github SigmaHQ/sigma r2025-05-21
Release r2025-05-21
on GitHub

latest release: r2025-07-08
3 months ago

New Rules

  • new: Clfs.SYS Loaded By Process Located In a Potential Suspicious Location
  • new: Crash Dump Created By Operating System
  • new: HTTP Request to Low Reputation TLD or Suspicious File Extension
  • new: Kalambur Backdoor Curl TOR SOCKS Proxy Execution
  • new: Notepad Password Files Discovery
  • new: PUA - AdFind.EXE Execution
  • new: PUA - NimScan Execution
  • new: Potential CVE-2024-35250 Exploitation Activity
  • new: Potential Exploitation of CVE-2025-4427/4428 Ivanti EPMM Pre-Auth RCE
  • new: Potential Unconstrained Delegation Discovery Via Get-ADComputer - ScriptBlock
  • new: Potentially Suspicious WDAC Policy File Creation
  • new: Suspicious Autorun Registry Modified via WMI
  • new: Suspicious CrushFTP Child Process
  • new: Suspicious LNK Command-Line Padding with Whitespace Characters
  • new: Suspicious Process Spawned by CentreStack Portal AppPool

Updated Rules

  • update: AADInternals PowerShell Cmdlets Execution - ProccessCreation - Add additional strings from the AADinternals framework
  • update: AADInternals PowerShell Cmdlets Execution - PsScript - Add additional strings from the AADinternals framework
  • update: AWS New Lambda Layer Attached - Enhance metadata and logic
  • update: Anydesk Remote Access Software Service Installation - Enhance coverage by accounting for the AnyDesk MSI Service
  • update: Audio Capture - add ecasound detection
  • update: Buffer Overflow Attempts - Enhance and reworked logic with new keywords
  • update: COM Object Hijacking Via Modification Of Default System CLSID Default Value - Add additional COM CLSID
  • update: Direct Autorun Keys Modification
  • update: Elevated System Shell Spawned - Add powershell_ise
  • update: Elevated System Shell Spawned From Uncommon Parent Location - Add powershell_ise
  • update: Malicious PowerShell Commandlets - PoshModule - Add Veeam-Get-Creds
  • update: Malicious PowerShell Commandlets - ProcessCreation - Add Veeam-Get-Creds
  • update: Malicious PowerShell Scripts - FileCreation - Add Veeam-Get-Creds.ps1
  • update: Malicious PowerShell Scripts - PoshModule - Add Veeam-Get-Creds.ps1
  • update: New RUN Key Pointing to Suspicious Folder
  • update: Nslookup PowerShell Download Cradle - Add additional coverage with -type=txt http
  • update: Obfuscated PowerShell OneLiner Execution - Enhance logic to increase coverage.
  • update: Potential APT FIN7 Exploitation Activity - Add false positive description
  • update: Potential Binary Impersonating Sysinternals Tools - Add list of binaries compiled for Arm64 arch added
  • update: Potential Browser Data Stealing - add esentutl.exe
  • update: Potential Obfuscated Ordinal Call Via Rundll32 - Add additional obfuscation methods
  • update: Potential Persistence Attempt Via Run Keys Using Reg.EXE
  • update: Potential Product Class Reconnaissance Via Wmic.EXE - Add AntiSpywareProduct class
  • update: Potentially Suspicious WDAC Policy File Creation
  • update: Process Memory Dump Via Comsvcs.DLL - Add additional obfuscation methods
  • update: Remote Access Tool - AnyDesk Execution - Add AnyDeskMSI.exe
  • update: Remote Access Tool - AnyDesk Incoming Connection - Add AnyDeskMSI.exe
  • update: Remote Access Tool - Anydesk Execution From Suspicious Folder - Add AnyDeskMSI.exe
  • update: Renamed AdFind Execution - Add additional Imphash values
  • update: Service Reload or Start - Linux - Add additional flags and binaries used to changes services status
  • update: Suspicious Binary Writes Via AnyDesk - Add AnyDeskMSI.exe
  • update: Suspicious Eventlog Clear - Added coverage for eventlog clearing using dotnet class
  • update: Suspicious Eventlog Clearing or Configuration Change Activity- Added coverage for eventlog clearing using dotnet class
  • update: Suspicious PowerShell Invocations - Specific
  • update: Suspicious PowerShell Invocations - Specific - PowerShell Module
  • update: Suspicious Powershell In Registry Run Keys
  • update: Suspicious Run Key from Download
  • update: Windows Event Log Access Tampering Via Registry - Increase coverage by removing log markers
  • update: proc_creation_lnx_esxcli_network_discovery.yml - updating MITRE to match v17
  • update: proc_creation_lnx_esxcli_permission_change_admin.yml - updating MITRE to match v17
  • update: proc_creation_lnx_esxcli_storage_discovery.yml - updating MITRE to match v17
  • update: proc_creation_lnx_esxcli_syslog_config_change.yml - updating MITRE to match v17
  • update: proc_creation_lnx_esxcli_system_discovery.yml - updating MITRE to match v17
  • update: proc_creation_lnx_esxcli_user_account_creation.yml - updating MITRE to match v17
  • update: proc_creation_lnx_esxcli_vm_discovery.yml - updating MITRE to match v17
  • update: proc_creation_lnx_esxcli_vm_kill.yml - updating MITRE to match v17
  • update: proc_creation_lnx_esxcli_vsan_discovery.yml - updating MITRE to match v17

Fixed Rules

  • fix: Conhost Spawned By Uncommon Parent Process - Add filter for '-k wusvcs -p -s WaaSMedicSvc
  • fix: Indirect Command Exectuion via Forfiles - wrong keyword
  • fix: Potential Binary Or Script Dropper Via PowerShell - Add filter for C:\Windows\SystemTemp\
  • fix: Potential CVE-2023-23397 Exploitation Attempt - SMB - Add filters for IP format when ingesting XML raw event
  • fix: Potential CVE-2023-23397 Exploitation Attempt - SMB - Fix the IP block covering EventID 30804 as it does not contain an IP as a field but as a string
  • fix: Potential WinAPI Calls Via CommandLine - Add new filter for CompatTelRunner
  • fix: PowerShell Execution - wrong date format
  • fix: Python Initiated Connection - Add filter for pip install
  • fix: Python Initiated Connection - Enhance python filter
  • fix: Python Inline Command Execution - Add filter for whl package installations
  • fix: Schtasks Creation Or Modification With SYSTEM Privileges - Add new filter of office scheduled task
  • fix: Whoami.EXE Execution Anomaly - Add new filter for empty parent
  • fix: Windows Processes Suspicious Parent Directory - Add new filter for empty parent

Acknowledgement

Thanks to @CheraghiMilad, @clr2of8, @david-syk, @DFIR-Detection, @dsplice, @Eyezuhk, @frack113, @Gude5, @HannesWid, @imall4n, @jasonmull, @Koifman, @MalGamy12, @nasbench, @Neo23x0, @nickatrecon, @phantinuss, @RG9n, @signalblur, @swachchhanda000, @whichbuffer, @X-Junior for their contribution to this release

Which Sigma rule package should I use?

A detailed explanation can be found in the Releases.md file. If you are new to Sigma, we recommend starting with the "Core" ruleset.

The latest release package on GitHub can always be found here.

Check out latest releases or
releases around SigmaHQ/sigma r2025-05-21

Don't miss a new sigma release

NewReleases is sending notifications on new releases.

Get notifications