Release r2025-11-01

New Rules

• new: AWS Bucket Deleted
• new: AWS Console Login Monitoring
• new: AWS ConsoleLogin Failed Authentication
• new: AWS EnableRegion Command Monitoring
• new: AWS IAM user with Console Access Login Without MFA (#5074)
• new: AWS KMS Imported Key Material Usage
• new: AWS STS GetCallerIdentity Enumeration Via TruffleHog
• new: AWS VPC Flow Logs Deleted
• new: Audit Rules Deleted Via Auditctl
• new: BaaUpdate.exe Suspicious DLL Load
• new: FTP Connection Open Attempt Via Winscp CLI
• new: File Access Of Signal Desktop Sensitive Data
• new: GitHub Repository Archive Status Changed
• new: GitHub Repository Pages Site Changed to Public
• new: Hacktool - EDR-Freeze Execution
• new: IIS WebServer Log Deletion via CommandLine Utilities
• new: ISATAP Router Address Was Set
• new: Installation of WSL KaliLinux
• new: Kaspersky Endpoint Security Stopped Via CommandLine - Linux
• new: Linux Sudo Chroot Execution
• new: Mask System Power Settings Via Systemctl
• new: Non-Standard Nsswitch.Conf Creation - Potential CVE-2025-32463 Exploitation
• new: PUA - Restic Backup Tool Execution
• new: Potential Executable Run Itself As Sacrificial Process
• new: Potential Exploitation of GoAnywhere MFT vulnerability
• new: Potential Lateral Movement via Windows Remote Shell
• new: Python WebServer Execution - Linux
• new: RunMRU Registry Key Deletion
• new: RunMRU Registry Key Deletion - Registry
• new: Suspicious BitLocker Access Agent Update Utility Execution (#5502)
• new: Syslog Clearing or Removal Via System Utilities
• new: Unsigned or Unencrypted SMB Connection to Share Established
• new: WFP Filter Added via Registry
• new: WSL Kali Linux Usage
• new: WinRAR Creating Files in Startup Locations
• new: Winrs Local Command Execution
• new: Winscp Execution From Non Standard Folder

Updated Rules

• update: ASLR Disabled Via Sysctl or Direct Syscall - Linux - Add sysctl option
• update: AWS Successful Console Login Without MFA - only alert on successful logins
• update: Account Tampering - Suspicious Failed Logon Reasons - add SubStatus field
• update: Blackbyte Ransomware Registry - move to rules-emerging-threats folder
• update: Local Accounts Discovery - add OriginalFileName field
• update: Modify System Firewall - add nftables delete/flush
• update: PFX File Creation - Enhance filters, metadata and logic
• update: Potential LSASS Process Dump Via Procdump - expand flags and service-names detection
• update: Potentially Suspicious JWT Token Search Via CLI - add selection for common search tools
• update: PowerShell Download Pattern - add powershell_ise
• update: Powershell Token Obfuscation - Powershell - Move to the TH folder in order to set the right FP expectations.
• update: Suspicious C2 Activities - update definition (#5142)
• update: Suspicious Process Suspension via WERFaultSecure through EDR-Freeze - refine image path logic and include OriginalFileName for improved rule accuracy
• update: Suspicious Startup Folder Persistence: add more suspicious extensions
• update: Use Short Name Path in Image - change detection logic structure
• update: WinRAR Execution in Non-Standard Folder - update PE metadata

Removed / Deprecated Rules

• remove: Active Directory Parsing DLL Loaded Via Office Application - deprecated as this rule was triggered everytime any office app was opened
• remove: Azure Application Credential Modified - superseeded by cbb67ecc-fb70-4467-9350-c910bdf7c628
• remove: PowerShell DownloadFile - Deprecated in favour of 3b6ab547-8ec2-4991-b9d2-2b06702a48d7
• remove: Whoami Utility Execution - Deprecated in favor of 502b42de-4306-40b4-9596-6f590c81f073

Fixed Rules

• fix: Allow Service Access Using Security Descriptor Tampering Via Sc.EXE - filter hexnode
• fix: Alternate PowerShell Hosts - PowerShell Module - filter out more legit powershell host
• fix: Arbitrary DLL or Csproj Code Execution Via Dotnet.EXE - remove + characters from selectors
• fix: CurrentVersion Autorun Keys Modification - Add more filters for OneDriverSetup.EXE
• fix: CurrentVersion NT Autorun Keys Modification - filter svchost making legitimate registry change
• fix: File With Uncommon Extension Created By An Office Application - Add a filter to remove fp caused by ".com" directory filename
• fix: Firewall Configuration Discovery Via Netsh.EXE - fix logic (#5171)
• fix: HackTool - Windows Credential Editor (WCE) Execution - remove fp selection while increasing coverage
• fix: Kerberoasting Activity - Initial Query - Fix issue with filter names and logic
• fix: Mint Sandstorm - AsperaFaspex Suspicious Process Execution - Change the commandline to regex to account for additional spaces when ingesting non XML version of logs from the eventlog.
• fix: Mint Sandstorm - ManageEngine Suspicious Process Execution - Change the commandline to regex to account for additional spaces when ingesting non XML version of logs from the eventlog.
• fix: Office Application Initiated Network Connection Over Uncommon Ports - Add filter for other common ports
• fix: Office Application Initiated Network Connection To Non-Local IP - Add filter to more legit microsoft IP address ASN subnets
• fix: Office Autorun Keys Modification - Add a new filter for a FriendlyName Addin
• fix: Ping Hex IP - refined detection by adding regex to only match true hexadecimal IPv4 formats
• fix: Potential CVE-2023-23397 Exploitation Attempt - Add RemoteAddress field to filters
• fix: Potential Data Exfiltration Activity Via CommandLine Tools - Change the commandline to regex to account for additional spaces when ingesting non XML version of logs from the eventlog.
• fix: Potential Devil Bait Malware Reconnaissance - Change the commandline to regex to account for additional spaces when ingesting non XML version of logs from the eventlog.
• fix: Potential Dtrack RAT Activity - Change the commandline to regex to account for additional spaces when ingesting non XML version of logs from the eventlog.
• fix: Potential PowerShell Obfuscation Using Alias Cmdlets - filter legitimate cim aliases
• fix: Potential Snatch Ransomware Activity - Change the commandline to regex to account for additional spaces when ingesting non XML version of logs from the eventlog.
• fix: Potentially Suspicious Desktop Background Change Via Registry - filter EC2Launch.exe
• fix: Potentially Suspicious Volume Shadow Copy Vsstrace.dll Load - Add a filter for null Image field
• fix: Program Executed Using Proxy/Local Command Via SSH.EXE - fix overlap of strings to reduce FPs
• fix: Rare Remote Thread Creation By Uncommon Source Image - filter office FPs (#5529)
• fix: Registry Persistence via Service in Safe Mode - filter hexnode
• fix: SMB Create Remote File Admin Share - filter out local IP
• fix: Startup Folder File Write - Add a filter for OneNote
• fix: Suspicious Access to Sensitive File Extensions - Commented out groups.xml
• fix: Suspicious Access to Sensitive File Extensions - Zeek - Commented out groups.xml
• fix: Suspicious Network Command - Change the commandline to regex to account for additional spaces when ingesting non XML version of logs from the eventlog.
• fix: Suspicious Non PowerShell WSMAN COM Provider - filter hexnode
• fix: Suspicious SYSTEM User Process Creation - Change the commandline to regex to account for additional spaces when ingesting non XML version of logs from the eventlog.
• fix: Suspicious Userinit Child Process - Add filter to Explorer in CommandLine
• fix: Suspicious Volume Shadow Copy Vssapi.dll Load - Add a filter for null Image field
• fix: Suspicious WSMAN Provider Image Loads - Add a filter for mmc loading wsman provider images
• fix: Sysmon Channel Reference Deletion - AccessMask should be a string
• fix: System Disk And Volume Reconnaissance via Wmic.EXE - update the rule logic to remove potential FPs
• fix: System File Execution Location Anomaly - add filter for wsl fps
• fix: Turla Group Commands May 2020 - Change the commandline to regex to account for additional spaces when ingesting non XML version of logs from the eventlog.
• fix: Uncommon AppX Package Locations - Add a filter to legit Microsoft path
• fix: Uncommon PowerShell Hosts - filter hexnode
• fix: Usage Of Web Request Commands And Cmdlets - Comment out Net.webclient
• fix: Usage Of Web Request Commands And Cmdlets - ScriptBlock - Commented out Net.webclient
• fix: WannaCry Ransomware Activity - remove generic indicators (#5131)

Acknowledgement

Thanks to @adanalvarez, @BalsamicSentry, @BIitzkrieg, @CheraghiMilad, @david-syk, @djlukic, @EzLucky, @frack113, @kagebunsher, @KingKDot, @Koifman, @Liran017, @mlakri, @mm-abdelghani, @nasbench, @netgrain, @NinnessOtu, @peterydzynski, @phantinuss, @rkmbaxed, @RobertN87, @saakovv, @swachchhanda000, @thuya-hacktilizer, @toopricey, @vasquja, @vl43den, @YamatoSecurity, @zambomarcell for their contribution to this release

Which Sigma rule package should I use?

