Release r2025-07-08 · SigmaHQ/sigma · GitHub
r2025-07-08
This tag was signed with the committer's verified signature.
a55bc21
This commit was created on GitHub.com and signed with GitHub's verified signature.
New Rules
- new: Attempts of Kerberos Coercion Via DNS SPN Spoofing
- new: BITS Client BitsProxy DLL Loaded By Uncommon Process
- new: Clear or Disable Kernel Ring Buffer Logs via Syslog Syscall
- new: DNS Query To Common Malware Hosting and Shortener Services
- new: DNS Query To Katz Stealer Domains
- new: DNS Query To Katz Stealer Domains - Network
- new: Disable ASLR Via Personality Syscall - Linux
- new: FileFix - Command Evidence in TypedPaths from Browser File Upload Abuse
- new: FileFix - Suspicious Child Process from Browser File Upload Abuse
- new: HKTL - SharpSuccessor Privilege Escalation Tool Execution
- new: HackTool - Doppelanger LSASS Dumper Execution
- new: HackTool - HollowReaper Execution
- new: HackTool - Impacket File Indicators
- new: Katz Stealer DLL Loaded
- new: Katz Stealer Suspicious User-Agent
- new: MSSQL Destructive Query
- new: Obfuscated PowerShell MSI Install via WindowsInstaller COM
- new: Potential AS-REP Roasting via Kerberos TGT Requests
- new: Potential Abuse of Linux Magic System Request Key
- new: Potential Exploitation of RCE Vulnerability CVE-2025-33053
- new: Potential Exploitation of RCE Vulnerability CVE-2025-33053 - Image Load
- new: Potential Exploitation of RCE Vulnerability CVE-2025-33053 - Process Access
- new: Potential Java WebShell Upload in SAP NetViewer Server
- new: Potential Kerberos Coercion by Spoofing SPNs via DNS Manipulation
- new: Potential Notepad++ CVE-2025-49144 Exploitation
- new: Potential SAP NetViewer Webshell Command Execution
- new: PowerShell MSI Install via WindowsInstaller COM From Remote Location
- new: Proxy Execution via Vshadow - detect invocation of vshadow.exe with -exec to spot hidden malware execution
- new: RegAsm.EXE Execution Without CommandLine Flags or Files
- new: Registry Export of Third-Party Credentials
- new: Remote Access Tool - Potential MeshAgent Usage - MacOS
- new: Remote Access Tool - Potential MeshAgent Usage - Windows
- new: Remote Access Tool - Suspicious MeshAgent Usage - MacOS
- new: Remote Access Tool - Suspicious MeshAgent Usage - Windows
- new: Special File Creation via Mknod Syscall
- new: Suspicious DNS Query Indicating Kerberos Coercion via DNS Object SPN Spoofing
- new: Suspicious DNS Query Indicating Kerberos Coercion via DNS Object SPN Spoofing - Network
- new: Suspicious Deno File Written from Remote Source
- new: Suspicious Download and Execute Pattern via Curl/Wget
- new: Suspicious File Access to Browser Credential Storage
- new: System Info Discovery via Sysinfo Syscall
- new: System Information Discovery via Registry Queries
- new: Trusted Path Bypass via Windows Directory Spoofing
Updated Rules
- update: Access of Sudoers File Content - add more tools
- update: AspNetCompiler Execution - Add ARM version of the \Microsoft.NET path
- update: Audio Capture - use syscall name instead of id
- update: Cisco Modify Configuration - add "ntp server" keyword
- update: Clear or Disable Kernel Ring Buffer Logs via Syslog Syscall - use syscall name instead of id
- update: Commands to Clear or Remove the Syslog - detect journald vacuuming
- update: Disable ASLR Via Personality Syscall - Linux - use syscall name instead of id
- update: Disable Internal Tools or Feature in Registry - More registry modifications associated with feature change of windows internal tools added
- update: Enumeration for 3rd Party Creds From CLI - Updated the condition to update FP
- update: File Decoded From Base64/Hex Via Certutil.EXE - Increase level to high
- update: FileFix - Suspicious Child Process from Browser File Upload Abuse - add cmd.exe child process
- update: HackTool - LaZagne Execution: filter added to reduce FP and added more coverage through imphash
- update: Local Groups Discovery - Linux - add text output tools
- update: MSHTA Execution with Suspicious File Extensions - title changed and more susp extension added
- update: Malicious PowerShell Commandlets - PoshModule - Add BadSuccessor Exploit
- update: Malicious PowerShell Commandlets - PoshModule - add Invoke-PowerDPAPI
- update: Malicious PowerShell Commandlets - ProcessCreation - add Invoke-PowerDPAPI
- update: Malicious PowerShell Commandlets - ScriptBlock - add Invoke-PowerDPAPI
- update: Malicious PowerShell Scripts - FileCreation - Add BadSuccessor Exploit
- update: Malicious PowerShell Scripts - FileCreation - add Invoke-PowerDPAPI
- update: Malicious PowerShell Scripts - PoshModule - Add BadSuccessor Exploit
- update: Malicious PowerShell Scripts - PoshModule - add Invoke-PowerDPAPI
- update: Potential CommandLine Obfuscation Using Unicode Characters From Suspicious Image - add Unicode space character
- update: Potential PowerShell Obfuscation Via WCHAR/CHAR - Add CHAR variation
- update: Potentially Suspicious ASP.NET Compilation Via AspNetCompiler - Add ARM version of the \Microsoft.NET path
- update: Program Executed Using Proxy/Local Command Via SSH.EXE - add Imphash and OriginalFileName
- update: Remote Thread Created In Shell Application - move to threat-hunting folder as it causes too much noise
- update: Suspicious Double Extension File Execution: add more suspicious extension combinations
- update: Suspicious Double Extension Files: add more suspicious extension combinations
- update: Suspicious SignIns From A Non Registered Device - add null value in addition to empty string
- update: Suspicious Windows Defender Registry Key Tampering Via Reg.EXE - Increase coverage by adding new values that allow for Windows Defender to be disabled such as DisableCloudProtection and DisableSecurityCenter
- update: System Owner or User Discovery - Linux - add uname
- update: TrustedPath UAC Bypass Pattern - update Image value
- update: Webshell Remote Command Execution - add execveat and match on euid instead of key
Fixed Rules
- fix: ADS Zone.Identifier Deleted By Uncommon Application - filter msedge
- fix: AddinUtil.EXE Execution From Uncommon Directory - Add filter for Windows Microsoft.NET ARM path
- fix: Amsi.DLL Load By Uncommon Process - Add filter for Windows Microsoft.NET ARM path
- fix: Common Autorun Keys Modification - add 64 bits Program Files directory in filter
- fix: Creation of an Executable by an Executable - Add filter for Windows Microsoft.NET ARM path
- fix: CurrentVersion Autorun Keys Modification - add 64 bits Program Files directory in filter
- fix: CurrentVersion NT Autorun Keys Modification - add filter for RuntimeBroker.exe
- fix: Hidden Files and Directories - reduce FP matching with regex pattern
- fix: MSSQL Server Failed Logon From External Network - filter for local_machine without IP
- fix: Modification of IE Registry Settings - add filter for RuntimeBroker.exe
- fix: Potential AS-REP Roasting via Kerberos TGT Requests - use the correct PreAuthType selection field name
- fix: Potential Active Directory Reconnaissance/Enumeration Via LDAP - commenting out troublesome LDAP query parameter
- fix: Potential Binary Or Script Dropper Via PowerShell - add filters for legitimate binary dropped by PowerShell
- fix: Potential DLL Sideloading Of MsCorSvc.DLL - Add filter for Windows Microsoft.NET ARM path
- fix: Potential System DLL Sideloading From Non System Locations - Add filter for "C:\Windows\SyChpe32"
- fix: PowerShell Core DLL Loaded By Non PowerShell Process - Add filter for Windows Microsoft.NET ARM path
- fix: Rare Remote Thread Creation By Uncommon Source Image - add new filters to reduce noise
- fix: Remote Thread Created In Shell Application - modify the logic to filter out legit processes creating remote thread in shell apps
- fix: Remote Thread Creation By Uncommon Source Image - add new filters to reduce noise
- fix: Remote Thread Creation In Uncommon Target Image - add FP filters for notepad and sethc
- fix: Scheduled TaskCache Change by Uncommon Program - add filter for RuntimeBroker.exe
- fix: Suspicious Sysmon as Execution Parent - add filter for Sysmon binary running from temp dir
- fix: Suspicious Userinit Child Process - filter null Image
- fix: Suspicious WSMAN Provider Image Loads - Add filter for Windows Microsoft.NET ARM path
- fix: Uncommon AppX Package Locations - add a new filter to reduce noise
- fix: Use Short Name Path in Command Line - add filter for aurora
- fix: WMI Module Loaded By Uncommon Process - Add filter for Windows Microsoft.NET ARM path
Acknowledgement
Thanks to @0xFustang, @ajpc500, @ariel-anieli, @CheraghiMilad, @dan21san, @david-syk, @egycondor, @EzLucky, @frack113, @gregorywychowaniec-zt, @GrepItAll, @hashdr1ft, @joshnck, @JrOrOneEquals1, @kivi280, @MalGamy12, @nasbench, @nikstuckenbrock, @norbert791, @phantinuss, @swachchhanda000, @unicornofhunt, @vx3r, @wieso-itzi, @X-Junior, @xlazarg for their contributions to this release.
Which Sigma rule package should I use?
A detailed explanation can be found in the Releases.md file. If you are new to Sigma, we recommend starting with the "Core" ruleset.
The latest release package on GitHub can always be found here.