CSEC_PUBLIC/WELA
1
0
Fork 0
mirror of https://github.com/Yamato-Security/WELA.git synced 2026-05-09 04:42:35 +02:00
Code Issues Packages Projects Releases Wiki Activity

Sigma Rule Update (2026-04-24 20:39:19) (#322)

Browse Source 
Co-authored-by: YamatoSecurity <YamatoSecurity@users.noreply.github.com>
This commit is contained in:
github-actions[bot]
2026-04-24 20:39:26 +00:00
committed by GitHub
parent e28644c57b
commit 59feb924cf
1 changed files with 187 additions and 139 deletions
Download Patch File Download Diff File Expand all files Collapse all files
config/security_rules.json
+187 -139
View File
@@ -210,8 +210,8 @@
"car.2013-09-005",
"T1543.003",
"T1569.002",
"T1543",
"T1569"
"T1569",
"T1543"
],
"title": "Malicious Service Installations"
},
@@ -1433,8 +1433,8 @@
"T1564.004",
"T1552.001",
"T1105",
"T1564",
"T1552"
"T1552",
"T1564"
],
"title": "Remote File Download Via Findstr.EXE"
},
@@ -2666,8 +2666,8 @@
"TA0002",
"T1059.007",
"cve.2020-1599",
"T1218",
"T1059"
"T1059",
"T1218"
],
"title": "MSHTA Execution with Suspicious File Extensions"
},
@@ -3449,8 +3449,8 @@
"TA0003",
"T1053.005",
"T1059.001",
"T1059",
"T1053"
"T1053",
"T1059"
],
"title": "Scheduled Task Executing Payload from Registry"
},
@@ -4018,8 +4018,8 @@
"TA0004",
"T1055.001",
"T1218.013",
"T1218",
"T1055"
"T1055",
"T1218"
],
"title": "Mavinject Inject DLL Into Running Process"
},
@@ -7485,8 +7485,8 @@
"TA0004",
"T1543.003",
"T1562.001",
"T1562",
"T1543"
"T1543",
"T1562"
],
"title": "Devcon Execution Disabling VMware VMCI Device"
},
@@ -8017,8 +8017,8 @@
"T1558.003",
"TA0008",
"T1550.003",
"T1550",
"T1558"
"T1558",
"T1550"
],
"title": "HackTool - KrbRelayUp Execution"
},
@@ -8383,8 +8383,8 @@
"T1087.002",
"T1069.002",
"T1482",
"T1069",
"T1087"
"T1087",
"T1069"
],
"title": "Suspicious Active Directory Database Snapshot Via ADExplorer"
},
@@ -8629,9 +8629,9 @@
"TA0005",
"T1218.005",
"T1027.004",
"T1027",
"T1059",
"T1218",
"T1059"
"T1027"
],
"title": "Csc.EXE Execution Form Potentially Suspicious Parent"
},
@@ -8772,9 +8772,9 @@
"T1218.007",
"TA0002",
"T1059.001",
"T1027",
"T1218",
"T1059"
"T1059",
"T1027"
],
"title": "Obfuscated PowerShell MSI Install via WindowsInstaller COM"
},
@@ -9087,8 +9087,8 @@
"T1087.002",
"T1482",
"T1069.002",
"T1087",
"T1069"
"T1069",
"T1087"
],
"title": "Renamed AdFind Execution"
},
@@ -10760,8 +10760,8 @@
"T1087.002",
"T1069.002",
"T1482",
"T1087",
"T1069"
"T1069",
"T1087"
],
"title": "Active Directory Database Snapshot Via ADExplorer"
},
@@ -12381,8 +12381,8 @@
"T1587.001",
"TA0002",
"T1569.002",
"T1569",
"T1587"
"T1587",
"T1569"
],
"title": "PUA - CsExec Execution"
},
@@ -13304,6 +13304,31 @@
],
"title": "Suspicious Greedy Compression Using Rar.EXE"
},
{
"category": "process_creation",
"channel": [
"sec"
],
"description": "Detects Python one-liners that use base64 decoding functions in command line executions.\nMalicious scripts or attackers often use python one-liners to decode and execute base64-encoded payloads, which is a common technique for obfuscation and evasion.\n",
"event_ids": [
"4688"
],
"id": "89d785d7-fec2-209e-53a3-19a670b7e0ea",
"level": "high",
"service": "",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"tags": [
"TA0002",
"T1059.006",
"TA0005",
"T1027.010",
"T1059",
"T1027"
],
"title": "Python One-Liners with Base64 Decoding"
},
{
"category": "process_creation",
"channel": [
@@ -14397,8 +14422,8 @@
"T1059.001",
"T1059.003",
"T1564.003",
"T1564",
"T1059"
"T1059",
"T1564"
],
"title": "Powershell Executed From Headless ConHost Process"
},
@@ -16375,8 +16400,8 @@
"T1570",
"TA0002",
"T1569.002",
"T1569",
"T1021"
"T1021",
"T1569"
],
"title": "Rundll32 Execution Without Parameters"
},
@@ -16830,8 +16855,8 @@
"T1069.002",
"TA0002",
"T1059.001",
"T1087",
"T1069",
"T1087",
"T1059"
],
"title": "HackTool - Bloodhound/Sharphound Execution"
@@ -16991,8 +17016,8 @@
"T1552.001",
"T1555",
"T1555.003",
"T1548",
"T1552"
"T1552",
"T1548"
],
"title": "HackTool - WinPwn Execution"
},
@@ -17550,6 +17575,29 @@
],
"title": "Suspicious Microsoft Office Child Process"
},
{
"category": "process_creation",
"channel": [
"sec"
],
"description": "Detects execution of the hacktool NetExec.\nNetExec (formerly CrackMapExec) is a widely used post-exploitation tool designed for Active Directory penetration testing and network enumeration\nIn enterprise environments, the use of NetExec is considered suspicious or potentially malicious because it enables attackers to enumerate hosts, exploit network services, and move laterally across systems.\nThreat actors and red teams commonly use NetExec to identify vulnerable systems, harvest credentials, and execute commands remotely.\n",
"event_ids": [
"4688"
],
"id": "837269f1-83f1-229a-c835-4371ad44e510",
"level": "high",
"service": "",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"tags": [
"TA0007",
"T1018",
"TA0008",
"T1021"
],
"title": "HackTool - NetExec Execution"
},
{
"category": "process_creation",
"channel": [
@@ -18916,8 +18964,8 @@
"T1021.004",
"TA0011",
"T1219",
"T1021",
"T1059"
"T1059",
"T1021"
],
"title": "OpenEDR Spawning Command Shell"
},
@@ -19339,8 +19387,8 @@
"TA0008",
"T1059.001",
"T1021.006",
"T1059",
"T1021"
"T1021",
"T1059"
],
"title": "Remote PowerShell Session Host Process (WinRM)"
},
@@ -19568,12 +19616,12 @@
"T1547.002",
"T1557",
"T1082",
"T1574",
"T1547",
"T1564",
"T1505",
"T1574",
"T1556",
"T1546"
"T1546",
"T1505"
],
"title": "Potential Suspicious Activity Using SeCEdit"
},
@@ -20106,8 +20154,8 @@
"T1106",
"T1059.003",
"T1218.011",
"T1059",
"T1218"
"T1218",
"T1059"
],
"title": "HackTool - RedMimicry Winnti Playbook Execution"
},
@@ -20381,8 +20429,8 @@
"T1059.001",
"TA0005",
"T1027.005",
"T1027",
"T1059"
"T1059",
"T1027"
],
"title": "HackTool - CrackMapExec PowerShell Obfuscation"
},
@@ -21443,8 +21491,8 @@
"TA0005",
"T1219.002",
"T1036.003",
"T1219",
"T1036"
"T1036",
"T1219"
],
"title": "Remote Access Tool - Renamed MeshAgent Execution - Windows"
},
@@ -24375,8 +24423,8 @@
"T1070.001",
"T1562.002",
"car.2016-04-002",
"T1562",
"T1070"
"T1070",
"T1562"
],
"title": "Suspicious Eventlog Clearing or Configuration Change Activity"
},
@@ -24581,8 +24629,8 @@
"T1203",
"T1059.003",
"attack.g0032",
"T1059",
"T1566"
"T1566",
"T1059"
],
"title": "Suspicious HWP Sub Processes"
},
@@ -26173,8 +26221,8 @@
"T1053.005",
"T1027",
"detection.emerging-threats",
"T1059",
"T1053"
"T1053",
"T1059"
],
"title": "Turla Group Commands May 2020"
},
@@ -28268,8 +28316,8 @@
"T1059.001",
"T1218.005",
"detection.emerging-threats",
"T1218",
"T1059"
"T1059",
"T1218"
],
"title": "Potential Baby Shark Malware Activity"
},
@@ -28364,8 +28412,8 @@
"T1003.001",
"T1560.001",
"detection.emerging-threats",
"T1003",
"T1560"
"T1560",
"T1003"
],
"title": "APT31 Judgement Panda Activity"
},
@@ -28389,8 +28437,8 @@
"T1552.001",
"T1003.003",
"detection.emerging-threats",
"T1003",
"T1552"
"T1552",
"T1003"
],
"title": "Potential Russian APT Credential Theft Activity"
},
@@ -28501,9 +28549,9 @@
"T1053.005",
"T1059.001",
"detection.emerging-threats",
"T1036",
"T1059",
"T1053",
"T1059"
"T1036"
],
"title": "Operation Wocao Activity - Security"
},
@@ -28530,8 +28578,8 @@
"T1566.001",
"cve.2017-0261",
"detection.emerging-threats",
"T1566",
"T1204"
"T1204",
"T1566"
],
"title": "Exploit for CVE-2017-0261"
},
@@ -28558,8 +28606,8 @@
"T1566.001",
"cve.2017-11882",
"detection.emerging-threats",
"T1204",
"T1566"
"T1566",
"T1204"
],
"title": "Droppers Exploiting CVE-2017-11882"
},
@@ -28613,8 +28661,8 @@
"T1543.003",
"T1569.002",
"detection.emerging-threats",
"T1543",
"T1569"
"T1569",
"T1543"
],
"title": "CosmicDuke Service Installation"
},
@@ -28694,9 +28742,9 @@
"T1003.001",
"car.2016-04-002",
"detection.emerging-threats",
"T1070",
"T1218",
"T1003",
"T1070"
"T1003"
],
"title": "NotPetya Ransomware Activity"
},
@@ -29117,8 +29165,8 @@
"T1053.005",
"T1059.006",
"detection.emerging-threats",
"T1059",
"T1053"
"T1053",
"T1059"
],
"title": "Serpent Backdoor Payload Execution Via Scheduled Task"
},
@@ -29998,8 +30046,8 @@
"T1218.011",
"car.2013-10-002",
"detection.emerging-threats",
"T1218",
"T1059"
"T1059",
"T1218"
],
"title": "Sofacy Trojan Loader Activity"
},
@@ -30077,9 +30125,9 @@
"TA0011",
"T1071.004",
"detection.emerging-threats",
"T1071",
"T1053",
"T1543",
"T1071"
"T1543"
],