A detailed explanation can be found in the Releases.md file. If you are new to Sigma, we recommend starting with the "Core" ruleset.

The latest release package on GitHub can always be found here.

Release r2025-10-01

New Rules

• new: ADExplorer Writing Complete AD Snapshot Into .dat File
• new: CrushFTP RCE vulnerability CVE-2025-54309
• new: Delete Defender Scan ShellEx Context Menu Registry Key
• new: Disabling Windows Defender WMI Autologger Session via Reg.exe
• new: FunkLocker Ransomware File Creation
• new: Low Reputation Effective Top-Level Domain (eTLD)
• new: MMC Executing Files with Reversed Extensions Using RTLO Abuse
• new: MMC Loading Script Engines DLLs
• new: MacOS FileGrabber Infostealer
• new: NodeJS Execution of JavaScript File
• new: Password Never Expires Set via WMI
• new: Potential ClickFix Execution Pattern - Registry
• new: Potential Hello-World Scraper Botnet Activity
• new: Potential JLI.dll Side-Loading
• new: Potential PowerShell Console History File Access Attempt
• new: Potential SAP NetWeaver Webshell Creation
• new: Potential SAP NetWeaver Webshell Creation - Linux
• new: Potential SSH Tunnel Persistence Install Using A Scheduled Task
• new: Potential SharePoint ToolShell CVE-2025-53770 Exploitation - File Create
• new: Potential SharePoint ToolShell CVE-2025-53770 Exploitation Indicators
• new: Potentially Suspicious Child Processes Spawned by ConHost
• new: Potentially Suspicious Inline JavaScript Execution via NodeJS Binary
• new: PowerShell Defender Default Threat Action Set to 'Allow' or 'NoAction'
• new: Registry Manipulation via WMI Stdregprov
• new: Remote Access Tool - TacticalRMM Agent Registration to Potential Attacker-Controlled Server
• new: Scheduled Task Creation Masquerading as System Processes
• new: Schtasks Curl Download and Powershell Execution Combination
• new: Security Event Logging Disabled Via MiniNt Registry Key - Process
• new: Security Event Logging Disabled Via MiniNt Registry Key - Registry Set
• new: SharePoint ToolShell CVE-2025-53770 Exploitation - Web IIS
• new: Suspicious Child Process of SAP NetWeaver
• new: Suspicious Child Process of SAP NetWeaver - Linux
• new: Suspicious Creation of .library-ms File - Potential CVE-2025-24054 Exploit
• new: Suspicious File Created in Outlook Temporary Directory
• new: Suspicious File Write to SharePoint Layouts Directory
• new: Suspicious Process Suspension via WERFaultSecure through EDR-Freeze
• new: Suspicious Uninstall of Windows Defender Feature via PowerShell
• new: Suspicious Velociraptor Child Process
• new: WDAC Policy File Creation In CodeIntegrity Folder
• new: Windows Defender Context Menu Removed via Reg.exe
• new: Windows Defender Default Threat Action Modified
• new: Windows Recovery Environment Disabled Via Reagentc

Updated Rules

• update: Active Directory Database Snapshot Via ADExplorer - add more selections
• update: Certificate Use With No Strong Mapping - Update Provider Name
• update: Change User Agents with WebRequest - add invoke-restmethod cmdlet
• update: DNS Query Tor .Onion Address - Sysmon - update detection logic
• update: DNS TOR Proxies - update detection logic
• update: KDC RC4-HMAC Downgrade CVE-2022-37966 - Update Provider Name
• update: Network Connection Initiated To BTunnels Domains - MITRE tags
• update: Network Connection Initiated To Cloudflared Tunnels Domains - MITRE tags
• update: Network Connection Initiated To DevTunnels Domain - MITRE tags
• update: Network Connection Initiated To Mega.nz - MITRE tag
• update: Network Connection Initiated To Visual Studio Code Tunnels Domain - MITRE tags
• update: No Suitable Encryption Key Found For Generating Kerberos Ticket - Update Provider Name
• update: Obfuscated IP Download Activity - add invoke-restmethod cmdlet
• update: Potential DLL File Download Via PowerShell Invoke-WebRequest - add invoke-restmethod cmdlet
• update: Potential Data Exfiltration Activity Via CommandLine Tools - add invoke-restmethod cmdlet
• update: Potential Defense Evasion Via Binary Rename - add 7za
• update: Potential Defense Evasion Via Right-to-Left Override - add [U+202E]
• update: Potential File Extension Spoofing Using Right-to-Left Override - add [U+202E] and more extensions
• update: Potential SharePoint ToolShell CVE-2025-53770 Exploitation - File Create - update rule with new IOCs
• update: PowerShell Download and Execution Cradles - add invoke-restmethod cmdlet
• update: PowerShell Script With File Upload Capabilities - add invoke-restmethod cmdlet
• update: Python Image Load By Non-Python Process - update the metadata
• update: Query Tor Onion Address - DNS Client - update detection logic
• update: Regsvr32 DLL Execution With Suspicious File Extension - add coverage for regsvr executing '.log' extension
• update: Renamed Visual Studio Code Tunnel Execution - remove optional flag '--name'
• update: RestrictedAdminMode Registry Value Tampering - ProcCreation - remove trailing slash
• update: Suspicious Active Directory Database Snapshot Via ADExplorer - add more selections
• update: Suspicious Double Extension Files - add .svg extension
• update: Suspicious Dropbox API Usage - MITRE tags
• update: Suspicious Get Local Groups Information - PowerShell - increase coverage for WMI modules
• update: Suspicious Invoke-WebRequest Execution - add powershell_ise
• update: Suspicious Invoke-WebRequest Execution With DirectIP - add invoke-restmethod cmdlet
• update: Suspicious Non-Browser Network Communication With Telegram API - MITRE tag
• update: Suspicious PowerShell In Registry Run Keys - add invoke-restmethod cmdlet
• update: Suspicious Windows Service Tampering - add coverage for Windows service tampering through wmic and PowerShell WMI module
• update: System File Execution Location Anomaly - add taskhostw
• update: Unsigned DLL Loaded by Windows Utility - also filter SignatureStatus 'valid'
• update: Usage Of Web Request Commands And Cmdlets - ScriptBlock - add invoke-restmethod cmdlet
• update: Usage Of Web Request Commands And Cmdlets - add invoke-restmethod cmdlet
• update: Visual Studio Code Tunnel Execution - remove optional flag '--name'

Removed / Deprecated Rules

• remove: .RDP File Created by Outlook Process - deprecate in favour of fabb0e80-030c-4e3e-a104-d09676991ac3
• remove: PowerShell Web Download - deprecate duplicate rule in favour of 9fc51a3c-81b3-4fa7-b35f-7c02cf10fd2d

Fixed Rules

• fix: Added Credentials to Existing Application - fix filter dash type, capitalization and spaces to match Azure log format
• fix: COM Hijacking via TreatAs - Add filter for integrator.exe
• fix: HackTool - LaZagne Execution - remove imphashes common to pyinstaller bundled executables
• fix: New Service Creation Using Sc.EXE - add filter for dropbox
• fix: Potential Defense Evasion Via Raw Disk Access By Uncommon Tools - add filter for mpDefenderCoreService and SysWow64
• fix: Potential Persistence Via Notepad++ Plugins - add filter for notepad++ installers
• fix: Potential PsExec Remote Execution - add filter for localhost
• fix: Potential Python DLL SideLoading - add FP filter caused by pyinstaller bundled applications
• fix: Process Initiated Network Connection To Ngrok Domain - fix title and update MITRE tags
• fix: Removal of Potential COM Hijacking Registry Keys - Added Msedge update filter
• fix: Suspicious Volume Shadow Copy VSS_PS.dll Load - add vssadmin filter
• fix: Transferring Files with Credential Data via Network Shares - Made the string matching little more specific to avoid FPs
• fix: UNC4841 - Barracuda ESG Exploitation Indicators - FPs with mknod on Linux systems
• fix: Windows Binaries Write Suspicious Extensions - Add filter for PowerShell files created by svchost in the Clipchamp folder.
• fix: Windows Event Log Access Tampering Via Registry
• fix: potentially suspicious execution from tmp folder
• fix: potentially suspicious execution from tmp folder - nextcloud fp from tmp folder

Acknowledgement

Thanks to @0xbcf, @0xPrashanthSec, @egycondor, @EzLucky, @frack113, @gkazimiarovich, @JasonPhang98, @josamontiel, @Koifman, @Liran017, @M1ra1B0T, @MATTANDERS0N, @nasbench, @Neo23x0, @netgrain, @nisargsuthar, @norbert791, @peterydzynski, @phantinuss, @resp404nse, @ruppde, @swachchhanda000, @Ti-R, @vl43den, @YxinMiracle for their contribution to this release

Which Sigma rule package should I use?

A detailed explanation can be found in the Releases.md file. If you are new to Sigma, we recommend starting with the "Core" ruleset.

The latest release package on GitHub can always be found here.

Release r2025-07-08

New Rules

• new: Attempts of Kerberos Coercion Via DNS SPN Spoofing
• new: BITS Client BitsProxy DLL Loaded By Uncommon Process
• new: Clear or Disable Kernel Ring Buffer Logs via Syslog Syscall
• new: DNS Query To Common Malware Hosting and Shortener Services
• new: DNS Query To Katz Stealer Domains
• new: DNS Query To Katz Stealer Domains - Network
• new: Disable ASLR Via Personality Syscall - Linux
• new: FileFix - Command Evidence in TypedPaths from Browser File Upload Abuse
• new: FileFix - Suspicious Child Process from Browser File Upload Abuse
• new: HKTL - SharpSuccessor Privilege Escalation Tool Execution
• new: HackTool - Doppelanger LSASS Dumper Execution
• new: HackTool - HollowReaper Execution
• new: HackTool - Impacket File Indicators
• new: Katz Stealer DLL Loaded
• new: Katz Stealer Suspicious User-Agent
• new: MSSQL Destructive Query
• new: Obfuscated PowerShell MSI Install via WindowsInstaller COM
• new: Potential AS-REP Roasting via Kerberos TGT Requests
• new: Potential Abuse of Linux Magic System Request Key
• new: Potential Exploitation of RCE Vulnerability CVE-2025-33053
• new: Potential Exploitation of RCE Vulnerability CVE-2025-33053 - Image Load
• new: Potential Exploitation of RCE Vulnerability CVE-2025-33053 - Process Access
• new: Potential Java WebShell Upload in SAP NetViewer Server
• new: Potential Kerberos Coercion by Spoofing SPNs via DNS Manipulation
• new: Potential Notepad++ CVE-2025-49144 Exploitation
• new: Potential SAP NetViewer Webshell Command Execution
• new: PowerShell MSI Install via WindowsInstaller COM From Remote Location
• new: Proxy Execution via Vshadow - detect invocation of vshadow.exe with -exec to spot hidden malware execution
• new: RegAsm.EXE Execution Without CommandLine Flags or Files
• new: Registry Export of Third-Party Credentials
• new: Remote Access Tool - Potential MeshAgent Usage - MacOS
• new: Remote Access Tool - Potential MeshAgent Usage - Windows
• new: Remote Access Tool - Suspicious MeshAgent Usage - MacOS
• new: Remote Access Tool - Suspicious MeshAgent Usage - Windows
• new: Special File Creation via Mknod Syscall
• new: Suspicious DNS Query Indicating Kerberos Coercion via DNS Object SPN Spoofing
• new: Suspicious DNS Query Indicating Kerberos Coercion via DNS Object SPN Spoofing - Network
• new: Suspicious Deno File Written from Remote Source
• new: Suspicious Download and Execute Pattern via Curl/Wget
• new: Suspicious File Access to Browser Credential Storage
• new: System Info Discovery via Sysinfo Syscall
• new: System Information Discovery via Registry Queries
• new: Trusted Path Bypass via Windows Directory Spoofing

Updated Rules

• update: Access of Sudoers File Content - add more tools
• update: AspNetCompiler Execution - Add ARM version of the \Microsoft.NET path
• update: Audio Capture - use syscall name instead of id
• update: Cisco Modify Configuration - add "ntp server" keyword
• update: Clear or Disable Kernel Ring Buffer Logs via Syslog Syscall - use syscall name instead of id
• update: Commands to Clear or Remove the Syslog - detect journald vacuuming
• update: Disable ASLR Via Personality Syscall - Linux - use syscall name instead of id
• update: Disable Internal Tools or Feature in Registry - More registry modifications associated with feature change of windows internal tools added
• update: Enumeration for 3rd Party Creds From CLI - Updated the condition to update FP
• update: File Decoded From Base64/Hex Via Certutil.EXE - Increase level to high
• update: FileFix - Suspicious Child Process from Browser File Upload Abuse - add cmd.exe child process
• update: HackTool - LaZagne Execution: filter added to reduce FP and added more coverage through imphash
• update: Local Groups Discovery - Linux - add text output tools
• update: MSHTA Execution with Suspicious File Extensions - title changed and more susp extension added
• update: Malicious PowerShell Commandlets - PoshModule - Add BadSuccessor Exploit
• update: Malicious PowerShell Commandlets - PoshModule - add Invoke-PowerDPAPI
• update: Malicious PowerShell Commandlets - ProcessCreation - add Invoke-PowerDPAPI
• update: Malicious PowerShell Commandlets - ScriptBlock - add Invoke-PowerDPAPI
• update: Malicious PowerShell Scripts - FileCreation - Add BadSuccessor Exploit
• update: Malicious PowerShell Scripts - FileCreation - add Invoke-PowerDPAPI
• update: Malicious PowerShell Scripts - PoshModule - Add BadSuccessor Exploit
• update: Malicious PowerShell Scripts - PoshModule - add Invoke-PowerDPAPI
• update: Potential CommandLine Obfuscation Using Unicode Characters From Suspicious Image - add Unicode space character
• update: Potential PowerShell Obfuscation Via WCHAR/CHAR - Add CHAR variation
• update: Potentially Suspicious ASP.NET Compilation Via AspNetCompiler - Add ARM version of the \Microsoft.NET path
• update: Program Executed Using Proxy/Local Command Via SSH.EXE - add Imphash and OriginalFileName
• update: Remote Thread Created In Shell Application - move to threat-hunting folder as it causes too much noise
• update: Suspicious Double Extension File Execution: add more suspicious extension combination
• update: Suspicious Double Extension Files: add more suspicious extension combination
• update: Suspicious SignIns From A Non Registered Device - add null value in addition to empty string
• update: Suspicious Windows Defender Registry Key Tampering Via Reg.EXE - Increase coverage by adding new values that allow for Windows Defender to be disabled such as DisableCloudProtection and DisableSecurityCenter
• update: System Owner or User Discovery - Linux - add uname
• update: TrustedPath UAC Bypass Pattern - update Image value
• update: Webshell Remote Command Execution - add execveat and match on euid instead of key

Fixed Rules

• fix: ADS Zone.Identifier Deleted By Uncommon Application - filter msedge
• fix: AddinUtil.EXE Execution From Uncommon Directory - Add filter for Windows Microsoft.NET ARM path
• fix: Amsi.DLL Load By Uncommon Process - Add filter for Windows Microsoft.NET ARM path
• fix: Common Autorun Keys Modification - add 64 bits Program Files directory in filter
• fix: Creation of an Executable by an Executable - Add filter for Windows Microsoft.NET ARM path
• fix: CurrentVersion Autorun Keys Modification - add 64 bits Program Files directory in filter
• fix: CurrentVersion NT Autorun Keys Modification - add filter for RuntimeBroker.exe
• fix: Hidden Files and Directories - reduce FP matching with regex pattern
• fix: MSSQL Server Failed Logon From External Network - filter for local_machine without IP
• fix: Modification of IE Registry Settings - add filter for RuntimeBroker.exe
• fix: Potential AS-REP Roasting via Kerberos TGT Requests - use the correct PreAuthType selection field name
• fix: Potential Active Directory Reconnaissance/Enumeration Via LDAP - commenting out troublesome LDAP query parameter
• fix: Potential Binary Or Script Dropper Via PowerShell - add filters for legitimate binary dropped by PowerShell
• fix: Potential DLL Sideloading Of MsCorSvc.DLL - Add filter for Windows Microsoft.NET ARM path
• fix: Potential System DLL Sideloading From Non System Locations - Add filter for "C:\Windows\SyChpe32"
• fix: PowerShell Core DLL Loaded By Non PowerShell Process - Add filter for Windows Microsoft.NET ARM path
• fix: Rare Remote Thread Creation By Uncommon Source Image - add new filters to reduce noise
• fix: Remote Thread Created In Shell Application - modify the logic to filter out legit processes creating remote thread in shell apps
• fix: Remote Thread Creation By Uncommon Source Image - add new filters to reduce noise
• fix: Remote Thread Creation In Uncommon Target Image - add FP filters for notepad and sethc
• fix: Scheduled TaskCache Change by Uncommon Program - add filter for RuntimeBroker.exe
• fix: Suspicious Sysmon as Execution Parent - add filter for Sysmon binary running from temp dir
• fix: Suspicious Userinit Child Process - filter null Image
• fix: Suspicious WSMAN Provider Image Loads - Add filter for Windows Microsoft.NET ARM path
• fix: Uncommon AppX Package Locations - add a new filter to reduce noise
• fix: Use Short Name Path in Command Line - add filter for aurora
• fix: WMI Module Loaded By Uncommon Process - Add filter for Windows Microsoft.NET ARM path

Acknowledgement

Thanks to @0xFustang, @ajpc500, @ariel-anieli, @CheraghiMilad, @dan21san, @david-syk, @egycondor, @EzLucky, @frack113, @gregorywychowaniec-zt, @GrepItAll, @hashdr1ft, @joshnck, @JrOrOneEquals1, @kivi280, @MalGamy12, @nasbench, @nikstuckenbrock, @norbert791, @phantinuss, @swachchhanda000, @unicornofhunt, @vx3r, @wieso-itzi, @X-Junior, @xlazarg for their contribution to this release

Which Sigma rule package should I use?

A detailed explanation can be found in the Releases.md file. If you are new to Sigma, we recommend starting with the "Core" ruleset.

The latest release package on GitHub can always be found here.

Release r2025-05-21

New Rules

• new: Clfs.SYS Loaded By Process Located In a Potential Suspicious Location
• new: Crash Dump Created By Operating System
• new: HTTP Request to Low Reputation TLD or Suspicious File Extension
• new: Kalambur Backdoor Curl TOR SOCKS Proxy Execution
• new: Notepad Password Files Discovery
• new: PUA - AdFind.EXE Execution
• new: PUA - NimScan Execution
• new: Potential CVE-2024-35250 Exploitation Activity
• new: Potential Exploitation of CVE-2025-4427/4428 Ivanti EPMM Pre-Auth RCE
• new: Potential Unconstrained Delegation Discovery Via Get-ADComputer - ScriptBlock
• new: Potentially Suspicious WDAC Policy File Creation
• new: Suspicious Autorun Registry Modified via WMI
• new: Suspicious CrushFTP Child Process
• new: Suspicious LNK Command-Line Padding with Whitespace Characters
• new: Suspicious Process Spawned by CentreStack Portal AppPool

Updated Rules

• update: AADInternals PowerShell Cmdlets Execution - ProccessCreation - Add additional strings from the AADinternals framework
• update: AADInternals PowerShell Cmdlets Execution - PsScript - Add additional strings from the AADinternals framework
• update: AWS New Lambda Layer Attached - Enhance metadata and logic
• update: Anydesk Remote Access Software Service Installation - Enhance coverage by accounting for the AnyDesk MSI Service
• update: Audio Capture - add ecasound detection
• update: Buffer Overflow Attempts - Enhance and reworked logic with new keywords
• update: COM Object Hijacking Via Modification Of Default System CLSID Default Value - Add additional COM CLSID
• update: Direct Autorun Keys Modification
• update: Elevated System Shell Spawned - Add powershell_ise
• update: Elevated System Shell Spawned From Uncommon Parent Location - Add powershell_ise
• update: Malicious PowerShell Commandlets - PoshModule - Add Veeam-Get-Creds
• update: Malicious PowerShell Commandlets - ProcessCreation - Add Veeam-Get-Creds
• update: Malicious PowerShell Scripts - FileCreation - Add Veeam-Get-Creds.ps1
• update: Malicious PowerShell Scripts - PoshModule - Add Veeam-Get-Creds.ps1
• update: New RUN Key Pointing to Suspicious Folder
• update: Nslookup PowerShell Download Cradle - Add additional coverage with -type=txt http
• update: Obfuscated PowerShell OneLiner Execution - Enhance logic to increase coverage.
• update: Potential APT FIN7 Exploitation Activity - Add false positive description
• update: Potential Binary Impersonating Sysinternals Tools - Add list of binaries compiled for Arm64 arch added
• update: Potential Browser Data Stealing - add esentutl.exe
• update: Potential Obfuscated Ordinal Call Via Rundll32 - Add additional obfuscation methods
• update: Potential Persistence Attempt Via Run Keys Using Reg.EXE
• update: Potential Product Class Reconnaissance Via Wmic.EXE - Add AntiSpywareProduct class
• update: Potentially Suspicious WDAC Policy File Creation
• update: Process Memory Dump Via Comsvcs.DLL - Add additional obfuscation methods
• update: Remote Access Tool - AnyDesk Execution - Add AnyDeskMSI.exe
• update: Remote Access Tool - AnyDesk Incoming Connection - Add AnyDeskMSI.exe
• update: Remote Access Tool - Anydesk Execution From Suspicious Folder - Add AnyDeskMSI.exe
• update: Renamed AdFind Execution - Add additional Imphash values
• update: Service Reload or Start - Linux - Add additional flags and binaries used to changes services status
• update: Suspicious Binary Writes Via AnyDesk - Add AnyDeskMSI.exe
• update: Suspicious Eventlog Clear - Added coverage for eventlog clearing using dotnet class
• update: Suspicious Eventlog Clearing or Configuration Change Activity- Added coverage for eventlog clearing using dotnet class
• update: Suspicious PowerShell Invocations - Specific
• update: Suspicious PowerShell Invocations - Specific - PowerShell Module
• update: Suspicious Powershell In Registry Run Keys
• update: Suspicious Run Key from Download
• update: Windows Event Log Access Tampering Via Registry - Increase coverage by removing log markers
• update: proc_creation_lnx_esxcli_network_discovery.yml - updating MITRE to match v17
• update: proc_creation_lnx_esxcli_permission_change_admin.yml - updating MITRE to match v17
• update: proc_creation_lnx_esxcli_storage_discovery.yml - updating MITRE to match v17
• update: proc_creation_lnx_esxcli_syslog_config_change.yml - updating MITRE to match v17
• update: proc_creation_lnx_esxcli_system_discovery.yml - updating MITRE to match v17
• update: proc_creation_lnx_esxcli_user_account_creation.yml - updating MITRE to match v17
• update: proc_creation_lnx_esxcli_vm_discovery.yml - updating MITRE to match v17
• update: proc_creation_lnx_esxcli_vm_kill.yml - updating MITRE to match v17
• update: proc_creation_lnx_esxcli_vsan_discovery.yml - updating MITRE to match v17

Fixed Rules

• fix: Conhost Spawned By Uncommon Parent Process - Add filter for '-k wusvcs -p -s WaaSMedicSvc
• fix: Indirect Command Exectuion via Forfiles - wrong keyword
• fix: Potential Binary Or Script Dropper Via PowerShell - Add filter for C:\Windows\SystemTemp\
• fix: Potential CVE-2023-23397 Exploitation Attempt - SMB - Add filters for IP format when ingesting XML raw event
• fix: Potential CVE-2023-23397 Exploitation Attempt - SMB - Fix the IP block covering EventID 30804 as it does not contain an IP as a field but as a string
• fix: Potential WinAPI Calls Via CommandLine - Add new filter for CompatTelRunner
• fix: PowerShell Execution - wrong date format
• fix: Python Initiated Connection - Add filter for pip install
• fix: Python Initiated Connection - Enhance python filter
• fix: Python Inline Command Execution - Add filter for whl package installations
• fix: Schtasks Creation Or Modification With SYSTEM Privileges - Add new filter of office scheduled task
• fix: Whoami.EXE Execution Anomaly - Add new filter for empty parent
• fix: Windows Processes Suspicious Parent Directory - Add new filter for empty parent

Acknowledgement

Thanks to @CheraghiMilad, @clr2of8, @david-syk, @DFIR-Detection, @dsplice, @Eyezuhk, @frack113, @Gude5, @HannesWid, @imall4n, @jasonmull, @Koifman, @MalGamy12, @nasbench, @Neo23x0, @nickatrecon, @phantinuss, @RG9n, @signalblur, @swachchhanda000, @whichbuffer, @X-Junior for their contribution to this release

Which Sigma rule package should I use?

A detailed explanation can be found in the Releases.md file. If you are new to Sigma, we recommend starting with the "Core" ruleset.

The latest release package on GitHub can always be found here.

Release r2025-02-03

New Rules

• new: Azure Login Bypassing Conditional Access Policies
• new: CVE-2024-49113 Exploitation Attempt - LDAP Nightmare
• new: Suspicious Binaries and Scripts in Public Folder
• new: Suspicious Invocation of Shell via Rsync
• new: Windows Event Log Access Tampering Via Registry

Updated Rules

• update: Exploit Framework User Agent - Add default Havoc C2 UA
• update: Renamed Powershell Under Powershell Channel - Update regex to use \s+ to account for different parsers
• update: Shell Execution via Rsync - Linux - Rework logic to make it more generic and include additional shells.
• update: Suspicious Non PowerShell WSMAN COM Provider - Update regex to use \s+ to account for different parsers
• update: Suspicious Windows Service Tampering - Add additional services

Removed / Deprecated Rules

• remove: Windows Defender Exclusion Deleted

Fixed Rules

• fix: BITS Transfer Job With Uncommon Or Suspicious Remote TLD - Add dn.onenote.net/ and cdn.office.net/
• fix: CodeIntegrity - Unmet Signing Level Requirements By File Under Validation - Add filter for Kaspersky and mDNS Responder
• fix: Failed Code Integrity Checks - Add filters for CrowdStrike.
• fix: Forest Blizzard APT - Process Creation Activity - prepend SHA256 to hash value
• fix: HackTool - Dumpert Process Dumper Execution - prepend MD5 to hash value
• fix: ManageEngine Endpoint Central Dctask64.EXE Potential Abuse - prepend IMPHASH to hash value
• fix: Potential CVE-2023-36874 Exploitation - Fake Wermgr.Exe Creation - Add filter for \Windows\SoftwareDistribution\Download\
• fix: Potentially Suspicious Volume Shadow Copy Vsstrace.dll Load - Add exclusion filter C:\ProgramData\Package Cache\{ to account for cases like the execution of vcredist
• fix: Privileged User Has Been Created - Add missing comma to avoid false positives
• fix: Relevant Anti-Virus Signature Keywords In Application Log - Enhances the HTool string to avoid unintended matches.
• fix: Renamed Powershell Under Powershell Channel - Add edge case filters for double backslashes PowerShell invocation.
• fix: Renamed ZOHO Dctask64 Execution - prepend IMPASH to hash value
• fix: Uncommon AppX Package Locations - Add https://installer.teams.static.microsoft/
• fix: WCE wceaux.dll Access - Remove EventIDs 4658 and 4660 as they both do not contain the ObjectName field

Acknowledgement

Thanks to @DanielKoifman, @defensivedepth, @djlukic, @frack113, @GtUGtHGtNDtEUaE, @joshnck, @krdmnbrk, @nasbench, @Neo23x0, @samuelmonsempessenthorus, @Ti-R, @tsale, @X-Junior for their contribution to this release

Which Sigma rule package should I use?

A detailed explanation can be found in the Releases.md file. If you are new to Sigma, we recommend starting with the "Core" ruleset.

The latest release package on GitHub can always be found here.

Release r2024-12-19

New Rules

• new: AWS Key Pair Import Activity
• new: AWS SAML Provider Deletion Activity
• new: CVE-2024-50623 Exploitation Attempt - Cleo
• new: DNS Query Request By QuickAssist.EXE
• new: Lummac Stealer Activity - Execution Of More.com And Vbc.exe
• new: Modification or Deletion of an AWS RDS Cluster
• new: New AWS Lambda Function URL Configuration Created
• new: Potential File Extension Spoofing Using Right-to-Left Override
• new: Potentially Suspicious Azure Front Door Connection
• new: QuickAssist Execution
• new: Setup16.EXE Execution With Custom .Lst File
• new: Suspicious ShellExec_RunDLL Call Via Ordinal

Updated Rules

• update: App Assigned To Azure RBAC/Microsoft Entra Role - Add a constraint to limit the detection to service principal only
• update: COM Object Hijacking Via Modification Of Default System CLSID Default Value - Add 2 new additional built-in COM object GUID that were seen being used for hijacking
• update: COM Object Hijacking Via Modification Of Default System CLSID Default Value - Add {603D3801-BD81-11d0-A3A5-00C04FD706EC}
• update: DNS Query To Remote Access Software Domain From Non-Browser App - Add getscreen.me
• update: File and Directory Discovery - Linux - Add 2 additional binaries, "findmnt" and "mlocate"
• update: GALLIUM IOCs - remove custom dedicated hash fields
• update: HackTool - CoercedPotato Execution - remove custom dedicated hash fields
• update: HackTool - CreateMiniDump Execution - remove custom dedicated hash fields
• update: HackTool - GMER Rootkit Detector and Remover Execution - remove custom dedicated hash fields
• update: HackTool - HandleKatz LSASS Dumper Execution - remove custom dedicated hash fields
• update: HackTool - Impersonate Execution - remove custom dedicated hash fields
• update: HackTool - LocalPotato Execution - remove custom dedicated hash fields
• update: HackTool - PCHunter Execution - remove custom dedicated hash fields
• update: HackTool - PPID Spoofing SelectMyParent Tool Execution - remove custom dedicated hash fields
• update: HackTool - SharpEvtMute DLL Load - remove custom dedicated hash fields
• update: HackTool - Stracciatella Execution - remove custom dedicated hash fields
• update: HackTool - SysmonEOP Execution - remove custom dedicated hash fields
• update: HackTool - UACMe Akagi Execution - remove custom dedicated hash fields
• update: HackTool - Windows Credential Editor (WCE) Execution - remove custom dedicated hash fields
• update: HackTool Named File Stream Created - remove custom dedicated hash fields
• update: Hacktool Execution - Imphash - remove custom dedicated hash fields
• update: Local System Accounts Discovery - Linux - Add additional binaries to read password files such as "less" and "emacs" as well as additional password file locations such as "/etc/pwd.db"
• update: Mail Forwarding/Redirecting Activity In O365 - Add additional parameters to increase coverage
• update: Malicious DLL Load By Compromised 3CXDesktopApp - remove custom dedicated hash fields
• update: MpiExec Lolbin - remove custom dedicated hash fields
• update: PUA - Fast Reverse Proxy (FRP) Execution - remove custom dedicated hash fields
• update: PUA - NPS Tunneling Tool Execution - remove custom dedicated hash fields
• update: PUA - Nimgrab Execution - remove custom dedicated hash fields
• update: PUA - Process Hacker Driver Load - remove custom dedicated hash fields
• update: PUA - Process Hacker Execution - remove custom dedicated hash fields
• update: PUA - System Informer Driver Load - remove custom dedicated hash fields
• update: PUA - System Informer Execution - remove custom dedicated hash fields
• update: PUA- IOX Tunneling Tool Execution - remove custom dedicated hash fields
• update: Password Policy Discovery - Linux - Add additional new paths for "pam.d" , namely "/etc/pam.d/common-account", "/etc/pam.d/common-auth" and "/etc/pam.d/auth"
• update: Potential Compromised 3CXDesktopApp Execution - remove custom dedicated hash fields
• update: Potential Defense Evasion Via Rename Of Highly Relevant Binaries - Add ie4uinit.exe and msxsl.exe to old binary rename rule
• update: Potential Secure Deletion with SDelete - Enhance metadata
• update: Potential SquiblyTwo Technique Execution - remove custom dedicated hash fields
• update: Potentially Suspicious Cabinet File Expansion - Add new paths for built-in shares
• update: Process Discovery - Add additional processes like "htop" and "atop"
• update: Remote Access Tool - NetSupport Execution From Unusual Location - remove custom dedicated hash fields
• update: Remote Access Tool Services Have Been Installed - Security - Add anydesk
• update: Renamed AdFind Execution - remove custom dedicated hash fields
• update: Renamed AutoIt Execution - remove custom dedicated hash fields
• update: Renamed NetSupport RAT Execution - remove custom dedicated hash fields
• update: Renamed PAExec Execution - remove custom dedicated hash fields
• update: System Owner or User Discovery - Linux - Add 4 additional tools that can be used for host and user discovery: "whoami", "hostname", "id", "last"
• update: Terminate Linux Process Via Kill - Add "xkill"
• update: Vulnerable HackSys Extreme Vulnerable Driver Load - remove custom dedicated hash fields
• update: Vulnerable WinRing0 Driver Load - remove custom dedicated hash fields
• update: Webshell Detection With Command Line Keywords - Add suspicious powershell commandline keywords
• update: WinDivert Driver Load - remove custom dedicated hash fields

Fixed Rules

• fix: Creation of WerFault.exe/Wer.dll in Unusual Folder - Add filter for windows update/installation folder C:\Windows\SoftwareDistribution\
• fix: FPs with NetNTLM downgrade attack (#5108)
• fix: NetNTLM Downgrade Attack - Registry - Tune the rule for specific registry values in order to reduce FP rate.
• fix: Suspicious Process By Web Server Process - Fix typo in "ntdsutil" process name
• fix: Suspicious SYSTEM User Process Creation - filter false positives with Google Updater uninstall script
• fix: bXOR Operator Usage In PowerShell Command Line - PowerShell Classic - Update the logic to remove unrelated keywords and reduce unwanted matches.

Acknowledgement

Thanks to @AlbinoGazelle, @CheraghiMilad, @cod3nym, @dan21san, @djlukic, @faisalusuf, @frack113, @gregorywychowaniec-zt, @IsaacDunham, @jstnk9, @Koifman, @MalGamy12, @mgreen27, @nasbench, @Neo23x0, @randomaccess3, @saakovv, @swachchhanda000 for their contribution to this release

Which Sigma rule package should I use?

A detailed explanation can be found in the Releases.md file. If you are new to Sigma, we recommend starting with the "Core" ruleset.

The latest release package on GitHub can always be found here.

Release r2024-11-10

New Rules

• new: .RDP File Created by Outlook Process
• new: Access To Browser Credential Files By Uncommon Applications - Security
• new: Command Executed Via Run Dialog Box - Registry
• new: DNS Request From Windows Script Host
• new: ETW Logging/Processing Option Disabled On IIS Server
• new: Group Policy Abuse for Privilege Addition
• new: HTTP Logging Disabled On IIS Server
• new: Network Connection Initiated To BTunnels Domains
• new: New Module Module Added To IIS Server
• new: Potential Python DLL SideLoading
• new: Potentially Suspicious Command Executed Via Run Dialog Box - Registry
• new: PowerShell Web Access Feature Enabled Via DISM
• new: PowerShell Web Access Installation - PsScript
• new: Previously Installed IIS Module Was Removed
• new: Process Deletion of Its Own Executable
• new: Remote Access Tool - MeshAgent Command Execution via MeshCentral
• new: Startup/Logon Script Added to Group Policy Object

Updated Rules

• update: .RDP File Created By Uncommon Application - Add olk.exe to cover the new version of outlook
• update: .RDP File Created by Outlook Process - Add new paths for Outlook apps in Windows 11
• update: Alternate PowerShell Hosts Pipe - Add optional filter for AzureConnectedMachineAgent and update old filters to be more accurate
• update: Antivirus Hacktool Detection - Add additional hacktools signature names.
• update: Antivirus Password Dumper Detection - Add DCSync string to cover MS Defender traffic detections
• update: Antivirus Password Dumper Detection - Add additional password dumpers such as "DumpPert", "Lazagne", "pypykatz", etc.
• update: Antivirus Ransomware Detection - Add additional ransomware signature names.
• update: CodeIntegrity - Unmet Signing Level Requirements By File Under Validation - Add additional filters for third party AV
• update: DNS Query To Remote Access Software Domain From Non-Browser App - Add remoteassistance.support.services.microsoft.com, tailscale.com, twingate.com
• update: Disable Windows Defender Functionalities Via Registry Keys - Remove \Real-Time Protection\ prefix to increase coverage.
• update: HackTool - Certipy Execution - Increase coverage by adding new flags such as 'cert', 'template' and 'ptt'
• update: LSASS Process Memory Dump Files - add new dump pattern for RustiveDump and NativeDump, and exchanged "startswith" with "contains" modifier for better coverage
• update: Linux HackTool Execution - Remove "zenmap" and "nmap" as they are already covered by 3e102cd9-a70d-4a7a-9508-403963092f31
• update: Linux Network Service Scanning Tools Execution - Add "zenmap" utility
• update: Local System Accounts Discovery - Linux - Increase coverage by adding additional utilities such as "nano", "tail, "vim"
• update: Persistence and Execution at Scale via GPO Scheduled Task - Increase coverage by adding selection for EID 5136
• update: Potential CommandLine Obfuscation Using Unicode Characters - Add coverage for 0x00A0
• update: Potential CommandLine Obfuscation Using Unicode Characters From Suspicious Image - Add coverage for 0x00A0
• update: Potential Data Exfiltration Over SMTP Via Send-MailMessage Cmdlet - Add the "-Attachments" flag to the logic in order to reduce false positives.
• update: Potentially Suspicious JWT Token Search Via CLI - added the eyJhbGciOi string, corresponding to {"alg": from the JWT token header.
• update: Process Terminated Via Taskkill - Add /pid flag and windash support
• update: Python Reverse Shell Execution Via PTY And Socket Modules - Add additional strings to increase accuracy and coverage.
• update: Python Spawning Pretty TTY Via PTY Module - Update the logic to account for the possibility of calling the spawn function via a variable, as an alias or other methods.
• update: Renamed Powershell Under Powershell Channel - Add new filter to cover the edge case where the HostApplication field is null
• update: Suspicious Non PowerShell WSMAN COM Provider - Add new filter to cover the edge case where the HostApplication field is null
• update: BITS Transfer Job Download From File Sharing Domains - Add pixeldrain.com
• update: COM Object Hijacking Via Modification Of Default System CLSID Default Value - Add {F82B4EF1-93A9-4DDE-8015-F7950A1A6E31}
• update: Network Communication Initiated To File Sharing Domains From Process Located In Suspicious Folder - Add pixeldrain.com
• update: New Connection Initiated To Potential Dead Drop Resolver Domain - Add pixeldrain.com
• update: Potentially Suspicious File Download From File Sharing Domain Via PowerShell.EXE* - Add pixeldrain.com
• update: Suspicious File Download From File Sharing Domain Via Curl.EXE - Add pixeldrain.com
• update: Suspicious File Download From File Sharing Domain Via Wget.EXE - Add pixeldrain.com
• update: Suspicious File Download From File Sharing Websites - File Stream - Add pixeldrain.com
• update: Suspicious Windows Service Tampering - Add "WSearch"
• update: Unusual File Download From File Sharing Websites - File Stream - Add pixeldrain.com

Fixed Rules

• fix: Antivirus Relevant File Paths Alerts - Remove the path "\Client" as it is too generic for a detection rule.
• fix: Antivirus Web Shell Detection - Removed overlapping strings "ASP/Agent", "PHP/Agent", "JSP/Agent".
• fix: PwnKit Local Privilege Escalation - Fix typo with the word suspicious
• fix: UNC2452 Process Creation Patterns - Add the missing all modifier

Acknowledgement

Thanks to @ahmedfarou22, @bharat-arora-magnet, @BlackB0lt, @CheraghiMilad, @dan21san, @defensivedepth, @deFr0ggy, @djlukic, @frack113, @fukusuket, @ionsor, @jaegeral, @joshnck, @Koifman, @Mahir-Ali-khan, @MalGamy12, @MHaggis, @Milad Cheraghi, @nasbench, @Neo23x0, @ruppde, @secDre4mer, @swachchhanda000, @tsale, @wieso-itzi, @X-Junior for their contribution to this release

Which Sigma rule package should I use?

A detailed explanation can be found in the Releases.md file. If you are new to Sigma, we recommend starting with the "Core" ruleset.

The latest release package on GitHub can always be found here.

Release r2024-09-02

New Rules

• new: Access To Chromium Browsers Sensitive Files By Uncommon Applications
• new: Access To Crypto Currency Wallets By Uncommon Applications
• new: Antivirus Filter Driver Disallowed On Dev Drive - Registry
• new: Capsh Shell Invocation - Linux
• new: ChromeLoader Malware Execution
• new: Clipboard Data Collection Via Pbpaste
• new: Data Export From MSSQL Table Via BCP.EXE
• new: Disk Image Creation Via Hdiutil - MacOS
• new: Disk Image Mounting Via Hdiutil - MacOS
• new: DNS Query To Put.io - DNS Client
• new: Driver Added To Disallowed Images In HVCI - Registry
• new: Emotet Loader Execution Via .LNK File
• new: Exploitation Attempt Of CVE-2020-1472 - Execution of ZeroLogon PoC
• new: FakeUpdates/SocGholish Activity
• new: File Explorer Folder Opened Using Explorer Folder Shortcut Via Shell
• new: Github Fork Private Repositories Setting Enabled/Cleared
• new: Github Repository/Organization Transferred
• new: Github SSH Certificate Configuration Changed
• new: HackTool - SharpWSUS/WSUSpendu Execution
• new: HackTool - SOAPHound Execution
• new: Headless Process Launched Via Conhost.EXE
• new: Hidden Flag Set On File/Directory Via Chflags - MacOS
• new: Hiding User Account Via SpecialAccounts Registry Key - CommandLine
• new: Injected Browser Process Spawning Rundll32 - GuLoader Activity
• new: Inline Python Execution - Spawn Shell Via OS System Library
• new: Kerberoasting Activity - Initial Query
• new: Manual Execution of Script Inside of a Compressed File
• new: Microsoft Teams Sensitive File Access By Uncommon Application
• new: Multi Factor Authentication Disabled For User Account
• new: Obfuscated PowerShell OneLiner Execution
• new: OneNote.EXE Execution of Malicious Embedded Scripts
• new: Potential APT FIN7 Exploitation Activity
• new: Potential BOINC Software Execution (UC-Berkeley Signature)
• new: Potential CommandLine Obfuscation Using Unicode Characters From Suspicious Image - A detection replacement for e0552b19-5a83-4222-b141-b36184bb8d79
• new: Potential CSharp Streamer RAT Loading .NET Executable Image
• new: Potential CVE-2021-44228 Exploitation Attempt - VMware Horizon
• new: Potential CVE-2022-22954 Exploitation Attempt - VMware Workspace ONE Access Remote Code Execution
• new: Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 1
• new: Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 2
• new: Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 3
• new: Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 4
• new: Potential Exploitation of CVE-2024-37085 - Suspicious Creation Of ESX Admins Group
• new: Potential Exploitation of CVE-2024-37085 - Suspicious ESX Admins Group Activity
• new: Potential File Override/Append Via SET Command
• new: Potential MOVEit Transfer CVE-2023-34362 Exploitation - Dynamic Compilation Via Csc.EXE
• new: Potential Raspberry Robin Aclui Dll SideLoading
• new: Potential Raspberry Robin Registry Set Internet Settings ZoneMap
• new: Potentially Suspicious Rundll32.EXE Execution of UDL File
• new: Powershell Executed From Headless ConHost Process
• new: Process Launched Without Image Name
• new: Python Function Execution Security Warning Disabled In Excel
• new: Python Function Execution Security Warning Disabled In Excel - Registry
• new: Raspberry Robin Initial Execution From External Drive
• new: Raspberry Robin Subsequent Execution of Commands
• new: Remote Access Tool - Action1 Arbitrary Code Execution and Remote Sessions
• new: Remote Access Tool - Ammy Admin Agent Execution
• new: Remote Access Tool - AnyDesk Incoming Connection
• new: Remote Access Tool - Cmd.EXE Execution via AnyViewer
• new: Renamed BOINC Client Execution
• new: Serpent Backdoor Payload Execution Via Scheduled Task
• new: Shell Execution GCC - Linux
• new: Shell Execution via Find - Linux
• new: Shell Execution via Flock - Linux
• new: Shell Execution via Git - Linux
• new: Shell Execution via Nice - Linux
• new: Shell Execution via Rsync - Linux
• new: Shell Invocation via Env Command - Linux
• new: Shell Invocation Via Ssh - Linux
• new: Suspicious Invocation of Shell via AWK - Linux
• new: Suspicious Process Masquerading As SvcHost.EXE
• new: Task Scheduler DLL Loaded By Application Located In Potentially Suspicious Location
• new: Unattend.XML File Access Attempt
• new: Uncommon Connection to Active Directory Web Services
• new: Ursnif Redirection Of Discovery Commands
• new: User Risk and MFA Registration Policy Updated

