Releases: SigmaHQ/sigma

Release r2024-05-13

13 May 17:50
ed789f5

New Rules

  • new: Access To Windows Outlook Mail Files By Uncommon Application
  • new: All Backups Deleted Via Wbadmin.EXE
  • new: File Recovery From Backup Via Wbadmin.EXE
  • new: Launch Agent/Daemon Execution Via Launchctl
  • new: New Firewall Rule Added In Windows Firewall Exception List Via WmiPrvSE.EXE
  • new: New RDP Connection Initiated From Domain Controller
  • new: New Windows Firewall Rule Added Via New-NetFirewallRule Cmdlet
  • new: New Windows Firewall Rule Added Via New-NetFirewallRule Cmdlet - ScriptBlock
  • new: Potential Packet Capture Activity Via Start-NetEventSession - ScriptBlock
  • new: Potentially Suspicious Child Process Of KeyScrambler.exe
  • new: Potentially Suspicious Malware Callback Communication - Linux
  • new: Sensitive File Dump Via Wbadmin.EXE
  • new: Sensitive File Recovery From Backup Via Wbadmin.EXE
  • new: Suspicious External WebDAV Execution
  • new: UAC Notification Disabled
  • new: UAC Secure Desktop Prompt Disabled

Updated Rules

  • update: New Firewall Rule Added In Windows Firewall Exception List For Potential Suspicious Application - Add new EID and paths
  • update: Potentially Suspicious Execution Of PDQDeployRunner - Add additional processes to the list
  • update: Scheduled Task Creation From Potential Suspicious Parent Location - Add additional "temporary folder" locations.
  • update: UAC Disabled - update metadata
  • update: Uncommon New Firewall Rule Added In Windows Firewall Exception List - Add new EID and paths
  • update: Use Icacls to Hide File to Everyone - Remove "C:\Users" to increase coverage
  • update: Windows Backup Deleted Via Wbadmin.EXE - Enhance logic and increase coverage

Removed / Deprecated Rules

  • remove: Search-ms and WebDAV Suspicious Indicators in URL

Fixed Rules

  • fix: Forest Blizzard APT - Process Creation Activity - Typo in modifier

Acknowledgement

Thanks to @ahmedfarou22, @frack113, @hasselj, @joshnck, @nasbench, @pratinavchandra, @swachchhanda000 for their contribution to this release

Which Sigma rule package should I use?

A detailed explanation can be found in the Releases.md file in the repository. If you are new to Sigma, we recommend starting with the "Core" ruleset.

The latest release package can always be found on the repository's GitHub Releases page.

Release r2024-04-29

29 Apr 20:09
39db804

New Rules

  • new: Cisco Duo Successful MFA Authentication Via Bypass Code
  • new: Forest Blizzard APT - Custom Protocol Handler Creation
  • new: Forest Blizzard APT - Custom Protocol Handler DLL Registry Set
  • new: Forest Blizzard APT - File Creation Activity
  • new: Forest Blizzard APT - JavaScript Constrained File Creation
  • new: Forest Blizzard APT - Process Creation Activity
  • new: Network Connection Initiated By RegAsm.EXE
  • new: Outbound Network Connection Initiated By Microsoft Dialer
  • new: PUA - SoftPerfect Netscan Execution
  • new: Pnscan Binary Data Transmission Activity
  • new: Potential CVE-2024-3400 Exploitation - Palo Alto GlobalProtect OS Command Injection
  • new: Potential CVE-2024-3400 Exploitation - Palo Alto GlobalProtect OS Command Injection - File Creation
  • new: Potential Exploitation of CVE-2024-3094 - Suspicious SSH Child Process
  • new: Potential KeyScrambler.exe DLL Side-loading
  • new: Python Path Configuration File Creation - Linux
  • new: Python Path Configuration File Creation - Macos
  • new: Python Path Configuration File Creation - Windows

Updated Rules

  • update: AWS User Login Profile Was Modified - use fieldref instead of contains modifier
  • update: Arbitrary DLL or Csproj Code Execution Via Dotnet.EXE - Update logic to add additional variation of the extensions
  • update: Arbitrary File Download Via ConfigSecurityPolicy.EXE - Update description
  • update: C# IL Code Compilation Via Ilasm.EXE - Add flags to increase accuracy of the rule instead of it focusing on "any" execution
  • update: COM Object Execution via Xwizard.EXE - Update logic
  • update: Gatekeeper Bypass via Xattr - Update command line flag
  • update: HackTool - CoercedPotato Execution - Update Hashes field to use contains modifier
  • update: HackTool - HandleKatz LSASS Dumper Execution - Update Hashes field to use contains modifier
  • update: HackTool - SysmonEOP Execution - Update Hashes field to use contains modifier
  • update: Invoke-Obfuscation CLIP+ Launcher - PowerShell - Remove unnecessary starting wildcard
  • update: Invoke-Obfuscation CLIP+ Launcher - PowerShell Module - Remove unnecessary starting wildcard
  • update: Invoke-Obfuscation STDIN+ Launcher - PowerShell Module - Remove unnecessary starting wildcard
  • update: Invoke-Obfuscation STDIN+ Launcher - Powershell - Remove unnecessary starting wildcard
  • update: Invoke-Obfuscation STDIN+ Launcher - Update rule to use regex for better accuracy in CLI
  • update: Invoke-Obfuscation VAR+ Launcher - PowerShell - Remove unnecessary starting wildcard
  • update: Invoke-Obfuscation VAR+ Launcher - PowerShell Module - Remove unnecessary starting wildcard
  • update: Invoke-Obfuscation VAR+ Launcher - Update rule to use regex for better accuracy in CLI
  • update: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell - Remove unnecessary starting wildcard
  • update: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell Module - Remove unnecessary starting wildcard
  • update: Invoke-Obfuscation Via Stdin - PowerShell Module - Remove unnecessary starting wildcard
  • update: Invoke-Obfuscation Via Stdin - Powershell - Remove unnecessary starting wildcard
  • update: Invoke-Obfuscation Via Stdin - Update rule to use regex for better accuracy in CLI
  • update: Invoke-Obfuscation Via Use Clip - PowerShell Module - Remove unnecessary starting wildcard
  • update: Invoke-Obfuscation Via Use Clip - Powershell - Remove unnecessary starting wildcard
  • update: Invoke-Obfuscation Via Use Clip - Update rule to use regex for better accuracy in CLI
  • update: JScript Compiler Execution - Update metadata
  • update: Linux Command History Tampering - Increase coverage to include other history files
  • update: ManageEngine Endpoint Central Dctask64.EXE Potential Abuse - Update logic to account for flags and increase accuracy
  • update: Potential Application Whitelisting Bypass via Dnx.EXE - Update description
  • update: Potential Arbitrary Command Execution Via FTP.EXE - Use "windash" modifier and update description
  • update: Potential Arbitrary File Download Via Cmdl32.EXE - Remove unnecessary spaces to account for flags being at the end.
  • update: Renamed ZOHO Dctask64 Execution - Add additional imphash values
  • update: Suspicious Volume Shadow Copy VSS_PS.dll Load - regularly loaded by wsmprovhost.exe
  • update: Windows Kernel Debugger Execution - Reduce level to "medium"
  • update: Xwizard.EXE Execution From Non-Default Location - Update description

Fixed Rules

  • fix: ADS Zone.Identifier Deleted By Uncommon Application - Filter out "chrome" and "firefox" processes.
  • fix: Dynamic .NET Compilation Via Csc.EXE - FP with chocolatey
  • fix: File And SubFolder Enumeration Via Dir Command - Fix false positive with Firefox and similar CLI apps.
  • fix: Invoke-Obfuscation Via Stdin - explicitly escape { to make it clear that it is a literal
  • fix: Rundll32 Execution With Uncommon DLL Extension - add optional filter for MS Edge update
  • fix: Windows Binaries Write Suspicious Extensions - Add new filter for when "bat" or "powershell" scripts are written via GPO to run at startup.
  • fix: Windows Binaries Write Suspicious Extensions - filter PS1 policy check for AppLocker mode
  • fix: Windows Binaries Write Suspicious Extensions - fix selection

Acknowledgement

Thanks to @CertainlyP, @dan21san, @frack113, @fukusuket, @jamesc-grafana, @nasbench, @Neo23x0, @netgrain, @nikitah4x, @phantinuss, @PiRomant, @pratinavchandra, @ruppde, @signalblur, @swachchhanda000, @TheLawsOfChaos, @thomaspatzke, @X-Junior, @ya0guang for their contribution to this release

Release r2024-03-26

26 Mar 19:14
f0395b8

New Rules

  • new: CVE-2024-1212 Exploitation - Progress Kemp LoadMaster Unauthenticated Command Injection
  • new: Certificate-Based Authentication Enabled
  • new: Container With A hostPath Mount Created
  • new: Creation Of Pod In System Namespace
  • new: Deployment Deleted From Kubernetes Cluster
  • new: Kubernetes Events Deleted
  • new: Kubernetes Secrets Enumeration
  • new: MaxMpxCt Registry Value Changed
  • new: New Kubernetes Service Account Created
  • new: New Root Certificate Authority Added
  • new: Potential KamiKakaBot Activity - Lure Document Execution
  • new: Potential KamiKakaBot Activity - Shutdown Schedule Task Creation
  • new: Potential KamiKakaBot Activity - Winlogon Shell Persistence
  • new: Potential Remote Command Execution In Pod Container
  • new: Potential Sidecar Injection Into Running Deployment
  • new: Privileged Container Deployed
  • new: RBAC Permission Enumeration Attempt
  • new: Remote Access Tool - Team Viewer Session Started On Linux Host
  • new: Remote Access Tool - Team Viewer Session Started On MacOS Host
  • new: Remote Access Tool - Team Viewer Session Started On Windows Host
  • new: Service Binary in User Controlled Folder

Updated Rules

  • update: Add Port Monitor Persistence in Registry - Update logic to avoid hardcoded HKLM values
  • update: CVE-2020-1048 Exploitation Attempt - Suspicious New Printer Ports - Registry - Add more entries to increase coverage and update metadata information
  • update: Capture Credentials with Rpcping.exe - Update rule to use the windash modifier
  • update: Change Winevt Channel Access Permission Via Registry - Update logic to avoid hardcoded HKLM values
  • update: Changing Existing Service ImagePath Value Via Reg.EXE - Update rule to use the windash modifier
  • update: Communication To Uncommon Destination Ports - Add link-local address range
  • update: Default RDP Port Changed to Non Standard Port - Update logic to avoid hardcoded HKLM values
  • update: Dfsvc.EXE Network Connection To Non-Local IPs - Update rule to use cidr modifier
  • update: Disable Administrative Share Creation at Startup - Update logic to avoid hardcoded HKLM values
  • update: Disable Microsoft Defender Firewall via Registry - Update logic to avoid hardcoded HKLM values
  • update: Disable Windows Event Logging Via Registry - Update logic to avoid hardcoded HKLM values
  • update: Diskshadow Script Mode Execution - Update rule to use the windash modifier
  • update: Displaying Hidden Files Feature Disabled - Update logic to avoid hardcoded HKLM values
  • update: DllUnregisterServer Function Call Via Msiexec.EXE - Update rule to use the windash modifier
  • update: Exports Critical Registry Keys To a File - Update rule to use the windash modifier
  • update: Exports Registry Key To a File - Update rule to use the windash modifier
  • update: FlowCloud Registry Marker - Update logic to avoid hardcoded HKLM values
  • update: IIS Native-Code Module Command Line Installation - Update rule to use the windash modifier
  • update: Imports Registry Key From a File - Update rule to use the windash modifier
  • update: Imports Registry Key From an ADS - Update rule to use the windash modifier
  • update: Kernel Memory Dump Via LiveKD - Update rule to use the windash modifier
  • update: Loaded Module Enumeration Via Tasklist.EXE - Update rule to use the windash modifier
  • update: Microsoft Sync Center Suspicious Network Connections - Add link-local address range
  • update: Msiexec Quiet Installation - Update rule to use the windash modifier
  • update: Network Connection Initiated By PowerShell Process - Update rule to use cidr modifier
  • update: New PortProxy Registry Entry Added - Update logic to avoid hardcoded HKLM values
  • update: Office Application Initiated Network Connection To Non-Local IP - Update rule to use cidr modifier
  • update: Outbound Network Connection To Public IP Via Winlogon - Add link-local address range
  • update: Potential Arbitrary Command Execution Using Msdt.EXE - Update rule to use the windash modifier
  • update: Potential CVE-2023-23397 Exploitation Attempt - SMB - Update rule to use cidr modifier
  • update: Potential CobaltStrike Service Installations - Registry - Update logic to avoid hardcoded HKLM values
  • update: Potential Execution of Sysinternals Tools - Update rule to use the windash modifier
  • update: Potential LSASS Process Dump Via Procdump - Update rule to use the windash modifier
  • update: Potential Regsvr32 Commandline Flag Anomaly - Update rule to use the windash modifier
  • update: Potentially Suspicious CMD Shell Output Redirect - Enhance logic
  • update: Potentially Suspicious Malware Callback Communication - Add link-local address range
  • update: Potentially Suspicious Wuauclt Network Connection - Update rule to use cidr modifier
  • update: Publicly Accessible RDP Service - Add link-local address range
  • update: RDP Over Reverse SSH Tunnel - Update rule to use cidr modifier
  • update: Register New IFiltre For Persistence - Update logic to avoid hardcoded HKLM values
  • update: Registry Persistence via Service in Safe Mode - Update logic to avoid hardcoded HKLM values
  • update: Replace.exe Usage - Update rule to use the windash modifier
  • update: Run Once Task Configuration in Registry - Update logic to avoid hardcoded HKLM values
  • update: Rundll32 Internet Connection - Add link-local address range
  • update: Script Initiated Connection to Non-Local Network - Update rule to use cidr modifier
  • update: Search-ms and WebDAV Suspicious Indicators in URL - Add link-local address range
  • update: Security Support Provider (SSP) Added to LSA Configuration - Update logic to avoid hardcoded HKLM values
  • update: ServiceDll Hijack - Update logic to avoid hardcoded HKLM values
  • update: Suspicious Cabinet File Execution Via Msdt.EXE - Update rule to use the windash modifier
  • update: Suspicious Command Patterns In Scheduled Task Creation - Enhance logic
  • update: Suspicious DNS Query for IP Lookup Service APIs - Add new domains
  • update: Suspicious DNS Query for IP Lookup Service APIs - Fix ip.cn
  • update: Suspicious Msiexec Execute Arbitrary DLL - Update rule to use the windash modifier
  • update: Suspicious Msiexec Quiet Install From Remote Location - Update rule to use the windash modifier
  • update: Suspicious Network Connection to IP Lookup Service APIs - Add new domains
  • update: Suspicious Network Connection to IP Lookup Service APIs - Fix ip.cn
  • update: Suspicious Response File Execution Via Odbcconf.EXE - Update rule to use the windash modifier
  • update: Sysmon Configuration Update - Update rule to use the windash modifier
  • update: Sysmon Driver Altitude Change - Update logic to avoid hardcoded HKLM values
  • update: Uncommon Outbound Kerberos Connection - Security - Update filter to include device type paths and reduce the level to "medium"
  • update: Uncommon Outbound Kerberos Connection - Update filters to include tomcat and reduce the level to "medium"
  • update: Uninstall Sysinternals Sysmon - Update rule to use the windash modifier
  • update: WebDav Put Request - Update rule to use cidr modifier
  • update: Windows Defender Service Disabled - Registry - Update logic to avoid hardcoded HKLM values
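
Most of the items above are mechanical: rules that matched command-line flags with a hard-coded "-" are switched to the windash modifier, rules that compared destination IPs as strings are switched to the cidr modifier, and the "non-local IP" filters gain the 169.254.0.0/16 link-local range. The following Python block, added here as an illustration and not code from the SigmaHQ repository, pySigma or sigma-cli, is a minimal evaluator for those two modifiers run over constructed events. The Sysmon-style field names, the invented events and rule bodies, and the simplified windash expansion (only "-" and "/" are swapped; consult the Sigma specification for the full set of dash characters the real modifier covers) are all assumptions made for the example.

```python
"""Minimal evaluator for the Sigma 'windash' and 'cidr' field modifiers.

Illustrative reimplementation written for this page; it is not pySigma,
sigma-cli or any code from the SigmaHQ repository, and it supports only the
subset of the rule grammar needed here. Events and rule bodies are constructed.
"""
import ipaddress
import itertools

# Constructed sample events with Sysmon-style field names (invented values).
EVENTS = [
    {"id": 1, "Image": r"C:\Tools\procdump64.exe",
     "CommandLine": "procdump64.exe -ma lsass.exe out.dmp"},
    {"id": 2, "Image": r"C:\Tools\procdump64.exe",
     "CommandLine": "procdump64.exe /ma lsass.exe out.dmp"},
    {"id": 3, "Image": r"C:\Windows\System32\wscript.exe", "DestinationIp": "10.20.30.40"},
    {"id": 4, "Image": r"C:\Windows\System32\wscript.exe", "DestinationIp": "169.254.169.254"},
    {"id": 5, "Image": r"C:\Windows\System32\wscript.exe", "DestinationIp": "203.0.113.7"},
]

# Simplification: only '-' and '/' are expanded. Check the Sigma specification
# for the full set of dash characters the real modifier covers.
DASHES = ("-", "/")


def windash_variants(value):
    """Return every spelling of `value` with each '-' swapped for a dash variant."""
    slots = [i for i, ch in enumerate(value) if ch == "-"]
    variants = set()
    for combo in itertools.product(DASHES, repeat=len(slots)):
        chars = list(value)
        for pos, dash in zip(slots, combo):
            chars[pos] = dash
        variants.add("".join(chars))
    return variants


def match_field(event, spec, values):
    """Evaluate one 'Field|modifier...' entry; list values are OR-ed together."""
    field, *mods = spec.split("|")
    if field not in event:
        return False  # a missing field never matches (no 'null' handling here)
    actual = str(event[field])
    if "cidr" in mods:
        ip = ipaddress.ip_address(actual)
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    candidates = set()
    for v in values:
        candidates |= windash_variants(v) if "windash" in mods else {v}
    actual_l = actual.lower()
    if "contains" in mods:
        return any(c.lower() in actual_l for c in candidates)
    if "endswith" in mods:
        return any(actual_l.endswith(c.lower()) for c in candidates)
    return any(actual_l == c.lower() for c in candidates)


def match_block(event, block):
    """All entries in a selection/filter block must match (AND)."""
    return all(
        match_field(event, spec, vals if isinstance(vals, list) else [vals])
        for spec, vals in block.items()
    )


def run(rule, events):
    """Evaluate 'selection and not filter' and return the ids of matching events."""
    hits = []
    for ev in events:
        if match_block(ev, rule["selection"]) and not (
            "filter" in rule and match_block(ev, rule["filter"])
        ):
            hits.append(ev["id"])
    return hits


# Procdump-style rule written with a plain dash and then with windash.
PROCDUMP_DASH_ONLY = {"selection": {"Image|endswith": "\\procdump64.exe",
                                    "CommandLine|contains": " -ma "}}
PROCDUMP_WINDASH = {"selection": {"Image|endswith": "\\procdump64.exe",
                                  "CommandLine|contains|windash": " -ma "}}

# Script-host-to-non-local-IP rule, before and after adding the link-local range.
PRIVATE_RANGES = ["127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
SCRIPT_NONLOCAL_BEFORE = {
    "selection": {"Image|endswith": ["\\wscript.exe", "\\cscript.exe"]},
    "filter": {"DestinationIp|cidr": PRIVATE_RANGES},
}
SCRIPT_NONLOCAL_AFTER = {
    "selection": {"Image|endswith": ["\\wscript.exe", "\\cscript.exe"]},
    "filter": {"DestinationIp|cidr": PRIVATE_RANGES + ["169.254.0.0/16"]},
}

if __name__ == "__main__":
    print("dash only :", run(PROCDUMP_DASH_ONLY, EVENTS))       # [1]
    print("windash   :", run(PROCDUMP_WINDASH, EVENTS))         # [1, 2]
    print("before    :", run(SCRIPT_NONLOCAL_BEFORE, EVENTS))   # [4, 5]
    print("after     :", run(SCRIPT_NONLOCAL_AFTER, EVENTS))    # [5]
```

The two pairs show the practical effect of the changes listed above: the dash-only rule misses the "/ma" spelling that windash catches, and the script-host rule fires on a connection to 169.254.169.254 (the cloud metadata address, which is link-local) until the filter is extended, after which only the genuinely public destination remains. Real deployments should use pySigma or sigma-cli rather than this toy evaluator.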

Removed / Deprecated Rules

  • remove: Adwind RAT / JRAT - Registry
  • remove: Service Binary in Uncommon Folder

Fixed Rules

  • fix: EVTX Created In Uncommon Location - Reduce level and remove filters
  • fix: Files With System Process Name In Unsuspected Locations - Add additional paths
  • fix: Microsoft VBA For Outlook Addin Loaded Via Outlook - Fix incorrect use of "modifier"
  • fix: New RUN Key Pointing to Suspicious Folder
  • fix: New TimeProviders Registered With Uncommon DLL Name - Add new legitimate entry to avoid FPs

Acknowledgement

Thanks to @cyb3rjy0t, @frack113, @joshnck, @LAripping, @nasbench, @phantinuss, @security-companion, @xiangchen96, @X-Junior for their contribution to this release

Release r2024-03-11

11 Mar 20:22
1758511

New Rules

  • new: Active Directory Certificate Services Denied Certificate Enrollment Request
  • new: CrackMapExec File Indicators
  • new: Github Push Protection Bypass Detected
  • new: Github Push Protection Disabled
  • new: Github Secret Scanning Feature Disabled
  • new: No Suitable Encryption Key Found For Generating Kerberos Ticket
  • new: OpenCanary - FTP Login Attempt
  • new: OpenCanary - GIT Clone Request
  • new: OpenCanary - HTTP GET Request
  • new: OpenCanary - HTTP POST Login Attempt
  • new: OpenCanary - HTTPPROXY Login Attempt
  • new: OpenCanary - MSSQL Login Attempt Via SQLAuth
  • new: OpenCanary - MSSQL Login Attempt Via Windows Authentication
  • new: OpenCanary - MySQL Login Attempt
  • new: OpenCanary - NTP Monlist Request
  • new: OpenCanary - REDIS Action Command Attempt
  • new: OpenCanary - SIP Request
  • new: OpenCanary - SMB File Open Request
  • new: OpenCanary - SNMP OID Request
  • new: OpenCanary - SSH Login Attempt
  • new: OpenCanary - SSH New Connection Attempt
  • new: OpenCanary - TFTP Request
  • new: OpenCanary - Telnet Login Attempt
  • new: OpenCanary - VNC Connection Attempt
  • new: Potential Raspberry Robin CPL Execution Activity
  • new: Potential SentinelOne Shell Context Menu Scan Command Tampering
  • new: Renamed NirCmd.EXE Execution
  • new: Shell Context Menu Command Tampering

Updated Rules

  • update: File Enumeration Via Dir Command - Update logic to additionally use a wildcard, for better accuracy.
  • update: Potential PowerShell Execution Via DLL - Add regsvr32 to increase coverage.
  • update: Remote Access Tool - ScreenConnect Potential Suspicious Remote Command Execution - Add more potential child processes seen in the wild
  • update: Unsigned DLL Loaded by Windows Utility - Add InstallUtil, RegAsm and RegSvcs as additional processes, and add "null" and "empty" filters to cover unavailable fields.
  • update: Wlrmdr.EXE Uncommon Argument Or Child Process - Update metadata, add new filters and use the windash modifier.

Removed / Deprecated Rules

  • remove: CrackMapExec File Creation Patterns
  • remove: Suspicious Epmap Connection

Fixed Rules

  • fix: Dbghelp/Dbgcore DLL Loaded By Uncommon/Suspicious Process - Add multiple new FP filters seen in the wild
  • fix: Potential Credential Dumping Activity Via LSASS - remove legitimate access mask
  • fix: Potential System DLL Sideloading From Non System Locations - Add multiple new FP filters seen in the wild
  • fix: Remote Thread Creation In Uncommon Target Image - add optional filter for the Xerox Print Job Event Manager Service calling spoolsrv
  • fix: Uncommon Assistive Technology Applications Execution Via AtBroker.EXE - Add more builtin ATs to the list

Acknowledgement

Thanks to @benmontour, @CrimpSec, @defensivedepth, @faisalusuf, @frack113, @nasbench, @qasimqlf, @secDre4mer, @snajafov, @swachchhanda000, @tr0mb1r, @X-Junior for their contribution to this release

Release r2024-02-26

26 Feb 21:58
6b8cd1f

New Rules

  • new: AWS Console GetSigninToken Potential Abuse
  • new: Bitbucket Audit Log Configuration Updated
  • new: Bitbucket Full Data Export Triggered
  • new: Bitbucket Global Permission Changed
  • new: Bitbucket Global SSH Settings Changed
  • new: Bitbucket Global Secret Scanning Rule Deleted
  • new: Bitbucket Project Secret Scanning Allowlist Added
  • new: Bitbucket Secret Scanning Exempt Repository Added
  • new: Bitbucket Secret Scanning Rule Deleted
  • new: Bitbucket Unauthorized Access To A Resource
  • new: Bitbucket Unauthorized Full Data Export Triggered
  • new: Bitbucket User Details Export Attempt Detected
  • new: Bitbucket User Login Failure
  • new: Bitbucket User Login Failure Via SSH
  • new: Bitbucket User Permissions Export Attempt
  • new: CVE-2024-1708 - ScreenConnect Path Traversal Exploitation
  • new: CVE-2024-1708 - ScreenConnect Path Traversal Exploitation - Security
  • new: CVE-2024-1709 - ScreenConnect Authentication Bypass Exploitation
  • new: DNS Query Request To OneLaunch Update Service
  • new: DPRK Threat Actor - C2 Communication DNS Indicators
  • new: HackTool - CobaltStrike Malleable Profile Patterns - Proxy
  • new: Potentially Suspicious File Download From File Sharing Domain Via PowerShell.EXE
  • new: Remote Access Tool - ScreenConnect Backstage Mode Anomaly 2
  • new: Remote Access Tool - ScreenConnect Remote Execution
  • new: Remote Access Tool - ScreenConnect Server Web Shell Execution
  • new: Remote Access Tool - Simple Help Execution
  • new: ScreenConnect - SlashAndGrab Exploitation Indicators
  • new: ScreenConnect User Database Modification
  • new: ScreenConnect User Database Modification - Security
  • new: Suspicious File Download From IP Via Wget.EXE - Paths
  • new: User Added To Highly Privileged Group

Updated Rules

  • update: APT User Agent - Add UA used by RedCurl APT
  • update: Chafer Malware URL Pattern - Reduce level to high and move to ET folder
  • update: Console CodePage Lookup Via CHCP - Increase coverage by also matching the "/" form of command-line flags
  • update: Curl Download And Execute Combination - Increase coverage by also matching the "/" form of command-line flags
  • update: File Deletion Via Del - Increase coverage by also matching the "/" form of command-line flags
  • update: Files And Subdirectories Listing Using Dir - Increase coverage by also matching the "/" form of command-line flags
  • update: Mshtml.DLL RunHTMLApplication Suspicious Usage - Merge overlapping rules and enhance logic to account for a newly reported bypass
  • update: New Generic Credentials Added Via Cmdkey.EXE - Increase coverage by also matching the "/" form of command-line flags
  • update: Remote Access Tool - ScreenConnect Installation Execution - Reduce level to medium
  • update: Remote Access Tool - ScreenConnect Potential Suspicious Remote Command Execution - Update logic and reduce the level to medium
  • update: Remote Access Tool - ScreenConnect Remote Command Execution - Hunting - Move the rule to Hunting
  • update: Remote Access Tool - ScreenConnect Remote Command Execution - Reduce level to low
  • update: Suspicious Ping/Copy Command Combination - Increase coverage by also matching the "/" form of command-line flags
  • update: Suspicious PowerShell IEX Execution Patterns - Enhance coverage by adding a new "IEX" variant
  • update: Suspicious Service Installation Script - Increase coverage by also matching the "/" form of command-line flags
  • update: Weak or Abused Passwords In CLI - Add additional passwords seen abused in the wild

Removed / Deprecated Rules

  • remove: CobaltStrike Malformed UAs in Malleable Profiles
  • remove: CobaltStrike Malleable (OCSP) Profile
  • remove: CobaltStrike Malleable Amazon Browsing Traffic Profile
  • remove: CobaltStrike Malleable OneDrive Browsing Traffic Profile
  • remove: Rundll32 JS RunHTMLApplication Pattern
  • remove: Suspicious Rundll32 Script in CommandLine
  • remove: iOS Implant URL Pattern

Acknowledgement

Thanks to @clebron23, @faisalusuf, @frack113, @joshnck, @MalGamy, @MATTANDERS0N, @nasbench, @qasimqlf, @RG9n for their contribution to this release

Release r2024-02-12

12 Feb 18:46
7509f6a

New Rules

  • new: Exploitation Indicator Of CVE-2022-42475
  • new: Interesting Service Enumeration Via Sc.EXE
  • new: Loaded Module Enumeration Via Tasklist.EXE
  • new: New Self Extracting Package Created Via IExpress.EXE
  • new: Potentially Suspicious Self Extraction Directive File Created
  • new: Remote Access Tool - AnyDesk Execution With Known Revoked Signing Certificate
  • new: Self Extracting Package Creation Via Iexpress.EXE From Potentially Suspicious Location
  • new: Self Extraction Directive File Created In Potentially Suspicious Location
  • new: System Disk And Volume Reconnaissance Via Wmic.EXE

Updated Rules

  • update: BITS Transfer Job Download From File Sharing Domains - Add additional domains
  • update: Dfsvc.EXE Initiated Network Connection Over Uncommon Port - Update image and list of ports
  • update: External Disk Drive Or USB Storage Device Was Recognized By The System - Update selection to reflect the logic correctly
  • update: HH.EXE Initiated HTTP Network Connection - Update list of ports
  • update: Hacktool Execution - Imphash - Add EventLogCrasher imphash
  • update: Microsoft Binary Suspicious Communication Endpoint - Enhance list of paths and filters
  • update: Msiexec.EXE Initiated Network Connection Over HTTP - Update destination ports
  • update: Network Connection Initiated To Mega.nz - Update domains
  • update: Office Application Initiated Network Connection Over Uncommon Ports - Update list of ports
  • update: Office Application Initiated Network Connection To Non-Local IP - update list of filters
  • update: Potential Dead Drop Resolvers - Add abuse.ch
  • update: Potential Dead Drop Resolvers - Update domains and filters
  • update: RDP Sensitive Settings Changed - Add DisableRemoteDesktopAntiAlias and DisableSecuritySettings as seen used by DarkGate malware
  • update: Remote CHM File Download/Execution Via HH.EXE - Enhance logic
  • update: Rundll32 Execution With Uncommon DLL Extension - Update the selection to allow for additional quoted cases such as rundll32 "shell32.dll",ShellExec_RunDLL
  • update: Suspicious DNS Query for IP Lookup Service APIs - Add ipconfig.io domain
  • update: Suspicious Download From File-Sharing Website Via Bitsadmin - Add additional domains
  • update: Suspicious File Download From File Sharing Domain Via Curl.EXE - Add additional domains
  • update: Suspicious File Download From File Sharing Websites - Add additional domains
  • update: Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE - Add additional domains
  • update: Suspicious Network Connection to IP Lookup Service APIs - Add ipconfig.io domain
  • update: Suspicious Remote AppX Package Locations - Add additional domains
  • update: Unusual File Download From File Sharing Websites - Add additional domains

Removed / Deprecated Rules

  • remove: Suspicious Non-Browser Network Communication With Reddit API

Fixed Rules

  • fix: Dllhost.EXE Initiated Network Connection To Non-Local IP Address - Add additional filter
  • fix: HackTool - EDRSilencer Execution - Filter Added - Fix error in logsource
  • fix: Outbound RDP Connections Over Non-Standard Tools - Add missing field name
  • fix: Outbound RDP Connections Over Non-Standard Tools - Update filters
  • fix: Potential Dropper Script Execution Via WScript/CScript - Fix error in rule status
  • fix: Potential Fake Instance Of Hxtsr.EXE Executed - Use Image field in filter
  • fix: Rundll32 Execution With Uncommon DLL Extension - Error in filter logic
  • fix: SC.EXE Query Execution - Add keybase filter
  • fix: Uncommon Service Installation Image Path - Update filter logic to use correct modifiers

Acknowledgement

Thanks to @douglasrose75, @frack113, @jstnk9, @nasbench, @Neo23x0, @omaramin17, @phantinuss, @prashanthpulisetti, @qasimqlf, @slincoln-aiq, @swachchhanda000, @xiangchen96, @X-Junior for their contribution to this release

Release r2024-01-29

29 Jan 18:30
be359ef

New Rules

  • new: CodePage Modification Via MODE.COM
  • new: CodePage Modification Via MODE.COM To Russian Language
  • new: HackTool - EDRSilencer Execution - Filter Added
  • new: HackTool - SharpMove Tool Execution
  • new: Pikabot Fake DLL Extension Execution Via Rundll32.EXE
  • new: Rare Remote Thread Creation By Uncommon Source Image - A split of 66d31e5f-52d6-40a4-9615-002d3789a119
  • new: Unsigned DLL Loaded by RunDLL32/RegSvr32

Updated Rules

  • update: All Rules Have Been Deleted From The Windows Firewall Configuration - Remove the Program Files filter to increase coverage, as deleting all rules should not be "normal" behavior.
  • update: CVE-2023-38331 Exploitation Attempt - Suspicious WinRAR Child Process - Increase coverage
  • update: CreateRemoteThread API and LoadLibrary - Reduce level to medium and convert to a TH rule
  • update: Critical Hive In Suspicious Location Access Bits Cleared - Enhance metadata and logic
  • update: Malicious PowerShell Commandlets - PoshModule - "Start-Dnscat2"
  • update: Malicious PowerShell Commandlets - ProcessCreation - "Start-Dnscat2"
  • update: Malicious PowerShell Commandlets - ScriptBlock - "Start-Dnscat2"
  • update: Malicious PowerShell Scripts - FileCreation - Add "dnscat2.ps1"
  • update: Malicious PowerShell Scripts - PoshModule - Add "dnscat2.ps1"
  • update: Monitoring For Persistence Via BITS - Use "Image" and "OriginalFileName" fields instead of CLI only
  • update: Network Communication With Crypto Mining Pool - new domains from miningocean.org
  • update: New Firewall Rule Added In Windows Firewall Exception List For Potential Suspicious Application - Add additional paths to increase coverage
  • update: New Process Created Via Taskmgr.EXE - Added full paths to the filtered binaries to decrease false negatives
  • update: New or Renamed User Account with '$' Character - Reduced level to "medium"
  • update: Potential Dropper Script Execution Via WScript/CScript - Rewrote the logic: removed the paths "C:\Users" and "C:\ProgramData", which are very common and generate a high FP rate, replaced them with a more robust list of paths, extended the list of covered extensions, and reduced the level to "medium"
  • update: Potential Fake Instance Of Hxtsr.EXE Executed - Remove "C:" prefix from detection logic
  • update: Potential Pikabot C2 Activity - Added "searchfilterhost.exe"
  • update: Potential Pikabot Discovery Activity - Added "SearchProtocolHost.exe" and "SearchFilterHost.exe"
  • update: Potential Pikabot Hollowing Activity - Added "searchfilterhost"
  • update: Powershell Install a DLL in System Directory - enhance rule context in big script blocks
  • update: Prefetch File Deleted - Update selection to remove 'C:' prefix
  • update: Remote Thread Creation By Uncommon Source Image - Reduced level to medium and move high indicators to 02d1d718-dd13-41af-989d-ea85c7fab93f
  • update: Rundll32 Execution With Uncommon DLL Extension - Enhanced FP filters
  • update: Sensitive File Access Via Volume Shadow Copy Backup - Made the rule more generic by updating the title and removing the IOC from conti. (will be added in a dedicated rule)
  • update: Shell Process Spawned by Java.EXE - Add "bash.exe"
  • update: Suspicious PowerShell Download - Powershell Script - Add "DownloadFileAsync" and "DownloadStringAsync" functions
  • update: Suspicious Processes Spawned by Java.EXE - Remove "bash.exe" as it doesn't fit the logic
  • update: Sysmon Application Crashed - Add the 32-bit version of the Sysmon binary
  • update: Tap Driver Installation - Security - Reduce level to "low"
  • update: Write Protect For Storage Disabled - Remove "storagedevicepolicies" as the string "storage" already covers it

Removed / Deprecated Rules

  • remove: Dnscat Execution - Deprecated in favour of an integration in the "Malicious PowerShell Cmdlet" type of rules
  • remove: SAM Dump to AppData

Fixed Rules

  • fix: CobaltStrike Named Pipe Patterns - Add Websense named pipe filter
  • fix: EventLog Query Requests By Builtin Utilities - Typo in wmic process name
  • fix: Firewall Rule Modified In The Windows Firewall Exception List - New optional filter for the Brave browser
  • fix: Kerberos Manipulation - Update field to use Status instead of incorrect "FailureCode"
  • fix: Metasploit SMB Authentication - Remove unnecessary field
  • fix: Outbound RDP Connections Over Non-Standard Tools - new FP filter for RAS TSplus
  • fix: PowerShell Core DLL Loaded By Non PowerShell Process - new optional filter for chocolatey
  • fix: Remote Thread Creation In Mstsc.Exe From Suspicious Location - Fix a broken path string
  • fix: Remote Thread Creation In Uncommon Target Image - Reduce level to medium and remove explorer as target due to FP rates.
  • fix: Service Installation in Suspicious Folder - Update FP filter
  • fix: Uncommon New Firewall Rule Added In Windows Firewall Exception List - Fix the filters to be more generic

Acknowledgement

Thanks to @CrimpSec, @frack113, @jstnk9, @nasbench, @phantinuss, @qasimqlf, @slincoln-aiq, @swachchhanda000, @t-pol, @tr0mb1r, @xiangchen96 for their contribution to this release

Which Sigma rule package should I use?

A detailed explanation can be found in the Releases.md file. If you are new to Sigma, we recommend starting with the "Core" ruleset.

The latest release package on GitHub can always be found here.

Release r2024-01-15

15 Jan 18:31
r2024-01-15
3fb5392

New Rules

  • new: Binary Proxy Execution Via Dotnet-Trace.EXE
  • new: Forfiles.EXE Child Process Masquerading
  • new: GCP Access Policy Deleted
  • new: GCP Break-glass Container Workload Deployed
  • new: Google Workspace Application Access Levels Modified
  • new: HackTool - EDRSilencer Execution
  • new: HackTool - NoFilter Execution
  • new: PUA - PingCastle Execution
  • new: PUA - PingCastle Execution From Potentially Suspicious Parent
  • new: Peach Sandstorm APT Process Activity Indicators
  • new: Potential Peach Sandstorm APT C2 Communication Activity
  • new: Potential Persistence Via AppCompat RegisterAppRestart Layer
  • new: Potential Pikabot Infection - Suspicious Command Combinations Via Cmd.EXE
  • new: Renamed PingCastle Binary Execution
  • new: System Control Panel Item Loaded From Uncommon Location
  • new: System Information Discovery Using System_Profiler
  • new: System Integrity Protection (SIP) Disabled
  • new: System Integrity Protection (SIP) Enumeration
  • new: Windows Filtering Platform Blocked Connection From EDR Agent Binary

Updated Rules

  • update: Creation Of Non-Existent System DLL - Remove the drive anchor and the System32 filter. An attacker can stage the file elsewhere and then recreate it with a system utility located in System32, such as copy or xcopy, which would bypass the filter.
  • update: Findstr Launching .lnk File - Increase coverage by adding cases where the commandline ends with a double or a single quote.
  • update: Forfiles Command Execution - Remove unnecessary selection and enhance metadata information
  • update: Hacktool Execution - Imphash - Add additional imphash values to increase coverage
  • update: Hacktool Named File Stream Created - Added new Imphash values for EDRSandBlast, EDRSilencer and Forensia utilities.
  • update: Hypervisor Enforced Code Integrity Disabled - Add additional path for the HVCI config
  • update: Potential DLL Sideloading Of Non-Existent DLLs From System Folders - Add SignatureStatus to the filter so that only DLLs with a valid signature are excluded, reducing bypass opportunities.
  • update: Potential Persistence Via MyComputer Registry Keys - Remove SOFTWARE registry key anchor to increase coverage for WOW6432Node cases
  • update: Potential System DLL Sideloading From Non System Locations - Add iernonce.dll
  • update: Potential System DLL Sideloading From Non System Locations - Remove the drive anchor from the filter to account for systems installed on a drive other than C:
  • update: Powershell Defender Disable Scan Feature - Add additional PowerShell MpPreference Cmdlets
  • update: Remote PowerShell Session (PS Classic) - Reduce level to low
  • update: Screen Capture Activity Via Psr.EXE - Add -start commandline variation
  • update: System Information Discovery Using Ioreg - enhanced coverage with additional flags and cli options
  • update: Tamper Windows Defender - PSClassic - Add additional PowerShell MpPreference Cmdlets
  • update: Tamper Windows Defender - ScriptBlockLogging - Add additional PowerShell MpPreference Cmdlets
  • update: Uncommon Extension Shim Database Installation Via Sdbinst.EXE - Add additional commandline flag that might trigger FPs

Removed / Deprecated Rules

  • remove: Svchost DLL Search Order Hijack - Deprecated in favor of rule 6b98b92b-4f00-4f62-b4fe-4d1920215771. For legitimate cases where the DLL is still present, nothing can be filtered out. The replacement assumes the loaded DLL is not validly signed, which catches most cases; if the attacker is able to sign the DLL with a valid signature, the rule can be bypassed.
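
Added example (not part of the release notes and not SigmaHQ code): a small Python matcher for Sigma-style selections, run over constructed Sysmon records, showing why the entries above for Creation Of Non-Existent System DLL, Potential DLL Sideloading Of Non-Existent DLLs From System Folders, Potential System DLL Sideloading From Non System Locations and the deprecated Svchost DLL Search Order Hijack rule changed the way they did. The rule logic, the events and the DLL names (version.dll, wlbsctrl.dll) are assumptions made for the illustration, not copies of the released rules; the same drive-anchor removal recurs in several entries of the r2023-12-21 and r2023-12-04 notes further down the page.

```python
"""Toy evaluator for Sigma-style selections over constructed Sysmon records.
Added example, not SigmaHQ code.  Field names follow Sysmon (Image,
ImageLoaded, TargetFilename, SignatureStatus); the rule logic, the events
and the DLL names are assumptions made for this illustration."""

# Illustrative DLL names (assumption): one that ships with Windows and is a
# common sideloading target, one that Windows probes for but does not ship.
SYSTEM_DLLS = ("\\version.dll",)
PHANTOM_DLLS = ("\\wlbsctrl.dll",)

SYS32_ANCHORED = "C:\\Windows\\System32\\"  # hard-coded drive letter
SYS32_ANY_DRIVE = ":\\Windows\\System32\\"  # any drive, still at the root


def _cmp(actual, expected, modifier):
    if modifier == "contains":
        return expected in actual
    if modifier == "startswith":
        return actual.startswith(expected)
    if modifier == "endswith":
        return actual.endswith(expected)
    return actual == expected


def match(event, selection):
    """True if every 'Field|modifier' entry in selection matches the event.
    As in Sigma, comparison is case-insensitive and a list of values is OR."""
    for key, values in selection.items():
        field, _, modifier = key.partition("|")
        actual = str(event.get(field, "")).lower()
        if not isinstance(values, (list, tuple)):
            values = (values,)
        if not any(_cmp(actual, str(v).lower(), modifier) for v in values):
            return False
    return True


def system_dll_outside_system_dir(event, drive_anchored):
    """EID 7: Windows DLL loaded from outside the system directory.
    With the drive letter hard-coded, a legitimate load on a D: install
    escapes the exclusion and becomes a false positive; ':\\Windows\\System32\\'
    accepts any drive yet still rejects C:\\Users\\bob\\Windows\\System32\\."""
    if not match(event, {"ImageLoaded|endswith": SYSTEM_DLLS}):
        return False
    if drive_anchored:
        return not match(event, {"ImageLoaded|startswith": SYS32_ANCHORED})
    return not match(event, {"ImageLoaded|contains": SYS32_ANY_DRIVE})


def phantom_dll_in_system_dir(event, signature_aware):
    """EID 7: phantom DLL loaded from the system directory.  Excluding every
    load by a System32 process hides an unsigned DLL planted there; excluding
    only loads whose SignatureStatus is Valid keeps that alert.  A DLL the
    attacker managed to sign validly still slips through (the residual gap)."""
    if not match(event, {"ImageLoaded|contains": SYS32_ANY_DRIVE,
                         "ImageLoaded|endswith": PHANTOM_DLLS}):
        return False
    if signature_aware:
        return not match(event, {"SignatureStatus": "Valid"})
    return not match(event, {"Image|contains": SYS32_ANY_DRIVE})


def phantom_dll_created(event, keep_system32_filter):
    """EID 11: phantom DLL written to disk.  Ignoring writers under System32
    is defeated by staging the payload elsewhere and copying it in with
    xcopy.exe, which itself lives in System32; so the filter is dropped."""
    if not match(event, {"TargetFilename|endswith": PHANTOM_DLLS}):
        return False
    if keep_system32_filter and match(event, {"Image|contains": SYS32_ANY_DRIVE}):
        return False
    return True


# Constructed events, not real telemetry.
EVENTS = {
    "d_drive_legit": {"EventID": 7, "Image": "D:\\Windows\\System32\\svchost.exe",
                      "ImageLoaded": "D:\\Windows\\System32\\version.dll",
                      "SignatureStatus": "Valid"},
    "lookalike_dir": {"EventID": 7, "Image": "C:\\Users\\bob\\app.exe",
                      "ImageLoaded": "C:\\Users\\bob\\Windows\\System32\\version.dll",
                      "SignatureStatus": "Unavailable"},
    "unsigned_phantom": {"EventID": 7, "Image": "C:\\Windows\\System32\\svchost.exe",
                         "ImageLoaded": "C:\\Windows\\System32\\wlbsctrl.dll",
                         "SignatureStatus": "Unavailable"},
    "signed_phantom": {"EventID": 7, "Image": "C:\\Windows\\System32\\svchost.exe",
                       "ImageLoaded": "C:\\Windows\\System32\\wlbsctrl.dll",
                       "SignatureStatus": "Valid"},
    "xcopy_drop": {"EventID": 11, "Image": "C:\\Windows\\System32\\xcopy.exe",
                   "TargetFilename": "C:\\Windows\\System32\\wlbsctrl.dll"},
}


def evaluate():
    """Map each event name to {rule variant: alerts?}."""
    return {name: {
        "sysdll_anchored": system_dll_outside_system_dir(ev, True),
        "sysdll_any_drive": system_dll_outside_system_dir(ev, False),
        "phantom_old": phantom_dll_in_system_dir(ev, False),
        "phantom_sig": phantom_dll_in_system_dir(ev, True),
        "created_filtered": phantom_dll_created(ev, True),
        "created_unfiltered": phantom_dll_created(ev, False),
    } for name, ev in EVENTS.items()}


if __name__ == "__main__":
    for name, res in evaluate().items():
        print(f"{name:18s} alerts: {[k for k, v in res.items() if v]}")
```

Run it directly to print which variant alerts on each event. Three things fall out: the filter anchored on the C: drive letter stops suppressing the legitimate load once Windows lives on D:, while the ':\Windows\System32\' form accepts any drive and still rejects the look-alike C:\Users\bob\Windows\System32\ path; suppressing every System32 load hides the unsigned phantom DLL, whereas suppressing only SignatureStatus=Valid keeps that alert, with a validly signed DLL remaining the gap the deprecation note describes; and an exclusion for writers under System32 is defeated by xcopy.exe.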

Fixed Rules

  • fix: Enable LM Hash Storage - ProcCreation - Removed trailing slash from registry path
  • fix: Potentially Suspicious EventLog Recon Activity Using Log Query Utilities - Fix typo in WMIC image name
  • fix: Suspicious Greedy Compression Using Rar.EXE - Fix error in path selection
  • fix: Suspicious Redirection to Local Admin Share - Add missing CommandLine field selection
  • fix: System Information Discovery Via Wmic.EXE - Move to threat hunting and add additional filter to reduce noise coming from VMware Tools

Acknowledgement

Thanks to @ahouspan, @bohops, @danielgottt, @frack113, @joshnck, @jstnk9, @meiliumeiliu, @MrSeccubus, @nasbench, @Neo23x0, @phantinuss, @qasimqlf, @slincoln-aiq, @st0pp3r, @tr0mb1r, @Tuutaans, @X-Junior, @zestsg for their contribution to this release

Release r2023-12-21

21 Dec 20:12
e052677

New Rules

  • new: Access To Potentially Sensitive Sysvol Files By Uncommon Application
  • new: Access To Sysvol Policies Share By Uncommon Process
  • new: Cloudflared Portable Execution
  • new: Cloudflared Quick Tunnel Execution
  • new: Cloudflared Tunnels Related DNS Requests
  • new: Communication To Uncommon Destination Ports
  • new: Compressed File Creation Via Tar.EXE
  • new: Compressed File Extraction Via Tar.EXE
  • new: DLL Names Used By SVR For GraphicalProton Backdoor
  • new: Enable LM Hash Storage
  • new: Enable LM Hash Storage - ProcCreation
  • new: Potential Base64 Decoded From Images
  • new: Potentially Suspicious Desktop Background Change Using Reg.EXE
  • new: Potentially Suspicious Desktop Background Change Via Registry
  • new: Potentially Suspicious Execution Of Regasm/Regsvcs With Uncommon Extension
  • new: Renamed Cloudflared.EXE Execution
  • new: Scheduled Tasks Names Used By SVR For GraphicalProton Backdoor
  • new: Scheduled Tasks Names Used By SVR For GraphicalProton Backdoor - Task Scheduler
  • new: System Information Discovery Using Ioreg
  • new: System Information Discovery Using sw_vers
  • new: System Information Discovery Via Wmic.EXE

Updated Rules

  • update: ADFS Database Named Pipe Connection By Uncommon Tool - Enhance coverage by improving paths selection
  • update: Access To Browser Credential Files By Uncommon Application - Increase level to medium and enhance filters and selections
  • update: Account Created And Deleted By Non Approved Users - Add missing expand modifier
  • update: Add Potential Suspicious New Download Source To Winget - Reduce level to medium
  • update: Authentication Occuring Outside Normal Business Hours - Add missing expand modifier
  • update: Cloudflared Tunnel Connections Cleanup - Enhanced CLI flag selection to remove the unnecessary double dash
  • update: Cloudflared Tunnel Execution - Enhanced CLI flag selection to remove the unnecessary double dash
  • update: CodeIntegrity - Unmet Signing Level Requirements By File Under Validation - Reduce level to low
  • update: Compress-Archive Cmdlet Execution - Reduced level to low and moved to Threat Hunting folder.
  • update: Copy From Or To Admin Share Or Sysvol Folder - Enhance selection to be more accurate
  • update: Disabled Volume Snapshots - Update logic by removing the reg string to also account for potential renamed executions
  • update: Eventlog Cleared - Update FP filter to remove "Application" log and increase coverage
  • update: Failed Code Integrity Checks - Reduce level to informational
  • update: Folder Compress To Potentially Suspicious Output Via Compress-Archive Cmdlet - Update logic to be more specific
  • update: HH.EXE Execution - Reduce level to low
  • update: Interactive Logon to Server Systems - Add missing expand modifier
  • update: Locked Workstation - Reduce level to informational
  • update: Malicious Driver Load By Name - Increase coverage based on LOLDrivers data
  • update: Malware User Agent
  • update: Meterpreter or Cobalt Strike Getsystem Service Installation - Security - Reduce level to high and restructure selections
  • update: Meterpreter or Cobalt Strike Getsystem Service Installation - System - Reduce level to high and restructure selections
  • update: PUA - Nmap/Zenmap Execution - Reduce level to medium
  • update: PUA - Process Hacker Execution - Reduce level to medium
  • update: PUA - Radmin Viewer Utility Execution - Reduce level to medium
  • update: Potential Credential Dumping Activity Via LSASS - Reduce level to medium and comment out noisy access masks
  • update: Potential Pass the Hash Activity - Add missing expand modifier
  • update: Potential PowerShell Execution Policy Tampering - Remove "RemoteSigned" as it doesn't fit with the current logic
  • update: Potential Recon Activity Via Nltest.EXE - Add dnsgetdc coverage and enhance logic by removing /
  • update: Potential System DLL Sideloading From Non System Locations - Enhance logic by removing hardcoded C: value to account for other potential system locations
  • update: Potential Zerologon (CVE-2020-1472) Exploitation - Add missing expand modifier
  • update: Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location - Reduce level to medium and update logic
  • update: Potentially Suspicious Malware Callback Communication - Increase coverage by adding new additional ports
  • update: PowerShell Execution With Potential Decryption Capabilities
  • update: Privilege Role Elevation Not Occuring on SAW or PAW - Add missing expand modifier
  • update: Privilege Role Sign-In Outside Expected Controls - Add missing expand modifier
  • update: Privilege Role Sign-In Outside Of Normal Hours - Add missing expand modifier
  • update: Remote Registry Management Using Reg Utility - Add missing expand modifier
  • update: RestrictedAdminMode Registry Value Tampering - ProcCreation - Updated the logic to ignore the data value, since this registry value has legitimate use cases whether set to "0" or "1"
  • update: RestrictedAdminMode Registry Value Tampering - Updated the logic to ignore the data value, since this registry value has legitimate use cases whether set to "0" or "1"
  • update: Rundll32 Execution With Uncommon DLL Extension - Enhance DLL extension list
  • update: LSASS Access From Non System Account - Reduce level to medium and enhance false positive filters
  • update: Suspicious Executable File Creation - Enhance coverage by removing hardcoded "C:"
  • update: Suspicious Program Location with Network Connections - Increase accuracy by enhancing the selection to focus on the start of the folder and partition
  • update: Suspicious Schtasks From Env Var Folder - Reduce level to medium
  • update: Suspicious Shim Database Patching Activity - Add new processes to increase coverage
  • update: Uncommon Extension Shim Database Installation Via Sdbinst.EXE - Reduce level to medium
  • update: Uncommon System Information Discovery Via Wmic.EXE - Updated logic to focus on more specific WMIC query sequence to increase the level and added a related rule to cover the missing gaps in d85ecdd7-b855-4e6e-af59-d9c78b5b861e
  • update: WMI Event Consumer Created Named Pipe - Reduce level to medium
  • update: Whoami Utility Execution - Reduce level to low
  • update: Whoami.EXE Execution With Output Option - Reduce level to medium
  • update: Windows Defender Malware Detection History Deletion - Reduce level to informational
  • update: Write Protect For Storage Disabled - Update logic by removing the reg string to also account for potential renamed executions
  • update: Zip A Folder With PowerShell For Staging In Temp - PowerShell - Update logic to be more specific
  • update: Zip A Folder With PowerShell For Staging In Temp - PowerShell Module - Update logic to be more specific
  • update: Zip A Folder With PowerShell For Staging In Temp - PowerShell Script - Update logic to be more specific

Removed / Deprecated Rules

  • remove: Credential Dumping Tools Service Execution
  • remove: New Service Uses Double Ampersand in Path
  • remove: PowerShell Scripts Run by a Services
  • remove: Powershell File and Directory Discovery
  • remove: Security Event Log Cleared
  • remove: Suspicious Get-WmiObject
  • remove: Windows Defender Threat Detection Disabled

Fixed Rules

  • fix: Access To Windows Credential History File By Uncommon Application - Enhance FP filters
  • fix: Access To Windows DPAPI Master Keys By Uncommon Application - Enhance FP filters
  • fix: Amsi.DLL Load By Uncommon Process - Moved to threat hunting folder and updated false positive filters to remove hardcoded C:
  • fix: Bad Opsec Defaults Sacrificial Processes With Improper Arguments - Typo in condition
  • fix: Credential Manager Access By Uncommon Application - Enhance FP filters
  • fix: Elevated System Shell Spawned From Uncommon Parent Location - Enhance FP filters
  • fix: Execution of Suspicious File Type Extension - Add new extensions to reduce FP
  • fix: HackTool - EfsPotato Named Pipe Creation - Add exclusion for pipe names starting with \pipe\
  • fix: Important Windows Eventlog Cleared - Update selection to remove "Application" log as it was generating a lot of FP in some environments
  • fix: Malicious PowerShell Commandlets - ScriptBlock - Remove some part of the selection due to FP matches as they were generic cmdlet names
  • fix: PSScriptPolicyTest Creation By Uncommon Process - Add new filter for "sdiagnhost"
  • fix: Potential Direct Syscall of NtOpenProcess - Add "Adobe" filter
  • fix: Potential Shim Database Persistence via Sdbinst.EXE - Update FP filter for "iisexpressshim" sdb
  • fix: Potentially Suspicious AccessMask Requested From LSASS - Add new FP filter for "procmon" process
  • fix: PowerView PowerShell Cmdlets - ScriptBlock - Remove some part of the selection due to FP matches as they were generic cmdlet names
  • fix: Relevant Anti-Virus Signature Keywords In Application Log - Update false positive filters
  • fix: Remote Access Tool Services Have Been Installed - Security - Fix typo in field name
  • fix: Suspicious Command Patterns In Scheduled Task Creation - Fix error in modifier usage
  • fix: Suspicious File Creation Activity From Fake Recycle.Bin Folder - Remove RECYCLE.BIN\ as it was added as a typo and is a legitimate location.
  • fix: Suspicious Office Outbound Connections - Enhanced the filter by adding new ports that cause FP with SMTP and IMAP communications
  • fix: Suspicious SYSTEM User Process Creation - add additional filters to cover both program file folders for FP with Java process
  • fix: Uncommon Child Process Of Conhost.EXE - Add new FP filters
  • fix: Uncommon File Created In Office Startup Folder - Add new extension to filter out FP generated with MS Access databases
  • fix: Uncommon PowerShell Hosts - Moved to threat hunting folder and updated false positive filter list
  • fix: Unusual Parent Process For Cm...

Release r2023-12-04

04 Dec 16:59
f07e2b3

New Rules

  • new: CVE-2023-4966 Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Proxy
  • new: CVE-2023-4966 Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Webserver
  • new: CVE-2023-4966 Potential Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Proxy
  • new: CVE-2023-4966 Potential Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Webserver
  • new: Chromium Browser Instance Executed With Custom Extension
  • new: Credential Dumping Activity By Python Based Tool
  • new: Exploitation Attempt Of CVE-2023-46214 Using Public POC Code
  • new: HackTool - Generic Process Access
  • new: HackTool - WinPwn Execution
  • new: HackTool - WinPwn Execution - ScriptBlock
  • new: Invocation Of Crypto-Classes From The "Cryptography" PowerShell Namespace
  • new: Load Of RstrtMgr DLL From Suspicious Process
  • new: Load Of RstrtMgr.DLL By An Uncommon Process
  • new: New Netsh Helper DLL Registered From A Suspicious Location
  • new: Potential CVE-2023-46214 Exploitation Attempt
  • new: Potential Linux Process Code Injection Via DD Utility
  • new: Potential Persistence Via Netsh Helper DLL - Registry
  • new: Registry Set With Crypto-Classes From The "Cryptography" PowerShell Namespace
  • new: Suspicious Path In Keyboard Layout IME File Registry Value
  • new: Uncommon Extension In Keyboard Layout IME File Registry Value
  • new: Wusa.EXE Executed By Parent Process Located In Suspicious Location

Updated Rules

  • update: Credential Dumping Activity Via Lsass - Update selection to increase coverage and filters to tune false positives
  • update: Credential Dumping Attempt Via WerFault - Update title
  • update: Enabling COR Profiler Environment Variables - Add additional values to increase coverage for potential COR CLR profiler abuse
  • update: Exchange Exploitation Used by HAFNIUM - Add related ATT&CK group tag
  • update: Function Call From Undocumented COM Interface EditionUpgradeManager - Reduce level to medium
  • update: HackTool - CobaltStrike BOF Injection Pattern - Update title
  • update: HackTool - HandleKatz Duplicating LSASS Handle - Update title
  • update: HackTool - LittleCorporal Generated Maldoc Injection - Update title
  • update: HackTool - SysmonEnte Execution - Add additional location of Sysmon, update title and filters
  • update: HackTool - winPEAS Execution - Add additional image names for winPEAS
  • update: LSASS Access From Potentially White-Listed Processes - Update title and description
  • update: LSASS Access From Program In Potentially Suspicious Folder - Update filters to account for drives other than C:
  • update: LSASS Memory Access by Tool With Dump Keyword In Name - Update title and description
  • update: Lsass Memory Dump via Comsvcs DLL - Reduce level and remove path from filter to account for any location of rundll32
  • update: Malware Shellcode in Verclsid Target Process - Move to hunting folder
  • update: Potential Credential Dumping Attempt Via PowerShell - Reduce level to medium, update description and move to hunting folder
  • update: Potential Defense Evasion Via Raw Disk Access By Uncommon Tools - Update filters and metadata
  • update: Potential Operation Triangulation C2 Beaconing Activity - DNS - Add related ATT&CK group tag
  • update: Potential Persistence Via Netsh Helper DLL - Reduced severity and enhance metadata information
  • update: Potential Process Hollowing Activity - Update FP filter
  • update: Potential Shellcode Injection - Update title and enhance false positive filter
  • update: Potentially Suspicious GrantedAccess Flags On LSASS
  • update: Remote LSASS Process Access Through Windows Remote Management - Update title, description and filter to account for installation other than C:
  • update: Suspicious Chromium Browser Instance Executed With Custom Extension - Fix typo in the rule title and description
  • update: Suspicious DNS Query for IP Lookup Service APIs - add several external IP lookup services to existing list
  • update: Suspicious Network Connection to IP Lookup Service APIs - add several external IP lookup services to existing list
  • update: Suspicious Svchost Process Access - Enhance filter to account for installation in non C: locations
  • update: Uncommon GrantedAccess Flags On LSASS - Enhance false positive filter
  • update: Wusa.EXE Extracting Cab Files From Suspicious Paths - Tune the list of paths to be less FP prone

Removed / Deprecated Rules

  • remove: Credential Dumping Tools Accessing LSASS Memory

Fixed Rules

  • fix: File or Folder Permissions Modifications - FPs with partial paths
  • fix: Import New Module Via PowerShell CommandLine - Fix typo in condition
  • fix: Mint Sandstorm - Log4J Wstomcat Process Execution - Add missing filter
  • fix: Potential NT API Stub Patching - Tune FP filter
  • fix: WMI Module Loaded By Non Uncommon Process - Fix typo in the rule filter

Acknowledgement

Thanks to @0x616c6578, @AaronHoffmannRL, @bohops, @EzLucky, @frack113, @himynamesdave, @joshnck, @nasbench, @netgrain, @phantinuss, @qasimqlf, @skaynum, @StevenD33, @swachchhanda000, @ts-lbf, @X-Junior for their contribution to this release
