Home/Sigma rules
Sigma

Sigma detection rules

5 rules indexed · SIEM-agnostic detection content
Sigma is the open generic signature format for SIEM systems. Each rule below converts to native syntax for Splunk, Elastic, Sentinel, and other SIEMs. Expand any rule to see its raw YAML.
Severity critical high medium low all severities

Detection rules

5 shown of 5
medium
Bitbucket Global SSH Settings Changed
Detects Bitbucket global SSH access configuration changes.
status test author Muhammad Faisal (@faisalusuf) id 16ab6143-510a-44e2-a615-bdb80b8317fc
view Sigma YAML 
title: Bitbucket Global SSH Settings Changed
id: 16ab6143-510a-44e2-a615-bdb80b8317fc
status: test
description: Detects Bitbucket global SSH access configuration changes.
references:
    - https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html
    - https://confluence.atlassian.com/bitbucketserver/enable-ssh-access-to-git-repositories-776640358.html
author: Muhammad Faisal (@faisalusuf)
date: 2024-02-25
tags:
    - attack.lateral-movement
    - attack.defense-impairment
    - attack.t1685
    - attack.t1021.004
logsource:
    product: bitbucket
    service: audit
    definition: 'Requirements: "Advance" log level is required to receive these audit events.'
detection:
    selection:
        auditType.category: 'Global administration'
        auditType.action: 'SSH settings changed'
    condition: selection
falsepositives:
    - Legitimate user activity.
level: medium
medium
Bitbucket User Login Failure Via SSH
Detects SSH user login access failures. Please note that this rule can be noisy and is recommended to use with correlation based on "author.name" field.
status test author Muhammad Faisal (@faisalusuf) id d3f90469-fb05-42ce-b67d-0fded91bbef3
view Sigma YAML 
title: Bitbucket User Login Failure Via SSH
id: d3f90469-fb05-42ce-b67d-0fded91bbef3
status: test
description: |
    Detects SSH user login access failures.
    Please note that this rule can be noisy and is recommended to use with correlation based on "author.name" field.
references:
    - https://confluence.atlassian.com/bitbucketserver/view-and-configure-the-audit-log-776640417.html
    - https://confluence.atlassian.com/bitbucketserver/enable-ssh-access-to-git-repositories-776640358.html
author: Muhammad Faisal (@faisalusuf)
date: 2024-02-25
tags:
    - attack.lateral-movement
    - attack.credential-access
    - attack.t1021.004
    - attack.t1110
logsource:
    product: bitbucket
    service: audit
    definition: 'Requirements: "Advance" log level is required to receive these audit events.'
detection:
    selection:
        auditType.category: 'Authentication'
        auditType.action: 'User login failed(SSH)'
    condition: selection
falsepositives:
    - Legitimate user wrong password attempts.
level: medium
medium
OpenEDR Spawning Command Shell
Detects the OpenEDR ssh-shellhost.exe spawning a command shell (cmd.exe) or PowerShell with PTY (pseudo-terminal) capabilities. This may indicate remote command execution through OpenEDR's remote management features, which could be legitimate administrative activity or potential abuse of the remote access tool. Threat actors may leverage OpenEDR's remote shell capabilities to execute commands on compromised systems, facilitating lateral movement or other command-and-control operations.
status experimental author @kostastsale id 7f3a9c2d-4e8b-4a7f-9d3e-5c6f8a9b2e1d
view Sigma YAML 
title: OpenEDR Spawning Command Shell
id: 7f3a9c2d-4e8b-4a7f-9d3e-5c6f8a9b2e1d
status: experimental
description: |
    Detects the OpenEDR ssh-shellhost.exe spawning a command shell (cmd.exe) or PowerShell with PTY (pseudo-terminal) capabilities.
    This may indicate remote command execution through OpenEDR's remote management features, which could be legitimate administrative activity or potential abuse of the remote access tool.
    Threat actors may leverage OpenEDR's remote shell capabilities to execute commands on compromised systems, facilitating lateral movement or other command-and-control operations.
author: '@kostastsale'
date: 2026-02-19
references:
    - https://kostas-ts.medium.com/detecting-abuse-of-openedrs-permissive-edr-trial-a-security-researcher-s-perspective-fc55bf53972c
tags:
    - attack.execution
    - attack.t1059.003
    - attack.lateral-movement
    - attack.t1021.004
    - attack.command-and-control
    - attack.t1219
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        ParentImage|endswith: '\ITSMService.exe'
        Image|endswith: '\ssh-shellhost.exe'
        CommandLine|contains: '--pty'
    selection_cli_shell:
        CommandLine|contains:
            - 'bash'
            - 'cmd'
            - 'powershell'
            - 'pwsh'
    condition: all of selection_*
falsepositives:
    - Legitimate use of OpenEDR for remote command execution
level: medium
medium
OpenSSH Server Listening On Socket
Detects scenarios where an attacker enables the OpenSSH server and server starts to listening on SSH socket.
status test author mdecrevoisier id 3ce8e9a4-bc61-4c9b-8e69-d7e2492a8781
view Sigma YAML 
title: OpenSSH Server Listening On Socket
id: 3ce8e9a4-bc61-4c9b-8e69-d7e2492a8781
status: test
description: Detects scenarios where an attacker enables the OpenSSH server and server starts to listening on SSH socket.
references:
    - https://github.com/mdecrevoisier/EVTX-to-MITRE-Attack/tree/master/TA0008-Lateral%20Movement/T1021.004-Remote%20Service%20SSH
    - https://winaero.com/enable-openssh-server-windows-10/
    - https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse
    - https://virtualizationreview.com/articles/2020/05/21/ssh-server-on-windows-10.aspx
    - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
author: mdecrevoisier
date: 2022-10-25
tags:
    - attack.lateral-movement
    - attack.t1021.004
logsource:
    product: windows
    service: openssh
detection:
    selection:
        EventID: 4
        process: sshd
        payload|startswith: 'Server listening on '
    condition: selection
falsepositives:
    - Legitimate administrator activity
level: medium
medium
Port Forwarding Activity Via SSH.EXE
Detects port forwarding activity via SSH.exe
status test author Nasreddine Bencherchali (Nextron Systems) id 327f48c1-a6db-4eb8-875a-f6981f1b0183
view Sigma YAML 
title: Port Forwarding Activity Via SSH.EXE
id: 327f48c1-a6db-4eb8-875a-f6981f1b0183
status: test
description: Detects port forwarding activity via SSH.exe
references:
    - https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-12
modified: 2024-03-05
tags:
    - attack.command-and-control
    - attack.lateral-movement
    - attack.t1572
    - attack.t1021.001
    - attack.t1021.004
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\ssh.exe'
        CommandLine|contains|windash: ' -R '
    condition: selection
falsepositives:
    - Administrative activity using a remote port forwarding to a local port
level: medium
Showing 1-5 of 5
Prev 1 Next
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin