New Rules
- new: Cisco Duo Successful MFA Authentication Via Bypass Code
- new: Forest Blizzard APT - Custom Protocol Handler Creation
- new: Forest Blizzard APT - Custom Protocol Handler DLL Registry Set
- new: Forest Blizzard APT - File Creation Activity
- new: Forest Blizzard APT - JavaScript Constrained File Creation
- new: Forest Blizzard APT - Process Creation Activity
- new: Network Connection Initiated By RegAsm.EXE
- new: Outbound Network Connection Initiated By Microsoft Dialer
- new: PUA - SoftPerfect Netscan Execution
- new: Pnscan Binary Data Transmission Activity
- new: Potential CVE-2024-3400 Exploitation - Palo Alto GlobalProtect OS Command Injection
- new: Potential CVE-2024-3400 Exploitation - Palo Alto GlobalProtect OS Command Injection - File Creation
- new: Potential Exploitation of CVE-2024-3094 - Suspicious SSH Child Process
- new: Potential KeyScrambler.exe DLL Side-loading
- new: Python Path Configuration File Creation - Linux
- new: Python Path Configuration File Creation - Macos
- new: Python Path Configuration File Creation - Windows
Updated Rules
- update: AWS User Login Profile Was Modified - Use fieldref instead of contains modifier
- update: Arbitrary DLL or Csproj Code Execution Via Dotnet.EXE - Update logic to add additional variation of the extensions
- update: Arbitrary File Download Via ConfigSecurityPolicy.EXE - Update description
- update: C# IL Code Compilation Via Ilasm.EXE - Add flags to increase the rule's accuracy instead of matching on "any" execution
- update: COM Object Execution via Xwizard.EXE - Update logic
- update: Gatekeeper Bypass via Xattr - Update command line flag
- update: HackTool - CoercedPotato Execution - Update Hashes field to use contains modifier
- update: HackTool - HandleKatz LSASS Dumper Execution - Update Hashes field to use contains modifier
- update: HackTool - SysmonEOP Execution - Update Hashes field to use contains modifier
- update: Invoke-Obfuscation CLIP+ Launcher - PowerShell - Remove unnecessary starting wildcard
- update: Invoke-Obfuscation CLIP+ Launcher - PowerShell Module - Remove unnecessary starting wildcard
- update: Invoke-Obfuscation STDIN+ Launcher - PowerShell Module - Remove unnecessary starting wildcard
- update: Invoke-Obfuscation STDIN+ Launcher - Powershell - Remove unnecessary starting wildcard
- update: Invoke-Obfuscation STDIN+ Launcher - Update rule to use regex for better accuracy in CLI
- update: Invoke-Obfuscation VAR+ Launcher - PowerShell - Remove unnecessary starting wildcard
- update: Invoke-Obfuscation VAR+ Launcher - PowerShell Module - Remove unnecessary starting wildcard
- update: Invoke-Obfuscation VAR+ Launcher - Update rule to use regex for better accuracy in CLI
- update: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell - Remove unnecessary starting wildcard
- update: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell Module - Remove unnecessary starting wildcard
- update: Invoke-Obfuscation Via Stdin - PowerShell Module - Remove unnecessary starting wildcard
- update: Invoke-Obfuscation Via Stdin - Powershell - Remove unnecessary starting wildcard
- update: Invoke-Obfuscation Via Stdin - Update rule to use regex for better accuracy in CLI
- update: Invoke-Obfuscation Via Use Clip - PowerShell Module - Remove unnecessary starting wildcard
- update: Invoke-Obfuscation Via Use Clip - Powershell - Remove unnecessary starting wildcard
- update: Invoke-Obfuscation Via Use Clip - Update rule to use regex for better accuracy in CLI
- update: JScript Compiler Execution - Update metadata
- update: Linux Command History Tampering - Increase coverage to include other history files
- update: ManageEngine Endpoint Central Dctask64.EXE Potential Abuse - Update logic to account for flags and increase accuracy
- update: Potential Application Whitelisting Bypass via Dnx.EXE - Update description
- update: Potential Arbitrary Command Execution Via FTP.EXE - Use "windash" modifier and update description
- update: Potential Arbitrary File Download Via Cmdl32.EXE - Remove unnecessary spaces to account for flags being at the end
- update: Renamed ZOHO Dctask64 Execution - Add additional imphash values
- update: Suspicious Volume Shadow Copy VSS_PS.dll Load - Regularly loaded by wsmprovhost.exe
- update: Windows Kernel Debugger Execution - Reduce level to "medium"
- update: Xwizard.EXE Execution From Non-Default Location - Update description
Fixed Rules
- fix: ADS Zone.Identifier Deleted By Uncommon Application - Filter out "chrome" and "firefox" processes
- fix: Dynamic .NET Compilation Via Csc.EXE - Filter false positive with Chocolatey
- fix: File And SubFolder Enumeration Via Dir Command - Fix false positive with Firefox and similar CLI apps
- fix: Invoke-Obfuscation Via Stdin - Explicitly escape "{" to make clear that it is a literal
- fix: Rundll32 Execution With Uncommon DLL Extension - Add optional filter for MS Edge update
- fix: Windows Binaries Write Suspicious Extensions - Add new filter for when "bat" or "powershell" scripts are written via GPO to run at startup
- fix: Windows Binaries Write Suspicious Extensions - Filter PS1 policy check for AppLocker mode
- fix: Windows Binaries Write Suspicious Extensions - Fix selection
Acknowledgement
Thanks to @CertainlyP, @dan21san, @frack113, @fukusuket, @jamesc-grafana, @nasbench, @Neo23x0, @netgrain, @nikitah4x, @phantinuss, @PiRomant, @pratinavchandra, @ruppde, @signalblur, @swachchhanda000, @TheLawsOfChaos, @thomaspatzke, @X-Junior, @ya0guang for their contributions to this release.
Which Sigma rule package should I use?
A detailed explanation can be found in the Releases.md file. If you are new to Sigma, we recommend starting with the "Core" ruleset.
The latest release package on GitHub can always be found here.