CSEC_PUBLIC/WELA
1
0
Fork 0
mirror of https://github.com/Yamato-Security/WELA.git synced 2025-12-07 09:42:48 +01:00
Code Issues Packages Projects Releases Wiki Activity

Sigma Rule Update (2025-10-25 20:13:56) (#128)

Browse Source 
Co-authored-by: YamatoSecurity <YamatoSecurity@users.noreply.github.com>
This commit is contained in:
github-actions[bot]
2025-10-25 20:14:02 +00:00
committed by GitHub
parent 513f5c5892
commit 2e77a6ece4
1 changed files with 135 additions and 112 deletions
Download Patch File Download Diff File Expand all files Collapse all files

247
config/security_rules.json
View File

@@ -287,8 +287,8 @@
"TA0005", "TA0005",
"T1059.001", "T1059.001",
"T1036.003", "T1036.003",
"T1036", "T1059",
"T1059" "T1036"
], ],
"title": "Renamed Powershell Under Powershell Channel" "title": "Renamed Powershell Under Powershell Channel"
}, },
@@ -344,8 +344,8 @@
"T1059.001", "T1059.001",
"TA0008", "TA0008",
"T1021.003", "T1021.003",
"T1021", "T1059",
"T1059" "T1021"
], ],
"title": "Suspicious Non PowerShell WSMAN COM Provider" "title": "Suspicious Non PowerShell WSMAN COM Provider"
}, },
@@ -424,8 +424,8 @@
"T1059.001", "T1059.001",
"TA0008", "TA0008",
"T1021.006", "T1021.006",
"T1059", "T1021",
"T1021" "T1059"
], ],
"title": "Remote PowerShell Session (PS Classic)" "title": "Remote PowerShell Session (PS Classic)"
}, },
@@ -1902,8 +1902,8 @@
"T1059.001", "T1059.001",
"TA0003", "TA0003",
"T1136.001", "T1136.001",
"T1059", "T1136",
"T1136" "T1059"
], ],
"title": "PowerShell Create Local User" "title": "PowerShell Create Local User"
}, },
@@ -2194,8 +2194,8 @@
"T1558.003", "T1558.003",
"TA0008", "TA0008",
"T1550.003", "T1550.003",
"T1550", "T1558",
"T1558" "T1550"
], ],
"title": "HackTool - Rubeus Execution - ScriptBlock" "title": "HackTool - Rubeus Execution - ScriptBlock"
}, },
@@ -2637,8 +2637,8 @@
"T1564.004", "T1564.004",
"TA0002", "TA0002",
"T1059.001", "T1059.001",
"T1059", "T1564",
"T1564" "T1059"
], ],
"title": "NTFS Alternate Data Stream" "title": "NTFS Alternate Data Stream"
}, },
@@ -4371,8 +4371,8 @@
"T1059.001", "T1059.001",
"TA0008", "TA0008",
"T1021.006", "T1021.006",
"T1059", "T1021",
"T1021" "T1059"
], ],
"title": "Remote PowerShell Session (PS Module)" "title": "Remote PowerShell Session (PS Module)"
}, },
@@ -5012,8 +5012,8 @@
"T1615", "T1615",
"T1569.002", "T1569.002",
"T1574.005", "T1574.005",
"T1574", "T1569",
"T1569" "T1574"
], ],
"title": "HackTool - SharpUp PrivEsc Tool Execution" "title": "HackTool - SharpUp PrivEsc Tool Execution"
}, },
@@ -5553,8 +5553,8 @@
"TA0002", "TA0002",
"T1059.001", "T1059.001",
"T1059", "T1059",
"T1218", "T1027",
"T1027" "T1218"
], ],
"title": "Obfuscated PowerShell MSI Install via WindowsInstaller COM" "title": "Obfuscated PowerShell MSI Install via WindowsInstaller COM"
}, },
@@ -7343,8 +7343,8 @@
"T1482", "T1482",
"T1069.002", "T1069.002",
"stp.1u", "stp.1u",
"T1087", "T1069",
"T1069" "T1087"
], ],
"title": "PUA - AdFind Suspicious Execution" "title": "PUA - AdFind Suspicious Execution"
}, },
@@ -7877,8 +7877,8 @@
"TA0005", "TA0005",
"T1036.004", "T1036.004",
"T1036.005", "T1036.005",
"T1036", "T1053",
"T1053" "T1036"
], ],
"title": "Scheduled Task Creation Masquerading as System Processes" "title": "Scheduled Task Creation Masquerading as System Processes"
}, },
@@ -8579,8 +8579,8 @@
"TA0003", "TA0003",
"T1053.005", "T1053.005",
"T1059.001", "T1059.001",
"T1053", "T1059",
"T1059" "T1053"
], ],
"title": "Suspicious Schtasks Execution AppData Folder" "title": "Suspicious Schtasks Execution AppData Folder"
}, },
@@ -10798,8 +10798,8 @@
"TA0005", "TA0005",
"T1548.002", "T1548.002",
"T1218.003", "T1218.003",
"T1548", "T1218",
"T1218" "T1548"
], ],
"title": "Bypass UAC via CMSTP" "title": "Bypass UAC via CMSTP"
}, },
@@ -11017,8 +11017,8 @@
"T1218.010", "T1218.010",
"TA0002", "TA0002",
"TA0005", "TA0005",
"T1218", "T1204",
"T1204" "T1218"
], ],
"title": "Suspicious WMIC Execution Via Office Process" "title": "Suspicious WMIC Execution Via Office Process"
}, },
@@ -11210,8 +11210,8 @@
"TA0011", "TA0011",
"T1071.004", "T1071.004",
"T1132.001", "T1132.001",
"T1071",
"T1048", "T1048",
"T1071",
"T1132" "T1132"
], ],
"title": "DNS Exfiltration and Tunneling Tools Execution" "title": "DNS Exfiltration and Tunneling Tools Execution"
@@ -11553,8 +11553,8 @@
"car.2013-08-001", "car.2013-08-001",
"T1053.005", "T1053.005",
"T1059.001", "T1059.001",
"T1059", "T1053",
"T1053" "T1059"
], ],
"title": "HackTool - Default PowerSploit/Empire Scheduled Task Creation" "title": "HackTool - Default PowerSploit/Empire Scheduled Task Creation"
}, },
@@ -12222,8 +12222,8 @@
"TA0005", "TA0005",
"T1059.001", "T1059.001",
"T1564.003", "T1564.003",
"T1059", "T1564",
"T1564" "T1059"
], ],
"title": "HackTool - Covenant PowerShell Launcher" "title": "HackTool - Covenant PowerShell Launcher"
}, },
@@ -14496,6 +14496,29 @@
], ],
"title": "PUA - Suspicious ActiveDirectory Enumeration Via AdFind.EXE" "title": "PUA - Suspicious ActiveDirectory Enumeration Via AdFind.EXE"
}, },
{
"category": "process_creation",
"channel": [
"sec"
],
"description": "Detects the execution of the Restic backup tool, which can be used for data exfiltration.\nThreat actors may leverage Restic to back up and exfiltrate sensitive data to remote storage locations, including cloud services.\nIf not legitimately used in the enterprise environment, its presence may indicate malicious activity.\n",
"event_ids": [
"4688"
],
"id": "7ec4822c-18de-077f-88aa-03d1ccba40b1",
"level": "high",
"service": "",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"tags": [
"TA0010",
"T1048",
"T1567.002",
"T1567"
],
"title": "PUA - Restic Backup Tool Execution"
},
{ {
"category": "process_creation", "category": "process_creation",
"channel": [ "channel": [
@@ -16277,8 +16300,8 @@
"T1059.001", "T1059.001",
"TA0005", "TA0005",
"T1027.005", "T1027.005",
"T1059", "T1027",
"T1027" "T1059"
], ],
"title": "HackTool - CrackMapExec PowerShell Obfuscation" "title": "HackTool - CrackMapExec PowerShell Obfuscation"
}, },
@@ -16744,8 +16767,8 @@
"TA0004", "TA0004",
"T1055.001", "T1055.001",
"T1218.013", "T1218.013",
"T1055", "T1218",
"T1218" "T1055"
], ],
"title": "Mavinject Inject DLL Into Running Process" "title": "Mavinject Inject DLL Into Running Process"
}, },
@@ -18029,8 +18052,8 @@
"T1218.011", "T1218.011",
"TA0006", "TA0006",
"T1003.001", "T1003.001",
"T1003", "T1218",
"T1218" "T1003"
], ],
"title": "Process Access via TrolleyExpress Exclusion" "title": "Process Access via TrolleyExpress Exclusion"
}, },
@@ -18723,8 +18746,8 @@
"TA0005", "TA0005",
"T1562.001", "T1562.001",
"T1070.001", "T1070.001",
"T1070", "T1562",
"T1562" "T1070"
], ],
"title": "Suspicious Windows Trace ETW Session Tamper Via Logman.EXE" "title": "Suspicious Windows Trace ETW Session Tamper Via Logman.EXE"
