
Sigma (generic) detection rules

341 rules indexed · SIEM-agnostic detection content
Sigma is the open generic signature format for SIEM systems. Expand any rule to see its raw YAML and convert it inline to native query syntax. Pick a platform above to browse every rule already rendered in that language.

Detection rules

50 shown of 341
low
File And SubFolder Enumeration Via Dir Command
Detects usage of the "dir" command, part of Windows CMD, with the "/S" command line flag in order to enumerate files in a specified directory and all subdirectories.
status: test · author: frack113 · id: 7c9340a9-e2ee-4e43-94c5-c54ebbea1006
title: File And SubFolder Enumeration Via Dir Command
id: 7c9340a9-e2ee-4e43-94c5-c54ebbea1006
status: test
description: |
    Detects usage of the "dir" command, part of Windows CMD, with the "/S" command line flag in order to enumerate files in a specified directory and all subdirectories.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1217/T1217.md
author: frack113
date: 2021-12-13
modified: 2026-05-18
tags:
    - attack.discovery
    - attack.t1217
logsource:
    category: process_creation
    product: windows
detection:
    selection_cmd:
        - Image|endswith: '\cmd.exe'
        - OriginalFileName: Cmd.Exe
    selection_cli:
        CommandLine|contains|windash: '-s'
        CommandLine|contains: 'dir '
    filter_main_rmdir:
        CommandLine|contains: 'rmdir'
    condition: all of selection_* and not 1 of filter_main_*
falsepositives:
    - Likely
level: low
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_cmd_dir_execution/info.yml
simulation:
    - type: atomic-red-team
      name: List Internet Explorer Bookmarks using the command prompt
      technique: T1217
      atomic_guid: 727dbcdb-e495-4ab1-a6c4-80c7f77aef85
low
File Creation Date Changed to Another Year
Detects when the file creation time is changed to a year before 2020. Attackers may change the file creation time of a backdoor to make it look like it was installed with the operating system. Note that many processes legitimately change the creation time of a file; it does not necessarily indicate malicious activity. In order to use this rule in production, it is recommended to first baseline normal behavior in your environment and then tune the rule accordingly. Hunting Recommendation: Focus on files with creation times set to years significantly before the current date, especially those in user-writable directories. Correlate with process execution logs to identify the source of the modification and investigate any unsigned or suspicious binaries involved.
status: test · author: frack113, Florian Roth (Nextron Systems) · id: 558eebe5-f2ba-4104-b339-36f7902bcc1a
title: File Creation Date Changed to Another Year
id: 558eebe5-f2ba-4104-b339-36f7902bcc1a
status: test
description: |
    Detects when the file creation time is changed to a year before 2020.
    Attackers may change the file creation time of a backdoor to make it look like it was installed with the operating system.
    Note that many processes legitimately change the creation time of a file; it does not necessarily indicate malicious activity.
    In order to use this rule in production, it is recommended to first baseline normal behavior in your environment and then tune the rule accordingly.
    Hunting Recommendation: Focus on files with creation times set to years significantly before the current date, especially those in user-writable directories.
    Correlate with process execution logs to identify the source of the modification and investigate any unsigned or suspicious binaries involved.
references:
    - https://www.inversecos.com/2022/04/defence-evasion-technique-timestomping.html
author: frack113, Florian Roth (Nextron Systems)
date: 2022-08-12
modified: 2026-01-20
tags:
    - attack.stealth
    - attack.t1070.006
    - detection.threat-hunting
logsource:
    category: file_change
    product: windows
detection:
    selection:
        PreviousCreationUtcTime|startswith: '202'
    filter_main_creation_time:
        CreationUtcTime|startswith: '202'
    filter_main_program_files:
        - TargetFilename|startswith:
              - 'C:\Program Files\'
              - 'C:\Program Files (x86)\'
        - Image|startswith:
              - 'C:\Program Files\'
              - 'C:\Program Files (x86)\'
    filter_optional_updates:
        - Image:
              - 'C:\Windows\system32\ProvTool.exe'
              - 'C:\Windows\System32\usocoreworker.exe'
              - 'C:\Windows\ImmersiveControlPanel\SystemSettings.exe'
        - TargetFilename|startswith: 'C:\ProgramData\USOPrivate\UpdateStore\'
        - TargetFilename|endswith:
              - '.tmp'
              - '.temp'
    filter_optional_cab:
        Image|startswith: 'C:\WINDOWS\System32\'
        Image|endswith:
            - '\TiWorker.exe'
            - '\svchost.exe'
            - '\sihclient.exe'
        TargetFilename|endswith: '.cab'
    filter_optional_msiexec:
        Image: 'C:\Windows\system32\msiexec.exe'
    filter_optional_vcredist:
        Image|startswith: 'C:\Windows\Temp\'
        Image|endswith: '\VCREDI~1.EXE'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Changes made to or by the local NTP service
    - Software installations and updates
level: low
low
File Deletion Via Del
Detects execution of the builtin "del"/"erase" commands in order to delete files. Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces indicating what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
status: test · author: frack113 · id: 379fa130-190e-4c3f-b7bc-6c8e834485f3
title: File Deletion Via Del
id: 379fa130-190e-4c3f-b7bc-6c8e834485f3
status: test
description: |
    Detects execution of the builtin "del"/"erase" commands in order to delete files.
    Adversaries may delete files left behind by the actions of their intrusion activity.
    Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces indicating what was done within a network and how.
    Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/erase
author: frack113
date: 2022-01-15
modified: 2024-03-05
tags:
    - attack.stealth
    - attack.t1070.004
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\cmd.exe'
        - OriginalFileName: 'Cmd.Exe'
    selection_del:
        CommandLine|contains:
            - 'del '
            - 'erase '
    selection_flags:
        CommandLine|contains|windash:
            - ' -f' # Force deleting of read-only files.
            - ' -s' # Delete specified files from all subdirectories.
            - ' -q' # Quiet mode, do not ask if ok to delete on global wildcard
    condition: all of selection_*
falsepositives:
    - False positive levels will differ depending on the environment. You can use a combination of ParentImage and other keywords from the CommandLine field to filter legitimate activity.
level: low
low
File or Folder Permissions Change
Detects file and folder permission changes.
status: test · author: Jakob Weinzettl, oscd.community · id: 74c01ace-0152-4094-8ae2-6fd776dd43e5
title: File or Folder Permissions Change
id: 74c01ace-0152-4094-8ae2-6fd776dd43e5
status: test
description: Detects file and folder permission changes.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.002/T1222.002.md
author: Jakob Weinzettl, oscd.community
date: 2019-09-23
modified: 2021-11-27
tags:
    - attack.defense-impairment
    - attack.t1222.002
logsource:
    product: linux
    service: auditd
detection:
    selection:
        type: 'EXECVE'
        a0|contains:
            - 'chmod'
            - 'chown'
    condition: selection
falsepositives:
    - User interacting with files permissions (normal/daily behaviour).
level: low
low
Files Added To An Archive Using Rar.EXE
Detects usage of "rar" to add files to an archive for potential compression. An adversary may compress data (e.g. sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
status: test · author: Timur Zinniatullin, E.M. Anhaus, oscd.community · id: 6f3e2987-db24-4c78-a860-b4f4095a7095
title: Files Added To An Archive Using Rar.EXE
id: 6f3e2987-db24-4c78-a860-b4f4095a7095
status: test
description: Detects usage of "rar" to add files to an archive for potential compression. An adversary may compress data (e.g. sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md
    - https://eqllib.readthedocs.io/en/latest/analytics/1ec33c93-3d0b-4a28-8014-dbdaae5c60ae.html
author: Timur Zinniatullin, E.M. Anhaus, oscd.community
date: 2019-10-21
modified: 2023-02-05
tags:
    - attack.collection
    - attack.t1560.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\rar.exe'
        CommandLine|contains: ' a '
    condition: selection
falsepositives:
    - Highly likely if rar is a default archiver in the monitored environment.
level: low
low
Firewall Configuration Discovery Via Netsh.EXE
Adversaries may look for details about the network configuration and settings of systems they access, or through information discovery of remote systems.
status: test · author: frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io' · id: 0e4164da-94bc-450d-a7be-a4b176179f1f
title: Firewall Configuration Discovery Via Netsh.EXE
id: 0e4164da-94bc-450d-a7be-a4b176179f1f
status: test
description: Adversaries may look for details about the network configuration and settings of systems they access, or through information discovery of remote systems.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1016/T1016.md#atomic-test-2---list-windows-firewall-rules
    - https://ss64.com/nt/netsh.html
author: frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'
date: 2021-12-07
modified: 2025-10-18
tags:
    - attack.discovery
    - attack.t1016
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\netsh.exe'
        - OriginalFileName: 'netsh.exe'
    selection_cli:
        CommandLine|contains|all:
            - 'netsh'
            - 'show '
            - 'firewall '
        CommandLine|contains:
            - 'config '
            - 'state '
            - 'rule '
            - 'name=all'
    condition: all of selection_*
falsepositives:
    - Administrative activity
level: low
low
Firewall Rule Modified In The Windows Firewall Exception List
Detects when a rule has been modified in the Windows firewall exception list
status: test · author: frack113 · id: 5570c4d9-8fdd-4622-965b-403a5a101aa0
title: Firewall Rule Modified In The Windows Firewall Exception List
id: 5570c4d9-8fdd-4622-965b-403a5a101aa0
status: test
description: Detects when a rule has been modified in the Windows firewall exception list
references:
    - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)
author: frack113
date: 2022-02-19
modified: 2024-01-22
tags:
    - attack.defense-impairment
    - attack.t1686.003
    - detection.threat-hunting
logsource:
    product: windows
    service: firewall-as
detection:
    selection:
        EventID:
            - 2005 # A rule has been modified in the Windows Defender Firewall exception list (Windows 10)
            - 2073 # A rule has been modified in the Windows Defender Firewall exception list. (Windows 11)
    filter_optional_teams:
        ApplicationPath|endswith: '\AppData\local\microsoft\teams\current\teams.exe'
    filter_optional_keybase:
        ApplicationPath|endswith: '\AppData\Local\Keybase\keybase.exe'
    filter_optional_messenger:
        ApplicationPath|endswith: '\AppData\Local\Programs\Messenger\Messenger.exe'
    filter_optional_opera:
        ApplicationPath|contains|all:
            - ':\Users\'
            - '\AppData\Local\Programs\Opera\'
            - '\opera.exe'
    filter_optional_brave:
        ApplicationPath|contains|all:
            - ':\Users\'
            - '\AppData\Local\BraveSoftware\Brave-Browser\Application\brave.exe'
    condition: selection and not 1 of filter_optional_*
level: low
low
Fsutil Drive Enumeration
Attackers may leverage fsutil to enumerate connected drives.
status: test · author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io' · id: 63de06b9-a385-40b5-8b32-73f2b9ef84b6
title: Fsutil Drive Enumeration
id: 63de06b9-a385-40b5-8b32-73f2b9ef84b6
status: test
description: Attackers may leverage fsutil to enumerate connected drives.
references:
    - Turla has used fsutil fsinfo drives to list connected drives.
    - https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/discovery_peripheral_device.toml
author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'
date: 2022-03-29
modified: 2022-07-14
tags:
    - attack.discovery
    - attack.t1120
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\fsutil.exe'
        - OriginalFileName: 'fsutil.exe'
    selection_cli:
        CommandLine|contains: 'drives'
    condition: all of selection_*
falsepositives:
    - Certain software or administrative tasks may trigger false positives.
level: low
low
GUI Input Capture - macOS
Detects attempts to use system dialog prompts to capture user credentials
status: test · author: remotephone, oscd.community · id: 60f1ce20-484e-41bd-85f4-ac4afec2c541
title: GUI Input Capture - macOS
id: 60f1ce20-484e-41bd-85f4-ac4afec2c541
status: test
description: Detects attempts to use system dialog prompts to capture user credentials
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.002/T1056.002.md
    - https://scriptingosx.com/2018/08/user-interaction-from-bash-scripts/
author: remotephone, oscd.community
date: 2020-10-13
modified: 2025-12-05
tags:
    - attack.collection
    - attack.credential-access
    - attack.t1056.002
logsource:
    product: macos
    category: process_creation
detection:
    selection_img:
        Image|endswith: '/osascript'
    selection_cli_1:
        CommandLine|contains|all:
            - '-e'
            - 'display'
            - 'dialog'
            - 'answer'
    selection_cli_2:
        CommandLine|contains:
            - 'admin'
            - 'administrator'
            - 'authenticate'
            - 'authentication'
            - 'credentials'
            - 'pass'
            - 'password'
            - 'unlock'
    condition: all of selection_*
falsepositives:
    - Legitimate administration tools and activities
level: low
low
Gatekeeper Bypass via Xattr
Detects macOS Gatekeeper bypass via xattr utility
status: test · author: Daniil Yugoslavskiy, oscd.community · id: f5141b6d-9f42-41c6-a7bf-2a780678b29b
title: Gatekeeper Bypass via Xattr
id: f5141b6d-9f42-41c6-a7bf-2a780678b29b
status: test
description: Detects macOS Gatekeeper bypass via xattr utility
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/1fed40dc7e48f16ed44dcdd9c73b9222a70cca85/atomics/T1553.001/T1553.001.md
    - https://www.loobins.io/binaries/xattr/
author: Daniil Yugoslavskiy, oscd.community
date: 2020-10-19
modified: 2024-04-18
tags:
    - attack.defense-impairment
    - attack.t1553.001
logsource:
    category: process_creation
    product: macos
detection:
    selection:
        Image|endswith: '/xattr'
        CommandLine|contains|all:
            - '-d'
            - 'com.apple.quarantine'
    condition: selection
falsepositives:
    - Legitimate activities
level: low
low
GitHub Repository Archive Status Changed
Detects when a GitHub repository is archived or unarchived, which may indicate unauthorized changes to repository status.
status: experimental · author: Ivan Saakov · id: dca8991c-cb16-4128-abf8-6b11e5cd156f
title: GitHub Repository Archive Status Changed
id: dca8991c-cb16-4128-abf8-6b11e5cd156f
status: experimental
description: |
    Detects when a GitHub repository is archived or unarchived, which may indicate unauthorized changes to repository status.
references:
    - https://docs.github.com/en/repositories/archiving-a-github-repository/archiving-repositories
    - https://www.sentinelone.com/blog/exploiting-repos-6-ways-threat-actors-abuse-github-other-devops-platforms
    - https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/security-log-events
author: Ivan Saakov
date: 2025-10-18
tags:
    - attack.persistence
    - attack.impact
    - attack.defense-impairment
logsource:
    product: github
    service: audit
detection:
    selection:
        action:
            - 'repo.archived'
            - 'repo.unarchived'
    condition: selection
falsepositives:
    - Archiving or unarchiving a repository is often legitimate. Investigate this action to determine if it was authorized.
level: low
low
GitHub Repository Pages Site Changed to Public
Detects when a GitHub Pages site of a repository is made public. This usually is part of a publishing process but could indicate or lead to potential unauthorized exposure of sensitive information or code.
status: experimental · author: Ivan Saakov · id: 0c46d4f4-a2bf-4104-9597-8d653fc2bb55
title: GitHub Repository Pages Site Changed to Public
id: 0c46d4f4-a2bf-4104-9597-8d653fc2bb55
status: experimental
description: |
    Detects when a GitHub Pages site of a repository is made public. This usually is part of a publishing process but could indicate or lead to potential unauthorized exposure of sensitive information or code.
references:
    - https://docs.github.com/en/pages/getting-started-with-github-pages/creating-a-github-pages-site
    - https://www.sentinelone.com/blog/exploiting-repos-6-ways-threat-actors-abuse-github-other-devops-platforms
    - https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/security-log-events
author: Ivan Saakov
date: 2025-10-18
tags:
    - attack.collection
    - attack.exfiltration
    - attack.t1567.001
logsource:
    product: github
    service: audit
detection:
    selection:
        action: 'repo.pages_public'
    condition: selection
falsepositives:
    - Legitimate publishing of repository pages by authorized users
level: low
low
Github New Secret Created
Detects when a user creates an action secret for the organization, environment, codespaces or repository.
status: test · author: Muhammad Faisal (@faisalusuf) · id: f9405037-bc97-4eb7-baba-167dad399b83
title: Github New Secret Created
id: f9405037-bc97-4eb7-baba-167dad399b83
status: test
description: Detects when a user creates an action secret for the organization, environment, codespaces or repository.
author: Muhammad Faisal (@faisalusuf)
date: 2023-01-20
references:
    - https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#audit-log-actions
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.initial-access
    - attack.stealth
    - attack.t1078.004
logsource:
    product: github
    service: audit
    definition: 'Requirements: The audit log streaming feature must be enabled to be able to receive such logs. You can enable following the documentation here: https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-audit-log-streaming'
detection:
    selection:
        action:
            - 'codespaces.create_an_org_secret'
            - 'environment.create_actions_secret'
            - 'org.create_actions_secret'
            - 'repo.create_actions_secret'
    condition: selection
falsepositives:
    - This detection could be noisy depending on the environment. It is recommended to keep a check on new secrets when they are created and validate the "actor".
level: low
low
Github Push Protection Bypass Detected
Detects when a user bypasses the push protection on a secret detected by secret scanning.
status: test · author: Muhammad Faisal (@faisalusuf) · id: 02cf536a-cf21-4876-8842-4159c8aee3cc
title: Github Push Protection Bypass Detected
id: 02cf536a-cf21-4876-8842-4159c8aee3cc
status: test
description: Detects when a user bypasses the push protection on a secret detected by secret scanning.
references:
    - https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/push-protection-for-repositories-and-organizations
    - https://thehackernews.com/2024/03/github-rolls-out-default-secret.html
author: Muhammad Faisal (@faisalusuf)
date: 2024-03-07
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    product: github
    service: audit
    definition: 'Requirements: The audit log streaming feature must be enabled to be able to receive such logs. You can enable following the documentation here: https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-audit-log-streaming'
detection:
    selection:
        action|contains: 'secret_scanning_push_protection.bypass'
    condition: selection
falsepositives:
    - Allowed administrative activities.
level: low
low
Github Self Hosted Runner Changes Detected
A self-hosted runner is a system that you deploy and manage to execute jobs from GitHub Actions on GitHub.com. This rule detects changes to self-hosted runner configurations in the environment. Once detected, self-hosted runner configuration changes should be validated in the GitHub UI because the log entry may not provide full context.
status: test · author: Muhammad Faisal (@faisalusuf) · id: f8ed0e8f-7438-4b79-85eb-f358ef2fbebd
title: Github Self Hosted Runner Changes Detected
id: f8ed0e8f-7438-4b79-85eb-f358ef2fbebd
status: test
description: |
    A self-hosted runner is a system that you deploy and manage to execute jobs from GitHub Actions on GitHub.com.
    This rule detects changes to self-hosted runner configurations in the environment. Once detected, self-hosted runner configuration changes
    should be validated in the GitHub UI because the log entry may not provide full context.
author: Muhammad Faisal (@faisalusuf)
date: 2023-01-27
references:
    - https://docs.github.com/en/actions/hosting-your-own-runners/about-self-hosted-runners#about-self-hosted-runners
    - https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#search-based-on-operation
tags:
    - attack.impact
    - attack.discovery
    - attack.collection
    - attack.persistence
    - attack.privilege-escalation
    - attack.initial-access
    - attack.stealth
    - attack.t1526
    - attack.t1213.003
    - attack.t1078.004
logsource:
    product: github
    service: audit
    definition: 'Requirements: The audit log streaming feature must be enabled to be able to receive such logs. You can enable following the documentation here: https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-audit-log-streaming'
detection:
    selection:
        action:
            - 'org.remove_self_hosted_runner'
            - 'org.runner_group_created'
            - 'org.runner_group_removed'
            - 'org.runner_group_runner_removed'
            - 'org.runner_group_runners_added'
            - 'org.runner_group_runners_updated'
            - 'org.runner_group_updated'
            - 'repo.register_self_hosted_runner'
            - 'repo.remove_self_hosted_runner'
    condition: selection
falsepositives:
    - Allowed self-hosted runners changes in the environment.
    - A self-hosted runner is automatically removed from GitHub if it has not connected to GitHub Actions for more than 14 days.
    - An ephemeral self-hosted runner is automatically removed from GitHub if it has not connected to GitHub Actions for more than 1 day.
level: low
low
Google Cloud Storage Buckets Enumeration
Detects when storage buckets are enumerated in Google Cloud.
status: test · author: Austin Songer @austinsonger · id: e2feb918-4e77-4608-9697-990a1aaf74c3
title: Google Cloud Storage Buckets Enumeration
id: e2feb918-4e77-4608-9697-990a1aaf74c3
status: test
description: Detects when storage buckets are enumerated in Google Cloud.
references:
    - https://cloud.google.com/storage/docs/json_api/v1/buckets
author: Austin Songer @austinsonger
date: 2021-08-14
modified: 2022-10-09
tags:
    - attack.discovery
logsource:
    product: gcp
    service: gcp.audit
detection:
    selection:
        gcp.audit.method_name:
            - storage.buckets.list
            - storage.buckets.listChannels
    condition: selection
falsepositives:
    - Storage Buckets being enumerated may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
    - Storage Buckets enumerated from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: low
low
Guest Account Enabled Via Sysadminctl
Detects attempts to enable the guest account using the sysadminctl utility
status: test · author: Sohan G (D4rkCiph3r) · id: d7329412-13bd-44ba-a072-3387f804a106
title: Guest Account Enabled Via Sysadminctl
id: d7329412-13bd-44ba-a072-3387f804a106
status: test
description: Detects attempts to enable the guest account using the sysadminctl utility
references:
    - https://ss64.com/osx/sysadminctl.html
author: Sohan G (D4rkCiph3r)
date: 2023-02-18
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.initial-access
    - attack.stealth
    - attack.t1078
    - attack.t1078.001
logsource:
    category: process_creation
    product: macos
detection:
    selection:
        Image|endswith: '/sysadminctl'
        CommandLine|contains|all:
            # By default the guest account is not active
            - ' -guestAccount'
            - ' on'
    condition: selection
falsepositives:
    - Unknown
level: low
low
HH.EXE Execution
Detects the execution of "hh.exe" to open ".chm" files.
status: test · author: E.M. Anhaus (originally from Atomic Blue Detections, Dan Beavin), oscd.community · id: 68c8acb4-1b60-4890-8e82-3ddf7a6dba84
title: HH.EXE Execution
id: 68c8acb4-1b60-4890-8e82-3ddf7a6dba84
status: test
description: Detects the execution of "hh.exe" to open ".chm" files.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.001/T1218.001.md
    - https://eqllib.readthedocs.io/en/latest/analytics/b25aa548-7937-11e9-8f5c-d46d6d62a49e.html
    - https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37
author: E.M. Anhaus (originally from Atomic Blue Detections, Dan Beavin), oscd.community
date: 2019-10-24
modified: 2023-12-11
tags:
    - attack.stealth
    - attack.t1218.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - OriginalFileName: 'HH.exe'
        - Image|endswith: '\hh.exe'
    selection_cli:
        CommandLine|contains: '.chm'
    condition: all of selection_*
falsepositives:
    - False positives are expected with legitimate ".CHM" files
level: low
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_hh_chm_execution/info.yml
low
HTML File Opened From Download Folder
Detects a web browser process opening an HTML file from a user's Downloads folder. This behavior could be associated with phishing attacks where threat actors send HTML attachments to users. When a user opens such an attachment, it can lead to the execution of malicious scripts or the download of malware. During investigation, analyze the HTML file for embedded scripts or links, check for any subsequent downloads or process executions, and investigate the source of the email or message containing the attachment.
status: experimental · author: Joseph Kamau · id: 538c5851-8c03-4724-8ec4-623bc7aadaea
title: HTML File Opened From Download Folder
id: 538c5851-8c03-4724-8ec4-623bc7aadaea
status: experimental
description: |
    Detects a web browser process opening an HTML file from a user's Downloads folder.
    This behavior could be associated with phishing attacks where threat actors send HTML attachments to users.
    When a user opens such an attachment, it can lead to the execution of malicious scripts or the download of malware.
    During investigation, analyze the HTML file for embedded scripts or links, check for any subsequent downloads or process executions, and investigate the source of the email or message containing the attachment.
references:
    - https://app.any.run/tasks/ae3c4ded-fd6a-43ed-8215-ba0ba574ad33
    - https://app.any.run/tasks/8901e2d5-0c5a-48ba-a8e9-10b5ed7e06f4
author: Joseph Kamau
date: 2025-12-05
tags:
    - attack.t1598.002
    - attack.t1566.001
    - attack.initial-access
    - attack.reconnaissance
    - detection.threat-hunting
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        Image|endswith:
            - '\brave.exe'
            - '\chrome.exe'
            - '\firefox.exe'
            - '\msedge.exe'
            - '\opera.exe'
            - '\vivaldi.exe'
        CommandLine|contains|all:
            - ':\users\'
            - '\Downloads\'
            - '.htm'
    condition: selection
falsepositives:
    - Opening any HTML file located in users directories via a browser process will trigger this.
level: low
low
Hidden Files and Directories
Detects an adversary creating a hidden file or directory, by detecting directories or files with "." as the first character
status: test · author: Pawel Mazur · id: d08722cd-3d09-449a-80b4-83ea2d9d4616
title: Hidden Files and Directories
id: d08722cd-3d09-449a-80b4-83ea2d9d4616
status: test
description: Detects an adversary creating a hidden file or directory, by detecting directories or files with "." as the first character
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md
author: 'Pawel Mazur'
date: 2021-09-06
modified: 2025-06-16
tags:
    - attack.stealth
    - attack.t1564.001
logsource:
    product: linux
    service: auditd
detection:
    selection_commands:
        type: 'EXECVE'
        a0:
            - 'mkdir'
            - 'nano'
            - 'touch'
            - 'vi'
            - 'vim'
    selection_arguments:
        - a1|re: '(^|\/)\.[^.\/]'
        - a2|re: '(^|\/)\.[^.\/]'
    condition: all of selection_*
falsepositives:
    - Unknown
level: low
low
Host Without Firewall
Detects a host without a firewall as reported by the Qualys vulnerability scanner (scan type: Vulnerability Management). An alert means the host is not compliant.
status experimental author Alexandr Yampolskyi, SOC Prime id 6b2066c8-3dc7-4db7-9db0-6cc1d7b0dde9
title: Host Without Firewall
id: 6b2066c8-3dc7-4db7-9db0-6cc1d7b0dde9
status: experimental
description: Detects a host without a firewall as reported by the Qualys vulnerability scanner (scan type: Vulnerability Management). An alert means the host is not compliant.
references:
    - https://www.cisecurity.org/controls/cis-controls-list/
    - https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
    - https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
author: Alexandr Yampolskyi, SOC Prime
date: 2019-03-19
modified: 2025-11-01
# tags:
    # - CSC9
    # - CSC9.4
    # - NIST CSF 1.1 PR.AC-5
    # - NIST CSF 1.1 PR.AC-6
    # - NIST CSF 1.1 PR.AC-7
    # - NIST CSF 1.1 DE.AE-1
    # - ISO 27002-2013 A.9.1.2
    # - ISO 27002-2013 A.13.2.1
    # - ISO 27002-2013 A.13.2.2
    # - ISO 27002-2013 A.14.1.2
    # - PCI DSS 3.2 1.4
logsource:
    product: qualys
detection:
    selection:
        event.category: 'Security Policy'
        host.scan.vuln_name|contains: 'Firewall Product Not Detected'
    condition: selection
level: low
low
Huawei BGP Authentication Failures
Detects BGP authentication failures, which may be indicative of brute-force attacks to manipulate routing.
status test author Tim Brown id a557ffe6-ac54-43d2-ae69-158027082350
title: Huawei BGP Authentication Failures
id: a557ffe6-ac54-43d2-ae69-158027082350
status: test
description: Detects BGP authentication failures, which may be indicative of brute-force attacks to manipulate routing.
references:
    - https://www.blackhat.com/presentations/bh-usa-03/bh-us-03-convery-franz-v3.pdf
author: Tim Brown
date: 2023-01-09
modified: 2023-01-23
tags:
    - attack.initial-access
    - attack.persistence
    - attack.privilege-escalation
    - attack.credential-access
    - attack.collection
    - attack.stealth
    - attack.t1078
    - attack.t1110
    - attack.t1557
logsource:
    product: huawei
    service: bgp
    definition: 'Requirements: huawei bgp logs need to be enabled and ingested'
detection:
    keywords_bgp_huawei:
        '|all':
            - ':179' # Protocol
            - 'BGP_AUTH_FAILED'
    condition: keywords_bgp_huawei
falsepositives:
    - Unlikely, except due to misconfigurations
level: low
low
Import New Module Via PowerShell CommandLine
Detects usage of the "Import-Module" cmdlet in order to add new Cmdlets to the current PowerShell session
status test author Nasreddine Bencherchali (Nextron Systems) id 4ad74d01-f48c-42d0-b88c-b31efa4d2262
title: Import New Module Via PowerShell CommandLine
id: 4ad74d01-f48c-42d0-b88c-b31efa4d2262
status: test
description: Detects usage of the "Import-Module" cmdlet in order to add new Cmdlets to the current PowerShell session
references:
    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/import-module?view=powershell-7.3
    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/import-module?view=powershell-5.1
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-09
modified: 2023-12-01
tags:
    - attack.execution
    - detection.threat-hunting
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        - Image|endswith:
              - '\powershell.exe'
              - '\pwsh.exe'
        - OriginalFileName:
              - 'PowerShell.EXE'
              - 'pwsh.dll'
    selection_cmdlet:
        CommandLine|contains:
            - 'Import-Module '
            - 'ipmo '
    filter_main_vsstudio:
        ParentImage|contains:
            - ':\Program Files\WindowsApps\Microsoft.WindowsTerminal_'
            - ':\Windows\System32\cmd.exe'
        CommandLine|contains|all:
            - ':\Program Files\Microsoft Visual Studio\'
            - 'Tools\Microsoft.VisualStudio.DevShell.dll'
    condition: all of selection_* and not 1 of filter_main_*
falsepositives:
    - Depending on the environment, many legitimate scripts will import modules inline. This rule is targeted for hunting purposes.
level: low
low
Indirect Command Execution By Program Compatibility Wizard
Detect indirect command execution via Program Compatibility Assistant pcwrun.exe
status test author A. Sungurov, oscd.community id b97cd4b1-30b8-4a9d-bd72-6293928d52bc
title: Indirect Command Execution By Program Compatibility Wizard
id: b97cd4b1-30b8-4a9d-bd72-6293928d52bc
status: test
description: Detect indirect command execution via Program Compatibility Assistant pcwrun.exe
references:
    - https://twitter.com/pabraeken/status/991335019833708544
    - https://lolbas-project.github.io/lolbas/Binaries/Pcwrun/
author: A. Sungurov, oscd.community
date: 2020-10-12
modified: 2021-11-27
tags:
    - attack.stealth
    - attack.t1218
    - attack.execution
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\pcwrun.exe'
    condition: selection
falsepositives:
    - Need to use extra processing with 'unique_count' / 'filter' to focus on outliers as opposed to commonly seen artifacts
    - Legit usage of scripts
level: low
low
Insensitive Subfolder Search Via Findstr.EXE
Detects execution of findstr with the "s" and "i" flags for a "subfolder" and "insensitive" search respectively. Attackers sometimes leverage this built-in utility to search the system for interesting files or filter through results of commands.
status test author Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative, Nasreddine Bencherchali (Nextron Systems) id 04936b66-3915-43ad-a8e5-809eadfd1141
title: Insensitive Subfolder Search Via Findstr.EXE
id: 04936b66-3915-43ad-a8e5-809eadfd1141
related:
    - id: bf6c39fc-e203-45b9-9538-05397c1b4f3f
      type: obsolete
status: test
description: |
    Detects execution of findstr with the "s" and "i" flags for a "subfolder" and "insensitive" search respectively. Attackers sometimes leverage this built-in utility to search the system for interesting files or filter through results of commands.
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Findstr/
    - https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/
    - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
author: Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative, Nasreddine Bencherchali (Nextron Systems)
date: 2020-10-05
modified: 2024-03-05
tags:
    - attack.credential-access
    - attack.command-and-control
    - attack.stealth
    - attack.t1218
    - attack.t1564.004
    - attack.t1552.001
    - attack.t1105
logsource:
    category: process_creation
    product: windows
detection:
    selection_findstr:
        - CommandLine|contains: findstr
        - Image|endswith: 'findstr.exe'
        - OriginalFileName: 'FINDSTR.EXE'
    selection_cli_search_subfolder:
        CommandLine|contains|windash: ' -s '
    selection_cli_search_insensitive:
        CommandLine|contains|windash: ' -i '
    condition: selection_findstr and all of selection_cli_search_*
falsepositives:
    - Administrative or software activity
level: low
low
Install Root Certificate
Detects installation of new certificate on the system which attackers may use to avoid warnings when connecting to controlled web servers or C2s
status test author Ömer Günal, oscd.community id 78a80655-a51e-4669-bc6b-e9d206a462ee
title: Install Root Certificate
id: 78a80655-a51e-4669-bc6b-e9d206a462ee
status: test
description: Detects installation of new certificate on the system which attackers may use to avoid warnings when connecting to controlled web servers or C2s
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md
author: Ömer Günal, oscd.community
date: 2020-10-05
modified: 2022-07-07
tags:
    - attack.defense-impairment
    - attack.t1553.004
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        Image|endswith:
            - '/update-ca-certificates'
            - '/update-ca-trust'
    condition: selection
falsepositives:
    - Legitimate administration activities
level: low
low
Interesting Service Enumeration Via Sc.EXE
Detects the enumeration and query of interesting and in some cases sensitive services on the system via "sc.exe". Attackers often try to enumerate the services currently running on a system in order to find different attack vectors.
status test author Swachchhanda Shrawan Poudel id e83e8899-c9b2-483b-b355-5decc942b959
title: Interesting Service Enumeration Via Sc.EXE
id: e83e8899-c9b2-483b-b355-5decc942b959
status: test
description: |
    Detects the enumeration and query of interesting and in some cases sensitive services on the system via "sc.exe".
    Attackers often try to enumerate the services currently running on a system in order to find different attack vectors.
references:
    - https://www.n00py.io/2021/05/dumping-plaintext-rdp-credentials-from-svchost-exe/
    - https://pentestlab.blog/tag/svchost/
author: Swachchhanda Shrawan Poudel
date: 2024-02-12
tags:
    - attack.t1003
    - attack.credential-access
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        - Image|endswith: '\sc.exe'
        - OriginalFileName: 'sc.exe'
    selection_cli:
        CommandLine|contains: 'query'
    selection_cmd:
        # Note: add more interesting services
        CommandLine|contains: 'termservice'
    condition: all of selection_*
falsepositives:
    - Unknown
# Note: can be upgraded to medium after an initial baseline
level: low
low
JAMF MDM Execution
Detects execution of the "jamf" binary to create user accounts and run commands. For example, the binary can be abused by attackers on the system in order to bypass security controls or remove application control policies.
status test author Jay Pandit id be2e3a5c-9cc7-4d02-842a-68e9cb26ec49
title: JAMF MDM Execution
id: be2e3a5c-9cc7-4d02-842a-68e9cb26ec49
status: test
description: |
    Detects execution of the "jamf" binary to create user accounts and run commands. For example, the binary can be abused by attackers on the system in order to bypass security controls or remove application control policies.
references:
    - https://github.com/MythicAgents/typhon/
    - https://www.zoocoup.org/casper/jamf_cheatsheet.pdf
    - https://docs.jamf.com/10.30.0/jamf-pro/administrator-guide/Components_Installed_on_Managed_Computers.html
author: Jay Pandit
date: 2023-08-22
tags:
    - attack.execution
logsource:
    category: process_creation
    product: macos
detection:
    selection:
        Image|endswith: '/jamf'
        CommandLine|contains:
            # Note: add or remove commands according to your policy
            - 'createAccount'
            - 'manage'
            - 'removeFramework'
            - 'removeMdmProfile'
            - 'resetPassword'
            - 'setComputerName'
    condition: selection
falsepositives:
    - Legitimate use of the JAMF CLI tool by IT support and administrators
level: low
low
JScript Compiler Execution
Detects the execution of "jsc.exe" (JScript Compiler). Attackers might abuse this in order to compile JScript files on the fly and bypass application whitelisting.
status test author frack113 id 52788a70-f1da-40dd-8fbd-73b5865d6568
title: JScript Compiler Execution
id: 52788a70-f1da-40dd-8fbd-73b5865d6568
status: test
description: |
    Detects the execution of the "jsc.exe" (JScript Compiler).
    Attackers might abuse this in order to compile JScript files on the fly and bypass application whitelisting.
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Jsc/
    - https://www.phpied.com/make-your-javascript-a-windows-exe/
    - https://twitter.com/DissectMalware/status/998797808907046913
author: frack113
date: 2022-05-02
modified: 2024-04-24
tags:
    - attack.execution
    - attack.stealth
    - attack.t1127
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        - Image|endswith: '\jsc.exe'
        - OriginalFileName: 'jsc.exe'
    condition: selection
falsepositives:
    - Legitimate use to compile JScript by developers.
# Note: Can be decreased to informational or increased to medium depending on how this utility is used.
level: low
low
Juniper BGP Missing MD5
Detects Juniper BGP sessions reporting a missing MD5 digest, which may be indicative of brute-force attacks to manipulate routing.
status test author Tim Brown id a7c0ae48-8df8-42bf-91bd-2ea57e2f9d43
title: Juniper BGP Missing MD5
id: a7c0ae48-8df8-42bf-91bd-2ea57e2f9d43
status: test
description: Detects Juniper BGP sessions reporting a missing MD5 digest, which may be indicative of brute-force attacks to manipulate routing.
references:
    - https://www.blackhat.com/presentations/bh-usa-03/bh-us-03-convery-franz-v3.pdf
author: Tim Brown
date: 2023-01-09
modified: 2023-01-23
tags:
    - attack.initial-access
    - attack.persistence
    - attack.privilege-escalation
    - attack.credential-access
    - attack.collection
    - attack.stealth
    - attack.t1078
    - attack.t1110
    - attack.t1557
logsource:
    product: juniper
    service: bgp
    definition: 'Requirements: juniper bgp logs need to be enabled and ingested'
detection:
    keywords_bgp_juniper:
        '|all':
            - ':179' # Protocol
            - 'missing MD5 digest'
    condition: keywords_bgp_juniper
falsepositives:
    - Unlikely, except due to misconfigurations
level: low
low
Kubernetes Secrets Enumeration
Detects enumeration of Kubernetes secrets.
status test author Leo Tsaousis (@laripping) id eeb3e9e1-b685-44e4-9232-6bb701f925b5
title: Kubernetes Secrets Enumeration
id: eeb3e9e1-b685-44e4-9232-6bb701f925b5
related:
    - id: 7ee0b4aa-d8d4-4088-b661-20efdf41a04c
      type: derived
status: test
description: Detects enumeration of Kubernetes secrets.
references:
    - https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/List%20K8S%20secrets/
author: Leo Tsaousis (@laripping)
date: 2024-03-26
tags:
    - attack.t1552.007
    - attack.credential-access
logsource:
    category: application
    product: kubernetes
    service: audit
detection:
    selection:
        verb: 'list'
        objectRef.resource: 'secrets'
    condition: selection
falsepositives:
    - The Kubernetes dashboard occasionally accesses the kubernetes-dashboard-key-holder secret
level: low
low
Kubernetes Unauthorized or Unauthenticated Access
Detects when a request to the Kubernetes API is rejected due to lack of authorization or due to an expired authentication token being used. This may indicate an attacker attempting to leverage credentials they have obtained.
status test author kelnage id 0d933542-1f1f-420d-97d4-21b2c3c492d9
title: Kubernetes Unauthorized or Unauthenticated Access
id: 0d933542-1f1f-420d-97d4-21b2c3c492d9
status: test
description: |
    Detects when a request to the Kubernetes API is rejected due to lack of authorization or due to an expired authentication token being used.
    This may indicate an attacker attempting to leverage credentials they have obtained.
references:
    - https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/
    - https://www.datadoghq.com/blog/monitor-kubernetes-audit-logs/#monitor-api-authentication-issues
author: kelnage
date: 2024-04-12
tags:
    - attack.privilege-escalation
logsource:
    product: kubernetes
    service: audit
detection:
    selection:
        responseStatus.code:
            - 401 # Unauthorized
            - 403 # Forbidden
    condition: selection
falsepositives:
    - A misconfigured RBAC policy, a mistake by a valid user, or a wider issue with authentication tokens can also generate these errors.
level: low
low
Linux Capabilities Discovery
Detects attempts to discover files with the setuid/setgid capability set on them, which would allow an adversary to escalate their privileges.
status test author Pawel Mazur id fe10751f-1995-40a5-aaa2-c97ccb4123fe
title: Linux Capabilities Discovery
id: fe10751f-1995-40a5-aaa2-c97ccb4123fe
status: test
description: Detects attempts to discover files with the setuid/setgid capability set on them, which would allow an adversary to escalate their privileges.
references:
    - https://man7.org/linux/man-pages/man8/getcap.8.html
    - https://www.hackingarticles.in/linux-privilege-escalation-using-capabilities/
    - https://mn3m.info/posts/suid-vs-capabilities/
    - https://int0x33.medium.com/day-44-linux-capabilities-privilege-escalation-via-openssl-with-selinux-enabled-and-enforced-74d2bec02099
author: 'Pawel Mazur'
date: 2021-11-28
modified: 2022-12-25
tags:
    - attack.discovery
    - attack.privilege-escalation
    - attack.t1083
    - attack.t1548
logsource:
    product: linux
    service: auditd
detection:
    selection:
        type: EXECVE
        a0: getcap
        a1: '-r'
        a2: '/'
    condition: selection
falsepositives:
    - Unknown
level: low
low
Linux Doas Tool Execution
Detects execution of the doas tool on a Linux host. This utility allows standard users to perform tasks as root, the same way sudo does.
