Sigma Rule Update (2025-07-09 20:15:35) (#87)

Co-authored-by: YamatoSecurity <YamatoSecurity@users.noreply.github.com>

config/security_rules.json

@@ -17994,6 +17994,23 @@
     ],
     "title": "System Disk And Volume Reconnaissance Via Wmic.EXE"
   },
+  {
+    "category": "process_creation",
+    "channel": [
+      "sec"
+    ],
+    "description": "Detects the presence of \"UWhRC....AAYBAAAA\" pattern in command line.\nThe pattern \"1UWhRCAAAAA..BAAAA\" is a base64-encoded signature that corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure.\nAttackers can use this technique to coerce authentication from victim systems to attacker-controlled hosts.\nIt is one of the strong indicators of a Kerberos coercion attack, where adversaries manipulate DNS records\nto spoof Service Principal Names (SPNs) and redirect authentication requests like in CVE-2025-33073.\nIf you see this pattern in the command line, it is likely an attempt to add spoofed Service Principal Names (SPNs) to DNS records,\nor checking for the presence of such records through the `nslookup` command.\n",
+    "event_ids": [
+      "4688"
+    ],
+    "id": "c642ffbe-eb4e-5b90-c10a-de01f70dcb68",
+    "level": "high",
+    "service": "",
+    "subcategory_guids": [
+      "0CCE922B-69AE-11D9-BED3-505054503030"
+    ],
+    "title": "Attempts of Kerberos Coercion Via DNS SPN Spoofing"
+  },
   {
     "category": "process_creation",
     "channel": [
@@ -24531,6 +24548,26 @@
     ],
     "title": "DCERPC SMB Spoolss Named Pipe"
   },
+  {
+    "category": "",
+    "channel": [
+      "sec"
+    ],
+    "description": "Detects modifications to DNS records in Active Directory where the Distinguished Name (DN) contains a base64-encoded blob\nmatching the pattern \"1UWhRCAAAAA...BAAAA\". This pattern corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure,\ncommonly used in Kerberos coercion attacks. Adversaries may exploit this to coerce victim systems into authenticating to\nattacker-controlled hosts by spoofing SPNs via DNS. It is one of the strong indicators of a Kerberos coercion attack,.\nwhere adversaries manipulate DNS records to spoof Service Principal Names (SPNs) and redirect authentication requests like CVE-2025-33073.\nPlease investigate the user account that made the changes, as it is likely a low-privileged account that has been compromised.\n",
+    "event_ids": [
+      "4662",
+      "5136",
+      "5137"
+    ],
+    "id": "19da3c91-0fcd-61d5-5b4f-bde550a79070",
+    "level": "high",
+    "service": "security",
+    "subcategory_guids": [
+      "0CCE923B-69AE-11D9-BED3-505054503030",
+      "0CCE923C-69AE-11D9-BED3-505054503030"
+    ],
+    "title": "Potential Kerberos Coercion by Spoofing SPNs via DNS Manipulation"
+  },
   {
     "category": "",
     "channel": [
@@ -26161,7 +26198,7 @@
     "channel": [
       "sec"
     ],
-    "description": "Detects modification of the registry settings used for Internet Explorer and other Windows components that use these settings. An attacker can abuse this registry key to add a domain to the trusted sites Zone or insert javascript for persistence",
+    "description": "Detects modification of the registry settings used for Internet Explorer and other Windows components that use these settings. An attacker can abuse this registry key to add a domain to the trusted sites Zone or insert JavaScript for persistence",
     "event_ids": [
       "4657"
     ],
@@ -27788,6 +27825,23 @@
     ],
     "title": "Internet Explorer DisableFirstRunCustomize Enabled"
   },
+  {
+    "category": "registry_set",
+    "channel": [
+      "sec"
+    ],
+    "description": "Detects commonly-used chained commands and strings in the most recent 'url' value of the 'TypedPaths' key, which could be indicative of a user being targeted by the FileFix technique.",
+    "event_ids": [
+      "4657"
+    ],
+    "id": "57a468ba-845c-797e-81fb-79970450803a",
+    "level": "high",
+    "service": "",
+    "subcategory_guids": [
+      "0CCE921E-69AE-11D9-BED3-505054503030"
+    ],
+    "title": "FileFix - Command Evidence in TypedPaths from Browser File Upload Abuse"
+  },
   {
     "category": "registry_set",
     "channel": [