Sigma Rule Update (2025-07-04 20:14:59) (#86)

Co-authored-by: YamatoSecurity <YamatoSecurity@users.noreply.github.com>
This commit is contained in:
github-actions[bot]
2025-07-04 20:15:05 +00:00
committed by GitHub
parent bf02a5544b
commit 931bd24ebd


@@ -586,6 +586,23 @@
],
"title": "Driver/DLL Installation Via Odbcconf.EXE"
},
{
"category": "process_creation",
"channel": [
"sec"
],
"description": "Detects the invocation of vshadow.exe with the -exec parameter that executes a specified script or command after the shadow copies are created but before the VShadow tool exits.\nVShadow is a command-line tool that you can use to create and manage volume shadow copies. While legitimate backup or administrative scripts may use this flag,\nattackers can leverage this parameter to proxy the execution of malware.\n",
"event_ids": [
"4688"
],
"id": "b31f0683-91b2-ad1b-a771-24124f22e83e",
"level": "medium",
"service": "",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Proxy Execution via Vshadow"
},
{
"category": "process_creation",
"channel": [
@@ -11449,6 +11466,23 @@
],
"title": "Computer Discovery And Export Via Get-ADComputer Cmdlet"
},
{
"category": "process_creation",
"channel": [
"sec"
],
"description": "Detects the execution of the Doppelanger hacktool which is used to dump LSASS memory via process cloning while evading common detection methods",
"event_ids": [
"4688"
],
"id": "06624157-0db4-9e8c-200f-fcfe2788d3e4",
"level": "high",
"service": "",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "HackTool - Doppelanger LSASS Dumper Execution"
},
{
"category": "process_creation",
"channel": [
@@ -13506,6 +13540,23 @@
],
"title": "Start of NT Virtual DOS Machine"
},
{
"category": "process_creation",
"channel": [
"sec"
],
"description": "Detects usage of HollowReaper, a process hollowing shellcode launcher used for stealth payload execution through process hollowing.\nIt replaces the memory of a legitimate process with custom shellcode, allowing the attacker to execute payloads under the guise of trusted binaries.\n",
"event_ids": [
"4688"
],
"id": "4620f95a-0964-646b-6b21-78a838f03ac3",
"level": "high",
"service": "",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "HackTool - HollowReaper Execution"
},
{
"category": "process_creation",
"channel": [