Release r2024-05-13
github-actions
released this
13 May 17:50
·
189 commits
to master
since this release
New Rules
- new: Access To Windows Outlook Mail Files By Uncommon Application
- new: All Backups Deleted Via Wbadmin.EXE
- new: File Recovery From Backup Via Wbadmin.EXE
- new: Launch Agent/Daemon Execution Via Launchctl
- new: New Firewall Rule Added In Windows Firewall Exception List Via WmiPrvSE.EXE
- new: New RDP Connection Initiated From Domain Controller
- new: New Windows Firewall Rule Added Via New-NetFirewallRule Cmdlet
- new: New Windows Firewall Rule Added Via New-NetFirewallRule Cmdlet - ScriptBlock
- new: Potential Packet Capture Activity Via Start-NetEventSession - ScriptBlock
- new: Potentially Suspicious Child Process Of KeyScrambler.exe
- new: Potentially Suspicious Malware Callback Communication - Linux
- new: Sensitive File Dump Via Wbadmin.EXE
- new: Sensitive File Recovery From Backup Via Wbadmin.EXE
- new: Suspicious External WebDAV Execution
- new: UAC Notification Disabled
- new: UAC Secure Desktop Prompt Disabled
Updated Rules
- update: New Firewall Rule Added In Windows Firewall Exception List For Potential Suspicious Application - Add new EID and paths
- update: Potentially Suspicious Execution Of PDQDeployRunner - Add additional processes to the list
- update: Scheduled Task Creation From Potential Suspicious Parent Location - Add additional "temporary folder" locations.
- update: UAC Disabled - update metadata
- update: Uncommon New Firewall Rule Added In Windows Firewall Exception List - Add new EID and paths
- update: Use Icacls to Hide File to Everyone - Remove "C:\Users" to increase coverage
- update: Windows Backup Deleted Via Wbadmin.EXE - Enhance logic and increase coverage
Removed / Deprecated Rules
- remove: Search-ms and WebDAV Suspicious Indicators in URL
Fixed Rules
- fix: Forest Blizzard APT - Process Creation Activity - Typo in modifier
Acknowledgement
Thanks to @ahmedfarou22, @frack113, @hasselj, @joshnck, @nasbench, @pratinavchandra, @swachchhanda000 for their contribution to this release
Which Sigma rule package should I use?
A detailed explanation can be found in the Releases.md file. If you are new to Sigma, we recommend starting with the "Core" ruleset.
The latest release package on GitHub can always be found here.