From 2e77a6ece4eeefd4d031378f8b0469b447659d12 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Sat, 25 Oct 2025 20:14:02 +0000 Subject: [PATCH] Sigma Rule Update (2025-10-25 20:13:56) (#128) Co-authored-by: YamatoSecurity --- config/security_rules.json | 247 ++++++++++++++++++++----------------- 1 file changed, 135 insertions(+), 112 deletions(-) diff --git a/config/security_rules.json b/config/security_rules.json index 9414f5d1..27fdb552 100644 --- a/config/security_rules.json +++ b/config/security_rules.json @@ -287,8 +287,8 @@ "TA0005", "T1059.001", "T1036.003", - "T1036", - "T1059" + "T1059", + "T1036" ], "title": "Renamed Powershell Under Powershell Channel" }, @@ -344,8 +344,8 @@ "T1059.001", "TA0008", "T1021.003", - "T1021", - "T1059" + "T1059", + "T1021" ], "title": "Suspicious Non PowerShell WSMAN COM Provider" }, @@ -424,8 +424,8 @@ "T1059.001", "TA0008", "T1021.006", - "T1059", - "T1021" + "T1021", + "T1059" ], "title": "Remote PowerShell Session (PS Classic)" }, @@ -1902,8 +1902,8 @@ "T1059.001", "TA0003", "T1136.001", - "T1059", - "T1136" + "T1136", + "T1059" ], "title": "PowerShell Create Local User" }, @@ -2194,8 +2194,8 @@ "T1558.003", "TA0008", "T1550.003", - "T1550", - "T1558" + "T1558", + "T1550" ], "title": "HackTool - Rubeus Execution - ScriptBlock" }, @@ -2637,8 +2637,8 @@ "T1564.004", "TA0002", "T1059.001", - "T1059", - "T1564" + "T1564", + "T1059" ], "title": "NTFS Alternate Data Stream" }, @@ -4371,8 +4371,8 @@ "T1059.001", "TA0008", "T1021.006", - "T1059", - "T1021" + "T1021", + "T1059" ], "title": "Remote PowerShell Session (PS Module)" }, @@ -5012,8 +5012,8 @@ "T1615", "T1569.002", "T1574.005", - "T1574", - "T1569" + "T1569", + "T1574" ], "title": "HackTool - SharpUp PrivEsc Tool Execution" }, @@ -5553,8 +5553,8 @@ "TA0002", "T1059.001", "T1059", - "T1218", - "T1027" + "T1027", + "T1218" ], "title": "Obfuscated PowerShell MSI Install via WindowsInstaller COM" }, @@ -7343,8 +7343,8 @@ "T1482", "T1069.002", "stp.1u", - "T1087", - "T1069" + "T1069", + "T1087" ], "title": "PUA - AdFind Suspicious Execution" }, @@ -7877,8 +7877,8 @@ "TA0005", "T1036.004", "T1036.005", - "T1036", - "T1053" + "T1053", + "T1036" ], "title": "Scheduled Task Creation Masquerading as System Processes" }, @@ -8579,8 +8579,8 @@ "TA0003", "T1053.005", "T1059.001", - "T1053", - "T1059" + "T1059", + "T1053" ], "title": "Suspicious Schtasks Execution AppData Folder" }, @@ -10798,8 +10798,8 @@ "TA0005", "T1548.002", "T1218.003", - "T1548", - "T1218" + "T1218", + "T1548" ], "title": "Bypass UAC via CMSTP" }, @@ -11017,8 +11017,8 @@ "T1218.010", "TA0002", "TA0005", - "T1218", - "T1204" + "T1204", + "T1218" ], "title": "Suspicious WMIC Execution Via Office Process" }, @@ -11210,8 +11210,8 @@ "TA0011", "T1071.004", "T1132.001", - "T1071", "T1048", + "T1071", "T1132" ], "title": "DNS Exfiltration and Tunneling Tools Execution" @@ -11553,8 +11553,8 @@ "car.2013-08-001", "T1053.005", "T1059.001", - "T1059", - "T1053" + "T1053", + "T1059" ], "title": "HackTool - Default PowerSploit/Empire Scheduled Task Creation" }, @@ -12222,8 +12222,8 @@ "TA0005", "T1059.001", "T1564.003", - "T1059", - "T1564" + "T1564", + "T1059" ], "title": "HackTool - Covenant PowerShell Launcher" }, @@ -14496,6 +14496,29 @@ ], "title": "PUA - Suspicious ActiveDirectory Enumeration Via AdFind.EXE" }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the execution of the Restic backup tool, which can be used for data exfiltration.\nThreat actors may leverage Restic to back up and exfiltrate sensitive data to remote storage locations, including cloud services.\nIf not legitimately used in the enterprise environment, its presence may indicate malicious activity.\n", + "event_ids": [ + "4688" + ], + "id": "7ec4822c-18de-077f-88aa-03d1ccba40b1", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0010", + "T1048", + "T1567.002", + "T1567" + ], + "title": "PUA - Restic Backup Tool Execution" + }, { "category": "process_creation", "channel": [ @@ -16277,8 +16300,8 @@ "T1059.001", "TA0005", "T1027.005", - "T1059", - "T1027" + "T1027", + "T1059" ], "title": "HackTool - CrackMapExec PowerShell Obfuscation" }, @@ -16744,8 +16767,8 @@ "TA0004", "T1055.001", "T1218.013", - "T1055", - "T1218" + "T1218", + "T1055" ], "title": "Mavinject Inject DLL Into Running Process" }, @@ -18029,8 +18052,8 @@ "T1218.011", "TA0006", "T1003.001", - "T1003", - "T1218" + "T1218", + "T1003" ], "title": "Process Access via TrolleyExpress Exclusion" }, @@ -18723,8 +18746,8 @@ "TA0005", "T1562.001", "T1070.001", - "T1070", - "T1562" + "T1562", + "T1070" ], "title": "Suspicious Windows Trace ETW Session Tamper Via Logman.EXE" }, @@ -19834,8 +19857,8 @@ "TA0008", "T1021.002", "T1218.011", - "T1021", - "T1218" + "T1218", + "T1021" ], "title": "Rundll32 UNC Path Execution" }, @@ -20859,9 +20882,9 @@ "TA0005", "T1218.014", "T1036.002", - "T1036", + "T1218", "T1204", - "T1218" + "T1036" ], "title": "MMC Executing Files with Reversed Extensions Using RTLO Abuse" }, @@ -21395,11 +21418,11 @@ "T1557", "T1082", "T1556", - "T1574", "T1505", + "T1547", + "T1574", "T1564", - "T1546", - "T1547" + "T1546" ], "title": "Potential Suspicious Activity Using SeCEdit" }, @@ -22525,8 +22548,8 @@ "TA0005", "T1218.005", "T1027.004", - "T1059", "T1027", + "T1059", "T1218" ], "title": "Csc.EXE Execution Form Potentially Suspicious Parent" @@ -23974,8 +23997,8 @@ "T1558.003", "TA0008", "T1550.003", - "T1558", - "T1550" + "T1550", + "T1558" ], "title": "HackTool - KrbRelayUp Execution" }, @@ -24156,8 +24179,8 @@ "TA0003", "T1053.005", "T1059.001", - "T1059", - "T1053" + "T1053", + "T1059" ], "title": "Scheduled Task Executing Payload from Registry" }, @@ -24512,8 +24535,8 @@ "T1133", "T1136.001", "T1021.001", - "T1021", - "T1136" + "T1136", + "T1021" ], "title": "User Added to Remote Desktop Users Group" }, @@ -26099,8 +26122,8 @@ "T1069.002", "TA0002", "T1059.001", - "T1087", "T1069", + "T1087", "T1059" ], "title": "HackTool - Bloodhound/Sharphound Execution" @@ -28021,8 +28044,8 @@ "TA0003", "T1036.005", "T1053.005", - "T1053", - "T1036" + "T1036", + "T1053" ], "title": "Suspicious Scheduled Task Creation via Masqueraded XML File" }, @@ -30864,8 +30887,8 @@ "T1059.001", "T1027.010", "detection.threat-hunting", - "T1027", - "T1059" + "T1059", + "T1027" ], "title": "Invocation Of Crypto-Classes From The \"Cryptography\" PowerShell Namespace" }, @@ -31397,9 +31420,9 @@ "T1021.002", "attack.s0039", "detection.threat-hunting", - "T1069", "T1087", - "T1021" + "T1021", + "T1069" ], "title": "Net.EXE Execution" }, @@ -32156,9 +32179,9 @@ "T1027.010", "T1547.001", "detection.threat-hunting", - "T1547", "T1027", - "T1059" + "T1059", + "T1547" ], "title": "Registry Set With Crypto-Classes From The \"Cryptography\" PowerShell Namespace" }, @@ -38098,9 +38121,9 @@ "T1003.001", "car.2016-04-002", "detection.emerging-threats", - "T1003", + "T1070", "T1218", - "T1070" + "T1003" ], "title": "NotPetya Ransomware Activity" }, @@ -38435,8 +38458,8 @@ "TA0011", "T1071.004", "detection.emerging-threats", - "T1053", "T1543", + "T1053", "T1071" ], "title": "OilRig APT Registry Persistence" @@ -38469,8 +38492,8 @@ "TA0011", "T1071.004", "detection.emerging-threats", - "T1053", "T1543", + "T1053", "T1071" ], "title": "OilRig APT Activity" @@ -38501,9 +38524,9 @@ "TA0011", "T1071.004", "detection.emerging-threats", - "T1053", + "T1543", "T1071", - "T1543" + "T1053" ], "title": "OilRig APT Schedule Task Persistence - System" }, @@ -38629,8 +38652,8 @@ "T1218.011", "car.2013-10-002", "detection.emerging-threats", - "T1218", - "T1059" + "T1059", + "T1218" ], "title": "Sofacy Trojan Loader Activity" }, @@ -39118,8 +39141,8 @@ "TA0005", "T1036.005", "detection.emerging-threats", - "T1059", - "T1036" + "T1036", + "T1059" ], "title": "Greenbug Espionage Group Indicators" }, @@ -39477,8 +39500,8 @@ "T1053.005", "T1059.006", "detection.emerging-threats", - "T1053", - "T1059" + "T1059", + "T1053" ], "title": "Serpent Backdoor Payload Execution Via Scheduled Task" }, @@ -39624,8 +39647,8 @@ "T1053.005", "T1027", "detection.emerging-threats", - "T1059", - "T1053" + "T1053", + "T1059" ], "title": "Turla Group Commands May 2020" }, @@ -40881,8 +40904,8 @@ "T1552.001", "T1003.003", "detection.emerging-threats", - "T1552", - "T1003" + "T1003", + "T1552" ], "title": "Potential Russian APT Credential Theft Activity" }, @@ -40941,9 +40964,9 @@ "T1053.005", "T1059.001", "detection.emerging-threats", - "T1053", + "T1059", "T1036", - "T1059" + "T1053" ], "title": "Operation Wocao Activity" }, @@ -40974,9 +40997,9 @@ "T1053.005", "T1059.001", "detection.emerging-threats", - "T1036", "T1053", - "T1059" + "T1059", + "T1036" ], "title": "Operation Wocao Activity - Security" }, @@ -41261,8 +41284,8 @@ "T1059.001", "attack.s0183", "detection.emerging-threats", - "T1059", - "T1071" + "T1071", + "T1059" ], "title": "Kalambur Backdoor Curl TOR SOCKS Proxy Execution" }, @@ -44494,9 +44517,9 @@ "T1021.002", "T1543.003", "T1569.002", - "T1543", "T1569", - "T1021" + "T1021", + "T1543" ], "title": "CobaltStrike Service Installations - Security" }, @@ -45000,8 +45023,8 @@ "T1570", "TA0002", "T1569.002", - "T1569", - "T1021" + "T1021", + "T1569" ], "title": "Metasploit Or Impacket Service Installation Via SMB PsExec" }, @@ -45130,8 +45153,8 @@ "T1003.006", "T1569.002", "attack.s0005", - "T1003", - "T1569" + "T1569", + "T1003" ], "title": "Credential Dumping Tools Service Execution - Security" }, @@ -46179,9 +46202,9 @@ "T1485", "T1553.002", "attack.s0195", - "T1027", "T1553", - "T1070" + "T1070", + "T1027" ], "title": "Potential Secure Deletion with SDelete" }, @@ -46675,8 +46698,8 @@ "T1564.004", "T1552.001", "T1105", - "T1552", - "T1564" + "T1564", + "T1552" ], "title": "Abusing Findstr for Defense Evasion" }, @@ -47701,8 +47724,8 @@ "T1218.010", "TA0002", "TA0005", - "T1218", - "T1204" + "T1204", + "T1218" ], "title": "WMI Execution Via Office Process" }, @@ -49402,8 +49425,8 @@ "TA0004", "T1543.003", "T1569.002", - "T1543", - "T1569" + "T1569", + "T1543" ], "title": "Sliver C2 Default Service Installation" }, @@ -49972,9 +49995,9 @@ "T1021.002", "T1543.003", "T1569.002", - "T1569", "T1021", - "T1543" + "T1543", + "T1569" ], "title": "CobaltStrike Service Installations - System" }, @@ -50143,8 +50166,8 @@ "TA0002", "T1021.002", "T1569.002", - "T1569", - "T1021" + "T1021", + "T1569" ], "title": "smbexec.py Service Installation" }, @@ -51006,8 +51029,8 @@ "car.2013-09-005", "T1543.003", "T1569.002", - "T1543", - "T1569" + "T1569", + "T1543" ], "title": "Malicious Service Installations" }, @@ -51118,8 +51141,8 @@ "T1570", "TA0002", "T1569.002", - "T1569", - "T1021" + "T1021", + "T1569" ], "title": "Metasploit Or Impacket Service Installation Via SMB PsExec" }, @@ -51837,8 +51860,8 @@ "TA0008", "T1563.002", "T1021.001", - "T1021", - "T1563" + "T1563", + "T1021" ], "title": "Possible RDP Hijacking" }, @@ -53397,8 +53420,8 @@ "T1569.002", "T1136", "T1543", - "T1569", - "T1021" + "T1021", + "T1569" ], "title": "PSExec Lateral Movement" },