Skip to content

Release r2023-12-04
Compare
Choose a tag to compare
@github-actions github-actions released this 04 Dec 16:59
· 186 commits to master since this release
r2023-12-04
f07e2b3
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Learn about vigilant mode.

New Rules

  • new: CVE-2023-4966 Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Proxy
  • new: CVE-2023-4966 Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Webserver
  • new: CVE-2023-4966 Potential Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Proxy
  • new: CVE-2023-4966 Potential Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Webserver
  • new: Chromium Browser Instance Executed With Custom Extension
  • new: Credential Dumping Activity By Python Based Tool
  • new: Exploitation Attempt Of CVE-2023-46214 Using Public POC Code
  • new: HackTool - Generic Process Access
  • new: HackTool - WinPwn Execution
  • new: HackTool - WinPwn Execution - ScriptBlock
  • new: Invocation Of Crypto-Classes From The "Cryptography" PowerShell Namespace
  • new: Load Of RstrtMgr DLL From Suspicious Process
  • new: Load Of RstrtMgr.DLL By An Uncommon Process
  • new: New Netsh Helper DLL Registered From A Suspicious Location
  • new: Potential CVE-2023-46214 Exploitation Attempt
  • new: Potential Linux Process Code Injection Via DD Utility
  • new: Potential Persistence Via Netsh Helper DLL - Registry
  • new: Registry Set With Crypto-Classes From The "Cryptography" PowerShell Namespace
  • new: Suspicious Path In Keyboard Layout IME File Registry Value
  • new: Uncommon Extension In Keyboard Layout IME File Registry Value
  • new: Wusa.EXE Executed By Parent Process Located In Suspicious Location

Updated Rules

  • update: Credential Dumping Activity Via Lsass - Update selection to increase coverage and filters to tune false positives
  • update: Credential Dumping Attempt Via WerFault - Update title
  • update: Enabling COR Profiler Environment Variables - Add additional values to increase coverage for potential COR CLR profiler abuse
  • update: Exchange Exploitation Used by HAFNIUM - Add related ATT&CK group tag
  • update: Function Call From Undocumented COM Interface EditionUpgradeManager - Reduce level to medium
  • update: HackTool - CobaltStrike BOF Injection Pattern - Update title
  • update: HackTool - HandleKatz Duplicating LSASS Handle - Update title
  • update: HackTool - LittleCorporal Generated Maldoc Injection - Update title
  • update: HackTool - SysmonEnte Execution - Add additional location of Sysmon, update title and filters
  • update: HackTool - winPEAS Execution - Add additional image names for winPEAS
  • update: LSASS Access From Potentially White-Listed Processes - Update title and description
  • update: LSASS Access From Program In Potentially Suspicious Folder - Update filters to take into account other drivers than C:
  • update: LSASS Memory Access by Tool With Dump Keyword In Name - Update title and description
  • update: Lsass Memory Dump via Comsvcs DLL - Reduce level and remove path from filter to account for any location of rundll32
  • update: Malware Shellcode in Verclsid Target Process - Move to hunting folder
  • update: Potential Credential Dumping Attempt Via PowerShell - Reduce level to medium, update description and move to hunting folder
  • update: Potential Defense Evasion Via Raw Disk Access By Uncommon Tools - Update filters and metadata
  • update: Potential Operation Triangulation C2 Beaconing Activity - DNS - Add related ATT&CK group tag
  • update: Potential Persistence Via Netsh Helper DLL - Reduced severity and enhance metadata information
  • update: Potential Process Hollowing Activity - Update FP filter
  • update: Potential Shellcode Injection - Update title and enhance false positive filter
  • update: Potentially Suspicious GrantedAccess Flags On LSASS -
  • update: Remote LSASS Process Access Through Windows Remote Management - Update title, description and filter to account for installation other than C:
  • update: Suspicious Chromium Browser Instance Executed With Custom Extension - Fix typo in the rule title and description
  • update: Suspicious DNS Query for IP Lookup Service APIs - add several external IP lookup services to existing list
  • update: Suspicious Network Connection to IP Lookup Service APIs - add several external IP lookup services to existing list
  • update: Suspicious Svchost Process Access - Enhance filter to account for installation in non C: locations
  • update: Uncommon GrantedAccess Flags On LSASS - Enhance false positive filter
  • update: Wusa.EXE Extracting Cab Files From Suspicious Paths - Tune the list of paths to be less FP prone

Removed / Deprecated Rules

  • remove: Credential Dumping Tools Accessing LSASS Memory

Fixed Rules

  • fix: File or Folder Permissions Modifications - FPs with partial paths
  • fix: Import New Module Via PowerShell CommandLine - Fix typo in condition
  • fix: Mint Sandstorm - Log4J Wstomcat Process Execution - Add missing filter
  • fix: Potential NT API Stub Patching - Tune FP filter
  • fix: WMI Module Loaded By Non Uncommon Process - Fix typo in the rule filter

Acknowledgement

Thanks to @0x616c6578, @AaronHoffmannRL, @bohops, @EzLucky, @frack113, @himynamesdave, @joshnck, @nasbench, @netgrain, @phantinuss, @qasimqlf, @skaynum, @StevenD33, @swachchhanda000, @ts-lbf, @X-Junior for their contribution to this release

Which Sigma rule package should I use?

A detailed explanation can be found in the Releases.md file. If you are new to Sigma, we recommend starting with the "Core" ruleset.

The latest release package on GitHub can always be found here.

Contributors

himynamesdave, nasbench, and 14 other contributors
Assets 7