Sigma is the open, generic signature format for SIEM systems. Each rule below converts to native query syntax for Splunk, Elastic, Sentinel, and other SIEMs. Expand any rule to see its raw YAML.
Periodic Backup For System Registry Hives Enabled
Detects the enabling of the "EnablePeriodicBackup" registry value. Once enabled, the OS backs up the system registry hives on restart to the "C:\Windows\System32\config\RegBack" folder, and Windows creates a "RegIdleBackup" scheduled task to manage subsequent backups.
Registry backup was a default behavior on Windows and was disabled as of Windows 10, version 1803.
status: test | author: Nasreddine Bencherchali (Nextron Systems) | id: 973ef012-8f1a-4c40-93b4-7e659a5cd17f
title: Periodic Backup For System Registry Hives Enabled
id: 973ef012-8f1a-4c40-93b4-7e659a5cd17f
status: test
description: |
    Detects the enabling of the "EnablePeriodicBackup" registry value. Once enabled, the OS backs up the system registry hives on restart to the "C:\Windows\System32\config\RegBack" folder, and Windows creates a "RegIdleBackup" scheduled task to manage subsequent backups.
    Registry backup was a default behavior on Windows and was disabled as of Windows 10, version 1803.
references:
    - https://learn.microsoft.com/en-us/troubleshoot/windows-client/installing-updates-features-roles/system-registry-no-backed-up-regback-folder
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-07-01
tags:
    - attack.collection
    - attack.t1113
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith: '\Control\Session Manager\Configuration Manager\EnablePeriodicBackup'
        Details: 'DWORD (0x00000001)'
    condition: selection
falsepositives:
    - Legitimate need for RegBack feature by administrators.
level: medium
Screen Capture Activity Via Psr.EXE
Detects execution of Windows Problem Steps Recorder (psr.exe), a utility used to record the user screen and clicks.
status: test | author: Beyu Denis, oscd.community | id: 2158f96f-43c2-43cb-952a-ab4580f32382
title: Screen Capture Activity Via Psr.EXE
id: 2158f96f-43c2-43cb-952a-ab4580f32382
status: test
description: Detects execution of Windows Problem Steps Recorder (psr.exe), a utility used to record the user screen and clicks.
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Psr/
    - https://web.archive.org/web/20200229201156/https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1493861893.pdf
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md
author: Beyu Denis, oscd.community
date: 2019-10-12
modified: 2024-01-04
tags:
    - attack.collection
    - attack.t1113
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\Psr.exe'
        CommandLine|contains:
            - '/start'
            - '-start'
    condition: selection
falsepositives:
    - Unknown
level: medium
Windows Recall Feature Enabled - DisableAIDataAnalysis Value Deleted
Detects the enabling of the Windows Recall feature via registry manipulation. Windows Recall can be enabled by deleting the existing "DisableAIDataAnalysis" registry value.
Adversaries may enable Windows Recall as part of post-exploitation discovery and collection activities.
This rule assumes that Recall is already explicitly disabled on the host, and subsequently enabled by the adversary.
status: test | author: Sajid Nawaz Khan | id: 5dfc1465-8f65-4fde-8eb5-6194380c6a62
title: Windows Recall Feature Enabled - DisableAIDataAnalysis Value Deleted
id: 5dfc1465-8f65-4fde-8eb5-6194380c6a62
related:
    - id: 75180c5f-4ea1-461a-a4f6-6e4700c065d4
      type: similar
    - id: 817f252c-5143-4dae-b418-48c3e9f63728
      type: similar
status: test
description: |
    Detects the enabling of the Windows Recall feature via registry manipulation. Windows Recall can be enabled by deleting the existing "DisableAIDataAnalysis" registry value.
    Adversaries may enable Windows Recall as part of post-exploitation discovery and collection activities.
    This rule assumes that Recall is already explicitly disabled on the host, and subsequently enabled by the adversary.
references:
    - https://learn.microsoft.com/en-us/windows/client-management/manage-recall
    - https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsai#disableaidataanalysis
author: Sajid Nawaz Khan
date: 2024-06-02
tags:
    - attack.collection
    - attack.t1113
logsource:
    category: registry_delete
    product: windows
detection:
    selection:
        # HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\WindowsAI\DisableAIDataAnalysis
        # HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsAI\DisableAIDataAnalysis
        EventType: DeleteValue
        TargetObject|endswith: '\Microsoft\Windows\WindowsAI\DisableAIDataAnalysis'
    condition: selection
falsepositives:
    - Legitimate use/activation of Windows Recall
level: medium
Windows Recall Feature Enabled - Registry
Detects the enabling of the Windows Recall feature via registry manipulation. Windows Recall can be enabled by setting the value of "DisableAIDataAnalysis" to "0".
Adversaries may enable Windows Recall as part of post-exploitation discovery and collection activities.
This rule assumes that Recall is already explicitly disabled on the host, and subsequently enabled by the adversary.
status: test | author: Sajid Nawaz Khan | id: 75180c5f-4ea1-461a-a4f6-6e4700c065d4
title: Windows Recall Feature Enabled - Registry
id: 75180c5f-4ea1-461a-a4f6-6e4700c065d4
related:
    - id: 5dfc1465-8f65-4fde-8eb5-6194380c6a62
      type: similar
    - id: 817f252c-5143-4dae-b418-48c3e9f63728
      type: similar
status: test
description: |
    Detects the enabling of the Windows Recall feature via registry manipulation. Windows Recall can be enabled by setting the value of "DisableAIDataAnalysis" to "0".
    Adversaries may enable Windows Recall as part of post-exploitation discovery and collection activities.
    This rule assumes that Recall is already explicitly disabled on the host, and subsequently enabled by the adversary.
references:
    - https://learn.microsoft.com/en-us/windows/client-management/manage-recall
    - https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsai#disableaidataanalysis
author: Sajid Nawaz Khan
date: 2024-06-02
tags:
    - attack.collection
    - attack.t1113
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        # HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\WindowsAI\DisableAIDataAnalysis
        # HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsAI\DisableAIDataAnalysis
        TargetObject|endswith: '\Software\Policies\Microsoft\Windows\WindowsAI\DisableAIDataAnalysis'
        Details: 'DWORD (0x00000000)'
    condition: selection
falsepositives:
    - Legitimate use/activation of Windows Recall
level: medium
Windows Recall Feature Enabled Via Reg.EXE
Detects the enabling of the Windows Recall feature via registry manipulation.
Windows Recall can be enabled by deleting the existing "DisableAIDataAnalysis" value, or setting it to 0.
Adversaries may enable Windows Recall as part of post-exploitation discovery and collection activities.
This rule assumes that Recall is already explicitly disabled on the host, and subsequently enabled by the adversary.
status: test | author: Sajid Nawaz Khan | id: 817f252c-5143-4dae-b418-48c3e9f63728
title: Windows Recall Feature Enabled Via Reg.EXE
id: 817f252c-5143-4dae-b418-48c3e9f63728
related:
    - id: 5dfc1465-8f65-4fde-8eb5-6194380c6a62
      type: similar
    - id: 75180c5f-4ea1-461a-a4f6-6e4700c065d4
      type: similar
status: test
description: |
    Detects the enabling of the Windows Recall feature via registry manipulation.
    Windows Recall can be enabled by deleting the existing "DisableAIDataAnalysis" value, or setting it to 0.
    Adversaries may enable Windows Recall as part of post-exploitation discovery and collection activities.
    This rule assumes that Recall is already explicitly disabled on the host, and subsequently enabled by the adversary.
references:
    - https://learn.microsoft.com/en-us/windows/client-management/manage-recall
    - https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsai#disableaidataanalysis
author: Sajid Nawaz Khan
date: 2024-06-02
tags:
    - attack.collection
    - attack.t1113
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\reg.exe'
        - OriginalFileName: 'reg.exe'
    selection_value:
        # HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\WindowsAI\DisableAIDataAnalysis
        # HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsAI\DisableAIDataAnalysis
        CommandLine|contains|all:
            - 'Microsoft\Windows\WindowsAI'
            - 'DisableAIDataAnalysis'
    selection_action_add:
        # both must be present: "add" alone would also match a command that sets the value to 1
        CommandLine|contains|all:
            - 'add'
            - '0'
    selection_action_delete:
        CommandLine|contains: 'delete'
    condition: selection_img and selection_value and 1 of selection_action_*
falsepositives:
    - Legitimate use/activation of Windows Recall
level: medium
Windows Screen Capture with CopyFromScreen
Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation.
Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations.
status: test | author: frack113 | id: d4a11f63-2390-411c-9adf-d791fd152830
title: Windows Screen Capture with CopyFromScreen
id: d4a11f63-2390-411c-9adf-d791fd152830
status: test
description: |
    Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation.
    Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md#atomic-test-6---windows-screen-capture-copyfromscreen
author: frack113
date: 2021-12-28
modified: 2022-07-07
tags:
    - attack.collection
    - attack.t1113
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains: '.CopyFromScreen'
    condition: selection
falsepositives:
    - Unknown
level: medium
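As an added example (not code from SigmaHQ or from this page), the Python script below runs the Windows rules above (the reg.exe rule, the two Recall registry rules and the RegBack rule) over constructed Sysmon-shaped events. It implements just enough of Sigma's matching semantics to show what each rule does and does not catch: case-insensitive comparison, the endswith and contains modifiers, OR over a list of values unless |all is present, and AND across the keys of one selection. The add action of the reg.exe rule is evaluated as 'add' and '0' together, the reading that corresponds to enabling Recall. Logsource category filtering is not modelled; field names follow Sysmon, and the paths, command lines and registry values in the events are made up for the demonstration.

```python
"""Minimal Sigma-style evaluator for the Windows rules on this page.

Added example (not code from SigmaHQ or from this page). It implements only the
Sigma semantics these rules rely on: string matching is case-insensitive, the
`endswith` and `contains` modifiers, a list of values is OR-ed unless `|all`
is present, and the keys of one selection map are AND-ed. Logsource category
filtering (process_creation vs registry_set vs registry_delete) is not modelled;
field names follow Sysmon's, and every event below is constructed, not captured.
"""


def _cmp(modifier, field_value, pattern):
    fv, p = str(field_value).lower(), str(pattern).lower()
    if modifier == "endswith":
        return fv.endswith(p)
    if modifier == "startswith":
        return fv.startswith(p)
    if modifier == "contains":
        return p in fv
    return fv == p  # no modifier: exact, case-insensitive match


def match_selection(selection, event):
    """A selection is a map (keys AND-ed) or a list of maps (OR-ed)."""
    if isinstance(selection, list):
        return any(match_selection(s, event) for s in selection)
    for key, patterns in selection.items():
        field, *mods = key.split("|")
        if field not in event:
            return False
        if not isinstance(patterns, list):
            patterns = [patterns]
        modifier = next((m for m in mods if m != "all"), "equals")
        hits = [_cmp(modifier, event[field], p) for p in patterns]
        if not (all(hits) if "all" in mods else any(hits)):
            return False
    return True


# Detection sections transcribed from the rules above (backslashes escaped for Python).
# The "add" action is read as 'add' AND '0', which is what enabling Recall requires.
RECALL_REG_EXE = {
    "selection_img": [{"Image|endswith": "\\reg.exe"}, {"OriginalFileName": "reg.exe"}],
    "selection_value": {"CommandLine|contains|all": ["Microsoft\\Windows\\WindowsAI", "DisableAIDataAnalysis"]},
    "selection_action_add": {"CommandLine|contains|all": ["add", "0"]},
    "selection_action_delete": {"CommandLine|contains": "delete"},
}
SINGLE_SELECTION_RULES = [
    ("Windows Recall Feature Enabled - Registry", {
        "TargetObject|endswith": "\\Software\\Policies\\Microsoft\\Windows\\WindowsAI\\DisableAIDataAnalysis",
        "Details": "DWORD (0x00000000)"}),
    ("Windows Recall Feature Enabled - DisableAIDataAnalysis Value Deleted", {
        "EventType": "DeleteValue",
        "TargetObject|endswith": "\\Microsoft\\Windows\\WindowsAI\\DisableAIDataAnalysis"}),
    ("Periodic Backup For System Registry Hives Enabled", {
        "TargetObject|endswith": "\\Control\\Session Manager\\Configuration Manager\\EnablePeriodicBackup",
        "Details": "DWORD (0x00000001)"}),
]


def fired_rules(event):
    """Return the titles of the rules whose condition holds for one event."""
    hits = []
    s = {name: match_selection(sel, event) for name, sel in RECALL_REG_EXE.items()}
    # condition: selection_img and selection_value and 1 of selection_action_*
    if s["selection_img"] and s["selection_value"] and (s["selection_action_add"] or s["selection_action_delete"]):
        hits.append("Windows Recall Feature Enabled Via Reg.EXE")
    for title, selection in SINGLE_SELECTION_RULES:  # condition: selection
        if match_selection(selection, event):
            hits.append(title)
    return hits


WINDOWS_AI = "\\Software\\Policies\\Microsoft\\Windows\\WindowsAI"
REG = {"Image": "C:\\Windows\\System32\\reg.exe", "OriginalFileName": "reg.exe"}
SAMPLE_EVENTS = {  # constructed Sysmon-shaped events, not real telemetry
    "reg_set_zero": dict(REG, CommandLine="reg add HKLM" + WINDOWS_AI + " /v DisableAIDataAnalysis /t REG_DWORD /d 0 /f"),
    "reg_delete": dict(REG, CommandLine="reg delete HKCU" + WINDOWS_AI + " /v DisableAIDataAnalysis /f"),
    # sets the value to 1 (Recall stays disabled): must not fire
    "reg_set_one": dict(REG, CommandLine="reg add HKLM" + WINDOWS_AI + " /v DisableAIDataAnalysis /t REG_DWORD /d 1 /f"),
    # renamed copy of reg.exe: Image misses, OriginalFileName (from the PE header) still matches
    "renamed_reg": {"Image": "C:\\Users\\Public\\r.exe", "OriginalFileName": "reg.exe",
                    "CommandLine": "r.exe ADD HKCU" + WINDOWS_AI + " /v DisableAIDataAnalysis /t REG_DWORD /d 0 /f"},
    "recall_setvalue": {"EventType": "SetValue", "TargetObject": "HKLM" + WINDOWS_AI + "\\DisableAIDataAnalysis",
                        "Details": "DWORD (0x00000000)"},
    "recall_deletevalue": {"EventType": "DeleteValue", "TargetObject": "HKCU" + WINDOWS_AI + "\\DisableAIDataAnalysis"},
    "regback_enabled": {"EventType": "SetValue", "Details": "DWORD (0x00000001)",
                        "TargetObject": "HKLM\\System\\CurrentControlSet\\Control\\Session Manager\\Configuration Manager\\EnablePeriodicBackup"},
}

if __name__ == "__main__":
    for name, event in SAMPLE_EVENTS.items():
        print(f"{name:20s} -> {fired_rules(event) or 'no match'}")
```

Run it with python3 to print which rules fire for each event. Two things the run makes visible: the renamed-binary event is caught only through OriginalFileName, and the "/d 1" command line (Recall stays disabled) is rejected only because the add check requires both 'add' and '0'; a plain contains list would be satisfied by 'add' alone. The '0' test is still coarse, since any zero anywhere in the command line satisfies it, including one inside a path, so expect to tune it against your own telemetry.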
Screen Capture - macOS
Detects attempts to use screencapture to collect macOS screenshots.
status: test | author: remotephone, oscd.community | id: 0877ed01-da46-4c49-8476-d49cdd80dfa7 | level: low
Screen Capture with Import Tool
Detects an adversary creating a screen capture of the desktop with the ImageMagick import tool.
This rule is best deployed on servers, since screenshot utilities are heavily used on user workstations.
ImageMagick must be installed.
status: test | author: Pawel Mazur | id: dbe4b9c5-c254-4258-9688-d6af0b7967fd
title: Screen Capture with Import Tool
id: dbe4b9c5-c254-4258-9688-d6af0b7967fd
status: test
description: |
    Detects an adversary creating a screen capture of the desktop with the ImageMagick import tool.
    This rule is best deployed on servers, since screenshot utilities are heavily used on user workstations.
    ImageMagick must be installed.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md
    - https://linux.die.net/man/1/import
    - https://imagemagick.org/
author: 'Pawel Mazur'
date: 2021-09-21
modified: 2022-10-09
tags:
    - attack.collection
    - attack.t1113
logsource:
    product: linux
    service: auditd
detection:
    import:
        type: EXECVE
        a0: import
    import_window_root:
        a1: '-window'
        a2: 'root'
        a3|endswith:
            - '.png'
            - '.jpg'
            - '.jpeg'
    import_no_window_root:
        a1|endswith:
            - '.png'
            - '.jpg'
            - '.jpeg'
    condition: import and (import_window_root or import_no_window_root)
falsepositives:
    - Legitimate use of screenshot utility
level: low
Screen Capture with Xwd
Detects an adversary creating a screen capture of the full screen or of a window with xwd. This rule is best deployed on servers, since screenshot utilities are heavily used on user workstations.
status: test | author: Pawel Mazur | id: e2f17c5d-b02a-442b-9052-6eb89c9fec9c
title: Screen Capture with Xwd
id: e2f17c5d-b02a-442b-9052-6eb89c9fec9c
status: test
description: Detects an adversary creating a screen capture of the full screen or of a window with xwd. This rule is best deployed on servers, since screenshot utilities are heavily used on user workstations.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md#atomic-test-3---x-windows-capture
    - https://linux.die.net/man/1/xwd
author: 'Pawel Mazur'
date: 2021-09-13
modified: 2022-12-18
tags:
    - attack.collection
    - attack.t1113
logsource:
    product: linux
    service: auditd
detection:
    selection:
        type: EXECVE
        a0: xwd
    xwd_root_window:
        a1: '-root'
        a2: '-out'
        a3|endswith: '.xwd'
    xwd_no_root_window:
        a1: '-out'
        a2|endswith: '.xwd'
    condition: selection and 1 of xwd_*
falsepositives:
    - Legitimate use of screenshot utility
level: low
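As an added example (not code from SigmaHQ or from this page), the Python script below parses raw auditd EXECVE records and applies the import and xwd rules above to them. The point it demonstrates is how auditd represents argv: each argument appears as aN="value", except that an argument containing whitespace or quotes is written as unquoted hex, so a filename such as "my shot.png" only satisfies the a3|endswith '.png' test after decoding. The records are constructed to imitate auditd output and are not captured from a system; the timestamps and serial numbers are made up.

```python
"""Parse auditd EXECVE records and evaluate the import and xwd rules above.

Added example (not code from SigmaHQ or from this page). auditd writes each
argv element as aN="..."; an argument that contains whitespace, quotes or
control characters is written as unquoted hex instead, so a matcher that runs
`endswith` on the raw record text misses "my shot.png". The records below are
constructed to look like auditd output, not captured from a system.
"""
import re

_ARG_RE = re.compile(r'\ba(\d+)=(?:"([^"]*)"|([0-9A-Fa-f]+))')
IMAGE_EXTS = (".png", ".jpg", ".jpeg")


def parse_execve(line):
    """Return {'a0': ..., 'a1': ...} for one EXECVE record, or None for other types.

    Only EXECVE carries argv; in a SYSCALL record a0..a3 are raw syscall
    arguments in hex and must not be fed to these rules.
    """
    if "type=EXECVE " not in line:
        return None
    args = {}
    for idx, quoted, hexed in _ARG_RE.findall(line):
        args["a" + idx] = bytes.fromhex(hexed).decode("utf-8", "replace") if hexed else quoted
    return args


def _ends_with_image(value):
    return value.lower().endswith(IMAGE_EXTS)


def import_rule(args):
    """Screen Capture with Import Tool: a0=import and either
    (a1=-window a2=root a3=<image>) or (a1=<image>)."""
    if args.get("a0", "").lower() != "import":
        return False
    window_root = (args.get("a1") == "-window" and args.get("a2") == "root"
                   and _ends_with_image(args.get("a3", "")))
    no_window_root = _ends_with_image(args.get("a1", ""))
    return window_root or no_window_root


def xwd_rule(args):
    """Screen Capture with Xwd: a0=xwd and either (-root -out <file>.xwd) or (-out <file>.xwd)."""
    if args.get("a0", "").lower() != "xwd":
        return False
    root_window = (args.get("a1") == "-root" and args.get("a2") == "-out"
                   and args.get("a3", "").lower().endswith(".xwd"))
    no_root_window = args.get("a1") == "-out" and args.get("a2", "").lower().endswith(".xwd")
    return root_window or no_root_window


RULES = [("Screen Capture with Import Tool", import_rule), ("Screen Capture with Xwd", xwd_rule)]


def fired(line):
    """Titles of the rules that match one raw auditd line."""
    args = parse_execve(line)
    return [] if args is None else [title for title, rule in RULES if rule(args)]


# Constructed records; auditd emits hex in upper case, which the third record imitates.
SAMPLE_RECORDS = [
    'type=EXECVE msg=audit(1719827200.101:501): argc=4 a0="import" a1="-window" a2="root" a3="/tmp/desk.png"',
    'type=EXECVE msg=audit(1719827201.102:502): argc=2 a0="import" a1="shot.jpg"',
    'type=EXECVE msg=audit(1719827202.103:503): argc=4 a0="import" a1="-window" a2="root" a3='
    + "/tmp/my shot.png".encode().hex().upper(),
    'type=EXECVE msg=audit(1719827203.104:504): argc=4 a0="xwd" a1="-root" a2="-out" a3="/tmp/root.xwd"',
    'type=EXECVE msg=audit(1719827204.105:505): argc=3 a0="xwd" a1="-out" a2="win.xwd"',
    # an import run that fits neither argument shape: must not fire
    'type=EXECVE msg=audit(1719827205.106:506): argc=3 a0="import" a1="-verbose" a2="logo.svg"',
    # the SYSCALL record of the same execve: a0..a3 here are syscall registers, not argv
    'type=SYSCALL msg=audit(1719827205.106:506): arch=c000003e syscall=59 success=yes exit=0 a0=55d2a8c1e2f0 comm="import" exe="/usr/bin/import"',
]

if __name__ == "__main__":
    for line in SAMPLE_RECORDS:
        print(fired(line) or "no match", "<-", line[:70])
```

The SYSCALL record that accompanies every execve also carries a0..a3, but those are the raw syscall register values in hex, not argv, which is why the parser keys on type=EXECVE. Note also that both rules compare a0 exactly: a capture launched as /usr/bin/import or /usr/bin/xwd puts the full path in a0 and is not matched by `a0: import` or `a0: xwd` as written.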