
Release r2024-07-17

github-actions released this 17 Jul 09:37 · commit af9ffdb

New Rules

  • new: BitlockerTogo.EXE Execution
  • new: COM Object Hijacking Via Modification Of Default System CLSID Default Value
  • new: CVE-2023-1389 Potential Exploitation Attempt - Unauthenticated Command Injection In TP-Link Archer AX21
  • new: Communication To LocaltoNet Tunneling Service Initiated
  • new: Communication To LocaltoNet Tunneling Service Initiated - Linux
  • new: DNS Query To AzureWebsites.NET By Non-Browser Process
  • new: DPAPI Backup Keys And Certificate Export Activity IOC
  • new: DSInternals Suspicious PowerShell Cmdlets
  • new: DSInternals Suspicious PowerShell Cmdlets - ScriptBlock
  • new: DarkGate - Drop DarkGate Loader In C:\Temp Directory
  • new: Directory Service Restore Mode(DSRM) Registry Value Tampering
  • new: File Download Via Nscurl - MacOS
  • new: Files With System DLL Name In Unsuspected Locations
  • new: HackTool - Evil-WinRm Execution - PowerShell Module
  • new: HackTool - LaZagne Execution
  • new: HackTool - RemoteKrbRelay Execution
  • new: HackTool - RemoteKrbRelay SMB Relay Secrets Dump Module Indicators
  • new: HackTool - SharpDPAPI Execution
  • new: Hypervisor Enforced Paging Translation Disabled
  • new: Ingress/Egress Security Group Modification
  • new: Kapeka Backdoor Autorun Persistence
  • new: Kapeka Backdoor Configuration Persistence
  • new: Kapeka Backdoor Execution Via RunDLL32.EXE
  • new: Kapeka Backdoor Loaded Via Rundll32.EXE
  • new: Kapeka Backdoor Persistence Activity
  • new: Kapeka Backdoor Scheduled Task Creation
  • new: Kubernetes Admission Controller Modification
  • new: Kubernetes CronJob/Job Modification
  • new: Kubernetes Rolebinding Modification
  • new: Kubernetes Secrets Modified or Deleted
  • new: Kubernetes Unauthorized or Unauthenticated Access
  • new: LoadBalancer Security Group Modification
  • new: Malicious Usage Of IMDS Credentials Outside Of AWS Infrastructure
  • new: Microsoft Word Add-In Loaded
  • new: Network Communication Initiated To Portmap.IO Domain
  • new: Network Connection Initiated From Users\Public Folder
  • new: Network Connection Initiated To AzureWebsites.NET By Non-Browser Process
  • new: Network Connection Initiated To Cloudflared Tunnels Domains
  • new: New File Exclusion Added To Time Machine Via Tmutil - MacOS
  • new: New Network ACL Entry Added
  • new: New Network Route Added
  • new: PDF File Created By RegEdit.EXE
  • new: Periodic Backup For System Registry Hives Enabled
  • new: Potential DLL Sideloading Of DbgModel.DLL
  • new: Potential DLL Sideloading Of MpSvc.DLL
  • new: Potential DLL Sideloading Of MsCorSvc.DLL
  • new: Potential Kapeka Decrypted Backdoor Indicator
  • new: Potential Malicious Usage of CloudTrail System Manager
  • new: Potential Suspicious Browser Launch From Document Reader Process
  • new: Potentially Suspicious Usage Of Qemu
  • new: RDS Database Security Group Modification
  • new: Renamed Microsoft Teams Execution
  • new: System Information Discovery Via Sysctl - MacOS
  • new: Time Machine Backup Deletion Attempt Via Tmutil - MacOS
  • new: Time Machine Backup Disabled Via Tmutil - MacOS
  • new: Uncommon File Creation By Mysql Daemon Process
  • new: Uncommon Process Access Rights For Target Image
  • new: Windows LAPS Credential Dump From Entra ID
  • new: Windows Recall Feature Enabled - DisableAIDataAnalysis Value Deleted
  • new: Windows Recall Feature Enabled - Registry
  • new: Windows Recall Feature Enabled Via Reg.EXE

Updated Rules

  • update: Antivirus Hacktool Detection - Add the string "mikatz" because of "HackTool:Win32/Mikatz"
  • update: Antivirus Password Dumper Detection - Add the string "mikatz" because of "HackTool:Win32/Mikatz"
  • update: CA Policy Updated by Non Approved Actor - detect using a map of fields instead of a list
  • update: Cloudflared Tunnels Related DNS Requests - Update description and related field
  • update: Copying Sensitive Files with Credential Data - Use "windash" modifier
  • update: DLL Call by Ordinal Via Rundll32.EXE - Reduced level to "medium" and moved to the threat hunting folder due to the fact that calling by ordinal can be seen by many legitimate utilities. An initial baseline needs to be set for the rule to be promoted.
  • update: Explorer Process Tree Break - Use "windash" modifier
  • update: Files With System Process Name In Unsuspected Locations - Remove old filter
  • update: LSASS Process Reconnaissance Via Findstr.EXE - Use "windash" modifier
  • update: Lolbin Unregmp2.exe Use As Proxy - Use "windash" modifier
  • update: MSSQL Add Account To Sysadmin Role - Update the "Provider_Name" to use a contains in order to account for other third party providers.
  • update: MSSQL Disable Audit Settings - Update the "Provider_Name" to use a contains in order to account for other third party providers.
  • update: MSSQL SPProcoption Set - Update the "Provider_Name" to use a contains in order to account for other third party providers.
  • update: MSSQL Server Failed Logon - Update the "Provider_Name" to use a contains in order to account for other third party providers.
  • update: MSSQL Server Failed Logon From External Network - Update the "Provider_Name" to use a contains in order to account for other third party providers.
  • update: MSSQL XPCmdshell Option Change - Update the "Provider_Name" to use a contains in order to account for other third party providers.
  • update: MSSQL XPCmdshell Suspicious Execution - Update the "Provider_Name" to use a contains in order to account for other third party providers.
  • update: Msiexec.EXE Initiated Network Connection Over HTTP - Reduced level to "low" and moved to the threat hunting folder due to a large number of matches based on VT data
  • update: Network Communication Initiated To File Sharing Domains From Process Located In Suspicious Folder - Add additional file paths
  • update: Network Connection Initiated By AddinUtil.EXE - increase level to "high" and promote the status to "test" based on VT data
  • update: Network Connection Initiated From Process Located In Potentially Suspicious Or Uncommon Location - Add additional file paths
  • update: Network Connection Initiated To AzureWebsites.NET By Non-Browser Process - Reduced the level to "medium" and added filters for "null" and empty values based on VT data
  • update: Network Connection Initiated To Mega.nz - Reduce level to "low"
  • update: New Remote Desktop Connection Initiated Via Mstsc.EXE - Use "windash" modifier
  • update: Office Application Initiated Network Connection Over Uncommon Ports - Add port "143" based on Microsoft "Microsoft 365 URLs and IP address ranges" document
  • update: Office Application Initiated Network Connection To Non-Local IP - Add "outlook.exe" to the list of processes and filter multiple IP ranges based on Microsoft "Microsoft 365 URLs and IP address ranges" document
  • update: Okta New Admin Console Behaviours - update to reflect Okta log data structure
  • update: Outbound Network Connection Initiated By Cmstp.EXE - Exclude local IPs and ranges
  • update: Password Protected Compressed File Extraction Via 7Zip - Reduced level to "low" and moved to the threat hunting folder due to a large number of matches based on VT data
  • update: Potential Dead Drop Resolvers - Add filters for "null" and empty values based on VT data
  • update: Potential Privilege Escalation via Local Kerberos Relay over LDAP - Update metadata information
  • update: Potential Proxy Execution Via Explorer.EXE From Shell Process - Update metadata and moved to Threat Hunting folder
  • update: Potential Shellcode Injection - Reduced level to "medium" and moved to the threat hunting folder due to multiple false positives caused by third-party software
  • update: Potential Suspicious Execution From GUID Like Folder Names - Reduced level to "low" and moved to the threat hunting folder
  • update: Potential System DLL Sideloading From Non System Locations - Add new entries to increase coverage
  • update: Potential Windows Defender AV Bypass Via Dump64.EXE Rename - Enhance logic
  • update: Potentially Suspicious EventLog Recon Activity Using Log Query Utilities - Add additional EventLog and ETW providers to increase coverage
  • update: Potentially Suspicious Execution From Parent Process In Public Folder - Update logic to add Image names in addition to the previous CommandLines
  • update: Potentially Suspicious PowerShell Child Processes - Reduced level to "medium" and moved to the threat hunting folder due to a large number of matches based on VT data; in addition, the logic does not look for anything inherently suspicious, only for child processes that might be "uncommon".
  • update: Process Execution From A Potentially Suspicious Folder - Update metadata and remove "\Users\Public" to avoid false positives
  • update: Rare Remote Thread Creation By Uncommon Source Image - Add dialer.exe
  • update: Recon Command Output Piped To Findstr.EXE - Update the logic to use "wildcards" instead of spaces to cover different variants and increase the coverage.
  • update: Relevant Anti-Virus Signature Keywords In Application Log - Add the string "mikatz" because of "HackTool:Win32/Mikatz"
  • update: Remote Thread Creation By Uncommon Source Image - Update filters
  • update: Remote Thread Creation In Uncommon Target Image - Update filters
  • update: Renamed ProcDump Execution - Add new flag option
  • update: Self Extracting Package Creation Via Iexpress.EXE From Potentially Suspicious Location - Use "windash" modifier
  • update: Suspicious Electron Application Child Processes - Remove unnecessary filters
  • update: Suspicious Non-Browser Network Communication With Google API - Add filters for "null" and empty values based on VT data
  • update: System File Execution Location Anomaly - Enhance filters
  • update: Uncommon Child Process Of Setres.EXE - Update logic and metadata
  • update: Uncommon Link.EXE Parent Process - Enhance the filters and metadata
  • update: Windows Defender Threat Detection Service Disabled - Add the French keyword for "stopped" to increase coverage for Windows installations that use the French language

Removed / Deprecated Rules

  • remove: Potential NT API Stub Patching
  • remove: Potential Persistence Via COM Hijacking From Suspicious Locations - Deprecated because of incorrect logic, replaced by "790317c0-0a36-4a6a-a105-6e576bf99a14"

Fixed Rules

  • fix: Application Removed Via Wmic.EXE - Add missing "all" modifier to fix the broken logic.
  • fix: Csc.EXE Execution Form Potentially Suspicious Parent - Fix typo in regex
  • fix: Dllhost.EXE Initiated Network Connection To Non-Local IP Address - Filter out an additional Microsoft IP block and moved to the threat hunting folder due to a large number of matches based on VT data
  • fix: Dynamic .NET Compilation Via Csc.EXE - Fix typo in regex
  • fix: Filter Driver Unloaded Via Fltmc.EXE - Add exclusion for ManageEngine
  • fix: Forest Blizzard APT - File Creation Activity - Fix typo in filename
  • fix: New RUN Key Pointing to Suspicious Folder - Enhance filter to fix new false positive found in testing
  • fix: Potential Bucket Enumeration on AWS - Fix error in field name
  • fix: Potential Exploitation of CVE-2024-3094 - Suspicious SSH Child Process - Remove selection_2 as it generates tons of false positives.
  • fix: Suspicious Child Process Of Wermgr.EXE - Exclude "WerConCpl.dll"

Acknowledgement

Thanks to @BIitzkrieg, @celalettin-turgut, @CR-OfirTal, @CTI-Driven, @cY83rR0H1t, @cygnetix, @DefenderDaniel, @deFr0ggy, @DFIR-jwedd, @dr0pd34d, @faisalusuf, @fornotes, @frack113, @himynamesdave, @jamesc-grafana, @jeremyhagan, @joshnck, @kelnage, @nasbench, @Neo23x0, @netgrain, @nischalkhadgi62, @prashanthpulisetti, @pratinavchandra, @qasimqlf, @rahulchandran19, @ruppde, @ryanplasma, @skaynum, @Snp3r, @ssnkhan, @swachchhanda000, @tomaszdyduch, @vburov for their contributions to this release

Which Sigma rule package should I use?

A detailed explanation can be found in the Releases.md file. If you are new to Sigma, we recommend starting with the "Core" ruleset.

The latest release package on GitHub can always be found here.