New Rules
- new: Access To Chromium Browsers Sensitive Files By Uncommon Applications
- new: Access To Crypto Currency Wallets By Uncommon Applications
- new: Antivirus Filter Driver Disallowed On Dev Drive - Registry
- new: Capsh Shell Invocation - Linux
- new: ChromeLoader Malware Execution
- new: Clipboard Data Collection Via Pbpaste
- new: Data Export From MSSQL Table Via BCP.EXE
- new: Disk Image Creation Via Hdiutil - MacOS
- new: Disk Image Mounting Via Hdiutil - MacOS
- new: DNS Query To Put.io - DNS Client
- new: Driver Added To Disallowed Images In HVCI - Registry
- new: Emotet Loader Execution Via .LNK File
- new: Exploitation Attempt Of CVE-2020-1472 - Execution of ZeroLogon PoC
- new: FakeUpdates/SocGholish Activity
- new: File Explorer Folder Opened Using Explorer Folder Shortcut Via Shell
- new: Github Fork Private Repositories Setting Enabled/Cleared
- new: Github Repository/Organization Transferred
- new: Github SSH Certificate Configuration Changed
- new: HackTool - SharpWSUS/WSUSpendu Execution
- new: HackTool - SOAPHound Execution
- new: Headless Process Launched Via Conhost.EXE
- new: Hidden Flag Set On File/Directory Via Chflags - MacOS
- new: Hiding User Account Via SpecialAccounts Registry Key - CommandLine
- new: Injected Browser Process Spawning Rundll32 - GuLoader Activity
- new: Inline Python Execution - Spawn Shell Via OS System Library
- new: Kerberoasting Activity - Initial Query
- new: Manual Execution of Script Inside of a Compressed File
- new: Microsoft Teams Sensitive File Access By Uncommon Application
- new: Multi Factor Authentication Disabled For User Account
- new: Obfuscated PowerShell OneLiner Execution
- new: OneNote.EXE Execution of Malicious Embedded Scripts
- new: Potential APT FIN7 Exploitation Activity
- new: Potential BOINC Software Execution (UC-Berkeley Signature)
- new: Potential CommandLine Obfuscation Using Unicode Characters From Suspicious Image - A detection replacement for `e0552b19-5a83-4222-b141-b36184bb8d79`
- new: Potential CSharp Streamer RAT Loading .NET Executable Image
- new: Potential CVE-2021-44228 Exploitation Attempt - VMware Horizon
- new: Potential CVE-2022-22954 Exploitation Attempt - VMware Workspace ONE Access Remote Code Execution
- new: Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 1
- new: Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 2
- new: Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 3
- new: Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 4
- new: Potential Exploitation of CVE-2024-37085 - Suspicious Creation Of ESX Admins Group
- new: Potential Exploitation of CVE-2024-37085 - Suspicious ESX Admins Group Activity
- new: Potential File Override/Append Via SET Command
- new: Potential MOVEit Transfer CVE-2023-34362 Exploitation - Dynamic Compilation Via Csc.EXE
- new: Potential Raspberry Robin Aclui Dll SideLoading
- new: Potential Raspberry Robin Registry Set Internet Settings ZoneMap
- new: Potentially Suspicious Rundll32.EXE Execution of UDL File
- new: Powershell Executed From Headless ConHost Process
- new: Process Launched Without Image Name
- new: Python Function Execution Security Warning Disabled In Excel
- new: Python Function Execution Security Warning Disabled In Excel - Registry
- new: Raspberry Robin Initial Execution From External Drive
- new: Raspberry Robin Subsequent Execution of Commands
- new: Remote Access Tool - Action1 Arbitrary Code Execution and Remote Sessions
- new: Remote Access Tool - Ammy Admin Agent Execution
- new: Remote Access Tool - AnyDesk Incoming Connection
- new: Remote Access Tool - Cmd.EXE Execution via AnyViewer
- new: Renamed BOINC Client Execution
- new: Serpent Backdoor Payload Execution Via Scheduled Task
- new: Shell Execution GCC - Linux
- new: Shell Execution via Find - Linux
- new: Shell Execution via Flock - Linux
- new: Shell Execution via Git - Linux
- new: Shell Execution via Nice - Linux
- new: Shell Execution via Rsync - Linux
- new: Shell Invocation via Env Command - Linux
- new: Shell Invocation Via Ssh - Linux
- new: Suspicious Invocation of Shell via AWK - Linux
- new: Suspicious Process Masquerading As SvcHost.EXE
- new: Task Scheduler DLL Loaded By Application Located In Potentially Suspicious Location
- new: Unattend.XML File Access Attempt
- new: Uncommon Connection to Active Directory Web Services
- new: Ursnif Redirection Of Discovery Commands
- new: User Risk and MFA Registration Policy Updated
Updated Rules
- update: Access To .Reg/.Hive Files By Uncommon Applications - Update filters and move to threat hunting folder
- update: Access To Browser Credential Files By Uncommon Applications - Update filters and move to threat hunting folder
- update: Access To Windows Credential History File By Uncommon Applications - Update filters
- update: Access To Windows DPAPI Master Keys By Uncommon Applications - Update filters
- update: Access To Windows Outlook Mail Files By Uncommon Applications - Update filters and move to threat hunting folder
- update: Antivirus Exploitation Framework Detection - Add additional keywords and strings to enhance coverage
- update: Antivirus Hacktool Detection - Add additional keywords and strings to enhance coverage
- update: Antivirus Password Dumper Detection - Add additional keywords and strings to enhance coverage
- update: Antivirus Ransomware Detection - Add additional keywords and strings to enhance coverage
- update: Antivirus Relevant File Paths Alerts - Add additional keywords and strings to enhance coverage
- update: Antivirus Web Shell Detection - Add additional keywords and strings to enhance coverage
- update: BITS Transfer Job Download From File Sharing Domains - Add additional domains `*.trycloudflare.com`, `*.pages.dev`, `*.w3spaces.com` and `*.workers.dev`
- update: Cab File Extraction Via Wusa.EXE - Move to TH folder
- update: COM Object Execution via Xwizard.EXE - Update logic
- update: Credential Manager Access By Uncommon Applications - Update filters
- update: Disable Important Scheduled Task - Add `\Windows\ExploitGuard\ExploitGuard MDM policy Refresh`
- update: Github High Risk Configuration Disabled - Add `business_advanced_security.disabled`, `business_advanced_security.disabled_for_new_repos`, `business_advanced_security.disabled_for_new_user_namespace_repos`, `business_advanced_security.user_namespace_repos_disabled`, `org.advanced_security_disabled_for_new_repos` and `org.advanced_security_disabled_on_all_repos`
- update: Github Secret Scanning Feature Disabled - Add `secret_scanning_new_repos.disable`
- update: Network Communication Initiated To File Sharing Domains From Process Located In Suspicious Folder - Add additional domains `*.trycloudflare.com`, `*.pages.dev`, `*.w3spaces.com` and `*.workers.dev`
- update: Network Connection Initiated From Process Located In Potentially Suspicious Or Uncommon Location - Add additional domains `*.trycloudflare.com`, `*.pages.dev`, `*.w3spaces.com` and `*.workers.dev`
- update: New Connection Initiated To Potential Dead Drop Resolver Domain - Add additional domains `*.trycloudflare.com`, `*.pages.dev`, `*.w3spaces.com` and `*.workers.dev`
- update: Potential Active Directory Reconnaissance/Enumeration Via LDAP - add enumeration of distinguished names
- update: Potential CommandLine Obfuscation Using Unicode Characters - Moved to "threat-hunting" due to the nature of the FPs
- update: Potential CVE-2022-29072 Exploitation Attempt - Add additional shells and flags
- update: Potential DLL Injection Via AccCheckConsole - Enhance coverage and logic
- update: Potential DLL Sideloading Activity Via ExtExport.EXE - Metadata and logic update
- update: Potential Persistence Via Outlook Home Page - Update the logic to account for additional sub keys.
- update: Potential Persistence Via Outlook Today Page - Update the logic to account for the "URL" value.
- update: Potential Remote WMI ActiveScriptEventConsumers Activity - Moved to "threat-hunting" as it's meant as an enrichment rule.
- update: Potentially Suspicious EventLog Recon Activity Using Log Query Utilities - Increase coverage
- update: Potentially Suspicious File Download From File Sharing Domain Via PowerShell.EXE - Add additional domains `*.trycloudflare.com`, `*.pages.dev`, `*.w3spaces.com` and `*.workers.dev`
- update: Powershell Token Obfuscation - Powershell - Optimized the regex used
- update: Powershell Token Obfuscation - Process Creation - Optimized the regex used
- update: Process Memory Dump via RdrLeakDiag.EXE - Enhance coverage
- update: Relevant Anti-Virus Signature Keywords In Application Log - Add additional keywords and strings to enhance coverage
- update: Suspicious Download From File-Sharing Website Via Bitsadmin - Add additional domains `*.trycloudflare.com`, `*.pages.dev`, `*.w3spaces.com` and `*.workers.dev`
- update: Suspicious File Download From File Sharing Domain Via Curl.EXE - Add additional domains `*.trycloudflare.com`, `*.pages.dev`, `*.w3spaces.com` and `*.workers.dev`
- update: Suspicious File Download From File Sharing Domain Via Wget.EXE - Add additional domains `*.trycloudflare.com`, `*.pages.dev`, `*.w3spaces.com` and `*.workers.dev`
- update: Suspicious File Download From File Sharing Websites - File Stream - Add additional domains `*.trycloudflare.com`, `*.pages.dev`, `*.w3spaces.com` and `*.workers.dev`
- update: Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE - Add additional domains `*.trycloudflare.com`, `*.pages.dev`, `*.w3spaces.com` and `*.workers.dev`
- update: Suspicious Remote AppX Package Locations - Add additional domains `*.trycloudflare.com`, `*.pages.dev`, `*.w3spaces.com` and `*.workers.dev`
- update: Suspicious Windows Service Tampering - Add additional services and PsService.EXE
- update: Unusual File Download From File Sharing Websites - File Stream - Add additional domains `*.trycloudflare.com`, `*.pages.dev`, `*.w3spaces.com` and `*.workers.dev`
Removed / Deprecated Rules
- remove: OMIGOD SCX RunAsProvider ExecuteShellCommand - Auditd - Moved to "unsupported" folder due to the need for correlation.
