SigmaHQ/sigma r2024-03-26

Release r2024-03-26

on GitHub

New Rules

• new: CVE-2024-1212 Exploitation - Progress Kemp LoadMaster Unauthenticated Command Injection
• new: Certificate-Based Authentication Enabled
• new: Container With A hostPath Mount Created
• new: Creation Of Pod In System Namespace
• new: Deployment Deleted From Kubernetes Cluster
• new: Kubernetes Events Deleted
• new: Kubernetes Secrets Enumeration
• new: MaxMpxCt Registry Value Changed
• new: New Kubernetes Service Account Created
• new: New Root Certificate Authority Added
• new: Potential KamiKakaBot Activity - Lure Document Execution
• new: Potential KamiKakaBot Activity - Shutdown Schedule Task Creation
• new: Potential KamiKakaBot Activity - Winlogon Shell Persistence
• new: Potential Remote Command Execution In Pod Container
• new: Potential Sidecar Injection Into Running Deployment
• new: Privileged Container Deployed
• new: RBAC Permission Enumeration Attempt
• new: Remote Access Tool - Team Viewer Session Started On Linux Host
• new: Remote Access Tool - Team Viewer Session Started On MacOS Host
• new: Remote Access Tool - Team Viewer Session Started On Windows Host
• new: Service Binary in User Controlled Folder

