Home/Sigma rules
Sigma

Sigma detection rules

9 rules indexed · SIEM-agnostic detection content
Sigma is the open generic signature format for SIEM systems. Each rule below converts to native syntax for Splunk, Elastic, Sentinel, and other SIEMs. Expand any rule to see its raw YAML.
Severity critical high medium low all severities

Detection rules

9 shown of 9
high
OpenCanary - SNMP OID Request
Detects instances where an SNMP service on an OpenCanary node has had an OID request.
status test author Security Onion Solutions id e9856028-fd4e-46e6-b3d1-10f7ceb95078
view Sigma YAML 
title: OpenCanary - SNMP OID Request
id: e9856028-fd4e-46e6-b3d1-10f7ceb95078
status: test
description: Detects instances where an SNMP service on an OpenCanary node has had an OID request.
references:
    - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
    - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
author: Security Onion Solutions
date: 2024-03-08
tags:
    - attack.discovery
    - attack.lateral-movement
    - attack.t1016
    - attack.t1021
logsource:
    category: application
    product: opencanary
detection:
    selection:
        logtype: 13001
    condition: selection
falsepositives:
    - Unlikely
level: high
medium
Potential Recon Activity Via Nltest.EXE
Detects nltest commands that can be used for information discovery
status test author Craig Young, oscd.community, Georg Lauenstein id 5cc90652-4cbd-4241-aa3b-4b462fa5a248
view Sigma YAML 
title: Potential Recon Activity Via Nltest.EXE
id: 5cc90652-4cbd-4241-aa3b-4b462fa5a248
related:
    - id: 410ad193-a728-4107-bc79-4419789fcbf8
      type: similar
    - id: 903076ff-f442-475a-b667-4f246bcc203b
      type: similar
    - id: 77815820-246c-47b8-9741-e0def3f57308
      type: obsolete
status: test
description: Detects nltest commands that can be used for information discovery
references:
    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11)
    - https://thedfirreport.com/2021/08/16/trickbot-leads-up-to-fake-1password-installation/
    - https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/
    - https://book.hacktricks.xyz/windows/basic-cmd-for-pentesters
    - https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/
    - https://eqllib.readthedocs.io/en/latest/analytics/03e231a6-74bc-467a-acb1-e5676b0fb55e.html
    - https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/
    - https://github.com/redcanaryco/atomic-red-team/blob/5360c9d9ffa3b25f6495f7a16e267b719eba2c37/atomics/T1482/T1482.md#atomic-test-2---windows---discover-domain-trusts-with-nltest
author: Craig Young, oscd.community, Georg Lauenstein
date: 2021-07-24
modified: 2023-12-15
tags:
    - attack.discovery
    - attack.t1016
    - attack.t1482
logsource:
    category: process_creation
    product: windows
detection:
    selection_nltest:
        - Image|endswith: '\nltest.exe'
        - OriginalFileName: 'nltestrk.exe'
    selection_recon:
        - CommandLine|contains|all:
              - 'server'
              - 'query'
        - CommandLine|contains:
              - '/user'
              - 'all_trusts' # Flag for /domain_trusts
              - 'dclist:'
              - 'dnsgetdc:'
              - 'domain_trusts'
              - 'dsgetdc:'
              - 'parentdomain'
              - 'trusted_domains'
    condition: all of selection_*
falsepositives:
    - Legitimate administration use but user and host must be investigated
level: medium
medium
Suspicious Network Connection to IP Lookup Service APIs
Detects external IP address lookups by non-browser processes via services such as "api.ipify.org". This could be indicative of potential post compromise internet test activity.
status test author Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems) id edf3485d-dac4-4d50-90e4-b0e5813f7e60
view Sigma YAML 
title: Suspicious Network Connection to IP Lookup Service APIs
id: edf3485d-dac4-4d50-90e4-b0e5813f7e60
related:
    - id: ec82e2a5-81ea-4211-a1f8-37a0286df2c2
      type: derived
status: test
description: Detects external IP address lookups by non-browser processes via services such as "api.ipify.org". This could be indicative of potential post compromise internet test activity.
references:
    - https://github.com/rsp/scripts/blob/c8bb272d68164a9836e4f273d8f924927f39b8c6/externalip-benchmark.md
    - https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-302a
    - https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/
    - https://www.trendmicro.com/en_us/research/23/e/managed-xdr-investigation-of-ducktail-in-trend-micro-vision-one.html
author: Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems)
date: 2023-04-24
modified: 2024-03-22
tags:
    - attack.discovery
    - attack.t1016
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        - DestinationHostname:
              - 'www.ip.cn'
              - 'l2.io'
        - DestinationHostname|contains:
              - 'api.2ip.ua'
              - 'api.bigdatacloud.net'
              - 'api.ipify.org'
              - 'bot.whatismyipaddress.com'
              - 'canireachthe.net'
              - 'checkip.amazonaws.com'
              - 'checkip.dyndns.org'
              - 'curlmyip.com'
              - 'db-ip.com'
              - 'edns.ip-api.com'
              - 'eth0.me'
              - 'freegeoip.app'
              - 'geoipy.com'
              - 'getip.pro'
              - 'icanhazip.com'
              - 'ident.me'
              - 'ifconfig.io'
              - 'ifconfig.me'
              - 'ip-api.com'
              - 'ip.360.cn'
              - 'ip.anysrc.net'
              - 'ip.taobao.com'
              - 'ip.tyk.nu'
              - 'ipaddressworld.com'
              - 'ipapi.co'
              - 'ipconfig.io'
              - 'ipecho.net'
              - 'ipinfo.io'
              - 'ipip.net'
              - 'ipof.in'
              - 'ipv4.icanhazip.com'
              - 'ipv4bot.whatismyipaddress.com'
              - 'ipv6-test.com'
              - 'ipwho.is'
              - 'jsonip.com'
              - 'myexternalip.com'
              - 'seeip.org'
              - 'wgetip.com'
              - 'whatismyip.akamai.com'
              - 'whois.pconline.com.cn'
              - 'wtfismyip.com'
    filter_optional_brave:
        Image|endswith: '\brave.exe'
    filter_optional_chrome:
        Image:
            - 'C:\Program Files\Google\Chrome\Application\chrome.exe'
            - 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe'
    filter_optional_firefox:
        Image:
            - 'C:\Program Files\Mozilla Firefox\firefox.exe'
            - 'C:\Program Files (x86)\Mozilla Firefox\firefox.exe'
    filter_optional_ie:
        Image:
            - 'C:\Program Files (x86)\Internet Explorer\iexplore.exe'
            - 'C:\Program Files\Internet Explorer\iexplore.exe'
    filter_optional_maxthon:
        Image|endswith: '\maxthon.exe'
    filter_optional_edge_1:
        - Image|startswith: 'C:\Program Files (x86)\Microsoft\EdgeWebView\Application\'
        - Image|endswith: '\WindowsApps\MicrosoftEdge.exe'
        - Image:
              - 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
              - 'C:\Program Files\Microsoft\Edge\Application\msedge.exe'
    filter_optional_edge_2:
        Image|startswith:
            - 'C:\Program Files (x86)\Microsoft\EdgeCore\'
            - 'C:\Program Files\Microsoft\EdgeCore\'
        Image|endswith:
            - '\msedge.exe'
            - '\msedgewebview2.exe'
    filter_optional_opera:
        Image|endswith: '\opera.exe'
    filter_optional_safari:
        Image|endswith: '\safari.exe'
    filter_optional_seamonkey:
        Image|endswith: '\seamonkey.exe'
    filter_optional_vivaldi:
        Image|endswith: '\vivaldi.exe'
    filter_optional_whale:
        Image|endswith: '\whale.exe'
    condition: selection and not 1 of filter_optional_*
falsepositives:
    - Legitimate use of the external websites for troubleshooting or network monitoring
level: medium
low
Cisco Discovery
Find information about network devices that is not stored in config files
status test author Austin Clark id 9705a6a1-6db6-4a16-a987-15b7151e299b
view Sigma YAML 
title: Cisco Discovery
id: 9705a6a1-6db6-4a16-a987-15b7151e299b
status: test
description: Find information about network devices that is not stored in config files
references:
    - https://www.cisco.com/c/en/us/td/docs/server_nw_virtual/2-5_release/command_reference/show.html
author: Austin Clark
date: 2019-08-12
modified: 2023-01-04
tags:
    - attack.discovery
    - attack.t1083
    - attack.t1201
    - attack.t1057
    - attack.t1018
    - attack.t1082
    - attack.t1016
    - attack.t1049
    - attack.t1033
    - attack.t1124
logsource:
    product: cisco
    service: aaa
detection:
    keywords:
        - 'dir'
        - 'show arp'
        - 'show cdp'
        - 'show clock'
        - 'show ip interface'
        - 'show ip route'
        - 'show ip sockets'
        - 'show processes'
        - 'show ssh'
        - 'show users'
        - 'show version'
    condition: keywords
falsepositives:
    - Commonly used by administrators for troubleshooting
level: low
low
Firewall Configuration Discovery Via Netsh.EXE
Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems
status test author frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io' id 0e4164da-94bc-450d-a7be-a4b176179f1f
view Sigma YAML 
title: Firewall Configuration Discovery Via Netsh.EXE
id: 0e4164da-94bc-450d-a7be-a4b176179f1f
status: test
description: Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1016/T1016.md#atomic-test-2---list-windows-firewall-rules
    - https://ss64.com/nt/netsh.html
author: frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'
date: 2021-12-07
modified: 2025-10-18
tags:
    - attack.discovery
    - attack.t1016
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\netsh.exe'
        - OriginalFileName: 'netsh.exe'
    selection_cli:
        CommandLine|contains|all:
            - 'netsh'
            - 'show '
            - 'firewall '
        CommandLine|contains:
            - 'config '
            - 'state '
            - 'rule '
            - 'name=all'
    condition: all of selection_*
falsepositives:
    - Administrative activity
level: low
low
Nltest.EXE Execution
Detects nltest commands that can be used for information discovery
status test author Arun Chauhan id 903076ff-f442-475a-b667-4f246bcc203b
view Sigma YAML 
title: Nltest.EXE Execution
id: 903076ff-f442-475a-b667-4f246bcc203b
related:
    - id: 5cc90652-4cbd-4241-aa3b-4b462fa5a248
      type: similar
    - id: eeb66bbb-3dde-4582-815a-584aee9fe6d1
      type: obsolete
status: test
description: Detects nltest commands that can be used for information discovery
references:
    - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/nltest.htm
author: Arun Chauhan
date: 2023-02-03
tags:
    - attack.discovery
    - attack.t1016
    - attack.t1018
    - attack.t1482
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '\nltest.exe'
        - OriginalFileName: 'nltestrk.exe'
    condition: selection
falsepositives:
    - Legitimate administration activity
level: low
low
Suspicious Network Command
Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems
status test author frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io' id a29c1813-ab1f-4dde-b489-330b952e91ae
view Sigma YAML 
title: Suspicious Network Command
id: a29c1813-ab1f-4dde-b489-330b952e91ae
status: test
description: Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1016/T1016.md#atomic-test-1---system-network-configuration-discovery-on-windows
author: frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'
date: 2021-12-07
modified: 2025-10-19
tags:
    - attack.discovery
    - attack.t1016
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|re:
            - 'ipconfig\s+/all'
            - 'netsh\s+interface show interface'
            - 'arp\s+-a'
            - 'nbtstat\s+-n'
            - 'net\s+config'
            - 'route\s+print'
    condition: selection
falsepositives:
    - Administrator, hotline ask to user
level: low
informational
System Network Discovery - Linux
Detects enumeration of local network configuration
status test author Ömer Günal and remotephone, oscd.community id e7bd1cfa-b446-4c88-8afb-403bcd79e3fa
view Sigma YAML 
title: System Network Discovery - Linux
id: e7bd1cfa-b446-4c88-8afb-403bcd79e3fa
status: test
description: Detects enumeration of local network configuration
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1016/T1016.md
author: Ömer Günal and remotephone, oscd.community
date: 2020-10-06
modified: 2022-09-15
tags:
    - attack.discovery
    - attack.t1016
logsource:
    category: process_creation
    product: linux
detection:
    selection_img:
        Image|endswith:
            - '/firewall-cmd'
            - '/ufw'
            - '/iptables'
            - '/netstat'
            - '/ss'
            - '/ip'
            - '/ifconfig'
            - '/systemd-resolve'
            - '/route'
    selection_cli:
        CommandLine|contains: '/etc/resolv.conf'
    condition: 1 of selection_*
falsepositives:
    - Legitimate administration activities
level: informational
informational
System Network Discovery - macOS
Detects enumeration of local network configuration
status test author remotephone, oscd.community id 58800443-f9fc-4d55-ae0c-98a3966dfb97
view Sigma YAML 
title: System Network Discovery - macOS
id: 58800443-f9fc-4d55-ae0c-98a3966dfb97
status: test
description: Detects enumeration of local network configuration
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1016/T1016.md
author: remotephone, oscd.community
date: 2020-10-06
modified: 2024-08-29
tags:
    - attack.discovery
    - attack.t1016
logsource:
    product: macos
    category: process_creation
detection:
    selection_1:
        Image|endswith:
            - '/arp'
            - '/ifconfig'
            - '/netstat'
            - '/networksetup'
            - '/socketfilterfw'
    selection_2:
        Image: '/usr/bin/defaults'
        CommandLine|contains|all:
            - '/Library/Preferences/com.apple.alf'
            - 'read'
    filter_main_wifivelocityd:
        ParentImage|endswith: '/wifivelocityd'
    condition: 1 of selection_* and not 1 of filter_main_*
falsepositives:
    - Legitimate administration activities
level: informational
Showing 1-9 of 9
Prev 1 Next
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin