## New Rules
- new: CVE-2023-4966 Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Proxy
- new: CVE-2023-4966 Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Webserver
- new: CVE-2023-4966 Potential Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Proxy
- new: CVE-2023-4966 Potential Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Webserver
- new: Chromium Browser Instance Executed With Custom Extension
- new: Credential Dumping Activity By Python Based Tool
- new: Exploitation Attempt Of CVE-2023-46214 Using Public POC Code
- new: HackTool - Generic Process Access
- new: HackTool - WinPwn Execution
- new: HackTool - WinPwn Execution - ScriptBlock
- new: Invocation Of Crypto-Classes From The "Cryptography" PowerShell Namespace
- new: Load Of RstrtMgr DLL From Suspicious Process
- new: Load Of RstrtMgr.DLL By An Uncommon Process
- new: New Netsh Helper DLL Registered From A Suspicious Location
- new: Potential CVE-2023-46214 Exploitation Attempt
- new: Potential Linux Process Code Injection Via DD Utility
- new: Potential Persistence Via Netsh Helper DLL - Registry
- new: Registry Set With Crypto-Classes From The "Cryptography" PowerShell Namespace
- new: Suspicious Path In Keyboard Layout IME File Registry Value
- new: Uncommon Extension In Keyboard Layout IME File Registry Value
- new: Wusa.EXE Executed By Parent Process Located In Suspicious Location
## Updated Rules
- update: Credential Dumping Activity Via Lsass - Update selection to increase coverage and filters to tune false positives
- update: Credential Dumping Attempt Via WerFault - Update title
- update: Enabling COR Profiler Environment Variables - Add additional values to increase coverage for potential COR CLR profiler abuse
- update: Exchange Exploitation Used by HAFNIUM - Add related ATT&CK group tag
- update: Function Call From Undocumented COM Interface EditionUpgradeManager - Reduce level to medium
- update: HackTool - CobaltStrike BOF Injection Pattern - Update title
- update: HackTool - HandleKatz Duplicating LSASS Handle - Update title
- update: HackTool - LittleCorporal Generated Maldoc Injection - Update title
- update: HackTool - SysmonEnte Execution - Add additional location of Sysmon, update title and filters
- update: HackTool - winPEAS Execution - Add additional image names for winPEAS
- update: LSASS Access From Potentially White-Listed Processes - Update title and description
- update: LSASS Access From Program In Potentially Suspicious Folder - Update filters to take into account drives other than C:
- update: LSASS Memory Access by Tool With Dump Keyword In Name - Update title and description
- update: Lsass Memory Dump via Comsvcs DLL - Reduce level and remove path from filter to account for any location of rundll32
- update: Malware Shellcode in Verclsid Target Process - Move to hunting folder
- update: Potential Credential Dumping Attempt Via PowerShell - Reduce level to medium, update description and move to hunting folder
- update: Potential Defense Evasion Via Raw Disk Access By Uncommon Tools - Update filters and metadata
- update: Potential Operation Triangulation C2 Beaconing Activity - DNS - Add related ATT&CK group tag
- update: Potential Persistence Via Netsh Helper DLL - Reduce severity and enhance metadata
- update: Potential Process Hollowing Activity - Update FP filter
- update: Potential Shellcode Injection - Update title and enhance false positive filter
- update: Potentially Suspicious GrantedAccess Flags On LSASS -
- update: Remote LSASS Process Access Through Windows Remote Management - Update title, description and filter to account for installations on drives other than C:
- update: Suspicious Chromium Browser Instance Executed With Custom Extension - Fix typo in the rule title and description
- update: Suspicious DNS Query for IP Lookup Service APIs - Add several external IP lookup services to the existing list
- update: Suspicious Network Connection to IP Lookup Service APIs - Add several external IP lookup services to the existing list
- update: Suspicious Svchost Process Access - Enhance filter to account for installations in non-C: locations
- update: Uncommon GrantedAccess Flags On LSASS - Enhance false positive filter
- update: Wusa.EXE Extracting Cab Files From Suspicious Paths - Tune the list of paths to be less FP prone
## Removed / Deprecated Rules
- remove: Credential Dumping Tools Accessing LSASS Memory
## Fixed Rules
- fix: File or Folder Permissions Modifications - FPs with partial paths
- fix: Import New Module Via PowerShell CommandLine - Fix typo in condition
- fix: Mint Sandstorm - Log4J Wstomcat Process Execution - Add missing filter
- fix: Potential NT API Stub Patching - Tune FP filter
- fix: WMI Module Loaded By Non Uncommon Process - Fix typo in the rule filter
## Acknowledgement
Thanks to @0x616c6578, @AaronHoffmannRL, @bohops, @EzLucky, @frack113, @himynamesdave, @joshnck, @nasbench, @netgrain, @phantinuss, @qasimqlf, @skaynum, @StevenD33, @swachchhanda000, @ts-lbf, @X-Junior for their contributions to this release.
## Which Sigma rule package should I use?
A detailed explanation can be found in the Releases.md file. If you are new to Sigma, we recommend starting with the "Core" ruleset.
The latest release package on GitHub can always be found here.