Sigma Rule Update (2025-09-23 20:14:21) (#95)

Co-authored-by: YamatoSecurity <YamatoSecurity@users.noreply.github.com>
2025-12-06 09:12:46 +01:00 · 2025-09-23 20:14:27 +00:00
parent c7aed3a238
commit b9e7a86a84
1 changed files with 102 additions and 0 deletions
--- a/config/security_rules.json
+++ b/config/security_rules.json
@@ -14070,6 +14070,23 @@
    ],
    "title": "Potential Exploitation of RCE Vulnerability CVE-2025-33053"
  },
+  {
+    "category": "process_creation",
+    "channel": [
+      "sec"
+    ],
+    "description": "Detects suspicious child processes created by CrushFTP. It could be an indication of exploitation of a RCE vulnerability such as CVE-2025-54309.",
+    "event_ids": [
+      "4688"
+    ],
+    "id": "81ef2b50-ae07-2c4b-4242-6669c7176fec",
+    "level": "high",
+    "service": "",
+    "subcategory_guids": [
+      "0CCE922B-69AE-11D9-BED3-505054503030"
+    ],
+    "title": "Potential Exploitation of CrushFTP RCE Vulnerability (CVE-2025-54309)"
+  },
  {
    "category": "process_creation",
    "channel": [
@@ -19496,6 +19513,23 @@
    ],
    "title": "MaxMpxCt Registry Value Changed"
  },
+  {
+    "category": "registry_set",
+    "channel": [
+      "sec"
+    ],
+    "description": "Detects potential ClickFix malware execution patterns by monitoring registry modifications in RunMRU keys containing HTTP/HTTPS links.\nClickFix is known to be distributed through phishing campaigns and uses techniques like clipboard hijacking and fake CAPTCHA pages.\nThrough the fakecaptcha pages, the adversary tricks users into opening the Run dialog box and pasting clipboard-hijacked content,\nsuch as one-liners that execute remotely hosted malicious files or scripts.\n",
+    "event_ids": [
+      "4657"
+    ],
+    "id": "00d744c2-1966-dcdc-2c72-3a12d7b5fd2d",
+    "level": "high",
+    "service": "",
+    "subcategory_guids": [
+      "0CCE921E-69AE-11D9-BED3-505054503030"
+    ],
+    "title": "Potential ClickFix Execution Pattern - Registry"
+  },
  {
    "category": "registry_set",
    "channel": [
@@ -30770,6 +30804,23 @@
    ],
    "title": "Chromium Browser Instance Executed With Custom Extension"
  },
+  {
+    "category": "process_creation",
+    "channel": [
+      "sec"
+    ],
+    "description": "Detects the suspicious use of the Velociraptor DFIR tool to execute other tools or download additional payloads, as seen in a campaign where it was abused for remote access and to stage further attacks.",
+    "event_ids": [
+      "4688"
+    ],
+    "id": "d6a4c9bc-d5cf-bd43-fc5b-0a8b0a3c125f",
+    "level": "high",
+    "service": "",
+    "subcategory_guids": [
+      "0CCE922B-69AE-11D9-BED3-505054503030"
+    ],
+    "title": "Suspicious Velociraptor Child Process"
+  },
  {
    "category": "process_creation",
    "channel": [
@@ -33065,6 +33116,23 @@
    ],
    "title": "Potential Script Proxy Execution Via CL_Mutexverifiers.ps1"
  },
+  {
+    "category": "process_creation",
+    "channel": [
+      "sec"
+    ],
+    "description": "Detects potential access attempts to the PowerShell console history directly via history file (ConsoleHost_history.txt).\nThis can give access to plaintext passwords used in PowerShell commands or used for general reconnaissance.\n",
+    "event_ids": [
+      "4688"
+    ],
+    "id": "3becf1a9-6869-2795-e158-31485eae103f",
+    "level": "medium",
+    "service": "",
+    "subcategory_guids": [
+      "0CCE922B-69AE-11D9-BED3-505054503030"
+    ],
+    "title": "Potential PowerShell Console History Access Attempt via History File"
+  },
  {
    "category": "process_creation",
    "channel": [
@@ -36958,6 +37026,23 @@
    ],
    "title": "PUA - Chisel Tunneling Tool Execution"
  },
+  {
+    "category": "process_creation",
+    "channel": [
+      "sec"
+    ],
+    "description": "Detects the usage of wmic.exe to manipulate Windows registry via the WMI StdRegProv class.\nThis behaviour could be potentially suspicious because it uses an alternative method to modify registry keys instead of legitimate registry tools like reg.exe or regedit.exe.\nAttackers specifically choose this technique to evade detection and bypass security monitoring focused on traditional registry modification commands.\n",
+    "event_ids": [
+      "4688"
+    ],
+    "id": "287709ae-0175-f8df-11fc-9ec74c46d8c9",
+    "level": "medium",
+    "service": "",
+    "subcategory_guids": [
+      "0CCE922B-69AE-11D9-BED3-505054503030"
+    ],
+    "title": "Registry Manipulation via WMI Stdregprov"
+  },
  {
    "category": "process_creation",
    "channel": [
@@ -40239,6 +40324,23 @@
    ],
    "title": "Windows Backup Deleted Via Wbadmin.EXE"
  },
+  {
+    "category": "process_creation",
+    "channel": [
+      "sec"
+    ],
+    "description": "Detects TacticalRMM agent installations where the --api, --auth, and related flags are used on the command line.\nThese parameters configure the agent to connect to a specific RMM server with authentication, client ID, and site ID.\nThis technique could indicate a threat actor attempting to register the agent with an attacker-controlled RMM infrastructure silently.\n",
+    "event_ids": [
+      "4688"
+    ],
+    "id": "7997ec07-1c34-0bba-64bc-d699a65b149f",
+    "level": "medium",
+    "service": "",
+    "subcategory_guids": [
+      "0CCE922B-69AE-11D9-BED3-505054503030"
+    ],
+    "title": "Remote Access Tool - TacticalRMM Agent Registration to Potentially Attacker-Controlled Server"
+  },
  {
    "category": "process_creation",
    "channel": [