}, },
@@ -19834,8 +19857,8 @@
"TA0008", "TA0008",
"T1021.002", "T1021.002",
"T1218.011", "T1218.011",
"T1021", "T1218",
"T1218" "T1021"
], ],
"title": "Rundll32 UNC Path Execution" "title": "Rundll32 UNC Path Execution"
}, },
@@ -20859,9 +20882,9 @@
"TA0005", "TA0005",
"T1218.014", "T1218.014",
"T1036.002", "T1036.002",
"T1036", "T1218",
"T1204", "T1204",
"T1218" "T1036"
], ],
"title": "MMC Executing Files with Reversed Extensions Using RTLO Abuse" "title": "MMC Executing Files with Reversed Extensions Using RTLO Abuse"
}, },
@@ -21395,11 +21418,11 @@
"T1557", "T1557",
"T1082", "T1082",
"T1556", "T1556",
"T1574",
"T1505", "T1505",
"T1547",
"T1574",
"T1564", "T1564",
"T1546", "T1546"
"T1547"
], ],
"title": "Potential Suspicious Activity Using SeCEdit" "title": "Potential Suspicious Activity Using SeCEdit"
}, },
@@ -22525,8 +22548,8 @@
"TA0005", "TA0005",
"T1218.005", "T1218.005",
"T1027.004", "T1027.004",
"T1059",
"T1027", "T1027",
"T1059",
"T1218" "T1218"
], ],
"title": "Csc.EXE Execution Form Potentially Suspicious Parent" "title": "Csc.EXE Execution Form Potentially Suspicious Parent"
@@ -23974,8 +23997,8 @@
"T1558.003", "T1558.003",
"TA0008", "TA0008",
"T1550.003", "T1550.003",
"T1558", "T1550",
"T1550" "T1558"
], ],
"title": "HackTool - KrbRelayUp Execution" "title": "HackTool - KrbRelayUp Execution"
}, },
@@ -24156,8 +24179,8 @@
"TA0003", "TA0003",
"T1053.005", "T1053.005",
"T1059.001", "T1059.001",
"T1059", "T1053",
"T1053" "T1059"
], ],
"title": "Scheduled Task Executing Payload from Registry" "title": "Scheduled Task Executing Payload from Registry"
}, },
@@ -24512,8 +24535,8 @@
"T1133", "T1133",
"T1136.001", "T1136.001",
"T1021.001", "T1021.001",
"T1021", "T1136",
"T1136" "T1021"
], ],
"title": "User Added to Remote Desktop Users Group" "title": "User Added to Remote Desktop Users Group"
}, },
@@ -26099,8 +26122,8 @@
"T1069.002", "T1069.002",
"TA0002", "TA0002",
"T1059.001", "T1059.001",
"T1087",
"T1069", "T1069",
"T1087",
"T1059" "T1059"
], ],
"title": "HackTool - Bloodhound/Sharphound Execution" "title": "HackTool - Bloodhound/Sharphound Execution"
@@ -28021,8 +28044,8 @@
"TA0003", "TA0003",
"T1036.005", "T1036.005",
"T1053.005", "T1053.005",
"T1053", "T1036",
"T1036" "T1053"
], ],
"title": "Suspicious Scheduled Task Creation via Masqueraded XML File" "title": "Suspicious Scheduled Task Creation via Masqueraded XML File"
}, },
@@ -30864,8 +30887,8 @@
"T1059.001", "T1059.001",
"T1027.010", "T1027.010",
"detection.threat-hunting", "detection.threat-hunting",
"T1027", "T1059",
"T1059" "T1027"
], ],
"title": "Invocation Of Crypto-Classes From The \"Cryptography\" PowerShell Namespace" "title": "Invocation Of Crypto-Classes From The \"Cryptography\" PowerShell Namespace"
}, },
@@ -31397,9 +31420,9 @@
"T1021.002", "T1021.002",
"attack.s0039", "attack.s0039",
"detection.threat-hunting", "detection.threat-hunting",
"T1069",
"T1087", "T1087",
"T1021" "T1021",
"T1069"
], ],
"title": "Net.EXE Execution" "title": "Net.EXE Execution"
}, },
@@ -32156,9 +32179,9 @@
"T1027.010", "T1027.010",
"T1547.001", "T1547.001",
"detection.threat-hunting", "detection.threat-hunting",
"T1547",
"T1027", "T1027",
"T1059" "T1059",
"T1547"
], ],
"title": "Registry Set With Crypto-Classes From The \"Cryptography\" PowerShell Namespace" "title": "Registry Set With Crypto-Classes From The \"Cryptography\" PowerShell Namespace"
}, },
@@ -38098,9 +38121,9 @@
"T1003.001", "T1003.001",
"car.2016-04-002", "car.2016-04-002",
"detection.emerging-threats", "detection.emerging-threats",
"T1003", "T1070",
"T1218", "T1218",
"T1070" "T1003"
], ],
"title": "NotPetya Ransomware Activity" "title": "NotPetya Ransomware Activity"
}, },
@@ -38435,8 +38458,8 @@
"TA0011", "TA0011",
"T1071.004", "T1071.004",
"detection.emerging-threats", "detection.emerging-threats",
"T1053",
"T1543", "T1543",
"T1053",
"T1071" "T1071"
], ],
"title": "OilRig APT Registry Persistence" "title": "OilRig APT Registry Persistence"
@@ -38469,8 +38492,8 @@
"TA0011", "TA0011",
"T1071.004", "T1071.004",
"detection.emerging-threats", "detection.emerging-threats",
"T1053",
"T1543", "T1543",
"T1053",
"T1071" "T1071"
], ],
"title": "OilRig APT Activity" "title": "OilRig APT Activity"
@@ -38501,9 +38524,9 @@
"TA0011", "TA0011",
"T1071.004", "T1071.004",
"detection.emerging-threats", "detection.emerging-threats",
"T1053", "T1543",
"T1071", "T1071",
"T1543" "T1053"
], ],
"title": "OilRig APT Schedule Task Persistence - System" "title": "OilRig APT Schedule Task Persistence - System"
}, },
@@ -38629,8 +38652,8 @@
"T1218.011", "T1218.011",
"car.2013-10-002", "car.2013-10-002",
"detection.emerging-threats", "detection.emerging-threats",
"T1218", "T1059",
"T1059" "T1218"
], ],
"title": "Sofacy Trojan Loader Activity" "title": "Sofacy Trojan Loader Activity"
}, },
@@ -39118,8 +39141,8 @@
"TA0005", "TA0005",
"T1036.005", "T1036.005",
"detection.emerging-threats", "detection.emerging-threats",
"T1059", "T1036",
"T1036" "T1059"
], ],
"title": "Greenbug Espionage Group Indicators" "title": "Greenbug Espionage Group Indicators"
}, },
@@ -39477,8 +39500,8 @@
"T1053.005", "T1053.005",
"T1059.006", "T1059.006",
"detection.emerging-threats", "detection.emerging-threats",
"T1053", "T1059",
"T1059" "T1053"
], ],
"title": "Serpent Backdoor Payload Execution Via Scheduled Task" "title": "Serpent Backdoor Payload Execution Via Scheduled Task"
}, },
@@ -39624,8 +39647,8 @@
"T1053.005", "T1053.005",
"T1027", "T1027",
"detection.emerging-threats", "detection.emerging-threats",
"T1059", "T1053",
"T1053" "T1059"
], ],
"title": "Turla Group Commands May 2020" "title": "Turla Group Commands May 2020"
}, },
@@ -40881,8 +40904,8 @@
"T1552.001", "T1552.001",
"T1003.003", "T1003.003",
"detection.emerging-threats", "detection.emerging-threats",
"T1552", "T1003",
"T1003" "T1552"
], ],
"title": "Potential Russian APT Credential Theft Activity" "title": "Potential Russian APT Credential Theft Activity"
}, },
@@ -40941,9 +40964,9 @@
"T1053.005", "T1053.005",
"T1059.001", "T1059.001",
"detection.emerging-threats", "detection.emerging-threats",
"T1053", "T1059",
"T1036", "T1036",
"T1059" "T1053"
], ],
"title": "Operation Wocao Activity" "title": "Operation Wocao Activity"
}, },
@@ -40974,9 +40997,9 @@
"T1053.005", "T1053.005",
"T1059.001", "T1059.001",
"detection.emerging-threats", "detection.emerging-threats",
"T1036",
"T1053", "T1053",
"T1059" "T1059",
"T1036"
], ],
"title": "Operation Wocao Activity - Security" "title": "Operation Wocao Activity - Security"
}, },
@@ -41261,8 +41284,8 @@
"T1059.001", "T1059.001",
"attack.s0183", "attack.s0183",
"detection.emerging-threats", "detection.emerging-threats",
"T1059", "T1071",
"T1071" "T1059"
], ],
"title": "Kalambur Backdoor Curl TOR SOCKS Proxy Execution" "title": "Kalambur Backdoor Curl TOR SOCKS Proxy Execution"
}, },
@@ -44494,9 +44517,9 @@
"T1021.002", "T1021.002",
"T1543.003", "T1543.003",
"T1569.002", "T1569.002",
"T1543",
"T1569", "T1569",
"T1021" "T1021",
"T1543"
], ],
"title": "CobaltStrike Service Installations - Security" "title": "CobaltStrike Service Installations - Security"
}, },
@@ -45000,8 +45023,8 @@
"T1570", "T1570",
"TA0002", "TA0002",
"T1569.002", "T1569.002",
"T1569", "T1021",
"T1021" "T1569"
], ],
"title": "Metasploit Or Impacket Service Installation Via SMB PsExec" "title": "Metasploit Or Impacket Service Installation Via SMB PsExec"
}, },
@@ -45130,8 +45153,8 @@
"T1003.006", "T1003.006",
"T1569.002", "T1569.002",
"attack.s0005", "attack.s0005",
"T1003", "T1569",
"T1569" "T1003"
], ],
"title": "Credential Dumping Tools Service Execution - Security" "title": "Credential Dumping Tools Service Execution - Security"
}, },
@@ -46179,9 +46202,9 @@
"T1485", "T1485",
"T1553.002", "T1553.002",
"attack.s0195", "attack.s0195",
"T1027",
"T1553", "T1553",
"T1070" "T1070",
"T1027"
], ],
"title": "Potential Secure Deletion with SDelete" "title": "Potential Secure Deletion with SDelete"
}, },
@@ -46675,8 +46698,8 @@
"T1564.004", "T1564.004",
"T1552.001", "T1552.001",
"T1105", "T1105",
"T1552", "T1564",
"T1564" "T1552"
], ],
"title": "Abusing Findstr for Defense Evasion" "title": "Abusing Findstr for Defense Evasion"
}, },
@@ -47701,8 +47724,8 @@
"T1218.010", "T1218.010",
"TA0002", "TA0002",
"TA0005", "TA0005",
"T1218", "T1204",
"T1204" "T1218"
], ],
"title": "WMI Execution Via Office Process" "title": "WMI Execution Via Office Process"
}, },
@@ -49402,8 +49425,8 @@
"TA0004", "TA0004",
"T1543.003", "T1543.003",
"T1569.002", "T1569.002",
"T1543", "T1569",
"T1569" "T1543"
], ],
"title": "Sliver C2 Default Service Installation" "title": "Sliver C2 Default Service Installation"
}, },
@@ -49972,9 +49995,9 @@
"T1021.002", "T1021.002",
"T1543.003", "T1543.003",
"T1569.002", "T1569.002",
"T1569",
"T1021", "T1021",
"T1543" "T1543",
"T1569"
], ],
"title": "CobaltStrike Service Installations - System" "title": "CobaltStrike Service Installations - System"
}, },
@@ -50143,8 +50166,8 @@
"TA0002", "TA0002",
"T1021.002", "T1021.002",
"T1569.002", "T1569.002",
"T1569", "T1021",
"T1021" "T1569"
], ],
"title": "smbexec.py Service Installation" "title": "smbexec.py Service Installation"
}, },
@@ -51006,8 +51029,8 @@
"car.2013-09-005", "car.2013-09-005",
"T1543.003", "T1543.003",
"T1569.002", "T1569.002",
"T1543", "T1569",
"T1569" "T1543"
], ],
"title": "Malicious Service Installations" "title": "Malicious Service Installations"
}, },
@@ -51118,8 +51141,8 @@
"T1570", "T1570",
"TA0002", "TA0002",
"T1569.002", "T1569.002",
"T1569", "T1021",
"T1021" "T1569"
], ],
"title": "Metasploit Or Impacket Service Installation Via SMB PsExec" "title": "Metasploit Or Impacket Service Installation Via SMB PsExec"
}, },
@@ -51837,8 +51860,8 @@
"TA0008", "TA0008",
"T1563.002", "T1563.002",
"T1021.001", "T1021.001",
"T1021", "T1563",
"T1563" "T1021"
], ],
"title": "Possible RDP Hijacking" "title": "Possible RDP Hijacking"
}, },
@@ -53397,8 +53420,8 @@
"T1569.002", "T1569.002",
"T1136", "T1136",
"T1543", "T1543",
"T1569", "T1021",
"T1021" "T1569"
], ],
"title": "PSExec Lateral Movement" "title": "PSExec Lateral Movement"
}, },