sigma-rules

security-tools/sigma-rules

Fork 0

Commit Graph

Author	SHA1	Message	Date
Samirbous	e1205cb5c5	[New/Tuning] Windows Rules to detect top threats/TTPs 24/25 (#5001 ) * [New/Tuning] Windows Top Threats 2024/2025 1) MSHTA: - tuning to exclude FPs - new rule `Remote Script via Microsoft HTML Application` compatible with 3d party EDR/sysmon/system/winlog integration and that does not require correlation or multiple type of events. 2) MSIEXEC: * Update defense_evasion_mshta_susp_child.toml * Update defense_evasion_script_via_html_app.toml * Update defense_evasion_mshta_susp_child.toml * Create defense_evasion_msiexec_remote_payload.toml * Update defense_evasion_msiexec_remote_payload.toml * ++ * Create execution_scripting_remote_webdav.toml * Create execution_windows_fakecaptcha_cmd_ps.toml * Create command_and_control_rmm_netsupport_susp_path.toml * Update command_and_control_rmm_netsupport_susp_path.toml * ++ * Update execution_jscript_fake_updates.toml * Create command_and_control_dns_susp_tld.toml * ++ * Create command_and_control_remcos_rat_iocs.toml * Update execution_windows_fakecaptcha_cmd_ps.toml * Update execution_scripts_archive_file.toml * Update defense_evasion_masquerading_renamed_autoit.toml * ++ * Create execution_nodejs_susp_patterns.toml * Update execution_nodejs_susp_patterns.toml * Update execution_windows_fakecaptcha_cmd_ps.toml * Fix unit test errors * Update defense_evasion_network_connection_from_windows_binary.toml * Add system index * Add tag * Update rules/windows/command_and_control_remcos_rat_iocs.toml Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com> * Remove duplicate * Update defense_evasion_msiexec_child_proc_netcon.toml * Update defense_evasion_masquerading_renamed_autoit.toml * Update defense_evasion_masquerading_renamed_autoit.toml * Update defense_evasion_masquerading_renamed_autoit.toml * Create credential_access_browsers_unusual_parent.toml * Update credential_access_browsers_unusual_parent.toml * ++ * Update defense_evasion_masquerading_renamed_autoit.toml * Update rules/windows/command_and_control_dns_susp_tld.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/windows/command_and_control_remcos_rat_iocs.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/windows/defense_evasion_mshta_susp_child.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/windows/discovery_host_public_ip_address_lookup.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/windows/discovery_host_public_ip_address_lookup.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/windows/execution_windows_phish_clickfix.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update discovery_host_public_ip_address_lookup.toml * Update execution_windows_phish_clickfix.toml * Update rules/windows/defense_evasion_script_via_html_app.toml * Update rules/windows/command_and_control_dns_susp_tld.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/windows/discovery_host_public_ip_address_lookup.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/windows/command_and_control_dns_susp_tld.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/windows/credential_access_browsers_unusual_parent.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/windows/command_and_control_dns_susp_tld.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/windows/defense_evasion_msiexec_child_proc_netcon.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/windows/discovery_host_public_ip_address_lookup.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/windows/defense_evasion_msiexec_child_proc_netcon.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/windows/discovery_host_public_ip_address_lookup.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/windows/defense_evasion_msiexec_child_proc_netcon.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/windows/execution_nodejs_susp_patterns.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update discovery_host_public_ip_address_lookup.toml * Update rules/windows/command_and_control_dns_susp_tld.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update defense_evasion_masquerading_renamed_autoit.toml * Update defense_evasion_script_via_html_app.toml --------- Co-authored-by: eric-forte-elastic <eric.forte@elastic.co> Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com> Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com> Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>	2025-09-01 15:41:51 +01:00

Author

SHA1

Message

Date

Samirbous

e1205cb5c5

[New/Tuning] Windows Rules to detect top threats/TTPs 24/25 (#5001 )

* [New/Tuning] Windows Top Threats 2024/2025

1) MSHTA:
- tuning to exclude FPs
- new rule `Remote Script via Microsoft HTML Application` compatible with 3d party EDR/sysmon/system/winlog integration and that does not require correlation or multiple type of events.

2) MSIEXEC:

* Update defense_evasion_mshta_susp_child.toml

* Update defense_evasion_script_via_html_app.toml

* Update defense_evasion_mshta_susp_child.toml

* Create defense_evasion_msiexec_remote_payload.toml

* Update defense_evasion_msiexec_remote_payload.toml

* ++

* Create execution_scripting_remote_webdav.toml

* Create execution_windows_fakecaptcha_cmd_ps.toml

* Create command_and_control_rmm_netsupport_susp_path.toml

* Update command_and_control_rmm_netsupport_susp_path.toml

* ++

* Update execution_jscript_fake_updates.toml

* Create command_and_control_dns_susp_tld.toml

* ++

* Create command_and_control_remcos_rat_iocs.toml

* Update execution_windows_fakecaptcha_cmd_ps.toml

* Update execution_scripts_archive_file.toml

* Update defense_evasion_masquerading_renamed_autoit.toml

* ++

* Create execution_nodejs_susp_patterns.toml

* Update execution_nodejs_susp_patterns.toml

* Update execution_windows_fakecaptcha_cmd_ps.toml

* Fix unit test errors

* Update defense_evasion_network_connection_from_windows_binary.toml

* Add system index

* Add tag

* Update rules/windows/command_and_control_remcos_rat_iocs.toml

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>

* Remove duplicate

* Update defense_evasion_msiexec_child_proc_netcon.toml

* Update defense_evasion_masquerading_renamed_autoit.toml

* Update defense_evasion_masquerading_renamed_autoit.toml

* Update defense_evasion_masquerading_renamed_autoit.toml

* Create credential_access_browsers_unusual_parent.toml

* Update credential_access_browsers_unusual_parent.toml

* ++

* Update defense_evasion_masquerading_renamed_autoit.toml

* Update rules/windows/command_and_control_dns_susp_tld.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/command_and_control_remcos_rat_iocs.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/defense_evasion_mshta_susp_child.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/discovery_host_public_ip_address_lookup.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/discovery_host_public_ip_address_lookup.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/execution_windows_phish_clickfix.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update discovery_host_public_ip_address_lookup.toml

* Update execution_windows_phish_clickfix.toml

* Update rules/windows/defense_evasion_script_via_html_app.toml

* Update rules/windows/command_and_control_dns_susp_tld.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/discovery_host_public_ip_address_lookup.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/command_and_control_dns_susp_tld.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/credential_access_browsers_unusual_parent.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/command_and_control_dns_susp_tld.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/defense_evasion_msiexec_child_proc_netcon.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/discovery_host_public_ip_address_lookup.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/defense_evasion_msiexec_child_proc_netcon.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/discovery_host_public_ip_address_lookup.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/defense_evasion_msiexec_child_proc_netcon.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/execution_nodejs_susp_patterns.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update discovery_host_public_ip_address_lookup.toml

* Update rules/windows/command_and_control_dns_susp_tld.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update defense_evasion_masquerading_renamed_autoit.toml

* Update defense_evasion_script_via_html_app.toml

---------

Co-authored-by: eric-forte-elastic <eric.forte@elastic.co>
Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

2025-09-01 15:41:51 +01:00

1 Commits