From c478a7e479c1b228a34a97769638a553cc667252 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com>
Date: Tue, 15 Jul 2025 20:16:37 +0000
Subject: [PATCH] Sigma Rule Update (2025-07-15 20:16:31) (#89)

Co-authored-by: YamatoSecurity
---
 config/security_rules.json | 21 +++++++++++++++++++--
 1 file changed, 19 insertions(+), 2 deletions(-)

diff --git a/config/security_rules.json b/config/security_rules.json
index 283e3edf..3e5d670e 100644
--- a/config/security_rules.json
+++ b/config/security_rules.json
@@ -19633,7 +19633,7 @@
 "channel": [
 "sec"
 ],
- "description": "Detects the execution of Sysinternals ADExplorer with the \"-snapshot\" flag in order to save a local copy of the active directory database to a suspicious directory.",
+ "description": "Detects the execution of Sysinternals ADExplorer with the \"-snapshot\" flag in order to save a local copy of the active directory database to a suspicious directory. This can be used by attackers to extract data for Bloodhound, usernames for password spraying or use the meta data for social engineering. The snapshot doesn't contain password hashes but there have been cases, where administrators put passwords in the comment field.",
 "event_ids": [
 "4688"
 ],
@@ -28184,7 +28184,7 @@
 "channel": [
 "sec"
 ],
- "description": "Detects the execution of Sysinternals ADExplorer with the \"-snapshot\" flag in order to save a local copy of the active directory database.",
+ "description": "Detects the execution of Sysinternals ADExplorer with the \"-snapshot\" flag in order to save a local copy of the active directory database. This can be used by attackers to extract data for Bloodhound, usernames for password spraying or use the meta data for social engineering. The snapshot doesn't contain password hashes but there have been cases, where administrators put passwords in the comment field.",
 "event_ids": [
 "4688"
 ],
@@ -35064,6 +35064,23 @@
 ],
 "title": "Potential Suspicious Registry File Imported Via Reg.EXE"
 },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects the creation of new scheduled tasks via commandline, using Schtasks.exe. This rule detects tasks creating that call OpenSSH, which may indicate the creation of reverse SSH tunnel to the attacker's server.",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "f827f8f1-fb4f-4e87-e688-b05d54c996ad",
+ "level": "high",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "title": "Potential SSH Tunnel Persistence Install Using A Scheduled Task"
+ },
 {
 "category": "process_creation",
 "channel": [
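Review bot: The new rule's `description` line has a grammatical slip (`This rule detects tasks creating that call OpenSSH`) and omits the logging prerequisite the rule depends on: it keys on Event ID 4688 under the Audit Process Creation subcategory, but the OpenSSH reference in a schtasks invocation would only be visible if command-line logging is included in 4688, so without that setting the rule presumably never fires and nobody is told why. I would rewrite the line as `"description": "Detects the creation of new scheduled tasks via the command line using Schtasks.exe, where the task action invokes OpenSSH, which may indicate a reverse SSH tunnel to an attacker-controlled server. Requires Audit Process Creation (Event ID 4688) with command-line logging enabled, since the task action is only observable in the 4688 command line."`. The `"service": ""` value is likely the convention for Security-channel entries in this file, but the neighbouring entries visible in this hunk do not show that field, so it is worth confirming it matches sibling rules. The enclosing JSON array opens and closes outside the hunk.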