Updated Rules

• update: Access To .Reg/.Hive Files By Uncommon Applications - Update filters and move to threat hunting folder
• update: Access To Browser Credential Files By Uncommon Applications - Update filters and move to threat hunting folder
• update: Access To Windows Credential History File By Uncommon Applications - Update filters
• update: Access To Windows DPAPI Master Keys By Uncommon Applications - Update filters
• update: Access To Windows Outlook Mail Files By Uncommon Applications - Update filters and move to threat hunting folder
• update: Antivirus Exploitation Framework Detection - Add additional keywords and strings to enhance coverage
• update: Antivirus Hacktool Detection - Add additional keywords and strings to enhance coverage
• update: Antivirus Password Dumper Detection - Add additional keywords and strings to enhance coverage
• update: Antivirus Ransomware Detection - Add additional keywords and strings to enhance coverage
• update: Antivirus Relevant File Paths Alerts - Add additional keywords and strings to enhance coverage
• update: Antivirus Web Shell Detection - Add additional keywords and strings to enhance coverage
• update: BITS Transfer Job Download From File Sharing Domains - Add additional domains, *.trycloudflare.com, *.pages.dev, *.w3spaces.com and *.workers.dev
• update: Cab File Extraction Via Wusa.EXE - Move to TH folder
• update: COM Object Execution via Xwizard.EXE - Update logic
• update: Credential Manager Access By Uncommon Applications - Update filters
• update: Disable Important Scheduled Task - Add \Windows\ExploitGuard\ExploitGuard MDM policy Refresh
• update: Github High Risk Configuration Disabled - Add business_advanced_security.disabled, business_advanced_security.disabled_for_new_repos, business_advanced_security.disabled_for_new_user_namespace_repos, business_advanced_security.user_namespace_repos_disabled, org.advanced_security_disabled_for_new_repos, org.advanced_security_disabled_on_all_repos
• update: Github Secret Scanning Feature Disabled - Add secret_scanning_new_repos.disable
• update: Network Communication Initiated To File Sharing Domains From Process Located In Suspicious Folder - Add additional domains, *.trycloudflare.com, *.pages.dev, *.w3spaces.com and *.workers.dev
• update: Network Connection Initiated From Process Located In Potentially Suspicious Or Uncommon Location - Add additional domains, *.trycloudflare.com, *.pages.dev, *.w3spaces.com and *.workers.dev
• update: New Connection Initiated To Potential Dead Drop Resolver Domain - Add additional domains, *.trycloudflare.com, *.pages.dev, *.w3spaces.com and *.workers.dev
• update: Potential Active Directory Reconnaissance/Enumeration Via LDAP - add enumeration of distinguished names
• update: Potential CommandLine Obfuscation Using Unicode Characters - Moved to "threat-hunting" due to the nature FPs
• update: Potential CVE-2022-29072 Exploitation Attempt - Add additional shells and flags
• update: Potential DLL Injection Via AccCheckConsole - Enhance coverage and logic
• update: Potential DLL Sideloading Activity Via ExtExport.EXE - Metadata and logic update
• update: Potential Persistence Via Outlook Home Page - Update the logic to account for additional sub keys.
• update: Potential Persistence Via Outlook Today Page - Update the logic to account for the "URL" value.
• update: Potential Remote WMI ActiveScriptEventConsumers Activity - Moved to "threat-hunting" as its meant as an enrichment rule.
• update: Potentially Suspicious EventLog Recon Activity Using Log Query Utilities - Increase coverage
• update: Potentially Suspicious File Download From File Sharing Domain Via PowerShell.EXE - Add additional domains, *.trycloudflare.com, *.pages.dev, *.w3spaces.com and *.workers.dev
• update: Powershell Token Obfuscation - Powershell - Optimized used regex
• update: Powershell Token Obfuscation - Process Creation - Optimized used regex
• update: Process Memory Dump via RdrLeakDiag.EXE - Enhance coverage
• update: Relevant Anti-Virus Signature Keywords In Application Log - Add additional keywords and strings to enhance coverage
• update: Suspicious Download From File-Sharing Website Via Bitsadmin - Add additional domains, *.trycloudflare.com, *.pages.dev, *.w3spaces.com and *.workers.dev
• update: Suspicious File Download From File Sharing Domain Via Curl.EXE - Add additional domains, *.trycloudflare.com, *.pages.dev, *.w3spaces.com and *.workers.dev
• update: Suspicious File Download From File Sharing Domain Via Wget.EXE - Add additional domains, *.trycloudflare.com, *.pages.dev, *.w3spaces.com and *.workers.dev
• update: Suspicious File Download From File Sharing Websites - File Stream - Add additional domains, *.trycloudflare.com, *.pages.dev, *.w3spaces.com and *.workers.dev
• update: Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE - Add additional domains, *.trycloudflare.com, *.pages.dev, *.w3spaces.com and *.workers.dev
• update: Suspicious Remote AppX Package Locations - Add additional domains, *.trycloudflare.com, *.pages.dev, *.w3spaces.com and *.workers.dev
• update...

Release r2024-07-17

New Rules

• new: BitlockerTogo.EXE Execution
• new: COM Object Hijacking Via Modification Of Default System CLSID Default Value
• new: CVE-2023-1389 Potential Exploitation Attempt - Unauthenticated Command Injection In TP-Link Archer AX21
• new: Communication To LocaltoNet Tunneling Service Initiated
• new: Communication To LocaltoNet Tunneling Service Initiated - Linux
• new: DNS Query To AzureWebsites.NET By Non-Browser Process
• new: DPAPI Backup Keys And Certificate Export Activity IOC
• new: DSInternals Suspicious PowerShell Cmdlets
• new: DSInternals Suspicious PowerShell Cmdlets - ScriptBlock
• new: DarkGate - Drop DarkGate Loader In C:\Temp Directory
• new: Directory Service Restore Mode(DSRM) Registry Value Tampering
• new: File Download Via Nscurl - MacOS
• new: Files With System DLL Name In Unsuspected Locations
• new: HackTool - Evil-WinRm Execution - PowerShell Module
• new: HackTool - LaZagne Execution
• new: HackTool - RemoteKrbRelay Execution
• new: HackTool - RemoteKrbRelay SMB Relay Secrets Dump Module Indicators
• new: HackTool - SharpDPAPI Execution
• new: Hypervisor Enforced Paging Translation Disabled
• new: Ingress/Egress Security Group Modification
• new: Kapeka Backdoor Autorun Persistence
• new: Kapeka Backdoor Configuration Persistence
• new: Kapeka Backdoor Execution Via RunDLL32.EXE
• new: Kapeka Backdoor Loaded Via Rundll32.EXE
• new: Kapeka Backdoor Persistence Activity
• new: Kapeka Backdoor Scheduled Task Creation
• new: Kubernetes Admission Controller Modification
• new: Kubernetes CronJob/Job Modification
• new: Kubernetes Rolebinding Modification
• new: Kubernetes Secrets Modified or Deleted
• new: Kubernetes Unauthorized or Unauthenticated Access
• new: LoadBalancer Security Group Modification
• new: Malicious Usage Of IMDS Credentials Outside Of AWS Infrastructure
• new: Microsoft Word Add-In Loaded
• new: Network Communication Initiated To Portmap.IO Domain
• new: Network Connection Initiated From Users\Public Folder
• new: Network Connection Initiated To AzureWebsites.NET By Non-Browser Process
• new: Network Connection Initiated To Cloudflared Tunnels Domains
• new: New File Exclusion Added To Time Machine Via Tmutil - MacOS
• new: New Network ACL Entry Added
• new: New Network Route Added
• new: PDF File Created By RegEdit.EXE
• new: Periodic Backup For System Registry Hives Enabled
• new: Potential DLL Sideloading Of DbgModel.DLL
• new: Potential DLL Sideloading Of MpSvc.DLL
• new: Potential DLL Sideloading Of MsCorSvc.DLL
• new: Potential Kapeka Decrypted Backdoor Indicator
• new: Potential Malicious Usage of CloudTrail System Manager
• new: Potential Suspicious Browser Launch From Document Reader Process
• new: Potentially Suspicious Usage Of Qemu
• new: RDS Database Security Group Modification
• new: Renamed Microsoft Teams Execution
• new: System Information Discovery Via Sysctl - MacOS
• new: Time Machine Backup Deletion Attempt Via Tmutil - MacOS
• new: Time Machine Backup Disabled Via Tmutil - MacOS
• new: Uncommon File Creation By Mysql Daemon Process
• new: Uncommon Process Access Rights For Target Image
• new: Windows LAPS Credential Dump From Entra ID
• new: Windows Recall Feature Enabled - DisableAIDataAnalysis Value Deleted
• new: Windows Recall Feature Enabled - Registry
• new: Windows Recall Feature Enabled Via Reg.EXE

