Sigma Rule Update (2025-08-17 20:15:09) (#93)

Co-authored-by: YamatoSecurity <YamatoSecurity@users.noreply.github.com>
2025-12-08 02:02:56 +01:00 · 2025-08-17 20:15:15 +00:00
parent bf52184176
commit 8e24e6aa82
1 changed files with 17 additions and 0 deletions
--- a/config/security_rules.json
+++ b/config/security_rules.json
@@ -33964,6 +33964,23 @@
    ],
    "title": "Potential Exploitation of RCE Vulnerability CVE-2025-33053"
  },
+  {
+    "category": "process_creation",
+    "channel": [
+      "sec"
+    ],
+    "description": "Detects potential exploitation of CVE-2025-53770 by identifying indicators such as suspicious command lines discovered in Post-Exploitation activities.\nCVE-2025-53770 is a zero-day vulnerability in SharePoint that allows remote code execution.\n",
+    "event_ids": [
+      "4688"
+    ],
+    "id": "acecfe24-cf2a-2635-dded-a45c357eea3f",
+    "level": "high",
+    "service": "",
+    "subcategory_guids": [
+      "0CCE922B-69AE-11D9-BED3-505054503030"
+    ],
+    "title": "Potential SharePoint ToolShell CVE-2025-53770 Exploitation Indicators"
+  },
  {
    "category": "process_creation",
    "channel": [