Home/Sigma rules
Sigma

Sigma detection rules

4 rules indexed · SIEM-agnostic detection content
Sigma is the open generic signature format for SIEM systems. Each rule below converts to native syntax for Splunk, Elastic, Sentinel, and other SIEMs. Expand any rule to see its raw YAML.
Severity critical high medium low all severities

Detection rules

4 shown of 4
high
Python One-Liners with Base64 Decoding
Detects Python one-liners that use base64 decoding functions in command line executions. Malicious scripts or attackers often use python one-liners to decode and execute base64-encoded payloads, which is a common technique for obfuscation and evasion.
status experimental author Hugh Ryan (HueCodes), Swachchhanda Shrawan Poudel (Nextron Systems) id 50a0aa3d-ab16-4594-a8aa-5145a6e6792b
view Sigma YAML 
title: Python One-Liners with Base64 Decoding
id: 50a0aa3d-ab16-4594-a8aa-5145a6e6792b
related:
    - id: 55e862a8-dd9c-4651-807a-f21fcad56716
      type: similar
status: experimental
description: |
    Detects Python one-liners that use base64 decoding functions in command line executions.
    Malicious scripts or attackers often use python one-liners to decode and execute base64-encoded payloads, which is a common technique for obfuscation and evasion.
references:
    - https://docs.python.org/3/library/base64.html
    - https://www.virustotal.com/gui/file/bc43e925d7b4b74319f6e74e836a96f1997ba404e14ac566cf12a21e9da463db/behavior
    - https://cloud.google.com/blog/topics/threat-intelligence/cybercriminals-weaponize-fake-ai-websites
author: Hugh Ryan (HueCodes), Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-03-09
tags:
    - attack.execution
    - attack.stealth
    - attack.t1059.006
    - attack.t1027.010
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|contains: '\python'
        - OriginalFileName|contains: 'python'
    selection_cli:
        CommandLine|contains|all:
            - 'import'
            - 'base64'
            - ' -c'
        CommandLine|contains:
            - '.decode'
            - 'b16decode'
            - 'b32decode'
            - 'b32hexdecode'
            - 'b64decode'
            - 'b85decode'
            - 'z85decode'
    condition: all of selection_*
falsepositives:
    - Legitimate use of Python for decoding data, which is uncommon in typical enterprise environments but possible in development or data analysis contexts.
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_python_base64_encoded_execution/info.yml
high
Python One-Liners with Base64 Decoding - Linux
Detects the use of Python's base64 decoding functions in command line executions on Linux systems. Malicious scripts often use python one-liners to decode and execute base64-encoded payloads, which is a common technique for obfuscation and evasion.
status experimental author Hugh Ryan (HueCodes), Swachchhanda Shrawan Poudel (Nextron Systems) id 55e862a8-dd9c-4651-807a-f21fcad56716
view Sigma YAML 
title: Python One-Liners with Base64 Decoding - Linux
id: 55e862a8-dd9c-4651-807a-f21fcad56716
related:
    - id: 50a0aa3d-ab16-4594-a8aa-5145a6e6792b
      type: similar
status: experimental
description: |
    Detects the use of Python's base64 decoding functions in command line executions on Linux systems.
    Malicious scripts often use python one-liners to decode and execute base64-encoded payloads, which is a common technique for obfuscation and evasion.
references:
    - https://docs.python.org/3/library/base64.html
    - https://www.virustotal.com/gui/file/bc43e925d7b4b74319f6e74e836a96f1997ba404e14ac566cf12a21e9da463db/behavior
    - https://cloud.google.com/blog/topics/threat-intelligence/cybercriminals-weaponize-fake-ai-websites
author: Hugh Ryan (HueCodes), Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-03-09
tags:
    - attack.execution
    - attack.stealth
    - attack.t1059.006
    - attack.t1027.010
logsource:
    category: process_creation
    product: linux
detection:
    selection_img:
        Image|contains: '/python'
    selection_cli:
        CommandLine|contains|all:
            - 'import'
            - 'base64'
            - ' -c'
        CommandLine|contains:
            - '.decode'
            - 'b16decode'
            - 'b32decode'
            - 'b32hexdecode'
            - 'b64decode'
            - 'b85decode'
            - 'z85decode'
    condition: all of selection_*
falsepositives:
    - Legitimate use of Python for decoding data, which is uncommon in typical enterprise environments but possible in development or data analysis contexts.
level: high
medium
AppLocker Prevented Application or Script from Running
Detects when AppLocker prevents the execution of an Application, DLL, Script, MSI, or Packaged-App from running.
status test author Pushkarev Dmitry id 401e5d00-b944-11ea-8f9a-00163ecd60ae
view Sigma YAML 
title: AppLocker Prevented Application or Script from Running
id: 401e5d00-b944-11ea-8f9a-00163ecd60ae
status: test
description: |
    Detects when AppLocker prevents the execution of an Application, DLL, Script, MSI, or Packaged-App from running.
references:
    - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/applocker/what-is-applocker
    - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/applocker/using-event-viewer-with-applocker
    - https://nxlog.co/documentation/nxlog-user-guide/applocker.html
author: Pushkarev Dmitry
date: 2020-06-28
modified: 2025-12-03
tags:
    - attack.execution
    - attack.t1204.002
    - attack.t1059.001
    - attack.t1059.003
    - attack.t1059.005
    - attack.t1059.006
    - attack.t1059.007
logsource:
    product: windows
    service: applocker
detection:
    selection:
        EventID:
            - 8004 # EXE and DLL
            - 8007 # MSI and Script
            - 8022 # Packaged app execution
            - 8025 # Packaged app deployment
    condition: selection
falsepositives:
    - Unlikely, since this event notifies about blocked application execution. Tune your applocker rules to avoid blocking legitimate applications.
level: medium
medium
Suspicious File Characteristics Due to Missing Fields
Detects Executables in the Downloads folder without FileVersion,Description,Product,Company likely created with py2exe
status test author Markus Neis, Sander Wiebing id 9637e8a5-7131-4f7f-bdc7-2b05d8670c43
view Sigma YAML 
title: Suspicious File Characteristics Due to Missing Fields
id: 9637e8a5-7131-4f7f-bdc7-2b05d8670c43
status: test
description: Detects Executables in the Downloads folder without FileVersion,Description,Product,Company likely created with py2exe
references:
    - https://securelist.com/muddywater/88059/
    - https://www.virustotal.com/#/file/276a765a10f98cda1a38d3a31e7483585ca3722ecad19d784441293acf1b7beb/detection
author: Markus Neis, Sander Wiebing
date: 2018-11-22
modified: 2022-10-09
tags:
    - attack.execution
    - attack.t1059.006
logsource:
    product: windows
    category: process_creation
detection:
    selection1:
        Description: '\?'
        FileVersion: '\?'
    selection2:
        Description: '\?'
        Product: '\?'
    selection3:
        Description: '\?'
        Company: '\?'
    folder:
        Image|contains: '\Downloads\'
    condition: (selection1 or selection2 or selection3) and folder
falsepositives:
    - Unknown
level: medium
Showing 1-4 of 4
Prev 1 Next
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin