New Rules
- new: AMSI Disabled via Registry Modification
- new: Cmd Launched with Hidden Start Flags to Suspicious Targets
- new: Devcon Execution Disabling VMware VMCI Device
- new: Github Self-Hosted Runner Execution
- new: HTML File Opened From Download Folder
- new: Hypervisor-protected Code Integrity (HVCI) Related Registry Tampering Via CommandLine
- new: Legitimate Application Writing Files In Uncommon Location
- new: Linux Setgid Capability Set on a Binary via Setcap Utility
- new: Linux Setuid Capability Set on a Binary via Setcap Utility
- new: Linux Suspicious Child Process From Node.js - React2Shell
- new: OpenCanary - Host Port Scan (SYN Scan)
- new: OpenCanary - NMAP FIN Scan
- new: OpenCanary - NMAP NULL Scan
- new: OpenCanary - NMAP OS Scan
- new: OpenCanary - NMAP XMAS Scan
- new: OpenCanary - RDP New Connection Attempt
- new: PUA - Kernel Driver Utility (KDU) Execution
- new: Registry Modification for OCI DLL Redirection
- new: Successful MSIX/AppX Package Installation
- new: Suspicious ArcSOC.exe Child Process
- new: Suspicious File Created by ArcSOC.exe
- new: Suspicious Loading of Dbgcore/Dbghelp DLLs from Uncommon Location
- new: Suspicious Process Access of MsMpEng by WerFaultSecure - EDR-Freeze
- new: Suspicious Process Access to LSASS with Dbgcore/Dbghelp DLLs
- new: Suspicious Shell Open Command Registry Modification
- new: User Shell Folders Registry Modification via CommandLine
- new: Vulnerable Driver Blocklist Registry Tampering Via CommandLine
- new: WerFaultSecure Loading DbgCore or DbgHelp - EDR-Freeze
- new: Windows AMSI Related Registry Tampering Via CommandLine
- new: Windows AppX Deployment Full Trust Package Installation
- new: Windows AppX Deployment Unsigned Package Installation
- new: Windows Credential Guard Disabled - Registry
- new: Windows Credential Guard Registry Tampering Via CommandLine
- new: Windows Credential Guard Related Registry Value Deleted - Registry
- new: Windows MSIX Package Support Framework AI_STUBS Execution
- new: Windows Suspicious Child Process From Node.js - React2Shell
- new: Windows Vulnerable Driver Blocklist Disabled
Updated Rules
- update: ASLR Disabled Via Sysctl or Direct Syscall - Linux - Updated syscall field to SYSCALL in order to make use of enriched logs
- update: AppX Located in Uncommon Directory Added to Deployment Pipeline - Enhance selection criteria
- update: Audio Capture - Updated syscall field to SYSCALL in order to make use of enriched logs
- update: BITS Transfer Job Download From File Sharing Domains - add github.com
- update: Clear or Disable Kernel Ring Buffer Logs via Syslog Syscall - Updated syscall field to SYSCALL in order to make use of enriched logs
- update: Creation Of Non-Existent System DLL - Add new DLLs and update metadata
- update: Curl Web Request With Potential Custom User-Agent - add another curl supported flag for header
- update: DNS Query to External Service Interaction Domains - Changed modifier to endswith for better accuracy and add additional domains.
- update: Direct Autorun Keys Modification - remove User Shell Folder registry modification
- update: File Download Via Bitsadmin To A Suspicious Target Folder - add more susp locations
- update: Hacktool - EDR-Freeze Execution - add more coverage
- update: Malicious PowerShell Commandlets - PoshModule - add Invoke-DNSExfiltrator
- update: Malicious PowerShell Commandlets - ProcessCreation - add Invoke-DNSExfiltrator
- update: Malicious PowerShell Commandlets - ScriptBlock - add Invoke-DNSExfiltrator
- update: Malicious PowerShell Scripts - FileCreation - add Invoke-DNSExfiltrator
- update: Malicious PowerShell Scripts - PoshModule - add Invoke-DNSExfiltrator
- update: Modify User Shell Folders Startup Value - add new registry path, also add filtering of legit paths
- update: Network Communication Initiated To File Sharing Domains From Process Located In Suspicious Folder - add github.com
- update: Network Connection Initiated From Process Located In Potentially Suspicious Or Uncommon Location - add github.com
- update: Potential DLL Sideloading Of Non-Existent DLLs From System Folders - Add new DLLs and update metadata
- update: Potential Malicious Usage of CloudTrail System Manager - Update logic to use errorCode instead for better mapping and accuracy
- update: Potential SquiblyTwo Technique Execution - Extend coverage for remote execution
- update: Potentially Suspicious EventLog Recon Activity Using Log Query Utilities - add more interesting event ids
- update: Registry Modification of MS-settings Protocol Handler - Update logic to be more clear
- update: Renamed Office Binary Execution - add olk.exe matching on Microsoft Outlook
- update: Special File Creation via Mknod Syscall - Updated syscall field to SYSCALL in order to make use of enriched logs
- update: Suspicious Download From File-Sharing Website Via Bitsadmin - add github URL
- update: Suspicious Download Via Certutil.EXE - add URL flag related with GUI-based download
- update: Suspicious File Download From File Sharing Domain Via Curl.EXE - add github.com
- update: Suspicious File Download From File Sharing Domain Via Wget.EXE - add github.com
- update: Suspicious File Download From File Sharing Websites - File Stream - add github.com
- update: Suspicious File Downloaded From Direct IP Via Certutil.EXE - add URL flag related with GUI-based download
- update: Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE - add URL flag related with GUI-based download and github domain
- update: Suspicious Package Installed - Linux - add 'socat' keyword and fix a typo
- update: Suspicious Remote AppX Package Locations - add github.com
- update: System Info Discovery via Sysinfo Syscall - Updated syscall field to SYSCALL in order to make use of enriched logs
- update: Unusual File Download From File Sharing Websites - File Stream - add github.com
- update: WMIC Loading Scripting Libraries - Update metadata
- update: Webshell Remote Command Execution - Updated syscall field to SYSCALL in order to make use of enriched logs
- update: XSL Script Execution Via WMIC.EXE - Filter out remote execution parameters to avoid duplicate alerting
Removed / Deprecated Rules
- remove: File Download Via Bitsadmin To An Uncommon Target Folder - deprecate in favor of 2ddef153-167b-4e89-86b6-757a9e65dcac
Fixed Rules
- fix: Capabilities Discovery - Linux - Removed unnecessary windash modifier
- fix: Creation of WerFault.exe/Wer.dll in Unusual Folder - filter C:\Windows\UUS\arm64\
- fix: CredUI.DLL Loaded By Uncommon Process - filter systemapps
- fix: Files With System Process Name In Unsuspected Locations - filter windows temp
- fix: GUI Input Capture - macOS - remove osascript wrong path
- fix: Load Of RstrtMgr.DLL By An Uncommon Process - filter OneDriveStandaloneUpdater.exe
- fix: Potential Defense Evasion Via Raw Disk Access By Uncommon Tools - filter legitimate ARM based locations
- fix: Potential System DLL Sideloading From Non System Locations - filter legitimate ARM based locations
- fix: Potentially Suspicious Volume Shadow Copy Vsstrace.dll Load - filter C:$WinREAgent\Scratch\
- fix: Potentially Suspicious WDAC Policy File Creation - filter wuaucltcore.exe
- fix: Rare Remote Thread Creation By Uncommon Source Image - filter provtool system
- fix: Startup Folder File Write - filter out wuauclt.exe and C:$WinREAgent\Scratch\Mount\ directory
- fix: Suspicious desktop.ini Action - filter onedrive
- fix: Unauthorized System Time Modification - filter out vmwaretools
- fix: Uncommon AppX Package Locations - filter out system32
- fix: Wow6432Node CurrentVersion Autorun Keys Modification - filter null Details
Acknowledgement
Thanks to @darses, @EzLucky, @frack113, @Koifman, @marcopedrinazzi, @MATTANDERS0N, @mbabinski, @nasbench, @Niicolaa, @phantinuss, @RiqTam, @skaynum, @swachchhanda000, @toheeb-orelope, @vl43den for their contribution to this release
Which Sigma rule package should I use?
A detailed explanation can be found in the Releases.md file. If you are new to Sigma, we recommend starting with the "Core" ruleset.
The latest release package on GitHub can always be found here.