github SigmaHQ/sigma r2023-10-23
Release r2023-10-23

latest releases: r2024-11-10, r2024-09-02, r2024-07-17...
13 months ago

New Rules

  • new: BlueSky Ransomware Artefacts
  • new: Certificate Use With No Strong Mapping
  • new: DarkGate - Autoit3.EXE Execution Parameters
  • new: DarkGate - Autoit3.EXE File Creation By Uncommon Process
  • new: File Download From IP Based URL Via CertOC.EXE
  • new: File Download From IP URL Via Curl.EXE
  • new: HackTool - CoercedPotato Execution
  • new: HackTool - CoercedPotato Named Pipe Creation
  • new: LSASS Process Memory Dump Creation Via Taskmgr.EXE
  • new: Lazarus APT DLL Sideloading Activity
  • new: MSSQL Server Failed Logon
  • new: MSSQL Server Failed Logon From External Network
  • new: Mail Forwarding/Redirecting Activity In O365
  • new: Potential CVE-2023-27363 Exploitation - HTA File Creation By FoxitPDFReader
  • new: Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream
  • new: Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream - CLI
  • new: Potential Information Discolosure CVE-2023-43261 Exploitation - Proxy
  • new: Potential Information Discolosure CVE-2023-43261 Exploitation - Web
  • new: PowerShell Script Execution Policy Enabled
  • new: Regsvr32.EXE Calling of DllRegisterServer Export Function Implicitly
  • new: Rundll32.EXE Calling DllRegisterServer Export Function Explicitly

Updated Rules

  • update: ADSI-Cache File Creation By Uncommon Tool
  • update: Alternate PowerShell Hosts Pipe
  • update: Arbitrary File Download Via GfxDownloadWrapper.EXE
  • update: DarkGate - User Created Via Net.EXE
  • update: File Download via CertOC.EXE
  • update: Files With System Process Name In Unsuspected Locations
  • update: PSScriptPolicyTest Creation By Uncommon Process
  • update: Potential PowerShell Execution Policy Tampering
  • update: Potential Webshell Creation On Static Website - Increase coverage with new extensions.
  • update: Potentially Suspicious Office Document Executed From Trusted Location
  • update: PowerShell Module File Created By Non-PowerShell Process
  • update: PowerShell Profile Modification
  • update: Remote Thread Creation By Uncommon Source Image
  • update: Remote Thread Creation In Uncommon Target Image
  • update: Renamed CURL.EXE Execution - Extended filter
  • update: Suspicious File Download From IP Via Curl.EXE
  • update: Suspicious LNK Double Extension File Created

Fixed Rules

  • fix: Azure Active Directory Hybrid Health AD FS New Server - Update Logsource to align with the rest of the azure rules
  • fix: Azure Active Directory Hybrid Health AD FS Service Delete - Update Logsource to align with the rest of the azure rules
  • fix: Control Panel Items - FP with command line observed from taskhost.exe
  • fix: Direct Syscall of NtOpenProcess - FP with another Firefox process and removing drive letters
  • fix: Direct Syscall of NtOpenProcess - falsepositives meta data
  • fix: Execution of Suspicious File Type Extension - FP with OpenOffice
  • fix: Google Workspace Application Removed - Update logsource product field to gcp
  • fix: Google Workspace Granted Domain API Access - Update logsource product field to gcp
  • fix: Google Workspace MFA Disabled - Update logsource product field to gcp
  • fix: Google Workspace Role Modified or Deleted - Update logsource product field to gcp
  • fix: Google Workspace Role Privilege Deleted - Update logsource product field to gcp
  • fix: Google Workspace User Granted Admin Privileges - Update logsource product field to gcp
  • fix: Granting Of Permissions To An Account - Update Logsource to align with the rest of the azure rules
  • fix: Number Of Resource Creation Or Deployment Activities - Update Logsource to align with the rest of the azure rules
  • fix: Potential Shellcode Injection - remove System.ni.dll as there are multiple FPs with ntdll.dll
  • fix: Potentially Suspicious AccessMask Requested From LSASS - FP with Avira from Windows temp folder
  • fix: Rare Subscription-level Operations In Azure - Update Logsource to align with the rest of the azure rules
  • fix: Rundll32 Execution Without DLL File - remove non-essential ParentCommandLine dependency in filter
  • fix: Schtasks Creation Or Modification With SYSTEM Privileges - remove non-essential ParentImage dependency in filter
  • fix: Suspicious Elevated System Shell - FP with Avira update utility
  • fix: Suspicious Elevated System Shell - remove non-essential ParentImage dependency in filter
  • fix: Suspicious Shim Database Installation via Sdbinst.EXE - FP with another sdbinst execution by svchost
  • fix: Suspicious Sysmon as Execution Parent - add WERFaultSecure.exe as exception
  • fix: System File Execution Location Anomaly - add pwsh 7 preview path as exception

Acknowledgement

Thanks to @frack113, @netgrain, @cyb3rjy0t, @greg-workspace, @mbabinski, @nasbench, @Neo23x0, @phantinuss, @swachchhanda000, @ThureinOo, @br4dy5 for their contribution to this release

Which Sigma rule package should I use?

A detailed explanation can be found in the Releases.md file. If you are new to Sigma, we recommend starting with the "Core" ruleset.

The latest release package on GitHub can always be found here.

Don't miss a new sigma release

NewReleases is sending notifications on new releases.