Updated Rules

• update: Antivirus Hacktool Detection - Add the string "mikatz" because of "HackTool:Win32/Mikatz"
• update: Antivirus Password Dumper Detection - Add the string "mikatz" because of "HackTool:Win32/Mikatz"
• update: CA Policy Updated by Non Approved Actor - detect using a map of fields instead of a list
• update: Cloudflared Tunnels Related DNS Requests - Update description and related field
• update: Copying Sensitive Files with Credential Data - Use "windash" modifier
• update: DLL Call by Ordinal Via Rundll32.EXE - Reduced level to "medium" and moved to the threat hunting folder due to the fact that calling by ordinal can be seen by many legitimate utilities. An initial baseline needs to be set for the rule to be promoted.
• update: Explorer Process Tree Break - Use "windash" modifier
• update: Files With System Process Name In Unsuspected Locations - Remove old filter
• update: LSASS Process Reconnaissance Via Findstr.EXE - Use "windash" modifier
• update: Lolbin Unregmp2.exe Use As Proxy - Use "windash" modifier
• update: MSSQL Add Account To Sysadmin Role - Update the "Provider_Name" to use a contains in order to account for other third party providers.
• update: MSSQL Disable Audit Settings - Update the "Provider_Name" to use a contains in order to account for other third party providers.
• update: MSSQL SPProcoption Set - Update the "Provider_Name" to use a contains in order to account for other third party providers.
• update: MSSQL Server Failed Logon - Update the "Provider_Name" to use a contains in order to account for other third party providers.
• update: MSSQL Server Failed Logon From External Network - Update the "Provider_Name" to use a contains in order to account for other third party providers.
• update: MSSQL XPCmdshell Option Change - Update the "Provider_Name" to use a contains in order to account for other third party providers.
• update: MSSQL XPCmdshell Suspicious Execution - Update the "Provider_Name" to use a contains in order to account for other third party providers.
• update: Msiexec.EXE Initiated Network Connection Over HTTP - Reduced level to low and moved to the threat hunting folder due to large amount of matches based on VT data
• update: Network Communication Initiated To File Sharing Domains From Process Located In Suspicious Folder - Add additional file paths
• update: Network Connection Initiated By AddinUtil.EXE - increase level to "high" and promote the status to "test" based on VT data
• update: Network Connection Initiated From Process Located In Potentially Suspicious Or Uncommon Location - Add additional file paths
• update: Network Connection Initiated To AzureWebsites.NET By Non-Browser Process - Reduced the level to "medium" and added filters for "null" and empty values based on VT data
• update: Network Connection Initiated To Mega.nz - Reduce level to "low"
• update: New Remote Desktop Connection Initiated Via Mstsc.EXE - Use "windash" modifier
• update: Office Application Initiated Network Connection Over Uncommon Ports - Add port "143" based on Microsoft "Microsoft 365 URLs and IP address ranges" document
• update: Office Application Initiated Network Connection To Non-Local IP - Add "outlook.exe" to the list of processes and filter multiple IP ranges based on Microsoft "Microsoft 365 URLs and IP address ranges" document
• update: Okta New Admin Console Behaviours - update to reflect Okta log data structure
• update: Outbound Network Connection Initiated By Cmstp.EXE - Exclude local IPs and ranges
• update: Password Protected Compressed File Extraction Via 7Zip - Reduced level to "low" and moved to the threat hunting folder due to large amount of matches based on VT data
• update: Potential Dead Drop Resolvers - Add filters for "null" and empty values based on VT data
• update: Potential Privilege Escalation via Local Kerberos Relay over LDAP - Update metadata information
• update: Potential Proxy Execution Via Explorer.EXE From Shell Process - Update metadata and moved to Threat Hunting folder
• update: Potential Shellcode Injection - Reduced level to "medium" and moved to the threat hunting folder due multiple FP with third party softwares
• update: Potential Suspicious Execution From GUID Like Folder Names - Reduced level to "low" and moved to the threat hunting folder
• update: Potential System DLL Sideloading From Non System Locations - Add new entries to increase coverage
• update: Potential Windows Defender AV Bypass Via Dump64.EXE Rename - Enhance logic
• update: Potentially Suspicious EventLog Recon Activity Using Log Query Utilities - Add additional EventLog and ETW providers to increase coverage
• update: Potentially Suspicious Execution From Parent Process In Public Folder - Update logic to add Image names in addition to the previous CommandLines
• update: Potentially Suspicious PowerShell Child Processes - Reduced level to "medium" and moved to the threat hunting folder due to large amount of matches based on VT data. As well as the logic doesn't look for anything suspicious but "child processes" that might be "uncommon".
• update: Process Execution From A Potentially Suspicious Folder - Update metadata and remove "\Users\Public" to avoid false positives
• update: Rare Remote Thread Creation By Uncommon Source Image - Add dialer.exe
• update: Recon Command Output Piped To Findstr.EXE - Update the logic to user "wildcards" instead of spaces to cover different variants and increase the coverage.
• update: Relevant Anti-Virus Signature Keywords In Application Log - Add the string "mikatz" because of "HackTool:Win32/Mikatz"
• update: Remote Thread Creation By Uncommon Source Image - Update filters
• update: Remote Thread Creation In Uncommon Target Image - Update filters
• update: Renamed ProcDump Execution - Add new flag option
• update: Self Extracting Package Creation Via Iexpress.EXE From Potentially Suspicious Location - Use "windash" modifier
• update: Suspicious Electron Application Child Processes - Remove unnecessary filters
• update: Suspicious Non-Browser Network Communication With Google API - Add filters for "null" and empty values based on VT data
• update: System File Execution Location Anomaly - Enhance filters
• update: Uncommon Child Process Of Setres.EXE - Update logic and metadata
• update: Uncommon Link.EXE Parent Process - Enhance the filters and metadata
• update: Windows Defender Threat De...

Release r2024-05-13

New Rules

• new: Access To Windows Outlook Mail Files By Uncommon Application
• new: All Backups Deleted Via Wbadmin.EXE
• new: File Recovery From Backup Via Wbadmin.EXE
• new: Launch Agent/Daemon Execution Via Launchctl
• new: New Firewall Rule Added In Windows Firewall Exception List Via WmiPrvSE.EXE
• new: New RDP Connection Initiated From Domain Controller
• new: New Windows Firewall Rule Added Via New-NetFirewallRule Cmdlet
• new: New Windows Firewall Rule Added Via New-NetFirewallRule Cmdlet - ScriptBlock
• new: Potential Packet Capture Activity Via Start-NetEventSession - ScriptBlock
• new: Potentially Suspicious Child Process Of KeyScrambler.exe
• new: Potentially Suspicious Malware Callback Communication - Linux
• new: Sensitive File Dump Via Wbadmin.EXE
• new: Sensitive File Recovery From Backup Via Wbadmin.EXE
• new: Suspicious External WebDAV Execution
• new: UAC Notification Disabled
• new: UAC Secure Desktop Prompt Disabled

Updated Rules

• update: New Firewall Rule Added In Windows Firewall Exception List For Potential Suspicious Application - Add new EID and paths
• update: Potentially Suspicious Execution Of PDQDeployRunner - Add additional processes to the list
• update: Scheduled Task Creation From Potential Suspicious Parent Location - Add additional "temporary folder" locations.
• update: UAC Disabled - update metadata
• update: Uncommon New Firewall Rule Added In Windows Firewall Exception List - Add new EID and paths
• update: Use Icacls to Hide File to Everyone - Remove "C:\Users" to increase coverage
• update: Windows Backup Deleted Via Wbadmin.EXE - Enhance logic and increase coverage

Removed / Deprecated Rules

• remove: Search-ms and WebDAV Suspicious Indicators in URL

Fixed Rules

• fix: Forest Blizzard APT - Process Creation Activity - Typo in modifier

Acknowledgement

Thanks to @ahmedfarou22, @frack113, @hasselj, @joshnck, @nasbench, @pratinavchandra, @swachchhanda000 for their contribution to this release

Which Sigma rule package should I use?

A detailed explanation can be found in the Releases.md file. If you are new to Sigma, we recommend starting with the "Core" ruleset.

The latest release package on GitHub can always be found here.