Home/Sigma rules
Sigma

Sigma detection rules

19 rules indexed · SIEM-agnostic detection content
Sigma is the open generic signature format for SIEM systems. Each rule below converts to native syntax for Splunk, Elastic, Sentinel, and other SIEMs. Expand any rule to see its raw YAML.
Severity critical high medium low all severities

Detection rules

19 shown of 19
high
HackTool - WinPwn Execution
Detects commandline keywords indicative of potential usge of the tool WinPwn. A tool for Windows and Active Directory reconnaissance and exploitation.
status test author Swachchhanda Shrawan Poudel id d557dc06-62e8-4468-a8e8-7984124908ce
view Sigma YAML 
title: HackTool - WinPwn Execution
id: d557dc06-62e8-4468-a8e8-7984124908ce
related:
    - id: 851fd622-b675-4d26-b803-14bc7baa517a
      type: similar
status: test
description: |
    Detects commandline keywords indicative of potential usge of the tool WinPwn. A tool for Windows and Active Directory reconnaissance and exploitation.
author: Swachchhanda Shrawan Poudel
date: 2023-12-04
references:
    - https://github.com/S3cur3Th1sSh1t/WinPwn
    - https://www.publicnow.com/view/EB87DB49C654D9B63995FAD4C9DE3D3CC4F6C3ED?1671634841
    - https://reconshell.com/winpwn-tool-for-internal-windows-pentesting-and-ad-security/
    - https://github.com/redcanaryco/atomic-red-team/blob/4d6c4e8e23d465af7a2388620cfe3f8c76e16cf0/atomics/T1082/T1082.md
    - https://grep.app/search?q=winpwn&filter[repo][0]=redcanaryco/atomic-red-team
tags:
    - attack.credential-access
    - attack.discovery
    - attack.execution
    - attack.privilege-escalation
    - attack.t1046
    - attack.t1082
    - attack.t1106
    - attack.t1518
    - attack.t1548.002
    - attack.t1552.001
    - attack.t1555
    - attack.t1555.003
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            - 'Offline_Winpwn'
            - 'WinPwn '
            - 'WinPwn.exe'
            - 'WinPwn.ps1'
    condition: selection
falsepositives:
    - Unknown
level: high
high
HackTool - WinPwn Execution - ScriptBlock
Detects scriptblock text keywords indicative of potential usge of the tool WinPwn. A tool for Windows and Active Directory reconnaissance and exploitation.
status test author Swachchhanda Shrawan Poudel id 851fd622-b675-4d26-b803-14bc7baa517a
view Sigma YAML 
title: HackTool - WinPwn Execution - ScriptBlock
id: 851fd622-b675-4d26-b803-14bc7baa517a
related:
    - id: d557dc06-62e8-4468-a8e8-7984124908ce
      type: similar
status: test
description: |
    Detects scriptblock text keywords indicative of potential usge of the tool WinPwn. A tool for Windows and Active Directory reconnaissance and exploitation.
author: Swachchhanda Shrawan Poudel
date: 2023-12-04
references:
    - https://github.com/S3cur3Th1sSh1t/WinPwn
    - https://www.publicnow.com/view/EB87DB49C654D9B63995FAD4C9DE3D3CC4F6C3ED?1671634841
    - https://reconshell.com/winpwn-tool-for-internal-windows-pentesting-and-ad-security/
    - https://github.com/redcanaryco/atomic-red-team/blob/4d6c4e8e23d465af7a2388620cfe3f8c76e16cf0/atomics/T1082/T1082.md
    - https://grep.app/search?q=winpwn&filter[repo][0]=redcanaryco/atomic-red-team
tags:
    - attack.credential-access
    - attack.discovery
    - attack.execution
    - attack.privilege-escalation
    - attack.t1046
    - attack.t1082
    - attack.t1106
    - attack.t1518
    - attack.t1548.002
    - attack.t1552.001
    - attack.t1555
    - attack.t1555.003
logsource:
    category: ps_script
    product: windows
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains:
            - 'Offline_Winpwn'
            - 'WinPwn '
            - 'WinPwn.exe'
            - 'WinPwn.ps1'
    condition: selection
falsepositives:
    - As the script block is a blob of text. False positive may occur with scripts that contain the keyword as a reference or simply use it for detection.
level: high
high
HackTool - winPEAS Execution
WinPEAS is a script that search for possible paths to escalate privileges on Windows hosts. The checks are explained on book.hacktricks.xyz
status test author Georg Lauenstein (sure[secure]) id 98b53e78-ebaf-46f8-be06-421aafd176d9
view Sigma YAML 
title: HackTool - winPEAS Execution
id: 98b53e78-ebaf-46f8-be06-421aafd176d9
status: test
description: WinPEAS is a script that search for possible paths to escalate privileges on Windows hosts. The checks are explained on book.hacktricks.xyz
references:
    - https://github.com/carlospolop/PEASS-ng
    - https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation
author: Georg Lauenstein (sure[secure])
date: 2022-09-19
modified: 2023-03-23
tags:
    - attack.privilege-escalation
    - attack.discovery
    - attack.t1082
    - attack.t1087
    - attack.t1046
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - OriginalFileName: 'winPEAS.exe'
        - Image|endswith:
              - '\winPEASany_ofs.exe'
              - '\winPEASany.exe'
              - '\winPEASx64_ofs.exe'
              - '\winPEASx64.exe'
              - '\winPEASx86_ofs.exe'
              - '\winPEASx86.exe'
    selection_cli_option:
        CommandLine|contains:
            - ' applicationsinfo' # Search installed applications information
            - ' browserinfo' # Search browser information
            - ' eventsinfo' # Display interesting events information
            - ' fileanalysis' # Search specific files that can contains credentials and for regexes inside files
            - ' filesinfo' # Search generic files that can contains credentials
            - ' processinfo' # Search processes information
            - ' servicesinfo' # Search services information
            - ' windowscreds' # Search windows credentials
    selection_cli_dl:
        CommandLine|contains: 'https://github.com/carlospolop/PEASS-ng/releases/latest/download/'
    selection_cli_specific:
        - ParentCommandLine|endswith: ' -linpeas'
        - CommandLine|endswith: ' -linpeas'
    condition: 1 of selection_*
falsepositives:
    - Unlikely
level: high
high
OpenCanary - Host Port Scan (SYN Scan)
Detects instances where an OpenCanary node has been targeted by a SYN port scan.
status experimental author Marco Pedrinazzi (@pedrinazziM) id 974be8d2-283e-4033-ab08-7505b84204d0
view Sigma YAML 
title: OpenCanary - Host Port Scan (SYN Scan)
id: 974be8d2-283e-4033-ab08-7505b84204d0
status: experimental
description: Detects instances where an OpenCanary node has been targeted by a SYN port scan.
references:
    - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
    - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
author: Marco Pedrinazzi (@pedrinazziM)
date: 2026-01-06
tags:
    - attack.discovery
    - attack.t1046
logsource:
    category: application
    product: opencanary
detection:
    selection:
        logtype: 5001
    condition: selection
falsepositives:
    - Unlikely
level: high
high
OpenCanary - NMAP FIN Scan
Detects instances where an OpenCanary node has been targeted by a NMAP FIN Scan
status experimental author Marco Pedrinazzi (@pedrinazziM) id eae8c0c8-e5da-450a-9d7d-66aa56cd26b6
view Sigma YAML 
title: OpenCanary - NMAP FIN Scan
id: eae8c0c8-e5da-450a-9d7d-66aa56cd26b6
status: experimental
description: Detects instances where an OpenCanary node has been targeted by a NMAP FIN Scan
references:
    - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
    - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
author: Marco Pedrinazzi (@pedrinazziM)
date: 2026-01-06
tags:
    - attack.discovery
    - attack.t1046
logsource:
    category: application
    product: opencanary
detection:
    selection:
        logtype: 5005
    condition: selection
falsepositives:
    - Unlikely
level: high
high
OpenCanary - NMAP NULL Scan
Detects instances where an OpenCanary node has been targeted by a NMAP NULL Scan
status experimental author Marco Pedrinazzi (@pedrinazziM) id 68b8547b-107f-43f3-97fb-900a7d63c190
view Sigma YAML 
title: OpenCanary - NMAP NULL Scan
id: 68b8547b-107f-43f3-97fb-900a7d63c190
status: experimental
description: Detects instances where an OpenCanary node has been targeted by a NMAP NULL Scan
references:
    - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
    - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
author: Marco Pedrinazzi (@pedrinazziM)
date: 2026-01-06
tags:
    - attack.discovery
    - attack.t1046
logsource:
    category: application
    product: opencanary
detection:
    selection:
        logtype: 5003
    condition: selection
falsepositives:
    - Unlikely
level: high
high
OpenCanary - NMAP OS Scan
Detects instances where an OpenCanary node has been targeted by a NMAP OS Scan
status experimental author Marco Pedrinazzi (@pedrinazziM) id e8a677fd-248c-4eab-94df-de2f6f645884
view Sigma YAML 
title: OpenCanary - NMAP OS Scan
id: e8a677fd-248c-4eab-94df-de2f6f645884
status: experimental
description: Detects instances where an OpenCanary node has been targeted by a NMAP OS Scan
references:
    - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
    - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
author: Marco Pedrinazzi (@pedrinazziM)
date: 2026-01-06
tags:
    - attack.discovery
    - attack.t1046
logsource:
    category: application
    product: opencanary
detection:
    selection:
        logtype: 5002
    condition: selection
falsepositives:
    - Unlikely
level: high
high
OpenCanary - NMAP XMAS Scan
Detects instances where an OpenCanary node has been targeted by a NMAP XMAS Scan
status experimental author Marco Pedrinazzi (@pedrinazziM) id d7553d7b-f485-479c-b192-cdac6edd83a4
view Sigma YAML 
title: OpenCanary - NMAP XMAS Scan
id: d7553d7b-f485-479c-b192-cdac6edd83a4
status: experimental
description: Detects instances where an OpenCanary node has been targeted by a NMAP XMAS Scan
references:
    - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
    - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
author: Marco Pedrinazzi (@pedrinazziM)
date: 2026-01-06
tags:
    - attack.discovery
    - attack.t1046
logsource:
    category: application
    product: opencanary
detection:
    selection:
        logtype: 5004
    condition: selection
falsepositives:
    - Unlikely
level: high
medium
Advanced IP Scanner - File Event
Detects the use of Advanced IP Scanner. Seems to be a popular tool for ransomware groups.
status test author @ROxPinTeddy id fed85bf9-e075-4280-9159-fbe8a023d6fa
view Sigma YAML 
title: Advanced IP Scanner - File Event
id: fed85bf9-e075-4280-9159-fbe8a023d6fa
related:
    - id: bef37fa2-f205-4a7b-b484-0759bfd5f86f
      type: derived
status: test
description: Detects the use of Advanced IP Scanner. Seems to be a popular tool for ransomware groups.
references:
    - https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/
    - https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html
    - https://labs.f-secure.com/blog/prelude-to-ransomware-systembc
    - https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf
    - https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer
author: '@ROxPinTeddy'
date: 2020-05-12
modified: 2022-11-29
tags:
    - attack.discovery
    - attack.t1046
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|contains: '\AppData\Local\Temp\Advanced IP Scanner 2'
    condition: selection
falsepositives:
    - Legitimate administrative use
level: medium
regression_tests_path: regression_data/rules/windows/file/file_event/file_event_win_advanced_ip_scanner/info.yml
medium
PUA - Advanced IP Scanner Execution
Detects the use of Advanced IP Scanner. Seems to be a popular tool for ransomware groups.
status test author Nasreddine Bencherchali (Nextron Systems), @ROxPinTeddy id bef37fa2-f205-4a7b-b484-0759bfd5f86f
view Sigma YAML 
title: PUA - Advanced IP Scanner Execution
id: bef37fa2-f205-4a7b-b484-0759bfd5f86f
status: test
description: Detects the use of Advanced IP Scanner. Seems to be a popular tool for ransomware groups.
references:
    - https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/
    - https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html
    - https://labs.f-secure.com/blog/prelude-to-ransomware-systembc
    - https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf
    - https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer
    - https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Other/Advanced%20IP%20Scanner
author: Nasreddine Bencherchali (Nextron Systems), @ROxPinTeddy
date: 2020-05-12
modified: 2023-02-07
tags:
    - attack.discovery
    - attack.t1046
    - attack.t1135
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|contains: '\advanced_ip_scanner' # Covers also advanced_ip_scanner_console.exe
        - OriginalFileName|contains: 'advanced_ip_scanner' # Covers also advanced_ip_scanner_console.exe
        - Description|contains: 'Advanced IP Scanner'
    selection_cli:
        CommandLine|contains|all:
            - '/portable'
            - '/lng'
    condition: 1 of selection_*
falsepositives:
    - Legitimate administrative use
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_pua_advanced_ip_scanner/info.yml
medium
PUA - Advanced Port Scanner Execution
Detects the use of Advanced Port Scanner.
status test author Nasreddine Bencherchali (Nextron Systems) id 54773c5f-f1cc-4703-9126-2f797d96a69d
view Sigma YAML 
title: PUA - Advanced Port Scanner Execution
id: 54773c5f-f1cc-4703-9126-2f797d96a69d
status: test
description: Detects the use of Advanced Port Scanner.
references:
    - https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Other/Advanced%20Port%20Scanner
author: Nasreddine Bencherchali (Nextron Systems)
date: 2021-12-18
modified: 2023-02-07
tags:
    - attack.discovery
    - attack.t1046
    - attack.t1135
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|contains: '\advanced_port_scanner'
        - OriginalFileName|contains: 'advanced_port_scanner' # Covers also advanced_port_scanner_console.exe
        - Description|contains: 'Advanced Port Scanner'
    selection_cli:
        CommandLine|contains|all:
            - '/portable'
            - '/lng'
    condition: 1 of selection_*
falsepositives:
    - Legitimate administrative use
    - Tools with similar commandline (very rare)
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_pua_advanced_port_scanner/info.yml
medium
PUA - NimScan Execution
Detects usage of NimScan, a portscanner utility. In early 2025, adversaries were observed using this utility to scan for open ports on remote hosts in a compromised environment. This rule identifies the execution of NimScan based on the process image name and specific hash values associated with different versions of the tool.
status test author Swachchhanda Shrawan Poudel (Nextron Systems) id 4fd6b1c7-19b8-4488-97f6-00f0924991a3
view Sigma YAML 
title: PUA - NimScan Execution
id: 4fd6b1c7-19b8-4488-97f6-00f0924991a3
status: test
description: |
    Detects usage of NimScan, a portscanner utility.
    In early 2025, adversaries were observed using this utility to scan for open ports on remote hosts in a compromised environment.
    This rule identifies the execution of NimScan based on the process image name and specific hash values associated with different versions of the tool.
references:
    - https://x.com/cyberfeeddigest/status/1887041526397587859
    - https://github.com/elddy/NimScan
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-02-05
tags:
    - attack.discovery
    - attack.t1046
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '\NimScan.exe' # Other metadata fields such as originalfilename and product were omitted because they were null
        - Hashes|contains:
              - 'IMPHASH=41BB1C7571B3A724EB83A1D2B96DBB8C' # v1.0.8
              - 'IMPHASH=B1B6ADACB172795480179EFD18A29549' # v1.0.6
              - 'IMPHASH=0D1F896DC7642AD8384F9042F30279C2' # v1.0.4 and v1.0.2
    condition: selection
falsepositives:
    - Legitimate administrator activity
level: medium
medium
PUA - Nmap/Zenmap Execution
Detects usage of namp/zenmap. Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation
status test author frack113 id f6ecd1cf-19b8-4488-97f6-00f0924991a3
view Sigma YAML 
title: PUA - Nmap/Zenmap Execution
id: f6ecd1cf-19b8-4488-97f6-00f0924991a3
status: test
description: Detects usage of namp/zenmap. Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation
references:
    - https://nmap.org/
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-3---port-scan-nmap-for-windows
author: frack113
date: 2021-12-10
modified: 2023-12-11
tags:
    - attack.discovery
    - attack.t1046
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith:
              - '\nmap.exe'
              - '\zennmap.exe'
        - OriginalFileName:
              - 'nmap.exe'
              - 'zennmap.exe'
    condition: selection
falsepositives:
    - Legitimate administrator activity
level: medium
medium
PUA - SoftPerfect Netscan Execution
Detects usage of SoftPerfect's "netscan.exe". An application for scanning networks. It is actively used in-the-wild by threat actors to inspect and understand the network architecture of a victim.
status test author @d4ns4n_ (Wuerth-Phoenix) id ca387a8e-1c84-4da3-9993-028b45342d30
view Sigma YAML 
title: PUA - SoftPerfect Netscan Execution
id: ca387a8e-1c84-4da3-9993-028b45342d30
status: test
description: |
    Detects usage of SoftPerfect's "netscan.exe". An application for scanning networks.
    It is actively used in-the-wild by threat actors to inspect and understand the network architecture of a victim.
references:
    - https://www.protect.airbus.com/blog/uncovering-cyber-intruders-netscan/
    - https://secjoes-reports.s3.eu-central-1.amazonaws.com/Sockbot%2Bin%2BGoLand.pdf
    - https://www.sentinelone.com/labs/black-basta-ransomware-attacks-deploy-custom-edr-evasion-tools-tied-to-fin7-threat-actor/
    - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/yanluowang-ransomware-attacks-continue
    - https://research.nccgroup.com/2022/07/13/climbing-mount-everest-black-byte-bytes-back/
    - https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-hive-ransomware/
    - https://www.softperfect.com/products/networkscanner/
author: '@d4ns4n_ (Wuerth-Phoenix)'
date: 2024-04-25
tags:
    - attack.discovery
    - attack.t1046
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '\netscan.exe'
        - Product: 'Network Scanner'
        - Description: 'Application for scanning networks'
    condition: selection
falsepositives:
    - Legitimate administrator activity
level: medium
medium
Pnscan Binary Data Transmission Activity
Detects command line patterns associated with the use of Pnscan for sending and receiving binary data across the network. This behavior has been identified in a Linux malware campaign targeting Docker, Apache Hadoop, Redis, and Confluence and was previously used by the threat actor known as TeamTNT
status test author David Burkett (@signalblur) id 97de11cd-4b67-4abf-9a8b-1020e670aa9e
view Sigma YAML 
title: Pnscan Binary Data Transmission Activity
id: 97de11cd-4b67-4abf-9a8b-1020e670aa9e
status: test
description: |
    Detects command line patterns associated with the use of Pnscan for sending and receiving binary data across the network.
    This behavior has been identified in a Linux malware campaign targeting Docker, Apache Hadoop, Redis, and Confluence and was previously used by the threat actor known as TeamTNT
author: David Burkett (@signalblur)
date: 2024-04-16
references:
    - https://www.cadosecurity.com/blog/spinning-yarn-a-new-linux-malware-campaign-targets-docker-apache-hadoop-redis-and-confluence
    - https://intezer.com/wp-content/uploads/2021/09/TeamTNT-Cryptomining-Explosion.pdf
    - https://regex101.com/r/RugQYK/1
    - https://www.virustotal.com/gui/file/beddf70a7bab805f0c0b69ac0989db6755949f9f68525c08cb874988353f78a9/content
tags:
    - attack.discovery
    - attack.t1046
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        CommandLine|re: -(W|R)\s?(\s|"|')([0-9a-fA-F]{2}\s?){2,20}(\s|"|')
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
Python Initiated Connection
Detects a Python process initiating a network connection. While this often relates to package installation, it can also indicate a potential malicious script communicating with a C&C server.
status test author frack113 id bef0bc5a-b9ae-425d-85c6-7b2d705980c6
view Sigma YAML 
title: Python Initiated Connection
id: bef0bc5a-b9ae-425d-85c6-7b2d705980c6
status: test
description: Detects a Python process initiating a network connection. While this often relates to package installation, it can also indicate a potential malicious script communicating with a C&C server.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-4---port-scan-using-python
    - https://pypi.org/project/scapy/
author: frack113
date: 2021-12-10
modified: 2025-03-05
tags:
    - attack.discovery
    - attack.t1046
logsource:
    category: network_connection
    product: windows
    definition: 'Requirements: Field enrichment is required for the filters to work. As field such as CommandLine and ParentImage are not available by default on this event type'
detection:
    selection:
        Initiated: 'true'
        Image|contains|all:
            - '\python'
            - '.exe'
    filter_optional_conda:
        # Related to anaconda updates. Command example: "conda update conda"
        # This filter will only work with aurora agent enriched data as Sysmon EID 3 doesn't contain CommandLine nor ParentImage
        ParentImage: C:\ProgramData\Anaconda3\Scripts\conda.exe
        CommandLine|contains|all:
            - ':\ProgramData\Anaconda3\Scripts\conda-script.py'
            - 'update'
    filter_optional_conda_jupyter_notebook:
        # Related to anaconda opening an instance of Jupyter Notebook
        # This filter will only work with aurora agent enriched data as Sysmon EID 3 doesn't contain CommandLine nor ParentImage
        ParentImage: C:\ProgramData\Anaconda3\python.exe
        CommandLine|contains: 'C:\ProgramData\Anaconda3\Scripts\jupyter-notebook-script.py'
    filter_main_local_communication:
        # This could be caused when launching an instance of Jupyter Notebook locally for example but can also be caused by other instances of python opening sockets locally etc. So comment this out if you want to monitor for those instances
        DestinationIp: 127.0.0.1
        SourceIp: 127.0.0.1
    filter_main_pip:
        CommandLine|contains|all:
            - 'pip.exe'
            - 'install'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Legitimate python scripts using the socket library or similar will trigger this. Apply additional filters and perform an initial baseline before deploying.
level: medium
low
Linux Network Service Scanning - Auditd
Detects enumeration of local or remote network services.
status test author Alejandro Ortuno, oscd.community id 3761e026-f259-44e6-8826-719ed8079408
view Sigma YAML 
title: Linux Network Service Scanning - Auditd
id: 3761e026-f259-44e6-8826-719ed8079408
related:
    - id: 3e102cd9-a70d-4a7a-9508-403963092f31
      type: derived
status: test
description: Detects enumeration of local or remote network services.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md
author: Alejandro Ortuno, oscd.community
date: 2020-10-21
modified: 2023-09-26
tags:
    - attack.discovery
    - attack.t1046
logsource:
    product: linux
    service: auditd
    definition: 'Configure these rules https://github.com/Neo23x0/auditd/blob/e181243a7c708e9d579557d6f80e0ed3d3483b89/audit.rules#L182-L183'
detection:
    selection:
        type: 'SYSCALL'
        exe|endswith:
            - '/telnet'
            - '/nmap'
            - '/netcat'
            - '/nc'
            - '/ncat'
            - '/nc.openbsd'
        key: 'network_connect_4'
    condition: selection
falsepositives:
    - Legitimate administration activities
level: low
low
Linux Network Service Scanning Tools Execution
Detects execution of network scanning and reconnaisance tools. These tools can be used for the enumeration of local or remote network services for example.
status test author Alejandro Ortuno, oscd.community, Georg Lauenstein (sure[secure]) id 3e102cd9-a70d-4a7a-9508-403963092f31
view Sigma YAML 
title: Linux Network Service Scanning Tools Execution
id: 3e102cd9-a70d-4a7a-9508-403963092f31
status: test
description: Detects execution of network scanning and reconnaisance tools. These tools can be used for the enumeration of local or remote network services for example.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md
    - https://github.com/projectdiscovery/naabu
    - https://github.com/Tib3rius/AutoRecon
author: Alejandro Ortuno, oscd.community, Georg Lauenstein (sure[secure])
date: 2020-10-21
modified: 2024-09-19
tags:
    - attack.discovery
    - attack.t1046
logsource:
    category: process_creation
    product: linux
detection:
    selection_netcat:
        Image|endswith:
            - '/nc'
            - '/ncat'
            - '/netcat'
            - '/socat'
    selection_network_scanning_tools:
        Image|endswith:
            - '/autorecon'
            - '/hping'
            - '/hping2'
            - '/hping3'
            - '/naabu'
            - '/nmap'
            - '/nping'
            - '/telnet' # could be wget, curl, ssh, many things. basically everything that is able to do network connection. consider fine tuning
            - '/zenmap'
    filter_main_netcat_listen_flag:
        CommandLine|contains:
            - ' --listen '
            - ' -l '
    condition: (selection_netcat and not filter_main_netcat_listen_flag) or selection_network_scanning_tools
falsepositives:
    - Legitimate administration activities
level: low
low
MacOS Network Service Scanning
Detects enumeration of local or remote network services.
status test author Alejandro Ortuno, oscd.community id 84bae5d4-b518-4ae0-b331-6d4afd34d00f
view Sigma YAML 
title: MacOS Network Service Scanning
id: 84bae5d4-b518-4ae0-b331-6d4afd34d00f
status: test
description: Detects enumeration of local or remote network services.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md
author: Alejandro Ortuno, oscd.community
date: 2020-10-21
modified: 2021-11-27
tags:
    - attack.discovery
    - attack.t1046
logsource:
    category: process_creation
    product: macos
detection:
    selection_1:
        Image|endswith:
            - '/nc'
            - '/netcat'
    selection_2:
        Image|endswith:
            - '/nmap'
            - '/telnet'
    filter:
        CommandLine|contains: 'l'
    condition: (selection_1 and not filter) or selection_2
falsepositives:
    - Legitimate administration activities
level: low
Showing 1-19 of 19
Prev 1 Next
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin