github SigmaHQ/sigma r2026-04-01
Release r2026-04-01
on GitHub

7 hours ago

New Rules

  • new: Axios NPM Compromise File Creation Indicators - Linux
  • new: Axios NPM Compromise File Creation Indicators - MacOS
  • new: Axios NPM Compromise File Creation Indicators - Windows
  • new: Axios NPM Compromise Indicators - Linux
  • new: Axios NPM Compromise Indicators - MacOS
  • new: Axios NPM Compromise Indicators - Windows
  • new: Axios NPM Compromise Malicious C2 Domain DNS Query
  • new: Azure Sign-In With Axios User Agent
  • new: Cisco Dot1x Disabled
  • new: DMSA Link Attributes Modified
  • new: DMSA Service Account Created in Specific OUs - PowerShell
  • new: Google Workspace Government Attack Warning
  • new: Google Workspace Out Of Domain Email Forwarding
  • new: HackTool - NetExec File Indicators
  • new: Hacktool - NetExec Execution
  • new: Inbox Rules Creation Or Update Activity Via ExchangePowerShell Cmdlet
  • new: Inbox Rules Creation Or Update Activity in O365
  • new: Indirect Command Execution via SFTP ProxyCommand
  • new: Kubernetes Potential Enumeration Activity
  • new: LiteLLM / TeamPCP Supply Chain Attack Indicators
  • new: Mail Forwarding/Redirecting Activity Via ExchangePowerShell Cmdlet
  • new: New DMSA Service Account Created in Specific OUs
  • new: New MsDS-DelegatedManagedServiceAccount (DMSA) Object Created
  • new: Notepad++ Updater DNS Query to Uncommon Domains
  • new: Okta Session Impersonation Granted From Untrusted Domain
  • new: OpenEDR Spawning Command Shell
  • new: PUA - Memory Dump Mount Via MemProcFS
  • new: Potential CVE-2026-33829 Exploitation - Windows Snipping Tool Remote File Path URI
  • new: Potential Exploitation of CVE-2025-5054 or CVE-2025-4598
  • new: Potential Vcruntime140 DLL Sideloading
  • new: Potentially Suspicious File Creation by OpenEDR's ITSMService
  • new: Python Base64 Encoded Inline Command Execution - Linux
  • new: Python Base64 Encoded Inline Command Execution - Windows
  • new: RedSun - Conhost.exe Spawned by TieringEngineService.exe
  • new: RedSun - Named Pipe Created
  • new: RedSun - TieringEngineService.exe Detected as EICAR Test File
  • new: RedSun - TieringEngineService.exe Staged in RS-Prefixed Temp Dir
  • new: Script Interpreter Spawning Credential Scanner - Linux
  • new: Script Interpreter Spawning Credential Scanner - Windows
  • new: Sensitive File Dump Via Print.EXE
  • new: Service Startup Type Change Via Wmic.EXE
  • new: Shai-Hulud 2.0 Malicious NPM Package Installation
  • new: Shai-Hulud 2.0 Malicious NPM Package Installation - Linux
  • new: Shai-Hulud Malicious Bun Execution
  • new: Shai-Hulud Malicious Bun Execution - Linux
  • new: Shai-Hulud Malware Indicators - Linux
  • new: Shai-Hulud Malware Indicators - Windows
  • new: Suspicious Child Process of Notepad++ Updater - GUP.Exe
  • new: Suspicious Child Process of SolarWinds WebHelpDesk
  • new: Suspicious Email Delivered In Microsoft 365
  • new: Suspicious Login Activity Classified By Google
  • new: System Language Discovery via Reg.Exe
  • new: System Restore Registry Modification via CommandLine
  • new: TeamPCP LiteLLM Supply Chain Attack Persistence Indicators
  • new: Uncommon File Created by Notepad++ Updater Gup.EXE
  • new: Windows EventLog Autologger Session Registry Modification Via CommandLine
  • new: msDS-ManagedAccountPrecededByLink Attribute Modified

Updated Rules

  • update: BPFDoor Abnormal Process ID or Lock File Accessed - add new file paths from Rapid7 research to increase coverage
  • update: Csc.EXE Execution Form Potentially Suspicious Parent - Update regex to use a non-capturing group
  • update: Delete Important Scheduled Task - Add OFN and remove unecessary string binding for increased coverage.
  • update: Disable Important Scheduled Task - Add OFN and remove unecessary string binding for increased coverage.
  • update: Dynamic .NET Compilation Via Csc.EXE - Update regex to use a non-capturing group
  • update: Files With System Process Name In Unsuspected Locations - Add fsquirt.exe entry
  • update: Github Delete Action Invoked - Rename action from 'codespaces.delete' to 'codespaces.destroy'
  • update: Important Scheduled Task Deleted or Disabled - Add EventID 142.
  • update: Invoke-Obfuscation Obfuscated IEX Invocation - Update regex to use a non-capturing group
  • update: Invoke-Obfuscation Via Stdin - Update regex to use a non-capturing group
  • update: Invoke-Obfuscation Via Use Clip - Update regex to use a non-capturing group
  • update: LSA PPL Protection Setting Modification via CommandLine - Add more keys regarding LSA PPL
  • update: New Cron File Created - Enhance coverage and update metadata
  • update: New Okta User Created - Update field name to use CamleCase
  • update: Obfuscated IP Download Activity - Update regex to use a non-capturing group
  • update: Obfuscated IP Via CLI - Update regex to use a non-capturing group
  • update: Okta 2023 Breach Indicator Of Compromise - Update field name to use CamleCase
  • update: Okta API Token Created - Update field name to use CamleCase
  • update: Okta API Token Revoked - Update field name to use CamleCase
  • update: Okta Admin Role Assigned to an User or Group - Update field name to use CamleCase
  • update: Okta Admin Role Assignment Created - Update field name to use CamleCase
  • update: Okta Application Modified or Deleted - Update field name to use CamleCase
  • update: Okta Application Sign-On Policy Modified or Deleted - Update field name to use CamleCase
  • update: Okta FastPass Phishing Detection - Update field name to use CamleCase
  • update: Okta Identity Provider Created - Update field name to use CamleCase
  • update: Okta MFA Reset or Deactivated - Update field name to use CamleCase
  • update: Okta Network Zone Deactivated or Deleted - Update field name to use CamleCase
  • update: Okta New Admin Console Behaviours - Update field name to use CamleCase
  • update: Okta Policy Modified or Deleted - Update field name to use CamleCase
  • update: Okta Policy Rule Modified or Deleted - Update field name to use CamleCase
  • update: Okta Security Threat Detected - Update field name to use CamleCase
  • update: Okta Suspicious Activity Reported by End-user - Update field name to use CamleCase
  • update: Okta Unauthorized Access to App - Update field name to use CamleCase
  • update: Okta User Account Locked Out - Update field name to use CamleCase
  • update: Okta User Session Start Via An Anonymising Proxy Service - Update field name to use CamleCase
  • update: Potential AutoLogger Sessions Tampering - Update the value to an accurate one
  • update: Potential Defense Evasion Via Rename Of Highly Relevant Binaries - add finger.exe
  • update: Potential Defense Evasion Via Right-to-Left Override - Add real rtlo char copied/pasted
  • update: Potential Dropper Script Execution Via WScript/CScript/MSHTA - Add additional file path and extension for coverage and enhance metadata
  • update: Potential File Extension Spoofing Using Right-to-Left Override - Add real rtlo char copied/pasted
  • update: Potential Okta Password in AlternateID Field - Update field name to use CamleCase
  • update: Potential Rundll32 Execution With DLL Stored In ADS - Update regex to use a non-capturing group
  • update: Potentially Suspicious Powershell Script Execution From Temp Folder - Reduce level to medium and enhance metadata
  • update: PowerShell Download Via Net.WebClient - PowerShell Classic - Reduce level to "low" and update metadata
  • update: Powershell Token Obfuscation - Process Creation - Update regex to use a non-capturing group
  • update: Script Interpreter Execution From Suspicious Folder - Add additional file path for coverage and enhance metadata
  • update: Service Reconnaissance Via Wmic.EXE - Add filters to exclude out legitimate service manipulation cases.
  • update: Shai-Hulud Malicious GitHub Workflow Creation - Add new entries to the list to increase coverage
  • update: Shell Invocation via Env Command - Linux - Switch modifier to use contains instead of endswith for better accuracy
  • update: Suspicious Copy From or To System Directory - Update regex to use a non-capturing group
  • update: Suspicious Creation TXT File in User Desktop - Move to a TH rule
  • update: System Control Panel Item Loaded From Uncommon Location - Add entries for bthprops.cpl and hdwwiz.cpl
  • update: System File Execution Location Anomaly - Add fsquirt.exe entry
  • update: System File Execution Location Anomaly - add finger.exe
  • update: Uncommon Svchost Command Line Parameter - Update regex to use a non-capturing group
  • update: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript - Add entry for .wsh files
  • update: WScript or CScript Dropper - File - Enhance coverage with multiple file paths and extesnions
  • update: WerFaultSecure Loading DbgCore or DbgHelp - EDR-Freeze - change it into hunting rule

Removed / Deprecated Rules

  • remove: Suspicious PowerShell Mailbox SMTP Forward Rule

Fixed Rules

  • fix: BITS Transfer Job With Uncommon Or Suspicious Remote TLD - Add filter entry for "tscdn.m365.static.microsoft"
  • fix: BloodHound Collection Files - Remove entry _domains.json due to FP rate.
  • fix: Chmod Targeting Sensitive Directories - enhance metadata and add multipel filters for legit use cases
  • fix: CodeIntegrity - Unmet Signing Level Requirements By File Under Validation - Add filter entry for MS office path
  • fix: Disable Or Stop Services - Add new filters for legitimate service stoppoing via systemctl for snapd, asw and others
  • fix: HackTool - WSASS Execution - update regex to avoid mismatching on legitimate cli
  • fix: Linux Logs Clearing Attempts - Add new filters for sysstat and dmesg legitimate command deletion
  • fix: Non Interactive PowerShell Process Spawned - Add filter entry for "SenseIR.exe"
  • fix: Non-Standard Nsswitch.Conf Creation - Potential CVE-2025-32463 Exploitation - Add additional path for nsswitch /usr/share/factory/etc/nsswitch.conf
  • fix: Notepad++ Updater DNS Query to Uncommon Domains - filter uncommon domain
  • fix: Office Autorun Keys Modification - Add filters for shortened paths using tilda
  • fix: Persistence Via Sudoers.d Files - Add filter for dpkg writing README
  • fix: Potential Privileged System Service Operation - SeLoadDriverPrivilege - Add new filter for ShellHost.exe and SystemSettings.exe
  • fix: Potential Suspicious Change To Sensitive/Critical Files - Add filters for /^* and s/^ usage with sed
  • fix: Registry Tampering by Potentially Suspicious Processes - add filter for legitimate wscript.exe registry modifications
  • fix: Script Interpreter Execution From Suspicious Folder - Add filters for chocolatey
  • fix: Security Support Provider (SSP) Added to LSA Configuration - Add filter for null image field
  • fix: Suspicious Double Extension Files - Add a new filter /usr/share/icons/
  • fix: Suspicious Loading of Dbgcore/Dbghelp DLLs from Uncommon Location - remove troublesome locations commonly used by installers
  • fix: Suspicious Msiexec Execute Arbitrary DLL - Make the filter more generic due to the amount of FPs.
  • fix: Suspicious Script Execution From Temp Folder - Add filter for chocolatey
  • fix: Uncommon File Created by Notepad++ Updater Gup.EXE - filter gup legitimate filter
  • fix: ffice Macro File Creation - Exclude office binaries

Acknowledgement

Thanks to @Axel-NTT, @CheraghiMilad, @CHIRAG-DAMANI-08, @davidljohnson, @djlukic, @EzLucky, @FlorianBracq, @frack113, @HueCodes, @Luke57, @marcopedrinazzi, @marius-benthin, @mostafa, @nasbench, @Neo23x0, @netikus, @phantinuss, @Sanskar-bot, @Securityinbits, @st0pp3r, @swachchhanda000, @tsale, @uniqu3-us3r, @zendannyy, @Zirbo for their contribution to this release

Which Sigma rule package should I use?

A detailed explanation can be found in the Releases.md file. If you are new to Sigma, we recommend starting with the "Core" ruleset.

The latest release package on GitHub can always be found here.

Check out latest releases or
releases around SigmaHQ/sigma r2026-04-01

Don't miss a new sigma release

NewReleases is sending notifications on new releases.

Get notifications