Sigma detection rules

5 rules indexed · SIEM-agnostic detection content
Sigma is the open, generic signature format for SIEM systems. Each rule below converts to native query syntax for Splunk, Elastic, Sentinel, and other SIEMs. The raw YAML of each rule follows its summary.

Detection rules

File Time Attribute Change (level: medium)
Detect file time attribute change to hide new or changes to existing files
Status: test · Author: Igor Fits, Mikhail Larin, oscd.community · ID: 88c0f9d8-30a8-4120-bb6b-ebb54abcf2a0
Sigma YAML:
title: File Time Attribute Change
id: 88c0f9d8-30a8-4120-bb6b-ebb54abcf2a0
status: test
description: Detect file time attribute change to hide new or changes to existing files
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.006/T1070.006.md
author: Igor Fits, Mikhail Larin, oscd.community
date: 2020-10-19
modified: 2022-01-12
tags:
    - attack.stealth
    - attack.t1070.006
logsource:
    product: macos
    category: process_creation
detection:
    selection:
        Image|endswith: '/touch'
        CommandLine|contains:
            - '-t'
            - '-acmr'
            - '-d'
            - '-r'
    condition: selection
falsepositives:
    - Unknown
level: medium
File Time Attribute Change - Linux (level: medium)
Detect file time attribute change to hide new or changes to existing files.
Status: test · Author: Igor Fits, oscd.community · ID: b3cec4e7-6901-4b0d-a02d-8ab2d8eb818b
Sigma YAML:
title: File Time Attribute Change - Linux
id: b3cec4e7-6901-4b0d-a02d-8ab2d8eb818b
status: test
description: Detect file time attribute change to hide new or changes to existing files.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.006/T1070.006.md
author: 'Igor Fits, oscd.community'
date: 2020-10-15
modified: 2022-11-28
tags:
    - attack.stealth
    - attack.t1070.006
logsource:
    product: linux
    service: auditd
detection:
    execve:
        type: 'EXECVE'
    touch:
        - 'touch'
    selection2:
        - '-t'
        - '-acmr'
        - '-d'
        - '-r'
    condition: execve and touch and selection2
falsepositives:
    - Unknown
level: medium
simulation:
    - type: atomic-red-team
      name: Set a file's access timestamp
      technique: T1070.006
      atomic_guid: 5f9113d5-ed75-47ed-ba23-ea3573d05810
    - type: atomic-red-team
      name: Set a file's modification timestamp
      technique: T1070.006
      atomic_guid: 20ef1523-8758-4898-b5a2-d026cc3d2c52
    - type: atomic-red-team
      name: Modify file timestamps using reference file
      technique: T1070.006
      atomic_guid: 631ea661-d661-44b0-abdb-7a7f3fc08e50
Powershell Timestomp (level: medium)
Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder.
Status: test · Author: frack113 · ID: c6438007-e081-42ce-9483-b067fbef33c3
Sigma YAML:
title: Powershell Timestomp
id: c6438007-e081-42ce-9483-b067fbef33c3
status: test
description: |
    Adversaries may modify file time attributes to hide new or changes to existing files.
    Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.006/T1070.006.md
    - https://www.offensive-security.com/metasploit-unleashed/timestomp/
author: frack113
date: 2021-08-03
modified: 2022-12-25
tags:
    - attack.stealth
    - attack.t1070.006
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection_ioc:
        ScriptBlockText|contains:
            - '.CreationTime ='
            - '.LastWriteTime ='
            - '.LastAccessTime ='
            - '[IO.File]::SetCreationTime'
            - '[IO.File]::SetLastAccessTime'
            - '[IO.File]::SetLastWriteTime'
    condition: selection_ioc
falsepositives:
    - Legitimate admin script
level: medium
Touch Suspicious Service File (level: medium)
Detects usage of the "touch" process in service file.
Status: test · Author: Joseliyo Sanchez, @Joseliyo_Jstnk · ID: 31545105-3444-4584-bebf-c466353230d2
Sigma YAML:
title: Touch Suspicious Service File
id: 31545105-3444-4584-bebf-c466353230d2
status: test
description: Detects usage of the "touch" process in service file.
references:
    - https://blogs.blackberry.com/
    - https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2023-01-11
tags:
    - attack.stealth
    - attack.t1070.006
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        Image|endswith: '/touch'
        CommandLine|contains: ' -t '
        CommandLine|endswith: '.service'
    condition: selection
falsepositives:
    - Admin changing date of files.
level: medium
Unauthorized System Time Modification (level: low)
Detect scenarios where a potentially unauthorized application or user is modifying the system time.
Status: test · Author: @neu5ron · ID: faa031b5-21ed-4e02-8881-2591f98d82ed
Sigma YAML:
title: Unauthorized System Time Modification
id: faa031b5-21ed-4e02-8881-2591f98d82ed
status: test
description: Detect scenarios where a potentially unauthorized application or user is modifying the system time.
references:
    - Private Cuckoo Sandbox (from many years ago, no longer have hash, NDA as well)
    - Live environment caused by malware
    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4616
author: '@neu5ron'
date: 2019-02-05
modified: 2025-12-03
tags:
    - attack.stealth
    - attack.t1070.006
logsource:
    product: windows
    service: security
    definition: 'Requirements: Audit Policy : System > Audit Security State Change, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\System\Audit Security State Change'
detection:
    selection:
        EventID: 4616
    filter_main_svchost:
        ProcessName: 'C:\Windows\System32\svchost.exe'
        SubjectUserSid: 'S-1-5-19'
    filter_optional_vmtools:
        ProcessName:
            - 'C:\Program Files\VMware\VMware Tools\vmtoolsd.exe'
            - 'C:\Program Files (x86)\VMware\VMware Tools\vmtoolsd.exe'
            - 'C:\Windows\System32\VBoxService.exe'
            - 'C:\Windows\System32\oobe\msoobe.exe'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - HyperV or other virtualization technologies with binary not listed in filter portion of detection
level: low
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin