CSEC_PUBLIC/WELA
1
0
Fork 0
mirror of https://github.com/Yamato-Security/WELA.git synced 2026-01-23 16:33:32 +01:00
Code Issues Packages Projects Releases Wiki Activity

Sigma Rule Update (2025-11-18 20:16:48) (#160)

Browse Source 
Co-authored-by: YamatoSecurity <YamatoSecurity@users.noreply.github.com>
This commit is contained in:
github-actions[bot]
2025-11-18 20:16:54 +00:00
committed by GitHub
parent bf87c13a45
commit ed5bee2152
1 changed files with 121 additions and 118 deletions
Download Patch File Download Diff File Expand all files Collapse all files

239
config/security_rules.json
View File

@@ -344,8 +344,8 @@
"T1059.001",
"TA0008",
"T1021.003",
"T1021",
"T1059"
"T1059",
"T1021"
],
"title": "Suspicious Non PowerShell WSMAN COM Provider"
},
@@ -424,8 +424,8 @@
"T1059.001",
"TA0008",
"T1021.006",
"T1059",
"T1021"
"T1021",
"T1059"
],
"title": "Remote PowerShell Session (PS Classic)"
},
@@ -1902,8 +1902,8 @@
"T1059.001",
"TA0003",
"T1136.001",
"T1136",
"T1059"
"T1059",
"T1136"
],
"title": "PowerShell Create Local User"
},
@@ -2194,8 +2194,8 @@
"T1558.003",
"TA0008",
"T1550.003",
"T1550",
"T1558"
"T1558",
"T1550"
],
"title": "HackTool - Rubeus Execution - ScriptBlock"
},
@@ -2637,8 +2637,8 @@
"T1564.004",
"TA0002",
"T1059.001",
"T1564",
"T1059"
"T1059",
"T1564"
],
"title": "NTFS Alternate Data Stream"
},
@@ -4991,8 +4991,8 @@
"T1615",
"T1569.002",
"T1574.005",
"T1569",
"T1574"
"T1574",
"T1569"
],
"title": "HackTool - SharpUp PrivEsc Tool Execution"
},
@@ -5532,8 +5532,8 @@
"TA0002",
"T1059.001",
"T1027",
"T1059",
"T1218"
"T1218",
"T1059"
],
"title": "Obfuscated PowerShell MSI Install via WindowsInstaller COM"
},
@@ -6179,8 +6179,8 @@
"TA0002",
"T1059.007",
"cve.2020-1599",
"T1059",
"T1218"
"T1218",
"T1059"
],
"title": "MSHTA Execution with Suspicious File Extensions"
},
@@ -6514,8 +6514,8 @@
"T1563.002",
"T1021.001",
"car.2013-07-002",
"T1021",
"T1563"
"T1563",
"T1021"
],
"title": "Suspicious RDP Redirect Using TSCON"
},
@@ -7485,8 +7485,8 @@
"TA0003",
"T1053.005",
"T1059.001",
"T1053",
"T1059"
"T1059",
"T1053"
],
"title": "Scheduled Task Executing Encoded Payload from Registry"
},
@@ -9416,8 +9416,8 @@
"T1564.004",
"T1552.001",
"T1105",
"T1564",
"T1552"
"T1552",
"T1564"
],
"title": "Remote File Download Via Findstr.EXE"
},
@@ -10033,8 +10033,8 @@
"T1087.002",
"T1069.002",
"T1482",
"T1069",
"T1087"
"T1087",
"T1069"
],
"title": "Suspicious Active Directory Database Snapshot Via ADExplorer"
},
@@ -10777,8 +10777,8 @@
"TA0005",
"T1548.002",
"T1218.003",
"T1218",
"T1548"
"T1548",
"T1218"
],
"title": "Bypass UAC via CMSTP"
},
@@ -10996,8 +10996,8 @@
"T1218.010",
"TA0002",
"TA0005",
"T1218",
"T1204"
"T1204",
"T1218"
],
"title": "Suspicious WMIC Execution Via Office Process"
},
@@ -11190,8 +11190,8 @@
"T1071.004",
"T1132.001",
"T1132",
"T1048",
"T1071"
"T1071",
"T1048"
],
"title": "DNS Exfiltration and Tunneling Tools Execution"
},
@@ -11737,8 +11737,8 @@
"T1047",
"T1204.002",
"T1218.010",
"T1218",
"T1204"
"T1204",
"T1218"
],
"title": "Suspicious WmiPrvSE Child Process"
},
@@ -11806,8 +11806,8 @@
"TA0002",
"T1059.001",
"T1562.001",
"T1059",
"T1562"
"T1562",
"T1059"
],
"title": "Obfuscated PowerShell OneLiner Execution"
},
@@ -16590,8 +16590,8 @@
"T1087.002",
"T1069.002",
"T1482",
"T1087",
"T1069"
"T1069",
"T1087"
],
"title": "Active Directory Database Snapshot Via ADExplorer"
},
@@ -17963,8 +17963,8 @@
"TA0002",
"T1552.004",
"T1059.001",
"T1059",
"T1552"
"T1552",
"T1059"
],
"title": "Certificate Exported Via PowerShell"
},
@@ -18746,8 +18746,8 @@
"TA0005",
"T1562.001",
"T1070.001",
"T1562",
"T1070"
"T1070",
"T1562"
],
"title": "Suspicious Windows Trace ETW Session Tamper Via Logman.EXE"
},
@@ -19857,8 +19857,8 @@
"TA0008",
"T1021.002",
"T1218.011",
"T1021",
"T1218"
"T1218",
"T1021"
],
"title": "Rundll32 UNC Path Execution"
},
@@ -20860,8 +20860,8 @@
"TA0005",
"T1218.014",
"T1036.002",
"T1204",
"T1218",
"T1204",
"T1036"
],
"title": "MMC Executing Files with Reversed Extensions Using RTLO Abuse"
@@ -21417,11 +21417,11 @@
"T1547.002",
"T1557",
"T1082",
"T1574",
"T1547",
"T1505",
"T1564",
"T1546",
"T1547",
"T1574",
"T1564",
"T1556"
],
"title": "Potential Suspicious Activity Using SeCEdit"
@@ -22253,8 +22253,8 @@
"TA0008",
"T1059.001",
"T1021.006",
"T1021",
"T1059"
"T1059",
"T1021"
],
"title": "Remote PowerShell Session Host Process (WinRM)"
},
@@ -22551,9 +22551,9 @@
"TA0005",
"T1218.005",
"T1027.004",
"T1218",
"T1027",
"T1059",
"T1027"
"T1218"
],
"title": "Csc.EXE Execution Form Potentially Suspicious Parent"
},
@@ -23690,8 +23690,8 @@
"T1204.004",
"TA0005",
"T1027.010",
"T1027",
"T1204"
"T1204",
"T1027"
],
"title": "Suspicious Explorer Process with Whitespace Padding - ClickFix/FileFix"
},
@@ -24566,8 +24566,8 @@
"T1133",
"T1136.001",
"T1021.001",
"T1136",
"T1021"
"T1021",
"T1136"
],
"title": "User Added to Remote Desktop Users Group"
},
@@ -25202,8 +25202,8 @@
"T1564.004",
"T1552.001",
"T1105",
"T1564",
"T1552"
"T1552",
"T1564"
],
"title": "Insensitive Subfolder Search Via Findstr.EXE"
},
@@ -26174,9 +26174,9 @@
"T1069.002",
"TA0002",
"T1059.001",
"T1069",
"T1059",
"T1087",
"T1069"
"T1087"
],
"title": "HackTool - Bloodhound/Sharphound Execution"
},
@@ -27104,8 +27104,8 @@
"T1070.001",
"T1562.002",
"car.2016-04-002",
"T1562",
"T1070"
"T1070",
"T1562"
],
"title": "Suspicious Eventlog Clearing or Configuration Change Activity"
},
@@ -27263,8 +27263,8 @@
"T1106",
"T1059.003",
"T1218.011",
"T1059",
"T1218"
"T1218",
"T1059"
],
"title": "HackTool - RedMimicry Winnti Playbook Execution"
},
@@ -28096,8 +28096,8 @@
"TA0003",
"T1036.005",
"T1053.005",
"T1036",
"T1053"
"T1053",
"T1036"
],
"title": "Suspicious Scheduled Task Creation via Masqueraded XML File"
},
@@ -28441,7 +28441,7 @@
"channel": [
"sec"
],
"description": "A symbolic link is a type of file that contains a reference to another file.\nThis is probably done to make sure that the ransomware is able to follow shortcuts on the machine in order to find the original file to encrypt\n",
"description": "Detects the modification of NTFS symbolic link behavior using fsutil, which could be used to enable remote to local or remote to remote symlinks for potential attacks.\n",
"event_ids": [
"4688"
],
@@ -28453,9 +28453,12 @@
],
"tags": [
"TA0002",
"T1059"
"T1059",
"TA0005",
"T1222.001",
"T1222"
],
"title": "Fsutil Behavior Set SymlinkEvaluation"
"title": "Potentially Suspicious NTFS Symlink Behavior Modification"
},
{
"category": "process_creation",
@@ -32298,9 +32301,9 @@
"T1027.010",
"T1547.001",
"detection.threat-hunting",
"T1547",
"T1059",
"T1027"
"T1027",
"T1547"
],
"title": "Registry Set With Crypto-Classes From The \"Cryptography\" PowerShell Namespace"
},
@@ -36679,8 +36682,8 @@
"T1543.003",
"T1569.002",
"T1569",
"T1021",
"T1543"
"T1543",
"T1021"
],
"title": "Potential CobaltStrike Service Installations - Registry"
},
@@ -38110,8 +38113,8 @@
"T1566.001",
"cve.2017-8759",
"detection.emerging-threats",
"T1204",
"T1566"
"T1566",
"T1204"
],
"title": "Exploit for CVE-2017-8759"
},
@@ -38138,8 +38141,8 @@
"T1566.001",
"cve.2017-11882",
"detection.emerging-threats",
"T1204",
"T1566"
"T1566",
"T1204"
],
"title": "Droppers Exploiting CVE-2017-11882"
},
@@ -38166,8 +38169,8 @@
"T1566.001",
"cve.2017-0261",
"detection.emerging-threats",
"T1204",
"T1566"
"T1566",
"T1204"
],
"title": "Exploit for CVE-2017-0261"
},
@@ -38225,8 +38228,8 @@
"car.2016-04-002",
"detection.emerging-threats",
"T1218",
"T1003",
"T1070"
"T1070",
"T1003"
],
"title": "NotPetya Ransomware Activity"
},
@@ -38550,8 +38553,8 @@
"T1071.004",
"detection.emerging-threats",
"T1053",
"T1543",
"T1071"
"T1071",
"T1543"
],
"title": "OilRig APT Schedule Task Persistence - Security"
},
@@ -38583,9 +38586,9 @@
"TA0011",
"T1071.004",
"detection.emerging-threats",
"T1053",
"T1543",
"T1071"
"T1071",
"T1053"
],
"title": "OilRig APT Registry Persistence"
},
@@ -38617,9 +38620,9 @@
"TA0011",
"T1071.004",
"detection.emerging-threats",
"T1543",
"T1071",
"T1053",
"T1543"
"T1053"
],
"title": "OilRig APT Activity"
},
@@ -39291,8 +39294,8 @@
"TA0005",
"T1036.005",
"detection.emerging-threats",
"T1059",
"T1036"
"T1036",
"T1059"
],
"title": "Greenbug Espionage Group Indicators"
},
@@ -39838,8 +39841,8 @@
"T1053.005",
"T1027",
"detection.emerging-threats",
"T1053",
"T1059"
"T1059",
"T1053"
],
"title": "Turla Group Commands May 2020"
},
@@ -41275,8 +41278,8 @@
"T1053.005",
"T1059.001",
"detection.emerging-threats",
"T1053",
"T1036",
"T1053",
"T1059"
],
"title": "Operation Wocao Activity"
@@ -41308,9 +41311,9 @@
"T1053.005",
"T1059.001",
"detection.emerging-threats",
"T1053",
"T1059",
"T1036"
"T1036",
"T1053"
],
"title": "Operation Wocao Activity - Security"
},
@@ -44900,8 +44903,8 @@
"T1021.002",
"T1543.003",
"T1569.002",
"T1569",
"T1543",
"T1569",
"T1021"
],
"title": "CobaltStrike Service Installations - Security"
@@ -46563,8 +46566,8 @@
"T1553.002",
"attack.s0195",
"T1070",
"T1027",
"T1553"
"T1553",
"T1027"
],
"title": "Potential Secure Deletion with SDelete"
},
@@ -46612,8 +46615,8 @@
"T1087.002",
"T1069.002",
"attack.s0039",
"T1087",
"T1069"
"T1069",
"T1087"
],
"title": "Reconnaissance Activity"
},
@@ -47107,8 +47110,8 @@
"T1218.010",
"TA0002",
"TA0005",
"T1218",
"T1204"
"T1204",
"T1218"
],
"title": "Excel Proxy Executing Regsvr32 With Payload"
},
@@ -47680,8 +47683,8 @@
"T1218.010",
"TA0002",
"TA0005",
"T1218",
"T1204"
"T1204",
"T1218"
],
"title": "Office Applications Spawning Wmi Cli Alternate"
},
@@ -47864,8 +47867,8 @@
"T1218.010",
"TA0002",
"TA0005",
"T1218",
"T1204"
"T1204",
"T1218"
],
"title": "New Lolbin Process by Office Applications"
},
@@ -48084,8 +48087,8 @@
"T1218.010",
"TA0002",
"TA0005",
"T1204",
"T1218"
"T1218",
"T1204"
],
"title": "WMI Execution Via Office Process"
},
@@ -49764,8 +49767,8 @@
"TA0004",
"T1543.003",
"T1569.002",
"T1569",
"T1543"
"T1543",
"T1569"
],
"title": "Sliver C2 Default Service Installation"
},
@@ -50269,8 +50272,8 @@
"T1003.006",
"T1569.002",
"attack.s0005",
"T1003",
"T1569"
"T1569",
"T1003"
],
"title": "Credential Dumping Tools Service Execution - System"
},
@@ -50334,9 +50337,9 @@
"T1021.002",
"T1543.003",
"T1569.002",
"T1569",
"T1543",
"T1021",
"T1543"
"T1569"
],
"title": "CobaltStrike Service Installations - System"
},
@@ -51311,8 +51314,8 @@
"car.2013-09-005",
"T1543.003",
"T1569.002",
"T1569",
"T1543"
"T1543",
"T1569"
],
"title": "Malicious Service Installations"
},
@@ -52142,8 +52145,8 @@
"TA0008",
"T1563.002",
"T1021.001",
"T1021",
"T1563"
"T1563",
"T1021"
],
"title": "Possible RDP Hijacking"
},
@@ -53700,10 +53703,10 @@
"T1570",
"T1021.002",
"T1569.002",
"T1021",
"T1136",
"T1543",
"T1569"
"T1569",
"T1136",
"T1021"
],
"title": "PSExec Lateral Movement"
},