"title": "OilRig APT Activity"
},
@@ -30112,9 +30160,9 @@
"TA0011",
"T1071.004",
"detection.emerging-threats",
"T1543",
"T1071",
"T1053",
"T1543"
"T1053"
],
"title": "OilRig APT Schedule Task Persistence - Security"
},
@@ -30146,9 +30194,9 @@
"TA0011",
"T1071.004",
"detection.emerging-threats",
"T1053",
"T1543",
"T1071",
"T1053"
"T1071"
],
"title": "OilRig APT Registry Persistence"
},
@@ -30178,9 +30226,9 @@
"TA0011",
"T1071.004",
"detection.emerging-threats",
"T1053",
"T1543",
"T1071"
"T1071",
"T1053"
],
"title": "OilRig APT Schedule Task Persistence - System"
},
@@ -31343,8 +31391,8 @@
"TA0004",
"T1548.002",
"T1546.001",
"T1546",
"T1548"
"T1548",
"T1546"
],
"title": "Shell Open Registry Keys Manipulation"
},
@@ -31867,8 +31915,8 @@
"T1204.004",
"TA0005",
"T1027.010",
"T1204",
"T1027"
"T1027",
"T1204"
],
"title": "Suspicious Space Characters in RunMRU Registry Path - ClickFix"
},
@@ -33177,8 +33225,8 @@
"TA0003",
"T1548.002",
"T1546.001",
"T1546",
"T1548"
"T1548",
"T1546"
],
"title": "Suspicious Shell Open Command Registry Modification"
},
@@ -34160,8 +34208,8 @@
"T1021.002",
"T1543.003",
"T1569.002",
"T1021",
"T1569",
"T1021",
"T1543"
],
"title": "Potential CobaltStrike Service Installations - Registry"
@@ -35358,8 +35406,8 @@
"TA0003",
"T1547.001",
"T1546.009",
"T1547",
"T1546"
"T1546",
"T1547"
],
"title": "Session Manager Autorun Keys Modification"
},
@@ -36895,8 +36943,8 @@
"T1558.003",
"TA0008",
"T1550.003",
"T1550",
"T1558"
"T1558",
"T1550"
],
"title": "HackTool - Rubeus Execution - ScriptBlock"
},
@@ -39664,8 +39712,8 @@
"T1059.001",
"TA0008",
"T1021.006",
"T1059",
"T1021"
"T1021",
"T1059"
],
"title": "Remote PowerShell Session (PS Classic)"
},
@@ -39726,8 +39774,8 @@
"TA0005",
"T1059.001",
"T1036.003",
"T1059",
"T1036"
"T1036",
"T1059"
],
"title": "Renamed Powershell Under Powershell Channel"
},
@@ -40356,8 +40404,8 @@
"T1059.001",
"TA0008",
"T1021.006",
"T1059",
"T1021"
"T1021",
"T1059"
],
"title": "Remote PowerShell Session (PS Module)"
},
@@ -41339,8 +41387,8 @@
"T1059.005",
"T1059.006",
"T1059.007",
"T1059",
"T1204"
"T1204",
"T1059"
],
"title": "AppLocker Prevented Application or Script from Running"
},
@@ -42576,8 +42624,8 @@
"TA0004",
"T1543.003",
"T1569.002",
"T1543",
"T1569"
"T1569",
"T1543"
],
"title": "ProcessHacker Privilege Elevation"
},
@@ -42809,9 +42857,9 @@
"T1021.002",
"T1543.003",
"T1569.002",
"T1569",
"T1021",
"T1543",
"T1569"
"T1543"
],
"title": "CobaltStrike Service Installations - System"
},
@@ -42990,8 +43038,8 @@
"TA0002",
"T1021.002",
"T1569.002",
"T1021",
"T1569"
"T1569",
"T1021"
],
"title": "smbexec.py Service Installation"
},
@@ -43201,8 +43249,8 @@
"TA0004",
"T1543.003",
"T1569.002",
"T1543",
"T1569"
"T1569",
"T1543"
],
"title": "Sliver C2 Default Service Installation"
},
@@ -43863,8 +43911,8 @@
"TA0002",
"T1204.002",
"T1553.005",
"T1204",
"T1553"
"T1553",
"T1204"
],
"title": "Windows AppX Deployment Full Trust Package Installation"
},
@@ -43886,8 +43934,8 @@
"TA0002",
"T1204.002",
"T1553.005",
"T1553",
"T1204"
"T1204",
"T1553"
],
"title": "Windows AppX Deployment Unsigned Package Installation"
},
@@ -44793,8 +44841,8 @@
"T1071.004",
"TA0002",
"T1059.003",
"T1059",
"T1071"
"T1071",
"T1059"
],
"title": "Network Connection Initiated via Finger.EXE"
},
@@ -45045,8 +45093,8 @@
"TA0001",
"TA0043",
"detection.threat-hunting",
"T1566",
"T1598"
"T1598",
"T1566"
],
"title": "HTML File Opened From Download Folder"
},
@@ -45431,8 +45479,8 @@
"T1059.001",
"T1027.010",
"detection.threat-hunting",
"T1027",
"T1059"
"T1059",
"T1027"
],
"title": "Invocation Of Crypto-Classes From The \"Cryptography\" PowerShell Namespace"
},
@@ -45759,9 +45807,9 @@
"T1021.002",
"attack.s0039",
"detection.threat-hunting",
"T1087",
"T1069",
"T1021"
"T1021",
"T1087"
],
"title": "Net.EXE Execution"
},
@@ -46335,8 +46383,8 @@
"T1027.010",
"T1547.001",
"detection.threat-hunting",
"T1059",
"T1547",
"T1059",
"T1027"
],
"title": "Registry Set With Crypto-Classes From The \"Cryptography\" PowerShell Namespace"
@@ -47021,8 +47069,8 @@
"T1087.002",
"T1069.002",
"attack.s0039",
"T1087",
"T1069"
"T1069",
"T1087"
],
"title": "Reconnaissance Activity"
},
@@ -47340,8 +47388,8 @@
"T1003.006",
"T1569.002",
"attack.s0005",
"T1003",
"T1569"
"T1569",
"T1003"
],
"title": "Credential Dumping Tools Service Execution - Security"
},
@@ -48007,8 +48055,8 @@
"T1090.002",
"T1021.001",
"car.2013-07-002",
"T1090",
"T1021"
"T1021",
"T1090"
],
"title": "RDP over Reverse SSH Tunnel WFP"
},
@@ -48429,8 +48477,8 @@
"T1570",
"TA0002",
"T1569.002",
"T1021",
"T1569"
"T1569",
"T1021"
],
"title": "Metasploit Or Impacket Service Installation Via SMB PsExec"
},
@@ -49373,9 +49421,9 @@
"T1021.002",
"T1543.003",
"T1569.002",
"T1569",
"T1021",
"T1543",
"T1569"
"T1543"
],
"title": "CobaltStrike Service Installations - Security"
},
@@ -49800,9 +49848,9 @@
"T1485",
"T1553.002",
"attack.s0195",
"T1070",
"T1553",
"T1027",
"T1553"
"T1070"
],
"title": "Potential Secure Deletion with SDelete"
},
@@ -50623,8 +50671,8 @@
"T1218.010",
"TA0002",
"TA0005",
"T1218",
"T1204"
"T1204",
"T1218"
],
"title": "Excel Proxy Executing Regsvr32 With Payload"
},
@@ -50714,8 +50762,8 @@
"T1218.010",
"TA0002",
"TA0005",
"T1204",
"T1218"
"T1218",
"T1204"
],
"title": "New Lolbin Process by Office Applications"
},
@@ -54980,8 +55028,8 @@
"TA0008",
"T1563.002",
"T1021.001",
"T1021",
"T1563"
"T1563",
"T1021"
],
"title": "Possible RDP Hijacking"
},
@@ -55227,9 +55275,9 @@
"T1570",
"T1021.002",
"T1569.002",
"T1543",
"T1136",
"T1569",
"T1543",
"T1021"
],
"title": "PSExec Lateral Movement"