Home/CVE-2016-5403/Sigma rules
Sigma

Sigma rules for CVE-2016-5403

52 rules · scoped to cve · back to CVE-2016-5403
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.

Detection rules

2 of 52
direct medium
File Time Attribute Change - Linux
Detect file time attribute change to hide new or changes to existing files.
status test author Igor Fits, oscd.community id b3cec4e7-6901-4b0d-a02d-8ab2d8eb818b license Sigma · DRL-1.1
view Sigma YAML 
title: File Time Attribute Change - Linux
id: b3cec4e7-6901-4b0d-a02d-8ab2d8eb818b
status: test
description: Detect file time attribute change to hide new or changes to existing files.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.006/T1070.006.md
author: 'Igor Fits, oscd.community'
date: 2020-10-15
modified: 2022-11-28
tags:
    - attack.stealth
    - attack.t1070.006
logsource:
    product: linux
    service: auditd
detection:
    execve:
        type: 'EXECVE'
    touch:
        - 'touch'
    selection2:
        - '-t'
        - '-acmr'
        - '-d'
        - '-r'
    condition: execve and touch and selection2
falsepositives:
    - Unknown
level: medium
simulation:
    - type: atomic-red-team
      name: Set a file's access timestamp
      technique: T1070.006
      atomic_guid: 5f9113d5-ed75-47ed-ba23-ea3573d05810
    - type: atomic-red-team
      name: Set a file's modification timestamp
      technique: T1070.006
      atomic_guid: 20ef1523-8758-4898-b5a2-d026cc3d2c52
    - type: atomic-red-team
      name: Modify file timestamps using reference file
      technique: T1070.006
      atomic_guid: 631ea661-d661-44b0-abdb-7a7f3fc08e50
direct medium
Potentially Suspicious Usage Of Qemu
Detects potentially suspicious execution of the Qemu utility in a Windows environment. Threat actors have leveraged this utility and this technique for achieving network access as reported by Kaspersky.
status test author Muhammad Faisal (@faisalusuf), Hunter Juhan (@threatHNTR) id 5fc297ae-25b6-488a-8f25-cc12ac29b744 license Sigma · DRL-1.1
view Sigma YAML 
title: Potentially Suspicious Usage Of Qemu
id: 5fc297ae-25b6-488a-8f25-cc12ac29b744
status: test
description: |
    Detects potentially suspicious execution of the Qemu utility in a Windows environment.
    Threat actors have leveraged this utility and this technique for achieving network access as reported by Kaspersky.
references:
    - https://securelist.com/network-tunneling-with-qemu/111803/
    - https://www.qemu.org/docs/master/system/invocation.html#hxtool-5
author: Muhammad Faisal (@faisalusuf), Hunter Juhan (@threatHNTR)
date: 2024-06-03
tags:
    - attack.command-and-control
    - attack.t1090
    - attack.t1572
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            - '-m 1M' # VM with just 1MB of ram is insufficient this is a suspicious flag
            - '-m 2M'
            - '-m 3M'
        CommandLine|contains|all:
            - 'restrict=off'
            - '-netdev '
            - 'connect='
            - '-nographic' # This is also a key detection no one invoke without UI from console usually its a flag.
    filter_main_normal_usecase:
        CommandLine|contains:
            - ' -cdrom ' # Normal usage cases
            - ' type=virt '
            - ' -blockdev '
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium
Showing 51-52 of 52
Prev 2 Next
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin