New Rules
- new: ADExplorer Writing Complete AD Snapshot Into .dat File
- new: CrushFTP RCE vulnerability CVE-2025-54309
- new: Delete Defender Scan ShellEx Context Menu Registry Key
- new: Disabling Windows Defender WMI Autologger Session via Reg.exe
- new: FunkLocker Ransomware File Creation
- new: Low Reputation Effective Top-Level Domain (eTLD)
- new: MMC Executing Files with Reversed Extensions Using RTLO Abuse
- new: MMC Loading Script Engines DLLs
- new: MacOS FileGrabber Infostealer
- new: NodeJS Execution of JavaScript File
- new: Password Never Expires Set via WMI
- new: Potential ClickFix Execution Pattern - Registry
- new: Potential Hello-World Scraper Botnet Activity
- new: Potential JLI.dll Side-Loading
- new: Potential PowerShell Console History File Access Attempt
- new: Potential SAP NetWeaver Webshell Creation
- new: Potential SAP NetWeaver Webshell Creation - Linux
- new: Potential SSH Tunnel Persistence Install Using A Scheduled Task
- new: Potential SharePoint ToolShell CVE-2025-53770 Exploitation - File Create
- new: Potential SharePoint ToolShell CVE-2025-53770 Exploitation Indicators
- new: Potentially Suspicious Child Processes Spawned by ConHost
- new: Potentially Suspicious Inline JavaScript Execution via NodeJS Binary
- new: PowerShell Defender Default Threat Action Set to 'Allow' or 'NoAction'
- new: Registry Manipulation via WMI Stdregprov
- new: Remote Access Tool - TacticalRMM Agent Registration to Potential Attacker-Controlled Server
- new: Scheduled Task Creation Masquerading as System Processes
- new: Schtasks Curl Download and Powershell Execution Combination
- new: Security Event Logging Disabled Via MiniNt Registry Key - Process
- new: Security Event Logging Disabled Via MiniNt Registry Key - Registry Set
- new: SharePoint ToolShell CVE-2025-53770 Exploitation - Web IIS
- new: Suspicious Child Process of SAP NetWeaver
- new: Suspicious Child Process of SAP NetWeaver - Linux
- new: Suspicious Creation of .library-ms File - Potential CVE-2025-24054 Exploit
- new: Suspicious File Created in Outlook Temporary Directory
- new: Suspicious File Write to SharePoint Layouts Directory
- new: Suspicious Process Suspension via WERFaultSecure through EDR-Freeze
- new: Suspicious Uninstall of Windows Defender Feature via PowerShell
- new: Suspicious Velociraptor Child Process
- new: WDAC Policy File Creation In CodeIntegrity Folder
- new: Windows Defender Context Menu Removed via Reg.exe
- new: Windows Defender Default Threat Action Modified
- new: Windows Recovery Environment Disabled Via Reagentc
Updated Rules
- update: Active Directory Database Snapshot Via ADExplorer - add more selections
- update: Certificate Use With No Strong Mapping - Update Provider Name
- update: Change User Agents with WebRequest - add invoke-restmethod cmdlet
- update: DNS Query Tor .Onion Address - Sysmon - update detection logic
- update: DNS TOR Proxies - update detection logic
- update: KDC RC4-HMAC Downgrade CVE-2022-37966 - Update Provider Name
- update: Network Connection Initiated To BTunnels Domains - MITRE tags
- update: Network Connection Initiated To Cloudflared Tunnels Domains - MITRE tags
- update: Network Connection Initiated To DevTunnels Domain - MITRE tags
- update: Network Connection Initiated To Mega.nz - MITRE tag
- update: Network Connection Initiated To Visual Studio Code Tunnels Domain - MITRE tags
- update: No Suitable Encryption Key Found For Generating Kerberos Ticket - Update Provider Name
- update: Obfuscated IP Download Activity - add invoke-restmethod cmdlet
- update: Potential DLL File Download Via PowerShell Invoke-WebRequest - add invoke-restmethod cmdlet
- update: Potential Data Exfiltration Activity Via CommandLine Tools - add invoke-restmethod cmdlet
- update: Potential Defense Evasion Via Binary Rename - add 7za
- update: Potential Defense Evasion Via Right-to-Left Override - add [U+202E]
- update: Potential File Extension Spoofing Using Right-to-Left Override - add [U+202E] and more extensions
- update: Potential SharePoint ToolShell CVE-2025-53770 Exploitation - File Create - update rule with new IOCs
