github SigmaHQ/sigma r2026-07-01
Release r2026-07-01

5 hours ago

New Rules

  • new: Antivirus - APT Malware Signature
  • new: Antivirus - Remote Access Tools Signature
  • new: AppLocker Application Would Have Been Blocked
  • new: Authencesn Crypto Module Load via Modprobe - Copy-Fail Indicator
  • new: Curl File Upload To File Sharing Websites
  • new: Failed Event Log Clear Via WMI NTEventLogFile ClearEventLog
  • new: LSASS Crash Via Netlogon Stack Buffer Overflow - CVE-2026-41089
  • new: Linux AF_ALG Socket Creation - Kernel Crypto API Exploit Indicator
  • new: NTLM Hash Leak Via Curl NTLM Authentication
  • new: New Agent Skills Installation Attempt Via Node.EXE
  • new: Process Execution from Shared Memory Directory
  • new: RedTail Cryptominer User-Agent
  • new: Registry Enumeration via WMI Stdregprov
  • new: Signed DLL Loaded With Missing PE Version Metadata
  • new: TanStack Supply-Chain Attack DNS Indicators
  • new: TanStack Supply-Chain Attack Execution Indicators - Linux
  • new: TanStack Supply-Chain Attack Execution Indicators - Windows
  • new: TanStack Supply-Chain Attack File Creation Indicators - Linux
  • new: TanStack Supply-Chain Attack File Creation Indicators - Windows
  • new: Windows Defender Disabled Via SystemSettingsAdminFlows.EXE

Updated Rules

  • update: 7Zip Compressing Dump Files - Add missing 7zr.exe OriginalFileName entries
  • update: Amsi.DLL Load By Uncommon Process - add ARM64 (*64a.exe) variant
  • update: Antivirus - Exploitation Framework Signature - add multiple new strings
  • update: Antivirus - Hacktool Signature - add multiple new strings
  • update: Antivirus - Password Dumper Signature - add multiple new strings
  • update: Antivirus - Ransomware Signature - add multiple new strings
  • update: Antivirus - Relevant File Paths Alerts Signature - change to new style title
  • update: Antivirus - Web Shell Detection Signature - change to new style title
  • update: Application Termination Attempt Via Wmic.EXE - rename, expand description
  • update: BITS Transfer Job Download From File Sharing Domains - add more file sharing domains
  • update: Compress Data and Lock With Password for Exfiltration With 7-ZIP - Add missing 7zr.exe OriginalFileName entries
  • update: CredUI.DLL Loaded By Uncommon Process - add ARM64 (*64a.exe) variant
  • update: HackTool - SysmonEnte Execution - add ARM64 (*64a.exe) variant
  • update: Legitimate Application Dropped Executable - add .pyc, .jar extensions
  • update: Legitimate Application Dropped Script - add various scripts extensions
  • update: Local System Accounts Discovery - MacOs - Re-work logic to enhance coverage and fix incorrect assumptions
  • update: Network Communication Initiated To File Sharing Domains From Process Located In Suspicious Folder - add more file sharing domains
  • update: Network Connection Initiated From Process Located In Potentially Suspicious Or Uncommon Location - add more file sharing domains
  • update: New Connection Initiated To Potential Dead Drop Resolver Domain - add more file sharing domains
  • update: NewActiveScriptEventConsumer Creation Attempt Via Wmic.EXE - rename, expand description, add OriginalFileName to detection
  • update: Password Protected Compressed File Extraction Via 7Zip - Add missing 7zr.exe OriginalFileName entries
  • update: Permission Check Via Accesschk.EXE - add ARM64 (*64a.exe) variant
  • update: Potential Credential Dumping Activity Via LSASS - add ARM64 (*64a.exe) variant
  • update: Potential Defense Evasion Via Binary Rename - Add missing 7zr.exe OriginalFileName entries
  • update: Potential Defense Evasion Via Rename Of Highly Relevant Binaries - add ARM64 (*64a.exe) variant
  • update: Potential Privileged System Service Operation - SeLoadDriverPrivilege - add ARM64 (*64a.exe) variant
  • update: Potential Process Reconnaissance Via Wmic.EXE - rename, expand description, add discovery tags, add terminate filter
  • update: Potential WinAPI Calls Via PowerShell Scripts - add local shellcode injection patterns
  • update: Potentially Suspicious AccessMask Requested From LSASS - add ARM64 (*64a.exe) variant
  • update: Potentially Suspicious File Download From File Sharing Domain Via PowerShell.EXE - add more file sharing domains
  • update: Potentially Suspicious GrantedAccess Flags On LSASS - add ARM64 (*64a.exe) variant
  • update: Procdump Execution - add ARM64 (*64a.exe) variant
  • update: Process Creation Attempt Via Wmic.EXE - rename, expand description
  • update: Process Explorer Driver Creation By Non-Sysinternals Binary - add ARM64 (*64a.exe) variant
  • update: Process Monitor Driver Creation By Non-Sysinternals Binary - add ARM64 (*64a.exe) variant
  • update: Registry Manipulation via WMI Stdregprov - expand description, scope detection to write methods, add related reference
  • update: Renamed ProcDump Execution - add ARM64 (*64a.exe) variant
  • update: Renamed Sysinternals Sdelete Execution - add ARM64 (*64a.exe) variant
  • update: Suspicious Download From File-Sharing Website Via Bitsadmin - add more file sharing domains
  • update: Suspicious Execution Of Renamed Sysinternals Tools - Registry - add ARM64 (*64a.exe) variant
  • update: Suspicious File Download From File Sharing Domain Via Curl.EXE - add more file sharing domains
  • update: Suspicious File Download From File Sharing Domain Via Wget.EXE - add more file sharing domains
  • update: Suspicious File Download From File Sharing Websites - File Stream - add more file sharing domains
  • update: Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE - add more file sharing domains
  • update: Suspicious PROCEXP152.sys File Created In TMP - add ARM64 (*64a.exe) variant
  • update: Suspicious Remote AppX Package Locations - add more file sharing domains
  • update: Suspicious Service Installed - add ARM64 (*64a.exe) variant
  • update: Suspicious Start-Process PassThru - Added the alias saps for increased coverage
  • update: Suspicious Use of PsLogList - add ARM64 (*64a.exe) variant
  • update: Suspicious User-Agents Related To Recon Tools - add additional default user-agents for multiple recon utilities
  • update: Sysinternals PsService Execution - add ARM64 (*64a.exe) variant
  • update: Sysinternals PsSuspend Execution - add ARM64 (*64a.exe) variant
  • update: Sysinternals PsSuspend Suspicious Execution - add ARM64 (*64a.exe) variant
  • update: Sysmon Configuration Update - add ARM64 (*64a.exe) variant
  • update: System File Execution Location Anomaly - add wmic.exe for increased coverage
  • update: Uninstall Sysinternals Sysmon - add ARM64 (*64a.exe) variant
  • update: Unusual File Download From File Sharing Websites - File Stream - add more file sharing domains
  • update: Usage of Renamed Sysinternals Tools - RegistrySet - add ARM64 (*64a.exe) variant
  • update: Vim GTFOBin Abuse - Linux - Increase coverage and enhance logic
  • update: WMI Module Loaded By Uncommon Process - add ARM64 (*64a.exe) variant
  • update: WMI Persistence - Script Event Consumer - expand description, add reference

