github SigmaHQ/sigma r2023-11-06
Release r2023-11-06

latest releases: r2024-11-10, r2024-09-02, r2024-07-17...
12 months ago

New Rules

  • new: AWS S3 Bucket Versioning Disable
  • new: DNS Query To Devtunnels And VsCode Tunnels
  • new: Diamond Sleet APT DLL Sideloading Indicators
  • new: Diamond Sleet APT DNS Communication Indicators
  • new: Diamond Sleet APT File Creation Indicators
  • new: Diamond Sleet APT Process Activity Indicators
  • new: Diamond Sleet APT Scheduled Task Creation
  • new: Diamond Sleet APT Scheduled Task Creation - Registry
  • new: Enable Remote Connection Between Anonymous Computer - AllowAnonymousCallback
  • new: Exploitation Indicators Of CVE-2023-20198
  • new: New Okta User Created
  • new: Okta 2023 Breach Indicator Of Compromise
  • new: Okta Admin Functions Access Through Proxy
  • new: Okta Password Health Report Query
  • new: Onyx Sleet APT File Creation Indicators
  • new: Potential Pikabot C2 Activity - Suspicious Process Created By Rundll32.EXE
  • new: Potential Pikabot Discovery Activity - Suspicious Process Created By Rundll32.EXE
  • new: Potential Pikabot Hollowing Activity - Suspicious Process Created By Rundll32.EXE
  • new: Renamed Visual Studio Code Tunnel Execution
  • new: Renamed VsCode Code Tunnel Execution - File Indicator
  • new: Security Tools Keyword Lookup Via Findstr.EXE
  • new: Suspicious Unsigned Thor Scanner Execution
  • new: Visual Studio Code Tunnel Execution
  • new: Visual Studio Code Tunnel Remote File Creation
  • new: Visual Studio Code Tunnel Service Installation
  • new: Visual Studio Code Tunnel Shell Execution
  • new: VsCode Code Tunnel Execution File Indicator

Updated Rules

  • update: Antivirus PrinterNightmare CVE-2021-34527 Exploit Detection
  • update: Antivirus Relevant File Paths Alerts
  • update: Csc.EXE Execution Form Potentially Suspicious Parent - add more MS Office tools, suspicious locations and filter known FPs
  • update: Delete Volume Shadow Copies Via WMI With PowerShell
  • update: Dump Ntds.dit To Suspicious Location
  • update: Dynamic .NET Compilation Via Csc.EXE - add more suspicious locations
  • update: HackTool - CrackMapExec - Fix logic
  • update: Linux HackTool Execution - Increase coverage by adding more tools
  • update: Linux Network Service Scanning Tools Execution - Increase coverage by adding more tools
  • update: MSI Installation From Suspicious Locations
  • update: Malware User Agent - Increase UAs coverage
  • update: Netcat The Powershell Version
  • update: Obfuscated IP Download Activity - increase coverage for more types of obfuscation and fix logic
  • update: Obfuscated IP Via CLI - increase coverage for more types of obfuscation and fix logic
  • update: Okta New Admin Console Behaviours - Field notation
  • update: Port Forwarding Activity Via SSH.EXE - Increase coverage
  • update: Potential Information Disclosure CVE-2023-43261 Exploitation - Proxy - Fix typo in rule title
  • update: Potential Information Disclosure CVE-2023-43261 Exploitation - Web - Fix typo in rule title
  • update: Potential Okta Password in AlternateID Field - Field notation
  • update: Potential SPN Enumeration Via Setspn.EXE - Increase coverage by adding /q switch
  • update: Potentially Suspicious Cabinet File Expansion - Increase coverage
  • update: Potentially Suspicious Child Process Of VsCode
  • update: PowerShell Called from an Executable Version Mismatch
  • update: PowerShell Downgrade Attack - PowerShell
  • update: PowerShell Profile Modification - Reduce rule level to medium
  • update: Recon Command Output Piped To Findstr.EXE - Logic re-write
  • update: Registry Persistence via Service in Safe Mode - Fix typo in title
  • update: Remote PowerShell Session (PS Classic)
  • update: Renamed Powershell Under Powershell Channel
  • update: Security Software Discovery Via Powershell Script - Enhance logic, increase level to medium and demote to experimental
  • update: Suspicious File Creation Activity From Fake Recycle.Bin Folder - Increase coverage
  • update: Suspicious Non PowerShell WSMAN COM Provider
  • update: Suspicious PowerShell Download
  • update: Suspicious Process Execution From Fake Recycle.Bin Folder - Increase coverage
  • update: Suspicious XOR Encoded PowerShell Command Line - PowerShell
  • update: Tamper Windows Defender - PSClassic
  • update: Uncommon PowerShell Hosts
  • update: Use Get-NetTCPConnection
  • update: Weak or Abused Passwords In CLI - Increase coverage
  • update: Zip A Folder With PowerShell For Staging In Temp - PowerShell

Fixed Rules

  • fix: Creation of an Executable by an Executable
  • fix: File or Folder Permissions Modifications
  • fix: Import New Module Via PowerShell CommandLine
  • fix: Potential Active Directory Reconnaissance/Enumeration Via LDAP - Update logsource
  • fix: Potential System DLL Sideloading From Non System Locations
  • fix: Process Terminated Via Taskkill
  • fix: Suspicious Non-Browser Network Communication With Google API - Fix escaped wildcard issue and Update modifiers
  • fix: Suspicious Sysmon as Execution Parent - Typo and restructure
  • fix: Uncommon PowerShell Hosts - Fix escaped wildcard issue

Acknowledgement

Thanks to @citronninja, @EzLucky, @faisalusuf, @frack113, @fukusuket, @gs3cl, @nasbench, @netgrain, @phantinuss, @sifex, @sj-sec, @tjgeorgen, @ts-lbf, @Tuutaans, @wagga40, @X-Junior for their contribution to this release

Which Sigma rule package should I use?

A detailed explanation can be found in the Releases.md file. If you are new to Sigma, we recommend starting with the "Core" ruleset.

The latest release package on GitHub can always be found here.

Don't miss a new sigma release

NewReleases is sending notifications on new releases.