Home/Sigma rules
Sigma

Sigma detection rules

5 rules indexed · SIEM-agnostic detection content
Sigma is the open generic signature format for SIEM systems. Each rule below converts to native syntax for Splunk, Elastic, Sentinel, and other SIEMs. Expand any rule to see its raw YAML.
Severity critical high medium low all severities

Detection rules

5 shown of 5
high
HackTool - PCHunter Execution
Detects suspicious use of PCHunter, a tool like Process Hacker to view and manipulate processes, kernel options and other low level stuff
status test author Florian Roth (Nextron Systems), Nasreddine Bencherchali id fca949cc-79ca-446e-8064-01aa7e52ece5
view Sigma YAML 
title: HackTool - PCHunter Execution
id: fca949cc-79ca-446e-8064-01aa7e52ece5
status: test
description: Detects suspicious use of PCHunter, a tool like Process Hacker to view and manipulate processes, kernel options and other low level stuff
references:
    - https://web.archive.org/web/20231210115125/http://www.xuetr.com/
    - https://www.crowdstrike.com/blog/falcon-overwatch-report-finds-increase-in-ecrime/
    - https://www.hexacorn.com/blog/2018/04/20/kernel-hacking-tool-you-might-have-never-heard-of-xuetr-pchunter/
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali
date: 2022-10-10
modified: 2024-11-23
tags:
    - attack.execution
    - attack.discovery
    - attack.t1082
    - attack.t1057
    - attack.t1012
    - attack.t1083
    - attack.t1007
logsource:
    category: process_creation
    product: windows
detection:
    selection_image:
        Image|endswith:
            - '\PCHunter64.exe'
            - '\PCHunter32.exe'
    selection_pe:
        - OriginalFileName: 'PCHunter.exe'
        - Description: 'Epoolsoft Windows Information View Tools'
    selection_hashes:
        Hashes|contains:
            - 'SHA1=5F1CBC3D99558307BC1250D084FA968521482025'
            - 'MD5=987B65CD9B9F4E9A1AFD8F8B48CF64A7'
            - 'SHA256=2B214BDDAAB130C274DE6204AF6DBA5AEEC7433DA99AA950022FA306421A6D32'
            - 'IMPHASH=444D210CEA1FF8112F256A4997EED7FF'
            - 'SHA1=3FB89787CB97D902780DA080545584D97FB1C2EB'
            - 'MD5=228DD0C2E6287547E26FFBD973A40F14'
            - 'SHA256=55F041BF4E78E9BFA6D4EE68BE40E496CE3A1353E1CA4306598589E19802522C'
            - 'IMPHASH=0479F44DF47CFA2EF1CCC4416A538663'
    condition: 1 of selection_*
falsepositives:
    - Unlikely
level: high
medium
Recon Command Output Piped To Findstr.EXE
Detects the execution of a potential recon command where the results are piped to "findstr". This is meant to trigger on inline calls of "cmd.exe" via the "/c" or "/k" for example. Attackers often time use this technique to extract specific information they require in their reconnaissance phase.
status test author Nasreddine Bencherchali (Nextron Systems), frack113 id ccb5742c-c248-4982-8c5c-5571b9275ad3
view Sigma YAML 
title: Recon Command Output Piped To Findstr.EXE
id: ccb5742c-c248-4982-8c5c-5571b9275ad3
related:
    - id: fe63010f-8823-4864-a96b-a7b4a0f7b929
      type: derived
status: test
description: |
    Detects the execution of a potential recon command where the results are piped to "findstr". This is meant to trigger on inline calls of "cmd.exe" via the "/c" or "/k" for example.
    Attackers often time use this technique to extract specific information they require in their reconnaissance phase.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/02cb591f75064ffe1e0df9ac3ed5972a2e491c97/atomics/T1057/T1057.md#atomic-test-6---discover-specific-process---tasklist
    - https://www.hhs.gov/sites/default/files/manage-engine-vulnerability-sector-alert-tlpclear.pdf
    - https://www.trendmicro.com/en_us/research/22/d/spring4shell-exploited-to-deploy-cryptocurrency-miners.html
author: Nasreddine Bencherchali (Nextron Systems), frack113
date: 2023-07-06
modified: 2025-10-08
tags:
    - attack.discovery
    - attack.t1057
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            # Note: Add additional CLI to increase and enhance coverage
            # Note: We use wildcards in this instance to avoid writing a lot of variations that can be avoided easily. You can switch to regex if its supported by your backend.
            - 'ipconfig*|*find'
            - 'net*|*find'
            - 'netstat*|*find'
            - 'ping*|*find'
            - 'systeminfo*|*find'
            - 'tasklist*|*find'
            - 'whoami*|*find'
    filter_optional_xampp:
        CommandLine|contains|all:
            - 'cmd.exe /c TASKLIST /V |'
            - 'FIND /I'
            - '\xampp\'
            - '\catalina_start.bat'
    condition: selection and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_findstr_recon_pipe_output/info.yml
low
Cisco Discovery
Find information about network devices that is not stored in config files
status test author Austin Clark id 9705a6a1-6db6-4a16-a987-15b7151e299b
view Sigma YAML 
title: Cisco Discovery
id: 9705a6a1-6db6-4a16-a987-15b7151e299b
status: test
description: Find information about network devices that is not stored in config files
references:
    - https://www.cisco.com/c/en/us/td/docs/server_nw_virtual/2-5_release/command_reference/show.html
author: Austin Clark
date: 2019-08-12
modified: 2023-01-04
tags:
    - attack.discovery
    - attack.t1083
    - attack.t1201
    - attack.t1057
    - attack.t1018
    - attack.t1082
    - attack.t1016
    - attack.t1049
    - attack.t1033
    - attack.t1124
logsource:
    product: cisco
    service: aaa
detection:
    keywords:
        - 'dir'
        - 'show arp'
        - 'show cdp'
        - 'show clock'
        - 'show ip interface'
        - 'show ip route'
        - 'show ip sockets'
        - 'show processes'
        - 'show ssh'
        - 'show users'
        - 'show version'
    condition: keywords
falsepositives:
    - Commonly used by administrators for troubleshooting
level: low
low
Suspicious Process Discovery With Get-Process
Get the processes that are running on the local computer.
status test author frack113 id af4c87ce-bdda-4215-b998-15220772e993
view Sigma YAML 
title: Suspicious Process Discovery With Get-Process
id: af4c87ce-bdda-4215-b998-15220772e993
status: test
description: Get the processes that are running on the local computer.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1057/T1057.md#atomic-test-3---process-discovery---get-process
    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-process?view=powershell-7.4
author: frack113
date: 2022-03-17
tags:
    - attack.discovery
    - attack.t1057
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains: Get-Process
    condition: selection
falsepositives:
    - Legitimate PowerShell scripts
level: low
low
System Info Discovery via Sysinfo Syscall
Detects use of the sysinfo system call in Linux, which provides a snapshot of key system statistics such as uptime, load averages, memory usage, and the number of running processes. Malware or reconnaissance tools might leverage sysinfo to fingerprint the system - gathering data to determine if it's a viable target.
status experimental author Milad Cheraghi id b207d563-a1d9-4275-b349-77d1eb55aa6d
view Sigma YAML 
title: System Info Discovery via Sysinfo Syscall
id: b207d563-a1d9-4275-b349-77d1eb55aa6d
status: experimental
description: |
    Detects use of the sysinfo system call in Linux, which provides a snapshot of key system statistics such as uptime, load averages, memory usage, and the number of running processes.
    Malware or reconnaissance tools might leverage sysinfo to fingerprint the system - gathering data to determine if it's a viable target.
references:
    - https://github.com/CheraghiMilad/bypass-Neo23x0-auditd-config/blob/f1c478a37911a5447d5ffcd580f22b167bf3df14/sysinfo-syscall/README.md
    - https://man7.org/linux/man-pages/man2/sysinfo.2.html
author: Milad Cheraghi
date: 2025-05-30
modified: 2025-12-05
tags:
    - attack.discovery
    - attack.t1057
    - attack.t1082
logsource:
    product: linux
    service: auditd
    definition: |
        Required auditd configuration:
        -a always,exit -F arch=b64 -S sysinfo -k discovery_sysinfo_syscall
        -a always,exit -F arch=b32 -S sysinfo -k discovery_sysinfo_syscall
detection:
    selection:
        type: 'SYSCALL'
        SYSCALL: 'sysinfo'
    filter_optional_splunk:
        exe|endswith: '/bin/splunkd'
    condition: selection and not 1 of filter_optional_*
falsepositives:
    - Legitimate administrative activity
level: low
Showing 1-5 of 5
Prev 1 Next
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin