From bf52184176fdbf267326966818b29cc77b02f729 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com>
Date: Fri, 15 Aug 2025 20:15:21 +0000
Subject: [PATCH] Sigma Rule Update (2025-08-15 20:15:15) (#92)
Co-authored-by: YamatoSecurity
---
 config/security_rules.json | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)
diff --git a/config/security_rules.json b/config/security_rules.json
index 89a3bb36..e19b2d60 100644
--- a/config/security_rules.json
+++ b/config/security_rules.json
@@ -5420,7 +5420,7 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
- "title": "Detect Virtualbox Driver Installation OR Starting Of VMs"
+ "title": "Virtualbox Driver Installation or Starting of VMs"
 },
 {
 "category": "process_creation",
@@ -9706,6 +9706,23 @@
 ],
 "title": "Python Function Execution Security Warning Disabled In Excel"
 },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects attempts to disable windows recovery environment using Reagentc.\nReAgentc.exe is a command-line tool in Windows used to manage the Windows Recovery Environment (WinRE).\nIt allows users to enable, disable, and configure WinRE, which is used for troubleshooting and repairing common boot issues.\n",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "7e941643-69fc-290f-3b49-eee5d24adde8",
+ "level": "medium",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "title": "Windows Recovery Environment Disabled Via Reagentc"
+ },
 {
 "category": "process_creation",
 "channel": [
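Review bot: The new rule entry in the second hunk maps "Windows Recovery Environment Disabled Via Reagentc" to event 4688 alone, yet telling a disable apart from the enable/configure actions the description itself lists presumably depends on the process command line, which 4688 records only when the "Include command line in process creation events" audit setting is enabled; if this file is what tells users which audit configuration a rule needs, that prerequisite is not expressed anywhere in the entry. The description could carry it, e.g. by appending `Effective only when command-line logging is enabled for 4688 (Include command line in process creation events).` The `id` value `7e941643-69fc-290f-3b49-eee5d24adde8` also does not follow the UUIDv4 layout (version and variant nibbles are 2 and 3), which is worth confirming against the upstream Sigma rule if anything keys on it. This file looks bot-generated from the Sigma rule set, so both points would apply to the generator or the upstream rule rather than to this commit.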