New Rules
- new: Arbitrary File Download Via IMEWDBLD.EXE
- new: Arbitrary File Download Via MSEDGE_PROXY.EXE
- new: Arbitrary File Download Via Squirrel.EXE - This is a split rule from "45239e6a-b035-4aaf-b339-8ad379fcb67e"
- new: CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Linux)
- new: CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Windows)
- new: CVE-2023-22518 Exploitation Attempt - Vulnerable Endpoint Connection (Proxy)
- new: CVE-2023-22518 Exploitation Attempt - Vulnerable Endpoint Connection (Webserver)
- new: CVE-2023-46747 Exploitation Activity - Proxy
- new: CVE-2023-46747 Exploitation Activity - Webserver
- new: DNS Query To Devtunnels Domain - Split rule based on b3e6418f-7c7a-4fad-993a-93b65027a9f1
- new: EventLog Query Requests By Builtin Utilities
- new: F5 BIG-IP iControl Rest API Command Execution - Proxy
- new: F5 BIG-IP iControl Rest API Command Execution - Webserver
- new: Insensitive Subfolder Search Via Findstr.EXE
- new: Lace Tempest Cobalt Strike Download
- new: Lace Tempest File Indicators
- new: Lace Tempest Malware Loader Execution
- new: Lace Tempest PowerShell Evidence Eraser
- new: Lace Tempest PowerShell Launcher
- new: Msxsl.EXE Execution
- new: Network Connection Initiated To DevTunnels Domain
- new: Network Connection Initiated To Visual Studio Code Tunnels Domain
- new: Potential Excel.EXE DCOM Lateral Movement Via ActivateMicrosoftApp
- new: Potential File Download Via MS-AppInstaller Protocol Handler
- new: Remote File Download Via Findstr.EXE
- new: Remote XSL Execution Via Msxsl.EXE
- new: Windows Defender Exclusion Deleted
- new: Windows Defender Exclusion List Modified
- new: Windows Defender Exclusion Registry Key - Write Access Requested
Updated Rules
- update: APT User Agent - adding user agent associated with PlugX backdoor.
- update: AppX Package Installation Attempts Via AppInstaller.EXE - Update description and title
- update: Arbitrary File Download Via MSOHTMED.EXE - Update title
- update: Arbitrary File Download Via PresentationHost.EXE - Update title
- update: Communication To Ngrok Domains - Additional ngrok domains
- update: DNS Query To Visual Studio Code Tunnels Domain - Update the rule to only focus on DNS requests for VS Code tunnels and move the Devtunnels logic to a separate rule, to ease FP management for users that leverage one but not the other.
- update: Disable Internal Tools or Feature in Registry - Increase coverage by adding 2 new values, namely "NoDispCPL" and "NoDispBackground"
- update: EVTX Created In Uncommon Location - Enhance filters to cover drives other than "C:"
- update: File Download And Execution Via IEExec.EXE - Update title and description
- update: File Download From Browser Process Via Inline URL - Enhance accuracy by using the "endswith" modifier and increase coverage by adding new extensions to the list
- update: File Download Using ProtocolHandler.exe - Update logic by removing the unnecessary "selection_cli_1"
- update: File Download Via InstallUtil.EXE - Update title and description
- update: File Download Via Windows Defender MpCmpRun.EXE - Update metadata information and add additional fields to the image selection
- update: Findstr GPP Passwords - Add "find.exe" binary to increase coverage
- update: Findstr Launching .lnk File - Add "find.exe" binary to increase coverage
- update: ISO Image Mounted - Update title and add new filter
- update: LSASS Process Reconnaissance Via Findstr.EXE - Add "find.exe" binary to increase coverage
- update: Network Connection Initiated By IMEWDBLD.EXE - Update description and title
- update: Non-DLL Extension File Renamed With DLL Extension - Update title and logic
- update: Office Application Startup - Office Test - Add missing "contains" modifier
- update: Permission Misconfiguration Reconnaissance Via Findstr.EXE - Add "find.exe" binary to increase coverage
- update: Potential AD User Enumeration From Non-Machine Account - Apply additional filters to only look for Access Masks with "READ PROPERTY" values
- update: Potential NT API Stub Patching - Enhance the selection coverage by removing the "C:" prefix to cover other installation possibilities
- update: Potentially Suspicious Electron Application CommandLine - Add "msedge_proxy.exe" to list of processes
- update: Potentially Suspicious EventLog Recon Activity Using Log Query Utilities - Enhanced logic from simply covering wevtutil to covering other tools and conditions.