status stable author Sittikorn S, Teoderick Contreras id 067d8238-7127-451c-a9ec-fa78045b618b
title: Linux Doas Tool Execution
id: 067d8238-7127-451c-a9ec-fa78045b618b
status: stable
description: Detects execution of the doas tool on a Linux host. This utility allows standard users to perform tasks as root, the same way sudo does.
references:
    - https://research.splunk.com/endpoint/linux_doas_tool_execution/
    - https://www.makeuseof.com/how-to-install-and-use-doas/
author: Sittikorn S, Teoderick Contreras
date: 2022-01-20
tags:
    - attack.privilege-escalation
    - attack.t1548
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        Image|endswith: '/doas'
    condition: selection
falsepositives:
    - Unlikely
level: low
low
Linux Network Service Scanning - Auditd
Detects enumeration of local or remote network services.
status test author Alejandro Ortuno, oscd.community id 3761e026-f259-44e6-8826-719ed8079408
title: Linux Network Service Scanning - Auditd
id: 3761e026-f259-44e6-8826-719ed8079408
related:
    - id: 3e102cd9-a70d-4a7a-9508-403963092f31
      type: derived
status: test
description: Detects enumeration of local or remote network services.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md
author: Alejandro Ortuno, oscd.community
date: 2020-10-21
modified: 2023-09-26
tags:
    - attack.discovery
    - attack.t1046
logsource:
    product: linux
    service: auditd
    definition: 'Configure these rules https://github.com/Neo23x0/auditd/blob/e181243a7c708e9d579557d6f80e0ed3d3483b89/audit.rules#L182-L183'
detection:
    selection:
        type: 'SYSCALL'
        exe|endswith:
            - '/telnet'
            - '/nmap'
            - '/netcat'
            - '/nc'
            - '/ncat'
            - '/nc.openbsd'
        key: 'network_connect_4'
    condition: selection
falsepositives:
    - Legitimate administration activities
level: low
low
Linux Network Service Scanning Tools Execution
Detects execution of network scanning and reconnaissance tools. These tools can be used, for example, for the enumeration of local or remote network services.
status test author Alejandro Ortuno, oscd.community, Georg Lauenstein (sure[secure]) id 3e102cd9-a70d-4a7a-9508-403963092f31
title: Linux Network Service Scanning Tools Execution
id: 3e102cd9-a70d-4a7a-9508-403963092f31
status: test
description: Detects execution of network scanning and reconnaissance tools. These tools can be used, for example, for the enumeration of local or remote network services.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md
    - https://github.com/projectdiscovery/naabu
    - https://github.com/Tib3rius/AutoRecon
author: Alejandro Ortuno, oscd.community, Georg Lauenstein (sure[secure])
date: 2020-10-21
modified: 2024-09-19
tags:
    - attack.discovery
    - attack.t1046
logsource:
    category: process_creation
    product: linux
detection:
    selection_netcat:
        Image|endswith:
            - '/nc'
            - '/ncat'
            - '/netcat'
            - '/socat'
    selection_network_scanning_tools:
        Image|endswith:
            - '/autorecon'
            - '/hping'
            - '/hping2'
            - '/hping3'
            - '/naabu'
            - '/nmap'
            - '/nping'
            - '/telnet' # could be wget, curl, ssh, many things. basically everything that is able to do network connection. consider fine tuning
            - '/zenmap'
    filter_main_netcat_listen_flag:
        CommandLine|contains:
            - ' --listen '
            - ' -l '
    condition: (selection_netcat and not filter_main_netcat_listen_flag) or selection_network_scanning_tools
falsepositives:
    - Legitimate administration activities
level: low
low
Linux Package Uninstall
Detects Linux package removal using built-in tools such as "yum", "apt", "apt-get" or "dpkg".
status test author Tuan Le (NCSGroup), Nasreddine Bencherchali (Nextron Systems) id 95d61234-7f56-465c-6f2d-b562c6fedbc4
title: Linux Package Uninstall
id: 95d61234-7f56-465c-6f2d-b562c6fedbc4
status: test
description: Detects Linux package removal using built-in tools such as "yum", "apt", "apt-get" or "dpkg".
references:
    - https://sysdig.com/blog/mitre-defense-evasion-falco
    - https://www.tutorialspoint.com/how-to-install-a-software-on-linux-using-yum-command
    - https://linuxhint.com/uninstall_yum_package/
    - https://linuxhint.com/uninstall-debian-packages/
author: Tuan Le (NCSGroup), Nasreddine Bencherchali (Nextron Systems)
date: 2023-03-09
tags:
    - attack.stealth
    - attack.t1070
logsource:
    product: linux
    category: process_creation
detection:
    selection_yum:
        Image|endswith: '/yum'
        CommandLine|contains:
            - 'erase'
            - 'remove'
    selection_apt:
        Image|endswith:
            - '/apt'
            - '/apt-get'
        CommandLine|contains:
            - 'remove'
            - 'purge'
    selection_dpkg:
        Image|endswith: '/dpkg'
        CommandLine|contains:
            - '--remove '
            - ' -r '
    selection_rpm:
        Image|endswith: '/rpm'
        CommandLine|contains: ' -e '
    condition: 1 of selection_*
falsepositives:
    - Administrator or administrator scripts might delete packages for several reasons (debugging, troubleshooting).
level: low
low
Linux Remote System Discovery
Detects the enumeration of other remote systems.
status test author Alejandro Ortuno, oscd.community id 11063ec2-de63-4153-935e-b1a8b9e616f1
title: Linux Remote System Discovery
id: 11063ec2-de63-4153-935e-b1a8b9e616f1
status: test
description: Detects the enumeration of other remote systems.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md
author: Alejandro Ortuno, oscd.community
date: 2020-10-22
modified: 2021-11-27
tags:
    - attack.discovery
    - attack.t1018
logsource:
    category: process_creation
    product: linux
detection:
    selection_1:
        Image|endswith: '/arp'
        CommandLine|contains: '-a'
    selection_2:
        Image|endswith: '/ping'
        CommandLine|contains:
            - ' 10.' # 10.0.0.0/8
            - ' 192.168.' # 192.168.0.0/16
            - ' 172.16.' # 172.16.0.0/12
            - ' 172.17.'
            - ' 172.18.'
            - ' 172.19.'
            - ' 172.20.'
            - ' 172.21.'
            - ' 172.22.'
            - ' 172.23.'
            - ' 172.24.'
            - ' 172.25.'
            - ' 172.26.'
            - ' 172.27.'
            - ' 172.28.'
            - ' 172.29.'
            - ' 172.30.'
            - ' 172.31.'
            - ' 127.' # 127.0.0.0/8
            - ' 169.254.' # 169.254.0.0/16
    condition: 1 of selection*
falsepositives:
    - Legitimate administration activities
level: low
low
Linux Setgid Capability Set on a Binary via Setcap Utility
Detects the use of the 'setcap' utility to set the 'setgid' capability (cap_setgid) on a binary file. This capability allows a non-privileged process to make arbitrary manipulations of group IDs (GIDs), including setting its current GID to a value that would otherwise be restricted (i.e. GID 0, the root group). This behavior can be used by adversaries to backdoor a binary in order to escalate privileges again in the future if needed.
status experimental author Luc Génaux id 3a716279-c18c-4488-83be-f9ececbfb9fc
title: Linux Setgid Capability Set on a Binary via Setcap Utility
id: 3a716279-c18c-4488-83be-f9ececbfb9fc
status: experimental
description: |
    Detects the use of the 'setcap' utility to set the 'setgid' capability (cap_setgid) on a binary file.
    This capability allows a non-privileged process to make arbitrary manipulations of group IDs (GIDs), including setting its current GID to a value that would otherwise be restricted (i.e. GID 0, the root group).
    This behavior can be used by adversaries to backdoor a binary in order to escalate privileges again in the future if needed.
references:
    - https://man7.org/linux/man-pages/man8/setcap.8.html
    - https://dfir.ch/posts/linux_capabilities/
    - https://juggernaut-sec.com/capabilities/#cap_setgid
author: Luc Génaux
date: 2026-01-24
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1548
    - attack.t1554
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        Image|endswith: '/setcap'
        CommandLine|contains: 'cap_setgid'
    condition: selection
falsepositives:
    - Unknown
level: low
low
Linux Setuid Capability Set on a Binary via Setcap Utility
Detects the use of the 'setcap' utility to set the 'setuid' capability (cap_setuid) on a binary file. This capability allows a non-privileged process to make arbitrary manipulations of user IDs (UIDs), including setting its current UID to a value that would otherwise be restricted (i.e. UID 0, the root user). This behavior can be used by adversaries to backdoor a binary in order to escalate privileges again in the future if needed.
status experimental author Luc Génaux id ed447910-bc30-4575-a598-3a2e49516a7a
title: Linux Setuid Capability Set on a Binary via Setcap Utility
id: ed447910-bc30-4575-a598-3a2e49516a7a
status: experimental
description: |
    Detects the use of the 'setcap' utility to set the 'setuid' capability (cap_setuid) on a binary file.
    This capability allows a non-privileged process to make arbitrary manipulations of user IDs (UIDs), including setting its current UID to a value that would otherwise be restricted (i.e. UID 0, the root user).
    This behavior can be used by adversaries to backdoor a binary in order to escalate privileges again in the future if needed.
references:
    - https://man7.org/linux/man-pages/man8/setcap.8.html
    - https://dfir.ch/posts/linux_capabilities/
    - https://juggernaut-sec.com/capabilities/#cap_setuid
author: Luc Génaux
date: 2026-01-24
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1548
    - attack.t1554
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        Image|endswith: '/setcap'
        CommandLine|contains: 'cap_setuid'
    condition: selection
falsepositives:
    - Unknown
level: low
low
Linux Sudo Chroot Execution
Detects execution of the 'sudo' command with the '--chroot' option, which is used to change the root directory for command execution. Attackers may use this technique to evade detection and execute commands in a modified environment. This can be part of a privilege escalation strategy, as it allows the execution of commands with elevated privileges in a controlled environment, as seen in CVE-2025-32463. While investigating, look out for unusual or unexpected use of 'sudo --chroot' in conjunction with other commands or scripts, such as execution from temporary directories or by unusual user accounts.
status experimental author Swachchhanda Shrawn Poudel (Nextron Systems) id f2bed782-994e-4f40-9cd5-518198cb3fba
title: Linux Sudo Chroot Execution
id: f2bed782-994e-4f40-9cd5-518198cb3fba
status: experimental
description: |
    Detects execution of the 'sudo' command with the '--chroot' option, which is used to change the root directory for command execution.
    Attackers may use this technique to evade detection and execute commands in a modified environment.
    This can be part of a privilege escalation strategy, as it allows the execution of commands with elevated privileges in a controlled environment as seen in CVE-2025-32463.
    While investigating, look out for unusual or unexpected use of 'sudo --chroot' in conjunction with other commands or scripts, such as execution from temporary directories or by unusual user accounts.
references:
    - https://github.com/kh4sh3i/CVE-2025-32463/blob/81bb430f84fa2089224733c3ed4bfa434c197ad4/exploit.sh
author: Swachchhanda Shrawn Poudel (Nextron Systems)
date: 2025-10-02
tags:
    - attack.privilege-escalation
    - attack.t1068
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|endswith: '/sudo'
        CommandLine|contains:
            - ' --chroot '
            - 'sudo -R '
    condition: selection
falsepositives:
    - Legitimate administrative tasks or scripts that use 'sudo --chroot' for containerization, testing, or system management.
level: low
low
Load Of RstrtMgr.DLL By An Uncommon Process
Detects the load of the RstrtMgr DLL (Restart Manager) by an uncommon process. This library has been used during ransomware campaigns to kill processes that would prevent file encryption by locking them (e.g. Conti ransomware, Cactus ransomware). It has also recently been seen used by the BiBi wiper for Windows. It could also be used for anti-analysis purposes by shutting down specific processes.
status test author Luc Génaux id 3669afd2-9891-4534-a626-e5cf03810a61
title: Load Of RstrtMgr.DLL By An Uncommon Process
id: 3669afd2-9891-4534-a626-e5cf03810a61
related:
    - id: b48492dc-c5ef-4572-8dff-32bc241c15c8
      type: derived
status: test
description: |
    Detects the load of RstrtMgr DLL (Restart Manager) by an uncommon process.
    This library has been used during ransomware campaigns to kill processes that would prevent file encryption by locking them (e.g. Conti ransomware, Cactus ransomware). It has also recently been seen used by the BiBi wiper for Windows.
    It could also be used for anti-analysis purposes by shutting down specific processes.
references:
    - https://www.crowdstrike.com/blog/windows-restart-manager-part-1/
    - https://www.crowdstrike.com/blog/windows-restart-manager-part-2/
    - https://web.archive.org/web/20231221193106/https://www.swascan.com/cactus-ransomware-malware-analysis/
    - https://taiwan.postsen.com/business/88601/Hamas-hackers-use-data-destruction-software-BiBi-which-consumes-a-lot-of-processor-resources-to-wipe-Windows-computer-data--iThome.html
author: Luc Génaux
date: 2023-11-28
modified: 2025-12-08
tags:
    - attack.impact
    - attack.defense-impairment
    - attack.t1486
    - attack.t1685
logsource:
    category: image_load
    product: windows
detection:
    selection:
        - ImageLoaded|endswith: '\RstrtMgr.dll'
        - OriginalFileName: 'RstrtMgr.dll'
    filter_main_generic:
        Image|startswith:
            - 'C:\$WINDOWS.~BT\'
            - 'C:\$WinREAgent\'
            - 'C:\Program Files (x86)\'
            - 'C:\Program Files\'
            - 'C:\ProgramData\'
            - 'C:\Windows\explorer.exe'
            - 'C:\Windows\SoftwareDistribution\'
            - 'C:\Windows\SysNative\'
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
            - 'C:\Windows\WinSxS\'
            - 'C:\WUDownloadCache\'
    filter_main_user_software_installations:
        Image|startswith: 'C:\Users\'
        Image|contains|all:
            - '\AppData\Local\Temp\is-'
            - '.tmp\'
        Image|endswith: '.tmp'
    filter_main_admin_software_installations:
        Image|startswith: 'C:\Windows\Temp\'
    filter_optional_onedrive:
        Image|startswith: 'C:\Users\'
        Image|endswith: '\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Other legitimate Windows processes not currently listed
    - Processes related to software installation
level: low
low
Local Accounts Discovery
Local accounts, System Owner/User discovery using operating system utilities
status test author Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community id 502b42de-4306-40b4-9596-6f590c81f073
title: Local Accounts Discovery
id: 502b42de-4306-40b4-9596-6f590c81f073
status: test
related:
    - id: e28a5a99-da44-436d-b7a0-2afc20a5f413 # Whoami Utility Execution
      type: obsolete
description: Local accounts, System Owner/User discovery using operating system utilities
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1033/T1033.md
author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community
date: 2019-10-21
modified: 2025-10-20
tags:
    - attack.discovery
    - attack.t1033
    - attack.t1087.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_other_img:
        - Image|endswith:
              - '\whoami.exe'
              - '\quser.exe'
              - '\qwinsta.exe'
        - OriginalFileName:
              - 'whoami.exe'
              - 'quser.exe'
              - 'qwinsta.exe'
    selection_other_wmi:
        Image|endswith: '\wmic.exe'
        CommandLine|contains|all:
            - 'useraccount'
            - 'get'
    selection_other_cmdkey:
        Image|endswith: '\cmdkey.exe'
        CommandLine|contains: ' /l'
    selection_cmd:
        Image|endswith: '\cmd.exe'
        CommandLine|contains|all:
            - ' /c'
            - 'dir '
            - '\Users\'
    filter_cmd:
        CommandLine|contains: ' rmdir ' # don't match on 'dir'   "C:\Windows\System32\cmd.exe" /q /c rmdir /s /q "C:\Users\XX\AppData\Local\Microsoft\OneDrive\19.232.1124.0005"
    selection_net:
        Image|endswith:
            - '\net.exe'
            - '\net1.exe'
        CommandLine|contains: 'user'
    filter_net:
        CommandLine|contains:
            - '/domain'       # local account discovery only
            - '/add'          # discovery only
            - '/delete'       # discovery only
            - '/active'       # discovery only
            - '/expires'      # discovery only
            - '/passwordreq'  # discovery only
            - '/scriptpath'   # discovery only
            - '/times'        # discovery only
            - '/workstations' # discovery only
    condition: (selection_cmd and not filter_cmd) or (selection_net and not filter_net) or 1 of selection_other_*
falsepositives:
    - Legitimate administrator or user enumerates local users for a legitimate reason
level: low
low
Local Firewall Rules Enumeration Via NetFirewallRule Cmdlet
Detects execution of "Get-NetFirewallRule" or "Show-NetFirewallRule" to enumerate the local firewall rules on a host.
status test author Christopher Peacock @SecurePeacock, SCYTHE @scythe_io id ea207a23-b441-4a17-9f76-ad5be47d51d3
title: Local Firewall Rules Enumeration Via NetFirewallRule Cmdlet
id: ea207a23-b441-4a17-9f76-ad5be47d51d3
status: test
description: Detects execution of "Get-NetFirewallRule" or "Show-NetFirewallRule" to enumerate the local firewall rules on a host.
references:
    - https://learn.microsoft.com/en-us/powershell/module/netsecurity/get-netfirewallrule?view=windowsserver2022-ps
    - https://learn.microsoft.com/en-us/powershell/module/netsecurity/show-netfirewallrule?view=windowsserver2022-ps
author: Christopher Peacock @SecurePeacock, SCYTHE @scythe_io
date: 2023-07-13
tags:
    - detection.threat-hunting
    - attack.discovery
    - attack.t1518.001
    - attack.t1016
logsource:
    product: windows
    category: ps_module
    definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
    selection_payload:
        Payload|contains:
            - 'Get-NetFirewallRule'
            - 'Show-NetFirewallRule'
    selection_contextinfo:
        ContextInfo|contains:
            - 'Get-NetFirewallRule'
            - 'Show-NetFirewallRule'
    condition: 1 of selection_*
falsepositives:
    - Administration scripts
level: low
low
Local Groups Discovery - Linux
Detects enumeration of local system groups. Adversaries may attempt to find local system groups and permission settings.
status test author Ömer Günal, Alejandro Ortuno, oscd.community id 676381a6-15ca-4d73-a9c8-6a22e970b90d
title: Local Groups Discovery - Linux
id: 676381a6-15ca-4d73-a9c8-6a22e970b90d
status: test
description: Detects enumeration of local system groups. Adversaries may attempt to find local system groups and permission settings.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.001/T1069.001.md
author: Ömer Günal, Alejandro Ortuno, oscd.community
date: 2020-10-11
modified: 2025-06-04
tags:
    - attack.discovery
    - attack.t1069.001
logsource:
    category: process_creation
    product: linux
detection:
    selection_1:
        Image|endswith: '/groups'
    selection_2:
        Image|endswith:
            - '/cat'
            - '/ed'
            - '/head'
            - '/less'
            - '/more'
            - '/nano'
            - '/tail'
            - '/vi'
            - '/vim'
        CommandLine|contains: '/etc/group'
    condition: 1 of selection_*
falsepositives:
    - Legitimate administration activities
level: low
low
Local Groups Reconnaissance Via Wmic.EXE
Detects the execution of "wmic" with the "group" flag. Adversaries may attempt to find local system groups and permission settings. The knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.
status test author frack113 id 164eda96-11b2-430b-85ff-6a265c15bf32
title: Local Groups Reconnaissance Via Wmic.EXE
id: 164eda96-11b2-430b-85ff-6a265c15bf32
status: test
description: |
    Detects the execution of "wmic" with the "group" flag.
    Adversaries may attempt to find local system groups and permission settings.
    The knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group.
    Adversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.001/T1069.001.md
author: frack113
date: 2021-12-12
modified: 2023-02-14
tags:
    - attack.discovery
    - attack.t1069.001
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        - Image|endswith: '\wmic.exe'
        - OriginalFileName: 'wmic.exe'
    selection_cli:
        CommandLine|contains: ' group'
    condition: all of selection*
falsepositives:
    - Unknown
level: low
low
Local System Accounts Discovery - Linux
Detects enumeration of local system accounts. This information can help adversaries determine which local accounts exist on a system to aid in follow-on behavior.
status test author Alejandro Ortuno, oscd.community, CheraghiMilad id b45e3d6f-42c6-47d8-a478-df6bd6cf534c
title: Local System Accounts Discovery - Linux
id: b45e3d6f-42c6-47d8-a478-df6bd6cf534c
status: test
description: Detects enumeration of local system accounts. This information can help adversaries determine which local accounts exist on a system to aid in follow-on behavior.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1087.001/T1087.001.md
    - https://my.f5.com/manage/s/article/K589
    - https://man.freebsd.org/cgi/man.cgi?pwd_mkdb
author: Alejandro Ortuno, oscd.community, CheraghiMilad
date: 2020-10-08
modified: 2024-12-10
tags:
    - attack.discovery
    - attack.t1087.001
logsource:
    category: process_creation
    product: linux
detection:
    selection_1:
        Image|endswith: '/lastlog'
    selection_2:
        CommandLine|contains: '''x:0:'''
    selection_3:
        Image|endswith:
            - '/cat'
            - '/ed'
            - '/head'
            - '/more'
            - '/nano'
            - '/tail'
            - '/vi'
            - '/vim'
            - '/less'
            - '/emacs'
            - '/sqlite3'
            - '/makemap'
        CommandLine|contains:
            - '/etc/passwd'
            - '/etc/shadow'
            - '/etc/sudoers'
            - '/etc/spwd.db'
            - '/etc/pwd.db'
            - '/etc/master.passwd'
    selection_4:
        Image|endswith: '/id'
    selection_5:
        Image|endswith: '/lsof'
        CommandLine|contains: '-u'
    condition: 1 of selection*
falsepositives:
    - Legitimate administration activities
level: low
low
Local System Accounts Discovery - MacOs
Detects enumeration of local system accounts on MacOS
status test author Alejandro Ortuno, oscd.community id ddf36b67-e872-4507-ab2e-46bda21b842c
title: Local System Accounts Discovery - MacOs
id: ddf36b67-e872-4507-ab2e-46bda21b842c
status: test
description: Detects enumeration of local system accounts on MacOS
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1087.001/T1087.001.md
author: Alejandro Ortuno, oscd.community
date: 2020-10-08
modified: 2022-11-27
tags:
    - attack.discovery
    - attack.t1087.001
logsource:
    category: process_creation
    product: macos
detection:
    selection_1:
        Image|endswith: '/dscl'
        CommandLine|contains|all:
            - 'list'
            - '/users'
    selection_2:
        Image|endswith: '/dscacheutil'
        CommandLine|contains|all:
            - '-q'
            - 'user'
    selection_3:
        CommandLine|contains: '''x:0:'''
    selection_4:
        Image|endswith: '/cat'
        CommandLine|contains:
            - '/etc/passwd'
            - '/etc/sudoers'
    selection_5:
        Image|endswith: '/id'
    selection_6:
        Image|endswith: '/lsof'
        CommandLine|contains: '-u'
    condition: 1 of selection*
falsepositives:
    - Legitimate administration activities
level: low
low
Local User Creation
Detects local user creation on Windows servers, which shouldn't happen in an Active Directory environment. Apply this Sigma Use Case on your Windows server logs and not on your DC logs.
status test author Patrick Bareiss id 66b6be3d-55d0-4f47-9855-d69df21740ea
title: Local User Creation
id: 66b6be3d-55d0-4f47-9855-d69df21740ea
status: test
description: |
    Detects local user creation on Windows servers, which shouldn't happen in an Active Directory environment. Apply this Sigma Use Case on your Windows server logs and not on your DC logs.
references:
    - https://patrick-bareiss.com/detecting-local-user-creation-in-ad-with-sigma/
author: Patrick Bareiss
date: 2019-04-18
modified: 2021-01-17
tags:
    - attack.persistence
    - attack.t1136.001
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4720
    condition: selection
falsepositives:
    - Domain Controller Logs
    - Local accounts managed by privileged account management tools
level: low
low
MSSQL Server Failed Logon
Detects failed logon attempts from clients to MSSQL server.
status test author Nasreddine Bencherchali (Nextron Systems), j4son id 218d2855-2bba-4f61-9c85-81d0ea63ac71
title: MSSQL Server Failed Logon
id: 218d2855-2bba-4f61-9c85-81d0ea63ac71
related:
    - id: ebfe73c2-5bc9-4ed9-aaa8-8b54b2b4777d
      type: similar
status: test
description: Detects failed logon attempts from clients to MSSQL server.
references:
    - https://cybersecthreat.com/2020/07/08/enable-mssql-authentication-log-to-eventlog/
    - https://www.experts-exchange.com/questions/27800944/EventID-18456-Failed-to-open-the-explicitly-specified-database.html
author: Nasreddine Bencherchali (Nextron Systems), j4son
date: 2023-10-11
modified: 2024-06-26
tags:
    - attack.credential-access
    - attack.t1110
logsource:
    product: windows
    service: application
    definition: 'Requirements: Must enable MSSQL authentication.'
detection:
    selection:
        Provider_Name|contains: 'MSSQL' # Note: We use contains to account for other third party providers - See https://github.com/SigmaHQ/sigma/issues/4876
        EventID: 18456
    condition: selection
falsepositives:
    - This event could stem from users changing an account's password that's used to authenticate via a job or an automated process. Investigate the source of such events and mitigate them
level: low