Sigma is the open generic signature format for SIEM systems. Each rule below converts to native syntax for Splunk, Elastic, Sentinel, and other SIEMs. Each rule's raw YAML is shown below its summary.
Suspicious WebDav Client Execution Via Rundll32.EXE
Detects "svchost.exe" spawning "rundll32.exe" with command arguments like C:\windows\system32\davclnt.dll,DavSetCookie. This could be an indicator of exfiltration or use of WebDav to launch code (hosted on WebDav Server) or potentially a sign of exploitation of CVE-2023-23397
title: Suspicious WebDav Client Execution Via Rundll32.EXE
id: 982e9f2d-1a85-4d5b-aea4-31f5e97c6555
status: test
description: |
    Detects "svchost.exe" spawning "rundll32.exe" with command arguments like C:\windows\system32\davclnt.dll,DavSetCookie. This could be an indicator of exfiltration or use of WebDav to launch code (hosted on WebDav Server) or potentially a sign of exploitation of CVE-2023-23397
references:
    - https://twitter.com/aceresponder/status/1636116096506818562
    - https://www.mdsec.co.uk/2023/03/exploiting-cve-2023-23397-microsoft-outlook-elevation-of-privilege-vulnerability/
    - https://www.pwndefend.com/2023/03/15/the-long-game-persistent-hash-theft/
    - https://www.microsoft.com/en-us/security/blog/wp-content/uploads/2023/03/Figure-7-sample-webdav-process-create-event.png
    - https://www.microsoft.com/en-us/security/blog/2023/03/24/guidance-for-investigating-attacks-using-cve-2023-23397/
author: Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)
date: 2023-03-16
modified: 2023-09-18
tags:
    - attack.exfiltration
    - attack.t1048.003
    - cve.2023-23397
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\svchost.exe'
        ParentCommandLine|contains: '-s WebClient'
        Image|endswith: '\rundll32.exe'
        CommandLine|contains: 'C:\windows\system32\davclnt.dll,DavSetCookie'
        CommandLine|re: '://\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}'
    filter_local_ips:
        CommandLine|contains:
            - '://10.' # 10.0.0.0/8
            - '://192.168.' # 192.168.0.0/16
            - '://172.16.' # 172.16.0.0/12
            - '://172.17.'
            - '://172.18.'
            - '://172.19.'
            - '://172.20.'
            - '://172.21.'
            - '://172.22.'
            - '://172.23.'
            - '://172.24.'
            - '://172.25.'
            - '://172.26.'
            - '://172.27.'
            - '://172.28.'
            - '://172.29.'
            - '://172.30.'
            - '://172.31.'
            - '://127.' # 127.0.0.0/8
            - '://169.254.' # 169.254.0.0/16
    condition: selection and not 1 of filter_*
falsepositives:
    - Unknown
level: high
Data Exfiltration with Wget
Detects attempts to post a file using the wget utility.
An adversary can bypass permission restrictions through a misconfigured sudo rule for the wget utility, which could allow them to read files such as /etc/shadow.
Level: medium | Status: test | Author: Pawel Mazur | ID: cb39d16b-b3b6-4a7a-8222-1cf24b686ffc
title: Data Exfiltration with Wget
id: cb39d16b-b3b6-4a7a-8222-1cf24b686ffc
status: test
description: |
    Detects attempts to post the file with the usage of wget utility.
    The adversary can bypass the permission restriction with the misconfigured sudo permission for wget utility which could allow them to read files like /etc/shadow.
references:
    - https://linux.die.net/man/1/wget
    - https://gtfobins.github.io/gtfobins/wget/
author: 'Pawel Mazur'
date: 2021-11-18
modified: 2022-12-25
tags:
    - attack.exfiltration
    - attack.t1048.003
logsource:
    product: linux
    service: auditd
detection:
    selection:
        type: EXECVE
        a0: wget
        a1|startswith: '--post-file='
    condition: selection
falsepositives:
    - Legitimate usage of wget utility to post a file
level: medium
PowerShell ICMP Exfiltration
Detects Exfiltration Over Alternative Protocol - ICMP. Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.
Level: medium | Status: test | Author: Bartlomiej Czyz @bczyz1, oscd.community | ID: 4c4af3cd-2115-479c-8193-6b8bfce9001c
title: PowerShell ICMP Exfiltration
id: 4c4af3cd-2115-479c-8193-6b8bfce9001c
status: test
description: Detects Exfiltration Over Alternative Protocol - ICMP. Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048.003/T1048.003.md#atomic-test-2---exfiltration-over-alternative-protocol---icmp
author: 'Bartlomiej Czyz @bczyz1, oscd.community'
date: 2020-10-10
modified: 2022-12-25
tags:
    - attack.exfiltration
    - attack.t1048.003
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains|all:
            - 'New-Object'
            - 'System.Net.NetworkInformation.Ping'
            - '.Send('
    condition: selection
falsepositives:
    - Legitimate usage of System.Net.NetworkInformation.Ping class
level: medium
Python WebServer Execution - Linux
Detects the execution of Python web servers via command line interface (CLI).
After gaining access to target systems, adversaries may use Python's built-in HTTP server modules to quickly establish a web server without requiring additional software.
This technique is commonly used in post-exploitation scenarios as it provides a simple method for transferring files between the compromised host and attacker-controlled systems.
Level: medium | Status: experimental | Author: Mohamed LAKRI | ID: 3f0f5957-04f8-4792-ad89-192b0303bde6
title: Python WebServer Execution - Linux
id: 3f0f5957-04f8-4792-ad89-192b0303bde6
status: experimental
description: |
    Detects the execution of Python web servers via command line interface (CLI).
    After gaining access to target systems, adversaries may use Python's built-in HTTP server modules to quickly establish a web server without requiring additional software.
    This technique is commonly used in post-exploitation scenarios as it provides a simple method for transferring files between the compromised host and attacker-controlled systems.
references:
    - https://www.atomicredteam.io/atomic-red-team/atomics/T1048.003#atomic-test-8---python3-httpserver
    - https://docs.python.org/3/library/http.server.html
    - https://docs.python.org/2/library/simplehttpserver.html
author: Mohamed LAKRI
date: 2025-10-17
tags:
    - attack.exfiltration
    - attack.t1048.003
logsource:
    product: linux
    category: process_creation
detection:
    selection_img:
        - Image|endswith:
              - '/python'
              - '/python2'
              - '/python3'
        - Image|contains:
              - '/python2.' # python image is always of the form ../python3.10; ../python is just a symlink
              - '/python3.'
    selection_module:
        CommandLine|contains:
            - 'http.server'
            - 'SimpleHTTPServer'
    condition: all of selection_*
falsepositives:
    - Testing or development activity
level: medium
Suspicious DNS Query with B64 Encoded String
Detects suspicious DNS queries using base64 encoding
Level: medium | Status: test | Author: Florian Roth (Nextron Systems) | ID: 4153a907-2451-4e4f-a578-c52bb6881432
title: Suspicious DNS Query with B64 Encoded String
id: 4153a907-2451-4e4f-a578-c52bb6881432
status: test
description: Detects suspicious DNS queries using base64 encoding
references:
    - https://github.com/krmaxwell/dns-exfiltration
author: Florian Roth (Nextron Systems)
date: 2018-05-10
modified: 2022-10-09
tags:
    - attack.exfiltration
    - attack.t1048.003
    - attack.command-and-control
    - attack.t1071.004
logsource:
    category: dns
detection:
    selection:
        query|contains: '==.'
    condition: selection
falsepositives:
    - Unknown
level: medium
Suspicious Outbound SMTP Connections
Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.
The data may also be sent to an alternate network location from the main command and control server.
Level: medium | Status: test | Author: frack113 | ID: 9976fa64-2804-423c-8a5b-646ade840773
title: Suspicious Outbound SMTP Connections
id: 9976fa64-2804-423c-8a5b-646ade840773
status: test
description: |
    Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.
    The data may also be sent to an alternate network location from the main command and control server.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048.003/T1048.003.md#atomic-test-5---exfiltration-over-alternative-protocol---smtp
    - https://www.ietf.org/rfc/rfc2821.txt
author: frack113
date: 2022-01-07
modified: 2022-09-21
tags:
    - attack.exfiltration
    - attack.t1048.003
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        DestinationPort:
            - 25
            - 587
            - 465
            - 2525
        Initiated: 'true'
    filter_clients:
        Image|endswith:
            - \thunderbird.exe
            - \outlook.exe
    filter_mailserver:
        Image|startswith: 'C:\Program Files\Microsoft\Exchange Server\'
    filter_outlook:
        Image|startswith: 'C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_'
        Image|endswith: '\HxTsr.exe'
    condition: selection and not 1 of filter_*
falsepositives:
    - Other SMTP tools
level: medium
WebDav Client Execution Via Rundll32.EXE
Detects "svchost.exe" spawning "rundll32.exe" with command arguments like "C:\windows\system32\davclnt.dll,DavSetCookie".
This could be an indicator of exfiltration or use of WebDav to launch code (hosted on a WebDav server).
Level: medium | Status: test | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | ID: 2dbd9d3d-9e27-42a8-b8df-f13825c6c3d5
title: WebDav Client Execution Via Rundll32.EXE
id: 2dbd9d3d-9e27-42a8-b8df-f13825c6c3d5
status: test
description: |
    Detects "svchost.exe" spawning "rundll32.exe" with command arguments like "C:\windows\system32\davclnt.dll,DavSetCookie".
    This could be an indicator of exfiltration or use of WebDav to launch code (hosted on a WebDav server).
references:
    - https://github.com/OTRF/detection-hackathon-apt29/issues/17
    - https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/7.B.4_C10730EA-6345-4934-AA0F-B0EFCA0C4BA6.md
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-05-02
modified: 2023-09-18
tags:
    - attack.exfiltration
    - attack.t1048.003
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith: '\svchost.exe'
    selection_img:
        - Image|endswith: '\rundll32.exe'
        - OriginalFileName: 'RUNDLL32.EXE'
    selection_cli:
        CommandLine|contains: 'C:\windows\system32\davclnt.dll,DavSetCookie'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
WebDav Put Request
A general detection for the WebDAV user-agent being used to PUT files on a WebDAV network share. This could be an indicator of exfiltration.
Level: low | Status: test | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | ID: 705072a5-bb6f-4ced-95b6-ecfa6602090b
title: WebDav Put Request
id: 705072a5-bb6f-4ced-95b6-ecfa6602090b
status: test
description: A General detection for WebDav user-agent being used to PUT files on a WebDav network share. This could be an indicator of exfiltration.
references:
    - https://github.com/OTRF/detection-hackathon-apt29/issues/17
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-05-02
modified: 2024-03-13
tags:
    - attack.exfiltration
    - attack.t1048.003
logsource:
    product: zeek
    service: http
detection:
    selection:
        user_agent|contains: 'WebDAV'
        method: 'PUT'
    filter:
        id.resp_h|cidr:
            - '10.0.0.0/8'
            - '127.0.0.0/8'
            - '172.16.0.0/12'
            - '192.168.0.0/16'
            - '169.254.0.0/16'
    condition: selection and not filter
falsepositives:
    - Unknown
level: low