github SigmaHQ/sigma r2025-11-01
Release r2025-11-01
on GitHub

2 days ago

New Rules

  • new: AWS Bucket Deleted
  • new: AWS Console Login Monitoring
  • new: AWS ConsoleLogin Failed Authentication
  • new: AWS EnableRegion Command Monitoring
  • new: AWS IAM user with Console Access Login Without MFA (#5074)
  • new: AWS KMS Imported Key Material Usage
  • new: AWS STS GetCallerIdentity Enumeration Via TruffleHog
  • new: AWS VPC Flow Logs Deleted
  • new: Audit Rules Deleted Via Auditctl
  • new: BaaUpdate.exe Suspicious DLL Load
  • new: FTP Connection Open Attempt Via Winscp CLI
  • new: File Access Of Signal Desktop Sensitive Data
  • new: GitHub Repository Archive Status Changed
  • new: GitHub Repository Pages Site Changed to Public
  • new: Hacktool - EDR-Freeze Execution
  • new: IIS WebServer Log Deletion via CommandLine Utilities
  • new: ISATAP Router Address Was Set
  • new: Installation of WSL KaliLinux
  • new: Kaspersky Endpoint Security Stopped Via CommandLine - Linux
  • new: Linux Sudo Chroot Execution
  • new: Mask System Power Settings Via Systemctl
  • new: Non-Standard Nsswitch.Conf Creation - Potential CVE-2025-32463 Exploitation
  • new: PUA - Restic Backup Tool Execution
  • new: Potential Executable Run Itself As Sacrificial Process
  • new: Potential Exploitation of GoAnywhere MFT vulnerability
  • new: Potential Lateral Movement via Windows Remote Shell
  • new: Python WebServer Execution - Linux
  • new: RunMRU Registry Key Deletion
  • new: RunMRU Registry Key Deletion - Registry
  • new: Suspicious BitLocker Access Agent Update Utility Execution (#5502)
  • new: Syslog Clearing or Removal Via System Utilities
  • new: Unsigned or Unencrypted SMB Connection to Share Established
  • new: WFP Filter Added via Registry
  • new: WSL Kali Linux Usage
  • new: WinRAR Creating Files in Startup Locations
  • new: Winrs Local Command Execution
  • new: Winscp Execution From Non Standard Folder

Updated Rules

  • update: ASLR Disabled Via Sysctl or Direct Syscall - Linux - Add sysctl option
  • update: AWS Successful Console Login Without MFA - only alert on successful logins
  • update: Account Tampering - Suspicious Failed Logon Reasons - add SubStatus field
  • update: Blackbyte Ransomware Registry - move to rules-emerging-threats folder
  • update: Local Accounts Discovery - add OriginalFileName field
  • update: Modify System Firewall - add nftables delete/flush
  • update: PFX File Creation - Enhance filters, metadata and logic
  • update: Potential LSASS Process Dump Via Procdump - expand flags and service-names detection
  • update: Potentially Suspicious JWT Token Search Via CLI - add selection for common search tools
  • update: PowerShell Download Pattern - add powershell_ise
  • update: Powershell Token Obfuscation - Powershell - Move to the TH folder in order to set the right FP expectations.
  • update: Suspicious C2 Activities - update definition (#5142)
  • update: Suspicious Process Suspension via WERFaultSecure through EDR-Freeze - refine image path logic and include OriginalFileName for improved rule accuracy
  • update: Suspicious Startup Folder Persistence: add more suspicious extensions
  • update: Use Short Name Path in Image - change detection logic structure
  • update: WinRAR Execution in Non-Standard Folder - update PE metadata

Removed / Deprecated Rules

  • remove: Active Directory Parsing DLL Loaded Via Office Application - deprecated as this rule was triggered everytime any office app was opened
  • remove: Azure Application Credential Modified - superseeded by cbb67ecc-fb70-4467-9350-c910bdf7c628
  • remove: PowerShell DownloadFile - Deprecated in favour of 3b6ab547-8ec2-4991-b9d2-2b06702a48d7
  • remove: Whoami Utility Execution - Deprecated in favor of 502b42de-4306-40b4-9596-6f590c81f073

Fixed Rules

  • fix: Allow Service Access Using Security Descriptor Tampering Via Sc.EXE - filter hexnode
  • fix: Alternate PowerShell Hosts - PowerShell Module - filter out more legit powershell host
  • fix: Arbitrary DLL or Csproj Code Execution Via Dotnet.EXE - remove + characters from selectors
  • fix: CurrentVersion Autorun Keys Modification - Add more filters for OneDriverSetup.EXE
  • fix: CurrentVersion NT Autorun Keys Modification - filter svchost making legitimate registry change
  • fix: File With Uncommon Extension Created By An Office Application - Add a filter to remove fp caused by ".com" directory filename
  • fix: Firewall Configuration Discovery Via Netsh.EXE - fix logic (#5171)
  • fix: HackTool - Windows Credential Editor (WCE) Execution - remove fp selection while increasing coverage
  • fix: Kerberoasting Activity - Initial Query - Fix issue with filter names and logic
  • fix: Mint Sandstorm - AsperaFaspex Suspicious Process Execution - Change the commandline to regex to account for additional spaces when ingesting non XML version of logs from the eventlog.
  • fix: Mint Sandstorm - ManageEngine Suspicious Process Execution - Change the commandline to regex to account for additional spaces when ingesting non XML version of logs from the eventlog.
  • fix: Office Application Initiated Network Connection Over Uncommon Ports - Add filter for other common ports
  • fix: Office Application Initiated Network Connection To Non-Local IP - Add filter to more legit microsoft IP address ASN subnets
  • fix: Office Autorun Keys Modification - Add a new filter for a FriendlyName Addin
  • fix: Ping Hex IP - refined detection by adding regex to only match true hexadecimal IPv4 formats
  • fix: Potential CVE-2023-23397 Exploitation Attempt - Add RemoteAddress field to filters
  • fix: Potential Data Exfiltration Activity Via CommandLine Tools - Change the commandline to regex to account for additional spaces when ingesting non XML version of logs from the eventlog.
  • fix: Potential Devil Bait Malware Reconnaissance - Change the commandline to regex to account for additional spaces when ingesting non XML version of logs from the eventlog.
  • fix: Potential Dtrack RAT Activity - Change the commandline to regex to account for additional spaces when ingesting non XML version of logs from the eventlog.
  • fix: Potential PowerShell Obfuscation Using Alias Cmdlets - filter legitimate cim aliases
  • fix: Potential Snatch Ransomware Activity - Change the commandline to regex to account for additional spaces when ingesting non XML version of logs from the eventlog.
  • fix: Potentially Suspicious Desktop Background Change Via Registry - filter EC2Launch.exe
  • fix: Potentially Suspicious Volume Shadow Copy Vsstrace.dll Load - Add a filter for null Image field
  • fix: Program Executed Using Proxy/Local Command Via SSH.EXE - fix overlap of strings to reduce FPs
  • fix: Rare Remote Thread Creation By Uncommon Source Image - filter office FPs (#5529)
  • fix: Registry Persistence via Service in Safe Mode - filter hexnode
  • fix: SMB Create Remote File Admin Share - filter out local IP
  • fix: Startup Folder File Write - Add a filter for OneNote
  • fix: Suspicious Access to Sensitive File Extensions - Commented out groups.xml
  • fix: Suspicious Access to Sensitive File Extensions - Zeek - Commented out groups.xml
  • fix: Suspicious Network Command - Change the commandline to regex to account for additional spaces when ingesting non XML version of logs from the eventlog.
  • fix: Suspicious Non PowerShell WSMAN COM Provider - filter hexnode
  • fix: Suspicious SYSTEM User Process Creation - Change the commandline to regex to account for additional spaces when ingesting non XML version of logs from the eventlog.
  • fix: Suspicious Userinit Child Process - Add filter to Explorer in CommandLine
  • fix: Suspicious Volume Shadow Copy Vssapi.dll Load - Add a filter for null Image field
  • fix: Suspicious WSMAN Provider Image Loads - Add a filter for mmc loading wsman provider images
  • fix: Sysmon Channel Reference Deletion - AccessMask should be a string
  • fix: System Disk And Volume Reconnaissance via Wmic.EXE - update the rule logic to remove potential FPs
  • fix: System File Execution Location Anomaly - add filter for wsl fps
  • fix: Turla Group Commands May 2020 - Change the commandline to regex to account for additional spaces when ingesting non XML version of logs from the eventlog.
  • fix: Uncommon AppX Package Locations - Add a filter to legit Microsoft path
  • fix: Uncommon PowerShell Hosts - filter hexnode
  • fix: Usage Of Web Request Commands And Cmdlets - Comment out Net.webclient
  • fix: Usage Of Web Request Commands And Cmdlets - ScriptBlock - Commented out Net.webclient
  • fix: WannaCry Ransomware Activity - remove generic indicators (#5131)

Acknowledgement

Thanks to @adanalvarez, @BalsamicSentry, @BIitzkrieg, @CheraghiMilad, @david-syk, @djlukic, @EzLucky, @frack113, @kagebunsher, @KingKDot, @Koifman, @Liran017, @mlakri, @mm-abdelghani, @nasbench, @netgrain, @NinnessOtu, @peterydzynski, @phantinuss, @rkmbaxed, @RobertN87, @saakovv, @swachchhanda000, @thuya-hacktilizer, @toopricey, @vasquja, @vl43den, @YamatoSecurity, @zambomarcell for their contribution to this release

Which Sigma rule package should I use?

A detailed explanation can be found in the Releases.md file. If you are new to Sigma, we recommend starting with the "Core" ruleset.

The latest release package on GitHub can always be found here.

Check out latest releases or
releases around SigmaHQ/sigma r2025-11-01

Don't miss a new sigma release

NewReleases is sending notifications on new releases.

Get notifications