
Sigma detection rules

7 rules indexed · SIEM-agnostic detection content
Sigma is the open, generic signature format for SIEM systems. Each rule below can be converted to native query syntax for Splunk, Elastic, Sentinel, and other SIEMs. Each rule's summary is followed by its raw Sigma YAML.

Detection rules

Clipboard Data Collection Via OSAScript
Detects possible collection of data from the clipboard via execution of the osascript binary.
Level: high · Status: test · Author: Sohan G (D4rkCiph3r) · ID: 7794fa3c-edea-4cff-bec7-267dd4770fd7
Sigma YAML:
title: Clipboard Data Collection Via OSAScript
id: 7794fa3c-edea-4cff-bec7-267dd4770fd7
related:
    - id: 1bc2e6c5-0885-472b-bed6-be5ea8eace55
      type: derived
status: test
description: Detects possible collection of data from the clipboard via execution of the osascript binary
references:
    - https://www.sentinelone.com/blog/how-offensive-actors-use-applescript-for-attacking-macos/
author: Sohan G (D4rkCiph3r)
date: 2023-01-31
tags:
    - attack.collection
    - attack.execution
    - attack.t1115
    - attack.t1059.002
logsource:
    product: macos
    category: process_creation
detection:
    selection:
        CommandLine|contains|all:
            - 'osascript'
            - ' -e '
            - 'clipboard'
    condition: selection
falsepositives:
    - Unlikely
level: high

PowerShell Get Clipboard
A general detection for the Get-Clipboard cmdlet in PowerShell module logs. This could be an adversary capturing clipboard contents.
Level: medium · Status: test · Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) · ID: 4cbd4f12-2e22-43e3-882f-bff3247ffb78
Sigma YAML:
title: PowerShell Get Clipboard
id: 4cbd4f12-2e22-43e3-882f-bff3247ffb78
status: test
description: A General detection for the Get-Clipboard commands in PowerShell logs. This could be an adversary capturing clipboard contents.
references:
    - https://github.com/OTRF/detection-hackathon-apt29/issues/16
    - https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/7.A.2_F4609F7E-C4DB-4327-91D4-59A58C962A02.md
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-05-02
modified: 2023-01-04
tags:
    - attack.collection
    - attack.t1115
logsource:
    product: windows
    category: ps_module
    definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
    selection:
        Payload|contains: 'Get-Clipboard'
    condition: selection
falsepositives:
    - Unknown
level: medium

PowerShell Get-Clipboard Cmdlet Via CLI
Detects usage of the 'Get-Clipboard' cmdlet via the command line.
Level: medium · Status: test · Author: Nasreddine Bencherchali (Nextron Systems) · ID: b9aeac14-2ffd-4ad3-b967-1354a4e628c3
Sigma YAML:
title: PowerShell Get-Clipboard Cmdlet Via CLI
id: b9aeac14-2ffd-4ad3-b967-1354a4e628c3
related:
    - id: 4cbd4f12-2e22-43e3-882f-bff3247ffb78
      type: derived
status: test
description: Detects usage of the 'Get-Clipboard' cmdlet via CLI
references:
    - https://github.com/OTRF/detection-hackathon-apt29/issues/16
    - https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.md
author: Nasreddine Bencherchali (Nextron Systems)
date: 2020-05-02
modified: 2022-12-25
tags:
    - attack.collection
    - attack.t1115
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains: 'Get-Clipboard'
    condition: selection
falsepositives:
    - Unknown
level: medium

Clipboard Collection of Image Data with Xclip Tool
Detects attempts to collect image data stored in the clipboard with the xclip tool. xclip has to be installed. Deploying this rule is recommended mainly on servers, since clipboard utilities are heavily used on user workstations.
Level: low · Status: test · Author: Pawel Mazur · ID: f200dc3f-b219-425d-a17e-c38467364816
Sigma YAML:
title: Clipboard Collection of Image Data with Xclip Tool
id: f200dc3f-b219-425d-a17e-c38467364816
status: test
description: |
  Detects attempts to collect image data stored in the clipboard from users with the usage of xclip tool.
  Xclip has to be installed.
  Highly recommended using rule on servers, due to high usage of clipboard utilities on user workstations.
references:
    - https://linux.die.net/man/1/xclip
author: 'Pawel Mazur'
date: 2021-10-01
modified: 2022-10-09
tags:
    - attack.collection
    - attack.t1115
logsource:
    product: linux
    service: auditd
detection:
    selection:
        type: EXECVE
        a0: xclip
        a1:
            - '-selection'
            - '-sel'
        a2:
            - clipboard
            - clip
        a3: '-t'
        a4|startswith: 'image/'
        a5: '-o'
    condition: selection
falsepositives:
    - Legitimate usage of xclip tools
level: low

