Sigma Rule Update (2025-05-22 20:15:26) (#70)

Co-authored-by: YamatoSecurity <YamatoSecurity@users.noreply.github.com>
2025-12-14 21:22:51 +01:00 · 2025-05-22 20:15:32 +00:00
parent 2e5cac1820
commit e9b8d4d6cf
1 changed files with 48 additions and 16 deletions
--- a/config/security_rules.json
+++ b/config/security_rules.json
@@ -5939,6 +5939,23 @@
    ],
    "title": "Uncommon Child Process Of BgInfo.EXE"
  },
+  {
+    "category": "process_creation",
+    "channel": [
+      "sec"
+    ],
+    "description": "Detects execution of Adfind.exe utility, which can be used for reconnaissance in an Active Directory environment",
+    "event_ids": [
+      "4688"
+    ],
+    "id": "5cba86ae-86b3-1aba-fe62-8b82c1fb1f92",
+    "level": "medium",
+    "service": "",
+    "subcategory_guids": [
+      "0CCE922B-69AE-11D9-BED3-505054503030"
+    ],
+    "title": "PUA - AdFind.EXE Execution"
+  },
  {
    "category": "process_creation",
    "channel": [
@@ -30749,6 +30766,22 @@
    ],
    "title": "Domain Trust Discovery"
  },
+  {
+    "category": "ps_script",
+    "channel": [
+      "pwsh",
+      "pwsh"
+    ],
+    "description": "Deletes Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil",
+    "event_ids": [
+      "4104"
+    ],
+    "id": "baee41a3-2063-6125-778e-0d9710474c06",
+    "level": "high",
+    "service": "",
+    "subcategory_guids": [],
+    "title": "Delete Volume Shadow Copies via WMI with PowerShell - PS Script"
+  },
  {
    "category": "",
    "channel": [
@@ -31738,6 +31771,21 @@
    "subcategory_guids": [],
    "title": "NTLMv1 Logon Between Client and Server"
  },
+  {
+    "category": "",
+    "channel": [
+      "System"
+    ],
+    "description": "Detects \"BugCheck\" errors indicating the system rebooted due to a crash, capturing the bugcheck code, dump file path, and report ID.",
+    "event_ids": [
+      "1001"
+    ],
+    "id": "d4ccca35-9fd6-1ed8-f5d5-84f755404fdd",
+    "level": "medium",
+    "service": "system",
+    "subcategory_guids": [],
+    "title": "Crash Dump Created By Operating System"
+  },
  {
    "category": "",
    "channel": [
@@ -33960,22 +34008,6 @@
    "subcategory_guids": [],
    "title": "WMImplant Hack Tool"
  },
-  {
-    "category": "ps_script",
-    "channel": [
-      "pwsh",
-      "pwsh"
-    ],
-    "description": "Deletes Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil",
-    "event_ids": [
-      "4104"
-    ],
-    "id": "baee41a3-2063-6125-778e-0d9710474c06",
-    "level": "high",
-    "service": "",
-    "subcategory_guids": [],
-    "title": "Delete Volume Shadow Copies via WMI with PowerShell - PS Script"
-  },
  {
    "category": "ps_script",
    "channel": [