
Release r2024-12-19

Released by @github-actions on 19 Dec 19:46 (commit e8a6894)

New Rules

  • new: AWS Key Pair Import Activity
  • new: AWS SAML Provider Deletion Activity
  • new: CVE-2024-50623 Exploitation Attempt - Cleo
  • new: DNS Query Request By QuickAssist.EXE
  • new: Lummac Stealer Activity - Execution Of More.com And Vbc.exe
  • new: Modification or Deletion of an AWS RDS Cluster
  • new: New AWS Lambda Function URL Configuration Created
  • new: Potential File Extension Spoofing Using Right-to-Left Override
  • new: Potentially Suspicious Azure Front Door Connection
  • new: QuickAssist Execution
  • new: Setup16.EXE Execution With Custom .Lst File
  • new: Suspicious ShellExec_RunDLL Call Via Ordinal

Updated Rules

  • update: App Assigned To Azure RBAC/Microsoft Entra Role - Add a constraint to limit the detection to service principal only
  • update: COM Object Hijacking Via Modification Of Default System CLSID Default Value - Add 2 additional built-in COM object GUIDs that were seen being used for hijacking
  • update: COM Object Hijacking Via Modification Of Default System CLSID Default Value - Add {603D3801-BD81-11d0-A3A5-00C04FD706EC}
  • update: DNS Query To Remote Access Software Domain From Non-Browser App - Add getscreen.me
  • update: File and Directory Discovery - Linux - Add 2 additional binaries, "findmnt" and "mlocate"
  • update: GALLIUM IOCs - remove custom dedicated hash fields
  • update: HackTool - CoercedPotato Execution - remove custom dedicated hash fields
  • update: HackTool - CreateMiniDump Execution - remove custom dedicated hash fields
  • update: HackTool - GMER Rootkit Detector and Remover Execution - remove custom dedicated hash fields
  • update: HackTool - HandleKatz LSASS Dumper Execution - remove custom dedicated hash fields
  • update: HackTool - Impersonate Execution - remove custom dedicated hash fields
  • update: HackTool - LocalPotato Execution - remove custom dedicated hash fields
  • update: HackTool - PCHunter Execution - remove custom dedicated hash fields
  • update: HackTool - PPID Spoofing SelectMyParent Tool Execution - remove custom dedicated hash fields
  • update: HackTool - SharpEvtMute DLL Load - remove custom dedicated hash fields
  • update: HackTool - Stracciatella Execution - remove custom dedicated hash fields
  • update: HackTool - SysmonEOP Execution - remove custom dedicated hash fields
  • update: HackTool - UACMe Akagi Execution - remove custom dedicated hash fields
  • update: HackTool - Windows Credential Editor (WCE) Execution - remove custom dedicated hash fields
  • update: HackTool Named File Stream Created - remove custom dedicated hash fields
  • update: Hacktool Execution - Imphash - remove custom dedicated hash fields
  • update: Local System Accounts Discovery - Linux - Add additional binaries that can read password files, such as "less" and "emacs", as well as additional password file locations, such as "/etc/pwd.db"
  • update: Mail Forwarding/Redirecting Activity In O365 - Add additional parameters to increase coverage
  • update: Malicious DLL Load By Compromised 3CXDesktopApp - remove custom dedicated hash fields
  • update: MpiExec Lolbin - remove custom dedicated hash fields
  • update: PUA - Fast Reverse Proxy (FRP) Execution - remove custom dedicated hash fields
  • update: PUA - NPS Tunneling Tool Execution - remove custom dedicated hash fields
  • update: PUA - Nimgrab Execution - remove custom dedicated hash fields
  • update: PUA - Process Hacker Driver Load - remove custom dedicated hash fields
  • update: PUA - Process Hacker Execution - remove custom dedicated hash fields
  • update: PUA - System Informer Driver Load - remove custom dedicated hash fields
  • update: PUA - System Informer Execution - remove custom dedicated hash fields
  • update: PUA- IOX Tunneling Tool Execution - remove custom dedicated hash fields
  • update: Password Policy Discovery - Linux - Add additional new paths for "pam.d", namely "/etc/pam.d/common-account", "/etc/pam.d/common-auth" and "/etc/pam.d/auth"
  • update: Potential Compromised 3CXDesktopApp Execution - remove custom dedicated hash fields
  • update: Potential Defense Evasion Via Rename Of Highly Relevant Binaries - Add ie4uinit.exe and msxsl.exe to old binary rename rule
  • update: Potential Secure Deletion with SDelete - Enhance metadata
  • update: Potential SquiblyTwo Technique Execution - remove custom dedicated hash fields
  • update: Potentially Suspicious Cabinet File Expansion - Add new paths for built-in shares
  • update: Process Discovery - Add additional processes like "htop" and "atop"
  • update: Remote Access Tool - NetSupport Execution From Unusual Location - remove custom dedicated hash fields
  • update: Remote Access Tool Services Have Been Installed - Security - Add anydesk
  • update: Renamed AdFind Execution - remove custom dedicated hash fields
  • update: Renamed AutoIt Execution - remove custom dedicated hash fields
  • update: Renamed NetSupport RAT Execution - remove custom dedicated hash fields
  • update: Renamed PAExec Execution - remove custom dedicated hash fields
  • update: System Owner or User Discovery - Linux - Add 4 additional tools that can be used for host and user discovery: "whoami", "hostname", "id", "last"
  • update: Terminate Linux Process Via Kill - Add "xkill"
  • update: Vulnerable HackSys Extreme Vulnerable Driver Load - remove custom dedicated hash fields
  • update: Vulnerable WinRing0 Driver Load - remove custom dedicated hash fields
  • update: Webshell Detection With Command Line Keywords - Add suspicious powershell commandline keywords
  • update: WinDivert Driver Load - remove custom dedicated hash fields

Fixed Rules

  • fix: Creation of WerFault.exe/Wer.dll in Unusual Folder - Add filter for windows update/installation folder C:\Windows\SoftwareDistribution\
  • fix: FPs with NetNTLM downgrade attack (#5108)
  • fix: NetNTLM Downgrade Attack - Registry - Tune the rule for specific registry values in order to reduce FP rate.
  • fix: Suspicious Process By Web Server Process - Fix typo in "ntdsutil" process name
  • fix: Suspicious SYSTEM User Process Creation - filter false positives with Google Updater uninstall script
  • fix: bXOR Operator Usage In PowerShell Command Line - PowerShell Classic - Update the logic to remove unrelated keywords and reduce unwanted matches.

Acknowledgement

Thanks to @AlbinoGazelle, @CheraghiMilad, @cod3nym, @dan21san, @djlukic, @faisalusuf, @frack113, @gregorywychowaniec-zt, @IsaacDunham, @jstnk9, @Koifman, @MalGamy12, @mgreen27, @nasbench, @Neo23x0, @randomaccess3, @saakovv, @swachchhanda000 for their contributions to this release.

Which Sigma rule package should I use?

A detailed explanation can be found in the Releases.md file. If you are new to Sigma, we recommend starting with the "Core" ruleset.

The latest release package on GitHub can always be found here.