SigmaHQ/sigma r2024-05-13 on GitHub

new: Access To Windows Outlook Mail Files By Uncommon Application
new: All Backups Deleted Via Wbadmin.EXE
new: File Recovery From Backup Via Wbadmin.EXE
new: Launch Agent/Daemon Execution Via Launchctl
new: New Firewall Rule Added In Windows Firewall Exception List Via WmiPrvSE.EXE
new: New RDP Connection Initiated From Domain Controller
new: New Windows Firewall Rule Added Via New-NetFirewallRule Cmdlet
new: New Windows Firewall Rule Added Via New-NetFirewallRule Cmdlet - ScriptBlock
new: Potential Packet Capture Activity Via Start-NetEventSession - ScriptBlock
new: Potentially Suspicious Child Process Of KeyScrambler.exe
new: Potentially Suspicious Malware Callback Communication - Linux
new: Sensitive File Dump Via Wbadmin.EXE
new: Sensitive File Recovery From Backup Via Wbadmin.EXE
new: Suspicious External WebDAV Execution
new: UAC Notification Disabled
new: UAC Secure Desktop Prompt Disabled

update: New Firewall Rule Added In Windows Firewall Exception List For Potential Suspicious Application - Add new EID and paths
update: Potentially Suspicious Execution Of PDQDeployRunner - Add additional processes to the list
update: Scheduled Task Creation From Potential Suspicious Parent Location - Add additional "temporary folder" locations.
update: UAC Disabled - update metadata
update: Uncommon New Firewall Rule Added In Windows Firewall Exception List - Add new EID and paths
update: Use Icacls to Hide File to Everyone - Remove "C:\Users" to increase coverage
update: Windows Backup Deleted Via Wbadmin.EXE - Enhance logic and increase coverage

A detailed explanation can be found in the Releases.md file. If you are new to Sigma, we recommend starting with the "Core" ruleset.

SigmaHQ/sigma r2024-05-13 Release r2024-05-13 on GitHub