github SigmaHQ/sigma r2024-11-10
Release r2024-11-10

3 days ago

New Rules

  • new: .RDP File Created by Outlook Process
  • new: Access To Browser Credential Files By Uncommon Applications - Security
  • new: Command Executed Via Run Dialog Box - Registry
  • new: DNS Request From Windows Script Host
  • new: ETW Logging/Processing Option Disabled On IIS Server
  • new: Group Policy Abuse for Privilege Addition
  • new: HTTP Logging Disabled On IIS Server
  • new: Network Connection Initiated To BTunnels Domains
  • new: New Module Module Added To IIS Server
  • new: Potential Python DLL SideLoading
  • new: Potentially Suspicious Command Executed Via Run Dialog Box - Registry
  • new: PowerShell Web Access Feature Enabled Via DISM
  • new: PowerShell Web Access Installation - PsScript
  • new: Previously Installed IIS Module Was Removed
  • new: Process Deletion of Its Own Executable
  • new: Remote Access Tool - MeshAgent Command Execution via MeshCentral
  • new: Startup/Logon Script Added to Group Policy Object

Updated Rules

  • update: .RDP File Created By Uncommon Application - Add olk.exe to cover the new version of Outlook
  • update: .RDP File Created by Outlook Process - Add new paths for Outlook apps in Windows 11
  • update: Alternate PowerShell Hosts Pipe - Add optional filter for AzureConnectedMachineAgent and update old filters to be more accurate
  • update: Antivirus Hacktool Detection - Add additional hacktools signature names.
  • update: Antivirus Password Dumper Detection - Add DCSync string to cover MS Defender traffic detections
  • update: Antivirus Password Dumper Detection - Add additional password dumpers such as "DumpPert", "Lazagne", "pypykatz", etc.
  • update: Antivirus Ransomware Detection - Add additional ransomware signature names.
  • update: CodeIntegrity - Unmet Signing Level Requirements By File Under Validation - Add additional filters for third party AV
  • update: DNS Query To Remote Access Software Domain From Non-Browser App - Add remoteassistance.support.services.microsoft.com, tailscale.com, twingate.com
  • update: Disable Windows Defender Functionalities Via Registry Keys - Remove \Real-Time Protection\ prefix to increase coverage.
  • update: HackTool - Certipy Execution - Increase coverage by adding new flags such as 'cert', 'template' and 'ptt'
  • update: LSASS Process Memory Dump Files - Add new dump patterns for RustiveDump and NativeDump, and replace the "startswith" modifier with "contains" for better coverage
  • update: Linux HackTool Execution - Remove "zenmap" and "nmap" as they are already covered by 3e102cd9-a70d-4a7a-9508-403963092f31
  • update: Linux Network Service Scanning Tools Execution - Add "zenmap" utility
  • update: Local System Accounts Discovery - Linux - Increase coverage by adding additional utilities such as "nano", "tail", "vim"
  • update: Persistence and Execution at Scale via GPO Scheduled Task - Increase coverage by adding selection for EID 5136
  • update: Potential CommandLine Obfuscation Using Unicode Characters - Add coverage for 0x00A0
  • update: Potential CommandLine Obfuscation Using Unicode Characters From Suspicious Image - Add coverage for 0x00A0
  • update: Potential Data Exfiltration Over SMTP Via Send-MailMessage Cmdlet - Add the "-Attachments" flag to the logic in order to reduce false positives.
  • update: Potentially Suspicious JWT Token Search Via CLI - Add the "eyJhbGciOi" string, which is the Base64 encoding of {"alg": from the JWT token header.
  • update: Process Terminated Via Taskkill - Add /pid flag and windash support
  • update: Python Reverse Shell Execution Via PTY And Socket Modules - Add additional strings to increase accuracy and coverage.
  • update: Python Spawning Pretty TTY Via PTY Module - Update the logic to account for the possibility of calling the spawn function via a variable, as an alias or other methods.
  • update: Renamed Powershell Under Powershell Channel - Add new filter to cover the edge case where the HostApplication field is null
  • update: Suspicious Non PowerShell WSMAN COM Provider - Add new filter to cover the edge case where the HostApplication field is null
  • update: BITS Transfer Job Download From File Sharing Domains - Add pixeldrain.com
  • update: COM Object Hijacking Via Modification Of Default System CLSID Default Value - Add {F82B4EF1-93A9-4DDE-8015-F7950A1A6E31}
  • update: Network Communication Initiated To File Sharing Domains From Process Located In Suspicious Folder - Add pixeldrain.com
  • update: New Connection Initiated To Potential Dead Drop Resolver Domain - Add pixeldrain.com
  • update: Potentially Suspicious File Download From File Sharing Domain Via PowerShell.EXE - Add pixeldrain.com
  • update: Suspicious File Download From File Sharing Domain Via Curl.EXE - Add pixeldrain.com
  • update: Suspicious File Download From File Sharing Domain Via Wget.EXE - Add pixeldrain.com
  • update: Suspicious File Download From File Sharing Websites - File Stream - Add pixeldrain.com
  • update: Suspicious Windows Service Tampering - Add "WSearch"
  • update: Unusual File Download From File Sharing Websites - File Stream - Add pixeldrain.com

Fixed Rules

  • fix: Antivirus Relevant File Paths Alerts - Remove the path "\Client" as it is too generic for a detection rule.
  • fix: Antivirus Web Shell Detection - Removed overlapping strings "ASP/Agent", "PHP/Agent", "JSP/Agent".
  • fix: PwnKit Local Privilege Escalation - Fix typo with the word suspicious
  • fix: UNC2452 Process Creation Patterns - Add the missing all modifier

Acknowledgement

Thanks to @ahmedfarou22, @bharat-arora-magnet, @BlackB0lt, @CheraghiMilad, @dan21san, @defensivedepth, @deFr0ggy, @djlukic, @frack113, @fukusuket, @ionsor, @jaegeral, @joshnck, @Koifman, @Mahir-Ali-khan, @MalGamy12, @MHaggis, @Milad Cheraghi, @nasbench, @Neo23x0, @ruppde, @secDre4mer, @swachchhanda000, @tsale, @wieso-itzi, @X-Junior for their contribution to this release

Which Sigma rule package should I use?

A detailed explanation can be found in the Releases.md file. If you are new to Sigma, we recommend starting with the "Core" ruleset.

The latest release package on GitHub can always be found here.
