From 664745014a1b5d5293541a6e2325eaceb5f86a39 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com>
Date: Tue, 27 May 2025 20:15:32 +0000
Subject: [PATCH] Sigma Rule Update (2025-05-27 20:15:26) (#71)

Co-authored-by: YamatoSecurity
---
 config/security_rules.json | 34 ++++++++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)

diff --git a/config/security_rules.json b/config/security_rules.json
index 71ec6a16..e26a1231 100644
--- a/config/security_rules.json
+++ b/config/security_rules.json
@@ -6602,6 +6602,23 @@
 ],
 "title": "Program Executed Using Proxy/Local Command Via SSH.EXE"
 },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects the use of reg.exe to export registry paths associated with third-party credentials.\nCredential stealers have been known to use this technique to extract sensitive information from the registry.\n",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "c870786e-ac3c-7be8-93ba-79705472c787",
+ "level": "high",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "title": "Registry Export of Third-Party Credentials"
+ },
 {
 "category": "process_creation",
 "channel": [
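Review bot: The two rule entries this patch adds disagree on `service` for the same `"sec"` channel: the reg.exe export entry in this hunk carries `"service": ""`, while the AS-REP roasting entry in the second hunk carries `"service": "security"`. If `service` is meant to name the Windows log the event is read from, the empty value here looks like an omission and should probably be `"service": "security"`; if an empty string is the intended default for process_creation entries, that convention should be documented wherever this file's schema or generator lives so the two entries are not read as inconsistent. Matching reg.exe's export arguments through event 4688 also presumably depends on process command-line auditing being enabled on the monitored host, which the description could state so operators know the rule is silent without it. The enclosing rules array starts and ends outside the hunk.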
@@ -27421,6 +27438,23 @@
 ],
 "title": "NetNTLM Downgrade Attack"
 },
+ {
+ "category": "",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects suspicious Kerberos TGT requests with pre-authentication disabled (Pre-Authentication Type = 0) and Ticket Encryption Type (0x17) i.e, RC4-HMAC.\nThis may indicate an AS-REP Roasting attack, where attackers request AS-REP messages for accounts without pre-authentication and attempt to crack the encrypted ticket offline to recover user passwords.\n",
+ "event_ids": [
+ "4768"
+ ],
+ "id": "15481d86-14a7-85e7-b1a2-ff2eab19060e",
+ "level": "medium",
+ "service": "security",
+ "subcategory_guids": [
+ "0CCE9242-69AE-11D9-BED3-505054503030"
+ ],
+ "title": "Potential AS-REP Roasting via Kerberos TGT Requests"
+ },
 {
 "category": "",
 "channel": [
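Review bot: The `description` string of the new AS-REP roasting entry has a punctuation slip that analysts will see verbatim: `i.e,` should be `i.e.,`, so the fragment would read `Ticket Encryption Type (0x17) i.e., RC4-HMAC.`. Since accounts with pre-authentication deliberately disabled generate the same 4768 fields during normal logons, the description could also say that the rule needs a baseline of such accounts to separate expected activity from roasting attempts, which would support the `"level": "medium"` chosen here. The enclosing rules array starts and ends outside the hunk.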