Sigma is the open generic signature format for SIEM systems. Each rule below converts to native syntax for Splunk, Elastic, Sentinel, and other SIEMs. Each rule's summary is followed by its raw Sigma YAML.
Suspicious File Created by ArcSOC.exe
Detects instances where the ArcGIS Server process ArcSOC.exe, which hosts REST services running on an ArcGIS server, creates a file with a suspicious file type, indicating that it may be an executable, script file, or otherwise unusual.
status: experimental | author: Micah Babinski | id: e890acee-d488-420e-8f20-d9b19b3c3d43
title: Suspicious File Created by ArcSOC.exe
id: e890acee-d488-420e-8f20-d9b19b3c3d43
status: experimental
description: |
    Detects instances where the ArcGIS Server process ArcSOC.exe, which hosts REST services running on an ArcGIS
    server, creates a file with a suspicious file type, indicating that it may be an executable, script file,
    or otherwise unusual.
references:
    - https://reliaquest.com/blog/threat-spotlight-inside-flax-typhoons-arcgis-compromise/
    - https://enterprise.arcgis.com/en/server/12.0/administer/windows/inside-an-arcgis-server-site.htm
author: Micah Babinski
date: 2025-11-25
tags:
    - attack.command-and-control
    - attack.persistence
    - attack.initial-access
    - attack.execution
    - attack.stealth
    - attack.t1127
    - attack.t1105
    - attack.t1133
logsource:
    category: file_event
    product: windows
detection:
    selection:
        Image|endswith: '\ArcSOC.exe'
        TargetFilename|endswith:
            - '.ahk'
            - '.aspx'
            - '.au3'
            - '.bat'
            - '.cmd'
            - '.dll'
            - '.exe'
            - '.hta'
            - '.js'
            - '.ps1'
            - '.py'
            - '.vbe'
            - '.vbs'
            - '.wsf'
    condition: selection
falsepositives:
    - Unlikely
level: high
Unusual Child Process of dns.exe
Detects an unexpected process spawning from dns.exe which may indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)
status: test | author: Tim Rauch, Elastic (idea) | id: a4e3d776-f12e-42c2-8510-9e6ed1f43ec3
title: Unusual Child Process of dns.exe
id: a4e3d776-f12e-42c2-8510-9e6ed1f43ec3
status: test
description: Detects an unexpected process spawning from dns.exe which may indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)
references:
    - https://www.elastic.co/guide/en/security/current/unusual-child-process-of-dns-exe.html
author: Tim Rauch, Elastic (idea)
date: 2022-09-27
modified: 2023-02-05
tags:
    - attack.persistence
    - attack.initial-access
    - attack.t1133
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\dns.exe'
    filter:
        Image|endswith: '\conhost.exe'
    condition: selection and not filter
falsepositives:
    - Unknown
level: high
Unusual File Deletion by Dns.exe
Detects an unexpected file being deleted by dns.exe which may indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)
status: test | author: Tim Rauch (Nextron Systems), Elastic (idea) | id: 8f0b1fb1-9bd4-4e74-8cdf-a8de4d2adfd0
title: Unusual File Deletion by Dns.exe
id: 8f0b1fb1-9bd4-4e74-8cdf-a8de4d2adfd0
related:
    - id: 9f383dc0-fdeb-4d56-acbc-9f9f4f8f20f3 # FileChange version
      type: similar
status: test
description: Detects an unexpected file being deleted by dns.exe which may indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)
references:
    - https://www.elastic.co/guide/en/security/current/unusual-file-modification-by-dns-exe.html
author: Tim Rauch (Nextron Systems), Elastic (idea)
date: 2022-09-27
modified: 2023-02-15
tags:
    - attack.persistence
    - attack.initial-access
    - attack.t1133
logsource:
    category: file_delete
    product: windows
detection:
    selection:
        Image|endswith: '\dns.exe'
    filter:
        TargetFilename|endswith: '\dns.log'
    condition: selection and not filter
falsepositives:
    - Unknown
level: high
Unusual File Modification by dns.exe
Detects an unexpected file being modified by dns.exe which may indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)
status: test | author: Tim Rauch (Nextron Systems), Elastic (idea) | id: 9f383dc0-fdeb-4d56-acbc-9f9f4f8f20f3
title: Unusual File Modification by dns.exe
id: 9f383dc0-fdeb-4d56-acbc-9f9f4f8f20f3
related:
    - id: 8f0b1fb1-9bd4-4e74-8cdf-a8de4d2adfd0 # FileDelete version
      type: similar
status: test
description: Detects an unexpected file being modified by dns.exe which may indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)
references:
    - https://www.elastic.co/guide/en/security/current/unusual-file-modification-by-dns-exe.html
author: Tim Rauch (Nextron Systems), Elastic (idea)
date: 2022-09-27
tags:
    - attack.persistence
    - attack.initial-access
    - attack.t1133
logsource:
    category: file_change
    product: windows
detection:
    selection:
        Image|endswith: '\dns.exe'
    filter:
        TargetFilename|endswith: '\dns.log'
    condition: selection and not filter
falsepositives:
    - Unknown
level: high
User Added to Remote Desktop Users Group
Detects addition of users to the local Remote Desktop Users group via "Net" or "Add-LocalGroupMember".
status: test | author: Florian Roth (Nextron Systems) | id: ffa28e60-bdb1-46e0-9f82-05f7a61cc06e
title: User Added to Remote Desktop Users Group
id: ffa28e60-bdb1-46e0-9f82-05f7a61cc06e
related:
    - id: ad720b90-25ad-43ff-9b5e-5c841facc8e5 # Admin groups
      type: similar
    - id: 10fb649c-3600-4d37-b1e6-56ea90bb7e09 # Privileged groups
      type: similar
status: test
description: Detects addition of users to the local Remote Desktop Users group via "Net" or "Add-LocalGroupMember".
references:
    - https://www.microsoft.com/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021/
author: Florian Roth (Nextron Systems)
date: 2021-12-06
modified: 2022-09-09
tags:
    - attack.initial-access
    - attack.persistence
    - attack.lateral-movement
    - attack.t1133
    - attack.t1136.001
    - attack.t1021.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_main:
        - CommandLine|contains|all:
              - 'localgroup '
              - ' /add'
        - CommandLine|contains|all:
              - 'Add-LocalGroupMember '
              - ' -Group '
    selection_group:
        CommandLine|contains:
            - 'Remote Desktop Users'
            - 'Utilisateurs du Bureau à distance' # French for "Remote Desktop Users"
            - 'Usuarios de escritorio remoto' # Spanish for "Remote Desktop Users"
    condition: all of selection_*
falsepositives:
    - Administrative activity
level: high
External Remote RDP Logon from Public IP
Detects successful logon from public IP address via RDP. This can indicate a publicly-exposed RDP port.
status: test | author: Micah Babinski (@micahbabinski), Zach Mathis (@yamatosecurity) | id: 259a9cdf-c4dd-4fa2-b243-2269e5ab18a2
title: External Remote RDP Logon from Public IP
id: 259a9cdf-c4dd-4fa2-b243-2269e5ab18a2
related:
    - id: 78d5cab4-557e-454f-9fb9-a222bd0d5edc
      type: derived
status: test
description: Detects successful logon from public IP address via RDP. This can indicate a publicly-exposed RDP port.
references:
    - https://www.inversecos.com/2020/04/successful-4624-anonymous-logons-to.html
    - https://twitter.com/Purp1eW0lf/status/1616144561965002752
author: Micah Babinski (@micahbabinski), Zach Mathis (@yamatosecurity)
date: 2023-01-19
modified: 2024-03-11
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.initial-access
    - attack.credential-access
    - attack.stealth
    - attack.t1133
    - attack.t1078
    - attack.t1110
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4624
        LogonType: 10
    filter_main_local_ranges:
        IpAddress|cidr:
            - '::1/128' # IPv6 loopback
            - '10.0.0.0/8'
            - '127.0.0.0/8'
            - '172.16.0.0/12'
            - '192.168.0.0/16'
            - '169.254.0.0/16'
            - 'fc00::/7' # IPv6 private addresses
            - 'fe80::/10' # IPv6 link-local addresses
    filter_main_empty:
        IpAddress: '-'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Legitimate or intentional inbound connections from public IP addresses on the RDP port.
level: medium
Failed Logon From Public IP
Detects a failed logon attempt from a public IP. A login from a public IP can indicate a misconfigured firewall or network boundary.
status: test | author: NVISO | id: f88e112a-21aa-44bd-9b01-6ee2a2bbbed1
title: Failed Logon From Public IP
id: f88e112a-21aa-44bd-9b01-6ee2a2bbbed1
status: test
description: Detects a failed logon attempt from a public IP. A login from a public IP can indicate a misconfigured firewall or network boundary.
references:
    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4625
author: NVISO
date: 2020-05-06
modified: 2024-03-11
tags:
    - attack.privilege-escalation
    - attack.initial-access
    - attack.persistence
    - attack.stealth
    - attack.t1078
    - attack.t1190
    - attack.t1133
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4625
    filter_main_ip_unknown:
        IpAddress|contains: '-'
    filter_main_local_ranges:
        IpAddress|cidr:
            - '::1/128' # IPv6 loopback
            - '10.0.0.0/8'
            - '127.0.0.0/8'
            - '172.16.0.0/12'
            - '192.168.0.0/16'
            - '169.254.0.0/16'
            - 'fc00::/7' # IPv6 private addresses
            - 'fe80::/10' # IPv6 link-local addresses
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Legitimate logon attempts over the internet
    - IPv4-to-IPv6 mapped IPs
level: medium
FortiGate - New VPN SSL Web Portal Added
Detects the addition of a VPN SSL Web Portal on a Fortinet FortiGate Firewall.
This behavior was observed together with modification of VPN SSL settings.
status: experimental | author: Marco Pedrinazzi @pedrinazziM (InTheCyber) | id: 2bfb6216-0c31-4d20-8501-2629b29a3fa2
title: FortiGate - New VPN SSL Web Portal Added
id: 2bfb6216-0c31-4d20-8501-2629b29a3fa2
status: experimental
description: |
    Detects the addition of a VPN SSL Web Portal on a Fortinet FortiGate Firewall.
    This behavior was observed together with modification of VPN SSL settings.
references:
    - https://www.fortiguard.com/psirt/FG-IR-24-535
    - https://docs.fortinet.com/document/fortigate/7.6.4/fortios-log-message-reference/398/event
    - https://docs.fortinet.com/document/fortigate/7.6.4/cli-reference/113121765/config-vpn-ssl-web-portal
    - https://docs.fortinet.com/document/fortigate/7.6.4/fortios-log-message-reference/44547/44547-logid-event-config-objattr
author: Marco Pedrinazzi @pedrinazziM (InTheCyber)
date: 2025-11-01
tags:
    - attack.persistence
    - attack.initial-access
    - attack.t1133
logsource:
    product: fortigate
    service: event
detection:
    selection:
        action: 'Add'
        cfgpath: 'vpn.ssl.web.portal'
    condition: selection
falsepositives:
    - A VPN SSL Web Portal can be added for legitimate purposes.
level: medium
FortiGate - VPN SSL Settings Modified
Detects the modification of VPN SSL Settings (for example, the modification of authentication rules).
This behavior was observed together with the addition of a VPN SSL Web Portal.
status: experimental | author: Marco Pedrinazzi @pedrinazziM (InTheCyber) | id: 8b5dacf2-aeb7-459d-b133-678eb696d410
title: FortiGate - VPN SSL Settings Modified
id: 8b5dacf2-aeb7-459d-b133-678eb696d410
status: experimental
description: |
    Detects the modification of VPN SSL Settings (for example, the modification of authentication rules).
    This behavior was observed together with the addition of a VPN SSL Web Portal.
references:
    - https://www.fortiguard.com/psirt/FG-IR-24-535
    - https://docs.fortinet.com/document/fortigate/7.6.4/fortios-log-message-reference/398/event
    - https://docs.fortinet.com/document/fortigate/7.6.4/cli-reference/114404382/config-vpn-ssl-settings
    - https://docs.fortinet.com/document/fortigate/7.6.4/fortios-log-message-reference/44546/44546-logid-event-config-attr
author: Marco Pedrinazzi @pedrinazziM (InTheCyber)
date: 2025-11-01
tags:
    - attack.persistence
    - attack.initial-access
    - attack.t1133
logsource:
    product: fortigate
    service: event
detection:
    selection:
        action: 'Edit'
        cfgpath: 'vpn.ssl.settings'
    condition: selection
falsepositives:
    - VPN SSL settings can be changed for legitimate purposes.
level: medium
Remote Access Tool - ScreenConnect Installation Execution
Detects ScreenConnect program starts that establish remote access to a system.
status: test | author: Florian Roth (Nextron Systems) | id: 75bfe6e6-cd8e-429e-91d3-03921e1d7962
title: Remote Access Tool - ScreenConnect Installation Execution
id: 75bfe6e6-cd8e-429e-91d3-03921e1d7962
status: test
description: Detects ScreenConnect program starts that establish remote access to a system.
references:
    - https://www.anomali.com/blog/probable-iranian-cyber-actors-static-kitten-conducting-cyberespionage-campaign-targeting-uae-and-kuwait-government-agencies
author: Florian Roth (Nextron Systems)
date: 2021-02-11
modified: 2024-02-26
tags:
    - attack.persistence
    - attack.initial-access
    - attack.t1133
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - 'e=Access&'
            - 'y=Guest&'
            - '&p='
            - '&c='
            - '&k='
    condition: selection
falsepositives:
    - Legitimate use by administrative staff
level: medium
Remote Access Tool - Team Viewer Session Started On Linux Host
Detects the command line executed when TeamViewer starts a session initiated by a remote host.
Once a connection has been started, an investigator can verify the connection details by viewing the "incoming_connections.txt" log file in the TeamViewer folder.
status: test | author: Josh Nickels, Qi Nan | id: 1f6b8cd4-3e60-47cc-b282-5aa1cbc9182d
title: Remote Access Tool - Team Viewer Session Started On Linux Host
id: 1f6b8cd4-3e60-47cc-b282-5aa1cbc9182d
related:
    - id: ab70c354-d9ac-4e11-bbb6-ec8e3b153357
      type: similar
    - id: f459ccb4-9805-41ea-b5b2-55e279e2424a
      type: similar
status: test
description: |
    Detects the command line executed when TeamViewer starts a session initiated by a remote host.
    Once a connection has been started, an investigator can verify the connection details by viewing the "incoming_connections.txt" log file in the TeamViewer folder.
references:
    - Internal Research
author: Josh Nickels, Qi Nan
date: 2024-03-11
tags:
    - attack.persistence
    - attack.initial-access
    - attack.t1133
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        ParentImage|endswith: '/TeamViewer_Service'
        Image|endswith: '/TeamViewer_Desktop'
        CommandLine|endswith: '/TeamViewer_Desktop --IPCport 5939 --Module 1'
    condition: selection
falsepositives:
    - Legitimate usage of TeamViewer
level: low
Remote Access Tool - Team Viewer Session Started On MacOS Host
Detects the command line executed when TeamViewer starts a session initiated by a remote host.
Once a connection has been started, an investigator can verify the connection details by viewing the "incoming_connections.txt" log file in the TeamViewer folder.
status: test | author: Josh Nickels, Qi Nan | id: f459ccb4-9805-41ea-b5b2-55e279e2424a
title: Remote Access Tool - Team Viewer Session Started On MacOS Host
id: f459ccb4-9805-41ea-b5b2-55e279e2424a
related:
    - id: ab70c354-d9ac-4e11-bbb6-ec8e3b153357
      type: similar
    - id: 1f6b8cd4-3e60-47cc-b282-5aa1cbc9182d
      type: similar
status: test
description: |
    Detects the command line executed when TeamViewer starts a session initiated by a remote host.
    Once a connection has been started, an investigator can verify the connection details by viewing the "incoming_connections.txt" log file in the TeamViewer folder.
references:
    - Internal Research
author: Josh Nickels, Qi Nan
date: 2024-03-11
tags:
    - attack.persistence
    - attack.initial-access
    - attack.t1133
logsource:
    category: process_creation
    product: macos
detection:
    selection:
        ParentImage|endswith: '/TeamViewer_Service'
        Image|endswith: '/TeamViewer_Desktop'
        CommandLine|endswith: '/TeamViewer_Desktop --IPCport 5939 --Module 1'
    condition: selection
falsepositives:
    - Legitimate usage of TeamViewer
level: low
Remote Access Tool - Team Viewer Session Started On Windows Host
Detects the command line executed when TeamViewer starts a session initiated by a remote host.
Once a connection has been started, an investigator can verify the connection details by viewing the "incoming_connections.txt" log file in the TeamViewer folder.
status: test | author: Josh Nickels, Qi Nan | id: ab70c354-d9ac-4e11-bbb6-ec8e3b153357
title: Remote Access Tool - Team Viewer Session Started On Windows Host
id: ab70c354-d9ac-4e11-bbb6-ec8e3b153357
related:
    - id: 1f6b8cd4-3e60-47cc-b282-5aa1cbc9182d
      type: similar
    - id: f459ccb4-9805-41ea-b5b2-55e279e2424a
      type: similar
status: test
description: |
    Detects the command line executed when TeamViewer starts a session initiated by a remote host.
    Once a connection has been started, an investigator can verify the connection details by viewing the "incoming_connections.txt" log file in the TeamViewer folder.
references:
    - Internal Research
author: Josh Nickels, Qi Nan
date: 2024-03-11
tags:
    - attack.persistence
    - attack.initial-access
    - attack.t1133
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image: 'TeamViewer_Desktop.exe'
        ParentImage: 'TeamViewer_Service.exe'
        CommandLine|endswith: 'TeamViewer_Desktop.exe --IPCport 5939 --Module 1'
    condition: selection
falsepositives:
    - Legitimate usage of TeamViewer
level: low