github SigmaHQ/sigma r2025-02-03
Release r2025-02-03


New Rules

  • new: Azure Login Bypassing Conditional Access Policies
  • new: CVE-2024-49113 Exploitation Attempt - LDAP Nightmare
  • new: Suspicious Binaries and Scripts in Public Folder
  • new: Suspicious Invocation of Shell via Rsync
  • new: Windows Event Log Access Tampering Via Registry

Updated Rules

  • update: Exploit Framework User Agent - Add default Havoc C2 UA
  • update: Renamed Powershell Under Powershell Channel - Update regex to use \s+ to account for different parsers
  • update: Shell Execution via Rsync - Linux - Rework logic to make it more generic and include additional shells.
  • update: Suspicious Non PowerShell WSMAN COM Provider - Update regex to use \s+ to account for different parsers
  • update: Suspicious Windows Service Tampering - Add additional services

Removed / Deprecated Rules

  • remove: Windows Defender Exclusion Deleted

Fixed Rules

  • fix: BITS Transfer Job With Uncommon Or Suspicious Remote TLD - Add dn.onenote.net/ and cdn.office.net/
  • fix: CodeIntegrity - Unmet Signing Level Requirements By File Under Validation - Add filter for Kaspersky and mDNS Responder
  • fix: Failed Code Integrity Checks - Add filters for CrowdStrike.
  • fix: Forest Blizzard APT - Process Creation Activity - prepend SHA256 to hash value
  • fix: HackTool - Dumpert Process Dumper Execution - prepend MD5 to hash value
  • fix: ManageEngine Endpoint Central Dctask64.EXE Potential Abuse - prepend IMPHASH to hash value
  • fix: Potential CVE-2023-36874 Exploitation - Fake Wermgr.Exe Creation - Add filter for \Windows\SoftwareDistribution\Download\
  • fix: Potentially Suspicious Volume Shadow Copy Vsstrace.dll Load - Add exclusion filter C:\ProgramData\Package Cache\{ to account for cases like the execution of vcredist
  • fix: Privileged User Has Been Created - Add missing comma to avoid false positives
  • fix: Relevant Anti-Virus Signature Keywords In Application Log - Enhances the HTool string to avoid unintended matches.
  • fix: Renamed Powershell Under Powershell Channel - Add edge case filters for double backslashes PowerShell invocation.
  • fix: Renamed ZOHO Dctask64 Execution - prepend IMPHASH to hash value
  • fix: Uncommon AppX Package Locations - Add https://installer.teams.static.microsoft/
  • fix: WCE wceaux.dll Access - Remove EventIDs 4658 and 4660, as neither event contains the ObjectName field

Acknowledgement

Thanks to @DanielKoifman, @defensivedepth, @djlukic, @frack113, @GtUGtHGtNDtEUaE, @joshnck, @krdmnbrk, @nasbench, @Neo23x0, @samuelmonsempessenthorus, @Ti-R, @tsale, @X-Junior for their contributions to this release.

Which Sigma rule package should I use?

A detailed explanation can be found in the Releases.md file. If you are new to Sigma, we recommend starting with the "Core" ruleset.

The latest release package on GitHub can always be found here.