- remove: Potential Persistence Via COM Search Order Hijacking - Moved to "deprecated" in favour of `790317c0-0a36-4a6a-a105-6e576bf99a14`.
- remove: Suspicious File Event With Teams Objects
- remove: Suspicious Unattend.xml File Access
Fixed Rules
- fix: A Rule Has Been Deleted From The Windows Firewall Exception List - Exclude WinSxS
- fix: Access To Potentially Sensitive Sysvol Files By Uncommon Applications - Fix error in filter modifier
- fix: AgentExecutor PowerShell Execution - Exclude `Microsoft.Management.Services.IntuneWindowsAgent.exe`
- fix: Anydesk Temporary Artefact - Remove unnecessary logic from the detection section.
- fix: Bad Opsec Defaults Sacrificial Processes With Improper Arguments - Exclude additional edge cases
- fix: CodeIntegrity - Unmet Signing Level Requirements By File Under Validation - Exclude "amsiprovider_x64"
- fix: HackTool - LaZagne Execution - Fix incorrect logsource
- fix: NTLM Logon - Remove unnecessary field
- fix: Persistence and Execution at Scale via GPO Scheduled Task - Fixed field name from `Accesses` to `AccessList`
- fix: Potential Commandline Obfuscation Using Unicode Characters - Remove legitimate currency characters as they could be used in document names
- fix: Potential DLL Sideloading Of DbgModel.DLL - Exclude Dell Support Assistant
- fix: Potential DLL Sideloading Of DbgModel.DLL - Update selection name to match the condition
- fix: Potential Privilege Escalation via Local Kerberos Relay over LDAP - Add new exclusion
- fix: Powershell Token Obfuscation - Powershell - Changed to not use Lookahead regex
- fix: Powershell Token Obfuscation - Process Creation - Changed to not use Lookahead regex
- fix: Relevant Anti-Virus Signature Keywords In Application Log - Exclude common keywords found in legitimate programs
- fix: Remote Service Activity via SVCCTL Named Pipe - Fixed field name from `Accesses` to `AccessList`
- fix: Remote Task Creation via ATSVC Named Pipe - Fixed field name from `Accesses` to `AccessList`
- fix: Sdiagnhost Calling Suspicious Child Process - Add new filters
- fix: Startup Item File Created - MacOS - Fix broken logic and update metadata information
- fix: Suspicious AgentExecutor PowerShell Execution - Exclude `Microsoft.Management.Services.IntuneWindowsAgent.exe`
- fix: Suspicious Child Process Of Wermgr.EXE - Add new exclusions
- fix: Suspicious SYSTEM User Process Creation - Update `ping` filter to account for other FP variants found in the wild.
- fix: System Network Discovery - macOS - Add additional filter for `wifivelocityd`
- fix: Uncommon AppX Package Locations - Exclude additional MS cdn domain
- fix: Uncommon New Firewall Rule Added In Windows Firewall Exception List - Enhance filters and exclude empty path
- fix: Uncommon Sigverif.EXE Child Process - Exclude werfault.exe
- fix: Userdomain Variable Enumeration - Add missing `expand` modifier
- fix: Wusa.EXE Executed By Parent Process Located In Suspicious Location - Exclude ".msu" files
- fix: Xwizard.EXE Execution From Non-Default Location - Exclude "WinSxS"
Acknowledgement
Thanks to @Alex-Walston, @cyb3rjy0t, @dan21san, @dbertho, @DefenderDaniel, @djlukic, @fornotes, @frack113, @fukusuket, @GtUGtHGtNDtEUaE, @joshnck, @LucaInfoSec, @Mahir-Ali-khan, @MATTANDERS0N, @Murphy0801, @nasbench, @Neo23x0, @omaramin17, @peterydzynski, @romain-gaillard, @secDre4mer, @swachchhanda000, @tsale, @X-Junior, @YamatoSecurity for their contribution to this release
Which Sigma rule package should I use?
A detailed explanation can be found in the Releases.md file. If you are new to Sigma, we recommend starting with the "Core" ruleset.
The latest release package on GitHub can always be found here.