Sigma Rule Update (2026-03-31 20:36:33) (#298)

Co-authored-by: YamatoSecurity <YamatoSecurity@users.noreply.github.com>
github-actions[bot]
2026-03-31 20:36:40 +00:00
committed by GitHub
parent 48cae20661
commit 4203f448bd


@@ -1918,10 +1918,10 @@
"T1570",
"T1021.002",
"T1569.002",
"T1136",
"T1543",
"T1021",
"T1569"
"T1136",
"T1569",
"T1543"
],
"title": "PSExec Lateral Movement"
},
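Review bot: The only difference in this hunk is the order of the derived parent-technique tags (`"T1136"`, `"T1569"`, `"T1543"`), which suggests the generator collects them in an unordered set before serialising; every scheduled update will then reshuffle dozens of rule entries and bury the real changes in this commit (the four new DMSA rules) under ordering noise. Emitting the tag list in a deterministic order, e.g. sorting the parent IDs once before they are appended, would make these hunks disappear and keep the JSON diff reviewable. The same reorder-only pattern accounts for nearly every other hunk in this commit, from +3054 through +55009, and is not repeated there. The enclosing rule object begins above this hunk, so the unchanged part of the entry is not visible here.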
@@ -3054,8 +3054,8 @@
"TA0002",
"T1543.003",
"T1569.002",
"T1569",
"T1543"
"T1543",
"T1569"
],
"title": "Remote Access Tool Services Have Been Installed - System"
},
@@ -3241,9 +3241,9 @@
"T1021.002",
"T1543.003",
"T1569.002",
"T1543",
"T1021",
"T1569",
"T1021"
"T1543"
],
"title": "CobaltStrike Service Installations - System"
},
@@ -3327,8 +3327,8 @@
"TA0004",
"T1543.003",
"T1569.002",
"T1569",
"T1543"
"T1543",
"T1569"
],
"title": "ProcessHacker Privilege Elevation"
},
@@ -3580,8 +3580,8 @@
"TA0004",
"T1543.003",
"T1569.002",
"T1569",
"T1543"
"T1543",
"T1569"
],
"title": "Sliver C2 Default Service Installation"
},
@@ -4589,8 +4589,8 @@
"T1059.001",
"attack.s0183",
"detection.emerging-threats",
"T1071",
"T1059"
"T1059",
"T1071"
],
"title": "Kalambur Backdoor Curl TOR SOCKS Proxy Execution"
},
@@ -6176,8 +6176,8 @@
"TA0005",
"T1036.005",
"detection.emerging-threats",
"T1036",
"T1059"
"T1059",
"T1036"
],
"title": "Greenbug Espionage Group Indicators"
},
@@ -6520,8 +6520,8 @@
"T1218.011",
"car.2013-10-002",
"detection.emerging-threats",
"T1218",
"T1059"
"T1059",
"T1218"
],
"title": "Sofacy Trojan Loader Activity"
},
@@ -6552,8 +6552,8 @@
"T1071.004",
"detection.emerging-threats",
"T1543",
"T1053",
"T1071"
"T1071",
"T1053"
],
"title": "OilRig APT Schedule Task Persistence - System"
},
@@ -6586,9 +6586,9 @@
"TA0011",
"T1071.004",
"detection.emerging-threats",
"T1543",
"T1071",
"T1053",
"T1543"
"T1053"
],
"title": "OilRig APT Schedule Task Persistence - Security"
},
@@ -6621,8 +6621,8 @@
"T1071.004",
"detection.emerging-threats",
"T1071",
"T1543",
"T1053"
"T1053",
"T1543"
],
"title": "OilRig APT Registry Persistence"
},
@@ -6654,9 +6654,9 @@
"TA0011",
"T1071.004",
"detection.emerging-threats",
"T1071",
"T1543",
"T1053",
"T1543"
"T1071"
],
"title": "OilRig APT Activity"
},
@@ -9039,8 +9039,8 @@
"T1003.001",
"T1560.001",
"detection.emerging-threats",
"T1560",
"T1003"
"T1003",
"T1560"
],
"title": "APT31 Judgement Panda Activity"
},
@@ -9150,9 +9150,9 @@
"T1053.005",
"T1059.001",
"detection.emerging-threats",
"T1053",
"T1036",
"T1059",
"T1036"
"T1053"
],
"title": "Operation Wocao Activity - Security"
},
@@ -9176,8 +9176,8 @@
"T1552.001",
"T1003.003",
"detection.emerging-threats",
"T1552",
"T1003"
"T1003",
"T1552"
],
"title": "Potential Russian APT Credential Theft Activity"
},
@@ -9858,9 +9858,9 @@
"T1003.001",
"car.2016-04-002",
"detection.emerging-threats",
"T1218",
"T1070",
"T1003",
"T1070"
"T1218"
],
"title": "NotPetya Ransomware Activity"
},
@@ -9915,8 +9915,8 @@
"T1566.001",
"cve.2017-11882",
"detection.emerging-threats",
"T1204",
"T1566"
"T1566",
"T1204"
],
"title": "Droppers Exploiting CVE-2017-11882"
},
@@ -10001,8 +10001,8 @@
"T1053.005",
"T1027",
"detection.emerging-threats",
"T1059",
"T1053"
"T1053",
"T1059"
],
"title": "Turla Group Commands May 2020"
},
@@ -12285,8 +12285,8 @@
"T1059.001",
"TA0008",
"T1021.003",
"T1059",
"T1021"
"T1021",
"T1059"
],
"title": "Suspicious Non PowerShell WSMAN COM Provider"
},
@@ -12365,8 +12365,8 @@
"T1059.001",
"TA0008",
"T1021.006",
"T1059",
"T1021"
"T1021",
"T1059"
],
"title": "Remote PowerShell Session (PS Classic)"
},
@@ -12388,8 +12388,8 @@
"TA0005",
"T1059.001",
"T1036.003",
"T1036",
"T1059"
"T1059",
"T1036"
],
"title": "Renamed Powershell Under Powershell Channel"
},
@@ -12846,8 +12846,8 @@
"T1059.001",
"TA0008",
"T1021.006",
"T1059",
"T1021"
"T1021",
"T1059"
],
"title": "Remote PowerShell Session (PS Module)"
},
@@ -13721,8 +13721,8 @@
"T1059.001",
"TA0003",
"T1136.001",
"T1059",
"T1136"
"T1136",
"T1059"
],
"title": "PowerShell Create Local User"
},
@@ -14898,6 +14898,31 @@
],
"title": "PowerShell Set-Acl On Windows Folder - PsScript"
},
{
"category": "ps_script",
"channel": [
"pwsh",
"pwsh"
],
"description": "Detects modification of dMSA link attributes (msDS-ManagedAccountPrecededByLink) via PowerShell scripts.\nThis command line pattern could be an indicator an attempt to exploit the BadSuccessor privilege escalation vulnerability in Windows Server 2025.\n",
"event_ids": [
"4104"
],
"id": "b9379854-8052-302f-b6c2-62a9b5250135",
"level": "low",
"service": "",
"subcategory_guids": [],
"tags": [
"TA0004",
"TA0005",
"TA0003",
"TA0001",
"T1078.002",
"T1098",
"T1078"
],
"title": "DMSA Link Attributes Modified"
},
{
"category": "ps_script",
"channel": [
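Review bot: The new rule's `channel` array lists `"pwsh"` twice; a duplicate entry is redundant at best and, depending on how the consumer iterates channels when matching, may cause the rule to be evaluated twice against the same 4104 event. It should read `"channel": ["pwsh"]`. The same duplicated entry appears in the next added rule, "DMSA Service Account Created in Specific OUs - PowerShell" (hunk +15990), so the generator step that maps the upstream logsource to channels is the likely place to de-duplicate. The description text is carried over from upstream, but `"an indicator an attempt"` is missing "of" and could be fixed there as well.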
@@ -15965,6 +15990,31 @@
],
"title": "Import PowerShell Modules From Suspicious Directories"
},
{
"category": "ps_script",
"channel": [
"pwsh",
"pwsh"
],
"description": "Detects the creation of a dMSA service account using the New-ADServiceAccount cmdlet in certain OUs.\nThe fact that the cmdlet is used to create a dMSASvc account in a specific OU is highly suspicious.\nIt is a pattern trying to exploit the BadSuccessor privilege escalation vulnerability in Windows Server 2025.\nOn top of that, if the user that is creating the dMSASvc account is not a legitimate administrator or does not have the necessary permissions,\nit is a strong signal of an attempted or successful abuse of the BaDSuccessor vulnerability for privilege escalation within the Windows Server 2025 Active Directory environment.\n",
"event_ids": [
"4104"
],
"id": "7eb149bb-0d9a-f915-d1c7-2d0de7cccc07",
"level": "medium",
"service": "",
"subcategory_guids": [],
"tags": [
"TA0004",
"TA0001",
"TA0005",
"TA0003",
"T1078.002",
"T1098",
"T1078"
],
"title": "DMSA Service Account Created in Specific OUs - PowerShell"
},
{
"category": "ps_script",
"channel": [
@@ -16289,8 +16339,8 @@
"T1552.001",
"T1555",
"T1555.003",
"T1552",
"T1548"
"T1548",
"T1552"
],
"title": "HackTool - WinPwn Execution - ScriptBlock"
},
@@ -19503,8 +19553,8 @@
"T1553.002",
"attack.s0195",
"T1553",
"T1027",
"T1070"
"T1070",
"T1027"
],
"title": "Potential Secure Deletion with SDelete"
},
@@ -19622,8 +19672,8 @@
"T1090.002",
"T1021.001",
"car.2013-07-002",
"T1021",
"T1090"
"T1090",
"T1021"
],
"title": "RDP over Reverse SSH Tunnel WFP"
},
@@ -19672,8 +19722,8 @@
"T1021.002",
"T1543.003",
"T1569.002",
"T1021",
"T1543",
"T1021",
"T1569"
],
"title": "CobaltStrike Service Installations - Security"
@@ -20109,8 +20159,8 @@
"TA0004",
"T1548.002",
"T1546.001",
"T1548",
"T1546"
"T1546",
"T1548"
],
"title": "Shell Open Registry Keys Manipulation"
},
@@ -20939,8 +20989,8 @@
"T1543.003",
"T1569.002",
"T1543",
"T1569",
"T1021"
"T1021",
"T1569"
],
"title": "Potential CobaltStrike Service Installations - Registry"
},
@@ -22299,8 +22349,8 @@
"T1204.004",
"TA0005",
"T1027.010",
"T1204",
"T1027"
"T1027",
"T1204"
],
"title": "Suspicious Space Characters in RunMRU Registry Path - ClickFix"
},
@@ -23626,8 +23676,8 @@
"TA0003",
"T1547.001",
"T1546.009",
"T1547",
"T1546"
"T1546",
"T1547"
],
"title": "Session Manager Autorun Keys Modification"
},
@@ -27092,8 +27142,8 @@
"T1218.010",
"TA0002",
"TA0005",
"T1218",
"T1204"
"T1204",
"T1218"
],
"title": "Office Applications Spawning Wmi Cli Alternate"
},
@@ -27213,8 +27263,8 @@
"T1218.010",
"TA0002",
"TA0005",
"T1204",
"T1218"
"T1218",
"T1204"
],
"title": "WMI Execution Via Office Process"
},
@@ -27631,8 +27681,8 @@
"T1218.010",
"TA0002",
"TA0005",
"T1204",
"T1218"
"T1218",
"T1204"
],
"title": "Excel Proxy Executing Regsvr32 With Payload Alternate"
},
@@ -27774,6 +27824,32 @@
],
"title": "User with Privileges Logon"
},
{
"category": "",
"channel": [
"sec"
],
"description": "Detects the creation of new msDS-DelegatedManagedServiceAccount objects, which could indicate potential abuse of privilege escalation vulnerabilities in Windows Server 2025.\nThe msDS-DelegatedManagedServiceAccount (DMSA) is a new object class introduced in Windows Server 2025 that allows administrators to delegate the management of service accounts to other users or groups.\nAttackers may exploit this feature to create unauthorized service accounts with elevated privileges, leading to privilege escalation within the Active Directory environment.\nIt is highly suspicious if an msDS-DelegatedManagedServiceAccount object is created without proper authorization or in an unexpected context, such as by a non-administrative user or outside of normal administrative workflows.\nSo, it's a good idea to look out for accounts that are not typically responsible for service account creation to detect potential abuse of this feature.\n",
"event_ids": [
"5137"
],
"id": "99f71671-d872-abce-f1f0-8cf2e3ee7f57",
"level": "medium",
"service": "security",
"subcategory_guids": [
"0CCE923C-69AE-11D9-BED3-505054503030"
],
"tags": [
"TA0004",
"TA0001",
"TA0005",
"TA0003",
"T1078.002",
"T1098",
"T1078"
],
"title": "New MsDS-DelegatedManagedServiceAccount (DMSA) Object Created"
},
{
"category": "",
"channel": [
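Review bot: The rule keys on event 5137 under the Directory Service Changes subcategory (`0CCE923C-69AE-11D9-BED3-505054503030`), which only produces events when that subcategory is enabled and the container or object class carries an audit SACL covering object creation; nothing in the entry records that dependency, so an environment with default auditing will never match and the absence of hits will look like a clean result. Worth stating in the description, or wherever deployment prerequisites for Security-channel rules are documented, that directory-object auditing must be configured. The same prerequisite applies to the 5136-based rule added in hunk +27933. The title spells the class `MsDS-DelegatedManagedServiceAccount` while the description uses `msDS-DelegatedManagedServiceAccount`; using one spelling would help searching.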
@@ -27857,6 +27933,32 @@
],
"title": "Remote Registry Management Using Reg Utility"
},
{
"category": "",
"channel": [
"sec"
],
"description": "Detects modifications to the msDS-ManagedAccountPrecededByLink attribute, which may indicate an attempted or successful abuse of the BaD-Successor msDS-DelegatedManagedServiceAccount (DMSA) vulnerability.\nThe DMSA is a new object class introduced in Windows Server 2025 that allows administrators to delegate the management of service accounts to other users or groups.\nChanges to this attribute by suspicious accounts or outside of normal administrative workflows are a strong signal of an attempted or successful abuse.\nIf it is indeed modified by an account that is not typically responsible for such changes, it could indicate an attempt to exploit the BaD-Successor vulnerability for privilege escalation within the Windows Server 2025 Active Directory environment.\n",
"event_ids": [
"5136"
],
"id": "1acd5528-43c1-ed53-4ded-2aa1bddff1de",
"level": "medium",
"service": "security",
"subcategory_guids": [
"0CCE923C-69AE-11D9-BED3-505054503030"
],
"tags": [
"TA0004",
"TA0001",
"TA0005",
"TA0003",
"T1078.002",
"T1098",
"T1078"
],
"title": "msDS-ManagedAccountPrecededByLink Attribute Modified"
},
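Review bot: This rule and the ps_script rule "DMSA Link Attributes Modified" (hunk +14898) both detect modification of `msDS-ManagedAccountPrecededByLink`, yet this one is `"level": "medium"` and the scriptblock variant is `"level": "low"`; the levels presumably mirror the upstream Sigma rules and the telemetry differs (5136 directory change versus 4104 script block), but the gap is worth confirming so that the same attack step is not triaged inconsistently depending on which log captured it. The vulnerability name is also spelled three ways across the four new descriptions (`BadSuccessor`, `BaDSuccessor`, `BaD-Successor`), which defeats a simple text search; a single spelling upstream would fix all of them.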
{
"category": "process_creation",
"channel": [
@@ -28435,8 +28537,8 @@
"TA0010",
"T1020",
"detection.threat-hunting",
"T1114",
"T1564"
"T1564",
"T1114"
],
"title": "Mail Forwarding/Redirecting Activity Via ExchangePowerShell Cmdlet"
},
@@ -28591,8 +28693,8 @@
"T1027.010",
"T1547.001",
"detection.threat-hunting",
"T1027",
"T1059",
"T1027",
"T1547"
],
"title": "Registry Set With Crypto-Classes From The \"Cryptography\" PowerShell Namespace"
@@ -29193,8 +29295,8 @@
"attack.s0039",
"detection.threat-hunting",
"T1069",
"T1021",
"T1087"
"T1087",
"T1021"
],
"title": "Net.EXE Execution"
},
@@ -30254,8 +30356,8 @@
"TA0005",
"T1219.002",
"T1036.003",
"T1036",
"T1219"
"T1219",
"T1036"
],
"title": "Remote Access Tool - Renamed MeshAgent Execution - Windows"
},
@@ -33032,8 +33134,8 @@
"T1587.001",
"TA0002",
"T1569.002",
"T1587",
"T1569"
"T1569",
"T1587"
],
"title": "PUA - CsExec Execution"
},
@@ -33526,8 +33628,8 @@
"TA0004",
"T1055.001",
"T1218.013",
"T1218",
"T1055"
"T1055",
"T1218"
],
"title": "Mavinject Inject DLL Into Running Process"
},
@@ -34595,8 +34697,8 @@
"TA0003",
"T1036.005",
"T1053.005",
"T1053",
"T1036"
"T1036",
"T1053"
],
"title": "Suspicious Scheduled Task Creation via Masqueraded XML File"
},
@@ -34734,8 +34836,8 @@
"TA0004",
"T1036.003",
"T1053.005",
"T1053",
"T1036"
"T1036",
"T1053"
],
"title": "Renamed Schtasks Execution"
},
@@ -34826,8 +34928,8 @@
"T1059.003",
"TA0005",
"T1027.010",
"T1059",
"T1027"
"T1027",
"T1059"
],
"title": "Suspicious Usage of For Loop with Recursive Directory Search in CMD"
},
@@ -35897,6 +35999,32 @@
],
"title": "Invoke-Obfuscation COMPRESS OBFUSCATION"
},
{
"category": "process_creation",
"channel": [
"sec"
],
"description": "Detects the creation of a dMSASvc account using the New-ADServiceAccount cmdlet in certain OUs.\nThe fact that the Cmdlet is used to create a dMSASvc account in a specific OU is highly suspicious.\nIt is a pattern trying to exploit the BadSuccessor privilege escalation vulnerability in Windows Server 2025.\nOn top of that, if the user that is creating the dMSASvc account is not a legitimate administrator or does not have the necessary permissions,\nit is a strong signal of an attempted or successful abuse of the BaDSuccessor vulnerability for privilege escalation within the Windows Server 2025 Active Directory environment.\n",
"event_ids": [
"4688"
],
"id": "67728f40-514c-aa63-b8eb-d1537df0df30",
"level": "medium",
"service": "",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"tags": [
"TA0004",
"TA0001",
"TA0005",
"TA0003",
"T1078.002",
"T1098",
"T1078"
],
"title": "New DMSA Service Account Created in Specific OUs"
},
{
"category": "process_creation",
"channel": [
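Review bot: This rule targets `"channel": ["sec"]` with event 4688 and the Process Creation subcategory GUID, but `"service": ""`, whereas the two other Security-channel rules added in this commit (hunks +27824 and +27933) set `"service": "security"`; if the consumer filters on `service` for Security-channel events this entry may never be selected. It may be that process_creation entries are mapped without a service by design, since existing process_creation entries are not visible in this chunk, but the inconsistency is worth checking in the generator. The description is also nearly identical to the ps_script rule in hunk +15990 (`dMSA` versus `dMSASvc`, `cmdlet` versus `Cmdlet`), which suggests the two upstream rules could share one wording.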
@@ -36333,8 +36461,8 @@
"T1047",
"T1204.002",
"T1218.010",
"T1204",
"T1218"
"T1218",
"T1204"
],
"title": "Suspicious WmiPrvSE Child Process"
},
@@ -36957,8 +37085,8 @@
"T1218.011",
"TA0006",
"T1003.001",
"T1003",
"T1218"
"T1218",
"T1003"
],
"title": "Process Access via TrolleyExpress Exclusion"
},
@@ -37274,8 +37402,8 @@
"T1218.010",
"TA0002",
"TA0005",
"T1204",
"T1218"
"T1218",
"T1204"
],
"title": "Suspicious WMIC Execution Via Office Process"
},
@@ -37462,8 +37590,8 @@
"car.2013-08-001",
"T1053.005",
"T1059.001",
"T1053",
"T1059"
"T1059",
"T1053"
],
"title": "HackTool - Default PowerSploit/Empire Scheduled Task Creation"
},
@@ -37982,8 +38110,8 @@
"TA0004",
"T1543.003",
"T1562.001",
"T1543",
"T1562"
"T1562",
"T1543"
],
"title": "Devcon Execution Disabling VMware VMCI Device"
},
@@ -38403,8 +38531,8 @@
"T1021.004",
"TA0011",
"T1219",
"T1059",
"T1021"
"T1021",
"T1059"
],
"title": "OpenEDR Spawning Command Shell"
},
@@ -39468,8 +39596,8 @@
"T1563.002",
"T1021.001",
"car.2013-07-002",
"T1021",
"T1563"
"T1563",
"T1021"
],
"title": "Suspicious RDP Redirect Using TSCON"
},
@@ -40446,8 +40574,8 @@
"T1570",
"TA0002",
"T1569.002",
"T1569",
"T1021"
"T1021",
"T1569"
],
"title": "Rundll32 Execution Without Parameters"
},
@@ -40652,9 +40780,9 @@
"T1218.007",
"TA0002",
"T1059.001",
"T1059",
"T1027",
"T1218"
"T1218",
"T1059"
],
"title": "Obfuscated PowerShell MSI Install via WindowsInstaller COM"
},
@@ -42252,8 +42380,8 @@
"T1564.004",
"T1552.001",
"T1105",
"T1552",
"T1564"
"T1564",
"T1552"
],
"title": "Insensitive Subfolder Search Via Findstr.EXE"
},
@@ -42437,8 +42565,8 @@
"T1558.003",
"TA0008",
"T1550.003",
"T1550",
"T1558"
"T1558",
"T1550"
],
"title": "HackTool - KrbRelayUp Execution"
},
@@ -42807,9 +42935,9 @@
"TA0011",
"T1071.004",
"T1132.001",
"T1048",
"T1071",
"T1132"
"T1132",
"T1048"
],
"title": "DNS Exfiltration and Tunneling Tools Execution"
},
@@ -43409,8 +43537,8 @@
"TA0003",
"T1053.005",
"T1059.001",
"T1053",
"T1059"
"T1059",
"T1053"
],
"title": "Suspicious Schtasks Execution AppData Folder"
},
@@ -43457,9 +43585,9 @@
"TA0005",
"T1218.014",
"T1036.002",
"T1036",
"T1204",
"T1218",
"T1036"
"T1218"
],
"title": "MMC Executing Files with Reversed Extensions Using RTLO Abuse"
},
@@ -43817,8 +43945,8 @@
"T1482",
"T1069.002",
"stp.1u",
"T1087",
"T1069"
"T1069",
"T1087"
],
"title": "PUA - AdFind Suspicious Execution"
},
@@ -43861,8 +43989,8 @@
"TA0005",
"T1562.001",
"T1070.001",
"T1070",
"T1562"
"T1562",
"T1070"
],
"title": "Suspicious Windows Trace ETW Session Tamper Via Logman.EXE"
},
@@ -44995,8 +45123,8 @@
"T1562.001",
"TA0006",
"T1003.001",
"T1562",
"T1003"
"T1003",
"T1562"
],
"title": "PPL Tampering Via WerFaultSecure"
},
@@ -46121,8 +46249,8 @@
"TA0005",
"T1059.001",
"T1564.003",
"T1564",
"T1059"
"T1059",
"T1564"
],
"title": "HackTool - Covenant PowerShell Launcher"
},
@@ -47602,8 +47730,8 @@
"TA0002",
"T1059.001",
"T1087",
"T1069",
"T1059"
"T1059",
"T1069"
],
"title": "HackTool - Bloodhound/Sharphound Execution"
},
@@ -48627,8 +48755,8 @@
"TA0003",
"T1543.003",
"T1574.011",
"T1574",
"T1543"
"T1543",
"T1574"
],
"title": "Potential Persistence Attempt Via Existing Service Tampering"
},
@@ -49285,11 +49413,11 @@
"T1547.002",
"T1557",
"T1082",
"T1556",
"T1505",
"T1574",
"T1564",
"T1547",
"T1505",
"T1556",
"T1574",
"T1546"
],
"title": "Potential Suspicious Activity Using SeCEdit"
@@ -49472,8 +49600,8 @@
"T1564.004",
"T1552.001",
"T1105",
"T1552",
"T1564"
"T1564",
"T1552"
],
"title": "Remote File Download Via Findstr.EXE"
},
@@ -49724,8 +49852,8 @@
"T1087.002",
"T1069.002",
"T1482",
"T1069",
"T1087"
"T1087",
"T1069"
],
"title": "Suspicious Active Directory Database Snapshot Via ADExplorer"
},
@@ -50987,8 +51115,8 @@
"T1615",
"T1569.002",
"T1574.005",
"T1574",
"T1569"
"T1569",
"T1574"
],
"title": "HackTool - SharpUp PrivEsc Tool Execution"
},
@@ -51168,8 +51296,8 @@
"T1059.001",
"T1059.003",
"T1564.003",
"T1059",
"T1564"
"T1564",
"T1059"
],
"title": "Powershell Executed From Headless ConHost Process"
},
@@ -51761,8 +51889,8 @@
"TA0003",
"T1053.005",
"T1059.001",
"T1053",
"T1059"
"T1059",
"T1053"
],
"title": "Scheduled Task Executing Encoded Payload from Registry"
},
@@ -52337,9 +52465,9 @@
"TA0005",
"T1218.005",
"T1027.004",
"T1027",
"T1059",
"T1218"
"T1218",
"T1027"
],
"title": "Csc.EXE Execution Form Potentially Suspicious Parent"
},
@@ -53873,8 +54001,8 @@
"T1106",
"T1059.003",
"T1218.011",
"T1059",
"T1218"
"T1218",
"T1059"
],
"title": "HackTool - RedMimicry Winnti Playbook Execution"
},
@@ -55009,8 +55137,8 @@
"TA0002",
"T1204.002",
"T1553.005",
"T1553",
"T1204"
"T1204",
"T1553"
],
"title": "Windows AppX Deployment Full Trust Package Installation"
},