New Rules
- new: Binary Proxy Execution Via Dotnet-Trace.EXE
- new: Forfiles.EXE Child Process Masquerading
- new: GCP Access Policy Deleted
- new: GCP Break-glass Container Workload Deployed
- new: Google Workspace Application Access Levels Modified
- new: HackTool - EDRSilencer Execution
- new: HackTool - NoFilter Execution
- new: PUA - PingCastle Execution
- new: PUA - PingCastle Execution From Potentially Suspicious Parent
- new: Peach Sandstorm APT Process Activity Indicators
- new: Potential Peach Sandstorm APT C2 Communication Activity
- new: Potential Persistence Via AppCompat RegisterAppRestart Layer
- new: Potential Pikabot Infection - Suspicious Command Combinations Via Cmd.EXE
- new: Renamed PingCastle Binary Execution
- new: System Control Panel Item Loaded From Uncommon Location
- new: System Information Discovery Using System_Profiler
- new: System Integrity Protection (SIP) Disabled
- new: System Integrity Protection (SIP) Enumeration
- new: Windows Filtering Platform Blocked Connection From EDR Agent Binary
Updated Rules
- update: Creation Of Non-Existent System DLL - Remove the drive anchor and the System32 filter. The reason is that an attacker can copy the file elsewhere and then use a system utility located in the System32 folder, such as copy or xcopy, to create it again, which would bypass the rule.
- update: Findstr Launching .lnk File - Increase coverage by adding cases where the commandline ends with a double or a single quote.
- update: Forfiles Command Execution - Remove unnecessary selection and enhance metadata information
- update: Hacktool Execution - Imphash - Add additional imphash values to increase coverage
- update: Hacktool Named File Stream Created - Added new Imphash values for EDRSandBlast, EDRSilencer and Forensia utilities.
- update: Hypervisor Enforced Code Integrity Disabled - Add additional path for the HVCI config
- update: Potential DLL Sideloading Of Non-Existent DLLs From System Folders - Add SignatureStatus in the filter to exclude only valid signatures and decrease bypass.
- update: Potential Persistence Via MyComputer Registry Keys - Remove SOFTWARE registry key anchor to increase coverage for WOW6432Node cases
- update: Potential System DLL Sideloading From Non System Locations - Add iernonce.dll
- update: Potential System DLL Sideloading From Non System Locations - Remove the drive anchor from the filter to catch cases where the system is installed on a drive other than the default C:
- update: Powershell Defender Disable Scan Feature - Add additional PowerShell MpPreference Cmdlets
- update: Remote PowerShell Session (PS Classic) - Reduce level to low
- update: Screen Capture Activity Via Psr.EXE - Add -start commandline variation
- update: System Information Discovery Using Ioreg - Enhance coverage with additional flags and CLI options
- update: Tamper Windows Defender - PSClassic - Add additional PowerShell MpPreference Cmdlets
- update: Tamper Windows Defender - ScriptBlockLogging - Add additional PowerShell MpPreference Cmdlets
- update: Uncommon Extension Shim Database Installation Via Sdbinst.EXE - Add additional commandline flag that might trigger FPs
Removed / Deprecated Rules
- remove: Svchost DLL Search Order Hijack - Deprecated in favor of the rule 6b98b92b-4f00-4f62-b4fe-4d1920215771. The reason is that for legitimate cases where the DLL is still present we can't filter anything out. We assume that the loading is done by an invalid/unsigned DLL, which will catch most cases. In case the attacker has the option to sign the DLL with a valid signature, they can bypass the rule.
Fixed Rules
- fix: Enable LM Hash Storage - ProcCreation - Removed trailing slash from registry path
- fix: Potentially Suspicious EventLog Recon Activity Using Log Query Utilities - Fix typo in WMIC image name
- fix: Suspicious Greedy Compression Using Rar.EXE - Fix error in path selection
- fix: Suspicious Redirection to Local Admin Share - Add missing CommandLine field selection
- fix: System Information Discovery Via Wmic.EXE - Move to threat hunting and add additional filter to reduce noise coming from VMware Tools
Acknowledgement
Thanks to @ahouspan, @bohops, @danielgottt, @frack113, @joshnck, @jstnk9, @meiliumeiliu, @MrSeccubus, @nasbench, @Neo23x0, @phantinuss, @qasimqlf, @slincoln-aiq, @st0pp3r, @tr0mb1r, @Tuutaans, @X-Junior, @zestsg for their contributions to this release
Which Sigma rule package should I use?
A detailed explanation can be found in the Releases.md file. If you are new to Sigma, we recommend starting with the "Core" ruleset.
The latest release package on GitHub can always be found here.