- update: PowerShell Download and Execution Cradles - add invoke-restmethod cmdlet
- update: PowerShell Script With File Upload Capabilities - add invoke-restmethod cmdlet
- update: Python Image Load By Non-Python Process - update the metadata
- update: Query Tor Onion Address - DNS Client - update detection logic
- update: Regsvr32 DLL Execution With Suspicious File Extension - add coverage for regsvr executing '.log' extension
- update: Renamed Visual Studio Code Tunnel Execution - remove optional flag '--name'
- update: RestrictedAdminMode Registry Value Tampering - ProcCreation - remove trailing slash
- update: Suspicious Active Directory Database Snapshot Via ADExplorer - add more selections
- update: Suspicious Double Extension Files - add .svg extension
- update: Suspicious Dropbox API Usage - MITRE tags
- update: Suspicious Get Local Groups Information - PowerShell - increase coverage for WMI modules
- update: Suspicious Invoke-WebRequest Execution - add powershell_ise
- update: Suspicious Invoke-WebRequest Execution With DirectIP - add invoke-restmethod cmdlet
- update: Suspicious Non-Browser Network Communication With Telegram API - MITRE tag
- update: Suspicious PowerShell In Registry Run Keys - add invoke-restmethod cmdlet
- update: Suspicious Windows Service Tampering - add coverage for Windows service tampering through wmic and PowerShell WMI module
- update: System File Execution Location Anomaly - add taskhostw
- update: Unsigned DLL Loaded by Windows Utility - also filter SignatureStatus 'valid'
- update: Usage Of Web Request Commands And Cmdlets - ScriptBlock - add invoke-restmethod cmdlet
- update: Usage Of Web Request Commands And Cmdlets - add invoke-restmethod cmdlet
- update: Visual Studio Code Tunnel Execution - remove optional flag '--name'
Removed / Deprecated Rules
- remove: .RDP File Created by Outlook Process - deprecate in favour of fabb0e80-030c-4e3e-a104-d09676991ac3
- remove: PowerShell Web Download - deprecate duplicate rule in favour of 9fc51a3c-81b3-4fa7-b35f-7c02cf10fd2d
Fixed Rules
- fix: Added Credentials to Existing Application - fix filter dash type, capitalization and spaces to match Azure log format
- fix: COM Hijacking via TreatAs - Add filter for integrator.exe
- fix: HackTool - LaZagne Execution - remove imphashes common to pyinstaller bundled executables
- fix: New Service Creation Using Sc.EXE - add filter for dropbox
- fix: Potential Defense Evasion Via Raw Disk Access By Uncommon Tools - add filter for mpDefenderCoreService and SysWow64
- fix: Potential Persistence Via Notepad++ Plugins - add filter for notepad++ installers
- fix: Potential PsExec Remote Execution - add filter for localhost
- fix: Potential Python DLL SideLoading - add FP filter caused by pyinstaller bundled applications
- fix: Process Initiated Network Connection To Ngrok Domain - fix title and update MITRE tags
- fix: Removal of Potential COM Hijacking Registry Keys - Added Msedge update filter
- fix: Suspicious Volume Shadow Copy VSS_PS.dll Load - add vssadmin filter
- fix: Transferring Files with Credential Data via Network Shares - made the string matching a little more specific to avoid FPs
- fix: UNC4841 - Barracuda ESG Exploitation Indicators - FPs with mknod on Linux systems
- fix: Windows Binaries Write Suspicious Extensions - add filter for PowerShell files created by svchost in the Clipchamp folder
- fix: Windows Event Log Access Tampering Via Registry
- fix: potentially suspicious execution from tmp folder
- fix: potentially suspicious execution from tmp folder - nextcloud fp from tmp folder
Acknowledgement
Thanks to @0xbcf, @0xPrashanthSec, @egycondor, @EzLucky, @frack113, @gkazimiarovich, @JasonPhang98, @josamontiel, @Koifman, @Liran017, @M1ra1B0T, @MATTANDERS0N, @nasbench, @Neo23x0, @netgrain, @nisargsuthar, @norbert791, @peterydzynski, @phantinuss, @resp404nse, @ruppde, @swachchhanda000, @Ti-R, @vl43den, @YxinMiracle for their contributions to this release
Which Sigma rule package should I use?
A detailed explanation can be found in the Releases.md file. If you are new to Sigma, we recommend starting with the "Core" ruleset.
The latest release package on GitHub can always be found here.