- update: Potentially Suspicious Wuauclt Network Connection - Change the logic to use the "CommandLine" field in order to avoid false positives
- update: Process Proxy Execution Via Squirrel.EXE - Moved the logic that covers the "download" aspect into a new rule "1e75c1cc-c5d4-42aa-ac3d-91b0b68b3b4c"
- update: Proxy Execution Via Wuauclt.EXE - Update title and enhance filters
- update: Recon Command Output Piped To Findstr.EXE - Add "find.exe" binary to increase coverage
- update: Remote Thread Creation Via PowerShell - Update selection to use endswith modifier for better coverage
- update: Remote Thread Creation Via PowerShell In Potentially Suspicious Target - Update title and add a "regsvr32" as a new additional process to increase coverage
- update: Renamed Office Binary Execution - Add new binaries and filters to increase coverage and tune FPs
- update: Security Tools Keyword Lookup Via Findstr.EXE - Add "find.exe" binary to increase coverage
- update: Suspicious Appended Extension - Enhance list of extensions
- update: Suspicious Calculator Usage - Update filter to remove the "C:" prefix, which increases coverage of other partitions
- update: Suspicious Processes Spawned by Java.EXE - Enhance process coverage by adding new processes and removing unrelated ones
- update: Suspicious Whoami.EXE Execution - Enhance the selection by using a * wildcard to account for the order and avoid FPs
- update: Sysmon Discovery Via Default Driver Altitude Using Findstr.EXE - Add "find.exe" binary to increase coverage
- update: Uncommon Child Process Of Appvlp.EXE - Update description, title and enhance false positives filters
- update: WMI Module Loaded By Non Uncommon Process - Enhance selection by making the System folders filter use a "contains" instead of an exact match
- update: Webshell Detection With Command Line Keywords - Enhance process coverage by adding new processes and removing unrelated ones
- update: XBAP Execution From Uncommon Locations Via PresentationHost.EXE - Update title and description
- update: XSL Script Execution Via WMIC.EXE - Removed the selection that covers "Msxsl" and moved it to a separate rule "9e50a8b3-dd05-4eb8-9153-bdb6b79d50b0"
- update: smbexec.py Service Installation - align with new smbexec release
Removed / Deprecated Rules
- remove: Abusing Findstr for Defense Evasion - Deprecate in favour of 2 split rules: 587254ee-a24b-4335-b3cd-065c0f1f4baa and 04936b66-3915-43ad-a8e5-809eadfd1141
- remove: Windows Update Client LOLBIN - Deprecate in favour of 52d097e2-063e-4c9c-8fbb-855c8948d135
Fixed Rules
- fix: Bad Opsec Defaults Sacrificial Processes With Improper Arguments - Add FP filter for chrome installer spawning rundll32 without arguments
- fix: Bad Opsec Defaults Sacrificial Processes With Improper Arguments - Enhance filter to account for an FP found with MS edge
- fix: Execute Code with Pester.bat - Fix a non-escaped wildcard "?"
- fix: Files With System Process Name In Unsuspected Locations - Enhance filter to cover other folder variations for Windows recovery
- fix: Portable Gpg.EXE Execution - Add new legitimate location for GnuPG
- fix: Remote Thread Creation By Uncommon Source Image - Enhance filters to avoid false positives
- fix: Rundll32 Execution Without DLL File - Remove command line restriction because of numerous FPs
- fix: Suspicious Process By Web Server Process - Remove erroneous extra asterisk
- fix: Suspicious Shim Database Installation via Sdbinst.EXE - Add "null" and "empty" filters to account for cases where the CLI is null or empty
- fix: Suspicious WmiPrvSE Child Process - Add a filter for msiexec image used to install new MSI packages via WMI process
- fix: Uncommon Userinit Child Process - Add the Citrix process cmstart to the filtered processes and make the filter stricter to avoid abuse. Also enhance the other filters by removing the "C:" notation.
Acknowledgement
Thanks to @AaronS97, @alwashali, @celalettin-turgut, @CrimpSec, @deFr0ggy, @frack113, @fukusuket, @longmdx, @lsoumille, @mezzofix, @michaelpeacock, @mtnmunuklu, @nasbench, @Neo23x0, @netgrain, @phantinuss, @qasimqlf, @rkmbaxed, @swachchhanda000, @ThureinOo, @vj-codes, @YamatoSecurity for their contribution to this release
Which Sigma rule package should I use?
A detailed explanation can be found in the Releases.md file. If you are new to Sigma, we recommend starting with the "Core" ruleset.
The latest release package on GitHub can always be found here.