Home/Sigma rules
Sigma

Sigma detection rules

3 rules indexed · SIEM-agnostic detection content
Sigma is the open generic signature format for SIEM systems. Each rule below converts to native syntax for Splunk, Elastic, Sentinel, and other SIEMs. Expand any rule to see its raw YAML.
Severity critical high medium low all severities

Detection rules

3 shown of 3
high
Binary Padding - Linux
Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This rule detect using dd and truncate to add a junk data to file.
status test author Igor Fits, oscd.community id c52a914f-3d8b-4b2a-bb75-b3991e75f8ba
view Sigma YAML 
title: Binary Padding - Linux
id: c52a914f-3d8b-4b2a-bb75-b3991e75f8ba
status: test
description: |
    Adversaries may use binary padding to add junk data and change the on-disk representation of malware.
    This rule detect using dd and truncate to add a junk data to file.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027.001/T1027.001.md
author: Igor Fits, oscd.community
date: 2020-10-13
modified: 2023-05-03
tags:
    - attack.stealth
    - attack.t1027.001
logsource:
    product: linux
    service: auditd
detection:
    selection_execve:
        type: 'EXECVE'
    keywords_truncate:
        '|all':
            - 'truncate'
            - '-s'
    keywords_dd:
        '|all':
            - 'dd'
            - 'if='
    keywords_filter:
        - 'of='
    condition: selection_execve and (keywords_truncate or (keywords_dd and not keywords_filter))
falsepositives:
    - Unknown
level: high
simulation:
    - type: atomic-red-team
      name: Pad Binary to Change Hash - Linux/macOS dd
      technique: T1027.001
      atomic_guid: ffe2346c-abd5-4b45-a713-bf5f1ebd573a
high
Binary Padding - MacOS
Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This rule detect using dd and truncate to add a junk data to file.
status test author Igor Fits, Mikhail Larin, oscd.community id 95361ce5-c891-4b0a-87ca-e24607884a96
view Sigma YAML 
title: Binary Padding - MacOS
id: 95361ce5-c891-4b0a-87ca-e24607884a96
status: test
description: Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This rule detect using dd and truncate to add a junk data to file.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027.001/T1027.001.md
    - https://linux.die.net/man/1/truncate
    - https://linux.die.net/man/1/dd
author: 'Igor Fits, Mikhail Larin, oscd.community'
date: 2020-10-19
modified: 2023-02-17
tags:
    - attack.stealth
    - attack.t1027.001
logsource:
    product: macos
    category: process_creation
detection:
    selection_truncate:
        Image|endswith: '/truncate'
        CommandLine|contains: '-s +'
    selection_dd:
        Image|endswith: '/dd'
        CommandLine|contains:
            - 'if=/dev/zero' # if input is not /dev/zero, then there is no null padding
            - 'if=/dev/random' # high-quality random data
            - 'if=/dev/urandom' # low-quality random data
    condition: 1 of selection_*
falsepositives:
    - Legitimate script work
level: high
informational
Failed Code Integrity Checks
Detects code integrity failures such as missing page hashes or corrupted drivers due unauthorized modification. This could be a sign of tampered binaries.
status stable author Thomas Patzke id 470ec5fa-7b4e-4071-b200-4c753100f49b
view Sigma YAML 
title: Failed Code Integrity Checks
id: 470ec5fa-7b4e-4071-b200-4c753100f49b
status: stable
description: |
    Detects code integrity failures such as missing page hashes or corrupted drivers due unauthorized modification. This could be a sign of tampered binaries.
references:
    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5038
    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6281
author: Thomas Patzke
date: 2019-12-03
modified: 2025-01-19
tags:
    - attack.stealth
    - attack.t1027.001
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID:
            - 5038
            - 6281
    filter_optional_crowdstrike:
        param1|contains:
            - '\CSFalconServiceUninstallTool_'
            - '\Program Files\CrowdStrike\'
            - '\System32\drivers\CrowdStrike\'
            - '\Windows\System32\ScriptControl64_'
    filter_optional_sophos:
        param1|contains: '\Program Files\Sophos\'
    condition: selection and not 1 of filter_optional_*
falsepositives:
    - Disk device errors
level: informational
Showing 1-3 of 3
Prev 1 Next
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin