Release r2024-05-13

@github-actions github-actions released this 13 May 17:50
· 189 commits to master since this release
ed789f5

New Rules

  • new: Access To Windows Outlook Mail Files By Uncommon Application
  • new: All Backups Deleted Via Wbadmin.EXE
  • new: File Recovery From Backup Via Wbadmin.EXE
  • new: Launch Agent/Daemon Execution Via Launchctl
  • new: New Firewall Rule Added In Windows Firewall Exception List Via WmiPrvSE.EXE
  • new: New RDP Connection Initiated From Domain Controller
  • new: New Windows Firewall Rule Added Via New-NetFirewallRule Cmdlet
  • new: New Windows Firewall Rule Added Via New-NetFirewallRule Cmdlet - ScriptBlock
  • new: Potential Packet Capture Activity Via Start-NetEventSession - ScriptBlock
  • new: Potentially Suspicious Child Process Of KeyScrambler.exe
  • new: Potentially Suspicious Malware Callback Communication - Linux
  • new: Sensitive File Dump Via Wbadmin.EXE
  • new: Sensitive File Recovery From Backup Via Wbadmin.EXE
  • new: Suspicious External WebDAV Execution
  • new: UAC Notification Disabled
  • new: UAC Secure Desktop Prompt Disabled

Updated Rules

  • update: New Firewall Rule Added In Windows Firewall Exception List For Potential Suspicious Application - Add new EID and paths
  • update: Potentially Suspicious Execution Of PDQDeployRunner - Add additional processes to the list
  • update: Scheduled Task Creation From Potential Suspicious Parent Location - Add additional "temporary folder" locations
  • update: UAC Disabled - update metadata
  • update: Uncommon New Firewall Rule Added In Windows Firewall Exception List - Add new EID and paths
  • update: Use Icacls to Hide File to Everyone - Remove "C:\Users" to increase coverage
  • update: Windows Backup Deleted Via Wbadmin.EXE - Enhance logic and increase coverage

Removed / Deprecated Rules

  • remove: Search-ms and WebDAV Suspicious Indicators in URL

Fixed Rules

  • fix: Forest Blizzard APT - Process Creation Activity - Typo in modifier

Acknowledgement

Thanks to @ahmedfarou22, @frack113, @hasselj, @joshnck, @nasbench, @pratinavchandra, @swachchhanda000 for their contributions to this release

Which Sigma rule package should I use?

A detailed explanation can be found in the Releases.md file. If you are new to Sigma, we recommend starting with the "Core" ruleset.

The latest release package on GitHub can always be found here.