CSEC_PUBLIC/WELA
1
0
Fork 0
mirror of https://github.com/Yamato-Security/WELA.git synced 2026-01-23 16:33:32 +01:00
Code Issues Packages Projects Releases Wiki Activity

Sigma Rule Update (2025-11-29 20:14:58) (#174)

Browse Source 
Co-authored-by: YamatoSecurity <YamatoSecurity@users.noreply.github.com>
This commit is contained in:
github-actions[bot]
2025-11-29 20:15:04 +00:00
committed by GitHub
parent 7cc80c3f58
commit 00db379c6b
1 changed files with 249 additions and 150 deletions
Download Patch File Download Diff File Expand all files Collapse all files

399
config/security_rules.json
View File

@@ -287,8 +287,8 @@
"TA0005",
"T1059.001",
"T1036.003",
"T1036",
"T1059"
"T1059",
"T1036"
],
"title": "Renamed Powershell Under Powershell Channel"
},
@@ -424,8 +424,8 @@
"T1059.001",
"TA0008",
"T1021.006",
"T1021",
"T1059"
"T1059",
"T1021"
],
"title": "Remote PowerShell Session (PS Classic)"
},
@@ -1173,8 +1173,8 @@
"T1529",
"attack.g0091",
"attack.s0363",
"T1071",
"T1059"
"T1059",
"T1071"
],
"title": "Silence.EDA Detection"
},
@@ -1503,8 +1503,8 @@
"T1552.001",
"T1555",
"T1555.003",
"T1552",
"T1548"
"T1548",
"T1552"
],
"title": "HackTool - WinPwn Execution - ScriptBlock"
},
@@ -5015,8 +5015,8 @@
"T1615",
"T1569.002",
"T1574.005",
"T1569",
"T1574"
"T1574",
"T1569"
],
"title": "HackTool - SharpUp PrivEsc Tool Execution"
},
@@ -5555,9 +5555,9 @@
"T1218.007",
"TA0002",
"T1059.001",
"T1218",
"T1059",
"T1027",
"T1218"
"T1027"
],
"title": "Obfuscated PowerShell MSI Install via WindowsInstaller COM"
},
@@ -6203,8 +6203,8 @@
"TA0002",
"T1059.007",
"cve.2020-1599",
"T1059",
"T1218"
"T1218",
"T1059"
],
"title": "MSHTA Execution with Suspicious File Extensions"
},
@@ -6538,8 +6538,8 @@
"T1563.002",
"T1021.001",
"car.2013-07-002",
"T1563",
"T1021"
"T1021",
"T1563"
],
"title": "Suspicious RDP Redirect Using TSCON"
},
@@ -6992,28 +6992,6 @@
],
"title": "Suspicious Splwow64 Without Params"
},
{
"category": "process_creation",
"channel": [
"sec"
],
"description": "Detects potentially suspicious subprocesses such as LOLBINs spawned by web browsers. This activity could be associated with the \"FileFix\" social engineering technique,\nwhere users are tricked into launching the file explorer via a browser-based phishing page and pasting malicious commands into the address bar.\nThe technique abuses clipboard manipulation and disguises command execution as benign file path access, resulting in covert execution of system utilities.\n",
"event_ids": [
"4688"
],
"id": "0b4162ed-2534-2656-6d4a-8d2ad218617b",
"level": "high",
"service": "",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"tags": [
"TA0002",
"T1204.004",
"T1204"
],
"title": "FileFix - Suspicious Child Process from Browser File Upload Abuse"
},
{
"category": "process_creation",
"channel": [
@@ -7346,8 +7324,8 @@
"T1482",
"T1069.002",
"stp.1u",
"T1069",
"T1087"
"T1087",
"T1069"
],
"title": "PUA - AdFind Suspicious Execution"
},
@@ -7880,8 +7858,8 @@
"TA0005",
"T1036.004",
"T1036.005",
"T1036",
"T1053"
"T1053",
"T1036"
],
"title": "Scheduled Task Creation Masquerading as System Processes"
},
@@ -9440,8 +9418,8 @@
"T1564.004",
"T1552.001",
"T1105",
"T1564",
"T1552"
"T1552",
"T1564"
],
"title": "Remote File Download Via Findstr.EXE"
},
@@ -10172,8 +10150,8 @@
"T1562.001",
"TA0006",
"T1003.001",
"T1003",
"T1562"
"T1562",
"T1003"
],
"title": "PPL Tampering Via WerFaultSecure"
},
@@ -11069,8 +11047,8 @@
"T1218.010",
"TA0002",
"TA0005",
"T1204",
"T1218"
"T1218",
"T1204"
],
"title": "Suspicious WMIC Execution Via Office Process"
},
@@ -11262,9 +11240,9 @@
"TA0011",
"T1071.004",
"T1132.001",
"T1132",
"T1071",
"T1048"
"T1048",
"T1132"
],
"title": "DNS Exfiltration and Tunneling Tools Execution"
},
@@ -11810,8 +11788,8 @@
"T1047",
"T1204.002",
"T1218.010",
"T1204",
"T1218"
"T1218",
"T1204"
],
"title": "Suspicious WmiPrvSE Child Process"
},
@@ -11879,8 +11857,8 @@
"TA0002",
"T1059.001",
"T1562.001",
"T1059",
"T1562"
"T1562",
"T1059"
],
"title": "Obfuscated PowerShell OneLiner Execution"
},
@@ -13412,8 +13390,8 @@
"T1087.002",
"T1482",
"T1069.002",
"T1087",
"T1069"
"T1069",
"T1087"
],
"title": "Renamed AdFind Execution"
},
@@ -14351,6 +14329,28 @@
],
"title": "HackTool - SharpEvtMute Execution"
},
{
"category": "process_creation",
"channel": [
"sec"
],
"description": "Detects suspicious FileFix execution patterns where users are tricked into running malicious commands through browser file upload dialog manipulation.\nThis attack typically begins when users visit malicious websites impersonating legitimate services or news platforms,\nwhich may display fake CAPTCHA challenges or direct instructions to open file explorer and paste clipboard content.\nThe clipboard content usually contains commands that download and execute malware, such as information stealing tools.\n",
"event_ids": [
"4688"
],
"id": "39a7ff4f-7a61-5234-9aa3-5b9e4e7a5871",
"level": "high",
"service": "",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"tags": [
"TA0002",
"T1204.004",
"T1204"
],
"title": "Suspicious FileFix Execution Pattern"
},
{
"category": "process_creation",
"channel": [
@@ -16711,8 +16711,8 @@
"T1087.002",
"T1069.002",
"T1482",
"T1087",
"T1069"
"T1069",
"T1087"
],
"title": "Active Directory Database Snapshot Via ADExplorer"
},
@@ -18106,8 +18106,8 @@
"TA0002",
"T1552.004",
"T1059.001",
"T1552",
"T1059"
"T1059",
"T1552"
],
"title": "Certificate Exported Via PowerShell"
},
@@ -18174,8 +18174,8 @@
"T1218.011",
"TA0006",
"T1003.001",
"T1003",
"T1218"
"T1218",
"T1003"
],
"title": "Process Access via TrolleyExpress Exclusion"
},
@@ -18359,8 +18359,8 @@
"TA0003",
"T1543.003",
"T1574.011",
"T1543",
"T1574"
"T1574",
"T1543"
],
"title": "Potential Persistence Attempt Via Existing Service Tampering"
},
@@ -21004,8 +21004,8 @@
"TA0005",
"T1218.014",
"T1036.002",
"T1204",
"T1036",
"T1204",
"T1218"
],
"title": "MMC Executing Files with Reversed Extensions Using RTLO Abuse"
@@ -21135,8 +21135,8 @@
"TA0005",
"T1219.002",
"T1036.003",
"T1219",
"T1036"
"T1036",
"T1219"
],
"title": "Remote Access Tool - Renamed MeshAgent Execution - Windows"
},
@@ -21478,8 +21478,8 @@
"T1047",
"T1204.002",
"T1218.010",
"T1204",
"T1218"
"T1218",
"T1204"
],
"title": "Suspicious Microsoft Office Child Process"
},
@@ -21561,12 +21561,12 @@
"T1547.002",
"T1557",
"T1082",
"T1547",
"T1574",
"T1546",
"T1564",
"T1505",
"T1546",
"T1556",
"T1547",
"T1574"
"T1556"
],
"title": "Potential Suspicious Activity Using SeCEdit"
},
@@ -22397,8 +22397,8 @@
"TA0008",
"T1059.001",
"T1021.006",
"T1059",
"T1021"
"T1021",
"T1059"
],
"title": "Remote PowerShell Session Host Process (WinRM)"
},
@@ -22695,9 +22695,9 @@
"TA0005",
"T1218.005",
"T1027.004",
"T1027",
"T1218",
"T1059",
"T1218"
"T1027"
],
"title": "Csc.EXE Execution Form Potentially Suspicious Parent"
},
@@ -23074,8 +23074,8 @@
"T1059.003",
"TA0005",
"T1027.010",
"T1027",
"T1059"
"T1059",
"T1027"
],
"title": "Suspicious Usage of For Loop with Recursive Directory Search in CMD"
},
@@ -23884,8 +23884,8 @@
"T1204.004",
"TA0005",
"T1027.010",
"T1027",
"T1204"
"T1204",
"T1027"
],
"title": "Suspicious Explorer Process with Whitespace Padding - ClickFix/FileFix"
},
@@ -24219,8 +24219,8 @@
"T1558.003",
"TA0008",
"T1550.003",
"T1558",
"T1550"
"T1550",
"T1558"
],
"title": "HackTool - KrbRelayUp Execution"
},
@@ -24380,8 +24380,8 @@
"TA0003",
"T1053.005",
"T1059.001",
"T1059",
"T1053"
"T1053",
"T1059"
],
"title": "Scheduled Task Executing Payload from Registry"
},
@@ -24760,8 +24760,8 @@
"T1133",
"T1136.001",
"T1021.001",
"T1136",
"T1021"
"T1021",
"T1136"
],
"title": "User Added to Remote Desktop Users Group"
},
@@ -25396,8 +25396,8 @@
"T1564.004",
"T1552.001",
"T1105",
"T1564",
"T1552"
"T1552",
"T1564"
],
"title": "Insensitive Subfolder Search Via Findstr.EXE"
},
@@ -28312,8 +28312,8 @@
"TA0003",
"T1036.005",
"T1053.005",
"T1036",
"T1053"
"T1053",
"T1036"
],
"title": "Suspicious Scheduled Task Creation via Masqueraded XML File"
},
@@ -28945,6 +28945,33 @@
],
"title": "Visual Studio Code Tunnel Shell Execution"
},
{
"category": "process_creation",
"channel": [
"sec"
],
"description": "Detects the execution of renamed schtasks.exe binary, which is a legitimate Windows utility used for scheduling tasks.\nOne of the very common persistence techniques is schedule malicious tasks using schtasks.exe.\nSince, it is heavily abused, it is also heavily monitored by security products. To evade detection, threat actors may rename the schtasks.exe binary to schedule their malicious tasks.\n",
"event_ids": [
"4688"
],
"id": "a486f17b-eaee-229e-d26a-e116c45e3988",
"level": "high",
"service": "",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"tags": [
"TA0005",
"TA0002",
"TA0003",
"TA0004",
"T1036.003",
"T1053.005",
"T1036",
"T1053"
],
"title": "Renamed Schtasks Execution"
},
{
"category": "process_creation",
"channel": [
@@ -30378,8 +30405,8 @@
"T1559.001",
"TA0005",
"T1218.010",
"T1559",
"T1218"
"T1218",
"T1559"
],
"title": "Network Connection Initiated By Regsvr32.EXE"
},
@@ -30494,6 +30521,31 @@
],
"title": "Outbound Network Connection Initiated By Microsoft Dialer"
},
{
"category": "network_connection",
"channel": [
"sec"
],
"description": "Detects network connections via finger.exe, which can be abused by threat actors to retrieve remote commands for execution on Windows devices.\nIn one ClickFix malware campaign, adversaries leveraged the finger protocol to fetch commands from a remote server.\nSince the finger utility is not commonly used in modern Windows environments, its presence already raises suspicion.\nInvestigating such network connections can also help identify potential malicious infrastructure used by threat actors\n",
"event_ids": [
"5156"
],
"id": "a3b5d397-bb25-cb4b-faec-891a579c8a0f",
"level": "high",
"service": "",
"subcategory_guids": [
"0CCE9226-69AE-11D9-BED3-505054503030"
],
"tags": [
"TA0011",
"T1071.004",
"TA0002",
"T1059.003",
"T1071",
"T1059"
],
"title": "Network Connection Initiated via Finger.EXE"
},
{
"category": "network_connection",
"channel": [
@@ -31202,8 +31254,8 @@
"T1059.001",
"T1027.010",
"detection.threat-hunting",
"T1027",
"T1059"
"T1059",
"T1027"
],
"title": "Invocation Of Crypto-Classes From The \"Cryptography\" PowerShell Namespace"
},
@@ -31735,9 +31787,9 @@
"T1021.002",
"attack.s0039",
"detection.threat-hunting",
"T1069",
"T1087",
"T1021",
"T1069"
"T1021"
],
"title": "Net.EXE Execution"
},
@@ -32517,8 +32569,8 @@
"T1027.010",
"T1547.001",
"detection.threat-hunting",
"T1059",
"T1547",
"T1059",
"T1027"
],
"title": "Registry Set With Crypto-Classes From The \"Cryptography\" PowerShell Namespace"
@@ -34050,8 +34102,8 @@
"T1204.004",
"TA0005",
"T1027.010",
"T1027",
"T1204"
"T1204",
"T1027"
],
"title": "Suspicious Space Characters in RunMRU Registry Path - ClickFix"
},
@@ -34287,7 +34339,7 @@
"channel": [
"sec"
],
"description": "Detects commonly-used chained commands and strings in the most recent 'url' value of the 'TypedPaths' key, which could be indicative of a user being targeted by the FileFix technique.",
"description": "Detects commonly-used chained commands and strings in the most recent 'url' value of the 'TypedPaths' key, which could be indicative of a user being targeted by the FileFix technique.\n",
"event_ids": [
"4657"
],
@@ -34302,7 +34354,7 @@
"T1204.004",
"T1204"
],
"title": "FileFix - Command Evidence in TypedPaths from Browser File Upload Abuse"
"title": "FileFix - Command Evidence in TypedPaths"
},
{
"category": "registry_set",
@@ -37014,8 +37066,8 @@
"T1021.002",
"T1543.003",
"T1569.002",
"T1543",
"T1021",
"T1543",
"T1569"
],
"title": "Potential CobaltStrike Service Installations - Registry"
@@ -38356,8 +38408,8 @@
"T1566.001",
"cve.2017-8759",
"detection.emerging-threats",
"T1566",
"T1204"
"T1204",
"T1566"
],
"title": "Exploit for CVE-2017-8759"
},
@@ -38412,8 +38464,8 @@
"T1566.001",
"cve.2017-0261",
"detection.emerging-threats",
"T1204",
"T1566"
"T1566",
"T1204"
],
"title": "Exploit for CVE-2017-0261"
},
@@ -38470,9 +38522,9 @@
"T1003.001",
"car.2016-04-002",
"detection.emerging-threats",
"T1218",
"T1070",
"T1003",
"T1218"
"T1003"
],
"title": "NotPetya Ransomware Activity"
},
@@ -38498,8 +38550,8 @@
"T1543.003",
"T1569.002",
"detection.emerging-threats",
"T1569",
"T1543"
"T1543",
"T1569"
],
"title": "CosmicDuke Service Installation"
},
@@ -38829,9 +38881,9 @@
"TA0011",
"T1071.004",
"detection.emerging-threats",
"T1071",
"T1543",
"T1053",
"T1071"
"T1053"
],
"title": "OilRig APT Registry Persistence"
},
@@ -38895,9 +38947,9 @@
"TA0011",
"T1071.004",
"detection.emerging-threats",
"T1053",
"T1543",
"T1071",
"T1053"
"T1071"
],
"title": "OilRig APT Schedule Task Persistence - System"
},
@@ -39537,8 +39589,8 @@
"TA0005",
"T1036.005",
"detection.emerging-threats",
"T1036",
"T1059"
"T1059",
"T1036"
],
"title": "Greenbug Espionage Group Indicators"
},
@@ -40141,8 +40193,8 @@
"attack.s0412",
"attack.g0001",
"detection.emerging-threats",
"T1059",
"T1218"
"T1218",
"T1059"
],
"title": "ZxShell Malware"
},
@@ -41155,8 +41207,8 @@
"T1059.001",
"T1218.005",
"detection.emerging-threats",
"T1218",
"T1059"
"T1059",
"T1218"
],
"title": "Potential Baby Shark Malware Activity"
},
@@ -41521,9 +41573,9 @@
"T1053.005",
"T1059.001",
"detection.emerging-threats",
"T1053",
"T1059",
"T1036",
"T1059"
"T1053"
],
"title": "Operation Wocao Activity"
},
@@ -41894,6 +41946,31 @@
],
"title": "Kalambur Backdoor Curl TOR SOCKS Proxy Execution"
},
{
"category": "process_creation",
"channel": [
"sec"
],
"description": "Detects execution of the Grixba reconnaissance tool based on suspicious command-line parameter combinations.\nThis tool is used by the Play ransomware group for network enumeration, data gathering, and event log clearing.\n",
