From 931bd24ebd748943d1333d4b1c1dea522d89ab5c Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com>
Date: Fri, 4 Jul 2025 20:15:05 +0000
Subject: [PATCH] Sigma Rule Update (2025-07-04 20:14:59) (#86)

Co-authored-by: YamatoSecurity
---
 config/security_rules.json | 51 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 51 insertions(+)

diff --git a/config/security_rules.json b/config/security_rules.json
index 7a775cfa..aaf902e1 100644
--- a/config/security_rules.json
+++ b/config/security_rules.json
@@ -586,6 +586,23 @@
 ],
 "title": "Driver/DLL Installation Via Odbcconf.EXE"
 },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects the invocation of vshadow.exe with the -exec parameter that executes a specified script or command after the shadow copies are created but before the VShadow tool exits.\nVShadow is a command-line tool that you can use to create and manage volume shadow copies. While legitimate backup or administrative scripts may use this flag,\nattackers can leverage this parameter to proxy the execution of malware.\n",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "b31f0683-91b2-ad1b-a771-24124f22e83e",
+ "level": "medium",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "title": "Proxy Execution via Vshadow"
+ },
 {
 "category": "process_creation",
 "channel": [
@@ -11449,6 +11466,23 @@
 ],
 "title": "Computer Discovery And Export Via Get-ADComputer Cmdlet"
 },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects the execution of the Doppelanger hacktool which is used to dump LSASS memory via process cloning while evading common detection methods",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "06624157-0db4-9e8c-200f-fcfe2788d3e4",
+ "level": "high",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "title": "HackTool - Doppelanger LSASS Dumper Execution"
+ },
 {
 "category": "process_creation",
 "channel": [
@@ -13506,6 +13540,23 @@
 ],
 "title": "Start of NT Virtual DOS Machine"
 },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects usage of HollowReaper, a process hollowing shellcode launcher used for stealth payload execution through process hollowing.\nIt replaces the memory of a legitimate process with custom shellcode, allowing the attacker to execute payloads under the guise of trusted binaries.\n",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "4620f95a-0964-646b-6b21-78a838f03ac3",
+ "level": "high",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "title": "HackTool - HollowReaper Execution"
+ },
 {
 "category": "process_creation",
 "channel": [