SigmaHQ/sigma Release r2024-03-11


New Rules

  • new: Active Directory Certificate Services Denied Certificate Enrollment Request
  • new: CrackMapExec File Indicators
  • new: Github Push Protection Bypass Detected
  • new: Github Push Protection Disabled
  • new: Github Secret Scanning Feature Disabled
  • new: No Suitable Encryption Key Found For Generating Kerberos Ticket
  • new: OpenCanary - FTP Login Attempt
  • new: OpenCanary - GIT Clone Request
  • new: OpenCanary - HTTP GET Request
  • new: OpenCanary - HTTP POST Login Attempt
  • new: OpenCanary - HTTPPROXY Login Attempt
  • new: OpenCanary - MSSQL Login Attempt Via SQLAuth
  • new: OpenCanary - MSSQL Login Attempt Via Windows Authentication
  • new: OpenCanary - MySQL Login Attempt
  • new: OpenCanary - NTP Monlist Request
  • new: OpenCanary - REDIS Action Command Attempt
  • new: OpenCanary - SIP Request
  • new: OpenCanary - SMB File Open Request
  • new: OpenCanary - SNMP OID Request
  • new: OpenCanary - SSH Login Attempt
  • new: OpenCanary - SSH New Connection Attempt
  • new: OpenCanary - TFTP Request
  • new: OpenCanary - Telnet Login Attempt
  • new: OpenCanary - VNC Connection Attempt
  • new: Potential Raspberry Robin CPL Execution Activity
  • new: Potential SentinelOne Shell Context Menu Scan Command Tampering
  • new: Renamed NirCmd.EXE Execution
  • new: Shell Context Menu Command Tampering

Updated Rules

  • update: File Enumeration Via Dir Command - Update the logic to additionally use a wildcard, for better accuracy.
  • update: Potential PowerShell Execution Via DLL - Add regsvr32 to increase coverage.
  • update: Remote Access Tool - ScreenConnect Potential Suspicious Remote Command Execution - Add more potential child processes seen in the wild.
  • update: Unsigned DLL Loaded by Windows Utility - Add InstallUtil, RegAsm and RegSvcs as additional processes, and add "null" and "empty" filters to cover events where the field is unavailable.
  • update: Wlrmdr.EXE Uncommon Argument Or Child Process - Update metadata, add new filters and use the windash modifier.
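The Wlrmdr.EXE update above switches the rule to the windash modifier. The following is an added example, not SigmaHQ code or the rule itself, showing what that modifier buys a detection: a `contains|windash` pattern written with `-` is expanded so the same rule also matches the `/` spelling that Windows tools accept, which a plain `contains` would miss. The Sigma specification defines windash as permuting the `-` and `/` prefixes; this example implements only that pair (the `DASH_VARIANTS` tuple can be extended, and newer versions of the modifier also handle Unicode dash look-alikes, but that is outside what is shown here). The expansion only touches dashes that start a token, and the command lines in the block are constructed samples, not real telemetry.

```python
"""Added example (not SigmaHQ code): expansion performed by the Sigma
`windash` modifier, applied to a few constructed CommandLine values."""
import itertools
import re

# Prefix characters the modifier permutes. The specification names '-' and '/';
# extend this tuple if your backend also expands Unicode dash look-alikes.
DASH_VARIANTS = ("-", "/")

# A dash that begins a token: at start of string or right after whitespace.
# Mid-token dashes (e.g. "foo-bar") are left alone, as they are not prefixes.
_PREFIX_DASH = re.compile(r"(?:(?<=\s)|^)-")


def windash_variants(pattern: str) -> list[str]:
    """Return every permutation of `pattern` in which each token-leading '-'
    is replaced by one of DASH_VARIANTS. A pattern with no such dash is
    returned unchanged as a single-element list."""
    positions = [m.start() for m in _PREFIX_DASH.finditer(pattern)]
    if not positions:
        return [pattern]
    variants = []
    for combo in itertools.product(DASH_VARIANTS, repeat=len(positions)):
        chars = list(pattern)
        for pos, dash in zip(positions, combo):
            chars[pos] = dash
        variants.append("".join(chars))
    return variants


def contains_windash(command_line: str, pattern: str) -> bool:
    """`CommandLine|contains|windash: <pattern>` semantics for one event:
    case-insensitive substring match against any expanded variant."""
    haystack = command_line.lower()
    return any(v.lower() in haystack for v in windash_variants(pattern))


def contains_plain(command_line: str, pattern: str) -> bool:
    """`CommandLine|contains: <pattern>` without windash, for comparison."""
    return pattern.lower() in command_line.lower()


# Constructed sample events (hypothetical tool and arguments, not real logs).
SAMPLE_COMMAND_LINES = [
    r"C:\Windows\System32\tool.exe -s 60 -f 2",
    r"C:\Windows\System32\tool.exe /S 60 /f 2",
    r"C:\Windows\System32\tool.exe /s 60 -f 2",
    r"C:\Windows\System32\tool.exe -x",
]


def matches(pattern: str, use_windash: bool) -> list[str]:
    """Return the sample command lines matched by `pattern` with or without windash."""
    check = contains_windash if use_windash else contains_plain
    return [cl for cl in SAMPLE_COMMAND_LINES if check(cl, pattern)]


if __name__ == "__main__":
    pattern = "-s 60"
    print("variants:", windash_variants(pattern))
    print("plain contains matched  :", len(matches(pattern, use_windash=False)))
    print("contains|windash matched:", len(matches(pattern, use_windash=True)))
```

Running the block shows the plain `contains` matching only the first sample, while the windash form also catches the `/S 60` and `/s 60` spellings; that difference is why the update replaces hand-written `-`/`/` alternatives with the modifier.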

Removed / Deprecated Rules

  • remove: CrackMapExec File Creation Patterns
  • remove: Suspicious Epmap Connection

Fixed Rules

  • fix: Dbghelp/Dbgcore DLL Loaded By Uncommon/Suspicious Process - Add multiple new FP filters seen in the wild.
  • fix: Potential Credential Dumping Activity Via LSASS - Remove a legitimate access mask.
  • fix: Potential System DLL Sideloading From Non System Locations - Add multiple new FP filters seen in the wild.
  • fix: Remote Thread Creation In Uncommon Target Image - Add an optional filter for the Xerox Print Job Event Manager Service calling spoolsrv.
  • fix: Uncommon Assistive Technology Applications Execution Via AtBroker.EXE - Add more built-in ATs to the list.

Acknowledgement

Thanks to @benmontour, @CrimpSec, @defensivedepth, @faisalusuf, @frack113, @nasbench, @qasimqlf, @secDre4mer, @snajafov, @swachchhanda000, @tr0mb1r, @X-Junior for their contributions to this release.

Which Sigma rule package should I use?

A detailed explanation can be found in the Releases.md file. If you are new to Sigma, we recommend starting with the "Core" ruleset.

The latest release package on GitHub can always be found here.