Clipboard Collection with Xclip Tool
Detects attempts to collect data stored in the clipboard with the xclip tool. xclip has to be installed. Deploying this rule is recommended mainly on servers, since clipboard utilities are heavily used on user workstations.
Level: low · Status: test · Author: Pawel Mazur, Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC · ID: ec127035-a636-4b9a-8555-0efd4e59f316
Sigma YAML:
title: Clipboard Collection with Xclip Tool
id: ec127035-a636-4b9a-8555-0efd4e59f316
status: test
description: |
    Detects attempts to collect data stored in the clipboard from users with the usage of xclip tool. Xclip has to be installed.
    Highly recommended using rule on servers, due to high usage of clipboard utilities on user workstations.
references:
    - https://www.packetlabs.net/posts/clipboard-data-security/
author: Pawel Mazur, Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
date: 2021-10-15
modified: 2022-09-15
tags:
    - attack.collection
    - attack.t1115
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        Image|contains: 'xclip'
        CommandLine|contains|all:
            - '-sel'
            - 'clip'
            - '-o'
    condition: selection
falsepositives:
    - Legitimate usage of xclip tools.
level: low

Clipboard Collection with Xclip Tool - Auditd
Detects attempts to collect data stored in the clipboard with the xclip tool, using auditd EXECVE records. xclip has to be installed. Deploying this rule is recommended mainly on servers, since clipboard utilities are heavily used on user workstations.
Level: low · Status: test · Author: Pawel Mazur · ID: 214e7e6c-f21b-47ff-bb6f-551b2d143fcf
Sigma YAML:
title: Clipboard Collection with Xclip Tool - Auditd
id: 214e7e6c-f21b-47ff-bb6f-551b2d143fcf
status: test
description: |
  Detects attempts to collect data stored in the clipboard from users with the usage of xclip tool.
  Xclip has to be installed.
  Highly recommended using rule on servers, due to high usage of clipboard utilities on user workstations.
references:
    - https://linux.die.net/man/1/xclip
    - https://www.cyberciti.biz/faq/xclip-linux-insert-files-command-output-intoclipboard/
author: 'Pawel Mazur'
date: 2021-09-24
modified: 2022-11-26
tags:
    - attack.collection
    - attack.t1115
logsource:
    product: linux
    service: auditd
detection:
    selection:
        type: EXECVE
        a0: xclip
        a1:
            - '-selection'
            - '-sel'
        a2:
            - clipboard
            - clip
        a3: '-o'
    condition: selection
falsepositives:
    - Legitimate usage of xclip tools
level: low

Data Copied To Clipboard Via Clip.EXE
Detects the execution of clip.exe in order to copy data to the clipboard. Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Level: low · Status: test · Author: frack113 · ID: ddeff553-5233-4ae9-bbab-d64d2bd634be
Sigma YAML:
title: Data Copied To Clipboard Via Clip.EXE
id: ddeff553-5233-4ae9-bbab-d64d2bd634be
status: test
description: Detects the execution of clip.exe in order to copy data to the clipboard. Adversaries may collect data stored in the clipboard from users copying information within or between applications.
references:
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/clip
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1115/T1115.md
author: frack113
date: 2021-07-27
modified: 2023-02-21
tags:
    - attack.collection
    - attack.t1115
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '\clip.exe'
        - OriginalFileName: clip.exe
    condition: selection
falsepositives:
    - Unknown
level: low
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_clip_execution/info.yml
simulation:
    - type: atomic-red-team
      name: Utilize Clipboard to store or execute commands from
      technique: T1115
      atomic_guid: 0cd14633-58d4-4422-9ede-daa2c9474ae7
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin