Home/Sigma rules
Sigma

Sigma detection rules

2 rules indexed · SIEM-agnostic detection content
Sigma is the open generic signature format for SIEM systems. Each rule below converts to native syntax for Splunk, Elastic, Sentinel, and other SIEMs. Expand any rule to see its raw YAML.
Severity critical high medium low all severities

Detection rules

2 shown of 2
high
Potential Data Stealing Via Chromium Headless Debugging
Detects chromium based browsers starting in headless and debugging mode and pointing to a user profile. This could be a sign of data stealing or remote control
status test author Nasreddine Bencherchali (Nextron Systems) id 3e8207c5-fcd2-4ea6-9418-15d45b4890e4
view Sigma YAML 
title: Potential Data Stealing Via Chromium Headless Debugging
id: 3e8207c5-fcd2-4ea6-9418-15d45b4890e4
related:
    - id: b3d34dc5-2efd-4ae3-845f-8ec14921f449
      type: derived
status: test
description: Detects chromium based browsers starting in headless and debugging mode and pointing to a user profile. This could be a sign of data stealing or remote control
references:
    - https://github.com/defaultnamehere/cookie_crimes/
    - https://mango.pdf.zone/stealing-chrome-cookies-without-a-password
    - https://embracethered.com/blog/posts/2020/cookie-crimes-on-mirosoft-edge/
    - https://embracethered.com/blog/posts/2020/chrome-spy-remote-control/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-23
tags:
    - attack.credential-access
    - attack.collection
    - attack.stealth
    - attack.t1185
    - attack.t1564.003
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - '--remote-debugging-' # Covers: --remote-debugging-address, --remote-debugging-port, --remote-debugging-socket-name, --remote-debugging-pipe....etc
            - '--user-data-dir'
            - '--headless'
    condition: selection
falsepositives:
    - Unknown
level: high
medium
Browser Started with Remote Debugging
Detects browsers starting with the remote debugging flags. Which is a technique often used to perform browser injection attacks
status test author pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) id b3d34dc5-2efd-4ae3-845f-8ec14921f449
view Sigma YAML 
title: Browser Started with Remote Debugging
id: b3d34dc5-2efd-4ae3-845f-8ec14921f449
related:
    - id: 3e8207c5-fcd2-4ea6-9418-15d45b4890e4
      type: derived
status: test
description: Detects browsers starting with the remote debugging flags. Which is a technique often used to perform browser injection attacks
references:
    - https://yoroi.company/wp-content/uploads/2022/05/EternityGroup_report_compressed.pdf
    - https://www.mdsec.co.uk/2022/10/analysing-lastpass-part-1/
    - https://github.com/defaultnamehere/cookie_crimes/
    - https://github.com/wunderwuzzi23/firefox-cookiemonster
author: pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-27
modified: 2022-12-23
tags:
    - attack.credential-access
    - attack.collection
    - attack.t1185
logsource:
    category: process_creation
    product: windows
detection:
    selection_chromium_based:
        # Covers: --remote-debugging-address, --remote-debugging-port, --remote-debugging-socket-name, --remote-debugging-pipe....etc
        CommandLine|contains: ' --remote-debugging-'
    selection_firefox:
        Image|endswith: '\firefox.exe'
        CommandLine|contains: ' -start-debugger-server'
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: medium
Showing 1-2 of 2
Prev 1 Next
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin