sigma-rules

security-tools/sigma-rules

Fork 0

Commit Graph

Author	SHA1	Message	Date
Samirbous	2b5472a9b3	[Tuning/New] Solarwinds Post Exploit (#5696 ) * [Tuning/New] Solawrwinds Post Exploit https://www.huntress.com/blog/active-exploitation-solarwinds-web-help-desk-cve-2025-26399 - new rule for tunneling using QEMU - added few websvc domains .cloud.es.io, files.catbox.moe and supabase.co - added javaw to the solarwinds rule - added ZOHO and Velociraptor to the new term RMM rule. * Update initial_access_potential_webhelpdesk_exploit.toml * Update rules/windows/command_and_control_common_webservices.toml Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> * ++ --------- Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>	2026-02-09 13:57:52 +00:00
Samirbous	2b8fb44cb5	[New] SolarWinds Web Help Desk Java Module Load or Child Process (#5665 ) * [New] Suspicious SolarWinds Web Help Desk Java Module Load or Child Process Identifies the SolarWinds Web Help Desk Java process loading an untrusted or remote native module (DLL). This behavior is uncommon for the Web Help Desk server and may indicate successful exploitation of deserialization vulnerabilities (CVE-2025-40536, CVE-2025-40551), which allow attackers to load malicious SQLite extensions and achieve remote code execution. https://horizon3.ai/attack-research/cve-2025-40551-another-solarwinds-web-help-desk-deserialization-issue/ https://github.com/rapid7/metasploit-framework/pull/20917 * Update rules/windows/initial_access_potential_webhelpdesk_exploit.toml Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com> * Update rules/windows/initial_access_potential_webhelpdesk_exploit.toml Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com> * Update rules/windows/initial_access_potential_webhelpdesk_exploit.toml Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com> --------- Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>	2026-02-04 16:09:55 +00:00

Author

SHA1

Message

Date

Samirbous

2b5472a9b3

[Tuning/New] Solarwinds Post Exploit (#5696 )

* [Tuning/New] Solawrwinds Post Exploit

https://www.huntress.com/blog/active-exploitation-solarwinds-web-help-desk-cve-2025-26399

- new rule for tunneling using QEMU
- added few websvc domains .cloud.es.io, files.catbox.moe and  supabase.co
- added javaw to the solarwinds rule
- added ZOHO and Velociraptor to the new term RMM rule.

* Update initial_access_potential_webhelpdesk_exploit.toml

* Update rules/windows/command_and_control_common_webservices.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* ++

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

2026-02-09 13:57:52 +00:00

Samirbous

2b8fb44cb5

[New] SolarWinds Web Help Desk Java Module Load or Child Process (#5665 )

* [New] Suspicious SolarWinds Web Help Desk Java Module Load or Child Process

Identifies the SolarWinds Web Help Desk Java process loading an untrusted or remote native module (DLL).
This behavior is uncommon for the Web Help Desk server and may indicate successful exploitation of
deserialization vulnerabilities (CVE-2025-40536, CVE-2025-40551), which allow attackers to load malicious
SQLite extensions and achieve remote code execution.

https://horizon3.ai/attack-research/cve-2025-40551-another-solarwinds-web-help-desk-deserialization-issue/

https://github.com/rapid7/metasploit-framework/pull/20917

* Update rules/windows/initial_access_potential_webhelpdesk_exploit.toml

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>

* Update rules/windows/initial_access_potential_webhelpdesk_exploit.toml

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>

* Update rules/windows/initial_access_potential_webhelpdesk_exploit.toml

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>

---------

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>

2026-02-04 16:09:55 +00:00

2 Commits