Sigma Rule Update (2026-01-28 20:22:38) (#235)

Co-authored-by: YamatoSecurity <YamatoSecurity@users.noreply.github.com>
github-actions[bot]
2026-01-28 20:22:45 +00:00
committed by GitHub
parent 104610f95e
commit f9af14cb8c


@@ -287,8 +287,8 @@
"TA0005",
"T1059.001",
"T1036.003",
"T1036",
"T1059"
"T1059",
"T1036"
],
"title": "Renamed Powershell Under Powershell Channel"
},
@@ -1173,8 +1173,8 @@
"T1529",
"attack.g0091",
"attack.s0363",
"T1071",
"T1059"
"T1059",
"T1071"
],
"title": "Silence.EDA Detection"
},
@@ -1503,8 +1503,8 @@
"T1552.001",
"T1555",
"T1555.003",
"T1548",
"T1552"
"T1552",
"T1548"
],
"title": "HackTool - WinPwn Execution - ScriptBlock"
},
@@ -1926,8 +1926,8 @@
"T1059.001",
"TA0003",
"T1136.001",
"T1059",
"T1136"
"T1136",
"T1059"
],
"title": "PowerShell Create Local User"
},
@@ -2218,8 +2218,8 @@
"T1558.003",
"TA0008",
"T1550.003",
"T1550",
"T1558"
"T1558",
"T1550"
],
"title": "HackTool - Rubeus Execution - ScriptBlock"
},
@@ -2661,8 +2661,8 @@
"T1564.004",
"TA0002",
"T1059.001",
"T1059",
"T1564"
"T1564",
"T1059"
],
"title": "NTFS Alternate Data Stream"
},
@@ -5534,8 +5534,8 @@
"T1218.007",
"TA0002",
"T1059.001",
"T1059",
"T1027",
"T1059",
"T1218"
],
"title": "Obfuscated PowerShell MSI Install via WindowsInstaller COM"
@@ -5961,8 +5961,8 @@
"TA0004",
"T1543.003",
"T1562.001",
"T1562",
"T1543"
"T1543",
"T1562"
],
"title": "Devcon Execution Disabling VMware VMCI Device"
},
@@ -6231,8 +6231,8 @@
"TA0002",
"T1059.007",
"cve.2020-1599",
"T1059",
"T1218"
"T1218",
"T1059"
],
"title": "MSHTA Execution with Suspicious File Extensions"
},
@@ -8635,8 +8635,8 @@
"TA0003",
"T1053.005",
"T1059.001",
"T1053",
"T1059"
"T1059",
"T1053"
],
"title": "Suspicious Schtasks Execution AppData Folder"
},
@@ -10905,8 +10905,8 @@
"TA0005",
"T1548.002",
"T1218.003",
"T1548",
"T1218"
"T1218",
"T1548"
],
"title": "Bypass UAC via CMSTP"
},
@@ -11322,9 +11322,9 @@
"TA0011",
"T1071.004",
"T1132.001",
"T1048",
"T1132",
"T1071",
"T1132"
"T1048"
],
"title": "DNS Exfiltration and Tunneling Tools Execution"
},
@@ -11665,8 +11665,8 @@
"car.2013-08-001",
"T1053.005",
"T1059.001",
"T1053",
"T1059"
"T1059",
"T1053"
],
"title": "HackTool - Default PowerSploit/Empire Scheduled Task Creation"
},
@@ -11870,8 +11870,8 @@
"T1047",
"T1204.002",
"T1218.010",
"T1218",
"T1204"
"T1204",
"T1218"
],
"title": "Suspicious WmiPrvSE Child Process"
},
@@ -11940,8 +11940,8 @@
"TA0002",
"T1059.001",
"T1562.001",
"T1059",
"T1562"
"T1562",
"T1059"
],
"title": "Obfuscated PowerShell OneLiner Execution"
},
@@ -12335,8 +12335,8 @@
"TA0005",
"T1059.001",
"T1564.003",
"T1564",
"T1059"
"T1059",
"T1564"
],
"title": "HackTool - Covenant PowerShell Launcher"
},
@@ -13473,8 +13473,8 @@
"T1087.002",
"T1482",
"T1069.002",
"T1087",
"T1069"
"T1069",
"T1087"
],
"title": "Renamed AdFind Execution"
},
@@ -16548,8 +16548,8 @@
"T1059.001",
"TA0005",
"T1027.005",
"T1059",
"T1027"
"T1027",
"T1059"
],
"title": "HackTool - CrackMapExec PowerShell Obfuscation"
},
@@ -18235,8 +18235,8 @@
"TA0002",
"T1552.004",
"T1059.001",
"T1552",
"T1059"
"T1059",
"T1552"
],
"title": "Certificate Exported Via PowerShell"
},
@@ -18303,8 +18303,8 @@
"T1218.011",
"TA0006",
"T1003.001",
"T1218",
"T1003"
"T1003",
"T1218"
],
"title": "Process Access via TrolleyExpress Exclusion"
},
@@ -18951,6 +18951,28 @@
],
"title": "Windows Share Mount Via Net.EXE"
},
{
"category": "process_creation",
"channel": [
"sec"
],
"description": "Detects the tampering of Hypervisor-protected Code Integrity (HVCI) related registry values via command line tool reg.exe.\nHVCI uses virtualization-based security to protect code integrity by ensuring that only trusted code can run in kernel mode.\nAdversaries may tamper with HVCI to load malicious or unsigned drivers, which can be used to escalate privileges, maintain persistence, or evade security mechanisms.\n",
"event_ids": [
"4688"
],
"id": "2422e428-2a4a-9183-9e55-0478a44213b5",
"level": "high",
"service": "",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"tags": [
"TA0005",
"T1562.001",
"T1562"
],
"title": "Hypervisor-protected Code Integrity (HVCI) Related Registry Tampering Via CommandLine"
},
{
"category": "process_creation",
"channel": [
@@ -19018,8 +19040,8 @@
"TA0005",
"T1562.001",
"T1070.001",
"T1562",
"T1070"
"T1070",
"T1562"
],
"title": "Suspicious Windows Trace ETW Session Tamper Via Logman.EXE"
},
@@ -21135,8 +21157,8 @@
"TA0005",
"T1218.014",
"T1036.002",
"T1218",
"T1204",
"T1218",
"T1036"
],
"title": "MMC Executing Files with Reversed Extensions Using RTLO Abuse"
@@ -21266,8 +21288,8 @@
"TA0005",
"T1219.002",
"T1036.003",
"T1036",
"T1219"
"T1219",
"T1036"
],
"title": "Remote Access Tool - Renamed MeshAgent Execution - Windows"
},
@@ -21692,12 +21714,12 @@
"T1547.002",
"T1557",
"T1082",
"T1574",
"T1547",
"T1564",
"T1574",
"T1505",
"T1556",
"T1546"
"T1546",
"T1505"
],
"title": "Potential Suspicious Activity Using SeCEdit"
},
@@ -22806,8 +22828,8 @@
"TA0005",
"T1218.005",
"T1027.004",
"T1027",
"T1218",
"T1027",
"T1059"
],
"title": "Csc.EXE Execution Form Potentially Suspicious Parent"
@@ -24330,8 +24352,8 @@
"T1558.003",
"TA0008",
"T1550.003",
"T1550",
"T1558"
"T1558",
"T1550"
],
"title": "HackTool - KrbRelayUp Execution"
},
@@ -24491,8 +24513,8 @@
"TA0003",
"T1053.005",
"T1059.001",
"T1059",
"T1053"
"T1053",
"T1059"
],
"title": "Scheduled Task Executing Payload from Registry"
},
@@ -26502,9 +26524,9 @@
"T1069.002",
"TA0002",
"T1059.001",
"T1087",
"T1059",
"T1069",
"T1087"
"T1069"
],
"title": "HackTool - Bloodhound/Sharphound Execution"
},
@@ -27412,6 +27434,28 @@
],
"title": "Recon Information for Export with Command Prompt"
},
{
"category": "process_creation",
"channel": [
"sec"
],
"description": "Detects tampering of the Vulnerable Driver Blocklist registry via command line tools such as PowerShell or REG.EXE.\nThe Vulnerable Driver Blocklist is a security feature that helps prevent the loading of known vulnerable drivers.\nDisabling this feature may indicate an attempt to bypass security controls, often targeted by threat actors\nto facilitate the installation of malicious or vulnerable drivers, particularly in scenarios involving Endpoint Detection and Response\n",
"event_ids": [
"4688"
],
"id": "39a74164-89df-cc34-b685-261b00fe4524",
"level": "high",
"service": "",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"tags": [
"TA0005",
"T1562.001",
"T1562"
],
"title": "Vulnerable Driver Blocklist Registry Tampering Via CommandLine"
},
{
"category": "process_creation",
"channel": [
@@ -27591,8 +27635,8 @@
"T1106",
"T1059.003",
"T1218.011",
"T1218",
"T1059"
"T1059",
"T1218"
],
"title": "HackTool - RedMimicry Winnti Playbook Execution"
},
@@ -31912,8 +31956,8 @@
"TA0001",
"TA0043",
"detection.threat-hunting",
"T1566",
"T1598"
"T1598",
"T1566"
],
"title": "HTML File Opened From Download Folder"
},
@@ -31947,9 +31991,9 @@
"T1021.002",
"attack.s0039",
"detection.threat-hunting",
"T1069",
"T1021",
"T1087",
"T1069"
"T1087"
],
"title": "Net.EXE Execution"
},
@@ -32730,8 +32774,8 @@
"T1547.001",
"detection.threat-hunting",
"T1059",
"T1027",
"T1547"
"T1547",
"T1027"
],
"title": "Registry Set With Crypto-Classes From The \"Cryptography\" PowerShell Namespace"
},
@@ -33953,7 +33997,7 @@
"T1562.001",
"T1562"
],
"title": "Hypervisor Enforced Code Integrity Disabled"
"title": "Windows Hypervisor Enforced Code Integrity Disabled"
},
{
"category": "registry_set",
@@ -36112,8 +36156,8 @@
"T1204.004",
"TA0005",
"T1027.010",
"T1204",
"T1027"
"T1027",
"T1204"
],
"title": "Suspicious Space Characters in TypedPaths Registry Path - FileFix"
},
@@ -37272,8 +37316,8 @@
"T1021.002",
"T1543.003",
"T1569.002",
"T1543",
"T1021",
"T1543",
"T1569"
],
"title": "Potential CobaltStrike Service Installations - Registry"
@@ -37895,8 +37939,8 @@
"TA0003",
"T1547.001",
"T1546.009",
"T1547",
"T1546"
"T1546",
"T1547"
],
"title": "Session Manager Autorun Keys Modification"
},
@@ -37989,6 +38033,28 @@
],
"title": "ServiceDll Hijack"
},
{
"category": "registry_set",
"channel": [
"sec"
],
"description": "Detects when the Windows Vulnerable Driver Blocklist is set to disabled. This setting is crucial for preventing the loading of known vulnerable drivers,\nand its modification may indicate an attempt to bypass security controls. It is often targeted by threat actors to facilitate the installation of malicious or vulnerable drivers,\nparticularly in scenarios involving Endpoint Detection and Response (EDR) bypass techniques.\nThis rule applies to systems that support the Vulnerable Driver Blocklist feature, including Windows 10 version 1903 and later, and Windows Server 2022 and later.\nNote that this change will require a reboot to take effect, and this rule only detects the registry modification action.\n",
"event_ids": [
"4657"
],
"id": "b8421346-c641-8b9f-8e30-77a28bd6dcc3",
"level": "high",
"service": "",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"tags": [
"TA0005",
"T1562.001",
"T1562"
],
"title": "Windows Vulnerable Driver Blocklist Disabled"
},
{
"category": "registry_set",
"channel": [
@@ -38668,8 +38734,8 @@
"T1566.001",
"cve.2017-11882",
"detection.emerging-threats",
"T1204",
"T1566"
"T1566",
"T1204"
],
"title": "Droppers Exploiting CVE-2017-11882"
},
@@ -38696,8 +38762,8 @@
"T1566.001",
"cve.2017-0261",
"detection.emerging-threats",
"T1204",
"T1566"
"T1566",
"T1204"
],
"title": "Exploit for CVE-2017-0261"
},
@@ -39079,8 +39145,8 @@
"TA0011",
"T1071.004",
"detection.emerging-threats",
"T1071",
"T1053",
"T1071",
"T1543"
],
"title": "OilRig APT Schedule Task Persistence - Security"
@@ -39113,9 +39179,9 @@
"TA0011",
"T1071.004",
"detection.emerging-threats",
"T1543",
"T1053",
"T1071",
"T1053"
"T1543"
],
"title": "OilRig APT Registry Persistence"
},
@@ -39147,9 +39213,9 @@
"TA0011",
"T1071.004",
"detection.emerging-threats",
"T1071",
"T1543",
"T1053"
"T1053",
"T1071"
],
"title": "OilRig APT Activity"
},
@@ -39179,9 +39245,9 @@
"TA0011",
"T1071.004",
"detection.emerging-threats",
"T1071",
"T1543",
"T1053",
"T1543"
"T1071"
],
"title": "OilRig APT Schedule Task Persistence - System"
},
@@ -39307,8 +39373,8 @@
"T1218.011",
"car.2013-10-002",
"detection.emerging-threats",
"T1218",
"T1059"
"T1059",
"T1218"
],
"title": "Sofacy Trojan Loader Activity"
},
@@ -39821,8 +39887,8 @@
"TA0005",
"T1036.005",
"detection.emerging-threats",
"T1059",
"T1036"
"T1036",
"T1059"
],
"title": "Greenbug Espionage Group Indicators"
},
@@ -40368,8 +40434,8 @@
"T1053.005",
"T1027",
"detection.emerging-threats",
"T1053",
"T1059"
"T1059",
"T1053"
],
"title": "Turla Group Commands May 2020"
},
@@ -41805,9 +41871,9 @@
"T1053.005",
"T1059.001",
"detection.emerging-threats",
"T1059",
"T1036",
"T1053",
"T1059"
"T1053"
],
"title": "Operation Wocao Activity"
},
@@ -41838,9 +41904,9 @@
"T1053.005",
"T1059.001",
"detection.emerging-threats",
"T1053",
"T1059",
"T1036",
"T1059"
"T1053"
],
"title": "Operation Wocao Activity - Security"
},
@@ -42198,8 +42264,8 @@
"T1059.001",
"attack.s0183",
"detection.emerging-threats",
"T1059",
"T1071"
"T1071",
"T1059"
],
"title": "Kalambur Backdoor Curl TOR SOCKS Proxy Execution"
},
@@ -43913,8 +43979,8 @@
"TA0002",
"T1204.002",
"T1553.005",
"T1204",
"T1553"
"T1553",
"T1204"
],
"title": "Windows AppX Deployment Full Trust Package Installation"
},
@@ -44011,8 +44077,8 @@
"TA0002",
"T1204.002",
"T1553.005",
"T1553",
"T1204"
"T1204",
"T1553"
],
"title": "Windows AppX Deployment Unsigned Package Installation"
},
@@ -45357,8 +45423,8 @@
"TA0002",
"T1543.003",
"T1569.002",
"T1569",
"T1543"
"T1543",
"T1569"
],
"title": "Remote Access Tool Services Have Been Installed - Security"
},
@@ -46185,8 +46251,8 @@
"T1003.006",
"T1569.002",
"attack.s0005",
"T1569",
"T1003"
"T1003",
"T1569"
],
"title": "Credential Dumping Tools Service Execution - Security"
},
@@ -47211,9 +47277,9 @@
"T1485",
"T1553.002",
"attack.s0195",
"T1070",
"T1553",
"T1027",
"T1553"
"T1070"
],
"title": "Potential Secure Deletion with SDelete"
},
@@ -47756,8 +47822,8 @@
"T1218.010",
"TA0002",
"TA0005",
"T1204",
"T1218"
"T1218",
"T1204"
],
"title": "Excel Proxy Executing Regsvr32 With Payload"
},
@@ -48535,8 +48601,8 @@
"T1218.010",
"TA0002",
"TA0005",
"T1218",
"T1204"
"T1204",
"T1218"
],
"title": "New Lolbin Process by Office Applications"
},
@@ -48755,8 +48821,8 @@
"T1218.010",
"TA0002",
"TA0005",
"T1218",
"T1204"
"T1204",
"T1218"
],
"title": "WMI Execution Via Office Process"
},
@@ -50435,8 +50501,8 @@
"TA0004",
"T1543.003",
"T1569.002",
"T1569",
"T1543"
"T1543",
"T1569"
],
"title": "Sliver C2 Default Service Installation"
},
@@ -51005,9 +51071,9 @@
"T1021.002",
"T1543.003",
"T1569.002",
"T1021",
"T1543",
"T1569",
"T1543"
"T1021"
],
"title": "CobaltStrike Service Installations - System"
},
@@ -51092,8 +51158,8 @@
"TA0004",
"T1543.003",
"T1569.002",
"T1569",
"T1543"
"T1543",
"T1569"
],
"title": "ProcessHacker Privilege Elevation"
},
@@ -52813,8 +52879,8 @@
"TA0008",
"T1563.002",
"T1021.001",
"T1021",
"T1563"
"T1563",
"T1021"
],
"title": "Possible RDP Hijacking"
},
@@ -54371,10 +54437,10 @@
"T1570",
"T1021.002",
"T1569.002",
"T1021",
"T1136",
"T1569",
"T1543"
"T1021",
"T1543",
"T1136"
],
"title": "PSExec Lateral Movement"
},