CSEC_PUBLIC/WELA
1
0
Fork 0
mirror of https://github.com/Yamato-Security/WELA.git synced 2025-12-22 17:03:10 +01:00
Code Issues Packages Projects Releases Wiki Activity

Sigma Rule Update (2025-07-15 20:16:31) (#89)

Browse Source 
Co-authored-by: YamatoSecurity <YamatoSecurity@users.noreply.github.com>
This commit is contained in:
github-actions[bot]
2025-07-15 20:16:37 +00:00
committed by GitHub
parent f9c6a045dd
commit c478a7e479
1 changed files with 19 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
config/security_rules.json
View File

@@ -19633,7 +19633,7 @@
"channel": [ "channel": [
"sec" "sec"
], ],
"description": "Detects the execution of Sysinternals ADExplorer with the \"-snapshot\" flag in order to save a local copy of the active directory database to a suspicious directory.", "description": "Detects the execution of Sysinternals ADExplorer with the \"-snapshot\" flag in order to save a local copy of the active directory database to a suspicious directory. This can be used by attackers to extract data for Bloodhound, usernames for password spraying or use the meta data for social engineering. The snapshot doesn't contain password hashes but there have been cases, where administrators put passwords in the comment field.",
"event_ids": [ "event_ids": [
"4688" "4688"
], ],
@@ -28184,7 +28184,7 @@
"channel": [ "channel": [
"sec" "sec"
], ],
"description": "Detects the execution of Sysinternals ADExplorer with the \"-snapshot\" flag in order to save a local copy of the active directory database.", "description": "Detects the execution of Sysinternals ADExplorer with the \"-snapshot\" flag in order to save a local copy of the active directory database. This can be used by attackers to extract data for Bloodhound, usernames for password spraying or use the meta data for social engineering. The snapshot doesn't contain password hashes but there have been cases, where administrators put passwords in the comment field.",
"event_ids": [ "event_ids": [
"4688" "4688"
], ],
@@ -35064,6 +35064,23 @@
], ],
"title": "Potential Suspicious Registry File Imported Via Reg.EXE" "title": "Potential Suspicious Registry File Imported Via Reg.EXE"
}, },
{
"category": "process_creation",
"channel": [
"sec"
],
"description": "Detects the creation of new scheduled tasks via commandline, using Schtasks.exe. This rule detects tasks creating that call OpenSSH, which may indicate the creation of reverse SSH tunnel to the attacker's server.",
"event_ids": [
"4688"
],
"id": "f827f8f1-fb4f-4e87-e688-b05d54c996ad",
"level": "high",
"service": "",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Potential SSH Tunnel Persistence Install Using A Scheduled Task"
},
{ {
"category": "process_creation", "category": "process_creation",
"channel": [ "channel": [