From b01c018634817a050f71a8175bc480f80c68b43f Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com>
Date: Fri, 13 Jun 2025 20:15:21 +0000
Subject: [PATCH] Sigma Rule Update (2025-06-13 20:15:14) (#80)

Co-authored-by: YamatoSecurity

---
 config/security_rules.json | 34 ++++++++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)
diff --git a/config/security_rules.json b/config/security_rules.json
index afcbe87d..9f632b57 100644
--- a/config/security_rules.json
+++ b/config/security_rules.json
@@ -5652,6 +5652,23 @@
 ],
 "title": "Suspicious Spool Service Child Process"
 },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects attempts to query system information directly from the Windows Registry.",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "62c2be2f-ba0e-142b-7bf8-cf4b2b8a6bf5",
+ "level": "low",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "title": "System Information Discovery via Registry Queries"
+ },
 {
 "category": "process_creation",
 "channel": [
@@ -17212,6 +17229,23 @@
 ],
 "title": "Verclsid.exe Runs COM Object"
 },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects the execution of SharpSuccessor, a tool used to exploit the BadSuccessor attack for privilege escalation in WinServer 2025 Active Directory environments.\nSuccessful usage of this tool can let the attackers gain the domain admin privileges by exploiting the BadSuccessor vulnerability.\n",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "b0559eb5-33e0-09c4-c9bb-88007b5981ca",
+ "level": "high",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "title": "HKTL - SharpSuccessor Privilege Escalation Tool Execution"
+ },
 {
 "category": "process_creation",
 "channel": [
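Review bot: The new "System Information Discovery via Registry Queries" entry in the first hunk lists only event 4688 and the Audit Process Creation subcategory, but a rule about registry queries presumably matches on the process command line, which a 4688 event carries only when command-line logging is enabled, and nothing in the entry records that prerequisite. The matching logic itself is not in this manifest, so this is inferred from the title; if it holds, the description should say so, e.g. `"description": "Detects attempts to query system information directly from the Windows Registry. Requires process command line logging in 4688 events."`. Since the commit comes from github-actions[bot], that wording belongs in the upstream rule the manifest is generated from, not in a hand edit here. The enclosing JSON array begins and ends outside the hunk.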
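Review bot: The SharpSuccessor entry's description in the second hunk ends with an embedded `\n` (`...BadSuccessor vulnerability.\n"`), unlike the description added in the first hunk, so any consumer that prints the field verbatim gets a stray trailing blank line. This looks like a YAML block scalar copied through unchanged; since the file is bot-generated, the fix belongs in the conversion step (strip trailing whitespace from description before serialising) rather than in this file, giving `"description": "Detects the execution of SharpSuccessor, ... by exploiting the BadSuccessor vulnerability."`. The enclosing JSON array begins and ends outside the hunk.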