"event_ids": [
"4688"
],
"id": "1c8620c4-b90c-4882-5c40-7e634a10c529",
"level": "high",
"service": "",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"tags": [
"TA0043",
"T1595.001",
"TA0007",
"T1046",
"detection.emerging-threats",
"T1595"
],
"title": "Grixba Malware Reconnaissance Activity"
},
{
"category": "process_creation",
"channel": [
@@ -45147,8 +45224,8 @@
"T1543.003",
"T1569.002",
"T1543",
"T1021",
"T1569"
"T1569",
"T1021"
],
"title": "CobaltStrike Service Installations - Security"
},
@@ -45727,8 +45804,8 @@
"T1090.002",
"T1021.001",
"car.2013-07-002",
"T1021",
"T1090"
"T1090",
"T1021"
],
"title": "RDP over Reverse SSH Tunnel WFP"
},
@@ -45805,8 +45882,8 @@
"T1003.006",
"T1569.002",
"attack.s0005",
"T1003",
"T1569"
"T1569",
"T1003"
],
"title": "Credential Dumping Tools Service Execution - Security"
},
@@ -46881,8 +46958,8 @@
"T1087.002",
"T1069.002",
"attack.s0039",
"T1069",
"T1087"
"T1087",
"T1069"
],
"title": "Reconnaissance Activity"
},
@@ -47376,8 +47453,8 @@
"T1218.010",
"TA0002",
"TA0005",
"T1204",
"T1218"
"T1218",
"T1204"
],
"title": "Excel Proxy Executing Regsvr32 With Payload"
},
@@ -47427,6 +47504,28 @@
],
"title": "Suspicious Execution of Sc to Delete AV Services"
},
{
"category": "process_creation",
"channel": [
"sec"
],
"description": "Detects potentially suspicious subprocesses such as LOLBINs spawned by web browsers. This activity could be associated with the \"FileFix\" social engineering technique,\nwhere users are tricked into launching the file explorer via a browser-based phishing page and pasting malicious commands into the address bar.\nThe technique abuses clipboard manipulation and disguises command execution as benign file path access, resulting in covert execution of system utilities.\n",
"event_ids": [
"4688"
],
"id": "0b4162ed-2534-2656-6d4a-8d2ad218617b",
"level": "high",
"service": "",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"tags": [
"TA0002",
"T1204.004",
"T1204"
],
"title": "FileFix - Suspicious Child Process from Browser File Upload Abuse"
},
{
"category": "process_creation",
"channel": [
@@ -47789,8 +47888,8 @@
"T1218.010",
"TA0002",
"TA0005",
"T1204",
"T1218"
"T1218",
"T1204"
],
"title": "Excel Proxy Executing Regsvr32 With Payload Alternate"
},
@@ -47949,8 +48048,8 @@
"T1218.010",
"TA0002",
"TA0005",
"T1204",
"T1218"
"T1218",
"T1204"
],
"title": "Office Applications Spawning Wmi Cli Alternate"
},
@@ -48133,8 +48232,8 @@
"T1218.010",
"TA0002",
"TA0005",
"T1218",
"T1204"
"T1204",
"T1218"
],
"title": "New Lolbin Process by Office Applications"
},
@@ -50033,8 +50132,8 @@
"TA0004",
"T1543.003",
"T1569.002",
"T1569",
"T1543"
"T1543",
"T1569"
],
"title": "Sliver C2 Default Service Installation"
},
@@ -50322,8 +50421,8 @@
"TA0002",
"T1543.003",
"T1569.002",
"T1543",
"T1569"
"T1569",
"T1543"
],
"title": "Remote Access Tool Services Have Been Installed - System"
},
@@ -50690,8 +50789,8 @@
"TA0004",
"T1543.003",
"T1569.002",
"T1569",
"T1543"
"T1543",
"T1569"
],
"title": "ProcessHacker Privilege Elevation"
},
@@ -50774,8 +50873,8 @@
"TA0002",
"T1021.002",
"T1569.002",
"T1569",
"T1021"
"T1021",
"T1569"
],
"title": "smbexec.py Service Installation"
},
@@ -53969,10 +54068,10 @@
"T1570",
"T1021.002",
"T1569.002",
"T1021",
"T1569",
"T1543",
"T1136"
"T1136",
"T1021",
"T1569"
],
"title": "PSExec Lateral Movement"
},