Updated Rules

• update: Add Port Monitor Persistence in Registry - Update logic to avoid hardcoded HKLM values
• update: CVE-2020-1048 Exploitation Attempt - Suspicious New Printer Ports - Registry - Add more entries to increase coverage and update metadata information
• update: Capture Credentials with Rpcping.exe - Update rule to use the windash modifier
• update: Change Winevt Channel Access Permission Via Registry - Update logic to avoid hardcoded HKLM values
• update: Changing Existing Service ImagePath Value Via Reg.EXE - Update rule to use the windash modifier
• update: Communication To Uncommon Destination Ports - Add link-local address range
• update: Default RDP Port Changed to Non Standard Port - Update logic to avoid hardcoded HKLM values
• update: Dfsvc.EXE Network Connection To Non-Local IPs - Update rule to use cidr modifier
• update: Disable Administrative Share Creation at Startup - Update logic to avoid hardcoded HKLM values
• update: Disable Microsoft Defender Firewall via Registry - Update logic to avoid hardcoded HKLM values
• update: Disable Windows Event Logging Via Registry - Update logic to avoid hardcoded HKLM values
• update: Diskshadow Script Mode Execution - Update rule to use the windash modifier
• update: Displaying Hidden Files Feature Disabled - Update logic to avoid hardcoded HKLM values
• update: DllUnregisterServer Function Call Via Msiexec.EXE - Update rule to use the windash modifier
• update: Exports Critical Registry Keys To a File - Update rule to use the windash modifier
• update: Exports Registry Key To a File - Update rule to use the windash modifier
• update: FlowCloud Registry Marker - Update logic to avoid hardcoded HKLM values
• update: IIS Native-Code Module Command Line Installation - Update rule to use the windash modifier
• update: Imports Registry Key From a File - Update rule to use the windash modifier
• update: Imports Registry Key From an ADS - Update rule to use the windash modifier
• update: Kernel Memory Dump Via LiveKD - Update rule to use the windash modifier
• update: Loaded Module Enumeration Via Tasklist.EXE - Update rule to use the windash modifier
• update: Microsoft Sync Center Suspicious Network Connections - Add link-local address range
• update: Msiexec Quiet Installation - Update rule to use the windash modifier
• update: Network Connection Initiated By PowerShell Process - Update rule to use cidr modifier
• update: New PortProxy Registry Entry Added - Update logic to avoid hardcoded HKLM values
• update: Office Application Initiated Network Connection To Non-Local IP - Update rule to use cidr modifier
• update: Outbound Network Connection To Public IP Via Winlogon - Add link-local address range
• update: Potential Arbitrary Command Execution Using Msdt.EXE - Update rule to use the windash modifier
• update: Potential CVE-2023-23397 Exploitation Attempt - SMB - Update rule to use cidr modifier
• update: Potential CobaltStrike Service Installations - Registry - Update logic to avoid hardcoded HKLM values
• update: Potential Execution of Sysinternals Tools - Update rule to use the windash modifier
• update: Potential LSASS Process Dump Via Procdump - Update rule to use the windash modifier
• update: Potential Regsvr32 Commandline Flag Anomaly - Update rule to use the windash modifier
• update: Potentially Suspicious CMD Shell Output Redirect - Enhance logic
• update: Potentially Suspicious Malware Callback Communication - Add link-local address range
• update: Potentially Suspicious Wuauclt Network Connection - Update rule to use cidr modifier
• update: Publicly Accessible RDP Service - Add link-local address range
• update: RDP Over Reverse SSH Tunnel - Update rule to use cidr modifier
• update: Register New IFiltre For Persistence - Update logic to avoid hardcoded HKLM values
• update: Registry Persistence via Service in Safe Mode - Update logic to avoid hardcoded HKLM values
• update: Replace.exe Usage - Update rule to use the windash modifier
• update: Run Once Task Configuration in Registry - Update logic to avoid hardcoded HKLM values
• update: Rundll32 Internet Connection - Add link-local address range
• update: Script Initiated Connection to Non-Local Network - Update rule to use cidr modifier
• update: Search-ms and WebDAV Suspicious Indicators in URL - Add link-local address range
• update: Security Support Provider (SSP) Added to LSA Configuration - Update logic to avoid hardcoded HKLM values
• update: ServiceDll Hijack - Update logic to avoid hardcoded HKLM values
• update: Suspicious Cabinet File Execution Via Msdt.EXE - Update rule to use the windash modifier
• update: Suspicious Command Patterns In Scheduled Task Creation - Enhance logic
• update: Suspicious DNS Query for IP Lookup Service APIs - Add new domains
• update: Suspicious DNS Query for IP Lookup Service APIs - Fix ip.cn
• update: Suspicious Msiexec Execute Arbitrary DLL - Update rule to use the windash modifier
• update: Suspicious Msiexec Quiet Install From Remote Location - Update rule to use the windash modifier
• update: Suspicious Network Connection to IP Lookup Service APIs - Add new domains
• update: Suspicious Network Connection to IP Lookup Service APIs - Fix ip.cn
• update: Suspicious Response File Execution Via Odbcconf.EXE - Update rule to use the windash modifier
• update: Sysmon Configuration Update - Update rule to use the windash modifier
• update: Sysmon Driver Altitude Change - Update logic to avoid hardcoded HKLM values
• update: Uncommon Outbound Kerberos Connection - Security - Update filter to include device type paths and reduce the level to "medium"
• update: Uncommon Outbound Kerberos Connection - Update filters to include tomcat and reduce the level to "medium"
• update: Uninstall Sysinternals Sysmon - Update rule to use the windash modifier
• update: WebDav Put Request - Update rule to use cidr modifier
• update: Windows Defender Service Disabled - Registry - Update logic to avoid hardcoded HKLM values

Removed / Deprecated Rules

• remove: Adwind RAT / JRAT - Registry
• remove: Service Binary in Uncommon Folder

Fixed Rules

• fix: EVTX Created In Uncommon Location - Reduce level and remove filters
• fix: Files With System Process Name In Unsuspected Locations - Add additional paths
• fix: Microsoft VBA For Outlook Addin Loaded Via Outlook - Fix incorrect use of "modifier"
• fix: New RUN Key Pointing to Suspicious Folder
• fix: New TimeProviders Registered With Uncommon DLL Name - Add new legitimate entry to avoid FPs

Acknowledgement

Thanks to @cyb3rjy0t, @frack113, @joshnck, @LAripping , @nasbench, @phantinuss, @security-companion, @xiangchen96, @X-Junior for their contribution to this release

Which Sigma rule package should I use?

A detailed explanation can be found in the Releases.md file. If you are new to Sigma, we recommend starting with the "Core" ruleset.

The latest release package on GitHub can always be found here.