Fixed Rules

  • fix: Azure Application Deleted - add refs and align fields to Event Hub format
  • fix: Azure Device No Longer Managed or Compliant - add refs and align fields to Event Hub format
  • fix: Azure Owner Removed From Application or Service Principal - add refs and align fields to Event Hub format
  • fix: Azure Service Principal Created - add refs and align fields to Event Hub format
  • fix: Azure Service Principal Removed - add refs and align fields to Event Hub format
  • fix: Clipboard Access Via OSAScript - Filter OpenCode and update metadata
  • fix: Cmd.EXE Missing Space Characters Execution Anomaly - add filter for empty cmd /c argument
  • fix: CobaltStrike Named Pipe Pattern Regex - Tightened regular expression
  • fix: Creation of WerFault.exe/Wer.dll in Unusual Folder - filter wualtcore
  • fix: Disabled MFA to Bypass Authentication Mechanisms - add refs and align fields to Event Hub format
  • fix: Execution Of Non-Existing File - add vmmemWSL exception
  • fix: File And SubFolder Enumeration Via Dir Command - fix mismatch with rmdir
  • fix: MacOS Scripting Interpreter AppleScript - Add filter for OpenCode
  • fix: Potential Product Reconnaissance Via Wmic.EXE - filter csproduct
  • fix: Potential Vcruntime140 DLL Sideloading - filter OneDrive
  • fix: Potentially Suspicious WDAC Policy File Creation - filter new path of wuaucltcore
  • fix: Process Reconnaissance Via Wmic.EXE- filter usage of 'call terminate'
  • fix: Service Reconnaissance Via Wmic.EXE - filter stopservice and startservice
  • fix: Suspicious Eventlog Clearing or Configuration Change Activity - Fix parentheses in condition
  • fix: Suspicious Volume Shadow Copy Vssapi.dll Load - filter winre path
  • fix: UFW Disable Attempt - Fix broken ufw-init detection and broaden UFW disable coverage
  • fix: User Added to an Administrator's Azure AD Role - add refs and align fields to Event Hub format

Acknowledgement

Thanks to @ahu-exeon, @AJ-Jeffreys, @CHIRAG-DAMANI-08, @eeee2345, @einlamye, @eriknordstrm, @EzLucky, @frack113, @fukusuket, @gkazimiarovich, @heyyanu, @kurisukun, @leogasparini, @marcopedrinazzi, @munzzyy, @nasbench, @Neo23x0, @norbert791, @Nullbyte0x, @PachkaKofe04, @phantinuss, @potato-20, @ruppde, @srkyn, @stanlee786, @swachchhanda000, @uniqu3-us3r, @vl43den, @X-Junior, @ywahl, @zendannyy for their contribution to this release

Which Sigma rule package should I use?

A detailed explanation can be found in the Releases.md file. If you are new to Sigma, we recommend starting with the "Core" ruleset.

The latest release package on GitHub can always be found here.

Don't miss a new sigma release

NewReleases is sending notifications on new releases.