Home/Sigma rules
Sigma

Sigma detection rules

8 rules indexed · SIEM-agnostic detection content
Sigma is the open generic signature format for SIEM systems. Each rule below converts to native syntax for Splunk, Elastic, Sentinel, and other SIEMs. Expand any rule to see its raw YAML.
Severity critical high medium low all severities

Detection rules

8 shown of 8
high
Modification or Deletion of an AWS RDS Cluster
Detects modifications to an RDS cluster or its deletion, which may indicate potential data exfiltration attempts, unauthorized access, or exposure of sensitive information.
status experimental author Ivan Saakov id 457cc9ac-d8e6-4d1d-8c0e-251d0f11a74c
view Sigma YAML 
title: Modification or Deletion of an AWS RDS Cluster
id: 457cc9ac-d8e6-4d1d-8c0e-251d0f11a74c
status: experimental
description: Detects modifications to an RDS cluster or its deletion, which may indicate potential data exfiltration attempts, unauthorized access, or exposure of sensitive information.
references:
    - https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_ModifyDBCluster.html
    - https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DeleteDBCluster.html
    - https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-privilege-escalation/aws-rds-privesc#rds-modifydbinstance
author: Ivan Saakov
date: 2024-12-06
tags:
    - attack.exfiltration
    - attack.t1020
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        eventSource: rds.amazonaws.com
        eventName:
            - ModifyDBCluster
            - DeleteDBCluster
    condition: selection
falsepositives:
    - Verify if the modification or deletion was performed by an authorized administrator.
    - Confirm if the modification or deletion was part of a planned change or maintenance activity.
level: high
high
Restore Public AWS RDS Instance
Detects the recovery of a new public database instance from a snapshot. It may be a part of data exfiltration.
status test author faloker id c3f265c7-ff03-4056-8ab2-d486227b4599
view Sigma YAML 
title: Restore Public AWS RDS Instance
id: c3f265c7-ff03-4056-8ab2-d486227b4599
status: test
description: Detects the recovery of a new public database instance from a snapshot. It may be a part of data exfiltration.
references:
    - https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/rds__explore_snapshots/main.py
author: faloker
date: 2020-02-12
modified: 2022-10-09
tags:
    - attack.exfiltration
    - attack.t1020
logsource:
    product: aws
    service: cloudtrail
detection:
    selection_source:
        eventSource: rds.amazonaws.com
        responseElements.publiclyAccessible: 'true'
        eventName: RestoreDBInstanceFromDBSnapshot
    condition: selection_source
falsepositives:
    - Unknown
level: high
medium
AWS RDS Master Password Change
Detects the change of database master password. It may be a part of data exfiltration.
status test author faloker id 8a63cdd4-6207-414a-85bc-7e032bd3c1a2
view Sigma YAML 
title: AWS RDS Master Password Change
id: 8a63cdd4-6207-414a-85bc-7e032bd3c1a2
status: test
description: Detects the change of database master password. It may be a part of data exfiltration.
references:
    - https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/rds__explore_snapshots/main.py
author: faloker
date: 2020-02-12
modified: 2022-10-05
tags:
    - attack.exfiltration
    - attack.t1020
logsource:
    product: aws
    service: cloudtrail
detection:
    selection_source:
        eventSource: rds.amazonaws.com
        responseElements.pendingModifiedValues.masterUserPassword|contains: '*'
        eventName: ModifyDBInstance
    condition: selection_source
falsepositives:
    - Benign changes to a db instance
level: medium
medium
Github Fork Private Repositories Setting Enabled/Cleared
Detects when the policy allowing forks of private and internal repositories is changed (enabled or cleared).
status test author Romain Gaillard (@romain-gaillard) id 69b3bd1e-b38a-462f-9a23-fbdbf63d2294
view Sigma YAML 
title: Github Fork Private Repositories Setting Enabled/Cleared
id: 69b3bd1e-b38a-462f-9a23-fbdbf63d2294
status: test
description: |
    Detects when the policy allowing forks of private and internal repositories is changed (enabled or cleared).
references:
    - https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#private_repository_forking
author: Romain Gaillard (@romain-gaillard)
date: 2024-07-29
tags:
    - attack.persistence
    - attack.exfiltration
    - attack.t1020
    - attack.t1537
logsource:
    product: github
    service: audit
    definition: 'Requirements: The audit log streaming feature must be enabled to be able to receive such logs. You can enable following the documentation here: https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-audit-log-streaming'
detection:
    selection:
        action:
            - 'private_repository_forking.clear' # An enterprise owner cleared the policy setting for allowing forks of private and internal repositories, for a repository, organization or enterprise.
            - 'private_repository_forking.enable' # An enterprise owner enabled the policy setting for allowing forks of private and internal repositories, for a repository, organization or enterprise. Private and internal repositories are always allowed to be forked.
    condition: selection
falsepositives:
    - Allowed administrative activities.
level: medium
medium
Github Repository/Organization Transferred
Detects when a repository or an organization is being transferred to another location.
status test author Romain Gaillard (@romain-gaillard) id 04ad83ef-1a37-4c10-b57a-81092164bf33
view Sigma YAML 
title: Github Repository/Organization Transferred
id: 04ad83ef-1a37-4c10-b57a-81092164bf33
status: test
description: Detects when a repository or an organization is being transferred to another location.
references:
    - https://docs.github.com/en/repositories/creating-and-managing-repositories/transferring-a-repository
    - https://docs.github.com/en/organizations/managing-organization-settings/transferring-organization-ownership
    - https://docs.github.com/en/migrations
    - https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#migration
author: Romain Gaillard (@romain-gaillard)
date: 2024-07-29
tags:
    - attack.persistence
    - attack.exfiltration
    - attack.t1020
    - attack.t1537
logsource:
    product: github
    service: audit
    definition: 'Requirements: The audit log streaming feature must be enabled to be able to receive such logs. You can enable following the documentation here: https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-audit-log-streaming'
detection:
    selection:
        action:
            - 'migration.create' # A migration file was created for transferring data from a source location (such as a GitHub.com organization or a GitHub Enterprise Server instance) to a target GitHub Enterprise Server instance.
            - 'org.transfer_outgoing' # An organization was transferred between enterprise accounts.
            - 'org.transfer' # An organization was transferred between enterprise accounts.
            - 'repo.transfer_outgoing' # A repository was transferred to another repository network.
    condition: selection
falsepositives:
    - Allowed administrative activities.
level: medium
medium
PowerShell Script With File Hostname Resolving Capabilities
Detects PowerShell scripts that have capabilities to read files, loop through them and resolve DNS host entries.
status test author Nasreddine Bencherchali (Nextron Systems) id fbc5e92f-3044-4e73-a5c6-1c4359b539de
view Sigma YAML 
title: PowerShell Script With File Hostname Resolving Capabilities
id: fbc5e92f-3044-4e73-a5c6-1c4359b539de
status: test
description: Detects PowerShell scripts that have capabilities to read files, loop through them and resolve DNS host entries.
references:
    - https://www.fortypoundhead.com/showcontent.asp?artid=24022
    - https://labs.withsecure.com/publications/fin7-target-veeam-servers
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-05
tags:
    - attack.exfiltration
    - attack.t1020
logsource:
    product: windows
    category: ps_script
    definition: bade5735-5ab0-4aa7-a642-a11be0e40872
detection:
    selection:
        ScriptBlockText|contains|all:
            - 'Get-content '
            - 'foreach'
            - '[System.Net.Dns]::GetHostEntry'
            - 'Out-File'
    condition: selection
falsepositives:
    - The same functionality can be implemented by admin scripts, correlate with name and creator
level: medium
low
PowerShell Script With File Upload Capabilities
Detects PowerShell scripts leveraging the "Invoke-WebRequest" cmdlet to send data via either "PUT" or "POST" method.
status test author frack113 id d2e3f2f6-7e09-4bf2-bc5d-90186809e7fb
view Sigma YAML 
title: PowerShell Script With File Upload Capabilities
id: d2e3f2f6-7e09-4bf2-bc5d-90186809e7fb
status: test
description: Detects PowerShell scripts leveraging the "Invoke-WebRequest" cmdlet to send data via either "PUT" or "POST" method.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1020/T1020.md
    - https://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html
    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-webrequest?view=powershell-7.4
author: frack113
date: 2022-01-07
modified: 2025-07-18
tags:
    - attack.exfiltration
    - attack.t1020
logsource:
    product: windows
    category: ps_script
    definition: bade5735-5ab0-4aa7-a642-a11be0e40872
detection:
    selection_cmdlet:
        ScriptBlockText|contains:
            - 'Invoke-RestMethod'
            - 'Invoke-WebRequest'
            - 'irm '
            - 'iwr '
    selection_flag:
        ScriptBlockText|contains:
            - '-Method "POST"'
            - '-Method "PUT"'
            - '-Method POST'
            - '-Method PUT'
            - "-Method 'POST'"
            - "-Method 'PUT'"
    condition: all of selection_*
falsepositives:
    - Unknown
level: low
low
Suspicious Inbox Forwarding
Detects when a Microsoft Cloud App Security reported suspicious email forwarding rules, for example, if a user created an inbox rule that forwards a copy of all emails to an external address.
status test author Austin Songer @austinsonger id 6c220477-0b5b-4b25-bb90-66183b4089e8
view Sigma YAML 
title: Suspicious Inbox Forwarding
id: 6c220477-0b5b-4b25-bb90-66183b4089e8
status: test
description: Detects when a Microsoft Cloud App Security reported suspicious email forwarding rules, for example, if a user created an inbox rule that forwards a copy of all emails to an external address.
references:
    - https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy
    - https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference
author: Austin Songer @austinsonger
date: 2021-08-22
modified: 2022-10-09
tags:
    - attack.exfiltration
    - attack.t1020
logsource:
    service: threat_management
    product: m365
detection:
    selection:
        eventSource: SecurityComplianceCenter
        eventName: 'Suspicious inbox forwarding'
        status: success
    condition: selection
falsepositives:
    - Unknown
level: low
Showing 1-8 of 8
Prev 1 Next
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin