SigmaHQ/sigma Release r2023-10-09


New Rules

  • new: ADS Zone.Identifier Deleted
  • new: ADS Zone.Identifier Deleted By Uncommon Application
  • new: AWS Identity Center Identity Provider Change
  • new: Access To .Reg/.Hive Files By Uncommon Application
  • new: Activity From Anonymous IP Address
  • new: AddinUtil.EXE Execution From Uncommon Directory
  • new: Anomalous User Activity
  • new: Application Terminated Via Wmic.EXE
  • new: Atypical Travel
  • new: Azure AD Account Credential Leaked
  • new: Azure AD Threat Intelligence
  • new: Browser Execution In Headless Mode
  • new: CVE-2023-38331 Exploitation Attempt - Suspicious Double Extension File
  • new: CVE-2023-38331 Exploitation Attempt - Suspicious WinRAR Child Process
  • new: CVE-2023-40477 Potential Exploitation - .REV File Creation
  • new: CVE-2023-40477 Potential Exploitation - WinRAR Application Crash
  • new: Chromium Browser Headless Execution To Mockbin Like Site
  • new: DMP/HDMP File Creation
  • new: DarkGate User Created Via Net.EXE
  • new: Disabling Multi Factor Authentication
  • new: Diskshadow Child Process Spawned
  • new: Diskshadow Script Mode - Execution From Potential Suspicious Location
  • new: Diskshadow Script Mode - Uncommon Script Extension Execution
  • new: ESXi Account Creation Via ESXCLI
  • new: ESXi Admin Permission Assigned To Account Via ESXCLI
  • new: ESXi Network Configuration Discovery Via ESXCLI
  • new: ESXi Storage Information Discovery Via ESXCLI
  • new: ESXi Syslog Configuration Change Via ESXCLI
  • new: ESXi System Information Discovery Via ESXCLI
  • new: ESXi VM Kill Via ESXCLI
  • new: ESXi VM List Discovery Via ESXCLI
  • new: ESXi VSAN Information Discovery Via ESXCLI
  • new: Hypervisor Enforced Code Integrity Disabled
  • new: IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols
  • new: IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols Via CLI
  • new: IcedID Malware Suspicious Single Digit DLL Execution Via Rundll32
  • new: Impossible Travel
  • new: Invalid PIM License
  • new: LOL-Binary Copied From System Directory
  • new: LSASS Dump Keyword In CommandLine
  • new: Malicious Driver Load
  • new: Malicious Driver Load By Name
  • new: Malicious IP Address Sign-In Failure Rate
  • new: Malicious IP Address Sign-In Suspicious
  • new: Network Connection Initiated By AddinUtil.EXE
  • new: New Country
  • new: New Federated Domain Added
  • new: Okta Identity Provider Created
  • new: Okta New Admin Console Behaviours
  • new: Okta Suspicious Activity Reported by End-user
  • new: Okta User Session Start Via An Anonymising Proxy Service
  • new: Old TLS1.0/TLS1.1 Protocol Version Enabled
  • new: Password Spray Activity
  • new: Potentially Suspicious Child Process Of DiskShadow.EXE
  • new: Potentially Suspicious Child Process Of WinRAR.EXE
  • new: Potentially Suspicious DMP/HDMP File Creation
  • new: Potentially Suspicious Electron Application CommandLine
  • new: Primary Refresh Token Access Attempt
  • new: Remote Access Tool - ScreenConnect Command Execution
  • new: Remote Access Tool - ScreenConnect File Transfer
  • new: Remote Access Tool - ScreenConnect Remote Command Execution
  • new: Remote Access Tool - ScreenConnect Temporary File
  • new: Remote DLL Load Via Rundll32.EXE
  • new: Renamed CURL.EXE Execution
  • new: Roles Activated Too Frequently
  • new: Roles Activation Doesn't Require MFA
  • new: Roles Are Not Being Used
  • new: Roles Assigned Outside PIM
  • new: SAML Token Issuer Anomaly
  • new: Sign-In From Malware Infected IP
  • new: Stale Accounts In A Privileged Role
  • new: Suspicious AddinUtil.EXE CommandLine Execution
  • new: Suspicious Browser Activity
  • new: Suspicious Inbox Forwarding Identity Protection
  • new: Suspicious Inbox Manipulation Rules
  • new: Too Many Global Admins
  • new: Uncommon AddinUtil.EXE CommandLine Execution
  • new: Uncommon Child Process Of AddinUtil.EXE
  • new: Unfamiliar Sign-In Properties
  • new: VMMap Signed Dbghelp.DLL Potential Sideloading
  • new: Vulnerable Driver Load
  • new: Vulnerable Driver Load By Name

Updated Rules

  • update: 7Zip Compressing Dump Files - Increase coverage
  • update: 7Zip Compressing Dump Files - Reduce level
  • update: Access To Browser Credential Files By Uncommon Application
  • update: Access To Windows Credential History File By Uncommon Application
  • update: Access To Windows DPAPI Master Keys By Uncommon Application
  • update: Added some bypass methods used by SQLI Injectors.
  • update: Amsi.DLL Loaded Via LOLBIN Process - Reduce level to medium
  • update: COM Hijack via Sdclt - Fix Logic
  • update: Copy .DMP/.DUMP Files From Remote Share Via Cmd.EXE - Increase coverage
  • update: Creation of an Executable by an Executable - Fix FP
  • update: Credential Manager Access By Uncommon Application
  • update: DLL Load By System Process From Suspicious Locations - Reduce level to medium
  • update: DNS Query Request By Regsvr32.EXE - Reduce level to medium
  • update: DNS Query To MEGA Hosting Website - DNS Client - Update title and reduce level to medium
  • update: DNS Query To MEGA Hosting Website - Reduce level to low and update metadata
  • update: DNS Query To Remote Access Software Domain From Non-Browser App - Increase coverage with new domains
  • update: DNS Query To Ufile.io - DNS Client - Update title and reduce level to low
  • update: DNS Query To Ufile.io - Update title and reduce level to low
  • update: DNS Query Tor .Onion Address - Sysmon - Update title
  • update: DNS Server Discovery Via LDAP Query - Reduce level to low and update FP filters
  • update: Detects path traversal exploitation attempts - Increase coverage
  • update: Detects sql injection exploitation attempts - Increase coverage
  • update: Diskshadow Script Mode Execution
  • update: DriverQuery.EXE Execution - Increase coverage
  • update: File Download From Browser Process Via Inline Link
  • update: Fsutil Suspicious Invocation - add "setZeroData" coverage
  • update: Greedy File Deletion Using Del - Increase coverage
  • update: LOLBIN Execution From Abnormal Drive
  • update: LSASS Memory Dump File Creation - Deprecated
  • update: LSASS Process Memory Dump Files - Add PPLBlade default dump file indicator
  • update: Leviathan Registry Key Activity - Fix logic
  • update: Linux Network Service Scanning - Auditd - Update coverage to add ncat and nc.openbsd
  • update: Network Connection Initiated By Regsvr32.EXE - Reduce level to medium and metadata update
  • update: New Federated Domain Added - Exchange
  • update: New Firewall Rule Added In Windows Firewall Exception List - update logic
  • update: Non Interactive PowerShell Process Spawned - Increase coverage
  • update: Ntdsutil Abuse - Update ATT&CK tags
  • update: OceanLotus Registry Activity - Fix Logic
  • update: Office Application Startup - Office Test - Fix Logic
  • update: OneNote Attachment File Dropped In Suspicious Location - Fix FP
  • update: Potential Browser Data Stealing - Increase coverage with more browsers
  • update: Potential Dead Drop Resolvers - Increase coverage with new domains
  • update: Potential Persistence Via COM Hijacking From Suspicious Locations - Increase coverage and fix logic
  • update: Potential Persistence Via COM Search Order Hijacking - Fix Logic
  • update: Potential Process Hollowing Activity - Update FP filters
  • update: Potential Recon Activity Using DriverQuery.EXE - Increase coverage
  • update: Potential Unquoted Service Path Reconnaissance Via Wmic.EXE - Reduce level to medium
  • update: Potentially Suspicious Compression Tool Parameters
  • update: Potentially Suspicious Event Viewer Child Process - Update metadata
  • update: Potentially Suspicious Windows App Activity - Fix FP, increase coverage and reduce level
  • update: PowerShell Initiated Network Connection - Update description
  • update: PowerShell Module File Created By Non-PowerShell Process - Fix FP
  • update: PsExec Tool Execution From Suspicious Locations - PipeName - Reduce level to medium
  • update: Python Image Load By Non-Python Process - Update description and title
  • update: Python Initiated Connection - Update FP filter
  • update: Qakbot Uninstaller Execution - add new hashes
  • update: Remote Thread Creation By Uncommon Source Image - Update FP filter
  • update: Renamed AutoIt Execution - Increase coverage
  • update: Rundll32 Execution Without CommandLine Parameters - Add CLI variations
  • update: Suspicious Child Process Of Manage Engine ServiceDesk
  • update: Suspicious Chromium Browser Instance Executed With Custom Extensions - Increase coverage
  • update: Suspicious Copy From or To System Directory - Add new folder "WinSxS"
  • update: Suspicious Electron Application Child Processes - Increase coverage
  • update: Suspicious Scripting in a WMI Consumer - update logic
  • update: Suspicious WebDav Client Execution Via Rundll32.EXE - New Title
  • update: Sysinternals Tools AppX Versions Execution - Reduce level to low
  • update: Sysmon Blocked Executable - Update logsource
  • update: UAC Bypass via Event Viewer - Fix Logic
  • update: UNC2452 Process Creation Patterns - Fix logic
  • update: Usage Of Malicious POORTRY Signed Driver - Deprecated
  • update: VMMap Unsigned Dbghelp.DLL Potential Sideloading
  • update: Vulnerable AVAST Anti Rootkit Driver Load - Deprecated
  • update: Vulnerable Dell BIOS Update Driver Load - Deprecated
  • update: Vulnerable Driver Load By Name - Deprecated
  • update: Vulnerable GIGABYTE Driver Load - Deprecated
  • update: Vulnerable HW Driver Load - Deprecated
  • update: Vulnerable Lenovo Driver Load - Deprecated
  • update: WebDav Client Execution Via Rundll32.EXE
  • update: Windows Update Error - Reduce level to informational and status to stable
  • update: Winrar Compressing Dump Files - Increase Coverage
  • update: Winrar Execution in Non-Standard Folder
  • update: Wscript Execution from Non C Drive - Deprecated

Fixed Rules

  • fix: Disabling Multi Factor Authentication - Fix typo in title, description and detection logic
  • fix: Files With System Process Name In Unsuspected Locations - FP with wuaucltcore
  • fix: Generic Password Dumper Activity on LSASS - FP with GoogleUpdate.exe
  • fix: Potential CVE-2023-36874 Exploitation - Fake Wermgr.Exe Creation - FP with $WinREAgent folder
  • fix: Potential Dead Drop Resolvers - FP with chrome/FF being installed in appdata
  • fix: Rundll32 Execution Without DLL File - FP with another zzzzInvokeManagedCustomActionOutOfProc MSI installer
  • fix: Search-ms and WebDAV Suspicious Indicators in URL - use explicit CIDR notation for loopback
  • fix: Suspicious Elevated System Shell
  • fix: Suspicious Elevated System Shell - False positives during updates presumably
  • fix: Suspicious Elevated System Shell - False positives from CompatTelRunner
  • fix: Suspicious Elevated System Shell - update FP for improved script that causes a FP
  • fix: Suspicious Epmap Connection - FP with unknown process
  • fix: Suspicious Epmap Connection - Fix false positives found with null and empty values
  • fix: Suspicious Shim Database Installation via Sdbinst.EXE - FP with being started as a background service
  • fix: Suspicious Sysmon as Execution Parent - Add null value edge case

Acknowledgement

Thanks to @alwashali, @cyb3rjy0t, @frack113, @gleeiamglo, @GtUGtHGtNDtEUaE, @kelnage, @kidrek, @MarkMorow, @Mladia, @nasbench, @Neo23x0, @phantinuss, @redteampanda-ng, @RobertSchull, @sanjay900, @securepeacock, @SILJAEUROPA, @ThureinOo, @tjgeorgen, @Uglybeard, @veramine, @wagga40, @WTFender for their contributions to this release.

Which Sigma rule package should I use?

A detailed explanation can be found in the Releases.md file. If you are new to Sigma, we recommend starting with the "Core" ruleset.
