Home/Sigma rules
Sigma

Sigma detection rules

10 rules indexed · SIEM-agnostic detection content
Sigma is the open generic signature format for SIEM systems. Each rule below converts to native syntax for Splunk, Elastic, Sentinel, and other SIEMs. Expand any rule to see its raw YAML.
Severity critical high medium low all severities

Detection rules

10 shown of 10
critical
Cobalt Strike DNS Beaconing
Detects suspicious DNS queries known from Cobalt Strike beacons
status test author Florian Roth (Nextron Systems) id 2975af79-28c4-4d2f-a951-9095f229df29
view Sigma YAML 
title: Cobalt Strike DNS Beaconing
id: 2975af79-28c4-4d2f-a951-9095f229df29
status: test
description: Detects suspicious DNS queries known from Cobalt Strike beacons
references:
    - https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns
    - https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/
author: Florian Roth (Nextron Systems)
date: 2018-05-10
modified: 2022-10-09
tags:
    - attack.command-and-control
    - attack.t1071.004
logsource:
    category: dns
detection:
    selection1:
        query|startswith:
            - 'aaa.stage.'
            - 'post.1'
    selection2:
        query|contains: '.stage.123456.'
    condition: 1 of selection*
falsepositives:
    - Unknown
level: critical
critical
Silence.EDA Detection
Detects Silence EmpireDNSAgent as described in the Group-IP report
status test author Alina Stepchenkova, Group-IB, oscd.community id 3ceb2083-a27f-449a-be33-14ec1b7cc973
view Sigma YAML 
title: Silence.EDA Detection
id: 3ceb2083-a27f-449a-be33-14ec1b7cc973
status: test
description: Detects Silence EmpireDNSAgent as described in the Group-IP report
references:
    - https://www.group-ib.com/resources/threat-research/silence_2.0.going_global.pdf
author: Alina Stepchenkova, Group-IB, oscd.community
date: 2019-11-01
modified: 2023-04-03
tags:
    - attack.execution
    - attack.t1059.001
    - attack.command-and-control
    - attack.t1071.004
    - attack.t1572
    - attack.impact
    - attack.t1529
    - attack.g0091
    - attack.s0363
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    empire:
        # better to randomise the order
        ScriptBlockText|contains|all:
            - 'System.Diagnostics.Process'
            - 'Stop-Computer'
            - 'Restart-Computer'
            - 'Exception in execution'
            - '$cmdargs'
            - 'Close-Dnscat2Tunnel'
    dnscat:
        # better to randomise the order
        ScriptBlockText|contains|all:
            - 'set type=$LookupType`nserver'
            - '$Command | nslookup 2>&1 | Out-String'
            - 'New-RandomDNSField'
            - '[Convert]::ToString($SYNOptions, 16)'
            - '$Session.Dead = $True'
            - '$Session["Driver"] -eq'
    condition: empire and dnscat
falsepositives:
    - Unknown
level: critical
critical
Suspicious Cobalt Strike DNS Beaconing - DNS Client
Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons
status test author Nasreddine Bencherchali (Nextron Systems) id 0d18728b-f5bf-4381-9dcf-915539fff6c2
view Sigma YAML 
title: Suspicious Cobalt Strike DNS Beaconing - DNS Client
id: 0d18728b-f5bf-4381-9dcf-915539fff6c2
related:
    - id: f356a9c4-effd-4608-bbf8-408afd5cd006
      type: similar
status: test
description: Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons
references:
    - https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns
    - https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-16
tags:
    - attack.t1071.004
    - attack.command-and-control
logsource:
    product: windows
    service: dns-client
    definition: 'Requirements: Microsoft-Windows-DNS Client Events/Operational Event Log must be enabled/collected in order to receive the events.'
detection:
    selection_eid:
        EventID: 3008
    selection_query_1:
        QueryName|startswith:
            - 'aaa.stage.'
            - 'post.1'
    selection_query_2:
        QueryName|contains: '.stage.123456.'
    condition: selection_eid and 1 of selection_query_*
falsepositives:
    - Unknown
level: critical
critical
Suspicious Cobalt Strike DNS Beaconing - Sysmon
Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons
status test author Florian Roth (Nextron Systems) id f356a9c4-effd-4608-bbf8-408afd5cd006
view Sigma YAML 
title: Suspicious Cobalt Strike DNS Beaconing - Sysmon
id: f356a9c4-effd-4608-bbf8-408afd5cd006
related:
    - id: 0d18728b-f5bf-4381-9dcf-915539fff6c2
      type: similar
status: test
description: Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons
references:
    - https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns
    - https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/
author: Florian Roth (Nextron Systems)
date: 2021-11-09
modified: 2023-01-16
tags:
    - attack.command-and-control
    - attack.t1071.004
logsource:
    product: windows
    category: dns_query
detection:
    selection1:
        QueryName|startswith:
            - 'aaa.stage.'
            - 'post.1'
    selection2:
        QueryName|contains: '.stage.123456.'
    condition: 1 of selection*
falsepositives:
    - Unknown
level: critical
high
DNS Exfiltration and Tunneling Tools Execution
Well-known DNS Exfiltration tools execution
status test author Daniil Yugoslavskiy, oscd.community id 98a96a5a-64a0-4c42-92c5-489da3866cb0
view Sigma YAML 
title: DNS Exfiltration and Tunneling Tools Execution
id: 98a96a5a-64a0-4c42-92c5-489da3866cb0
status: test
description: Well-known DNS Exfiltration tools execution
references:
    - https://github.com/iagox86/dnscat2
    - https://github.com/yarrick/iodine
author: Daniil Yugoslavskiy, oscd.community
date: 2019-10-24
modified: 2021-11-27
tags:
    - attack.exfiltration
    - attack.t1048.001
    - attack.command-and-control
    - attack.t1071.004
    - attack.t1132.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '\iodine.exe'
        - Image|contains: '\dnscat2'
    condition: selection
falsepositives:
    - Unlikely
level: high
high
DNS Query by Finger Utility
Detects DNS queries made by the finger utility, which can be abused by threat actors to retrieve remote commands for execution on Windows devices. In one ClickFix malware campaign, adversaries leveraged the finger protocol to fetch commands from a remote server. Since the finger utility is not commonly used in modern Windows environments, its presence already raises suspicion. Investigating such DNS queries can also help identify potential malicious infrastructure used by threat actors for command and control (C2) communication.
status experimental author Swachchhanda Shrawan Poudel (Nextron Systems) id c082c2b0-525b-4dbc-9a26-a57dc4692074
view Sigma YAML 
title: DNS Query by Finger Utility
id: c082c2b0-525b-4dbc-9a26-a57dc4692074
related:
    - id: 2fdaf50b-9fd5-449f-ba69-f17248119af6
      type: similar
    - id: af491bca-e752-4b44-9c86-df5680533dbc
      type: similar
status: experimental
description: |
    Detects DNS queries made by the finger utility, which can be abused by threat actors to retrieve remote commands for execution on Windows devices.
    In one ClickFix malware campaign, adversaries leveraged the finger protocol to fetch commands from a remote server.
    Since the finger utility is not commonly used in modern Windows environments, its presence already raises suspicion.
    Investigating such DNS queries can also help identify potential malicious infrastructure used by threat actors for command and control (C2) communication.
references:
    - https://www.bleepingcomputer.com/news/security/decades-old-finger-protocol-abused-in-clickfix-malware-attacks/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-19
tags:
    - attack.command-and-control
    - attack.t1071.004
    - attack.execution
    - attack.t1059.003
logsource:
    product: windows
    category: dns_query
detection:
    selection:
        Image|endswith: '\finger.exe'
    condition: selection
falsepositives:
    - Unlikely
level: high
high
DNS TXT Answer with Possible Execution Strings
Detects strings used in command execution in DNS TXT Answer
status test author Markus Neis id 8ae51330-899c-4641-8125-e39f2e07da72
view Sigma YAML 
title: DNS TXT Answer with Possible Execution Strings
id: 8ae51330-899c-4641-8125-e39f2e07da72
status: test
description: Detects strings used in command execution in DNS TXT Answer
references:
    - https://twitter.com/stvemillertime/status/1024707932447854592
    - https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Backdoors/DNS_TXT_Pwnage.ps1
author: Markus Neis
date: 2018-08-08
modified: 2021-11-27
tags:
    - attack.command-and-control
    - attack.t1071.004
logsource:
    category: dns
detection:
    selection:
        record_type: 'TXT'
        answer|contains:
            - 'IEX'
            - 'Invoke-Expression'
            - 'cmd.exe'
    condition: selection
falsepositives:
    - Unknown
level: high
high
Network Connection Initiated via Finger.EXE
Detects network connections via finger.exe, which can be abused by threat actors to retrieve remote commands for execution on Windows devices. In one ClickFix malware campaign, adversaries leveraged the finger protocol to fetch commands from a remote server. Since the finger utility is not commonly used in modern Windows environments, its presence already raises suspicion. Investigating such network connections can also help identify potential malicious infrastructure used by threat actors
status experimental author Swachchhanda Shrawan Poudel (Nextron Systems) id 2fdaf50b-9fd5-449f-ba69-f17248119af6
view Sigma YAML 
title: Network Connection Initiated via Finger.EXE
id: 2fdaf50b-9fd5-449f-ba69-f17248119af6
related:
    - id: c082c2b0-525b-4dbc-9a26-a57dc4692074
      type: similar
    - id: af491bca-e752-4b44-9c86-df5680533dbc
      type: similar
status: experimental
description: |
    Detects network connections via finger.exe, which can be abused by threat actors to retrieve remote commands for execution on Windows devices.
    In one ClickFix malware campaign, adversaries leveraged the finger protocol to fetch commands from a remote server.
    Since the finger utility is not commonly used in modern Windows environments, its presence already raises suspicion.
    Investigating such network connections can also help identify potential malicious infrastructure used by threat actors
references:
    - https://www.bleepingcomputer.com/news/security/decades-old-finger-protocol-abused-in-clickfix-malware-attacks/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-19
tags:
    - attack.command-and-control
    - attack.t1071.004
    - attack.execution
    - attack.t1059.003
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Initiated: 'true'
        Image|endswith: '\finger.exe'
    condition: selection
falsepositives:
    - Unlikely
level: high
medium
DNS Query To Common Malware Hosting and Shortener Services
Detects DNS queries to domains commonly used by threat actors to host malware payloads or redirect through URL shorteners. These include platforms like Cloudflare Workers, TryCloudflare, InfinityFree, and URL shorteners such as tinyurl and lihi.cc. Such DNS activity can indicate potential delivery or command-and-control communication attempts.
status experimental author Ahmed Nosir (@egycondor) id f8c1e80b-c73a-476a-ae24-6c72528b1521
view Sigma YAML 
title: DNS Query To Common Malware Hosting and Shortener Services
id: f8c1e80b-c73a-476a-ae24-6c72528b1521
status: experimental
description: |
    Detects DNS queries to domains commonly used by threat actors to host malware payloads or redirect through URL shorteners.
    These include platforms like Cloudflare Workers, TryCloudflare, InfinityFree, and URL shorteners such as tinyurl and lihi.cc.
    Such DNS activity can indicate potential delivery or command-and-control communication attempts.
references:
    - https://cloud.google.com/blog/topics/threat-intelligence/apt41-innovative-tactics
author: Ahmed Nosir (@egycondor)
date: 2025-06-02
tags:
    - attack.command-and-control
    - attack.t1071.004
logsource:
    product: windows
    category: dns_query
detection:
    selection:
        QueryName|contains:
            - 'msapp.workers.dev'
            - 'trycloudflare.com'
            - 'infinityfreeapp.com'
            - 'my5353.com'
            - 'reurl.cc'
            - 'lihi.cc'
            - 'tinyurl.com'
    condition: selection
falsepositives:
    - Legitimate use of these services is possible but rare in enterprise environments
level: medium
medium
Suspicious DNS Query with B64 Encoded String
Detects suspicious DNS queries using base64 encoding
status test author Florian Roth (Nextron Systems) id 4153a907-2451-4e4f-a578-c52bb6881432
view Sigma YAML 
title: Suspicious DNS Query with B64 Encoded String
id: 4153a907-2451-4e4f-a578-c52bb6881432
status: test
description: Detects suspicious DNS queries using base64 encoding
references:
    - https://github.com/krmaxwell/dns-exfiltration
author: Florian Roth (Nextron Systems)
date: 2018-05-10
modified: 2022-10-09
tags:
    - attack.exfiltration
    - attack.t1048.003
    - attack.command-and-control
    - attack.t1071.004
logsource:
    category: dns
detection:
    selection:
        query|contains: '==.'
    condition: selection
falsepositives:
    - Unknown
level: medium
Showing 1-10 of 10
Prev 1 Next
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin