Release r2023-12-21

@github-actions github-actions released this 21 Dec 20:12
· 169 commits to master since this release
e052677

New Rules

  • new: Access To Potentially Sensitive Sysvol Files By Uncommon Application
  • new: Access To Sysvol Policies Share By Uncommon Process
  • new: Cloudflared Portable Execution
  • new: Cloudflared Quick Tunnel Execution
  • new: Cloudflared Tunnels Related DNS Requests
  • new: Communication To Uncommon Destination Ports
  • new: Compressed File Creation Via Tar.EXE
  • new: Compressed File Extraction Via Tar.EXE
  • new: DLL Names Used By SVR For GraphicalProton Backdoor
  • new: Enable LM Hash Storage
  • new: Enable LM Hash Storage - ProcCreation
  • new: Potential Base64 Decoded From Images
  • new: Potentially Suspicious Desktop Background Change Using Reg.EXE
  • new: Potentially Suspicious Desktop Background Change Via Registry
  • new: Potentially Suspicious Execution Of Regasm/Regsvcs With Uncommon Extension
  • new: Renamed Cloudflared.EXE Execution
  • new: Scheduled Tasks Names Used By SVR For GraphicalProton Backdoor
  • new: Scheduled Tasks Names Used By SVR For GraphicalProton Backdoor - Task Scheduler
  • new: System Information Discovery Using Ioreg
  • new: System Information Discovery Using sw_vers
  • new: System Information Discovery Via Wmic.EXE

Updated Rules

  • update: ADFS Database Named Pipe Connection By Uncommon Tool - Enhance coverage by improving paths selection
  • update: Access To Browser Credential Files By Uncommon Application - Increase level to medium and enhance filters and selections
  • update: Account Created And Deleted By Non Approved Users - Add missing expand modifier
  • update: Add Potential Suspicious New Download Source To Winget - Reduce level to medium
  • update: Authentication Occuring Outside Normal Business Hours - Add missing expand modifier
  • update: Cloudflared Tunnel Connections Cleanup - Enhanced CLI flag selection to remove the unnecessary double dash
  • update: Cloudflared Tunnel Execution - Enhanced CLI flag selection to remove the unnecessary double dash
  • update: CodeIntegrity - Unmet Signing Level Requirements By File Under Validation - Reduce level to low
  • update: Compress-Archive Cmdlet Execution - Reduced level to low and moved to Threat Hunting folder.
  • update: Copy From Or To Admin Share Or Sysvol Folder - Enhance selection to be more accurate
  • update: Disabled Volume Snapshots - Update logic by removing the reg string to also account for potential renamed executions
  • update: Eventlog Cleared - Update FP filter to remove "Application" log and increase coverage
  • update: Failed Code Integrity Checks - Reduce level to informational
  • update: Folder Compress To Potentially Suspicious Output Via Compress-Archive Cmdlet - Update logic to be more specific
  • update: HH.EXE Execution - Reduce level to low
  • update: Interactive Logon to Server Systems - Add missing expand modifier
  • update: Locked Workstation - Reduce level to informational
  • update: Malicious Driver Load By Name - Increase coverage based on LOLDrivers data
  • update: Malware User Agent
  • update: Meterpreter or Cobalt Strike Getsystem Service Installation - Security - Reduce level to high and restructure selections
  • update: Meterpreter or Cobalt Strike Getsystem Service Installation - System - Reduce level to high and restructure selections
  • update: PUA - Nmap/Zenmap Execution - Reduce level to medium
  • update: PUA - Process Hacker Execution - Reduce level to medium
  • update: PUA - Radmin Viewer Utility Execution - Reduce level to medium
  • update: Potential Credential Dumping Activity Via LSASS - Reduce level to medium and comment out noisy access masks
  • update: Potential Pass the Hash Activity - Add missing expand modifier
  • update: Potential PowerShell Execution Policy Tampering - Remove "RemoteSigned" as it doesn't fit with the current logic
  • update: Potential Recon Activity Via Nltest.EXE - Add dnsgetdc coverage and enhance logic by removing /
  • update: Potential System DLL Sideloading From Non System Locations - Enhance logic by removing hardcoded C: value to account for other potential system locations
  • update: Potential Zerologon (CVE-2020-1472) Exploitation - Add missing expand modifier
  • update: Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location - Reduce level to medium and update logic
  • update: Potentially Suspicious Malware Callback Communication - Increase coverage by adding additional ports
  • update: PowerShell Execution With Potential Decryption Capabilities
  • update: Privilege Role Elevation Not Occuring on SAW or PAW - Add missing expand modifier
  • update: Privilege Role Sign-In Outside Expected Controls - Add missing expand modifier
  • update: Privilege Role Sign-In Outside Of Normal Hours - Add missing expand modifier
  • update: Remote Registry Management Using Reg Utility - Add missing expand modifier
  • update: RestrictedAdminMode Registry Value Tampering - ProcCreation - Update the logic to ignore the data value, as this registry value has legitimate use cases whether it is "0" or "1"
  • update: RestrictedAdminMode Registry Value Tampering - Update the logic to ignore the data value, as this registry value has legitimate use cases whether it is "0" or "1"
  • update: Rundll32 Execution With Uncommon DLL Extension - Enhance DLL extension list
  • update: LSASS Access From Non System Account - Reduce level to medium and enhance false positive filters
  • update: Suspicious Executable File Creation - Enhance coverage by removing hardcoded "C:"
  • update: Suspicious Program Location with Network Connections - Increase accuracy by enhancing the selection to focus on the start of the folder and partition
  • update: Suspicious Schtasks From Env Var Folder - Reduce level to medium
  • update: Suspicious Shim Database Patching Activity - Add new processes to increase coverage
  • update: Uncommon Extension Shim Database Installation Via Sdbinst.EXE - Reduce level to medium
  • update: Uncommon System Information Discovery Via Wmic.EXE - Updated logic to focus on a more specific WMIC query sequence in order to increase the level, and added a related rule to cover the gaps left in d85ecdd7-b855-4e6e-af59-d9c78b5b861e
  • update: WMI Event Consumer Created Named Pipe - Reduce level to medium
  • update: Whoami Utility Execution - Reduce level to low
  • update: Whoami.EXE Execution With Output Option - Reduce level to medium
  • update: Windows Defender Malware Detection History Deletion - Reduce level to informational
  • update: Write Protect For Storage Disabled - Update logic by removing the reg string to also account for potential renamed executions
  • update: Zip A Folder With PowerShell For Staging In Temp - PowerShell - Update logic to be more specific
  • update: Zip A Folder With PowerShell For Staging In Temp - PowerShell Module - Update logic to be more specific
  • update: Zip A Folder With PowerShell For Staging In Temp - PowerShell Script - Update logic to be more specific

Removed / Deprecated Rules

  • remove: Credential Dumping Tools Service Execution
  • remove: New Service Uses Double Ampersand in Path
  • remove: PowerShell Scripts Run by a Services
  • remove: Powershell File and Directory Discovery
  • remove: Security Event Log Cleared
  • remove: Suspicious Get-WmiObject
  • remove: Windows Defender Threat Detection Disabled

Fixed Rules

  • fix: Access To Windows Credential History File By Uncommon Application - Enhance FP filters
  • fix: Access To Windows DPAPI Master Keys By Uncommon Application - Enhance FP filters
  • fix: Amsi.DLL Load By Uncommon Process - Moved to threat hunting folder and updated false positive filters to remove hardcoded C:
  • fix: Bad Opsec Defaults Sacrificial Processes With Improper Arguments - Typo in condition
  • fix: Credential Manager Access By Uncommon Application - Enhance FP filters
  • fix: Elevated System Shell Spawned From Uncommon Parent Location - Enhance FP filters
  • fix: Execution of Suspicious File Type Extension - Add new extensions to reduce FP
  • fix: HackTool - EfsPotato Named Pipe Creation - Add exclusion for pipe names starting with \pipe\
  • fix: Important Windows Eventlog Cleared - Update selection to remove "Application" log as it was generating a lot of FP in some environments
  • fix: Malicious PowerShell Commandlets - ScriptBlock - Remove some part of the selection due to FP matches as they were generic cmdlet names
  • fix: PSScriptPolicyTest Creation By Uncommon Process - Add new filter for "sdiagnhost"
  • fix: Potential Direct Syscall of NtOpenProcess - Add "Adobe" filter
  • fix: Potential Shim Database Persistence via Sdbinst.EXE - Update FP filter for "iisexpressshim" sdb
  • fix: Potentially Suspicious AccessMask Requested From LSASS - Add new FP filter for "procmon" process
  • fix: PowerView PowerShell Cmdlets - ScriptBlock - Remove some part of the selection due to FP matches as they were generic cmdlet names
  • fix: Relevant Anti-Virus Signature Keywords In Application Log - Update false positive filters
  • fix: Remote Access Tool Services Have Been Installed - Security - Fix typo in field name
  • fix: Suspicious Command Patterns In Scheduled Task Creation - Fix error in modifier usage
  • fix: Suspicious File Creation Activity From Fake Recycle.Bin Folder - Remove RECYCLE.BIN\ as it was added as a typo and is a legitimate location.
  • fix: Suspicious Office Outbound Connections - Enhanced the filter by adding new ports that cause FP with SMTP and IMAP communications
  • fix: Suspicious SYSTEM User Process Creation - Add additional filters to cover both Program Files folders for FP with Java process
  • fix: Uncommon Child Process Of Conhost.EXE - Add new FP filters
  • fix: Uncommon File Created In Office Startup Folder - Add new extension to filter out FP generated with MS Access databases
  • fix: Uncommon PowerShell Hosts - Moved to threat hunting folder and updated false positive filter list
  • fix: Unusual Parent Process For Cmd.EXE - Fix typo in wermgr process name
  • fix: Use Of Remove-Item to Delete File - ScriptBlock - Moved to threat hunting folder and updated logic to be more accurate
  • fix: User with Privileges Logon - Move to placeholder rules and update the FP filter to account for different workstations
  • fix: WMI Module Loaded By Uncommon Process - Moved to threat hunting folder and updated and restructured false positive filters
  • fix: Windows Event Auditing Disabled - Enhance list of false positive filters with additional GUID
  • fix: LSASS Access From Program In Potentially Suspicious Folder - Filter out Webex binary

Acknowledgement

Thanks to @AaronS97, @AdmU3, @Blackmore-Robert, @celalettin-turgut, @frack113, @GtUGtHGtNDtEUaE, @jstnk9, @mcdave2k1, @mostafa, @nasbench, @phantinuss, @qasimqlf, @ruppde, @slincoln-aiq, @ssnkhan, @swachchhanda000, @tr0mb1r, @X-Junior for their contributions to this release.

Which Sigma rule package should I use?

A detailed explanation can be found in the Releases.md file. If you are new to Sigma, we recommend starting with the "Core" ruleset.

The latest release package on GitHub can always be found here.