New Rules
- new: .RDP File Created by Outlook Process
- new: Access To Browser Credential Files By Uncommon Applications - Security
- new: Command Executed Via Run Dialog Box - Registry
- new: DNS Request From Windows Script Host
- new: ETW Logging/Processing Option Disabled On IIS Server
- new: Group Policy Abuse for Privilege Addition
- new: HTTP Logging Disabled On IIS Server
- new: Network Connection Initiated To BTunnels Domains
- new: New Module Module Added To IIS Server
- new: Potential Python DLL SideLoading
- new: Potentially Suspicious Command Executed Via Run Dialog Box - Registry
- new: PowerShell Web Access Feature Enabled Via DISM
- new: PowerShell Web Access Installation - PsScript
- new: Previously Installed IIS Module Was Removed
- new: Process Deletion of Its Own Executable
- new: Remote Access Tool - MeshAgent Command Execution via MeshCentral
- new: Startup/Logon Script Added to Group Policy Object
Updated Rules
- update: .RDP File Created By Uncommon Application - Add "olk.exe" to cover the new version of Outlook
- update: .RDP File Created by Outlook Process - Add new paths for Outlook apps in Windows 11
- update: Alternate PowerShell Hosts Pipe - Add optional filter for "AzureConnectedMachineAgent" and update old filters to be more accurate
- update: Antivirus Hacktool Detection - Add additional hacktool signature names.
- update: Antivirus Password Dumper Detection - Add "DCSync" string to cover MS Defender traffic detections
- update: Antivirus Password Dumper Detection - Add additional password dumpers such as "DumpPert", "Lazagne", "pypykatz", etc.
- update: Antivirus Ransomware Detection - Add additional ransomware signature names.
- update: CodeIntegrity - Unmet Signing Level Requirements By File Under Validation - Add additional filters for third-party AV
- update: DNS Query To Remote Access Software Domain From Non-Browser App - Add "remoteassistance.support.services.microsoft.com", "tailscale.com", "twingate.com"
- update: Disable Windows Defender Functionalities Via Registry Keys - Remove the "\Real-Time Protection\" prefix to increase coverage.
- update: HackTool - Certipy Execution - Increase coverage by adding new flags such as 'cert', 'template' and 'ptt'
- update: LSASS Process Memory Dump Files - Add new dump patterns for RustiveDump and NativeDump, and exchange the "startswith" modifier for "contains" for better coverage
- update: Linux HackTool Execution - Remove "zenmap" and "nmap" as they are already covered by 3e102cd9-a70d-4a7a-9508-403963092f31
- update: Linux Network Service Scanning Tools Execution - Add "zenmap" utility
- update: Local System Accounts Discovery - Linux - Increase coverage by adding additional utilities such as "nano", "tail", "vim"
- update: Persistence and Execution at Scale via GPO Scheduled Task - Increase coverage by adding selection for EID 5136
- update: Potential CommandLine Obfuscation Using Unicode Characters - Add coverage for 0x00A0 (non-breaking space)
- update: Potential CommandLine Obfuscation Using Unicode Characters From Suspicious Image - Add coverage for 0x00A0 (non-breaking space)
- update: Potential Data Exfiltration Over SMTP Via Send-MailMessage Cmdlet - Add the "-Attachments" flag to the logic in order to reduce false positives.
- update: Potentially Suspicious JWT Token Search Via CLI - Add the "eyJhbGciOi" string, corresponding to {"alg": from the JWT token header.
- update: Process Terminated Via Taskkill - Add "/pid" flag and windash support
- update: Python Reverse Shell Execution Via PTY And Socket Modules - Add additional strings to increase accuracy and coverage.
- update: Python Spawning Pretty TTY Via PTY Module - Update the logic to account for the possibility of calling the spawn function via a variable, as an alias or other methods.
- update: Renamed Powershell Under Powershell Channel - Add new filter to cover the edge case where the "HostApplication" field is null
- update: Suspicious Non PowerShell WSMAN COM Provider - Add new filter to cover the edge case where the "HostApplication" field is null
- update: BITS Transfer Job Download From File Sharing Domains - Add "pixeldrain.com"
- update: COM Object Hijacking Via Modification Of Default System CLSID Default Value - Add "{F82B4EF1-93A9-4DDE-8015-F7950A1A6E31}"
- update: Network Communication Initiated To File Sharing Domains From Process Located In Suspicious Folder - Add "pixeldrain.com"
- update: New Connection Initiated To Potential Dead Drop Resolver Domain - Add "pixeldrain.com"
- update: Potentially Suspicious File Download From File Sharing Domain Via PowerShell.EXE - Add "pixeldrain.com"
- update: Suspicious File Download From File Sharing Domain Via Curl.EXE - Add "pixeldrain.com"
- update: Suspicious File Download From File Sharing Domain Via Wget.EXE - Add "pixeldrain.com"
- update: Suspicious File Download From File Sharing Websites - File Stream - Add "pixeldrain.com"
- update: Suspicious Windows Service Tampering - Add "WSearch"
- update: Unusual File Download From File Sharing Websites - File Stream - Add "pixeldrain.com"
Fixed Rules
- fix: Antivirus Relevant File Paths Alerts - Remove the path "\Client" as it is too generic for a detection rule.
- fix: Antivirus Web Shell Detection - Removed overlapping strings "ASP/Agent", "PHP/Agent", "JSP/Agent".
- fix: PwnKit Local Privilege Escalation - Fix typo with the word "suspicious"
- fix: UNC2452 Process Creation Patterns - Add the missing "all" modifier
Acknowledgement
Thanks to @ahmedfarou22, @bharat-arora-magnet, @BlackB0lt, @CheraghiMilad, @dan21san, @defensivedepth, @deFr0ggy, @djlukic, @frack113, @fukusuket, @ionsor, @jaegeral, @joshnck, @Koifman, @Mahir-Ali-khan, @MalGamy12, @MHaggis, @Milad Cheraghi, @nasbench, @Neo23x0, @ruppde, @secDre4mer, @swachchhanda000, @tsale, @wieso-itzi, @X-Junior for their contribution to this release
Which Sigma rule package should I use?
A detailed explanation can be found in the Releases.md file. If you are new to Sigma, we recommend starting with the "Core" ruleset.
The latest release package can always be found on the GitHub Releases page of the repository.