From 8d7cfe0d323f3cf57a58dea6dd0a9296efa13782 Mon Sep 17 00:00:00 2001
From: YamatoSecurity
Date: Thu, 25 Dec 2025 20:16:13 +0000
Subject: [PATCH] Sigma Rule Update (2025-12-25 20:16:12)

---
 config/security_rules.json | 294 ++++++++++++++++++-------------------
 1 file changed, 147 insertions(+), 147 deletions(-)

diff --git a/config/security_rules.json b/config/security_rules.json
index f61c5169..4a51a5c1 100644
--- a/config/security_rules.json
+++ b/config/security_rules.json
@@ -4,7 +4,7 @@
 "channel": [
 "Microsoft-Windows-AppModel-Runtime/Admin"
 ],
- "description": "Detects execution of Sysinternals tools via an AppX package. Attackers could install the Sysinternals Suite to get access to tools such as psexec and procdump to avoid detection based on System paths",
+ "description": "Detects execution of Sysinternals tools via an AppX package.\nAttackers could install the Sysinternals Suite to get access to tools such as psexec and procdump to avoid detection based on System paths.\n",
 "event_ids": [
 "201"
 ],
@@ -287,8 +287,8 @@
 "TA0005",
 "T1059.001",
 "T1036.003",
- "T1059",
- "T1036"
+ "T1036",
+ "T1059"
 ],
 "title": "Renamed Powershell Under Powershell Channel"
 },
@@ -1503,8 +1503,8 @@
 "T1552.001",
 "T1555",
 "T1555.003",
- "T1552",
- "T1548"
+ "T1548",
+ "T1552"
 ],
 "title": "HackTool - WinPwn Execution - ScriptBlock"
 },
@@ -2661,8 +2661,8 @@
 "T1564.004",
 "TA0002",
 "T1059.001",
- "T1059",
- "T1564"
+ "T1564",
+ "T1059"
 ],
 "title": "NTFS Alternate Data Stream"
 },
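Review bot: The new `description` value in the hunk at line 4 ends with a literal `\n` (`...based on System paths.\n`), and the same trailing newline appears in the new descriptions at lines 4843, 30004, 43746, 43803 and 43814, while the one at 43728 ends with a bare period. That looks like the terminator of a YAML block scalar in the upstream Sigma rule being copied through verbatim; in a JSON field it only adds an empty line wherever the text is rendered and makes the field inconsistent from rule to rule. Stripping trailing whitespace from the description when this file is generated (the equivalent of `description.rstrip()`) would give every rule the same shape without changing any wording.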
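Review bot: The hunks at lines 287, 1503 and 2661, like most of the remaining hunks in this patch through line 54171, only swap the order of the last two or three entries of a rule's `tags` array; the set of tags is unchanged, so the rewrite carries no information for a consumer that treats tags as a set, yet it accounts for almost all of the 147 insertions and 147 deletions in the diffstat. Presumably the generator collects tags into an unordered container before serialising, so the emitted order depends on run-to-run hash state rather than on the rule. Sorting the tag list before it is written (the equivalent of `"tags": sorted(set(tags))`) would make the output reproducible and leave future updates showing only real rule changes such as the description and title edits in this commit. The SeCEdit rule at line 21590 and the BloodHound rule at 26420 show the same churn with three or more entries moving.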
@@ -4843,7 +4843,7 @@
 "Microsoft-Windows-AppLocker/Packaged app-Deployment",
 "Microsoft-Windows-AppLocker/Packaged app-Execution"
 ],
- "description": "Detect run not allowed files. Applocker is a very useful tool, especially on servers where unprivileged users have access. For example terminal servers. You need configure applocker and log collect to receive these events.",
+ "description": "Detects when AppLocker prevents the execution of an Application, DLL, Script, MSI, or Packaged-App from running.\n",
 "event_ids": [
 "8004",
 "8007",
@@ -4865,7 +4865,7 @@
 "T1204",
 "T1059"
 ],
- "title": "File Was Not Allowed To Run"
+ "title": "AppLocker Prevented Application or Script from Running"
 },
 {
 "category": "",
@@ -5015,8 +5015,8 @@
 "T1615",
 "T1569.002",
 "T1574.005",
- "T1574",
- "T1569"
+ "T1569",
+ "T1574"
 ],
 "title": "HackTool - SharpUp PrivEsc Tool Execution"
 },
@@ -5556,8 +5556,8 @@
 "TA0002",
 "T1059.001",
 "T1059",
- "T1218",
- "T1027"
+ "T1027",
+ "T1218"
 ],
 "title": "Obfuscated PowerShell MSI Install via WindowsInstaller COM"
 },
@@ -6203,8 +6203,8 @@
 "TA0002",
 "T1059.007",
 "cve.2020-1599",
- "T1059",
- "T1218"
+ "T1218",
+ "T1059"
 ],
 "title": "MSHTA Execution with Suspicious File Extensions"
 },
@@ -6538,8 +6538,8 @@
 "T1563.002",
 "T1021.001",
 "car.2013-07-002",
- "T1563",
- "T1021"
+ "T1021",
+ "T1563"
 ],
 "title": "Suspicious RDP Redirect Using TSCON"
 },
@@ -7487,8 +7487,8 @@
 "TA0003",
 "T1053.005",
 "T1059.001",
- "T1059",
- "T1053"
+ "T1053",
+ "T1059"
 ],
 "title": "Scheduled Task Executing Encoded Payload from Registry"
 },
@@ -7858,8 +7858,8 @@
 "TA0005",
 "T1036.004",
 "T1036.005",
- "T1036",
- "T1053"
+ "T1053",
+ "T1036"
 ],
 "title": "Scheduled Task Creation Masquerading as System Processes"
 },
@@ -8560,8 +8560,8 @@
 "TA0003",
 "T1053.005",
 "T1059.001",
- "T1059",
- "T1053"
+ "T1053",
+ "T1059"
 ],
 "title": "Suspicious Schtasks Execution AppData Folder"
 },
@@ -9418,8 +9418,8 @@
 "T1564.004",
 "T1552.001",
 "T1105",
- "T1564",
- "T1552"
+ "T1552",
+ "T1564"
 ],
 "title": "Remote File Download Via Findstr.EXE"
 },
@@ -10830,8 +10830,8 @@
 "TA0005",
 "T1548.002",
 "T1218.003",
- "T1218",
- "T1548"
+ "T1548",
+ "T1218"
 ],
 "title": "Bypass UAC via CMSTP"
 },
@@ -11243,8 +11243,8 @@
 "T1071.004",
 "T1132.001",
 "T1071",
- "T1132",
- "T1048"
+ "T1048",
+ "T1132"
 ],
 "title": "DNS Exfiltration and Tunneling Tools Execution"
 },
@@ -11790,8 +11790,8 @@
 "T1047",
 "T1204.002",
 "T1218.010",
- "T1218",
- "T1204"
+ "T1204",
+ "T1218"
 ],
 "title": "Suspicious WmiPrvSE Child Process"
 },
@@ -11860,8 +11860,8 @@
 "TA0002",
 "T1059.001",
 "T1562.001",
- "T1562",
- "T1059"
+ "T1059",
+ "T1562"
 ],
 "title": "Obfuscated PowerShell OneLiner Execution"
 },
@@ -13393,8 +13393,8 @@
 "T1087.002",
 "T1482",
 "T1069.002",
- "T1069",
- "T1087"
+ "T1087",
+ "T1069"
 ],
 "title": "Renamed AdFind Execution"
 },
@@ -13736,8 +13736,8 @@
 "T1587.001",
 "TA0002",
 "T1569.002",
- "T1587",
- "T1569"
+ "T1569",
+ "T1587"
 ],
 "title": "PUA - CsExec Execution"
 },
@@ -15888,8 +15888,8 @@
 "T1203",
 "T1059.003",
 "attack.g0032",
- "T1059",
- "T1566"
+ "T1566",
+ "T1059"
 ],
 "title": "Suspicious HWP Sub Processes"
 },
@@ -16894,8 +16894,8 @@
 "TA0004",
 "T1055.001",
 "T1218.013",
- "T1055",
- "T1218"
+ "T1218",
+ "T1055"
 ],
 "title": "Mavinject Inject DLL Into Running Process"
 },
@@ -18386,8 +18386,8 @@
 "TA0003",
 "T1543.003",
 "T1574.011",
- "T1543",
- "T1574"
+ "T1574",
+ "T1543"
 ],
 "title": "Potential Persistence Attempt Via Existing Service Tampering"
 },
@@ -21033,8 +21033,8 @@
 "TA0005",
 "T1218.014",
 "T1036.002",
- "T1204",
 "T1218",
+ "T1204",
 "T1036"
 ],
 "title": "MMC Executing Files with Reversed Extensions Using RTLO Abuse"
@@ -21590,12 +21590,12 @@
 "T1547.002",
 "T1557",
 "T1082",
- "T1564",
+ "T1556",
+ "T1574",
+ "T1505",
 "T1547",
 "T1546",
- "T1505",
- "T1556",
- "T1574"
+ "T1564"
 ],
 "title": "Potential Suspicious Activity Using SeCEdit"
 },
@@ -22426,8 +22426,8 @@
 "TA0008",
 "T1059.001",
 "T1021.006",
- "T1021",
- "T1059"
+ "T1059",
+ "T1021"
 ],
 "title": "Remote PowerShell Session Host Process (WinRM)"
 },
@@ -23103,8 +23103,8 @@
 "T1059.003",
 "TA0005",
 "T1027.010",
- "T1059",
- "T1027"
+ "T1027",
+ "T1059"
 ],
 "title": "Suspicious Usage of For Loop with Recursive Directory Search in CMD"
 },
@@ -24409,8 +24409,8 @@
 "TA0003",
 "T1053.005",
 "T1059.001",
- "T1059",
- "T1053"
+ "T1053",
+ "T1059"
 ],
 "title": "Scheduled Task Executing Payload from Registry"
 },
@@ -26420,9 +26420,9 @@
 "T1069.002",
 "TA0002",
 "T1059.001",
+ "T1069",
 "T1059",
- "T1087",
- "T1069"
+ "T1087"
 ],
 "title": "HackTool - Bloodhound/Sharphound Execution"
 },
@@ -27509,8 +27509,8 @@
 "T1106",
 "T1059.003",
 "T1218.011",
- "T1059",
- "T1218"
+ "T1218",
+ "T1059"
 ],
 "title": "HackTool - RedMimicry Winnti Playbook Execution"
 },
@@ -27901,8 +27901,8 @@
 "T1558.003",
 "TA0008",
 "T1550.003",
- "T1558",
- "T1550"
+ "T1550",
+ "T1558"
 ],
 "title": "HackTool - Rubeus Execution"
 },
@@ -29019,8 +29019,8 @@
 "TA0004",
 "T1036.003",
 "T1053.005",
- "T1036",
- "T1053"
+ "T1053",
+ "T1036"
 ],
 "title": "Renamed Schtasks Execution"
 },
@@ -30004,7 +30004,7 @@
 "channel": [
 "Application"
 ],
- "description": "Detects Windows error reporting event where the process that crashed is lsass. This could be the cause of an intentional crash by techniques such as Lsass-Shtinkering to dump credential",
+ "description": "Detects Windows error reporting events where the process that crashed is LSASS (Local Security Authority Subsystem Service).\nThis could be the cause of a provoked crash by techniques such as Lsass-Shtinkering to dump credentials.\n",
 "event_ids": [
 "1000"
 ],
@@ -30017,7 +30017,7 @@
 "T1003.001",
 "T1003"
 ],
- "title": "Potential Credential Dumping Via WER - Application"
+ "title": "LSASS Process Crashed - Application"
 },
 {
 "category": "",
@@ -31830,8 +31830,8 @@
 "TA0001",
 "TA0043",
 "detection.threat-hunting",
- "T1598",
- "T1566"
+ "T1566",
+ "T1598"
 ],
 "title": "HTML File Opened From Download Folder"
 },
@@ -31865,9 +31865,9 @@
 "T1021.002",
 "attack.s0039",
 "detection.threat-hunting",
+ "T1021",
 "T1087",
- "T1069",
- "T1021"
+ "T1069"
 ],
 "title": "Net.EXE Execution"
 },
@@ -32648,8 +32648,8 @@
 "T1547.001",
 "detection.threat-hunting",
 "T1027",
- "T1059",
- "T1547"
+ "T1547",
+ "T1059"
 ],
 "title": "Registry Set With Crypto-Classes From The \"Cryptography\" PowerShell Namespace"
 },
@@ -33154,8 +33154,8 @@
 "TA0004",
 "T1548.002",
 "T1546.001",
- "T1548",
- "T1546"
+ "T1546",
+ "T1548"
 ],
 "title": "Shell Open Registry Keys Manipulation"
 },
@@ -34180,8 +34180,8 @@
 "T1204.004",
 "TA0005",
 "T1027.010",
- "T1204",
- "T1027"
+ "T1027",
+ "T1204"
 ],
 "title": "Suspicious Space Characters in RunMRU Registry Path - ClickFix"
 },
@@ -36009,8 +36009,8 @@
 "T1204.004",
 "TA0005",
 "T1027.010",
- "T1027",
- "T1204"
+ "T1204",
+ "T1027"
 ],
 "title": "Suspicious Space Characters in TypedPaths Registry Path - FileFix"
 },
@@ -37145,8 +37145,8 @@
 "T1543.003",
 "T1569.002",
 "T1543",
- "T1569",
- "T1021"
+ "T1021",
+ "T1569"
 ],
 "title": "Potential CobaltStrike Service Installations - Registry"
 },
@@ -38542,8 +38542,8 @@
 "T1566.001",
 "cve.2017-0261",
 "detection.emerging-threats",
- "T1566",
- "T1204"
+ "T1204",
+ "T1566"
 ],
 "title": "Exploit for CVE-2017-0261"
 },
@@ -38925,9 +38925,9 @@
 "TA0011",
 "T1071.004",
 "detection.emerging-threats",
+ "T1053",
 "T1543",
- "T1071",
- "T1053"
+ "T1071"
 ],
 "title": "OilRig APT Schedule Task Persistence - Security"
 },
@@ -38959,9 +38959,9 @@
 "TA0011",
 "T1071.004",
 "detection.emerging-threats",
- "T1071",
+ "T1543",
 "T1053",
- "T1543"
+ "T1071"
 ],
 "title": "OilRig APT Registry Persistence"
 },
@@ -38994,8 +38994,8 @@
 "T1071.004",
 "detection.emerging-threats",
 "T1071",
- "T1543",
- "T1053"
+ "T1053",
+ "T1543"
 ],
 "title": "OilRig APT Activity"
 },
@@ -39025,8 +39025,8 @@
 "TA0011",
 "T1071.004",
 "detection.emerging-threats",
- "T1053",
 "T1543",
+ "T1053",
 "T1071"
 ],
 "title": "OilRig APT Schedule Task Persistence - System"
@@ -39153,8 +39153,8 @@
 "T1218.011",
 "car.2013-10-002",
 "detection.emerging-threats",
- "T1218",
- "T1059"
+ "T1059",
+ "T1218"
 ],
 "title": "Sofacy Trojan Loader Activity"
 },
@@ -39667,8 +39667,8 @@
 "TA0005",
 "T1036.005",
 "detection.emerging-threats",
- "T1036",
- "T1059"
+ "T1059",
+ "T1036"
 ],
 "title": "Greenbug Espionage Group Indicators"
 },
@@ -41619,8 +41619,8 @@
 "T1003.001",
 "T1560.001",
 "detection.emerging-threats",
- "T1003",
- "T1560"
+ "T1560",
+ "T1003"
 ],
 "title": "APT31 Judgement Panda Activity"
 },
@@ -41651,9 +41651,9 @@
 "T1053.005",
 "T1059.001",
 "detection.emerging-threats",
+ "T1059",
 "T1053",
- "T1036",
- "T1059"
+ "T1036"
 ],
 "title": "Operation Wocao Activity"
 },
@@ -41684,8 +41684,8 @@
 "T1053.005",
 "T1059.001",
 "detection.emerging-threats",
- "T1059",
 "T1036",
+ "T1059",
 "T1053"
 ],
 "title": "Operation Wocao Activity - Security"
@@ -42044,8 +42044,8 @@
 "T1059.001",
 "attack.s0183",
 "detection.emerging-threats",
- "T1059",
- "T1071"
+ "T1071",
+ "T1059"
 ],
 "title": "Kalambur Backdoor Curl TOR SOCKS Proxy Execution"
 },
@@ -43728,7 +43728,7 @@
 "channel": [
 "Microsoft-Windows-AppXDeploymentServer/Operational"
 ],
- "description": "Detects an appx package deployment that was blocked by AppLocker policy",
+ "description": "Detects an appx package deployment that was blocked by AppLocker policy.",
 "event_ids": [
 "412"
 ],
@@ -43746,7 +43746,25 @@
 "channel": [
 "Microsoft-Windows-AppXDeploymentServer/Operational"
 ],
- "description": "Detects an appx package installation with the error code \"0x80073cff\" which indicates that the package didn't meet the signing requirements and could be suspicious",
+ "description": "Detects an appx package that was added to the pipeline of the \"to be processed\" packages that is located in a known folder often used as a staging directory.\n",
+ "event_ids": [
+ "854"
+ ],
+ "id": "5bb0ef8b-3b9d-8a3c-30c2-0a787e54184a",
+ "level": "high",
+ "service": "appxdeployment-server",
+ "subcategory_guids": [],
+ "tags": [
+ "TA0005"
+ ],
+ "title": "AppX Located in Known Staging Directory Added to Deployment Pipeline"
+ },
+ {
+ "category": "",
+ "channel": [
+ "Microsoft-Windows-AppXDeploymentServer/Operational"
+ ],
+ "description": "Detects an appx package deployment / installation with the error code \"0x80073cff\" which indicates that the package didn't meet the signing requirements.\n",
 "event_ids": [
 "401"
 ],
@@ -43757,32 +43775,14 @@
 "tags": [
 "TA0005"
 ],
- "title": "Suspicious AppX Package Installation Attempt"
+ "title": "AppX Package Deployment Failed Due to Signing Requirements"
 },
 {
 "category": "",
 "channel": [
 "Microsoft-Windows-AppXDeploymentServer/Operational"
 ],
- "description": "Detects an appx package added to the pipeline of the \"to be processed\" packages which was downloaded from a suspicious domain.\n",
- "event_ids": [
- "854"
- ],
- "id": "7de9c1d0-7b8e-8196-8137-8dcc13c6e960",
- "level": "high",
- "service": "appxdeployment-server",
- "subcategory_guids": [],
- "tags": [
- "TA0005"
- ],
- "title": "Suspicious Remote AppX Package Locations"
- },
- {
- "category": "",
- "channel": [
- "Microsoft-Windows-AppXDeploymentServer/Operational"
- ],
- "description": "Detects an appx package deployment that was blocked by the local computer policy",
+ "description": "Detects an appx package deployment that was blocked by the local computer policy.\nThe following events indicate that an AppX package deployment was blocked by a policy:\n- Event ID 441: The package deployment operation is blocked by the \"Allow deployment operations in special profiles\" policy\n- Event ID 442: Deployments to non-system volumes are blocked by the \"Disable deployment of Windows Store apps to non-system volumes\" policy.\"\n- Event ID 453: Package blocked by a platform policy.\n- Event ID 454: Package blocked by a platform policy.\n",
 "event_ids": [
 "441",
 "442",
@@ -43803,7 +43803,7 @@
 "channel": [
 "Microsoft-Windows-AppXDeploymentServer/Operational"
 ],
- "description": "Detects an appx package added the pipeline of the \"to be processed\" packages which is located in uncommon locations",
+ "description": "Detects an appx package that was added to the pipeline of the \"to be processed\" packages that is located in uncommon locations.\n",
 "event_ids": [
 "854"
 ],
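Review bot: The new `description` for the local-policy block rule has an unbalanced quote: the Event ID 442 bullet reads `... non-system volumes\" policy.\"\n- Event ID 453`, so a stray `"` follows `policy.` that the 441 bullet does not have. The bullets for Event ID 453 and 454 are also word-for-word identical (`Package blocked by a platform policy.`), so the description does not tell a reader how the two events differ. If the string is copied verbatim from the upstream Sigma rule the correction belongs there as well, but the generated value should read `... non-system volumes\" policy.\n- Event ID 453: ...`.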
@@ -43814,25 +43814,25 @@
 "tags": [
 "TA0005"
 ],
- "title": "Uncommon AppX Package Locations"
+ "title": "AppX Located in Uncommon Directory Added to Deployment Pipeline"
 },
 {
 "category": "",
 "channel": [
 "Microsoft-Windows-AppXDeploymentServer/Operational"
 ],
- "description": "Detects an appx package added the pipeline of the \"to be processed\" packages which is located in suspicious locations",
+ "description": "Detects an appx package that was added to the pipeline of the \"to be processed\" packages which was downloaded from a file sharing or CDN domain.\n",
 "event_ids": [
 "854"
 ],
- "id": "5bb0ef8b-3b9d-8a3c-30c2-0a787e54184a",
+ "id": "7de9c1d0-7b8e-8196-8137-8dcc13c6e960",
 "level": "high",
 "service": "appxdeployment-server",
 "subcategory_guids": [],
 "tags": [
 "TA0005"
 ],
- "title": "Suspicious AppX Package Locations"
+ "title": "Remote AppX Package Downloaded from File Sharing or CDN Domain"
 },
 {
 "category": "",
@@ -45855,8 +45855,8 @@
 "T1570",
 "TA0002",
 "T1569.002",
- "T1021",
- "T1569"
+ "T1569",
+ "T1021"
 ],
 "title": "Metasploit Or Impacket Service Installation Via SMB PsExec"
 },
@@ -47011,9 +47011,9 @@
 "T1485",
 "T1553.002",
 "attack.s0195",
- "T1027",
+ "T1070",
 "T1553",
- "T1070"
+ "T1027"
 ],
 "title": "Potential Secure Deletion with SDelete"
 },
@@ -47507,8 +47507,8 @@
 "T1564.004",
 "T1552.001",
 "T1105",
- "T1552",
- "T1564"
+ "T1564",
+ "T1552"
 ],
 "title": "Abusing Findstr for Defense Evasion"
 },
@@ -48555,8 +48555,8 @@
 "T1218.010",
 "TA0002",
 "TA0005",
- "T1204",
- "T1218"
+ "T1218",
+ "T1204"
 ],
 "title": "WMI Execution Via Office Process"
 },
@@ -50235,8 +50235,8 @@
 "TA0004",
 "T1543.003",
 "T1569.002",
- "T1543",
- "T1569"
+ "T1569",
+ "T1543"
 ],
 "title": "Sliver C2 Default Service Installation"
 },
@@ -50805,9 +50805,9 @@
 "T1021.002",
 "T1543.003",
 "T1569.002",
+ "T1569",
 "T1021",
- "T1543",
- "T1569"
+ "T1543"
 ],
 "title": "CobaltStrike Service Installations - System"
 },
@@ -50892,8 +50892,8 @@
 "TA0004",
 "T1543.003",
 "T1569.002",
- "T1543",
- "T1569"
+ "T1569",
+ "T1543"
 ],
 "title": "ProcessHacker Privilege Elevation"
 },
@@ -50976,8 +50976,8 @@
 "TA0002",
 "T1021.002",
 "T1569.002",
- "T1569",
- "T1021"
+ "T1021",
+ "T1569"
 ],
 "title": "smbexec.py Service Installation"
 },
@@ -51782,8 +51782,8 @@
 "car.2013-09-005",
 "T1543.003",
 "T1569.002",
- "T1569",
- "T1543"
+ "T1543",
+ "T1569"
 ],
 "title": "Malicious Service Installations"
 },
@@ -51894,8 +51894,8 @@
 "T1570",
 "TA0002",
 "T1569.002",
- "T1021",
- "T1569"
+ "T1569",
+ "T1021"
 ],
 "title": "Metasploit Or Impacket Service Installation Via SMB PsExec"
 },
@@ -54171,9 +54171,9 @@
 "T1570",
 "T1021.002",
 "T1569.002",
- "T1021",
- "T1569",
 "T1543",
+ "T1569",
+ "T1021",
 "T1136"
 ],
 "title": "PSExec Lateral Movement"