SigmaHQ/sigma: Release r2025-12-01

6 hours ago

New Rules

  • new: AWS GuardDuty Detector Deleted Or Updated
  • new: Atomic MacOS Stealer - FileGrabber Activity
  • new: Atomic MacOS Stealer - Persistence Indicators
  • new: Cisco ASA/FP SSL VPN Exploit (CVE-2025-20333 / CVE-2025-20362) - Proxy
  • new: DNS Query by Finger Utility
  • new: Exploitation Activity of CVE-2025-59287 - WSUS Deserialization
  • new: Exploitation Activity of CVE-2025-59287 - WSUS Suspicious Child Process
  • new: FortiGate - Firewall Address Object Added
  • new: FortiGate - New Administrator Account Created
  • new: FortiGate - New Firewall Policy Added
  • new: FortiGate - New Local User Created
  • new: FortiGate - New VPN SSL Web Portal Added
  • new: FortiGate - User Group Modified
  • new: FortiGate - VPN SSL Settings Modified
  • new: Grixba Malware Reconnaissance Activity
  • new: HackTool - WSASS Execution
  • new: Network Connection Initiated via Finger.EXE
  • new: Potentially Suspicious Long Filename Pattern - Linux
  • new: RDP Enable or Disable via Win32_TerminalServiceSetting WMI Class
  • new: Registry Modification Attempt Via VBScript
  • new: Registry Modification Attempt Via VBScript - PowerShell
  • new: Registry Tampering by Potentially Suspicious Processes
  • new: Renamed Schtasks Execution
  • new: Suspicious ClickFix/FileFix Execution Pattern
  • new: Suspicious Explorer Process with Whitespace Padding - ClickFix/FileFix
  • new: Suspicious FileFix Execution Pattern
  • new: Suspicious Filename with Embedded Base64 Commands
  • new: Suspicious Kerberos Ticket Request via CLI
  • new: Suspicious Space Characters in RunMRU Registry Path - ClickFix
  • new: Suspicious Space Characters in TypedPaths Registry Path - FileFix
  • new: Suspicious Usage of For Loop with Recursive Directory Search in CMD
  • new: Uncommon Svchost Command Line Parameter
  • new: Unsigned .node File Loaded
  • new: Windows Default Domain GPO Modification
  • new: Windows Default Domain GPO Modification via GPME

Updated Rules

  • update: COM Object Hijacking Via Modification Of Default System CLSID Default Value - add clsid of twinapi.dll
  • update: Copy From Or To Admin Share Or Sysvol Folder - some logic change
  • update: Cred Dump Tools Dropped Files - Add procdump.exe and procdump64a.exe
  • update: DNS Query to External Service Interaction Domains - add additional domains and filters
  • update: File Download From Browser Process Via Inline URL - Enhance selection by splitting CLI markers for better matching
  • update: FileFix - Command Evidence in TypedPaths - Added more markers
  • update: JexBoss Command Sequence - Update the selection to use the |all modifier.
  • update: LOL-Binary Copied From System Directory - Add ie4uinit.exe
  • update: PPL Tampering Via WerFaultSecure - Rename and update metadata
  • update: PUA - AdFind Suspicious Execution - Add -sc to dclist string for more accurate coverage.
  • update: Potential CVE-2024-3400 Exploitation - Palo Alto GlobalProtect OS Command Injection - Update selection
  • update: Potential ClickFix Execution Pattern - Registry - Add 2 new strings, "finger" and "identification"
  • update: Potential Container Discovery Via Inodes Listing - replace contains globbing with more correct patterns using regex
  • update: Potential Tampering With RDP Related Registry Keys Via Reg.EXE - Add coverage for SecurityLayer value
  • update: Potentially Suspicious NTFS Symlink Behavior Modification - Tighten logic to focus on proxy process such as cmd or powershell
  • update: RDP Sensitive Settings Changed - Add coverage for SecurityLayer value
  • update: Suspicious Copy From or To System Directory - Update selection to use regex for better accuracy
  • update: Suspicious Kerberos Ticket Request via PowerShell Script - ScriptBlock - Add the "GetRequest()" string
  • update: System File Execution Location Anomaly - add Windows error reporting binaries
  • update: System Information Discovery via Registry Queries - Enhance registry markers
  • update: Tor Client/Browser Execution - Add additional PE metadata markers

Removed / Deprecated Rules

  • remove: Active Directory Kerberos DLL Loaded Via Office Application - deprecated as it triggers on normal activity
  • remove: Atomic MacOS Stealer - FileGrabber Infostealer Execution - deprecate in favor of e710a880-1f18-4417-b6a0-b5afdf7e33da
  • remove: Space After Filename - Logic was incorrect and untested

Fixed Rules

  • fix: Capture Credentials with Rpcping.exe - Fix incorrect use of windash together with the all modifier, which broke the logic.
  • fix: Classes Autorun Keys Modification - filter null details
  • fix: Common Autorun Keys Modification - filter null
  • fix: Creation of a Local Hidden User Account by Registry - Fix the TargetObject value
  • fix: CurrentVersion Autorun Keys Modification - filter null details
  • fix: CurrentVersion NT Autorun Keys Modification - filter null and poqexec.exe
  • fix: Explorer Process Tree Break - Fix incorrect use of windash together with the all modifier, which broke the logic.
  • fix: MSDT Execution Via Answer File - Rename rule as well as introduce usage of windash for increased coverage.
  • fix: Modification of IE Registry Settings - filter null details
  • fix: Office Macro File Download - Reduce level to low due to FPs spotted via VT.
  • fix: PUA - Sysinternals Tools Execution - Registry - Fix incorrect logsource
  • fix: Potential COM Object Hijacking Via TreatAs Subkey - Registry - Change logsource and fix the rule logic
  • fix: Potential Dtrack RAT Activity - fix problematic regex with 'OR' condition
  • fix: Potential Persistence Via Logon Scripts - Registry - Fix incorrect logsource
  • fix: Potential Persistence Via New AMSI Providers - Registry - Change logsource and fix the rule logic
  • fix: Potential Persistence Via Shim Database Modification - filter null details
  • fix: Potential Product Reconnaissance Via Wmic.EXE - add filter for some product related operation through wmic
  • fix: Potential Ursnif Malware Activity - Registry - add specific registry key
  • fix: Removal Of Index Value to Hide Schedule Task - Registry - Remove EventType condition that broke the rule.
  • fix: Removal Of SD Value to Hide Schedule Task - Registry - Remove EventType condition that broke the rule.
  • fix: Scheduled Task Creation Via Schtasks.EXE - Add filter for MS Office applications
  • fix: Scheduled TaskCache Change by Uncommon Program - filter null details
  • fix: Suspicious Certreq Command to Download - remove spaces and specific path from detection
  • fix: Suspicious CustomShellHost Execution - Increased level to high due to low FP rate spotted via VT.
  • fix: Suspicious Execution Of Renamed Sysinternals Tools - Registry - Fix incorrect logsource
  • fix: Suspicious Explorer Process with Whitespace Padding - ClickFix/FileFix - Fix selection to use ParentImage instead of Image field
  • fix: Use Short Name Path in Command Line - add filter for dotnet csc.exe
  • fix: WMIC Remote Command Execution - fix broken FP filter
  • fix: Wlrmdr.EXE Uncommon Argument Or Child Process - Fix incorrect use of windash together with the all modifier, which broke the logic.
  • fix: Wow6432Node Windows NT CurrentVersion Autorun Keys Modification - filter null
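Several entries above hinge on Sigma value modifiers: the JexBoss update moves to the |all modifier, and three fixes repair rules whose windash and all modifiers were combined incorrectly. The following is an added illustration, not SigmaHQ or pySigma code, of what those modifiers mean when a selection is evaluated: values in a list are OR'ed by default and AND'ed under |all, and |windash lets each listed switch match in either its dash or slash spelling. The windash expansion here is simplified (only ' -x' to ' /x'; the real modifier also covers Unicode dash variants), and the selection and process-creation events are constructed for the example, not taken from any published rule.

```python
"""Toy evaluator for a handful of Sigma value modifiers (contains, endswith,
re, all, windash). Added illustration only: this is neither SigmaHQ nor pySigma
code, and the selection and events below are constructed, not from any rule."""
import re

# Simplifying assumption: windash turns every switch written as ' -x' (or a
# leading '-x') into its ' /x' spelling. The real modifier also handles
# Unicode dash variants, which are ignored here.
_SWITCH = re.compile(r"(^|\s)-")


def windash_variants(value: str) -> list[str]:
    """Return the value plus its slash-switch twin (no duplicate if unchanged)."""
    alt = _SWITCH.sub(lambda m: m.group(1) + "/", value)
    return [value] if alt == value else [value, alt]


def _compare(field_value: str, pattern: str, op: str) -> bool:
    """Apply one comparison modifier. Sigma string matching is case-insensitive."""
    if op == "re":
        return re.search(pattern, field_value) is not None
    fv, p = field_value.lower(), pattern.lower()
    return {
        "contains": p in fv,
        "startswith": fv.startswith(p),
        "endswith": fv.endswith(p),
        "equals": fv == p,
    }[op]


def match_item(event: dict, key: str, values) -> bool:
    """Evaluate one 'Field|mod1|mod2: [values]' detection item against an event."""
    field, *mods = key.split("|")
    if field not in event:
        return False
    if not isinstance(values, list):
        values = [values]
    op = next((m for m in mods if m in ("contains", "startswith", "endswith", "re")), "equals")
    # windash expands each listed value into alternatives that are OR'ed together...
    groups = [windash_variants(v) if "windash" in mods else [v] for v in values]
    hits = [any(_compare(str(event[field]), v, op) for v in group) for group in groups]
    # ...while the list itself is OR'ed by default and AND'ed under |all.
    return all(hits) if "all" in mods else any(hits)


def match_selection(selection: dict, event: dict) -> bool:
    """Every item of a selection map must hold (implicit AND between keys)."""
    return all(match_item(event, key, values) for key, values in selection.items())


# Constructed selection written in Sigma style (not a published rule).
SELECTION = {
    "Image|endswith": ["\\powershell.exe", "\\pwsh.exe"],
    "CommandLine|contains|windash|all": ["-nop", "-w hidden"],
}

# Constructed process-creation events.
EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -c whoami"},   # both switches, dash form
    {"Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "CommandLine": "pwsh.exe /nop /w hidden /c whoami"},          # slash form: windash catches it
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -c whoami"},             # only one switch: |all rejects
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe -nop -w hidden"},                 # wrong Image: never matches
]


def matching_indices(selection: dict, events: list) -> list[int]:
    """Indices of the events the selection fires on."""
    return [i for i, ev in enumerate(events) if match_selection(selection, ev)]


if __name__ == "__main__":
    print("with |all:   ", matching_indices(SELECTION, EVENTS))
    # Dropping |all turns the list back into an OR, so the third event also fires.
    no_all = {"Image|endswith": SELECTION["Image|endswith"],
              "CommandLine|contains|windash": SELECTION["CommandLine|contains|windash|all"]}
    print("without |all:", matching_indices(no_all, EVENTS))
```

Running the block prints the matching event indices with and without |all; the difference between the two lines is exactly the semantic change an |all edit makes to a rule, and the second event shows why a command-line rule without windash silently misses slash-prefixed switches.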

Acknowledgement

Thanks to @darses, @deftoner, @EzLucky, @frack113, @HullaBrian, @inthecyber, @JasonPhang98, @jstnk9, @Koifman, @Liran017, @montysecurity, @nasbench, @phantinuss, @RiqTam, @SethHanford, @suKTech24, @swachchhanda000, @tropChaud, @tsale, @YxinMiracle for their contribution to this release

Which Sigma rule package should I use?

A detailed explanation can be found in the Releases.md file. If you are new to Sigma, we recommend starting with the "Core" ruleset.

The latest release package can always be found on the repository's GitHub Releases page.
