShell Module File Created By Non-PowerShell Process - Fix FP
update: PsExec Tool Execution From Suspicious Locations - PipeName - Reduce level to medium
update: Python Image Load By Non-Python Process - Update description and title
update: Python Initiated Connection - Update FP filter
update: Qakbot Uninstaller Execution - add new hashes
update: Remote Thread Creation By Uncommon Source Image - Update FP filter
update: Renamed AutoIt Execution - Increase coverage
update: Rundll32 Execution Without CommandLine Parameters - Add CLI variations
update: Suspicious Child Process Of Manage Engine ServiceDesk
update: Suspicious Chromium Browser Instance Executed With Custom Extensions - Increase coverage
update: Suspicious Copy From or To System Directory - Add new folder "WinSxS"
update: Suspicious Electron Application Child Processes - Increase coverage
update: Suspicious Scripting in a WMI Consumer - update logic
update: Suspicious WebDav Client Execution Via Rundll32.EXE - New Title
update: Sysinternals Tools AppX Versions Execution - Reduce level to low
update: Sysmon Blocked Executable - Update logsource
update: UAC Bypass via Event Viewer - Fix Logic
update: UNC2452 Process Creation Patterns - Fix logic
update: Usage Of Malicious POORTRY Signed Driver - Deprecated
update: VMMap Unsigned Dbghelp.DLL Potential Sideloading
update: Vulnerable AVAST Anti Rootkit Driver Load - Deprecated
update: Vulnerable Dell BIOS Update Driver Load - Deprecated
update: Vulnerable Driver Load By Name - Deprecated
update: Vulnerable GIGABYTE Driver Load - Deprecated
update: Vulnerable HW Driver Load - Deprecated
update: Vulnerable Lenovo Driver Load - Deprecated
update: WebDav Client Execution Via Rundll32.EXE
update: Windows Update Error - Reduce level to informational and status to stable
update: Winrar Compressing Dump Files - Increase Coverage
update: Winrar Execution in Non-Standard Folder
update: Wscript Execution from Non C Drive - ...