Release r2024-02-12

New Rules

• new: Exploitation Indicator Of CVE-2022-42475
• new: Interesting Service Enumeration Via Sc.EXE
• new: Loaded Module Enumeration Via Tasklist.EXE
• new: New Self Extracting Package Created Via IExpress.EXE
• new: Potentially Suspicious Self Extraction Directive File Created
• new: Remote Access Tool - AnyDesk Execution With Known Revoked Signing Certificate
• new: Self Extracting Package Creation Via Iexpress.EXE From Potentially Suspicious Location
• new: Self Extraction Directive File Created In Potentially Suspicious Location
• new: System Disk And Volume Reconnaissance Via Wmic.EXE

Updated Rules

• update: BITS Transfer Job Download From File Sharing Domains - Add additional domains
• update: Dfsvc.EXE Initiated Network Connection Over Uncommon Port - Update image and list of ports
• update: External Disk Drive Or USB Storage Device Was Recognized By The System - Update selection to reflect the logic correctly
• update: HH.EXE Initiated HTTP Network Connection - Update list of ports
• update: Hacktool Execution - Imphash - Add EventLogCrasher imphash
• update: Microsoft Binary Suspicious Communication Endpoint - Enhance list of paths and filters
• update: Msiexec.EXE Initiated Network Connection Over HTTP - Update destination ports
• update: Network Connection Initiated To Mega.nz - Update domains
• update: Office Application Initiated Network Connection Over Uncommon Ports - Update list of ports
• update: Office Application Initiated Network Connection To Non-Local IP - update list of filters
• update: Potential Dead Drop Resolvers - Add abuse.ch
• update: Potential Dead Drop Resolvers - Update domains and filters
• update: RDP Sensitive Settings Changed - Add DisableRemoteDesktopAntiAlias and DisableSecuritySettings as seen used by DarkGate malware
• update: Remote CHM File Download/Execution Via HH.EXE - Enhance logic
• update: Rundll32 Execution With Uncommon DLL Extension - Update the selection to allow for additional quoted cases such as rundll32 "shell32.dll",ShellExec_RunDLL
• update: Suspicious DNS Query for IP Lookup Service APIs - Add ipconfig.io domain
• update: Suspicious Download From File-Sharing Website Via Bitsadmin - Add additional domains
• update: Suspicious File Download From File Sharing Domain Via Curl.EXE - Add additional domains
• update: Suspicious File Download From File Sharing Websites - Add additional domains
• update: Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE - Add additional domains
• update: Suspicious Network Connection to IP Lookup Service APIs - Add ipconfig.io domain
• update: Suspicious Remote AppX Package Locations - Add additional domains
• update: Unusual File Download From File Sharing Websites - Add additional domains

Removed / Deprecated Rules

• remove: Suspicious Non-Browser Network Communication With Reddit API

Fixed Rules

• fix: Dllhost.EXE Initiated Network Connection To Non-Local IP Address - Add additional filter
• fix: HackTool - EDRSilencer Execution - Filter Added - Fix error in logsource
• fix: Outbound RDP Connections Over Non-Standard Tools - Add missing field name
• fix: Outbound RDP Connections Over Non-Standard Tools - Update filters
• fix: Potential Dropper Script Execution Via WScript/CScript - Fix error in rule status
• fix: Potential Fake Instance Of Hxtsr.EXE Executed - Use Image field in filter
• fix: Rundll32 Execution With Uncommon DLL Extension - Error in filter logic
• fix: SC.EXE Query Execution - Add keybase filter
• fix: Uncommon Service Installation Image Path - Update filter logic to use correct modifiers

Acknowledgement

Thanks to @douglasrose75, @frack113, @jstnk9, @nasbench, @Neo23x0, @omaramin17, @phantinuss, @prashanthpulisetti, @qasimqlf, @slincoln-aiq, @swachchhanda000, @xiangchen96, @X-Junior for their contribution to this release

Which Sigma rule package should I use?

A detailed explanation can be found in the Releases.md file. If you are new to Sigma, we recommend starting with the "Core" ruleset.

The latest release package on GitHub can always be found here.