Releases: SigmaHQ/sigma
Release r2024-01-29
New Rules
- new: CodePage Modification Via MODE.COM
- new: CodePage Modification Via MODE.COM To Russian Language
- new: HackTool - EDRSilencer Execution - Filter Added
- new: HackTool - SharpMove Tool Execution
- new: Pikabot Fake DLL Extension Execution Via Rundll32.EXE
- new: Rare Remote Thread Creation By Uncommon Source Image - A split of 66d31e5f-52d6-40a4-9615-002d3789a119
- new: Unsigned DLL Loaded by RunDLL32/RegSvr32
Updated Rules
- update: All Rules Have Been Deleted From The Windows Firewall Configuration - Remove program files filter to increase coverage, as deleting rules shouldn't be a "normal" behavior.
- update: CVE-2023-38331 Exploitation Attempt - Suspicious WinRAR Child Process - Increase coverage
- update: CreateRemoteThread API and LoadLibrary - Reduce level to medium and convert to a TH rule
- update: Critical Hive In Suspicious Location Access Bits Cleared - Enhance metadata and logic
- update: Malicious PowerShell Commandlets - PoshModule - "Start-Dnscat2"
- update: Malicious PowerShell Commandlets - ProcessCreation - "Start-Dnscat2"
- update: Malicious PowerShell Commandlets - ScriptBlock - "Start-Dnscat2"
- update: Malicious PowerShell Scripts - FileCreation - Add "dnscat2.ps1"
- update: Malicious PowerShell Scripts - PoshModule - Add "dnscat2.ps1"
- update: Monitoring For Persistence Via BITS - Use "Image" and "OriginalFileName" fields instead of CLI only
- update: Network Communication With Crypto Mining Pool - new domains from miningocean.org
- update: New Firewall Rule Added In Windows Firewall Exception List For Potential Suspicious Application - Add additional paths to increase coverage
- update: New Process Created Via Taskmgr.EXE - Added full paths to the filtered binaries to decrease false negatives
- update: New or Renamed User Account with '$' Character - Reduced level to "medium"
- update: Potential Dropper Script Execution Via WScript/CScript - Rewrote the logic by removing the paths "C:\Users" and "C:\ProgramData", as these are very common and would generate a high FP rate. Instead switched to a more robust list of paths and extended the list of covered extensions. Also reduced the level to "medium"
- update: Potential Fake Instance Of Hxtsr.EXE Executed - Remove "C:" prefix from detection logic
- update: Potential Pikabot C2 Activity - Added "searchfilterhost.exe"
- update: Potential Pikabot Discovery Activity - Added "SearchProtocolHost.exe" and "SearchFilterHost.exe"
- update: Potential Pikabot Hollowing Activity - Added "searchfilterhost"
- update: Powershell Install a DLL in System Directory - enhance rule context in big script blocks
- update: Prefetch File Deleted - Update selection to remove 'C:' prefix
- update: Remote Thread Creation By Uncommon Source Image - Reduced level to medium and move high indicators to 02d1d718-dd13-41af-989d-ea85c7fab93f
- update: Rundll32 Execution With Uncommon DLL Extension - Enhanced FP filters
- update: Sensitive File Access Via Volume Shadow Copy Backup - Made the rule more generic by updating the title and removing the IOC from conti. (will be added in a dedicated rule)
- update: Shell Process Spawned by Java.EXE - Add "bash.exe"
- update: Suspicious PowerShell Download - Powershell Script - Add "DownloadFileAsync" and "DownloadStringAsync" functions
- update: Suspicious Processes Spawned by Java.EXE - Remove "bash.exe" as it doesn't fit the logic
- update: Sysmon Application Crashed - Add 32bit version of sysmon binary
- update: Tap Driver Installation - Security - Reduce level to "low"
- update: Write Protect For Storage Disabled - Remove "storagedevicepolicies" as the string "storage" already covers it
Removed / Deprecated Rules
- remove: Dnscat Execution - Deprecated in favour of an integration in the "Malicious PowerShell Cmdlet" type of rules
- remove: SAM Dump to AppData
Fixed Rules
- fix: CobaltStrike Named Pipe Patterns - Add Websense named pipe filter
- fix: EventLog Query Requests By Builtin Utilities - Typo in wmic process name
- fix: Firewall Rule Modified In The Windows Firewall Exception List - new optional filter Brave browser
- fix: Kerberos Manipulation - Update field to use Status instead of incorrect "FailureCode"
- fix: Metasploit SMB Authentication - Remove unnecessary field
- fix: Outbound RDP Connections Over Non-Standard Tools - new FP filter for RAS TSplus
- fix: PowerShell Core DLL Loaded By Non PowerShell Process - new optional filter for chocolatey
- fix: Remote Thread Creation In Mstsc.Exe From Suspicious Location - Fix a broken path string
- fix: Remote Thread Creation In Uncommon Target Image - Reduce level to medium and remove explorer as target due to FP rates.
- fix: Service Installation in Suspicious Folder - Update FP filter
- fix: Uncommon New Firewall Rule Added In Windows Firewall Exception List - Fix the filters to be more generic
Acknowledgement
Thanks to @CrimpSec, @frack113, @jstnk9, @nasbench, @phantinuss, @qasimqlf, @slincoln-aiq, @swachchhanda000, @t-pol, @tr0mb1r, @xiangchen96 for their contribution to this release
Which Sigma rule package should I use?
A detailed explanation can be found in the Releases.md file. If you are new to Sigma, we recommend starting with the "Core" ruleset.
The latest release package on GitHub can always be found here.
Release r2024-01-15
New Rules
- new: Binary Proxy Execution Via Dotnet-Trace.EXE
- new: Forfiles.EXE Child Process Masquerading
- new: GCP Access Policy Deleted
- new: GCP Break-glass Container Workload Deployed
- new: Google Workspace Application Access Levels Modified
- new: HackTool - EDRSilencer Execution
- new: HackTool - NoFilter Execution
- new: PUA - PingCastle Execution
- new: PUA - PingCastle Execution From Potentially Suspicious Parent
- new: Peach Sandstorm APT Process Activity Indicators
- new: Potential Peach Sandstorm APT C2 Communication Activity
- new: Potential Persistence Via AppCompat RegisterAppRestart Layer
- new: Potential Pikabot Infection - Suspicious Command Combinations Via Cmd.EXE
- new: Renamed PingCastle Binary Execution
- new: System Control Panel Item Loaded From Uncommon Location
- new: System Information Discovery Using System_Profiler
- new: System Integrity Protection (SIP) Disabled
- new: System Integrity Protection (SIP) Enumeration
- new: Windows Filtering Platform Blocked Connection From EDR Agent Binary
Updated Rules
- update: Creation Of Non-Existent System DLL - Remove the drive anchor and the System32 filter. The reason is that an attacker can copy the file elsewhere and then use a system utility such as copy or xcopy located in the System32 folder to create it again, which would bypass the rule.
- update: Findstr Launching .lnk File - Increase coverage by adding cases where the commandline ends with a double or a single quote.
- update: Forfiles Command Execution - Remove unnecessary selection and enhance metadata information
- update: Hacktool Execution - Imphash - Add additional imphash values to increase coverage
- update: Hacktool Named File Stream Created - Added new Imphash values for EDRSandBlast, EDRSilencer and Forensia utilities.
- update: Hypervisor Enforced Code Integrity Disabled - Add additional path for the HVCI config
- update: Potential DLL Sideloading Of Non-Existent DLLs From System Folders - Add SignatureStatus in the filter to exclude only valid signatures and decrease bypass.
- update: Potential Persistence Via MyComputer Registry Keys - Remove SOFTWARE registry key anchor to increase coverage for WOW6432Node cases
- update: Potential System DLL Sideloading From Non System Locations - Add iernonce.dll
- update: Potential System DLL Sideloading From Non System Locations - Remove the drive anchor from the filter to catch cases where the system is installed on a non-default (non-C:) drive
- update: Powershell Defender Disable Scan Feature - Add additional PowerShell MpPreference Cmdlets
- update: Remote PowerShell Session (PS Classic) - Reduce level to low
- update: Screen Capture Activity Via Psr.EXE - Add -start commandline variation
- update: System Information Discovery Using Ioreg - enhanced coverage with additional flags and cli options
- update: Tamper Windows Defender - PSClassic - Add additional PowerShell MpPreference Cmdlets
- update: Tamper Windows Defender - ScriptBlockLogging - Add additional PowerShell MpPreference Cmdlets
- update: Uncommon Extension Shim Database Installation Via Sdbinst.EXE - Add additional commandline flag that might trigger FPs
Removed / Deprecated Rules
- remove: Svchost DLL Search Order Hijack - Deprecated in favor of the rule 6b98b92b-4f00-4f62-b4fe-4d1920215771. The reason is that for legitimate cases where the DLL is still present we can't filter out anything. We assume that the loading is done by an unsigned or invalidly signed DLL, which will catch most cases. In case the attacker had the option to sign the DLL with a valid signature, they can bypass the rule.
Fixed Rules
- fix: Enable LM Hash Storage - ProcCreation - Removed trailing slash from registry path
- fix: Potentially Suspicious EventLog Recon Activity Using Log Query Utilities - Fix typo in WMIC image name
- fix: Suspicious Greedy Compression Using Rar.EXE - Fix error in path selection
- fix: Suspicious Redirection to Local Admin Share - Add missing CommandLine field selection
- fix: System Information Discovery Via Wmic.EXE - Move to threat hunting and add additional filter to reduce noise coming from VMware Tools
Acknowledgement
Thanks to @ahouspan, @bohops, @danielgottt, @frack113, @joshnck, @jstnk9, @meiliumeiliu, @MrSeccubus, @nasbench, @Neo23x0, @phantinuss, @qasimqlf, @slincoln-aiq, @st0pp3r, @tr0mb1r, @Tuutaans, @X-Junior, @zestsg for their contribution to this release
Which Sigma rule package should I use?
A detailed explanation can be found in the Releases.md file. If you are new to Sigma, we recommend starting with the "Core" ruleset.
The latest release package on GitHub can always be found here.
Release r2023-12-21
New Rules
- new: Access To Potentially Sensitive Sysvol Files By Uncommon Application
- new: Access To Sysvol Policies Share By Uncommon Process
- new: Cloudflared Portable Execution
- new: Cloudflared Quick Tunnel Execution
- new: Cloudflared Tunnels Related DNS Requests
- new: Communication To Uncommon Destination Ports
- new: Compressed File Creation Via Tar.EXE
- new: Compressed File Extraction Via Tar.EXE
- new: DLL Names Used By SVR For GraphicalProton Backdoor
- new: Enable LM Hash Storage
- new: Enable LM Hash Storage - ProcCreation
- new: Potential Base64 Decoded From Images
- new: Potentially Suspicious Desktop Background Change Using Reg.EXE
- new: Potentially Suspicious Desktop Background Change Via Registry
- new: Potentially Suspicious Execution Of Regasm/Regsvcs With Uncommon Extension
- new: Renamed Cloudflared.EXE Execution
- new: Scheduled Tasks Names Used By SVR For GraphicalProton Backdoor
- new: Scheduled Tasks Names Used By SVR For GraphicalProton Backdoor - Task Scheduler
- new: System Information Discovery Using Ioreg
- new: System Information Discovery Using sw_vers
- new: System Information Discovery Via Wmic.EXE
Updated Rules
- update: ADFS Database Named Pipe Connection By Uncommon Tool - Enhance coverage by improving paths selection
- update: Access To Browser Credential Files By Uncommon Application - Increase level to medium and enhance filters and selections
- update: Account Created And Deleted By Non Approved Users - Add missing expand modifier
- update: Add Potential Suspicious New Download Source To Winget - Reduce level to medium
- update: Authentication Occuring Outside Normal Business Hours - Add missing expand modifier
- update: Cloudflared Tunnel Connections Cleanup - Enhanced CLI flag selection to remove the unnecessary double dash
- update: Cloudflared Tunnel Execution - Enhanced CLI flag selection to remove the unnecessary double dash
- update: CodeIntegrity - Unmet Signing Level Requirements By File Under Validation - Reduce level to low
- update: Compress-Archive Cmdlet Execution - Reduced level to low and moved to Threat Hunting folder.
- update: Copy From Or To Admin Share Or Sysvol Folder - Enhance selection to be more accurate
- update: Disabled Volume Snapshots - Update logic by removing the reg string to also account for potential renamed executions
- update: Eventlog Cleared - Update FP filter to remove "Application" log and increase coverage
- update: Failed Code Integrity Checks - Reduce level to informational
- update: Folder Compress To Potentially Suspicious Output Via Compress-Archive Cmdlet - Update logic to be more specific
- update: HH.EXE Execution - Reduce level to low
- update: Interactive Logon to Server Systems - Add missing expand modifier
- update: Locked Workstation - Reduce level to informational
- update: Malicious Driver Load By Name - Increase coverage based on LOLDrivers data
- update: Malware User Agent
- update: Meterpreter or Cobalt Strike Getsystem Service Installation - Security - Reduce level to high and restructure selections
- update: Meterpreter or Cobalt Strike Getsystem Service Installation - System - Reduce level to high and restructure selections
- update: PUA - Nmap/Zenmap Execution - Reduce level to medium
- update: PUA - Process Hacker Execution - Reduce level to medium
- update: PUA - Radmin Viewer Utility Execution - Reduce level to medium
- update: Potential Credential Dumping Activity Via LSASS - Reduce level to medium and comment out noisy access masks
- update: Potential Pass the Hash Activity - Add missing expand modifier
- update: Potential PowerShell Execution Policy Tampering - Remove "RemoteSigned" as it doesn't fit with the current logic
- update: Potential Recon Activity Via Nltest.EXE - Add dnsgetdc coverage and enhance logic by removing /
- update: Potential System DLL Sideloading From Non System Locations - Enhance logic by removing hardcoded C: value to account for other potential system locations
- update: Potential Zerologon (CVE-2020-1472) Exploitation - Add missing expand modifier
- update: Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location - Reduce level to medium and update logic
- update: Potentially Suspicious Malware Callback Communication - Increase coverage by adding new additional ports
- update: PowerShell Execution With Potential Decryption Capabilities
- update: Privilege Role Elevation Not Occuring on SAW or PAW - Add missing expand modifier
- update: Privilege Role Sign-In Outside Expected Controls - Add missing expand modifier
- update: Privilege Role Sign-In Outside Of Normal Hours - Add missing expand modifier
- update: Remote Registry Management Using Reg Utility - Add missing expand modifier
- update: RestrictedAdminMode Registry Value Tampering - ProcCreation - Update the logic to not care about the data, as this registry value has legitimate use cases whether it is "0" or "1"
- update: RestrictedAdminMode Registry Value Tampering - Update the logic to not care about the data, as this registry value has legitimate use cases whether it is "0" or "1"
- update: Rundll32 Execution With Uncommon DLL Extension - Enhance DLL extension list
- update: SASS Access From Non System Account - Reduce level to medium and enhance false positive filters
- update: Suspicious Executable File Creation - Enhance coverage by removing hardcoded "C:"
- update: Suspicious Program Location with Network Connections - Increase accuracy by enhancing the selection to focus on the start of the folder and partition
- update: Suspicious Schtasks From Env Var Folder - Reduce level to medium
- update: Suspicious Shim Database Patching Activity - Add new processes to increase coverage
- update: Uncommon Extension Shim Database Installation Via Sdbinst.EXE - Reduce level to medium
- update: Uncommon System Information Discovery Via Wmic.EXE - Updated logic to focus on more specific WMIC query sequence to increase the level and added a related rule to cover the missing gaps in d85ecdd7-b855-4e6e-af59-d9c78b5b861e
- update: WMI Event Consumer Created Named Pipe - Reduce level to medium
- update: Whoami Utility Execution - Reduce level to low
- update: Whoami.EXE Execution With Output Option - Reduce level to medium
- update: Windows Defender Malware Detection History Deletion - Reduce level to informational
- update: Write Protect For Storage Disabled - Update logic by removing the reg string to also account for potential renamed executions
- update: Zip A Folder With PowerShell For Staging In Temp - PowerShell - Update logic to be more specific
- update: Zip A Folder With PowerShell For Staging In Temp - PowerShell Module - Update logic to be more specific
- update: Zip A Folder With PowerShell For Staging In Temp - PowerShell Script - Update logic to be more specific
Removed / Deprecated Rules
- remove: Credential Dumping Tools Service Execution
- remove: New Service Uses Double Ampersand in Path
- remove: PowerShell Scripts Run by a Services
- remove: Powershell File and Directory Discovery
- remove: Security Event Log Cleared
- remove: Suspicious Get-WmiObject
- remove: Windows Defender Threat Detection Disabled
Fixed Rules
- fix: Access To Windows Credential History File By Uncommon Application - Enhance FP filters
- fix: Access To Windows DPAPI Master Keys By Uncommon Application - Enhance FP filters
- fix: Amsi.DLL Load By Uncommon Process - Moved to threat hunting folder and update false positive filters to remove hardcoded C:
- fix: Bad Opsec Defaults Sacrificial Processes With Improper Arguments - Typo in condition
- fix: Credential Manager Access By Uncommon Application - Enhance FP filters
- fix: Elevated System Shell Spawned From Uncommon Parent Location - Enhance FP filters
- fix: Execution of Suspicious File Type Extension - Add new extensions to reduce FP
- fix: HackTool - EfsPotato Named Pipe Creation - Add exclusion for pipe names starting with \pipe\
- fix: Important Windows Eventlog Cleared - Update selection to remove "Application" log as it was generating a lot of FP in some environments
- fix: Malicious PowerShell Commandlets - ScriptBlock - Remove some part of the selection due to FP matches as they were generic cmdlet names
- fix: PSScriptPolicyTest Creation By Uncommon Process - Add new filter for "sdiagnhost"
- fix: Potential Direct Syscall of NtOpenProcess - Add "Adobe" filter
- fix: Potential Shim Database Persistence via Sdbinst.EXE - Update FP filter for "iisexpressshim" sdb
- fix: Potentially Suspicious AccessMask Requested From LSASS - Add new FP filter for "procmon" process
- fix: PowerView PowerShell Cmdlets - ScriptBlock - Remove some part of the selection due to FP matches as they were generic cmdlet names
- fix: Relevant Anti-Virus Signature Keywords In Application Log - Update false positive filters
- fix: Remote Access Tool Services Have Been Installed - Security - Fix typo in field name
- fix: Suspicious Command Patterns In Scheduled Task Creation - Fix error in modifier usage
- fix: Suspicious File Creation Activity From Fake Recycle.Bin Folder - Remove RECYCLE.BIN\ as it was added as a typo and is a legitimate location.
- fix: Suspicious Office Outbound Connections - Enhanced the filter by adding new ports that cause FP with SMTP and IMAP communications
- fix: Suspicious SYSTEM User Process Creation - add additional filters to cover both program file folders for FP with Java process
- fix: Uncommon Child Process Of Conhost.EXE - Add new FP filters
- fix: Uncommon File Created In Office Startup Folder - Add new extension to filter out FP generated with MS Access databases
- fix: Uncommon PowerShell Hosts - Moved to threat hunting folder and updated false positive filter list
- fix: Unusual Parent Process For Cm...
Release r2023-12-04
New Rules
- new: CVE-2023-4966 Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Proxy
- new: CVE-2023-4966 Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Webserver
- new: CVE-2023-4966 Potential Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Proxy
- new: CVE-2023-4966 Potential Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Webserver
- new: Chromium Browser Instance Executed With Custom Extension
- new: Credential Dumping Activity By Python Based Tool
- new: Exploitation Attempt Of CVE-2023-46214 Using Public POC Code
- new: HackTool - Generic Process Access
- new: HackTool - WinPwn Execution
- new: HackTool - WinPwn Execution - ScriptBlock
- new: Invocation Of Crypto-Classes From The "Cryptography" PowerShell Namespace
- new: Load Of RstrtMgr DLL From Suspicious Process
- new: Load Of RstrtMgr.DLL By An Uncommon Process
- new: New Netsh Helper DLL Registered From A Suspicious Location
- new: Potential CVE-2023-46214 Exploitation Attempt
- new: Potential Linux Process Code Injection Via DD Utility
- new: Potential Persistence Via Netsh Helper DLL - Registry
- new: Registry Set With Crypto-Classes From The "Cryptography" PowerShell Namespace
- new: Suspicious Path In Keyboard Layout IME File Registry Value
- new: Uncommon Extension In Keyboard Layout IME File Registry Value
- new: Wusa.EXE Executed By Parent Process Located In Suspicious Location
Updated Rules
- update: Credential Dumping Activity Via Lsass - Update selection to increase coverage and filters to tune false positives
- update: Credential Dumping Attempt Via WerFault - Update title
- update: Enabling COR Profiler Environment Variables - Add additional values to increase coverage for potential COR CLR profiler abuse
- update: Exchange Exploitation Used by HAFNIUM - Add related ATT&CK group tag
- update: Function Call From Undocumented COM Interface EditionUpgradeManager - Reduce level to medium
- update: HackTool - CobaltStrike BOF Injection Pattern - Update title
- update: HackTool - HandleKatz Duplicating LSASS Handle - Update title
- update: HackTool - LittleCorporal Generated Maldoc Injection - Update title
- update: HackTool - SysmonEnte Execution - Add additional location of Sysmon, update title and filters
- update: HackTool - winPEAS Execution - Add additional image names for winPEAS
- update: LSASS Access From Potentially White-Listed Processes - Update title and description
- update: LSASS Access From Program In Potentially Suspicious Folder - Update filters to take into account drives other than C:
- update: LSASS Memory Access by Tool With Dump Keyword In Name - Update title and description
- update: Lsass Memory Dump via Comsvcs DLL - Reduce level and remove path from filter to account for any location of rundll32
- update: Malware Shellcode in Verclsid Target Process - Move to hunting folder
- update: Potential Credential Dumping Attempt Via PowerShell - Reduce level to medium, update description and move to hunting folder
- update: Potential Defense Evasion Via Raw Disk Access By Uncommon Tools - Update filters and metadata
- update: Potential Operation Triangulation C2 Beaconing Activity - DNS - Add related ATT&CK group tag
- update: Potential Persistence Via Netsh Helper DLL - Reduced severity and enhance metadata information
- update: Potential Process Hollowing Activity - Update FP filter
- update: Potential Shellcode Injection - Update title and enhance false positive filter
- update: Potentially Suspicious GrantedAccess Flags On LSASS -
- update: Remote LSASS Process Access Through Windows Remote Management - Update title, description and filter to account for installation other than C:
- update: Suspicious Chromium Browser Instance Executed With Custom Extension - Fix typo in the rule title and description
- update: Suspicious DNS Query for IP Lookup Service APIs - add several external IP lookup services to existing list
- update: Suspicious Network Connection to IP Lookup Service APIs - add several external IP lookup services to existing list
- update: Suspicious Svchost Process Access - Enhance filter to account for installation in non C: locations
- update: Uncommon GrantedAccess Flags On LSASS - Enhance false positive filter
- update: Wusa.EXE Extracting Cab Files From Suspicious Paths - Tune the list of paths to be less FP prone
Removed / Deprecated Rules
- remove: Credential Dumping Tools Accessing LSASS Memory
Fixed Rules
- fix: File or Folder Permissions Modifications - FPs with partial paths
- fix: Import New Module Via PowerShell CommandLine - Fix typo in condition
- fix: Mint Sandstorm - Log4J Wstomcat Process Execution - Add missing filter
- fix: Potential NT API Stub Patching - Tune FP filter
- fix: WMI Module Loaded By Non Uncommon Process - Fix typo in the rule filter
Acknowledgement
Thanks to @0x616c6578, @AaronHoffmannRL, @bohops, @EzLucky, @frack113, @himynamesdave, @joshnck, @nasbench, @netgrain, @phantinuss, @qasimqlf, @skaynum, @StevenD33, @swachchhanda000, @ts-lbf, @X-Junior for their contribution to this release
Which Sigma rule package should I use?
A detailed explanation can be found in the Releases.md file. If you are new to Sigma, we recommend starting with the "Core" ruleset.
The latest release package on GitHub can always be found here.
Release r2023-11-20
New Rules
- new: Arbitrary File Download Via IMEWDBLD.EXE
- new: Arbitrary File Download Via MSEDGE_PROXY.EXE
- new: Arbitrary File Download Via Squirrel.EXE - This is a split rule from "45239e6a-b035-4aaf-b339-8ad379fcb67e"
- new: CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Linux)
- new: CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Windows)
- new: CVE-2023-22518 Exploitation Attempt - Vulnerable Endpoint Connection (Proxy)
- new: CVE-2023-22518 Exploitation Attempt - Vulnerable Endpoint Connection (Webserver)
- new: CVE-2023-46747 Exploitation Activity - Proxy
- new: CVE-2023-46747 Exploitation Activity - Webserver
- new: DNS Query To Devtunnels Domain - Split rule based on b3e6418f-7c7a-4fad-993a-93b65027a9f1
- new: EventLog Query Requests By Builtin Utilities
- new: F5 BIG-IP iControl Rest API Command Execution - Proxy
- new: F5 BIG-IP iControl Rest API Command Execution - Webserver
- new: Insenstive Subfolder Search Via Findstr.EXE
- new: Lace Tempest Cobalt Strike Download
- new: Lace Tempest File Indicators
- new: Lace Tempest Malware Loader Execution
- new: Lace Tempest PowerShell Evidence Eraser
- new: Lace Tempest PowerShell Launcher
- new: Msxsl.EXE Execution
- new: Network Connection Initiated To DevTunnels Domain
- new: Network Connection Initiated To Visual Studio Code Tunnels Domain
- new: Potential Excel.EXE DCOM Lateral Movement Via ActivateMicrosoftApp
- new: Potential File Download Via MS-AppInstaller Protocol Handler
- new: Remote File Download Via Findstr.EXE
- new: Remote XSL Execution Via Msxsl.EXE
- new: Windows Defender Exclusion Deleted
- new: Windows Defender Exclusion List Modified
- new: Windows Defender Exclusion Reigstry Key - Write Access Requested
Updated Rules
- update: APT User Agent - adding user agent associated with PlugX backdoor.
- update: AppX Package Installation Attempts Via AppInstaller.EXE - Update description and title
- update: Arbitrary File Download Via MSOHTMED.EXE - Update title
- update: Arbitrary File Download Via PresentationHost.EXE - Update title
- update: Communication To Ngrok Domains - Additional ngrok domains
- update: DNS Query To Visual Studio Code Tunnels Domain - Update the rule to only focus on DNS requests from Vscode tunnels and move the logic of Devtunnels to another rule. To ease FP management for users that leverage one but not the other.
- update: Disable Internal Tools or Feature in Registry - Increase coverage by adding 2 new values, namely NoDispCPL and NoDispBackground
- update: EVTX Created In Uncommon Location - Enhance filters to cover other drives other than "C:"
- update: File Download And Execution Via IEExec.EXE - Update title and description
- update: File Download From Browser Process Via Inline URL - Enhance accuracy by using the "endswith" modifier and increase coverage by adding new extensions to the list
- update: File Download Using ProtocolHandler.exe - Update logic by removing the unnecessary "selection_cli_1"
- update: File Download Via InstallUtil.EXE - Update title and description
- update: File Download Via Windows Defender MpCmpRun.EXE - Update metadata information and add additional fields to the image selection
- update: Findstr GPP Passwords - Add "find.exe" binary to increase coverage
- update: Findstr Launching .lnk File - Add "find.exe" binary to increase coverage
- update: ISO Image Mounted - Update title and add new filter
- update: LSASS Process Reconnaissance Via Findstr.EXE - Add "find.exe" binary to increase coverage
- update: Network Connection Initiated By IMEWDBLD.EXE - Update description and title
- update: Non-DLL Extension File Renamed With DLL Extension - Update title and logic
- update: Office Application Startup - Office Test - Add missing contains modifier
- update: Permission Misconfiguration Reconnaissance Via Findstr.EXE - Add "find.exe" binary to increase coverage
- update: Potential AD User Enumeration From Non-Machine Account - Apply additional filters to only look for Access Masks with "READ PROPERTY" values
- update: Potential NT API Stub Patching - Enhance the selection coverage by removing the "C:" prefix to cover other installation possibilities
- update: Potentially Suspicious Electron Application CommandLine - Add "msedge_proxy.exe" to list of processes
- update: Potentially Suspicious EventLog Recon Activity Using Log Query Utilities - Enhanced logic from simply covering wevtutil to covering other tools and conditions.
- update: Potentially Suspicious Wuauclt Network Connection - Change the logic to use the "CommandLine" field in order to avoid false positives
- update: Process Proxy Execution Via Squirrel.EXE - Moved the logic that covers the "download" aspect into a new rule "1e75c1cc-c5d4-42aa-ac3d-91b0b68b3b4c"
- update: Proxy Execution Via Wuauclt.EXE - Update title and enhance filters
- update: Recon Command Output Piped To Findstr.EXE - Add "find.exe" binary to increase coverage
- update: Remote Thread Creation Via PowerShell - Update selection to use endswith modifier for better coverage
- update: Remote Thread Creation Via PowerShell In Potentially Suspicious Target - Update title and add a "regsvr32" as a new additional process to increase coverage
- update: Renamed Office Binary Execution - Add new binaries and filters to increase coverage and tune FPs
- update: Security Tools Keyword Lookup Via Findstr.EXE - Add "find.exe" binary to increase coverage
- update: Suspicious Appended Extension - Enhance list of extension
- update: Suspicious Calculator Usage - Update filter to remove the "C:" prefix, which increase coverage of other partitions
- update: Suspicious Processes Spawned by Java.EXE - Enhance process coverage by adding new processes and removing unrelated ones
- update: Suspicious Whoami.EXE Execution - Enhance the selection by using a * wildcard to account for the order and avoid FPs
- update: Sysmon Discovery Via Default Driver Altitude Using Findstr.EXE - Add "find.exe" binary to increase coverage
- update: Uncommon Child Process Of Appvlp.EXE - Update description, title and enhance false positives filters
- update: WMI Module Loaded By Non Uncommon Process - Enhance selection by making the System folders filter use a "contains" instead of an exact match
- update: Webshell Detection With Command Line Keywords - Enhance process coverage by adding new processes and removing unrelated ones
- update: XBAP Execution From Uncommon Locations Via PresentationHost.EXE - Update title and description
- update: XSL Script Execution Via WMIC.EXE - Removed the selection that covers "Msxsl" and moved it to a separate rule "9e50a8b3-dd05-4eb8-9153-bdb6b79d50b0"
- update: smbexec.py Service Installation - align with new smbexec release
Removed / Deprecated Rules
- remove: Abusing Findstr for Defense Evasion - Deprecated in favour of 2 split rules: 587254ee-a24b-4335-b3cd-065c0f1f4baa and 04936b66-3915-43ad-a8e5-809eadfd1141
- remove: Windows Update Client LOLBIN - Deprecate in favour of 52d097e2-063e-4c9c-8fbb-855c8948d135
Fixed Rules
- fix: Bad Opsec Defaults Sacrificial Processes With Improper Arguments - Add FP filter for chrome installer spawning rundll32 without arguments
- fix: Bad Opsec Defaults Sacrificial Processes With Improper Arguments - Enhance filter to account for an FP found with MS Edge
- fix: Execute Code with Pester.bat - Fix a non-escaped `?` wildcard
- fix: Files With System Process Name In Unsuspected Locations - Enhance filter to cover other folder variations for Windows Recovery
- fix: Portable Gpg.EXE Execution - Add new legitimate location for GnuPG
- fix: Remote Thread Creation By Uncommon Source Image - Enhance filters to avoid false positives
- fix: Rundll32 Execution Without DLL File - Remove the command line restriction because of numerous FPs
- fix: Suspicious Process By Web Server Process - Remove erroneous extra asterisk
- fix: Suspicious Shim Database Installation via Sdbinst.EXE - Add "null" and "empty" filters to account for cases where the CLI is null or empty
- fix: Suspicious WmiPrvSE Child Process - Add a filter for msiexec image used to install new MSI packages via WMI process
- fix: Uncommon Userinit Child Process - Add the Citrix process cmstart to the filtered processes and make the filter stricter to avoid abuse. Also enhance the other filters by removing the `C:` drive prefix.
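Several entries in this release (dropping the `C:` prefix from a filter so other drives are covered, switching a folder filter from an exact match to `contains`, switching a selection to `endswith`, and fixing a non-escaped `?` wildcard) all come down to how Sigma interprets wildcards and backslashes inside string values. The Python model below is an added illustration, not code from the SigmaHQ repository or from pySigma; it reimplements the string semantics of the Sigma specification (`*` and `?` as wildcards, backslash escaping of `*`, `?` and `\`, and the `contains`/`startswith`/`endswith` modifiers) as a regex conversion and runs it over constructed sample field values, not real telemetry. Verify any specific rule against pySigma and the target backend before relying on this.

```python
"""Model of Sigma string matching: wildcards, backslash escaping and the
contains/startswith/endswith modifiers. Illustration only; not pySigma."""
import re

ESCAPABLE = "*?\\"  # the three characters a backslash can escape in Sigma


def sigma_to_regex(value, modifier=None):
    """Compile one Sigma string value into a case-insensitive, anchored regex.

    Sigma semantics modelled here:
      '*'  any run of characters, '?' exactly one character
      '\\*', '\\?', '\\\\'  the escaped character itself, taken literally
      a backslash before any other character is a plain backslash, so
      'C:\\Windows\\' needs no doubling, but 'C:\\Windows\\*' ends in an
      escaped (literal) asterisk rather than a wildcard.
    """
    parts = []
    i = 0
    while i < len(value):
        c = value[i]
        if c == "\\" and i + 1 < len(value) and value[i + 1] in ESCAPABLE:
            parts.append(re.escape(value[i + 1]))  # escaped: literal char
            i += 2
            continue
        if c == "*":
            parts.append(".*")
        elif c == "?":
            parts.append(".")
        else:
            parts.append(re.escape(c))
        i += 1
    body = "".join(parts)
    if modifier == "contains":
        body = ".*" + body + ".*"
    elif modifier == "startswith":
        body = body + ".*"
    elif modifier == "endswith":
        body = ".*" + body
    return re.compile("^" + body + "$", re.IGNORECASE | re.DOTALL)


def matches(value, observed, modifier=None):
    """True if the Sigma value (with optional modifier) matches the observed field."""
    return sigma_to_regex(value, modifier).fullmatch(observed) is not None


def demo():
    """Run the three pitfalls against constructed field values (not real telemetry)."""
    img_c = "C:\\Windows\\System32\\calc.exe"
    img_d = "D:\\Windows\\System32\\calc.exe"  # same binary on a second drive
    return {
        # 1. An unescaped '?' is a one-character wildcard; escape it to match a literal '?'.
        "unescaped_q_overmatches": matches("Invoke-Pester?", "Invoke-PesterX"),
        "escaped_q_rejects_other": matches("Invoke-Pester\\?", "Invoke-PesterX"),
        "escaped_q_matches_literal": matches("Invoke-Pester\\?", "Invoke-Pester?"),
        # 2. A value ending in '\*' carries an escaped asterisk, so it never matches a real
        #    path; double the backslash ('\\*') or use a modifier instead.
        "backslash_star_is_literal": matches("C:\\Windows\\*", img_c),
        "doubled_backslash_star_works": matches("C:\\Windows\\\\*", img_c),
        "startswith_avoids_the_issue": matches("C:\\Windows\\", img_c, "startswith"),
        # 3. Hard-coding 'C:' in a filter misses the same path on another drive;
        #    a 'contains' on the path fragment covers every drive letter.
        "c_prefix_misses_d_drive": matches("C:\\Windows\\", img_d, "startswith"),
        "contains_covers_d_drive": matches("\\Windows\\", img_d, "contains"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:32} {result}")
```

Running the file prints one line per case. The second group is the one that bites most often: a selection value such as `C:\Windows\*` looks like a prefix match but, under Sigma's escaping rules, only matches the literal string `C:\Windows\*`, which is why filters are better expressed with `startswith`/`endswith`/`contains` than with trailing wildcards.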
Acknowledgement
Thanks to @AaronS97, @alwashali, @celalettin-turgut, @CrimpSec, @deFr0ggy, @frack113, @fukusuket, @longmdx, @lsoumille, @mezzofix, @michaelpeacock, @mtnmunuklu, @nasbench, @Neo23x0, @netgrain, @phantinuss, @qasimqlf, @rkmbaxed, @swachchhanda000, @ThureinOo, @vj-codes, @YamatoSecurity for their contribution to this release
Which Sigma rule package should I use?
A detailed explanation can be found in the Releases.md file. If you are new to Sigma, we recommend starting with the "Core" ruleset.
The latest release package on GitHub can always be found here.
Release r2023-11-06
New Rules
- new: AWS S3 Bucket Versioning Disable
- new: DNS Query To Devtunnels And VsCode Tunnels
- new: Diamond Sleet APT DLL Sideloading Indicators
- new: Diamond Sleet APT DNS Communication Indicators
- new: Diamond Sleet APT File Creation Indicators
- new: Diamond Sleet APT Process Activity Indicators
- new: Diamond Sleet APT Scheduled Task Creation
- new: Diamond Sleet APT Scheduled Task Creation - Registry
- new: Enable Remote Connection Between Anonymous Computer - AllowAnonymousCallback
- new: Exploitation Indicators Of CVE-2023-20198
- new: New Okta User Created
- new: Okta 2023 Breach Indicator Of Compromise
- new: Okta Admin Functions Access Through Proxy
- new: Okta Password Health Report Query
- new: Onyx Sleet APT File Creation Indicators
- new: Potential Pikabot C2 Activity - Suspicious Process Created By Rundll32.EXE
- new: Potential Pikabot Discovery Activity - Suspicious Process Created By Rundll32.EXE
- new: Potential Pikabot Hollowing Activity - Suspicious Process Created By Rundll32.EXE
- new: Renamed Visual Studio Code Tunnel Execution
- new: Renamed VsCode Code Tunnel Execution - File Indicator
- new: Security Tools Keyword Lookup Via Findstr.EXE
- new: Suspicious Unsigned Thor Scanner Execution
- new: Visual Studio Code Tunnel Execution
- new: Visual Studio Code Tunnel Remote File Creation
- new: Visual Studio Code Tunnel Service Installation
- new: Visual Studio Code Tunnel Shell Execution
- new: VsCode Code Tunnel Execution File Indicator
Updated Rules
- update: Antivirus PrinterNightmare CVE-2021-34527 Exploit Detection
- update: Antivirus Relevant File Paths Alerts
- update: Csc.EXE Execution Form Potentially Suspicious Parent - add more MS Office tools, suspicious locations and filter known FPs
- update: Delete Volume Shadow Copies Via WMI With PowerShell
- update: Dump Ntds.dit To Suspicious Location
- update: Dynamic .NET Compilation Via Csc.EXE - add more suspicious locations
- update: HackTool - CrackMapExec - Fix logic
- update: Linux HackTool Execution - Increase coverage by adding more tools
- update: Linux Network Service Scanning Tools Execution - Increase coverage by adding more tools
- update: MSI Installation From Suspicious Locations
- update: Malware User Agent - Increase UAs coverage
- update: Netcat The Powershell Version
- update: Obfuscated IP Download Activity - increase coverage for more types of obfuscation and fix logic
- update: Obfuscated IP Via CLI - increase coverage for more types of obfuscation and fix logic
- update: Okta New Admin Console Behaviours - Field notation
- update: Port Forwarding Activity Via SSH.EXE - Increase coverage
- update: Potential Information Disclosure CVE-2023-43261 Exploitation - Proxy - Fix typo in rule title
- update: Potential Information Disclosure CVE-2023-43261 Exploitation - Web - Fix typo in rule title
- update: Potential Okta Password in AlternateID Field - Field notation
- update: Potential SPN Enumeration Via Setspn.EXE - Increase coverage by adding `/q` switch
- update: Potentially Suspicious Cabinet File Expansion - Increase coverage
- update: Potentially Suspicious Child Process Of VsCode
- update: PowerShell Called from an Executable Version Mismatch
- update: PowerShell Downgrade Attack - PowerShell
- update: PowerShell Profile Modification - Reduce rule level to medium
- update: Recon Command Output Piped To Findstr.EXE - Logic re-write
- update: Registry Persistence via Service in Safe Mode - Fix typo in title
- update: Remote PowerShell Session (PS Classic)
- update: Renamed Powershell Under Powershell Channel
- update: Security Software Discovery Via Powershell Script - Enhance logic, increase level to medium and demote to experimental
- update: Suspicious File Creation Activity From Fake Recycle.Bin Folder - Increase coverage
- update: Suspicious Non PowerShell WSMAN COM Provider
- update: Suspicious PowerShell Download
- update: Suspicious Process Execution From Fake Recycle.Bin Folder - Increase coverage
- update: Suspicious XOR Encoded PowerShell Command Line - PowerShell
- update: Tamper Windows Defender - PSClassic
- update: Uncommon PowerShell Hosts
- update: Use Get-NetTCPConnection
- update: Weak or Abused Passwords In CLI - Increase coverage
- update: Zip A Folder With PowerShell For Staging In Temp - PowerShell
Fixed Rules
- fix: Creation of an Executable by an Executable
- fix: File or Folder Permissions Modifications
- fix: Import New Module Via PowerShell CommandLine
- fix: Potential Active Directory Reconnaissance/Enumeration Via LDAP - Update logsource
- fix: Potential System DLL Sideloading From Non System Locations
- fix: Process Terminated Via Taskkill
- fix: Suspicious Non-Browser Network Communication With Google API - Fix escaped wildcard issue and Update modifiers
- fix: Suspicious Sysmon as Execution Parent - Typo and restructure
- fix: Uncommon PowerShell Hosts - Fix escaped wildcard issue
Acknowledgement
Thanks to @citronninja, @EzLucky, @faisalusuf, @frack113, @fukusuket, @gs3cl, @nasbench, @netgrain, @phantinuss, @sifex, @sj-sec, @tjgeorgen, @ts-lbf, @Tuutaans, @wagga40, @X-Junior for their contribution to this release
Which Sigma rule package should I use?
A detailed explanation can be found in the Releases.md file. If you are new to Sigma, we recommend starting with the "Core" ruleset.
The latest release package on GitHub can always be found here.
Release r2023-10-23
New Rules
- new: BlueSky Ransomware Artefacts
- new: Certificate Use With No Strong Mapping
- new: DarkGate - Autoit3.EXE Execution Parameters
- new: DarkGate - Autoit3.EXE File Creation By Uncommon Process
- new: File Download From IP Based URL Via CertOC.EXE
- new: File Download From IP URL Via Curl.EXE
- new: HackTool - CoercedPotato Execution
- new: HackTool - CoercedPotato Named Pipe Creation
- new: LSASS Process Memory Dump Creation Via Taskmgr.EXE
- new: Lazarus APT DLL Sideloading Activity
- new: MSSQL Server Failed Logon
- new: MSSQL Server Failed Logon From External Network
- new: Mail Forwarding/Redirecting Activity In O365
- new: Potential CVE-2023-27363 Exploitation - HTA File Creation By FoxitPDFReader
- new: Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream
- new: Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream - CLI
- new: Potential Information Discolosure CVE-2023-43261 Exploitation - Proxy
- new: Potential Information Discolosure CVE-2023-43261 Exploitation - Web
- new: PowerShell Script Execution Policy Enabled
- new: Regsvr32.EXE Calling of DllRegisterServer Export Function Implicitly
- new: Rundll32.EXE Calling DllRegisterServer Export Function Explicitly
Updated Rules
- update: ADSI-Cache File Creation By Uncommon Tool
- update: Alternate PowerShell Hosts Pipe
- update: Arbitrary File Download Via GfxDownloadWrapper.EXE
- update: DarkGate - User Created Via Net.EXE
- update: File Download via CertOC.EXE
- update: Files With System Process Name In Unsuspected Locations
- update: PSScriptPolicyTest Creation By Uncommon Process
- update: Potential PowerShell Execution Policy Tampering
- update: Potential Webshell Creation On Static Website - Increase coverage with new extensions.
- update: Potentially Suspicious Office Document Executed From Trusted Location
- update: PowerShell Module File Created By Non-PowerShell Process
- update: PowerShell Profile Modification
- update: Remote Thread Creation By Uncommon Source Image
- update: Remote Thread Creation In Uncommon Target Image
- update: Renamed CURL.EXE Execution - Extended filter
- update: Suspicious File Download From IP Via Curl.EXE
- update: Suspicious LNK Double Extension File Created
Fixed Rules
- fix: Azure Active Directory Hybrid Health AD FS New Server - Update Logsource to align with the rest of the azure rules
- fix: Azure Active Directory Hybrid Health AD FS Service Delete - Update Logsource to align with the rest of the azure rules
- fix: Control Panel Items - FP with command line observed from taskhost.exe
- fix: Direct Syscall of NtOpenProcess - FP with another Firefox process and removing drive letters
- fix: Direct Syscall of NtOpenProcess - falsepositives meta data
- fix: Execution of Suspicious File Type Extension - FP with OpenOffice
- fix: Google Workspace Application Removed - Update logsource product field to `gcp`
- fix: Google Workspace Granted Domain API Access - Update logsource product field to `gcp`
- fix: Google Workspace MFA Disabled - Update logsource product field to `gcp`
- fix: Google Workspace Role Modified or Deleted - Update logsource product field to `gcp`
- fix: Google Workspace Role Privilege Deleted - Update logsource product field to `gcp`
- fix: Google Workspace User Granted Admin Privileges - Update logsource product field to `gcp`
- fix: Granting Of Permissions To An Account - Update Logsource to align with the rest of the azure rules
- fix: Number Of Resource Creation Or Deployment Activities - Update Logsource to align with the rest of the azure rules
- fix: Potential Shellcode Injection - remove System.ni.dll as there are multiple FPs with ntdll.dll
- fix: Potentially Suspicious AccessMask Requested From LSASS - FP with Avira from Windows temp folder
- fix: Rare Subscription-level Operations In Azure - Update Logsource to align with the rest of the azure rules
- fix: Rundll32 Execution Without DLL File - remove non-essential ParentCommandLine dependency in filter
- fix: Schtasks Creation Or Modification With SYSTEM Privileges - remove non-essential ParentImage dependency in filter
- fix: Suspicious Elevated System Shell - FP with Avira update utility
- fix: Suspicious Elevated System Shell - remove non-essential ParentImage dependency in filter
- fix: Suspicious Shim Database Installation via Sdbinst.EXE - FP with another sdbinst execution by svchost
- fix: Suspicious Sysmon as Execution Parent - add WERFaultSecure.exe as exception
- fix: System File Execution Location Anomaly - add pwsh 7 preview path as exception
Acknowledgement
Thanks to @frack113, @netgrain, @cyb3rjy0t, @greg-workspace, @mbabinski, @nasbench, @Neo23x0, @phantinuss, @swachchhanda000, @ThureinOo, @br4dy5 for their contribution to this release
Which Sigma rule package should I use?
A detailed explanation can be found in the Releases.md file. If you are new to Sigma, we recommend starting with the "Core" ruleset.
The latest release package on GitHub can always be found here.
Release r2023-10-09
New Rules
- new: ADS Zone.Identifier Deleted
- new: ADS Zone.Identifier Deleted By Uncommon Application
- new: AWS Identity Center Identity Provider Change
- new: Access To .Reg/.Hive Files By Uncommon Application
- new: Activity From Anonymous IP Address
- new: AddinUtil.EXE Execution From Uncommon Directory
- new: Anomalous User Activity
- new: Application Terminated Via Wmic.EXE
- new: Atypical Travel
- new: Azure AD Account Credential Leaked
- new: Azure AD Threat Intelligence
- new: Browser Execution In Headless Mode
- new: CVE-2023-38331 Exploitation Attempt - Suspicious Double Extension File
- new: CVE-2023-38331 Exploitation Attempt - Suspicious WinRAR Child Process
- new: CVE-2023-40477 Potential Exploitation - .REV File Creation
- new: CVE-2023-40477 Potential Exploitation - WinRAR Application Crash
- new: Chromium Browser Headless Execution To Mockbin Like Site
- new: DMP/HDMP File Creation
- new: DarkGate User Created Via Net.EXE
- new: Disabling Multi Factor Authenication
- new: Diskshadow Child Process Spawned
- new: Diskshadow Script Mode - Execution From Potential Suspicious Location
- new: Diskshadow Script Mode - Uncommon Script Extension Execution
- new: ESXi Account Creation Via ESXCLI
- new: ESXi Admin Permission Assigned To Account Via ESXCLI
- new: ESXi Network Configuration Discovery Via ESXCLI
- new: ESXi Storage Information Discovery Via ESXCLI
- new: ESXi Syslog Configuration Change Via ESXCLI
- new: ESXi System Information Discovery Via ESXCLI
- new: ESXi VM Kill Via ESXCLI
- new: ESXi VM List Discovery Via ESXCLI
- new: ESXi VSAN Information Discovery Via ESXCLI
- new: Hypervisor Enforced Code Integrity Disabled
- new: IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols
- new: IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols Via CLI
- new: IcedID Malware Suspicious Single Digit DLL Execution Via Rundll32
- new: Impossible Travel
- new: Invalid PIM License
- new: LOL-Binary Copied From System Directory
- new: LSASS Dump Keyword In CommandLine
- new: Malicious Driver Load
- new: Malicious Driver Load By Name
- new: Malicious IP Address Sign-In Failure Rate
- new: Malicious IP Address Sign-In Suspicious
- new: Network Connection Initiated By AddinUtil.EXE
- new: New Country
- new: New Federated Domain Added
- new: Okta Identity Provider Created
- new: Okta New Admin Console Behaviours
- new: Okta Suspicious Activity Reported by End-user
- new: Okta User Session Start Via An Anonymising Proxy Service
- new: Old TLS1.0/TLS1.1 Protocol Version Enabled
- new: Password Spray Activity
- new: Potentially Suspicious Child Process Of DiskShadow.EXE
- new: Potentially Suspicious Child Process Of WinRAR.EXE
- new: Potentially Suspicious DMP/HDMP File Creation
- new: Potentially Suspicious Electron Application CommandLine
- new: Primary Refresh Token Access Attempt
- new: Remote Access Tool - ScreenConnect Command Execution
- new: Remote Access Tool - ScreenConnect File Transfer
- new: Remote Access Tool - ScreenConnect Remote Command Execution
- new: Remote Access Tool - ScreenConnect Temporary File
- new: Remote DLL Load Via Rundll32.EXE
- new: Renamed CURL.EXE Execution
- new: Roles Activated Too Frequently
- new: Roles Activation Doesn't Require MFA
- new: Roles Are Not Being Used
- new: Roles Assigned Outside PIM
- new: SAML Token Issuer Anomaly
- new: Sign-In From Malware Infected IP
- new: Stale Accounts In A Privileged Role
- new: Suspicious AddinUtil.EXE CommandLine Execution
- new: Suspicious Browser Activity
- new: Suspicious Inbox Forwarding Identity Protection
- new: Suspicious Inbox Manipulation Rules
- new: Too Many Global Admins
- new: Uncommon AddinUtil.EXE CommandLine Execution
- new: Uncommon Child Process Of AddinUtil.EXE
- new: Unfamiliar Sign-In Properties
- new: VMMap Signed Dbghelp.DLL Potential Sideloading
- new: Vulnerable Driver Load
- new: Vulnerable Driver Load By Name
Updated Rules
- update: 7Zip Compressing Dump Files - Increase coverage
- update: 7Zip Compressing Dump Files - Reduce level
- update: Access To Browser Credential Files By Uncommon Application
- update: Access To Windows Credential History File By Uncommon Application
- update: Access To Windows DPAPI Master Keys By Uncommon Application
- update: Added some bypass methods used by SQLI Injectors.
- update: Amsi.DLL Loaded Via LOLBIN Process - Reduce level to `medium`
- update: COM Hijack via Sdclt - Fix Logic
- update: Copy .DMP/.DUMP Files From Remote Share Via Cmd.EXE - Increase coverage
- update: Creation of an Executable by an Executable - Fix FP
- update: Credential Manager Access By Uncommon Application
- update: DLL Load By System Process From Suspicious Locations - Reduce level to `medium`
- update: DNS Query Request By Regsvr32.EXE - Reduce level to `medium`
- update: DNS Query To MEGA Hosting Website - DNS Client - Update title and reduce level to `medium`
- update: DNS Query To MEGA Hosting Website - Reduce level to `low` and update metadata
- update: DNS Query To Remote Access Software Domain From Non-Browser App - Increase coverage with new domains
- update: DNS Query To Ufile.io - DNS Client - Update title and reduce level to `low`
- update: DNS Query To Ufile.io - Update title and reduce level to `low`
- update: DNS Query Tor .Onion Address - Sysmon - Update title
- update: DNS Server Discovery Via LDAP Query - Reduce level to `low` and update FP filters
- update: Detects path traversal exploitation attempts - Increase coverage
- update: Detects sql injection exploitation attempts - Increase coverage
- update: Diskshadow Script Mode Execution
- update: DriverQuery.EXE Execution - Increase coverage
- update: File Download From Browser Process Via Inline Link
- update: Fsutil Suspicious Invocation - add "setZeroData" coverage
- update: Greedy File Deletion Using Del - Increase coverage
- update: LOLBIN Execution From Abnormal Drive
- update: LSASS Memory Dump File Creation - Deprecated
- update: LSASS Process Memory Dump Files - Add `PPLBlade` default dump file indicator
- update: Leviathan Registry Key Activity - Fix logic
- update: Linux Network Service Scanning - Auditd - Update coverage to add `ncat` and `nc.openbsd`
- update: Network Connection Initiated By Regsvr32.EXE - Reduce level to `medium` and metadata update
- update: New Federated Domain Added - Exchange
- update: New Firewall Rule Added In Windows Firewall Exception List - update logic
- update: Non Interactive PowerShell Process Spawned - Increase coverage
- update: Ntdsutil Abuse - Update ATT&CK tags
- update: OceanLotus Registry Activity - Fix Logic
- update: Office Application Startup - Office Test - Fix Logic
- update: OneNote Attachment File Dropped In Suspicious Location - Fix FP
- update: Potential Browser Data Stealing - Increase coverage with more browsers
- update: Potential Dead Drop Resolvers - Increase coverage with new domains
- update: Potential Persistence Via COM Hijacking From Suspicious Locations - Increase coverage and fix logic
- update: Potential Persistence Via COM Search Order Hijacking - Fix Logic
- update: Potential Process Hollowing Activity - Update FP filters
- update: Potential Recon Activity Using DriverQuery.EXE - Increase coverage
- update: Potential Unquoted Service Path Reconnaissance Via Wmic.EXE - Reduce level to `medium`
- update: Potentially Suspicious Compression Tool Parameters
- update: Potentially Suspicious Event Viewer Child Process - Update metadata
- update: Potentially Suspicious Windows App Activity - Fix FP, increase coverage and reduce level
- update: PowerShell Initiated Network Connection - Update description
- update: PowerShell Module File Created By Non-PowerShell Process - Fix FP
- update: PsExec Tool Execution From Suspicious Locations - PipeName - Reduce level to `medium`
- update: Python Image Load By Non-Python Process - Update description and title
- update: Python Initiated Connection - Update FP filter
- update: Qakbot Uninstaller Execution - add new hashes
- update: Remote Thread Creation By Uncommon Source Image - Update FP filter
- update: Renamed AutoIt Execution - Increase coverage
- update: Rundll32 Execution Without CommandLine Parameters - Add CLI variations
- update: Suspicious Child Process Of Manage Engine ServiceDesk
- update: Suspicious Chromium Browser Instance Executed With Custom Extensions - Increase coverage
- update: Suspicious Copy From or To System Directory - Add new folder "WinSxS"
- update: Suspicious Electron Application Child Processes - Increase coverage
- update: Suspicious Scripting in a WMI Consumer - update logic
- update: Suspicious WebDav Client Execution Via Rundll32.EXE - New Title
- update: Sysinternals Tools AppX Versions Execution - Reduce level to `low`
- update: Sysmon Blocked Executable - Update logsource
- update: UAC Bypass via Event Viewer - Fix Logic
- update: UNC2452 Process Creation Patterns - Fix logic
- update: Usage Of Malicious POORTRY Signed Driver - Deprecated
- update: VMMap Unsigned Dbghelp.DLL Potential Sideloading
- update: Vulnerable AVAST Anti Rootkit Driver Load - Deprecated
- update: Vulnerable Dell BIOS Update Driver Load - Deprecated
- update: Vulnerable Driver Load By Name - Deprecated
- update: Vulnerable GIGABYTE Driver Load - Deprecated
- update: Vulnerable HW Driver Load - Deprecated
- update: Vulnerable Lenovo Driver Load - Deprecated
- update: WebDav Client Execution Via Rundll32.EXE
- update: Windows Update Error - Reduce level to `informational` and status to `stable`
- update: Winrar Compressing Dump Files - Increase Coverage
- update: Winrar Execution in Non-Standard Folder
- update: Wscript Execution from Non C Drive - ...
Sigmatools 0.21
Added
- Azure Sentinel backend
- OpenSearch Monitor backend
- Hawk backend
- Datadog backend
- FortiSIEM backend
- Lacework agent data support
- Athena SQL backend
- Regex support in SQLite backend
- Additional field mappings
Changed
- Log source refactoring
Fixed
- Mapping fixes
- Various bugfixes
- Disabled problematic optimization
Sigmatools 0.20
Added
- Devo backend
- Fields selection added to SQL backend
- Linux/macOS support for MDATP backend
- Output results as generic YAML/JSON
- Hash normalization option (hash_normalize) for Elasticsearch wildcard handling
- ALA AWS Cloudtrail and Azure mappings
- LogRhythm backend
- Splunk Data Models backend
- Further log sources used in open source Sigma ruleset
- CarbonBlack EDR backend
- Elastic EQL backend
- Additional conversion selection filters
- Filter negation
- Specify table in SQL backend
- Generic registry event log source
- Chronicle backend
Changed
- Elastic Watcher backend populates name attribute instead of title.
- One item list optimization.
- Updated Winlogbeat mapping
- Generic mapping for Powershell backend
Fixed
- Elastalert multi output file
- Fixed duplicate output in ElastAlert backend
- Escaping in Graylog backend
- es-rule ndjson output
- Various fixes of known bugs