SigmaHQ Rules Release Highlights — r2023-10-23

<p>Sigma Rule Packages for 23-10-2023 are released and available for <a href="https://github.com/SigmaHQ/sigma/releases/tag/r2023-10-23" rel="noopener ugc nofollow" target="_blank">download</a>. This release saw the addition of <strong>21 new rules</strong>, <strong>17 rule updates</strong> and <strong>24 rule fixes</strong>.</p>
<h1>New Rules</h1>
<p>Highlights among the new rules include a detection for CVE-2023-27363 (Remote Code Execution in Foxit Reader) based on <code>.hta</code> file creation in the Startup directory.</p>
<pre>
title: Potential CVE-2023-27363 Exploitation - HTA File Creation By FoxitPDFReader
id: 9cae055f-e1d2-4f81-b8a5-1986a68cdd84
status: experimental
description: Detects suspicious ".hta" file creation in the startup folder by Foxit Reader. This can be an indication of CVE-2023-27363 exploitation.
references:
    - https://github.com/j00sean/SecBugs/tree/ff72d553f75d93e1a0652830c0f74a71b3f19c46/CVEs/CVE-2023-27363
    - https://www.zerodayinitiative.com/advisories/ZDI-23-491/
    - https://www.tarlogic.com/blog/cve-2023-27363-foxit-reader/
author: Gregory
date: 2023/10/11
tags:
    - attack.persistence
    - attack.t1505.001
    - cve.2023.27363
logsource:
    product: windows
    category: file_event
detection:
    selection:
        Image|endswith: '\FoxitPDFReader.exe'
        TargetFilename|contains: '\Microsoft\Windows\Start Menu\Programs\Startup\'
        TargetFilename|endswith: '.hta'
    condition: selection
falsepositives:
    - Unknown
level: high
</pre>
<p>Another highlight is a generic rule that detects the use of curl to download files from IP-based URLs, as <a href="https://github.com/pr0xylife/IcedID/blob/main/icedID_09.28.2023.txt" rel="noopener ugc nofollow" target="_blank">seen</a> being abused in the <a href="https://tria.ge/230928-shv6tsdf67/behavioral1" rel="noopener ugc nofollow" target="_blank">wild</a>.</p>
<p><a href="https://blog.sigmahq.io/sigmahq-rule-release-highlights-r2023-10-23-56eb16a3a882"><strong>Read More</strong></a></p>
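<p>To show what the FoxitPDFReader HTA rule above actually matches, here is an added example (not SigmaHQ or pySigma code) that evaluates its <code>selection</code> block against a few constructed Sysmon-style file-creation records. It applies the Sigma semantics the rule relies on: the <code>endswith</code> and <code>contains</code> modifiers, case-insensitive string comparison, and the implicit AND across the keys of one selection map; the event records and paths are constructed for illustration.</p>

```python
# Added example (not SigmaHQ or pySigma code): evaluate the detection block of
# the FoxitPDFReader HTA rule above against constructed file_event records.
# Sigma string matching is case-insensitive and the keys of one selection map
# are AND-ed; the rule's condition is simply "selection".

RULE_SELECTION = {
    "Image|endswith": r"\FoxitPDFReader.exe",
    "TargetFilename|contains": "\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\",
    "TargetFilename|endswith": ".hta",
}

# Constructed Sysmon EID 11 (FileCreate) style records, for illustration only.
STARTUP = r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
EVENTS = [
    {"Image": r"C:\Program Files\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe",
     "TargetFilename": STARTUP + r"\update.hta"},                 # should fire
    {"Image": r"C:\Program Files\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe",
     "TargetFilename": r"C:\Users\alice\Documents\report.pdf"},   # benign save
    {"Image": r"C:\Windows\explorer.exe",
     "TargetFilename": STARTUP + r"\tool.hta"},                   # wrong process
    {"Image": r"C:\PROGRAM FILES\FOXIT SOFTWARE\FOXIT PDF READER\FOXITPDFREADER.EXE",
     "TargetFilename": STARTUP + r"\setup.HTA"},                  # case differs, still fires
]

def field_matches(value: str, modifier: str, pattern: str) -> bool:
    """Apply one Sigma string modifier; Sigma compares case-insensitively."""
    v, p = value.lower(), pattern.lower()
    if modifier == "endswith":
        return v.endswith(p)
    if modifier == "contains":
        return p in v
    if modifier == "":  # no modifier: exact (case-insensitive) equality
        return v == p
    raise ValueError(f"unsupported modifier: {modifier}")

def selection_matches(event: dict, selection: dict) -> bool:
    """Every field in a selection map must match (logical AND)."""
    for key, pattern in selection.items():
        field, _, modifier = key.partition("|")
        value = event.get(field)
        if value is None or not field_matches(str(value), modifier, pattern):
            return False
    return True

def run_rule(events: list, selection: dict = RULE_SELECTION) -> list:
    """Return the indices of events that trigger the rule."""
    return [i for i, ev in enumerate(events) if selection_matches(ev, selection)]

if __name__ == "__main__":
    print("alerts:", run_rule(EVENTS))  # [0, 3]
```

<p>Events 1 and 2 show why the rule needs both the process and the path conditions: a Foxit save elsewhere and an unrelated process writing to Startup both stay silent, while the mixed-case record in event 3 still fires because Sigma matching ignores case.</p>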
Tags: SigmaHQ Rules