CSEC_PUBLIC/WELA
1
0
Fork 0
mirror of https://github.com/Yamato-Security/WELA.git synced 2026-03-23 21:12:36 +01:00
Code Issues Packages Projects Releases Wiki Activity

Sigma Rule Update (2026-03-01 20:19:02) (#268)

Browse Source 
Co-authored-by: YamatoSecurity <YamatoSecurity@users.noreply.github.com>
This commit is contained in:
github-actions[bot]
2026-03-01 20:19:08 +00:00
committed by GitHub
parent eda06b901e
commit 0fe9ec0e59
1 changed files with 231 additions and 156 deletions
Download Patch File Download Diff File Expand all files Collapse all files

387
config/security_rules.json
View File

@@ -360,8 +360,8 @@
"T1570",
"TA0002",
"T1569.002",
"T1021",
"T1569"
"T1569",
"T1021"
],
"title": "Metasploit Or Impacket Service Installation Via SMB PsExec"
},
@@ -1646,8 +1646,8 @@
"T1218.011",
"car.2013-10-002",
"detection.emerging-threats",
"T1218",
"T1059"
"T1059",
"T1218"
],
"title": "Sofacy Trojan Loader Activity"
},
@@ -1726,9 +1726,9 @@
"TA0011",
"T1071.004",
"detection.emerging-threats",
"T1543",
"T1071",
"T1053",
"T1071"
"T1543"
],
"title": "OilRig APT Registry Persistence"
},
@@ -1760,9 +1760,9 @@
"TA0011",
"T1071.004",
"detection.emerging-threats",
"T1053",
"T1543",
"T1071"
"T1071",
"T1053"
],
"title": "OilRig APT Activity"
},
@@ -1792,8 +1792,8 @@
"TA0011",
"T1071.004",
"detection.emerging-threats",
"T1543",
"T1053",
"T1543",
"T1071"
],
"title": "OilRig APT Schedule Task Persistence - System"
@@ -1827,9 +1827,9 @@
"TA0011",
"T1071.004",
"detection.emerging-threats",
"T1053",
"T1543",
"T1071",
"T1053"
"T1071"
],
"title": "OilRig APT Schedule Task Persistence - Security"
},
@@ -2993,8 +2993,8 @@
"T1543.003",
"T1569.002",
"detection.emerging-threats",
"T1569",
"T1543"
"T1543",
"T1569"
],
"title": "CosmicDuke Service Installation"
},
@@ -3103,8 +3103,8 @@
"T1566.001",
"cve.2017-8759",
"detection.emerging-threats",
"T1566",
"T1204"
"T1204",
"T1566"
],
"title": "Exploit for CVE-2017-8759"
},
@@ -3329,8 +3329,8 @@
"T1053.005",
"T1027",
"detection.emerging-threats",
"T1053",
"T1059"
"T1059",
"T1053"
],
"title": "Turla Group Commands May 2020"
},
@@ -3960,8 +3960,8 @@
"T1059.001",
"T1218.005",
"detection.emerging-threats",
"T1059",
"T1218"
"T1218",
"T1059"
],
"title": "Potential Baby Shark Malware Activity"
},
@@ -4259,9 +4259,9 @@
"T1053.005",
"T1059.001",
"detection.emerging-threats",
"T1053",
"T1036",
"T1059",
"T1036"
"T1053"
],
"title": "Operation Wocao Activity - Security"
},
@@ -4292,9 +4292,9 @@
"T1053.005",
"T1059.001",
"detection.emerging-threats",
"T1059",
"T1036",
"T1053",
"T1059"
"T1053"
],
"title": "Operation Wocao Activity"
},
@@ -6856,8 +6856,8 @@
"TA0002",
"T1204.002",
"T1553.005",
"T1204",
"T1553"
"T1553",
"T1204"
],
"title": "Windows AppX Deployment Full Trust Package Installation"
},
@@ -7443,8 +7443,8 @@
"T1218.010",
"TA0002",
"TA0005",
"T1218",
"T1204"
"T1204",
"T1218"
],
"title": "New Lolbin Process by Office Applications"
},
@@ -8023,8 +8023,8 @@
"T1564.004",
"T1552.001",
"T1105",
"T1552",
"T1564"
"T1564",
"T1552"
],
"title": "Abusing Findstr for Defense Evasion"
},
@@ -8153,6 +8153,25 @@
],
"title": "Netcat The Powershell Version - PowerShell Module"
},
{
"category": "ps_script",
"channel": [
"pwsh",
"pwsh"
],
"description": "Detects usage of the powerShell Set-Mailbox Cmdlet to set-up an SMTP forwarding rule.",
"event_ids": [
"4104"
],
"id": "516b2199-36c5-1a0d-13f4-87bcb22bc2bf",
"level": "medium",
"service": "",
"subcategory_guids": [],
"tags": [
"TA0010"
],
"title": "Suspicious PowerShell Mailbox SMTP Forward Rule"
},
{
"category": "process_creation",
"channel": [
@@ -8714,8 +8733,8 @@
"T1218.010",
"TA0002",
"TA0005",
"T1204",
"T1218"
"T1218",
"T1204"
],
"title": "Excel Proxy Executing Regsvr32 With Payload"
},
@@ -10263,8 +10282,8 @@
"TA0004",
"T1543.003",
"T1569.002",
"T1569",
"T1543"
"T1543",
"T1569"
],
"title": "ProcessHacker Privilege Elevation"
},
@@ -10517,8 +10536,8 @@
"TA0002",
"T1543.003",
"T1569.002",
"T1543",
"T1569"
"T1569",
"T1543"
],
"title": "Remote Access Tool Services Have Been Installed - System"
},
@@ -10667,9 +10686,9 @@
"T1021.002",
"T1543.003",
"T1569.002",
"T1021",
"T1543",
"T1569",
"T1543"
"T1021"
],
"title": "CobaltStrike Service Installations - System"
},
@@ -11004,8 +11023,8 @@
"TA0002",
"T1021.002",
"T1569.002",
"T1569",
"T1021"
"T1021",
"T1569"
],
"title": "smbexec.py Service Installation"
},
@@ -11910,8 +11929,8 @@
"T1021.002",
"T1543.003",
"T1569.002",
"T1543",
"T1021",
"T1543",
"T1569"
],
"title": "CobaltStrike Service Installations - Security"
@@ -14447,8 +14466,8 @@
"T1087.002",
"T1069.002",
"attack.s0039",
"T1069",
"T1087"
"T1087",
"T1069"
],
"title": "Reconnaissance Activity"
},
@@ -14973,8 +14992,8 @@
"T1059.005",
"T1059.006",
"T1059.007",
"T1059",
"T1204"
"T1204",
"T1059"
],
"title": "AppLocker Prevented Application or Script from Running"
},
@@ -16022,8 +16041,8 @@
"T1059.001",
"TA0008",
"T1021.003",
"T1059",
"T1021"
"T1021",
"T1059"
],
"title": "Suspicious Non PowerShell WSMAN COM Provider"
},
@@ -16180,8 +16199,8 @@
"TA0005",
"T1059.001",
"T1036.003",
"T1059",
"T1036"
"T1036",
"T1059"
],
"title": "Renamed Powershell Under Powershell Channel"
},
@@ -18077,25 +18096,6 @@
],
"title": "Disable Powershell Command History"
},
{
"category": "ps_script",
"channel": [
"pwsh",
"pwsh"
],
"description": "Detects usage of the powerShell Set-Mailbox Cmdlet to set-up an SMTP forwarding rule.",
"event_ids": [
"4104"
],
"id": "516b2199-36c5-1a0d-13f4-87bcb22bc2bf",
"level": "medium",
"service": "",
"subcategory_guids": [],
"tags": [
"TA0010"
],
"title": "Suspicious PowerShell Mailbox SMTP Forward Rule"
},
{
"category": "ps_script",
"channel": [
@@ -18936,8 +18936,8 @@
"T1558.003",
"TA0008",
"T1550.003",
"T1550",
"T1558"
"T1558",
"T1550"
],
"title": "HackTool - Rubeus Execution - ScriptBlock"
},
@@ -19107,8 +19107,8 @@
"T1059.001",
"TA0003",
"T1136.001",
"T1059",
"T1136"
"T1136",
"T1059"
],
"title": "PowerShell Create Local User"
},
@@ -20679,8 +20679,8 @@
"T1070.001",
"T1562.002",
"car.2016-04-002",
"T1562",
"T1070"
"T1070",
"T1562"
],
"title": "Suspicious Eventlog Clearing or Configuration Change Activity"
},
@@ -21152,8 +21152,8 @@
"TA0005",
"T1218.005",
"T1027.004",
"T1218",
"T1027",
"T1218",
"T1059"
],
"title": "Csc.EXE Execution Form Potentially Suspicious Parent"
@@ -22467,9 +22467,9 @@
"TA0011",
"T1071.004",
"T1132.001",
"T1132",
"T1048",
"T1071",
"T1132"
"T1071"
],
"title": "DNS Exfiltration and Tunneling Tools Execution"
},
@@ -22700,12 +22700,12 @@
"T1547.002",
"T1557",
"T1082",
"T1505",
"T1564",
"T1547",
"T1564",
"T1505",
"T1546",
"T1574",
"T1556"
"T1556",
"T1574"
],
"title": "Potential Suspicious Activity Using SeCEdit"
},
@@ -22819,8 +22819,8 @@
"T1087.002",
"T1482",
"T1069.002",
"T1087",
"T1069"
"T1069",
"T1087"
],
"title": "Renamed AdFind Execution"
},
@@ -23782,8 +23782,8 @@
"T1204.004",
"TA0005",
"T1027.010",
"T1027",
"T1204"
"T1204",
"T1027"
],
"title": "Suspicious Explorer Process with Whitespace Padding - ClickFix/FileFix"
},
@@ -25294,8 +25294,8 @@
"T1615",
"T1569.002",
"T1574.005",
"T1574",
"T1569"
"T1569",
"T1574"
],
"title": "HackTool - SharpUp PrivEsc Tool Execution"
},
@@ -26661,8 +26661,8 @@
"T1563.002",
"T1021.001",
"car.2013-07-002",
"T1563",
"T1021"
"T1021",
"T1563"
],
"title": "Suspicious RDP Redirect Using TSCON"
},
@@ -28324,8 +28324,8 @@
"T1548.002",
"T1546.001",
"T1112",
"T1546",
"T1548"
"T1548",
"T1546"
],
"title": "Registry Modification of MS-settings Protocol Handler"
},
@@ -29039,8 +29039,8 @@
"TA0008",
"T1059.001",
"T1021.006",
"T1021",
"T1059"
"T1059",
"T1021"
],
"title": "Remote PowerShell Session Host Process (WinRM)"
},
@@ -30026,8 +30026,8 @@
"T1087.002",
"T1069.002",
"T1482",
"T1087",
"T1069"
"T1069",
"T1087"
],
"title": "Suspicious Active Directory Database Snapshot Via ADExplorer"
},
@@ -30331,8 +30331,8 @@
"T1059.003",
"TA0005",
"T1027.010",
"T1027",
"T1059"
"T1059",
"T1027"
],
"title": "Suspicious Usage of For Loop with Recursive Directory Search in CMD"
},
@@ -32110,8 +32110,8 @@
"T1047",
"T1204.002",
"T1218.010",
"T1204",
"T1218"
"T1218",
"T1204"
],
"title": "Suspicious Microsoft Office Child Process"
},
@@ -32135,8 +32135,8 @@
"T1587.001",
"TA0002",
"T1569.002",
"T1569",
"T1587"
"T1587",
"T1569"
],
"title": "PUA - CsExec Execution"
},
@@ -32801,6 +32801,28 @@
],
"title": "Arbitrary File Download Via MSEDGE_PROXY.EXE"
},
{
"category": "process_creation",
"channel": [
"sec"
],
"description": "Detects the usage of Reg.Exe to query system language settings.\nAttackers may discover the system language to determine the geographic location of victims, customize payloads for specific regions,\nor avoid targeting certain locales to evade detection.\n",
"event_ids": [
"4688"
],
"id": "3cc0755e-7a33-d5c1-d1cc-53a49707ca49",
"level": "medium",
"service": "",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"tags": [
"TA0007",
"T1614.001",
"T1614"
],
"title": "System Language Discovery via Reg.Exe"
},
{
"category": "process_creation",
"channel": [
@@ -35101,9 +35123,9 @@
"T1069.002",
"TA0002",
"T1059.001",
"T1059",
"T1087",
"T1069"
"T1069",
"T1059"
],
"title": "HackTool - Bloodhound/Sharphound Execution"
},
@@ -36207,8 +36229,8 @@
"TA0005",
"T1059.001",
"T1564.003",
"T1564",
"T1059"
"T1059",
"T1564"
],
"title": "HackTool - Covenant PowerShell Launcher"
},
@@ -36360,8 +36382,8 @@
"TA0005",
"T1548.002",
"T1218.003",
"T1548",
"T1218"
"T1218",
"T1548"
],
"title": "Bypass UAC via CMSTP"
},
@@ -36408,8 +36430,8 @@
"T1570",
"TA0002",
"T1569.002",
"T1021",
"T1569"
"T1569",
"T1021"
],
"title": "Rundll32 Execution Without Parameters"
},
@@ -36924,8 +36946,8 @@
"TA0002",
"T1059.001",
"T1562.001",
"T1059",
"T1562"
"T1562",
"T1059"
],
"title": "Obfuscated PowerShell OneLiner Execution"
},
@@ -37195,8 +37217,8 @@
"TA0004",
"T1543.003",
"T1562.001",
"T1543",
"T1562"
"T1562",
"T1543"
],
"title": "Devcon Execution Disabling VMware VMCI Device"
},
@@ -37358,8 +37380,8 @@
"TA0005",
"T1036.004",
"T1036.005",
"T1053",
"T1036"
"T1036",
"T1053"
],
"title": "Scheduled Task Creation Masquerading as System Processes"
},
@@ -38137,8 +38159,8 @@
"car.2013-08-001",
"T1053.005",
"T1059.001",
"T1059",
"T1053"
"T1053",
"T1059"
],
"title": "HackTool - Default PowerSploit/Empire Scheduled Task Creation"
},
@@ -38856,8 +38878,8 @@
"TA0005",
"T1562.001",
"T1070.001",
"T1562",
"T1070"
"T1070",
"T1562"
],
"title": "Suspicious Windows Trace ETW Session Tamper Via Logman.EXE"
},
@@ -39170,8 +39192,8 @@
"TA0004",
"T1036.003",
"T1053.005",
"T1036",
"T1053"
"T1053",
"T1036"
],
"title": "Renamed Schtasks Execution"
},
@@ -39766,8 +39788,8 @@
"T1106",
"T1059.003",
"T1218.011",
"T1059",
"T1218"
"T1218",
"T1059"
],
"title": "HackTool - RedMimicry Winnti Playbook Execution"
},
@@ -39905,8 +39927,8 @@
"T1218.014",
"T1036.002",
"T1218",
"T1036",
"T1204"
"T1204",
"T1036"
],
"title": "MMC Executing Files with Reversed Extensions Using RTLO Abuse"
},
@@ -41356,8 +41378,8 @@
"T1218.011",
"TA0006",
"T1003.001",
"T1218",
"T1003"
"T1003",
"T1218"
],
"title": "Process Access via TrolleyExpress Exclusion"
},
@@ -42317,8 +42339,8 @@
"T1558.003",
"TA0008",
"T1550.003",
"T1558",
"T1550"
"T1550",
"T1558"
],
"title": "HackTool - Rubeus Execution"
},
@@ -42451,8 +42473,8 @@
"T1218.007",
"TA0002",
"T1059.001",
"T1059",
"T1027",
"T1059",
"T1218"
],
"title": "Obfuscated PowerShell MSI Install via WindowsInstaller COM"
@@ -42866,8 +42888,8 @@
"T1203",
"T1059.003",
"attack.g0032",
"T1566",
"T1059"
"T1059",
"T1566"
],
"title": "Suspicious HWP Sub Processes"
},
@@ -43655,8 +43677,8 @@
"T1558.003",
"TA0008",
"T1550.003",
"T1550",
"T1558"
"T1558",
"T1550"
],
"title": "HackTool - KrbRelayUp Execution"
},
@@ -43767,8 +43789,8 @@
"TA0003",
"T1053.005",
"T1059.001",
"T1053",
"T1059"
"T1059",
"T1053"
],
"title": "Scheduled Task Executing Encoded Payload from Registry"
},
@@ -43877,8 +43899,8 @@
"T1059.001",
"T1059.003",
"T1564.003",
"T1059",
"T1564"
"T1564",
"T1059"
],
"title": "Powershell Executed From Headless ConHost Process"
},
@@ -44925,8 +44947,8 @@
"TA0003",
"T1053.005",
"T1059.001",
"T1053",
"T1059"
"T1059",
"T1053"
],
"title": "Suspicious Schtasks Execution AppData Folder"
},
@@ -45044,8 +45066,8 @@
"TA0004",
"T1548.002",
"T1546.001",
"T1548",
"T1546"
"T1546",
"T1548"
],
"title": "Shell Open Registry Keys Manipulation"
},
@@ -46020,8 +46042,8 @@
"TA0003",
"T1547.001",
"T1546.009",
"T1546",
"T1547"
"T1547",
"T1546"
],
"title": "Session Manager Autorun Keys Modification"
},
@@ -47409,9 +47431,9 @@
"T1021.002",
"T1543.003",
"T1569.002",
"T1021",
"T1543",
"T1569",
"T1021"
"T1569"
],
"title": "Potential CobaltStrike Service Installations - Registry"
},
@@ -48787,8 +48809,8 @@
"T1204.004",
"TA0005",
"T1027.010",
"T1204",
"T1027"
"T1027",
"T1204"
],
"title": "Suspicious Space Characters in RunMRU Registry Path - ClickFix"
},
@@ -49296,8 +49318,8 @@
"T1204.004",
"TA0005",
"T1027.010",
"T1027",
"T1204"
"T1204",
"T1027"
],
"title": "Suspicious Space Characters in TypedPaths Registry Path - FileFix"
},
@@ -50614,6 +50636,32 @@
],
"title": "Potential Data Exfiltration Over SMTP Via Send-MailMessage Cmdlet"
},
{
"category": "ps_script",
"channel": [
"pwsh",
"pwsh"
],
"description": "Detects inbox rule creation or update via ExchangePowerShell cmdlet, a technique commonly observed in Business Email Compromise (BEC) attacks to hide emails.\nThe usage of inbox rules can be a sign of a compromised mailbox, where an attacker is attempting to evade detections by suppressing or redirecting incoming emails.\nAnalysts should review these rules in context, validate whether they reflect normal user behavior, and correlate with other indicators such as unusual login activity or recent mailbox rule modifications.\n",
"event_ids": [
"4104"
],
"id": "e95a1630-e48b-41c3-b2ca-2bd6f33e1bce",
"level": "medium",
"service": "",
"subcategory_guids": [],
"tags": [
"TA0005",
"T1564.008",
"TA0010",
"TA0009",
"T1114.003",
"detection.threat-hunting",
"T1564",
"T1114"
],
"title": "Inbox Rules Creation Or Update Activity Via ExchangePowerShell Cmdlet"
},
{
"category": "ps_script",
"channel": [
@@ -50726,6 +50774,33 @@
],
"title": "Powershell Token Obfuscation - Powershell"
},
{
"category": "ps_script",
"channel": [
"pwsh",
"pwsh"
],
"description": "Detects email forwarding or redirecting activity via ExchangePowerShell Cmdlet",
"event_ids": [
"4104"
],
"id": "cdb585a5-4a75-4c21-26d3-0bab43ffbde1",
"level": "medium",
"service": "",
"subcategory_guids": [],
"tags": [
"TA0009",
"T1114.003",
"TA0005",
"T1564.008",
"TA0010",
"T1020",
"detection.threat-hunting",
"T1564",
"T1114"
],
"title": "Mail Forwarding/Redirecting Activity Via ExchangePowerShell Cmdlet"
},
{
"category": "ps_script",
"channel": [
@@ -51343,8 +51418,8 @@
"attack.s0039",
"detection.threat-hunting",
"T1069",
"T1021",
"T1087"
"T1087",
"T1021"
],
"title": "Net.EXE Execution"
},
@@ -52130,8 +52205,8 @@
"T1547.001",
"detection.threat-hunting",
"T1059",
"T1547",
"T1027"
"T1027",
"T1547"
],
"title": "Registry Set With Crypto-Classes From The \"Cryptography\" PowerShell Namespace"
},
@@ -53136,8 +53211,8 @@
"TA0008",
"T1563.002",
"T1021.001",
"T1021",
"T1563"
"T1563",
"T1021"
],
"title": "Possible RDP Hijacking"
},
@@ -54831,9 +54906,9 @@
"T1570",
"T1021.002",
"T1569.002",
"T1021",
"T1136",
"T1543",
"T1021",
"T1569"
],
"title": "PSExec Lateral Movement"