
Releases: SigmaHQ/sigma

Release r2026-01-01

29 Jan 12:57
478120e


New Rules

  • new: AMSI Disabled via Registry Modification
  • new: Cmd Launched with Hidden Start Flags to Suspicious Targets
  • new: Devcon Execution Disabling VMware VMCI Device
  • new: Github Self-Hosted Runner Execution
  • new: HTML File Opened From Download Folder
  • new: Hypervisor-protected Code Integrity (HVCI) Related Registry Tampering Via CommandLine
  • new: Legitimate Application Writing Files In Uncommon Location
  • new: Linux Setgid Capability Set on a Binary via Setcap Utility
  • new: Linux Setuid Capability Set on a Binary via Setcap Utility
  • new: Linux Suspicious Child Process From Node.js - React2Shell
  • new: OpenCanary - Host Port Scan (SYN Scan)
  • new: OpenCanary - NMAP FIN Scan
  • new: OpenCanary - NMAP NULL Scan
  • new: OpenCanary - NMAP OS Scan
  • new: OpenCanary - NMAP XMAS Scan
  • new: OpenCanary - RDP New Connection Attempt
  • new: PUA - Kernel Driver Utility (KDU) Execution
  • new: Registry Modification for OCI DLL Redirection
  • new: Successful MSIX/AppX Package Installation
  • new: Suspicious ArcSOC.exe Child Process
  • new: Suspicious File Created by ArcSOC.exe
  • new: Suspicious Loading of Dbgcore/Dbghelp DLLs from Uncommon Location
  • new: Suspicious Process Access of MsMpEng by WerFaultSecure - EDR-Freeze
  • new: Suspicious Process Access to LSASS with Dbgcore/Dbghelp DLLs
  • new: Suspicious Shell Open Command Registry Modification
  • new: User Shell Folders Registry Modification via CommandLine
  • new: Vulnerable Driver Blocklist Registry Tampering Via CommandLine
  • new: WerFaultSecure Loading DbgCore or DbgHelp - EDR-Freeze
  • new: Windows AMSI Related Registry Tampering Via CommandLine
  • new: Windows AppX Deployment Full Trust Package Installation
  • new: Windows AppX Deployment Unsigned Package Installation
  • new: Windows Credential Guard Disabled - Registry
  • new: Windows Credential Guard Registry Tampering Via CommandLine
  • new: Windows Credential Guard Related Registry Value Deleted - Registry
  • new: Windows MSIX Package Support Framework AI_STUBS Execution
  • new: Windows Suspicious Child Process From Node.js - React2Shell
  • new: Windows Vulnerable Driver Blocklist Disabled

Updated Rules

  • update: ASLR Disabled Via Sysctl or Direct Syscall - Linux - Updated syscall field to SYSCALL in order to make use of enriched logs
  • update: AppX Located in Uncommon Directory Added to Deployment Pipeline - Enhance selection criteria
  • update: Audio Capture - Updated syscall field to SYSCALL in order to make use of enriched logs
  • update: BITS Transfer Job Download From File Sharing Domains - add github.com
  • update: Clear or Disable Kernel Ring Buffer Logs via Syslog Syscall - Updated syscall field to SYSCALL in order to make use of enriched logs
  • update: Creation Of Non-Existent System DLL - Add new DLLs and update metadata
  • update: Curl Web Request With Potential Custom User-Agent - add another curl supported flag for header
  • update: DNS Query to External Service Interaction Domains - Changed modifier to endswith for better accuracy and add additional domains.
  • update: Direct Autorun Keys Modification - remove User Shell Folder registry modification
  • update: File Download Via Bitsadmin To A Suspicious Target Folder - add more susp locations
  • update: Hacktool - EDR-Freeze Execution - add more coverage
  • update: Malicious PowerShell Commandlets - PoshModule - add Invoke-DNSExfiltrator
  • update: Malicious PowerShell Commandlets - ProcessCreation - add Invoke-DNSExfiltrator
  • update: Malicious PowerShell Commandlets - ScriptBlock - add Invoke-DNSExfiltrator
  • update: Malicious PowerShell Scripts - FileCreation - add Invoke-DNSExfiltrator
  • update: Malicious PowerShell Scripts - PoshModule - add Invoke-DNSExfiltrator
  • update: Modify User Shell Folders Startup Value - add new registry path, also add filtering of legit paths
  • update: Network Communication Initiated To File Sharing Domains From Process Located In Suspicious Folder - add github.com
  • update: Network Connection Initiated From Process Located In Potentially Suspicious Or Uncommon Location - add github.com
  • update: Potential DLL Sideloading Of Non-Existent DLLs From System Folders - Add new DLLs and update metadata
  • update: Potential Malicious Usage of CloudTrail System Manager - Update logic to use errorCode instead for better mapping and accuracy
  • update: Potential SquiblyTwo Technique Execution - Extend coverage for remote execution
  • update: Potentially Suspicious EventLog Recon Activity Using Log Query Utilities - add more interesting event ids
  • update: Registry Modification of MS-settings Protocol Handler - Update logic to be more clear
  • update: Renamed Office Binary Execution - add olk.exe matching on Microsoft Outlook
  • update: Special File Creation via Mknod Syscall - Updated syscall field to SYSCALL in order to make use of enriched logs
  • update: Suspicious Download From File-Sharing Website Via Bitsadmin - add github URL
  • update: Suspicious Download Via Certutil.EXE - add URL flag related with GUI-based download
  • update: Suspicious File Download From File Sharing Domain Via Curl.EXE - add github.com
  • update: Suspicious File Download From File Sharing Domain Via Wget.EXE - add github.com
  • update: Suspicious File Download From File Sharing Websites - File Stream - add github.com
  • update: Suspicious File Downloaded From Direct IP Via Certutil.EXE - add URL flag related with GUI-based download
  • update: Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE - add URL flag related with GUI-based download and github domain
  • update: Suspicious Package Installed - Linux - add 'socat' keyword and fix a typo
  • update: Suspicious Remote AppX Package Locations - add github.com
  • update: System Info Discovery via Sysinfo Syscall - Updated syscall field to SYSCALL in order to make use of enriched logs
  • update: Unusual File Download From File Sharing Websites - File Stream - add github.com
  • update: WMIC Loading Scripting Libraries - Update metadata
  • update: Webshell Remote Command Execution - Updated syscall field to SYSCALL in order to make use of enriched logs
  • update: XSL Script Execution Via WMIC.EXE - Filter out remote execution parameters to avoid duplicate alerting
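Several of the bullets above move Linux auditd rules from the numeric syscall field to the enriched SYSCALL field. With log_format = ENRICHED in auditd.conf, auditd appends the resolved names (ARCH, SYSCALL, AUID, UID, ...) after a 0x1D group separator at the end of each record. The name is what you want to key on: the number is architecture-specific (mknod is 133 on x86_64 but 14 for an i386 process on the same host), so a rule written against it silently misses the other ABI. The following is an added example, not code from the Sigma repository or from its rules: a small parser for such records and two hypothetical selections, one keyed on the number and one on the name, run over constructed sample records.

```python
"""Minimal parser for auditd SYSCALL records, used to show why a selection on
the enriched SYSCALL name is portable across architectures while one on the
raw syscall number is not."""
import re

# auditd with log_format = ENRICHED appends the resolved fields (ARCH, SYSCALL,
# AUID, UID, ...) after a 0x1D group separator at the end of each record.
GROUP_SEPARATOR = "\x1d"

# Constructed sample records for this example; they are not real captures.
SAMPLE_RECORDS = [
    # 64-bit process: on x86_64 the mknod syscall is number 133
    'type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=133 success=yes '
    'exit=0 ppid=1200 pid=1234 auid=1000 uid=0 comm="mknod" exe="/usr/bin/mknod" key="mknod"'
    + GROUP_SEPARATOR + 'ARCH=x86_64 SYSCALL=mknod AUID="alice" UID="root"',
    # 32-bit process on the same host: for i386 mknod is number 14
    'type=SYSCALL msg=audit(1700000000.102:202): arch=40000003 syscall=14 success=yes '
    'exit=0 ppid=1200 pid=1235 auid=1000 uid=0 comm="mknod" exe="/usr/bin/mknod" key="mknod"'
    + GROUP_SEPARATOR + 'ARCH=i386 SYSCALL=mknod AUID="alice" UID="root"',
    # Unrelated record (openat) that no mknod rule should match
    'type=SYSCALL msg=audit(1700000000.103:203): arch=c000003e syscall=257 success=yes '
    'exit=3 ppid=1200 pid=1236 auid=1000 uid=1000 comm="cat" exe="/usr/bin/cat" key="files"'
    + GROUP_SEPARATOR + 'ARCH=x86_64 SYSCALL=openat AUID="alice" UID="alice"',
]

_FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
_EVENT_ID_RE = re.compile(r"audit\(\d+\.\d+:(\d+)\)")


def parse_audit_record(line: str) -> dict:
    """Return every key=value pair of an auditd record, including the enriched
    fields after the group separator, with surrounding quotes removed."""
    fields = {}
    for part in line.split(GROUP_SEPARATOR):
        for key, value in _FIELD_RE.findall(part):
            fields[key] = value.strip('"')
    match = _EVENT_ID_RE.search(line)
    if match:
        fields["event_id"] = match.group(1)
    return fields


def selection_matches(record: dict, selection: dict) -> bool:
    """Sigma-style AND over the field/value pairs of one selection map."""
    return all(record.get(field) == value for field, value in selection.items())


# Two hypothetical selections written for this example (not copies of the
# repository's rules): the first keys on the raw number, the second on the
# enriched name that the release notes switch to.
SELECTION_NUMERIC = {"type": "SYSCALL", "syscall": "133"}
SELECTION_ENRICHED = {"type": "SYSCALL", "SYSCALL": "mknod"}


def evaluate(records: list[str]) -> dict[str, list[str]]:
    """Apply both selections to each record; return matched event ids per selection."""
    hits = {"numeric": [], "enriched": []}
    for line in records:
        rec = parse_audit_record(line)
        if selection_matches(rec, SELECTION_NUMERIC):
            hits["numeric"].append(rec["event_id"])
        if selection_matches(rec, SELECTION_ENRICHED):
            hits["enriched"].append(rec["event_id"])
    return hits


if __name__ == "__main__":
    for name, ids in evaluate(SAMPLE_RECORDS).items():
        print(f"{name:9s} matched events: {ids}")
```

The numeric selection catches only event 201; the enriched one catches 201 and 202. The caveat for deployment is that the SYSCALL field only exists when auditd actually runs with the ENRICHED format (or your pipeline resolves the number itself); on a RAW-format host the updated rules match nothing, so check the log format before assuming coverage.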

Removed / Deprecated Rules

  • remove: File Download Via Bitsadmin To An Uncommon Target Folder - deprecate in favor of 2ddef153-167b-4e89-86b6-757a9e65dcac

Fixed Rules

  • fix: Capabilities Discovery - Linux - Removed unnecessary windash modifier
  • fix: Creation of WerFault.exe/Wer.dll in Unusual Folder - filter C:\Windows\UUS\arm64\
  • fix: CredUI.DLL Loaded By Uncommon Process - filter systemapps
  • fix: Files With System Process Name In Unsuspected Locations - filter windows temp
  • fix: GUI Input Capture - macOS - remove osascript wrong path
  • fix: Load Of RstrtMgr.DLL By An Uncommon Process - filter OneDriveStandaloneUpdater.exe
  • fix: Potential Defense Evasion Via Raw Disk Access By Uncommon Tools - filter legitimate ARM based locations
  • fix: Potential System DLL Sideloading From Non System Locations - filter legitimate ARM based locations
  • fix: Potentially Suspicious Volume Shadow Copy Vsstrace.dll Load - filter C:\$WinREAgent\Scratch\
  • fix: Potentially Suspicious WDAC Policy File Creation - filter wuaucltcore.exe
  • fix: Rare Remote Thread Creation By Uncommon Source Image - filter provtool system
  • fix: Startup Folder File Write - filter out wuauclt.exe and C:\$WinREAgent\Scratch\Mount\ directory
  • fix: Suspicious desktop.ini Action - filter onedrive
  • fix: Unauthorized System Time Modification - filter out vmwaretools
  • fix: Uncommon AppX Package Locations - filter out system32
  • fix: Wow6432Node CurrentVersion Autorun Keys Modification - filter null Details

Acknowledgement

Thanks to @darses, @EzLucky, @frack113, @Koifman, @marcopedrinazzi, @MATTANDERS0N, @mbabinski, @nasbench, @Niicolaa, @phantinuss, @RiqTam, @skaynum, @swachchhanda000, @toheeb-orelope, @vl43den for their contribution to this release

Which Sigma rule package should I use?

A detailed explanation can be found in the Releases.md file. If you are new to Sigma, we recommend starting with the "Core" ruleset.

The latest release package on GitHub can always be found here.

Release r2025-12-01

28 Nov 10:43
r2025-12-01
3565dee


New Rules

  • new: AWS GuardDuty Detector Deleted Or Updated
  • new: Atomic MacOS Stealer - FileGrabber Activity
  • new: Atomic MacOS Stealer - Persistence Indicators
  • new: Cisco ASA/FP SSL VPN Exploit (CVE-2025-20333 / CVE-2025-20362) - Proxy
  • new: DNS Query by Finger Utility
  • new: Exploitation Activity of CVE-2025-59287 - WSUS Deserialization
  • new: Exploitation Activity of CVE-2025-59287 - WSUS Suspicious Child Process
  • new: FortiGate - Firewall Address Object Added
  • new: FortiGate - New Administrator Account Created
  • new: FortiGate - New Firewall Policy Added
  • new: FortiGate - New Local User Created
  • new: FortiGate - New VPN SSL Web Portal Added
  • new: FortiGate - User Group Modified
  • new: FortiGate - VPN SSL Settings Modified
  • new: Grixba Malware Reconnaissance Activity
  • new: HackTool - WSASS Execution
  • new: Network Connection Initiated via Finger.EXE
  • new: Potentially Suspicious Long Filename Pattern - Linux
  • new: RDP Enable or Disable via Win32_TerminalServiceSetting WMI Class
  • new: Registry Modification Attempt Via VBScript
  • new: Registry Modification Attempt Via VBScript - PowerShell
  • new: Registry Tampering by Potentially Suspicious Processes
  • new: Renamed Schtasks Execution
  • new: Suspicious ClickFix/FileFix Execution Pattern
  • new: Suspicious Explorer Process with Whitespace Padding - ClickFix/FileFix
  • new: Suspicious FileFix Execution Pattern
  • new: Suspicious Filename with Embedded Base64 Commands
  • new: Suspicious Kerberos Ticket Request via CLI
  • new: Suspicious Space Characters in RunMRU Registry Path - ClickFix
  • new: Suspicious Space Characters in TypedPaths Registry Path - FileFix
  • new: Suspicious Usage of For Loop with Recursive Directory Search in CMD
  • new: Uncommon Svchost Command Line Parameter
  • new: Unsigned .node File Loaded
  • new: Windows Default Domain GPO Modification
  • new: Windows Default Domain GPO Modification via GPME

Updated Rules

  • update: COM Object Hijacking Via Modification Of Default System CLSID Default Value - add clsid of twinapi.dll
  • update: Copy From Or To Admin Share Or Sysvol Folder - some logic change
  • update: Cred Dump Tools Dropped Files - Add procdump.exe and procdump64a.exe
  • update: DNS Query to External Service Interaction Domains - add additional domains and filters
  • update: File Download From Browser Process Via Inline URL - Enhance selection by splitting CLI markers for better matching
  • update: FileFix - Command Evidence in TypedPaths - Added more markers
  • update: JexBoss Command Sequence - Update the selection to use the |all modifier.
  • update: LOL-Binary Copied From System Directory - Add ie4uinit.exe
  • update: PPL Tampering Via WerFaultSecure - Rename and update metadata
  • update: PUA - AdFind Suspicious Execution - Add -sc to dclist string for more accurate coverage.
  • update: Potential CVE-2024-3400 Exploitation - Palo Alto GlobalProtect OS Command Injection - Update selection
  • update: Potential ClickFix Execution Pattern - Registry - Add 2 new strings, "finger" and "identification"
  • update: Potential Container Discovery Via Inodes Listing - replace contains globbing with more correct patterns using regex
  • update: Potential Tampering With RDP Related Registry Keys Via Reg.EXE - Add coverage for SecurityLayer value
  • update: Potentially Suspicious NTFS Symlink Behavior Modification - Tighten logic to focus on proxy process such as cmd or powershell
  • update: RDP Sensitive Settings Changed - Add coverage for SecurityLayer value
  • update: Suspicious Copy From or To System Directory - Update selection to use regex for better accuracy
  • update: Suspicious Kerberos Ticket Request via PowerShell Script - ScriptBlock - Add the "GetRequest()" string
  • update: System File Execution Location Anomaly - add Windows error reporting binaries
  • update: System Information Discovery via Registry Queries - Enhance registry markers
  • update: Tor Client/Browser Execution - Add additional PE metadata markers

Removed / Deprecated Rules

  • remove: Active Directory Kerberos DLL Loaded Via Office Application - deprecated as it triggers on normal activity
  • remove: Atomic MacOS Stealer - FileGrabber Infostealer Execution - deprecate in favor of e710a880-1f18-4417-b6a0-b5afdf7e33da
  • remove: Space After Filename - Logic was incorrect and untested

Fixed Rules

  • fix: Capture Credentials with Rpcping.exe - Fix incorrect usage of windash with the all modifier, that broke the logic.
  • fix: Classes Autorun Keys Modification - filter null details
  • fix: Common Autorun Keys Modification - filter null
  • fix: Creation of a Local Hidden User Account by Registry - Fix the TargetObject value
  • fix: CurrentVersion Autorun Keys Modification - filter null details
  • fix: CurrentVersion NT Autorun Keys Modification - filter null and poqexec.exe
  • fix: Explorer Process Tree Break - Fix incorrect usage of windash with the all modifier, that broke the logic.
  • fix: MSDT Execution Via Answer File - Rename rule as well as introduce usage of windash for increased coverage.
  • fix: Modification of IE Registry Settings - filter null details
  • fix: Office Macro File Download - Reduce level to low due to FPs spotted via VT.
  • fix: PUA - Sysinternals Tools Execution - Registry - Fix incorrect logsource
  • fix: Potential COM Object Hijacking Via TreatAs Subkey - Registry - Change logsource and fix the rule logic
  • fix: Potential Dtrack RAT Activity - fix problematic regex with 'OR' condition
  • fix: Potential Persistence Via Logon Scripts - Registry - Fix incorrect logsource
  • fix: Potential Persistence Via New AMSI Providers - Registry - Change logsource and fix the rule logic
  • fix: Potential Persistence Via Shim Database Modification - filter null details
  • fix: Potential Product Reconnaissance Via Wmic.EXE - add filter for some product related operation through wmic
  • fix: Potential Ursnif Malware Activity - Registry - add specific registry key
  • fix: Removal Of Index Value to Hide Schedule Task - Registry - Remove EventType condition that broke the rule.
  • fix: Removal Of SD Value to Hide Schedule Task - Registry - Remove EventType condition that broke the rule.
  • fix: Scheduled Task Creation Via Schtasks.EXE - add filter for MS Office applications
  • fix: Scheduled TaskCache Change by Uncommon Program - filter null details
  • fix: Suspicious Certreq Command to Download - remove spaces and specific path from detection
  • fix: Suspicious CustomShellHost Execution - Increased level to high due to low FP rate spotted via VT.
  • fix: Suspicious Execution Of Renamed Sysinternals Tools - Registry - Fix incorrect logsource
  • fix: Suspicious Explorer Process with Whitespace Padding - ClickFix/FileFix - Fix selection to use ParentImage instead of Image field
  • fix: Use Short Name Path in Command Line - add filter for dotnet csc.exe
  • fix: WMIC Remote Command Execution - fix broken FP filter
  • fix: Wlrmdr.EXE Uncommon Argument Or Child Process - Fix incorrect usage of windash with the all modifier, that broke the logic.
  • fix: Wow6432Node Windows NT CurrentVersion Autorun Keys Modification - filter null
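Two kinds of modifier change recur in these notes: "DNS Query to External Service Interaction Domains" moved its domain list from contains to endswith, and three rules (Capture Credentials with Rpcping.exe, Explorer Process Tree Break, Wlrmdr.EXE Uncommon Argument Or Child Process) had windash combined with all in a way that broke the logic. The block below is an added example, not code from the Sigma repository and not a reimplementation of any Sigma backend or validator: a toy evaluator for the contains, endswith, windash and all modifiers, run over constructed events. The callback domains and the rpcping command line are placeholders, not the rules' values, and the flatten_windash flag models one incorrect way of composing windash with all so that the failure is visible.

```python
"""Toy evaluator for four Sigma value modifiers (contains, endswith, windash,
all). A teaching model for this example, not a reimplementation of any Sigma
backend or validator."""
from itertools import product

# Characters the windash modifier permutes a '-' into: ASCII dash, slash,
# en dash, em dash and horizontal bar.
WINDASH_CHARS = ["-", "/", "\u2013", "\u2014", "\u2015"]


def windash(value: str) -> list[str]:
    """All variants of value with each '-' replaced by one of WINDASH_CHARS."""
    slots = [WINDASH_CHARS if ch == "-" else [ch] for ch in value]
    return ["".join(combo) for combo in product(*slots)]


def match_one(field_value: str, op: str, pattern: str) -> bool:
    """One string comparison; Sigma string matching is case-insensitive by default."""
    fv, pat = field_value.lower(), pattern.lower()
    if op == "contains":
        return pat in fv
    if op == "endswith":
        return fv.endswith(pat)
    return fv == pat


def eval_detection_item(event: dict, field: str, modifiers: str, values: list[str],
                        flatten_windash: bool = False) -> bool:
    """Evaluate a `field|modifiers: values` detection item against one event.

    Intended composition: each listed value becomes an OR over its windash
    variants, then `all` links the listed values with AND (OR without `all`).
    flatten_windash=True models a wrong composition: every variant is appended
    to the value list as its own entry, so `all` demands that the command line
    contain '-s', '/s', the Unicode dashes, and so on, all at once.
    """
    mods = modifiers.split("|")
    op = next((m for m in mods if m in ("contains", "endswith")), "equals")
    groups = [windash(v) if "windash" in mods else [v] for v in values]
    if flatten_windash:
        groups = [[variant] for group in groups for variant in group]
    per_value = [any(match_one(str(event.get(field, "")), op, p) for p in group)
                 for group in groups]
    return all(per_value) if "all" in mods else any(per_value)


# Constructed sample events for this example; the callback domains are
# placeholders, not the list used by the repository's rule.
DNS_EVENTS = [
    {"QueryName": "abc123.interact.example"},      # genuine callback lookup
    {"QueryName": "interact.example.corp.local"},  # internal host with a lookalike label
    {"QueryName": "myinteract.example"},           # unrelated domain sharing a substring
]
CALLBACK_DOMAINS = ["interact.example", "callback.example"]
PROC_EVENT = {"CommandLine": "rpcping.exe /s 10.0.0.5 /e 1234 /a privacy /u NTLM"}
RPCPING_MARKERS = ["-s ", "-e ", "-a privacy"]   # illustrative, not the rule's values


def dns_hits(op: str) -> list[str]:
    """QueryName values matched when the domain list is applied with `op`."""
    patterns = CALLBACK_DOMAINS if op == "contains" else ["." + d for d in CALLBACK_DOMAINS]
    return [e["QueryName"] for e in DNS_EVENTS
            if eval_detection_item(e, "QueryName", op, patterns)]


def windash_hits(flatten: bool) -> bool:
    """Does CommandLine|contains|windash|all fire on the slash-form command line?"""
    return eval_detection_item(PROC_EVENT, "CommandLine", "contains|windash|all",
                               RPCPING_MARKERS, flatten_windash=flatten)


if __name__ == "__main__":
    print("contains :", dns_hits("contains"))
    print("endswith :", dns_hits("endswith"))
    print("windash|all, variants OR-ed per value:", windash_hits(flatten=False))
    print("windash|all, variants flattened      :", windash_hits(flatten=True))
```

With contains, all three DNS events fire, including the internal host and the lookalike; with endswith and a leading dot only the genuine callback does. For windash, the intended composition fires on the slash-form command line, while the flattened composition can never fire because no single command line carries every dash variant. The practical check is the same in both cases: convert the rule with the backend you actually deploy and run the query against a sample event in each form, rather than assuming how a chain of modifiers composes.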

Acknowledgement

Thanks to @darses, @deftoner, @EzLucky, @frack113, @HullaBrian, @inthecyber, @JasonPhang98, @jstnk9, @Koifman, @Liran017, @montysecurity, @nasbench, @phantinuss, @RiqTam, @SethHanford, @suKTech24, @swachchhanda000, @tropChaud, @tsale, @YxinMiracle for their contribution to this release


Release r2025-11-01

29 Oct 11:28
r2025-11-01
a77d3ba


New Rules

  • new: AWS Bucket Deleted
  • new: AWS Console Login Monitoring
  • new: AWS ConsoleLogin Failed Authentication
  • new: AWS EnableRegion Command Monitoring
  • new: AWS IAM user with Console Access Login Without MFA (#5074)
  • new: AWS KMS Imported Key Material Usage
  • new: AWS STS GetCallerIdentity Enumeration Via TruffleHog
  • new: AWS VPC Flow Logs Deleted
  • new: Audit Rules Deleted Via Auditctl
  • new: BaaUpdate.exe Suspicious DLL Load
  • new: FTP Connection Open Attempt Via Winscp CLI
  • new: File Access Of Signal Desktop Sensitive Data
  • new: GitHub Repository Archive Status Changed
  • new: GitHub Repository Pages Site Changed to Public
  • new: Hacktool - EDR-Freeze Execution
  • new: IIS WebServer Log Deletion via CommandLine Utilities
  • new: ISATAP Router Address Was Set
  • new: Installation of WSL KaliLinux
  • new: Kaspersky Endpoint Security Stopped Via CommandLine - Linux
  • new: Linux Sudo Chroot Execution
  • new: Mask System Power Settings Via Systemctl
  • new: Non-Standard Nsswitch.Conf Creation - Potential CVE-2025-32463 Exploitation
  • new: PUA - Restic Backup Tool Execution
  • new: Potential Executable Run Itself As Sacrificial Process
  • new: Potential Exploitation of GoAnywhere MFT vulnerability
  • new: Potential Lateral Movement via Windows Remote Shell
  • new: Python WebServer Execution - Linux
  • new: RunMRU Registry Key Deletion
  • new: RunMRU Registry Key Deletion - Registry
  • new: Suspicious BitLocker Access Agent Update Utility Execution (#5502)
  • new: Syslog Clearing or Removal Via System Utilities
  • new: Unsigned or Unencrypted SMB Connection to Share Established
  • new: WFP Filter Added via Registry
  • new: WSL Kali Linux Usage
  • new: WinRAR Creating Files in Startup Locations
  • new: Winrs Local Command Execution
  • new: Winscp Execution From Non Standard Folder

Updated Rules

  • update: ASLR Disabled Via Sysctl or Direct Syscall - Linux - Add sysctl option
  • update: AWS Successful Console Login Without MFA - only alert on successful logins
  • update: Account Tampering - Suspicious Failed Logon Reasons - add SubStatus field
  • update: Blackbyte Ransomware Registry - move to rules-emerging-threats folder
  • update: Local Accounts Discovery - add OriginalFileName field
  • update: Modify System Firewall - add nftables delete/flush
  • update: PFX File Creation - Enhance filters, metadata and logic
  • update: Potential LSASS Process Dump Via Procdump - expand flags and service-names detection
  • update: Potentially Suspicious JWT Token Search Via CLI - add selection for common search tools
  • update: PowerShell Download Pattern - add powershell_ise
  • update: Powershell Token Obfuscation - Powershell - Move to the TH folder in order to set the right FP expectations.
  • update: Suspicious C2 Activities - update definition (#5142)
  • update: Suspicious Process Suspension via WERFaultSecure through EDR-Freeze - refine image path logic and include OriginalFileName for improved rule accuracy
  • update: Suspicious Startup Folder Persistence - add more suspicious extensions
  • update: Use Short Name Path in Image - change detection logic structure
  • update: WinRAR Execution in Non-Standard Folder - update PE metadata

Removed / Deprecated Rules

  • remove: Active Directory Parsing DLL Loaded Via Office Application - deprecated as this rule was triggered every time any Office app was opened
  • remove: Azure Application Credential Modified - superseded by cbb67ecc-fb70-4467-9350-c910bdf7c628
  • remove: PowerShell DownloadFile - Deprecated in favour of 3b6ab547-8ec2-4991-b9d2-2b06702a48d7
  • remove: Whoami Utility Execution - Deprecated in favor of 502b42de-4306-40b4-9596-6f590c81f073

Fixed Rules

  • fix: Allow Service Access Using Security Descriptor Tampering Via Sc.EXE - filter hexnode
  • fix: Alternate PowerShell Hosts - PowerShell Module - filter out more legit powershell host
  • fix: Arbitrary DLL or Csproj Code Execution Via Dotnet.EXE - remove + characters from selectors
  • fix: CurrentVersion Autorun Keys Modification - Add more filters for OneDriveSetup.EXE
  • fix: CurrentVersion NT Autorun Keys Modification - filter svchost making legitimate registry change
  • fix: File With Uncommon Extension Created By An Office Application - Add a filter to remove fp caused by ".com" directory filename
  • fix: Firewall Configuration Discovery Via Netsh.EXE - fix logic (#5171)
  • fix: HackTool - Windows Credential Editor (WCE) Execution - remove fp selection while increasing coverage
  • fix: Kerberoasting Activity - Initial Query - Fix issue with filter names and logic
  • fix: Mint Sandstorm - AsperaFaspex Suspicious Process Execution - Change the commandline to regex to account for additional spaces when ingesting non XML version of logs from the eventlog.
  • fix: Mint Sandstorm - ManageEngine Suspicious Process Execution - Change the commandline to regex to account for additional spaces when ingesting non XML version of logs from the eventlog.
  • fix: Office Application Initiated Network Connection Over Uncommon Ports - Add filter for other common ports
  • fix: Office Application Initiated Network Connection To Non-Local IP - Add filter to more legit microsoft IP address ASN subnets
  • fix: Office Autorun Keys Modification - Add a new filter for a FriendlyName Addin
  • fix: Ping Hex IP - refined detection by adding regex to only match true hexadecimal IPv4 formats
  • fix: Potential CVE-2023-23397 Exploitation Attempt - Add RemoteAddress field to filters
  • fix: Potential Data Exfiltration Activity Via CommandLine Tools - Change the commandline to regex to account for additional spaces when ingesting non XML version of logs from the eventlog.
  • fix: Potential Devil Bait Malware Reconnaissance - Change the commandline to regex to account for additional spaces when ingesting non XML version of logs from the eventlog.
  • fix: Potential Dtrack RAT Activity - Change the commandline to regex to account for additional spaces when ingesting non XML version of logs from the eventlog.
  • fix: Potential PowerShell Obfuscation Using Alias Cmdlets - filter legitimate cim aliases
  • fix: Potential Snatch Ransomware Activity - Change the commandline to regex to account for additional spaces when ingesting non XML version of logs from the eventlog.
  • fix: Potentially Suspicious Desktop Background Change Via Registry - filter EC2Launch.exe
  • fix: Potentially Suspicious Volume Shadow Copy Vsstrace.dll Load - Add a filter for null Image field
  • fix: Program Executed Using Proxy/Local Command Via SSH.EXE - fix overlap of strings to reduce FPs
  • fix: Rare Remote Thread Creation By Uncommon Source Image - filter office FPs (#5529)
  • fix: Registry Persistence via Service in Safe Mode - filter hexnode
  • fix: SMB Create Remote File Admin Share - filter out local IP
  • fix: Startup Folder File Write - Add a filter for OneNote
  • fix: Suspicious Access to Sensitive File Extensions - Commented out groups.xml
  • fix: Suspicious Access to Sensitive File Extensions - Zeek - Commented out groups.xml
  • fix: Suspicious Network Command - Change the commandline to regex to account for additional spaces when ingesting non XML version of logs from the eventlog.
  • fix: Suspicious Non PowerShell WSMAN COM Provider - filter hexnode
  • fix: Suspicious SYSTEM User Process Creation - Change the commandline to regex to account for additional spaces when ingesting non XML version of logs from the eventlog.
  • fix: Suspicious Userinit Child Process - Add filter to Explorer in CommandLine
  • fix: Suspicious Volume Shadow Copy Vssapi.dll Load - Add a filter for null Image field
  • fix: Suspicious WSMAN Provider Image Loads - Add a filter for mmc loading wsman provider images
  • fix: Sysmon Channel Reference Deletion - AccessMask should be a string
  • fix: System Disk And Volume Reconnaissance via Wmic.EXE - update the rule logic to remove potential FPs
  • fix: System File Execution Location Anomaly - add filter for wsl fps
  • fix: Turla Group Commands May 2020 - Change the commandline to regex to account for additional spaces when ingesting non XML version of logs from the eventlog.
  • fix: Uncommon AppX Package Locations - Add a filter to legit Microsoft path
  • fix: Uncommon PowerShell Hosts - filter hexnode
  • fix: Usage Of Web Request Commands And Cmdlets - Comment out Net.webclient
  • fix: Usage Of Web Request Commands And Cmdlets - ScriptBlock - Commented out Net.webclient
  • fix: WannaCry Ransomware Activity - remove generic indicators (#5131)

Acknowledgement

Thanks to @adanalvarez, @BalsamicSentry, @BIitzkrieg, @CheraghiMilad, @david-syk, @djlukic, @EzLucky, @frack113, @kagebunsher, @KingKDot, @Koifman, @Liran017, @mlakri, @mm-abdelghani, @nasbench, @netgrain, @NinnessOtu, @peterydzynski, @phantinuss, @rkmbaxed, @RobertN87, @saakovv, @swachchhanda000, @thuya-hacktilizer, @toopricey, @vasquja, @vl43den, @YamatoSecurity, @zambomarcell for their contribution to this release


Release r2025-10-01

01 Oct 12:54
r2025-10-01
d27d120


New Rules

  • new: ADExplorer Writing Complete AD Snapshot Into .dat File
  • new: CrushFTP RCE vulnerability CVE-2025-54309
  • new: Delete Defender Scan ShellEx Context Menu Registry Key
  • new: Disabling Windows Defender WMI Autologger Session via Reg.exe
  • new: FunkLocker Ransomware File Creation
  • new: Low Reputation Effective Top-Level Domain (eTLD)
  • new: MMC Executing Files with Reversed Extensions Using RTLO Abuse
  • new: MMC Loading Script Engines DLLs
  • new: MacOS FileGrabber Infostealer
  • new: NodeJS Execution of JavaScript File
  • new: Password Never Expires Set via WMI
  • new: Potential ClickFix Execution Pattern - Registry
  • new: Potential Hello-World Scraper Botnet Activity
  • new: Potential JLI.dll Side-Loading
  • new: Potential PowerShell Console History File Access Attempt
  • new: Potential SAP NetWeaver Webshell Creation
  • new: Potential SAP NetWeaver Webshell Creation - Linux
  • new: Potential SSH Tunnel Persistence Install Using A Scheduled Task
  • new: Potential SharePoint ToolShell CVE-2025-53770 Exploitation - File Create
  • new: Potential SharePoint ToolShell CVE-2025-53770 Exploitation Indicators
  • new: Potentially Suspicious Child Processes Spawned by ConHost
  • new: Potentially Suspicious Inline JavaScript Execution via NodeJS Binary
  • new: PowerShell Defender Default Threat Action Set to 'Allow' or 'NoAction'
  • new: Registry Manipulation via WMI Stdregprov
  • new: Remote Access Tool - TacticalRMM Agent Registration to Potential Attacker-Controlled Server
  • new: Scheduled Task Creation Masquerading as System Processes
  • new: Schtasks Curl Download and Powershell Execution Combination
  • new: Security Event Logging Disabled Via MiniNt Registry Key - Process
  • new: Security Event Logging Disabled Via MiniNt Registry Key - Registry Set
  • new: SharePoint ToolShell CVE-2025-53770 Exploitation - Web IIS
  • new: Suspicious Child Process of SAP NetWeaver
  • new: Suspicious Child Process of SAP NetWeaver - Linux
  • new: Suspicious Creation of .library-ms File - Potential CVE-2025-24054 Exploit
  • new: Suspicious File Created in Outlook Temporary Directory
  • new: Suspicious File Write to SharePoint Layouts Directory
  • new: Suspicious Process Suspension via WERFaultSecure through EDR-Freeze
  • new: Suspicious Uninstall of Windows Defender Feature via PowerShell
  • new: Suspicious Velociraptor Child Process
  • new: WDAC Policy File Creation In CodeIntegrity Folder
  • new: Windows Defender Context Menu Removed via Reg.exe
  • new: Windows Defender Default Threat Action Modified
  • new: Windows Recovery Environment Disabled Via Reagentc

Updated Rules

  • update: Active Directory Database Snapshot Via ADExplorer - add more selections
  • update: Certificate Use With No Strong Mapping - Update Provider Name
  • update: Change User Agents with WebRequest - add invoke-restmethod cmdlet
  • update: DNS Query Tor .Onion Address - Sysmon - update detection logic
  • update: DNS TOR Proxies - update detection logic
  • update: KDC RC4-HMAC Downgrade CVE-2022-37966 - Update Provider Name
  • update: Network Connection Initiated To BTunnels Domains - MITRE tags
  • update: Network Connection Initiated To Cloudflared Tunnels Domains - MITRE tags
  • update: Network Connection Initiated To DevTunnels Domain - MITRE tags
  • update: Network Connection Initiated To Mega.nz - MITRE tag
  • update: Network Connection Initiated To Visual Studio Code Tunnels Domain - MITRE tags
  • update: No Suitable Encryption Key Found For Generating Kerberos Ticket - Update Provider Name
  • update: Obfuscated IP Download Activity - add invoke-restmethod cmdlet
  • update: Potential DLL File Download Via PowerShell Invoke-WebRequest - add invoke-restmethod cmdlet
  • update: Potential Data Exfiltration Activity Via CommandLine Tools - add invoke-restmethod cmdlet
  • update: Potential Defense Evasion Via Binary Rename - add 7za
  • update: Potential Defense Evasion Via Right-to-Left Override - add [U+202E]
  • update: Potential File Extension Spoofing Using Right-to-Left Override - add [U+202E] and more extensions
  • update: Potential SharePoint ToolShell CVE-2025-53770 Exploitation - File Create - update rule with new IOCs
  • update: PowerShell Download and Execution Cradles - add invoke-restmethod cmdlet
  • update: PowerShell Script With File Upload Capabilities - add invoke-restmethod cmdlet
  • update: Python Image Load By Non-Python Process - update the metadata
  • update: Query Tor Onion Address - DNS Client - update detection logic
  • update: Regsvr32 DLL Execution With Suspicious File Extension - add coverage for regsvr executing '.log' extension
  • update: Renamed Visual Studio Code Tunnel Execution - remove optional flag '--name'
  • update: RestrictedAdminMode Registry Value Tampering - ProcCreation - remove trailing slash
  • update: Suspicious Active Directory Database Snapshot Via ADExplorer - add more selections
  • update: Suspicious Double Extension Files - add .svg extension
  • update: Suspicious Dropbox API Usage - MITRE tags
  • update: Suspicious Get Local Groups Information - PowerShell - increase coverage for WMI modules
  • update: Suspicious Invoke-WebRequest Execution - add powershell_ise
  • update: Suspicious Invoke-WebRequest Execution With DirectIP - add invoke-restmethod cmdlet
  • update: Suspicious Non-Browser Network Communication With Telegram API - MITRE tag
  • update: Suspicious PowerShell In Registry Run Keys - add invoke-restmethod cmdlet
  • update: Suspicious Windows Service Tampering - add coverage for Windows service tampering through wmic and PowerShell WMI module
  • update: System File Execution Location Anomaly - add taskhostw
  • update: Unsigned DLL Loaded by Windows Utility - also filter SignatureStatus 'valid'
  • update: Usage Of Web Request Commands And Cmdlets - ScriptBlock - add invoke-restmethod cmdlet
  • update: Usage Of Web Request Commands And Cmdlets - add invoke-restmethod cmdlet
  • update: Visual Studio Code Tunnel Execution - remove optional flag '--name'

Removed / Deprecated Rules

  • remove: .RDP File Created by Outlook Process - deprecate in favour of fabb0e80-030c-4e3e-a104-d09676991ac3
  • remove: PowerShell Web Download - deprecate duplicate rule in favour of 9fc51a3c-81b3-4fa7-b35f-7c02cf10fd2d

Fixed Rules

  • fix: Added Credentials to Existing Application - fix filter dash type, capitalization and spaces to match Azure log format
  • fix: COM Hijacking via TreatAs - Add filter for integrator.exe
  • fix: HackTool - LaZagne Execution - remove imphashes common to pyinstaller bundled executables
  • fix: New Service Creation Using Sc.EXE - add filter for dropbox
  • fix: Potential Defense Evasion Via Raw Disk Access By Uncommon Tools - add filter for mpDefenderCoreService and SysWow64
  • fix: Potential Persistence Via Notepad++ Plugins - add filter for notepad++ installers
  • fix: Potential PsExec Remote Execution - add filter for localhost
  • fix: Potential Python DLL SideLoading - add FP filter caused by pyinstaller bundled applications
  • fix: Process Initiated Network Connection To Ngrok Domain - fix title and update MITRE tags
  • fix: Removal of Potential COM Hijacking Registry Keys - Added Msedge update filter
  • fix: Suspicious Volume Shadow Copy VSS_PS.dll Load - add vssadmin filter
  • fix: Transferring Files with Credential Data via Network Shares - Made the string matching a little more specific to avoid FPs
  • fix: UNC4841 - Barracuda ESG Exploitation Indicators - reduce FPs caused by mknod on Linux systems
  • fix: Windows Binaries Write Suspicious Extensions - Add filter for PowerShell files created by svchost in the Clipchamp folder.
  • fix: Windows Event Log Access Tampering Via Registry
  • fix: potentially suspicious execution from tmp folder
  • fix: potentially suspicious execution from tmp folder - nextcloud fp from tmp folder

Acknowledgement

Thanks to @0xbcf, @0xPrashanthSec, @egycondor, @EzLucky, @frack113, @gkazimiarovich, @JasonPhang98, @josamontiel, @Koifman, @Liran017, @M1ra1B0T, @MATTANDERS0N, @nasbench, @Neo23x0, @netgrain, @nisargsuthar, @norbert791, @peterydzynski, @phantinuss, @resp404nse, @ruppde, @swachchhanda000, @Ti-R, @vl43den, @YxinMiracle for their contribution to this release

Which Sigma rule package should I use?

A detailed explanation can be found in the Releases.md file. If you are new to Sigma, we recommend starting with the "Core" ruleset.

The latest release package on GitHub can always be found here.

Release r2025-07-08

08 Jul 11:32
r2025-07-08
a55bc21

New Rules

  • new: Attempts of Kerberos Coercion Via DNS SPN Spoofing
  • new: BITS Client BitsProxy DLL Loaded By Uncommon Process
  • new: Clear or Disable Kernel Ring Buffer Logs via Syslog Syscall
  • new: DNS Query To Common Malware Hosting and Shortener Services
  • new: DNS Query To Katz Stealer Domains
  • new: DNS Query To Katz Stealer Domains - Network
  • new: Disable ASLR Via Personality Syscall - Linux
  • new: FileFix - Command Evidence in TypedPaths from Browser File Upload Abuse
  • new: FileFix - Suspicious Child Process from Browser File Upload Abuse
  • new: HKTL - SharpSuccessor Privilege Escalation Tool Execution
  • new: HackTool - Doppelanger LSASS Dumper Execution
  • new: HackTool - HollowReaper Execution
  • new: HackTool - Impacket File Indicators
  • new: Katz Stealer DLL Loaded
  • new: Katz Stealer Suspicious User-Agent
  • new: MSSQL Destructive Query
  • new: Obfuscated PowerShell MSI Install via WindowsInstaller COM
  • new: Potential AS-REP Roasting via Kerberos TGT Requests
  • new: Potential Abuse of Linux Magic System Request Key
  • new: Potential Exploitation of RCE Vulnerability CVE-2025-33053
  • new: Potential Exploitation of RCE Vulnerability CVE-2025-33053 - Image Load
  • new: Potential Exploitation of RCE Vulnerability CVE-2025-33053 - Process Access
  • new: Potential Java WebShell Upload in SAP NetViewer Server
  • new: Potential Kerberos Coercion by Spoofing SPNs via DNS Manipulation
  • new: Potential Notepad++ CVE-2025-49144 Exploitation
  • new: Potential SAP NetViewer Webshell Command Execution
  • new: PowerShell MSI Install via WindowsInstaller COM From Remote Location
  • new: Proxy Execution via Vshadow - detect invocation of vshadow.exe with -exec to spot hidden malware execution
  • new: RegAsm.EXE Execution Without CommandLine Flags or Files
  • new: Registry Export of Third-Party Credentials
  • new: Remote Access Tool - Potential MeshAgent Usage - MacOS
  • new: Remote Access Tool - Potential MeshAgent Usage - Windows
  • new: Remote Access Tool - Suspicious MeshAgent Usage - MacOS
  • new: Remote Access Tool - Suspicious MeshAgent Usage - Windows
  • new: Special File Creation via Mknod Syscall
  • new: Suspicious DNS Query Indicating Kerberos Coercion via DNS Object SPN Spoofing
  • new: Suspicious DNS Query Indicating Kerberos Coercion via DNS Object SPN Spoofing - Network
  • new: Suspicious Deno File Written from Remote Source
  • new: Suspicious Download and Execute Pattern via Curl/Wget
  • new: Suspicious File Access to Browser Credential Storage
  • new: System Info Discovery via Sysinfo Syscall
  • new: System Information Discovery via Registry Queries
  • new: Trusted Path Bypass via Windows Directory Spoofing

Updated Rules

  • update: Access of Sudoers File Content - add more tools
  • update: AspNetCompiler Execution - Add ARM version of the \Microsoft.NET path
  • update: Audio Capture - use syscall name instead of id
  • update: Cisco Modify Configuration - add "ntp server" keyword
  • update: Clear or Disable Kernel Ring Buffer Logs via Syslog Syscall - use syscall name instead of id
  • update: Commands to Clear or Remove the Syslog - detect journald vacuuming
  • update: Disable ASLR Via Personality Syscall - Linux - use syscall name instead of id
  • update: Disable Internal Tools or Feature in Registry - Add more registry modifications associated with feature changes of Windows internal tools
  • update: Enumeration for 3rd Party Creds From CLI - Update the condition to reduce FPs
  • update: File Decoded From Base64/Hex Via Certutil.EXE - Increase level to high
  • update: FileFix - Suspicious Child Process from Browser File Upload Abuse - add cmd.exe child process
  • update: HackTool - LaZagne Execution - Add filter to reduce FPs and extend coverage through imphash
  • update: Local Groups Discovery - Linux - add text output tools
  • update: MSHTA Execution with Suspicious File Extensions - title changed and more suspicious extensions added
  • update: Malicious PowerShell Commandlets - PoshModule - Add BadSuccessor Exploit
  • update: Malicious PowerShell Commandlets - PoshModule - add Invoke-PowerDPAPI
  • update: Malicious PowerShell Commandlets - ProcessCreation - add Invoke-PowerDPAPI
  • update: Malicious PowerShell Commandlets - ScriptBlock - add Invoke-PowerDPAPI
  • update: Malicious PowerShell Scripts - FileCreation - Add BadSuccessor Exploit
  • update: Malicious PowerShell Scripts - FileCreation - add Invoke-PowerDPAPI
  • update: Malicious PowerShell Scripts - PoshModule - Add BadSuccessor Exploit
  • update: Malicious PowerShell Scripts - PoshModule - add Invoke-PowerDPAPI
  • update: Potential CommandLine Obfuscation Using Unicode Characters From Suspicious Image - add Unicode space character
  • update: Potential PowerShell Obfuscation Via WCHAR/CHAR - Add CHAR variation
  • update: Potentially Suspicious ASP.NET Compilation Via AspNetCompiler - Add ARM version of the \Microsoft.NET path
  • update: Program Executed Using Proxy/Local Command Via SSH.EXE - add Imphash and OriginalFileName
  • update: Remote Thread Created In Shell Application - move to threat-hunting folder as it causes too much noise
  • update: Suspicious Double Extension File Execution - add more suspicious extension combinations
  • update: Suspicious Double Extension Files - add more suspicious extension combinations
  • update: Suspicious SignIns From A Non Registered Device - add null value in addition to empty string
  • update: Suspicious Windows Defender Registry Key Tampering Via Reg.EXE - Increase coverage by adding new values that allow for Windows Defender to be disabled such as DisableCloudProtection and DisableSecurityCenter
  • update: System Owner or User Discovery - Linux - add uname
  • update: TrustedPath UAC Bypass Pattern - update Image value
  • update: Webshell Remote Command Execution - add execveat and match on euid instead of key

Fixed Rules

  • fix: ADS Zone.Identifier Deleted By Uncommon Application - filter msedge
  • fix: AddinUtil.EXE Execution From Uncommon Directory - Add filter for Windows Microsoft.NET ARM path
  • fix: Amsi.DLL Load By Uncommon Process - Add filter for Windows Microsoft.NET ARM path
  • fix: Common Autorun Keys Modification - add 64-bit Program Files directory to filter
  • fix: Creation of an Executable by an Executable - Add filter for Windows Microsoft.NET ARM path
  • fix: CurrentVersion Autorun Keys Modification - add 64-bit Program Files directory to filter
  • fix: CurrentVersion NT Autorun Keys Modification - add filter for RuntimeBroker.exe
  • fix: Hidden Files and Directories - reduce FP matching with regex pattern
  • fix: MSSQL Server Failed Logon From External Network - filter for local_machine without IP
  • fix: Modification of IE Registry Settings - add filter for RuntimeBroker.exe
  • fix: Potential AS-REP Roasting via Kerberos TGT Requests - use the correct PreAuthType selection field name
  • fix: Potential Active Directory Reconnaissance/Enumeration Via LDAP - commenting out troublesome LDAP query parameter
  • fix: Potential Binary Or Script Dropper Via PowerShell - add filters for legitimate binary dropped by PowerShell
  • fix: Potential DLL Sideloading Of MsCorSvc.DLL - Add filter for Windows Microsoft.NET ARM path
  • fix: Potential System DLL Sideloading From Non System Locations - Add filter for "C:\Windows\SyChpe32"
  • fix: PowerShell Core DLL Loaded By Non PowerShell Process - Add filter for Windows Microsoft.NET ARM path
  • fix: Rare Remote Thread Creation By Uncommon Source Image - add new filters to reduce noise
  • fix: Remote Thread Created In Shell Application - modify the logic to filter out legit processes creating remote thread in shell apps
  • fix: Remote Thread Creation By Uncommon Source Image - add new filters to reduce noise
  • fix: Remote Thread Creation In Uncommon Target Image - add FP filters for notepad and sethc
  • fix: Scheduled TaskCache Change by Uncommon Program - add filter for RuntimeBroker.exe
  • fix: Suspicious Sysmon as Execution Parent - add filter for Sysmon binary running from temp dir
  • fix: Suspicious Userinit Child Process - filter null Image
  • fix: Suspicious WSMAN Provider Image Loads - Add filter for Windows Microsoft.NET ARM path
  • fix: Uncommon AppX Package Locations - add a new filter to reduce noise
  • fix: Use Short Name Path in Command Line - add filter for aurora
  • fix: WMI Module Loaded By Uncommon Process - Add filter for Windows Microsoft.NET ARM path

Acknowledgement

Thanks to @0xFustang, @ajpc500, @ariel-anieli, @CheraghiMilad, @dan21san, @david-syk, @egycondor, @EzLucky, @frack113, @gregorywychowaniec-zt, @GrepItAll, @hashdr1ft, @joshnck, @JrOrOneEquals1, @kivi280, @MalGamy12, @nasbench, @nikstuckenbrock, @norbert791, @phantinuss, @swachchhanda000, @unicornofhunt, @vx3r, @wieso-itzi, @X-Junior, @xlazarg for their contribution to this release

Release r2025-05-21

27 May 11:13
304b019

New Rules

  • new: Clfs.SYS Loaded By Process Located In a Potential Suspicious Location
  • new: Crash Dump Created By Operating System
  • new: HTTP Request to Low Reputation TLD or Suspicious File Extension
  • new: Kalambur Backdoor Curl TOR SOCKS Proxy Execution
  • new: Notepad Password Files Discovery
  • new: PUA - AdFind.EXE Execution
  • new: PUA - NimScan Execution
  • new: Potential CVE-2024-35250 Exploitation Activity
  • new: Potential Exploitation of CVE-2025-4427/4428 Ivanti EPMM Pre-Auth RCE
  • new: Potential Unconstrained Delegation Discovery Via Get-ADComputer - ScriptBlock
  • new: Potentially Suspicious WDAC Policy File Creation
  • new: Suspicious Autorun Registry Modified via WMI
  • new: Suspicious CrushFTP Child Process
  • new: Suspicious LNK Command-Line Padding with Whitespace Characters
  • new: Suspicious Process Spawned by CentreStack Portal AppPool

Updated Rules

  • update: AADInternals PowerShell Cmdlets Execution - ProccessCreation - Add additional strings from the AADinternals framework
  • update: AADInternals PowerShell Cmdlets Execution - PsScript - Add additional strings from the AADinternals framework
  • update: AWS New Lambda Layer Attached - Enhance metadata and logic
  • update: Anydesk Remote Access Software Service Installation - Enhance coverage by accounting for the AnyDesk MSI Service
  • update: Audio Capture - add ecasound detection
  • update: Buffer Overflow Attempts - Enhance and reworked logic with new keywords
  • update: COM Object Hijacking Via Modification Of Default System CLSID Default Value - Add additional COM CLSID
  • update: Direct Autorun Keys Modification
  • update: Elevated System Shell Spawned - Add powershell_ise
  • update: Elevated System Shell Spawned From Uncommon Parent Location - Add powershell_ise
  • update: Malicious PowerShell Commandlets - PoshModule - Add Veeam-Get-Creds
  • update: Malicious PowerShell Commandlets - ProcessCreation - Add Veeam-Get-Creds
  • update: Malicious PowerShell Scripts - FileCreation - Add Veeam-Get-Creds.ps1
  • update: Malicious PowerShell Scripts - PoshModule - Add Veeam-Get-Creds.ps1
  • update: New RUN Key Pointing to Suspicious Folder
  • update: Nslookup PowerShell Download Cradle - Add additional coverage with -type=txt http
  • update: Obfuscated PowerShell OneLiner Execution - Enhance logic to increase coverage.
  • update: Potential APT FIN7 Exploitation Activity - Add false positive description
  • update: Potential Binary Impersonating Sysinternals Tools - Add list of binaries compiled for the Arm64 arch
  • update: Potential Browser Data Stealing - add esentutl.exe
  • update: Potential Obfuscated Ordinal Call Via Rundll32 - Add additional obfuscation methods
  • update: Potential Persistence Attempt Via Run Keys Using Reg.EXE
  • update: Potential Product Class Reconnaissance Via Wmic.EXE - Add AntiSpywareProduct class
  • update: Potentially Suspicious WDAC Policy File Creation
  • update: Process Memory Dump Via Comsvcs.DLL - Add additional obfuscation methods
  • update: Remote Access Tool - AnyDesk Execution - Add AnyDeskMSI.exe
  • update: Remote Access Tool - AnyDesk Incoming Connection - Add AnyDeskMSI.exe
  • update: Remote Access Tool - Anydesk Execution From Suspicious Folder - Add AnyDeskMSI.exe
  • update: Renamed AdFind Execution - Add additional Imphash values
  • update: Service Reload or Start - Linux - Add additional flags and binaries used to change service status
  • update: Suspicious Binary Writes Via AnyDesk - Add AnyDeskMSI.exe
  • update: Suspicious Eventlog Clear - Added coverage for eventlog clearing using dotnet class
  • update: Suspicious Eventlog Clearing or Configuration Change Activity - Added coverage for eventlog clearing using dotnet class
  • update: Suspicious PowerShell Invocations - Specific
  • update: Suspicious PowerShell Invocations - Specific - PowerShell Module
  • update: Suspicious Powershell In Registry Run Keys
  • update: Suspicious Run Key from Download
  • update: Windows Event Log Access Tampering Via Registry - Increase coverage by removing log markers
  • update: proc_creation_lnx_esxcli_network_discovery.yml - updating MITRE to match v17
  • update: proc_creation_lnx_esxcli_permission_change_admin.yml - updating MITRE to match v17
  • update: proc_creation_lnx_esxcli_storage_discovery.yml - updating MITRE to match v17
  • update: proc_creation_lnx_esxcli_syslog_config_change.yml - updating MITRE to match v17
  • update: proc_creation_lnx_esxcli_system_discovery.yml - updating MITRE to match v17
  • update: proc_creation_lnx_esxcli_user_account_creation.yml - updating MITRE to match v17
  • update: proc_creation_lnx_esxcli_vm_discovery.yml - updating MITRE to match v17
  • update: proc_creation_lnx_esxcli_vm_kill.yml - updating MITRE to match v17
  • update: proc_creation_lnx_esxcli_vsan_discovery.yml - updating MITRE to match v17

Fixed Rules

  • fix: Conhost Spawned By Uncommon Parent Process - Add filter for '-k wusvcs -p -s WaaSMedicSvc'
  • fix: Indirect Command Exectuion via Forfiles - wrong keyword
  • fix: Potential Binary Or Script Dropper Via PowerShell - Add filter for C:\Windows\SystemTemp\
  • fix: Potential CVE-2023-23397 Exploitation Attempt - SMB - Add filters for IP format when ingesting XML raw event
  • fix: Potential CVE-2023-23397 Exploitation Attempt - SMB - Fix the IP block covering EventID 30804 as it does not contain an IP as a field but as a string
  • fix: Potential WinAPI Calls Via CommandLine - Add new filter for CompatTelRunner
  • fix: PowerShell Execution - wrong date format
  • fix: Python Initiated Connection - Add filter for pip install
  • fix: Python Initiated Connection - Enhance python filter
  • fix: Python Inline Command Execution - Add filter for whl package installations
  • fix: Schtasks Creation Or Modification With SYSTEM Privileges - Add new filter for Office scheduled task
  • fix: Whoami.EXE Execution Anomaly - Add new filter for empty parent
  • fix: Windows Processes Suspicious Parent Directory - Add new filter for empty parent

Acknowledgement

Thanks to @CheraghiMilad, @clr2of8, @david-syk, @DFIR-Detection, @dsplice, @Eyezuhk, @frack113, @Gude5, @HannesWid, @imall4n, @jasonmull, @Koifman, @MalGamy12, @nasbench, @Neo23x0, @nickatrecon, @phantinuss, @RG9n, @signalblur, @swachchhanda000, @whichbuffer, @X-Junior for their contribution to this release

Release r2025-02-03

03 Feb 17:34
2bfb093

New Rules

  • new: Azure Login Bypassing Conditional Access Policies
  • new: CVE-2024-49113 Exploitation Attempt - LDAP Nightmare
  • new: Suspicious Binaries and Scripts in Public Folder
  • new: Suspicious Invocation of Shell via Rsync
  • new: Windows Event Log Access Tampering Via Registry

Updated Rules

  • update: Exploit Framework User Agent - Add default Havoc C2 UA
  • update: Renamed Powershell Under Powershell Channel - Update regex to use \s+ to account for different parsers
  • update: Shell Execution via Rsync - Linux - Rework logic to make it more generic and include additional shells.
  • update: Suspicious Non PowerShell WSMAN COM Provider - Update regex to use \s+ to account for different parsers
  • update: Suspicious Windows Service Tampering - Add additional services

Removed / Deprecated Rules

  • remove: Windows Defender Exclusion Deleted

Fixed Rules

  • fix: BITS Transfer Job With Uncommon Or Suspicious Remote TLD - Add dn.onenote.net/ and cdn.office.net/
  • fix: CodeIntegrity - Unmet Signing Level Requirements By File Under Validation - Add filter for Kaspersky and mDNS Responder
  • fix: Failed Code Integrity Checks - Add filters for CrowdStrike.
  • fix: Forest Blizzard APT - Process Creation Activity - prepend SHA256 to hash value
  • fix: HackTool - Dumpert Process Dumper Execution - prepend MD5 to hash value
  • fix: ManageEngine Endpoint Central Dctask64.EXE Potential Abuse - prepend IMPHASH to hash value
  • fix: Potential CVE-2023-36874 Exploitation - Fake Wermgr.Exe Creation - Add filter for \Windows\SoftwareDistribution\Download\
  • fix: Potentially Suspicious Volume Shadow Copy Vsstrace.dll Load - Add exclusion filter C:\ProgramData\Package Cache\{ to account for cases like the execution of vcredist
  • fix: Privileged User Has Been Created - Add missing comma to avoid false positives
  • fix: Relevant Anti-Virus Signature Keywords In Application Log - Enhances the HTool string to avoid unintended matches.
  • fix: Renamed Powershell Under Powershell Channel - Add edge case filters for double backslashes PowerShell invocation.
  • fix: Renamed ZOHO Dctask64 Execution - prepend IMPHASH to hash value
  • fix: Uncommon AppX Package Locations - Add https://installer.teams.static.microsoft/
  • fix: WCE wceaux.dll Access - Remove EventIDs 4658 and 4660 as they both do not contain the ObjectName field

Acknowledgement

Thanks to @DanielKoifman, @defensivedepth, @djlukic, @frack113, @GtUGtHGtNDtEUaE, @joshnck, @krdmnbrk, @nasbench, @Neo23x0, @samuelmonsempessenthorus, @Ti-R, @tsale, @X-Junior for their contribution to this release

Release r2024-12-19

19 Dec 19:46
e8a6894

New Rules

  • new: AWS Key Pair Import Activity
  • new: AWS SAML Provider Deletion Activity
  • new: CVE-2024-50623 Exploitation Attempt - Cleo
  • new: DNS Query Request By QuickAssist.EXE
  • new: Lummac Stealer Activity - Execution Of More.com And Vbc.exe
  • new: Modification or Deletion of an AWS RDS Cluster
  • new: New AWS Lambda Function URL Configuration Created
  • new: Potential File Extension Spoofing Using Right-to-Left Override
  • new: Potentially Suspicious Azure Front Door Connection
  • new: QuickAssist Execution
  • new: Setup16.EXE Execution With Custom .Lst File
  • new: Suspicious ShellExec_RunDLL Call Via Ordinal

Updated Rules

  • update: App Assigned To Azure RBAC/Microsoft Entra Role - Add a constraint to limit the detection to service principal only
  • update: COM Object Hijacking Via Modification Of Default System CLSID Default Value - Add 2 additional built-in COM object GUIDs that were seen being used for hijacking
  • update: COM Object Hijacking Via Modification Of Default System CLSID Default Value - Add {603D3801-BD81-11d0-A3A5-00C04FD706EC}
  • update: DNS Query To Remote Access Software Domain From Non-Browser App - Add getscreen.me
  • update: File and Directory Discovery - Linux - Add 2 additional binaries, "findmnt" and "mlocate"
  • update: GALLIUM IOCs - remove custom dedicated hash fields
  • update: HackTool - CoercedPotato Execution - remove custom dedicated hash fields
  • update: HackTool - CreateMiniDump Execution - remove custom dedicated hash fields
  • update: HackTool - GMER Rootkit Detector and Remover Execution - remove custom dedicated hash fields
  • update: HackTool - HandleKatz LSASS Dumper Execution - remove custom dedicated hash fields
  • update: HackTool - Impersonate Execution - remove custom dedicated hash fields
  • update: HackTool - LocalPotato Execution - remove custom dedicated hash fields
  • update: HackTool - PCHunter Execution - remove custom dedicated hash fields
  • update: HackTool - PPID Spoofing SelectMyParent Tool Execution - remove custom dedicated hash fields
  • update: HackTool - SharpEvtMute DLL Load - remove custom dedicated hash fields
  • update: HackTool - Stracciatella Execution - remove custom dedicated hash fields
  • update: HackTool - SysmonEOP Execution - remove custom dedicated hash fields
  • update: HackTool - UACMe Akagi Execution - remove custom dedicated hash fields
  • update: HackTool - Windows Credential Editor (WCE) Execution - remove custom dedicated hash fields
  • update: HackTool Named File Stream Created - remove custom dedicated hash fields
  • update: Hacktool Execution - Imphash - remove custom dedicated hash fields
  • update: Local System Accounts Discovery - Linux - Add additional binaries to read password files such as "less" and "emacs" as well as additional password file locations such as "/etc/pwd.db"
  • update: Mail Forwarding/Redirecting Activity In O365 - Add additional parameters to increase coverage
  • update: Malicious DLL Load By Compromised 3CXDesktopApp - remove custom dedicated hash fields
  • update: MpiExec Lolbin - remove custom dedicated hash fields
  • update: PUA - Fast Reverse Proxy (FRP) Execution - remove custom dedicated hash fields
  • update: PUA - NPS Tunneling Tool Execution - remove custom dedicated hash fields
  • update: PUA - Nimgrab Execution - remove custom dedicated hash fields
  • update: PUA - Process Hacker Driver Load - remove custom dedicated hash fields
  • update: PUA - Process Hacker Execution - remove custom dedicated hash fields
  • update: PUA - System Informer Driver Load - remove custom dedicated hash fields
  • update: PUA - System Informer Execution - remove custom dedicated hash fields
  • update: PUA- IOX Tunneling Tool Execution - remove custom dedicated hash fields
  • update: Password Policy Discovery - Linux - Add additional new paths for "pam.d", namely "/etc/pam.d/common-account", "/etc/pam.d/common-auth" and "/etc/pam.d/auth"
  • update: Potential Compromised 3CXDesktopApp Execution - remove custom dedicated hash fields
  • update: Potential Defense Evasion Via Rename Of Highly Relevant Binaries - Add ie4uinit.exe and msxsl.exe to old binary rename rule
  • update: Potential Secure Deletion with SDelete - Enhance metadata
  • update: Potential SquiblyTwo Technique Execution - remove custom dedicated hash fields
  • update: Potentially Suspicious Cabinet File Expansion - Add new paths for built-in shares
  • update: Process Discovery - Add additional processes like "htop" and "atop"
  • update: Remote Access Tool - NetSupport Execution From Unusual Location - remove custom dedicated hash fields
  • update: Remote Access Tool Services Have Been Installed - Security - Add anydesk
  • update: Renamed AdFind Execution - remove custom dedicated hash fields
  • update: Renamed AutoIt Execution - remove custom dedicated hash fields
  • update: Renamed NetSupport RAT Execution - remove custom dedicated hash fields
  • update: Renamed PAExec Execution - remove custom dedicated hash fields
  • update: System Owner or User Discovery - Linux - Add 4 additional tools that can be used for host and user discovery: "whoami", "hostname", "id", "last"
  • update: Terminate Linux Process Via Kill - Add "xkill"
  • update: Vulnerable HackSys Extreme Vulnerable Driver Load - remove custom dedicated hash fields
  • update: Vulnerable WinRing0 Driver Load - remove custom dedicated hash fields
  • update: Webshell Detection With Command Line Keywords - Add suspicious powershell commandline keywords
  • update: WinDivert Driver Load - remove custom dedicated hash fields
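Many entries above drop "custom dedicated hash fields", and the r2025-02-03 fixes earlier on this page prepend SHA256, MD5 or IMPHASH to the hash value instead. Both concern how a rule matches Sysmon hashes: Sysmon writes every hash of a file into one `Hashes` field as comma-separated `ALGO=hex` entries, and a Sigma selection on that field is `Hashes|contains`, a case-insensitive substring test. The Python below is an added example written for this page, not code from the Sigma repository. It parses a constructed `Hashes` string, contrasts the old dedicated `Imphash` field with a prefixed `Hashes|contains` indicator, and shows why the prefix matters: MD5 and IMPHASH are both 32 hex characters, so a bare value matches either algorithm. Field names follow Sysmon; the events, paths and hash values are constructed.

```python
"""Added example (not code from the Sigma repository): how the algorithm
prefix in a Sysmon `Hashes` indicator changes what a rule matches.

Sysmon stores all hashes of a file in one field:
    Hashes: SHA256=<hex>,MD5=<hex>,IMPHASH=<hex>
A Sigma selection on that field uses `Hashes|contains`, a case-insensitive
substring test. The events and hash values below are constructed.
"""
from __future__ import annotations

import re
from typing import Iterable

# One `ALGO=hex` entry of a Sysmon Hashes string.
_ENTRY_RE = re.compile(r"^(?P<algo>[A-Za-z0-9]+)=(?P<hex>[0-9A-Fa-f]+)$")

# Constructed indicator: the imphash of a tool we want to catch.
IMPHASH_IOC = "c3" * 16

# Constructed process-creation events. Only a SIEM pipeline that splits the
# Hashes string produces a dedicated `Imphash` field; a raw Sysmon event has
# none, so the second event deliberately omits it.
SAMPLE_EVENTS = [
    {   # pipeline with split hash fields; imphash equals the IOC
        "Image": r"C:\Users\alice\AppData\Local\Temp\svchost.exe",
        "Hashes": "SHA256=" + "a1" * 32 + ",MD5=" + "b2" * 16 + ",IMPHASH=" + "c3" * 16,
        "Imphash": "c3" * 16,
    },
    {   # raw Sysmon event, upper-case hex, no dedicated field; imphash equals the IOC
        "Image": r"C:\ProgramData\update\dctask64.exe",
        "Hashes": "SHA256=" + "D4" * 32 + ",MD5=" + "E5" * 16 + ",IMPHASH=" + "C3" * 16,
    },
    {   # benign file whose MD5 happens to equal the IOC hex; its imphash differs
        "Image": r"C:\Windows\System32\notepad.exe",
        "Hashes": "SHA256=" + "00" * 32 + ",MD5=" + "c3" * 16 + ",IMPHASH=" + "22" * 16,
    },
]


def parse_hashes(hashes: str) -> dict[str, str]:
    """Split a Sysmon Hashes string into {ALGO: lowercase hex}; reject malformed entries."""
    parsed: dict[str, str] = {}
    for entry in (e.strip() for e in hashes.split(",")):
        if not entry:
            continue
        m = _ENTRY_RE.match(entry)
        if m is None:
            raise ValueError(f"malformed Hashes entry: {entry!r}")
        parsed[m.group("algo").upper()] = m.group("hex").lower()
    return parsed


def sigma_contains(field_value: str, needles: Iterable[str]) -> bool:
    """Sigma `|contains` with a list of values: case-insensitive substring, OR-ed."""
    hay = field_value.lower()
    return any(n.lower() in hay for n in needles)


def match_dedicated_field(event: dict, imphash: str) -> bool:
    """Old style, `Imphash: <hex>`: exact match on a field that raw Sysmon events lack."""
    return event.get("Imphash", "").lower() == imphash.lower()


def match_hashes_field(event: dict, indicators: Iterable[str]) -> bool:
    """New style, `Hashes|contains: ['IMPHASH=<hex>', ...]`. Each indicator must
    carry its ALGO= prefix so the match is bound to exactly one algorithm."""
    indicators = list(indicators)
    for ind in indicators:
        algo, sep, value = ind.partition("=")
        if not (sep and value and algo.isalnum()):
            raise ValueError(f"indicator must be ALGO=hex, got {ind!r}")
    return sigma_contains(event.get("Hashes", ""), indicators)


def algorithms_for(event: dict, hex_value: str) -> list[str]:
    """Which algorithm(s) a bare hex value would hit in this event's Hashes."""
    return [a for a, v in parse_hashes(event.get("Hashes", "")).items() if v == hex_value.lower()]


def run(events: list[dict] = SAMPLE_EVENTS, imphash: str = IMPHASH_IOC) -> dict[str, list[str]]:
    """Matched Image paths per matching style."""
    return {
        "dedicated_field": [e["Image"] for e in events if match_dedicated_field(e, imphash)],
        "bare_contains": [e["Image"] for e in events if sigma_contains(e["Hashes"], [imphash])],
        "prefixed_contains": [e["Image"] for e in events if match_hashes_field(e, [f"IMPHASH={imphash}"])],
    }


if __name__ == "__main__":
    for style, images in run().items():
        print(f"{style:18} -> {images}")
```

Running it shows the three behaviours side by side: the dedicated `Imphash` field misses the raw Sysmon event entirely, the bare 32-hex value also hits notepad.exe through its MD5 entry, and only the `IMPHASH=` prefixed indicator matches exactly the two events whose import hash is the IOC.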

Fixed Rules

  • fix: Creation of WerFault.exe/Wer.dll in Unusual Folder - Add filter for windows update/installation folder C:\Windows\SoftwareDistribution\
  • fix: FPs with NetNTLM downgrade attack (#5108)
  • fix: NetNTLM Downgrade Attack - Registry - Tune the rule for specific registry values in order to reduce FP rate.
  • fix: Suspicious Process By Web Server Process - Fix typo in "ntdsutil" process name
  • fix: Suspicious SYSTEM User Process Creation - filter false positives with Google Updater uninstall script
  • fix: bXOR Operator Usage In PowerShell Command Line - PowerShell Classic - Update the logic to remove unrelated keywords and reduce unwanted matches.

Acknowledgement

Thanks to @AlbinoGazelle, @CheraghiMilad, @cod3nym, @dan21san, @djlukic, @faisalusuf, @frack113, @gregorywychowaniec-zt, @IsaacDunham, @jstnk9, @Koifman, @MalGamy12, @mgreen27, @nasbench, @Neo23x0, @randomaccess3, @saakovv, @swachchhanda000 for their contribution to this release

Release r2024-11-10

10 Nov 10:47
4f4ef7a

New Rules

  • new: .RDP File Created by Outlook Process
  • new: Access To Browser Credential Files By Uncommon Applications - Security
  • new: Command Executed Via Run Dialog Box - Registry
  • new: DNS Request From Windows Script Host
  • new: ETW Logging/Processing Option Disabled On IIS Server
  • new: Group Policy Abuse for Privilege Addition
  • new: HTTP Logging Disabled On IIS Server
  • new: Network Connection Initiated To BTunnels Domains
  • new: New Module Module Added To IIS Server
  • new: Potential Python DLL SideLoading
  • new: Potentially Suspicious Command Executed Via Run Dialog Box - Registry
  • new: PowerShell Web Access Feature Enabled Via DISM
  • new: PowerShell Web Access Installation - PsScript
  • new: Previously Installed IIS Module Was Removed
  • new: Process Deletion of Its Own Executable
  • new: Remote Access Tool - MeshAgent Command Execution via MeshCentral
  • new: Startup/Logon Script Added to Group Policy Object

Updated Rules

  • update: .RDP File Created By Uncommon Application - Add olk.exe to cover the new version of outlook
  • update: .RDP File Created by Outlook Process - Add new paths for Outlook apps in Windows 11
  • update: Alternate PowerShell Hosts Pipe - Add optional filter for AzureConnectedMachineAgent and update old filters to be more accurate
  • update: Antivirus Hacktool Detection - Add additional hacktools signature names.
  • update: Antivirus Password Dumper Detection - Add DCSync string to cover MS Defender traffic detections
  • update: Antivirus Password Dumper Detection - Add additional password dumpers such as "DumpPert", "Lazagne", "pypykatz", etc.
  • update: Antivirus Ransomware Detection - Add additional ransomware signature names.
  • update: CodeIntegrity - Unmet Signing Level Requirements By File Under Validation - Add additional filters for third party AV
  • update: DNS Query To Remote Access Software Domain From Non-Browser App - Add remoteassistance.support.services.microsoft.com, tailscale.com, twingate.com
  • update: Disable Windows Defender Functionalities Via Registry Keys - Remove \Real-Time Protection\ prefix to increase coverage.
  • update: HackTool - Certipy Execution - Increase coverage by adding new flags such as 'cert', 'template' and 'ptt'
  • update: LSASS Process Memory Dump Files - add new dump pattern for RustiveDump and NativeDump, and exchanged "startswith" with "contains" modifier for better coverage
  • update: Linux HackTool Execution - Remove "zenmap" and "nmap" as they are already covered by 3e102cd9-a70d-4a7a-9508-403963092f31
  • update: Linux Network Service Scanning Tools Execution - Add "zenmap" utility
  • update: Local System Accounts Discovery - Linux - Increase coverage by adding additional utilities such as "nano", "tail", "vim"
  • update: Persistence and Execution at Scale via GPO Scheduled Task - Increase coverage by adding selection for EID 5136
  • update: Potential CommandLine Obfuscation Using Unicode Characters - Add coverage for 0x00A0
  • update: Potential CommandLine Obfuscation Using Unicode Characters From Suspicious Image - Add coverage for 0x00A0
  • update: Potential Data Exfiltration Over SMTP Via Send-MailMessage Cmdlet - Add the "-Attachments" flag to the logic in order to reduce false positives.
  • update: Potentially Suspicious JWT Token Search Via CLI - added the eyJhbGciOi string, corresponding to {"alg": from the JWT token header.
  • update: Process Terminated Via Taskkill - Add /pid flag and windash support
  • update: Python Reverse Shell Execution Via PTY And Socket Modules - Add additional strings to increase accuracy and coverage.
  • update: Python Spawning Pretty TTY Via PTY Module - Update the logic to account for the possibility of calling the spawn function via a variable, as an alias or other methods.
  • update: Renamed Powershell Under Powershell Channel - Add new filter to cover the edge case where the HostApplication field is null
  • update: Suspicious Non PowerShell WSMAN COM Provider - Add new filter to cover the edge case where the HostApplication field is null
  • update: BITS Transfer Job Download From File Sharing Domains - Add pixeldrain.com
  • update: COM Object Hijacking Via Modification Of Default System CLSID Default Value - Add {F82B4EF1-93A9-4DDE-8015-F7950A1A6E31}
  • update: Network Communication Initiated To File Sharing Domains From Process Located In Suspicious Folder - Add pixeldrain.com
  • update: New Connection Initiated To Potential Dead Drop Resolver Domain - Add pixeldrain.com
  • update: Potentially Suspicious File Download From File Sharing Domain Via PowerShell.EXE - Add pixeldrain.com
  • update: Suspicious File Download From File Sharing Domain Via Curl.EXE - Add pixeldrain.com
  • update: Suspicious File Download From File Sharing Domain Via Wget.EXE - Add pixeldrain.com
  • update: Suspicious File Download From File Sharing Websites - File Stream - Add pixeldrain.com
  • update: Suspicious Windows Service Tampering - Add "WSearch"
  • update: Unusual File Download From File Sharing Websites - File Stream - Add pixeldrain.com
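Three of the updates above change what the rule strings match rather than what the rules mean: the windash handling on the taskkill /pid flag, the 0x00A0 character in the Unicode obfuscation rules, and the eyJhbGciOi prefix in the JWT search rule. The following Python is an added worked example, not code from the Sigma project or from any of the rules; it shows the mechanics of each in isolation. The windash character set is the one the Sigma specification lists for that modifier; the SEARCH_TOOLS set, the label names and the sample command lines are constructed for the demonstration and are not the rules' own logic.

```python
"""
Added worked example (not code from the Sigma project): the string-level
mechanics behind three of the updates listed above.

  * Sigma's "windash" modifier expands a flag such as "/pid" into every
    dash or slash spelling the Windows command-line parsers accept.
  * U+00A0 (NO-BREAK SPACE) renders like a space but breaks naive token
    matching unless it is folded first.
  * "eyJhbGciOi" is the base64url encoding of the JWT header prefix {"alg":"
    and so does not depend on which algorithm name follows.

The command lines and label names are constructed for this demonstration;
the classify() logic is illustrative and is not the Sigma rules' own logic.
"""
import base64
import json
from itertools import product

# Characters covered by the windash modifier in the Sigma specification:
# hyphen-minus, slash, en dash, em dash, horizontal bar.
WINDASH_CHARS = ("-", "/", "\u2013", "\u2014", "\u2015")
NBSP = "\u00a0"
JWT_HEADER_PREFIX = "eyJhbGciOi"
# Assumed set of search utilities for the illustrative JWT-search check.
SEARCH_TOOLS = {"findstr", "grep", "rg", "select-string", "sls"}


def windash_variants(pattern: str) -> set:
    """Every permutation of `pattern` with each '-' or '/' replaced by any windash character."""
    slots = [i for i, ch in enumerate(pattern) if ch in ("-", "/")]
    variants = set()
    for combo in product(WINDASH_CHARS, repeat=len(slots)):
        chars = list(pattern)
        for idx, repl in zip(slots, combo):
            chars[idx] = repl
        variants.add("".join(chars))
    return variants


def normalize_cmdline(cmdline: str) -> str:
    """Fold all windash characters to '-' and NO-BREAK SPACE to ' ' so one pattern covers every spelling."""
    for ch in WINDASH_CHARS:
        cmdline = cmdline.replace(ch, "-")
    return cmdline.replace(NBSP, " ")


def jwt_header_prefix(header: dict, length: int = 10) -> str:
    """base64url-encode a JWT header (key order preserved) and return its first `length` characters."""
    raw = json.dumps(header, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()[:length]


def image_name(cmdline: str) -> str:
    """Lower-cased basename of the first token, without surrounding quotes or a .exe suffix."""
    parts = cmdline.split()
    if not parts:
        return ""
    name = parts[0].strip('"').replace("\\", "/").rsplit("/", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def classify(cmdline: str) -> set:
    """Illustrative labels for one process command line."""
    labels = set()
    if NBSP in cmdline:
        labels.add("nbsp_obfuscation")
    # Take the image from the raw line: windash folding would also rewrite '/' in paths.
    name = image_name(cmdline)
    tokens = {t.lower() for t in normalize_cmdline(cmdline).split()}
    if name in SEARCH_TOOLS and JWT_HEADER_PREFIX in cmdline:
        labels.add("jwt_search")
    if name == "taskkill" and tokens & {"-pid", "-im", "-f"}:
        labels.add("taskkill_flags")
    return labels


SAMPLE_CMDLINES = [  # constructed for this example, not real telemetry
    'findstr /S /I "eyJhbGciOi" C:\\inetpub\\logs\\*.log',
    'grep -r "eyJhbGciOi" /var/log/nginx/',
    '"C:\\Windows\\System32\\taskkill.exe" /F /IM MsMpEng.exe',
    "taskkill \u2013F \u2013PID 4242",
    "powershell\u00a0-enc SQBFAFgA",
    "notepad.exe C:\\Users\\alice\\notes.txt",
]

if __name__ == "__main__":
    print(sorted(windash_variants("/pid")))
    for hdr in ({"alg": "HS256"}, {"alg": "none"}, {"typ": "JWT", "alg": "HS256"}):
        print(hdr, "->", jwt_header_prefix(hdr))
    for line in SAMPLE_CMDLINES:
        print(f"{sorted(classify(line))!s:<22} {line}")
```

Two practical caveats fall out of running it. Folding dashes before matching is equivalent to expanding the pattern with windash but also rewrites forward slashes inside paths, so the image name has to be taken from the raw command line. And eyJhbGciOi is only stable for headers whose first claim is alg: a header serialized as {"typ":"JWT","alg":"HS256"} encodes to eyJ0eXAiOi..., so a rule keyed on the longer prefix misses it, while the alg-independent prefix eyJ (any header starting with {" followed by a letter) is far noisier.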

Fixed Rules

  • fix: Antivirus Relevant File Paths Alerts - Remove the path "\Client" as it is too generic for a detection rule.
  • fix: Antivirus Web Shell Detection - Removed overlapping strings "ASP/Agent", "PHP/Agent", "JSP/Agent".
  • fix: PwnKit Local Privilege Escalation - Fix typo in the word "suspicious"
  • fix: UNC2452 Process Creation Patterns - Add the missing "all" modifier

Acknowledgement

Thanks to @ahmedfarou22, @bharat-arora-magnet, @BlackB0lt, @CheraghiMilad, @dan21san, @defensivedepth, @deFr0ggy, @djlukic, @frack113, @fukusuket, @ionsor, @jaegeral, @joshnck, @Koifman, @Mahir-Ali-khan, @MalGamy12, @MHaggis, @Milad Cheraghi, @nasbench, @Neo23x0, @ruppde, @secDre4mer, @swachchhanda000, @tsale, @wieso-itzi, @X-Junior for their contributions to this release

Which Sigma rule package should I use?

A detailed explanation can be found in the Releases.md file. If you are new to Sigma, we recommend starting with the "Core" ruleset.

The latest release package on GitHub can always be found here.

Release r2024-09-02

02 Sep 18:30
7f0f7ee


New Rules

  • new: Access To Chromium Browsers Sensitive Files By Uncommon Applications
  • new: Access To Crypto Currency Wallets By Uncommon Applications
  • new: Antivirus Filter Driver Disallowed On Dev Drive - Registry
  • new: Capsh Shell Invocation - Linux
  • new: ChromeLoader Malware Execution
  • new: Clipboard Data Collection Via Pbpaste
  • new: Data Export From MSSQL Table Via BCP.EXE
  • new: Disk Image Creation Via Hdiutil - MacOS
  • new: Disk Image Mounting Via Hdiutil - MacOS
  • new: DNS Query To Put.io - DNS Client
  • new: Driver Added To Disallowed Images In HVCI - Registry
  • new: Emotet Loader Execution Via .LNK File
  • new: Exploitation Attempt Of CVE-2020-1472 - Execution of ZeroLogon PoC
  • new: FakeUpdates/SocGholish Activity
  • new: File Explorer Folder Opened Using Explorer Folder Shortcut Via Shell
  • new: Github Fork Private Repositories Setting Enabled/Cleared
  • new: Github Repository/Organization Transferred
  • new: Github SSH Certificate Configuration Changed
  • new: HackTool - SharpWSUS/WSUSpendu Execution
  • new: HackTool - SOAPHound Execution
  • new: Headless Process Launched Via Conhost.EXE
  • new: Hidden Flag Set On File/Directory Via Chflags - MacOS
  • new: Hiding User Account Via SpecialAccounts Registry Key - CommandLine
  • new: Injected Browser Process Spawning Rundll32 - GuLoader Activity
  • new: Inline Python Execution - Spawn Shell Via OS System Library
  • new: Kerberoasting Activity - Initial Query
  • new: Manual Execution of Script Inside of a Compressed File
  • new: Microsoft Teams Sensitive File Access By Uncommon Application
  • new: Multi Factor Authentication Disabled For User Account
  • new: Obfuscated PowerShell OneLiner Execution
  • new: OneNote.EXE Execution of Malicious Embedded Scripts
  • new: Potential APT FIN7 Exploitation Activity
  • new: Potential BOINC Software Execution (UC-Berkeley Signature)
  • new: Potential CommandLine Obfuscation Using Unicode Characters From Suspicious Image - A detection replacement for e0552b19-5a83-4222-b141-b36184bb8d79
  • new: Potential CSharp Streamer RAT Loading .NET Executable Image
  • new: Potential CVE-2021-44228 Exploitation Attempt - VMware Horizon
  • new: Potential CVE-2022-22954 Exploitation Attempt - VMware Workspace ONE Access Remote Code Execution
  • new: Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 1
  • new: Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 2
  • new: Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 3
  • new: Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 4
  • new: Potential Exploitation of CVE-2024-37085 - Suspicious Creation Of ESX Admins Group
  • new: Potential Exploitation of CVE-2024-37085 - Suspicious ESX Admins Group Activity
  • new: Potential File Override/Append Via SET Command
  • new: Potential MOVEit Transfer CVE-2023-34362 Exploitation - Dynamic Compilation Via Csc.EXE
  • new: Potential Raspberry Robin Aclui Dll SideLoading
  • new: Potential Raspberry Robin Registry Set Internet Settings ZoneMap
  • new: Potentially Suspicious Rundll32.EXE Execution of UDL File
  • new: Powershell Executed From Headless ConHost Process
  • new: Process Launched Without Image Name
  • new: Python Function Execution Security Warning Disabled In Excel
  • new: Python Function Execution Security Warning Disabled In Excel - Registry
  • new: Raspberry Robin Initial Execution From External Drive
  • new: Raspberry Robin Subsequent Execution of Commands
  • new: Remote Access Tool - Action1 Arbitrary Code Execution and Remote Sessions
  • new: Remote Access Tool - Ammy Admin Agent Execution
  • new: Remote Access Tool - AnyDesk Incoming Connection
  • new: Remote Access Tool - Cmd.EXE Execution via AnyViewer
  • new: Renamed BOINC Client Execution
  • new: Serpent Backdoor Payload Execution Via Scheduled Task
  • new: Shell Execution GCC - Linux
  • new: Shell Execution via Find - Linux
  • new: Shell Execution via Flock - Linux
  • new: Shell Execution via Git - Linux
  • new: Shell Execution via Nice - Linux
  • new: Shell Execution via Rsync - Linux
  • new: Shell Invocation via Env Command - Linux
  • new: Shell Invocation Via Ssh - Linux
  • new: Suspicious Invocation of Shell via AWK - Linux
  • new: Suspicious Process Masquerading As SvcHost.EXE
  • new: Task Scheduler DLL Loaded By Application Located In Potentially Suspicious Location
  • new: Unattend.XML File Access Attempt
  • new: Uncommon Connection to Active Directory Web Services
  • new: Ursnif Redirection Of Discovery Commands
  • new: User Risk and MFA Registration Policy Updated

Updated Rules

  • update: Access To .Reg/.Hive Files By Uncommon Applications - Update filters and move to threat hunting folder
  • update: Access To Browser Credential Files By Uncommon Applications - Update filters and move to threat hunting folder
  • update: Access To Windows Credential History File By Uncommon Applications - Update filters
  • update: Access To Windows DPAPI Master Keys By Uncommon Applications - Update filters
  • update: Access To Windows Outlook Mail Files By Uncommon Applications - Update filters and move to threat hunting folder
  • update: Antivirus Exploitation Framework Detection - Add additional keywords and strings to enhance coverage
  • update: Antivirus Hacktool Detection - Add additional keywords and strings to enhance coverage
  • update: Antivirus Password Dumper Detection - Add additional keywords and strings to enhance coverage
  • update: Antivirus Ransomware Detection - Add additional keywords and strings to enhance coverage
  • update: Antivirus Relevant File Paths Alerts - Add additional keywords and strings to enhance coverage
  • update: Antivirus Web Shell Detection - Add additional keywords and strings to enhance coverage
  • update: BITS Transfer Job Download From File Sharing Domains - Add additional domains, *.trycloudflare.com, *.pages.dev, *.w3spaces.com and *.workers.dev
  • update: Cab File Extraction Via Wusa.EXE - Move to the "threat-hunting" folder
  • update: COM Object Execution via Xwizard.EXE - Update logic
  • update: Credential Manager Access By Uncommon Applications - Update filters
  • update: Disable Important Scheduled Task - Add \Windows\ExploitGuard\ExploitGuard MDM policy Refresh
  • update: Github High Risk Configuration Disabled - Add business_advanced_security.disabled, business_advanced_security.disabled_for_new_repos, business_advanced_security.disabled_for_new_user_namespace_repos, business_advanced_security.user_namespace_repos_disabled, org.advanced_security_disabled_for_new_repos, org.advanced_security_disabled_on_all_repos
  • update: Github Secret Scanning Feature Disabled - Add secret_scanning_new_repos.disable
  • update: Network Communication Initiated To File Sharing Domains From Process Located In Suspicious Folder - Add additional domains, *.trycloudflare.com, *.pages.dev, *.w3spaces.com and *.workers.dev
  • update: Network Connection Initiated From Process Located In Potentially Suspicious Or Uncommon Location - Add additional domains, *.trycloudflare.com, *.pages.dev, *.w3spaces.com and *.workers.dev
  • update: New Connection Initiated To Potential Dead Drop Resolver Domain - Add additional domains, *.trycloudflare.com, *.pages.dev, *.w3spaces.com and *.workers.dev
  • update: Potential Active Directory Reconnaissance/Enumeration Via LDAP - add enumeration of distinguished names
  • update: Potential CommandLine Obfuscation Using Unicode Characters - Moved to "threat-hunting" due to the nature of its false positives
  • update: Potential CVE-2022-29072 Exploitation Attempt - Add additional shells and flags
  • update: Potential DLL Injection Via AccCheckConsole - Enhance coverage and logic
  • update: Potential DLL Sideloading Activity Via ExtExport.EXE - Metadata and logic update
  • update: Potential Persistence Via Outlook Home Page - Update the logic to account for additional sub keys.
  • update: Potential Persistence Via Outlook Today Page - Update the logic to account for the "URL" value.
  • update: Potential Remote WMI ActiveScriptEventConsumers Activity - Moved to "threat-hunting" as it is meant as an enrichment rule.
  • update: Potentially Suspicious EventLog Recon Activity Using Log Query Utilities - Increase coverage
  • update: Potentially Suspicious File Download From File Sharing Domain Via PowerShell.EXE - Add additional domains, *.trycloudflare.com, *.pages.dev, *.w3spaces.com and *.workers.dev
  • update: Powershell Token Obfuscation - Powershell - Optimize the regex used
  • update: Powershell Token Obfuscation - Process Creation - Optimize the regex used
  • update: Process Memory Dump via RdrLeakDiag.EXE - Enhance coverage
  • update: Relevant Anti-Virus Signature Keywords In Application Log - Add additional keywords and strings to enhance coverage
  • update: Suspicious Download From File-Sharing Website Via Bitsadmin - Add additional domains, *.trycloudflare.com, *.pages.dev, *.w3spaces.com and *.workers.dev
  • update: Suspicious File Download From File Sharing Domain Via Curl.EXE - Add additional domains, *.trycloudflare.com, *.pages.dev, *.w3spaces.com and *.workers.dev
  • update: Suspicious File Download From File Sharing Domain Via Wget.EXE - Add additional domains, *.trycloudflare.com, *.pages.dev, *.w3spaces.com and *.workers.dev
  • update: Suspicious File Download From File Sharing Websites - File Stream - Add additional domains, *.trycloudflare.com, *.pages.dev, *.w3spaces.com and *.workers.dev
  • update: Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE - Add additional domains, *.trycloudflare.com, *.pages.dev, *.w3spaces.com and *.workers.dev
  • update: Suspicious Remote AppX Package Locations - Add additional domains, *.trycloudflare.com, *.pages.dev, *.w3spaces.com and *.workers.dev
  • update...