Home/Sigma rules
Sigma

Sigma detection rules

6 rules indexed · SIEM-agnostic detection content
Sigma is the open generic signature format for SIEM systems. Each rule below converts to native syntax for Splunk, Elastic, Sentinel, and other SIEMs. Expand any rule to see its raw YAML.
Severity critical high medium low all severities

Detection rules

6 shown of 6
high
OpenCanary - SIP Request
Detects instances where an SIP service on an OpenCanary node has had a SIP request.
status test author Security Onion Solutions id e30de276-68ec-435c-ab99-ef3befec6c61
view Sigma YAML 
title: OpenCanary - SIP Request
id: e30de276-68ec-435c-ab99-ef3befec6c61
status: test
description: Detects instances where an SIP service on an OpenCanary node has had a SIP request.
references:
    - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
    - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
author: Security Onion Solutions
date: 2024-03-08
tags:
    - attack.collection
    - attack.t1123
logsource:
    category: application
    product: opencanary
detection:
    selection:
        logtype: 15001
    condition: selection
falsepositives:
    - Unlikely
level: high
high
Suspicious Camera and Microphone Access
Detects Processes accessing the camera and microphone from suspicious folder
status test author Den Iuzvyk id 62120148-6b7a-42be-8b91-271c04e281a3
view Sigma YAML 
title: Suspicious Camera and Microphone Access
id: 62120148-6b7a-42be-8b91-271c04e281a3
status: test
description: Detects Processes accessing the camera and microphone from suspicious folder
references:
    - https://medium.com/@7a616368/can-you-track-processes-accessing-the-camera-and-microphone-7e6885b37072
author: Den Iuzvyk
date: 2020-06-07
modified: 2022-10-09
tags:
    - attack.collection
    - attack.t1125
    - attack.t1123
logsource:
    category: registry_event
    product: windows
detection:
    selection_1:
        TargetObject|contains|all:
            - '\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\'
            - '\NonPackaged'
    selection_2:
        TargetObject|contains:
            - microphone
            - webcam
    selection_3:
        TargetObject|contains:
            - ':#Windows#Temp#'
            - ':#$Recycle.bin#'
            - ':#Temp#'
            - ':#Users#Public#'
            - ':#Users#Default#'
            - ':#Users#Desktop#'
    condition: all of selection_*
falsepositives:
    - Unlikely, there could be conferencing software running from a Temp folder accessing the devices
level: high
medium
Audio Capture via PowerShell
Detects audio capture via PowerShell Cmdlet.
status test author E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community, Nasreddine Bencherchali (Nextron Systems) id 932fb0d8-692b-4b0f-a26e-5643a50fe7d6
view Sigma YAML 
title: Audio Capture via PowerShell
id: 932fb0d8-692b-4b0f-a26e-5643a50fe7d6
status: test
description: Detects audio capture via PowerShell Cmdlet.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1123/T1123.md
    - https://eqllib.readthedocs.io/en/latest/analytics/ab7a6ef4-0983-4275-a4f1-5c6bd3c31c23.html
    - https://github.com/frgnca/AudioDeviceCmdlets
author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community, Nasreddine Bencherchali (Nextron Systems)
date: 2019-10-24
modified: 2023-04-06
tags:
    - attack.collection
    - attack.t1123
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            - 'WindowsAudioDevice-Powershell-Cmdlet'
            - 'Toggle-AudioDevice'
            - 'Get-AudioDevice '
            - 'Set-AudioDevice '
            - 'Write-AudioDevice '
    condition: selection
falsepositives:
    - Legitimate audio capture by legitimate user.
level: medium
medium
Audio Capture via SoundRecorder
Detect attacker collecting audio via SoundRecorder application.
status test author E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community id 83865853-59aa-449e-9600-74b9d89a6d6e
view Sigma YAML 
title: Audio Capture via SoundRecorder
id: 83865853-59aa-449e-9600-74b9d89a6d6e
status: test
description: Detect attacker collecting audio via SoundRecorder application.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1123/T1123.md
    - https://eqllib.readthedocs.io/en/latest/analytics/f72a98cb-7b3d-4100-99c3-a138b6e9ff6e.html
author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
date: 2019-10-24
modified: 2021-11-27
tags:
    - attack.collection
    - attack.t1123
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\SoundRecorder.exe'
        CommandLine|contains: '/FILE'
    condition: selection
falsepositives:
    - Legitimate audio capture by legitimate user.
level: medium
medium
Processes Accessing the Microphone and Webcam
Potential adversaries accessing the microphone and webcam in an endpoint.
status test author Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) id 8cd538a4-62d5-4e83-810b-12d41e428d6e
view Sigma YAML 
title: Processes Accessing the Microphone and Webcam
id: 8cd538a4-62d5-4e83-810b-12d41e428d6e
status: test
description: Potential adversaries accessing the microphone and webcam in an endpoint.
references:
    - https://twitter.com/duzvik/status/1269671601852813320
    - https://medium.com/@7a616368/can-you-track-processes-accessing-the-camera-and-microphone-7e6885b37072
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-06-07
modified: 2021-11-27
tags:
    - attack.collection
    - attack.t1123
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID:
            - 4657
            - 4656
            - 4663
        ObjectName|contains:
            - '\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone\NonPackaged'
            - '\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\webcam\NonPackaged'
    condition: selection
falsepositives:
    - Unknown
level: medium
low
Audio Capture
Detects attempts to record audio using the arecord and ecasound utilities.
status test author Pawel Mazur, Milad Cheraghi id a7af2487-9c2f-42e4-9bb9-ff961f0561d5
view Sigma YAML 
title: Audio Capture
id: a7af2487-9c2f-42e4-9bb9-ff961f0561d5
status: test
description: Detects attempts to record audio using the arecord and ecasound utilities.
references:
    - https://linux.die.net/man/1/arecord
    - https://linuxconfig.org/how-to-test-microphone-with-audio-linux-sound-architecture-alsa
    - https://manpages.debian.org/unstable/ecasound/ecasound.1.en.html
    - https://ecasound.seul.org/ecasound/Documentation/examples.html#fconversions
author: Pawel Mazur, Milad Cheraghi
date: 2021-09-04
modified: 2025-12-05
tags:
    - attack.collection
    - attack.t1123
logsource:
    product: linux
    service: auditd
detection:
    selection_execve:
        type: EXECVE
        a0: arecord
        a1: '-vv'
        a2: '-fdat'
    selection_syscall_memfd_create:
        type: SYSCALL
        exe|endswith: "/ecasound"
        SYSCALL: 'memfd_create'
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: low
Showing 1-6 of 6
Prev 1 Next
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin