Home/Sigma rules
Sigma

Sigma detection rules

8 rules indexed · SIEM-agnostic detection content
Sigma is the open generic signature format for SIEM systems. Each rule below converts to native syntax for Splunk, Elastic, Sentinel, and other SIEMs. Expand any rule to see its raw YAML.
Severity critical high medium low all severities

Detection rules

8 shown of 8
high
Interactive AT Job
Detects an interactive AT job, which may be used as a form of privilege escalation.
status test author E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community id 60fc936d-2eb0-4543-8a13-911c750a1dfc
view Sigma YAML 
title: Interactive AT Job
id: 60fc936d-2eb0-4543-8a13-911c750a1dfc
status: test
description: Detects an interactive AT job, which may be used as a form of privilege escalation.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.002/T1053.002.md
    - https://eqllib.readthedocs.io/en/latest/analytics/d8db43cf-ed52-4f5c-9fb3-c9a4b95a0b56.html
author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
date: 2019-10-24
modified: 2021-11-27
tags:
    - attack.persistence
    - attack.execution
    - attack.privilege-escalation
    - attack.t1053.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\at.exe'
        CommandLine|contains: 'interactive'
    condition: selection
falsepositives:
    - Unlikely (at.exe deprecated as of Windows 8)
level: high
simulation:
    - type: atomic-red-team
      name: At.exe Scheduled task
      technique: T1053.002
      atomic_guid: 4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8
high
Remote Schedule Task Lateral Movement via ATSvc
Detects remote RPC calls to create or execute a scheduled task via ATSvc
status test author Sagie Dulce, Dekel Paz id 0fcd1c79-4eeb-4746-aba9-1b458f7a79cb
view Sigma YAML 
title: Remote Schedule Task Lateral Movement via ATSvc
id: 0fcd1c79-4eeb-4746-aba9-1b458f7a79cb
status: test
description: Detects remote RPC calls to create or execute a scheduled task via ATSvc
references:
    - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931
    - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md
    - https://github.com/zeronetworks/rpcfirewall
    - https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/
author: Sagie Dulce, Dekel Paz
date: 2022-01-01
tags:
    - attack.privilege-escalation
    - attack.lateral-movement
    - attack.execution
    - attack.persistence
    - attack.t1053
    - attack.t1053.002
logsource:
    product: rpc_firewall
    category: application
    definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:1ff70682-0a51-30e8-076d-740be8cee98b"'
detection:
    selection:
        EventLog: RPCFW
        EventID: 3
        InterfaceUuid: 1ff70682-0a51-30e8-076d-740be8cee98b
        OpNum:
            - 0
            - 1
    condition: selection
falsepositives:
    - Unknown
level: high
high
Remote Schedule Task Lateral Movement via ITaskSchedulerService
Detects remote RPC calls to create or execute a scheduled task
status test author Sagie Dulce, Dekel Paz id ace3ff54-e7fd-46bd-8ea0-74b49a0aca1d
view Sigma YAML 
title: Remote Schedule Task Lateral Movement via ITaskSchedulerService
id: ace3ff54-e7fd-46bd-8ea0-74b49a0aca1d
status: test
description: Detects remote RPC calls to create or execute a scheduled task
references:
    - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931
    - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md
    - https://github.com/zeronetworks/rpcfirewall
    - https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/
author: Sagie Dulce, Dekel Paz
date: 2022-01-01
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.lateral-movement
    - attack.t1053
    - attack.t1053.002
logsource:
    product: rpc_firewall
    category: application
    definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:86d35949-83c9-4044-b424-db363231fd0c"'
detection:
    selection:
        EventLog: RPCFW
        EventID: 3
        InterfaceUuid: 86d35949-83c9-4044-b424-db363231fd0c
        OpNum:
            - 1
            - 3
            - 4
            - 10
            - 11
            - 12
            - 13
            - 14
            - 15
    condition: selection
falsepositives:
    - Unknown
level: high
high
Remote Schedule Task Lateral Movement via SASec
Detects remote RPC calls to create or execute a scheduled task via SASec
status test author Sagie Dulce, Dekel Paz id aff229ab-f8cd-447b-b215-084d11e79eb0
view Sigma YAML 
title: Remote Schedule Task Lateral Movement via SASec
id: aff229ab-f8cd-447b-b215-084d11e79eb0
status: test
description: Detects remote RPC calls to create or execute a scheduled task via SASec
references:
    - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931
    - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md
    - https://github.com/zeronetworks/rpcfirewall
    - https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/
author: Sagie Dulce, Dekel Paz
date: 2022-01-01
tags:
    - attack.privilege-escalation
    - attack.lateral-movement
    - attack.execution
    - attack.persistence
    - attack.t1053
    - attack.t1053.002
logsource:
    product: rpc_firewall
    category: application
    definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:378e52b0-c0a9-11cf-822d-00aa0051e40f"'
detection:
    selection:
        EventLog: RPCFW
        EventID: 3
        InterfaceUuid: 378e52b0-c0a9-11cf-822d-00aa0051e40f
        OpNum:
            - 0
            - 1
    condition: selection
falsepositives:
    - Unknown
level: high
medium
MITRE BZAR Indicators for Execution
Windows DCE-RPC functions which indicate an execution techniques on the remote system. All credit for the Zeek mapping of the suspicious endpoint/operation field goes to MITRE
status test author @neu5ron, SOC Prime id b640c0b8-87f8-4daa-aef8-95a24261dd1d
view Sigma YAML 
title: MITRE BZAR Indicators for Execution
id: b640c0b8-87f8-4daa-aef8-95a24261dd1d
status: test
description: 'Windows DCE-RPC functions which indicate an execution techniques on the remote system. All credit for the Zeek mapping of the suspicious endpoint/operation field goes to MITRE'
references:
    - https://github.com/mitre-attack/bzar#indicators-for-attck-execution
author: '@neu5ron, SOC Prime'
date: 2020-03-19
modified: 2021-11-27
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.t1047
    - attack.t1053.002
    - attack.t1569.002
logsource:
    product: zeek
    service: dce_rpc
detection:
    op1:
        endpoint: 'JobAdd'
        operation: 'atsvc'
    op2:
        endpoint: 'ITaskSchedulerService'
        operation: 'SchRpcEnableTask'
    op3:
        endpoint: 'ITaskSchedulerService'
        operation: 'SchRpcRegisterTask'
    op4:
        endpoint: 'ITaskSchedulerService'
        operation: 'SchRpcRun'
    op5:
        endpoint: 'IWbemServices'
        operation: 'ExecMethod'
    op6:
        endpoint: 'IWbemServices'
        operation: 'ExecMethodAsync'
    op7:
        endpoint: 'svcctl'
        operation: 'CreateServiceA'
    op8:
        endpoint: 'svcctl'
        operation: 'CreateServiceW'
    op9:
        endpoint: 'svcctl'
        operation: 'StartServiceA'
    op10:
        endpoint: 'svcctl'
        operation: 'StartServiceW'
    condition: 1 of op*
falsepositives:
    - Windows administrator tasks or troubleshooting
    - Windows management scripts or software
level: medium
medium
Remote Task Creation via ATSVC Named Pipe
Detects remote task creation via at.exe or API interacting with ATSVC namedpipe
status test author Samir Bousseaden id f6de6525-4509-495a-8a82-1f8b0ed73a00
view Sigma YAML 
title: Remote Task Creation via ATSVC Named Pipe
id: f6de6525-4509-495a-8a82-1f8b0ed73a00
status: test
description: Detects remote task creation via at.exe or API interacting with ATSVC namedpipe
references:
    - https://web.archive.org/web/20230409194125/https://blog.menasec.net/2019/03/threat-hunting-25-scheduled-tasks-for.html
author: Samir Bousseaden
date: 2019-04-03
modified: 2024-08-01
tags:
    - attack.privilege-escalation
    - attack.execution
    - attack.lateral-movement
    - attack.persistence
    - car.2013-05-004
    - car.2015-04-001
    - attack.t1053.002
logsource:
    product: windows
    service: security
    definition: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure'
detection:
    selection:
        EventID: 5145
        ShareName: '\\\\\*\\IPC$' # looking for the string \\*\IPC$
        RelativeTargetName: atsvc
        AccessList|contains: 'WriteData'
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
Remote Task Creation via ATSVC Named Pipe - Zeek
Detects remote task creation via at.exe or API interacting with ATSVC namedpipe
status test author Samir Bousseaden, @neu5rn id dde85b37-40cd-4a94-b00c-0b8794f956b5
view Sigma YAML 
title: Remote Task Creation via ATSVC Named Pipe - Zeek
id: dde85b37-40cd-4a94-b00c-0b8794f956b5
related:
    - id: f6de6525-4509-495a-8a82-1f8b0ed73a00
      type: derived
status: test
description: Detects remote task creation via at.exe or API interacting with ATSVC namedpipe
references:
    - https://web.archive.org/web/20230409194125/https://blog.menasec.net/2019/03/threat-hunting-25-scheduled-tasks-for.html
author: 'Samir Bousseaden, @neu5rn'
date: 2020-04-03
modified: 2022-12-27
tags:
    - attack.privilege-escalation
    - attack.execution
    - attack.lateral-movement
    - attack.persistence
    - car.2013-05-004
    - car.2015-04-001
    - attack.t1053.002
logsource:
    product: zeek
    service: smb_files
detection:
    selection:
        path: '\\\*\IPC$'
        name: 'atsvc'
        # Accesses: '*WriteData*'
    condition: selection
falsepositives:
    - Unknown
level: medium
low
Scheduled Task/Job At
Detects the use of at/atd which are utilities that are used to schedule tasks. They are often abused by adversaries to maintain persistence or to perform task scheduling for initial or recurring execution of malicious code
status stable author Ömer Günal, oscd.community id d2d642d7-b393-43fe-bae4-e81ed5915c4b
view Sigma YAML 
title: Scheduled Task/Job At
id: d2d642d7-b393-43fe-bae4-e81ed5915c4b
status: stable
description: |
  Detects the use of at/atd which are utilities that are used to schedule tasks.
  They are often abused by adversaries to maintain persistence or to perform task scheduling for initial or recurring execution of malicious code
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.002/T1053.002.md
author: Ömer Günal, oscd.community
date: 2020-10-06
modified: 2022-07-07
tags:
    - attack.privilege-escalation
    - attack.execution
    - attack.persistence
    - attack.t1053.002
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        Image|endswith:
            - '/at'
            - '/atd'
    condition: selection
falsepositives:
    - Legitimate administration activities
level: low
Showing 1-8 of 8
Prev 1 Next
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin