Sigma is the open generic signature format for SIEM systems. Each rule below converts to native syntax for Splunk, Elastic, Sentinel, and other SIEMs. Expand any rule to see its raw YAML.

Severity: high
Prefetch File Deleted
Detects the deletion of a prefetch file, which may indicate an attempt to destroy forensic evidence
Status: test | Author: Cedric MAURUGEON | ID: 0a1f9d29-6465-4776-b091-7f43b26e4c89
title: Prefetch File Deleted
id: 0a1f9d29-6465-4776-b091-7f43b26e4c89
status: test
description: Detects the deletion of a prefetch file which may indicate an attempt to destroy forensic evidence
references:
    - Internal Research
    - https://www.group-ib.com/blog/hunting-for-ttps-with-prefetch-files/
author: Cedric MAURUGEON
date: 2021-09-29
modified: 2024-01-25
tags:
    - attack.stealth
    - attack.t1070.004
logsource:
    product: windows
    category: file_delete
detection:
    selection:
        TargetFilename|contains: ':\Windows\Prefetch\'
        TargetFilename|endswith: '.pf'
    filter_main_svchost:
        Image|endswith: ':\windows\system32\svchost.exe'
        User|contains: # covers many language settings
            - 'AUTHORI'
            - 'AUTORI'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high

Severity: high
Suspicious Ping/Del Command Combination
Detects a method often used by ransomware, which combines "ping" to wait a couple of seconds and then "del" to delete the file in question. It is used, for example, to hide the file responsible for the initial infection.
Status: test | Author: Ilya Krestinichev | ID: 54786ddc-5b8a-11ed-9b6a-0242ac120002
title: Suspicious Ping/Del Command Combination
id: 54786ddc-5b8a-11ed-9b6a-0242ac120002
status: test
description: Detects a method often used by ransomware. Which combines the "ping" to wait a couple of seconds and then "del" to delete the file in question. Its used to hide the file responsible for the initial infection for example
references:
    - https://blog.sygnia.co/kaseya-ransomware-supply-chain-attack
    - https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf
    - https://www.acronis.com/en-us/blog/posts/lockbit-ransomware/
    - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware
author: Ilya Krestinichev
date: 2022-11-03
modified: 2024-03-05
tags:
    - attack.stealth
    - attack.t1070.004
logsource:
    category: process_creation
    product: windows
detection:
    # Note: In the case of sysmon and similar logging utilities, see this discussion https://github.com/SigmaHQ/sigma/discussions/4277
    # Example: "C:\Windows\System32\cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 "C:\Users\User\Desktop\lockbit\lockbit.exe" & Del /f /q "C:\Users\User\Desktop\lockbit\lockbit.exe".
    selection_count:
        CommandLine|contains|windash: ' -n '
    selection_nul:
        CommandLine|contains: 'Nul' # Covers "> Nul" and ">Nul "
    selection_del_param:
        CommandLine|contains|windash:
            - ' -f '
            - ' -q '
    selection_all:
        CommandLine|contains|all:
            - 'ping' # Covers "ping" and "ping.exe"
            - 'del '
    condition: all of selection_*
falsepositives:
    - Unknown
level: high

Severity: medium
ADS Zone.Identifier Deleted By Uncommon Application
Detects the deletion of the "Zone.Identifier" ADS by an uncommon process. Attackers can leverage this in order to bypass security restrictions that make use of the ADS such as Microsoft Office apps.
Status: test | Author: Nasreddine Bencherchali (Nextron Systems) | ID: 3109530e-ab47-4cc6-a953-cac5ebcc93ae
title: ADS Zone.Identifier Deleted By Uncommon Application
id: 3109530e-ab47-4cc6-a953-cac5ebcc93ae
related:
    - id: 7eac0a16-5832-4e81-865f-0268a6d19e4b
      type: similar
status: test
description: Detects the deletion of the "Zone.Identifier" ADS by an uncommon process. Attackers can leverage this in order to bypass security restrictions that make use of the ADS such as Microsoft Office apps.
references:
    - https://securityliterate.com/how-malware-abuses-the-zone-identifier-to-circumvent-detection-and-analysis/
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-09-04
modified: 2025-07-04
tags:
    - attack.stealth
    - attack.t1070.004
logsource:
    product: windows
    category: file_delete
detection:
    selection:
        TargetFilename|endswith: ':Zone.Identifier'
    filter_main_generic:
        # Note: in some envs this activity might be performed by other software. Apply additional filters as necessary
        Image:
            - 'C:\Program Files\PowerShell\7-preview\pwsh.exe'
            - 'C:\Program Files\PowerShell\7\pwsh.exe'
            - 'C:\Windows\explorer.exe'
            - 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
            - 'C:\Windows\SysWOW64\explorer.exe'
            - 'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe'
    filter_optional_browsers_chrome:
        Image:
            - 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe'
            - 'C:\Program Files\Google\Chrome\Application\chrome.exe'
    filter_optional_browsers_firefox:
        Image:
            - 'C:\Program Files (x86)\Mozilla Firefox\firefox.exe'
            - 'C:\Program Files\Mozilla Firefox\firefox.exe'
    filter_optional_browsers_msedge:
        Image:
            - 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
            - 'C:\Program Files\Microsoft\Edge\Application\msedge.exe'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Other third party applications not listed.
level: medium

Severity: medium
Backup Catalog Deleted
Detects backup catalog deletions
Status: test | Author: Florian Roth (Nextron Systems), Tom U. @c_APT_ure (collection) | ID: 9703792d-fd9a-456d-a672-ff92efe4806a

Severity: medium
Cisco File Deletion
See what files are being deleted from flash file systems
Status: test | Author: Austin Clark | ID: 71d65515-c436-43c0-841b-236b1f32c21e
title: Cisco File Deletion
id: 71d65515-c436-43c0-841b-236b1f32c21e
status: test
description: See what files are being deleted from flash file systems
author: Austin Clark
date: 2019-08-12
modified: 2023-01-04
tags:
    - attack.impact
    - attack.stealth
    - attack.t1070.004
    - attack.t1561.001
    - attack.t1561.002
logsource:
    product: cisco
    service: aaa
detection:
    keywords:
        - 'erase'
        - 'delete'
        - 'format'
    condition: keywords
falsepositives:
    - Will be used sometimes by admins to clean up local flash space
level: medium

Severity: medium
File Deleted Via Sysinternals SDelete
Detects the deletion of files by the Sysinternals SDelete utility. It looks for the common name pattern used to rename files.
Status: test | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | ID: 6ddab845-b1b8-49c2-bbf7-1a11967f64bc
title: File Deleted Via Sysinternals SDelete
id: 6ddab845-b1b8-49c2-bbf7-1a11967f64bc
status: test
description: Detects the deletion of files by the Sysinternals SDelete utility. It looks for the common name pattern used to rename files.
references:
    - https://github.com/OTRF/detection-hackathon-apt29/issues/9
    - https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/4.B.4_83D62033-105A-4A02-8B75-DAB52D8D51EC.md
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-05-02
modified: 2023-02-15
tags:
    - attack.stealth
    - attack.t1070.004
logsource:
    product: windows
    category: file_delete
detection:
    selection:
        TargetFilename|endswith:
            - '.AAA'
            - '.ZZZ'
    filter_wireshark:
        TargetFilename|endswith: '\Wireshark\radius\dictionary.alcatel-lucent.aaa'
    condition: selection and not 1 of filter_*
falsepositives:
    - Legitimate usage
level: medium

Severity: medium
Greedy File Deletion Using Del
Detects execution of the "del" builtin command to remove files using a greedy/wildcard expression. This is often used by malware to delete the content of folders that perhaps contain the initial malware infection, or to delete evidence.
Status: test | Author: frack113, X__Junior (Nextron Systems) | ID: 204b17ae-4007-471b-917b-b917b315c5db
title: Greedy File Deletion Using Del
id: 204b17ae-4007-471b-917b-b917b315c5db
status: test
description: Detects execution of the "del" builtin command to remove files using greedy/wildcard expression. This is often used by malware to delete content of folders that perhaps contains the initial malware infection or to delete evidence.
references:
    - https://www.joesandbox.com/analysis/509330/0/html#1044F3BDBE3BB6F734E357235F4D5898582D
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/erase
author: frack113 , X__Junior (Nextron Systems)
date: 2021-12-02
modified: 2023-09-11
tags:
    - attack.stealth
    - attack.t1070.004
logsource:
    category: process_creation
    product: windows
detection:
    # Example:
    #   del C:\ProgramData\*.dll & exit
    selection_img:
        - Image|endswith: '\cmd.exe'
        - OriginalFileName: 'Cmd.Exe'
    selection_del:
        CommandLine|contains:
            - 'del '
            - 'erase '
    selection_extensions:
        CommandLine|contains:
            - '\\\*.au3'
            - '\\\*.dll'
            - '\\\*.exe'
            - '\\\*.js'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium

Severity: medium
Potential Secure Deletion with SDelete
Detects files that have extensions commonly seen while SDelete is used to wipe files.
Status: test | Author: Thomas Patzke | ID: 39a80702-d7ca-4a83-b776-525b1f86a36d
title: Potential Secure Deletion with SDelete
id: 39a80702-d7ca-4a83-b776-525b1f86a36d
status: test
description: Detects files that have extensions commonly seen while SDelete is used to wipe files.
references:
    - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/sdelete.htm
    - https://www.jpcert.or.jp/english/pub/sr/ir_research.html
    - https://learn.microsoft.com/en-gb/sysinternals/downloads/sdelete
author: Thomas Patzke
date: 2017-06-14
modified: 2024-12-13
tags:
    - attack.impact
    - attack.stealth
    - attack.defense-impairment
    - attack.t1070.004
    - attack.t1027.005
    - attack.t1485
    - attack.t1553.002
    - attack.s0195
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID:
            - 4656
            - 4663
            - 4658
        ObjectName|endswith:
            - '.AAA'
            - '.ZZZ'
    condition: selection
falsepositives:
    - Legitimate usage of SDelete
    - Files that are interacted with that have these extensions legitimately
level: medium

Severity: medium
Potentially Suspicious Ping/Copy Command Combination
Detects uncommon and potentially suspicious one-liner command containing both "ping" and "copy" at the same time, which is usually used by malware.
Status: test | Author: X__Junior (Nextron Systems) | ID: ded2b07a-d12f-4284-9b76-653e37b6c8b0
title: Potentially Suspicious Ping/Copy Command Combination
id: ded2b07a-d12f-4284-9b76-653e37b6c8b0
status: test
description: |
    Detects uncommon and potentially suspicious one-liner command containing both "ping" and "copy" at the same time, which is usually used by malware.
references:
    - Internal Research
author: X__Junior (Nextron Systems)
date: 2023-07-18
modified: 2024-03-06
tags:
    - attack.stealth
    - attack.t1070.004
logsource:
    category: process_creation
    product: windows
detection:
    # Note: In the case of sysmon and similar logging utilities, see this discussion https://github.com/SigmaHQ/sigma/discussions/4277
    selection_cmd:
        - Image|endswith: '\cmd.exe'
        - OriginalFileName: 'Cmd.Exe'
    selection_action:
        CommandLine|contains|all:
            - 'ping' # Covers "ping" and "ping.exe"
            - 'copy '
    selection_cli_1:
        CommandLine|contains|windash: ' -n ' # Count
    selection_cli_2:
        CommandLine|contains|windash: ' -y '
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium

Severity: low
Directory Removal Via Rmdir
Detects execution of the builtin "rmdir" command in order to delete directories.
Adversaries may delete files left behind by the actions of their intrusion activity.
Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces that indicate what was done within a network and how.
Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Status: test | Author: frack113 | ID: 41ca393d-538c-408a-ac27-cf1e038be80c
title: Directory Removal Via Rmdir
id: 41ca393d-538c-408a-ac27-cf1e038be80c
status: test
description: |
    Detects execution of the builtin "rmdir" command in order to delete directories.
    Adversaries may delete files left behind by the actions of their intrusion activity.
    Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how.
    Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/erase
author: frack113
date: 2022-01-15
modified: 2023-03-07
tags:
    - attack.stealth
    - attack.t1070.004
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\cmd.exe'
        - OriginalFileName: 'Cmd.Exe'
    selection_rmdir:
        CommandLine|contains: 'rmdir'
    selection_flags:
        CommandLine|contains:
            - '/s'
            - '/q'
    condition: all of selection_*
falsepositives:
    - Unknown
level: low
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_cmd_rmdir_execution/info.yml

Severity: low
File Deletion Via Del
Detects execution of the builtin "del"/"erase" commands in order to delete files.
Adversaries may delete files left behind by the actions of their intrusion activity.
Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces that indicate what was done within a network and how.
Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Status: test | Author: frack113 | ID: 379fa130-190e-4c3f-b7bc-6c8e834485f3
title: File Deletion Via Del
id: 379fa130-190e-4c3f-b7bc-6c8e834485f3
status: test
description: |
    Detects execution of the builtin "del"/"erase" commands in order to delete files.
    Adversaries may delete files left behind by the actions of their intrusion activity.
    Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how.
    Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/erase
author: frack113
date: 2022-01-15
modified: 2024-03-05
tags:
    - attack.stealth
    - attack.t1070.004
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\cmd.exe'
        - OriginalFileName: 'Cmd.Exe'
    selection_del:
        CommandLine|contains:
            - 'del '
            - 'erase '
    selection_flags:
        CommandLine|contains|windash:
            - ' -f' # Force deleting of read-only files.
            - ' -s' # Delete specified files from all subdirectories.
            - ' -q' # Quiet mode, do not ask if ok to delete on global wildcard
    condition: all of selection_*
falsepositives:
    - False positives levels will differ Depending on the environment. You can use a combination of ParentImage and other keywords from the CommandLine field to filter legitimate activity
level: low

Severity: low
TeamViewer Log File Deleted
Detects the deletion of the TeamViewer log files which may indicate an attempt to destroy forensic evidence
Status: test | Author: frack113 | ID: b1decb61-ed83-4339-8e95-53ea51901720
title: TeamViewer Log File Deleted
id: b1decb61-ed83-4339-8e95-53ea51901720
status: test
description: Detects the deletion of the TeamViewer log files which may indicate an attempt to destroy forensic evidence
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md
author: frack113
date: 2022-01-16
modified: 2023-02-15
tags:
    - attack.stealth
    - attack.t1070.004
logsource:
    product: windows
    category: file_delete
detection:
    selection:
        TargetFilename|contains: '\TeamViewer_'
        TargetFilename|endswith: '.log'
    filter:
        Image: C:\Windows\system32\svchost.exe
    condition: selection and not filter
falsepositives:
    - Unknown
level: low

Severity: informational
File Deletion
Detects file deletion using "rm", "shred" or "unlink" commands which are used often by adversaries to delete files left behind by the actions of their intrusion activity
Status: stable | Author: Ömer Günal, oscd.community | ID: 30aed7b6-d2c1-4eaf-9382-b6bc43e50c57
title: File Deletion
id: 30aed7b6-d2c1-4eaf-9382-b6bc43e50c57
status: stable
description: Detects file deletion using "rm", "shred" or "unlink" commands which are used often by adversaries to delete files left behind by the actions of their intrusion activity
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md
author: Ömer Günal, oscd.community
date: 2020-10-07
modified: 2022-09-15
tags:
    - attack.stealth
    - attack.t1070.004
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        Image|endswith:
            - '/rm' # covers /rmdir as well
            - '/shred'
            - '/unlink'
    condition: selection
falsepositives:
    - Legitimate administration activities
level: informational