Home/Sigma rules
Sigma

Sigma detection rules

46 rules indexed · SIEM-agnostic detection content
Sigma is the open generic signature format for SIEM systems. Each rule below converts to native syntax for Splunk, Elastic, Sentinel, and other SIEMs. Expand any rule to see its raw YAML.
Severity critical high medium low all severities

Detection rules

46 shown of 46
high
DNS Query to External Service Interaction Domains
Detects suspicious DNS queries to external service interaction domains often used for out-of-band interactions after successful RCE
status test author Florian Roth (Nextron Systems), Matt Kelly (list of domains) id aff715fa-4dd5-497a-8db3-910bea555566
view Sigma YAML 
title: DNS Query to External Service Interaction Domains
id: aff715fa-4dd5-497a-8db3-910bea555566
status: test
description: |
    Detects suspicious DNS queries to external service interaction domains often used for out-of-band interactions after successful RCE
references:
    - https://twitter.com/breakersall/status/1533493587828260866
    - https://www.bitdefender.com/en-us/blog/businessinsights/bitdefender-advisory-critical-unauthenticated-rce-windows-server-update-services-cve-2025-59287
    - https://github.com/SigmaHQ/sigma/pull/5724#issuecomment-3466382234
author: Florian Roth (Nextron Systems), Matt Kelly (list of domains)
date: 2022-06-07
modified: 2026-01-24
tags:
    - attack.initial-access
    - attack.t1190
    - attack.reconnaissance
    - attack.t1595.002
logsource:
    category: dns
detection:
    selection:
        query|endswith:
            - '.burpcollaborator.net' # Portswigger Burpsuite Collaborator
            - '.canarytokens.com' # Thinkst Canary Canarytokens
            - '.ceye.io'
            - '.ddns.1443.eu.org' # dig.pm
            - '.ddns.bypass.eu.org' # dig.pm
            - '.ddns.xn--gg8h.eu.org' # dig.pm
            - '.digimg.store' # dnslog.ink
            - '.dns.su18.org' # javaweb.org
            - '.dnshook.site' # webhook.site
            - '.dnslog.cn'
            - '.dnslog.ink' # dnslog.ink
            - '.instances.httpworkbench.com' # httpworkbench.com
            - '.interact.sh' # Project Discovery Interactsh
            - '.log.dnslog.pp.ua' # dnslog.org
            - '.log.dnslog.qzz.io' # dnslog.org
            - '.log.dnslogs.dpdns.org' # dnslog.org
            - '.log.javaweb.org' # javaweb.org
            - '.log.nat.cloudns.ph' # dnslog.org
            - '.oast.fun' # Project Discovery Interactsh
            - '.oast.live' # Project Discovery Interactsh
            - '.oast.me' # Project Discovery Interactsh
            - '.oast.online' # Project Discovery Interactsh
            - '.oast.pro' # Project Discovery Interactsh
            - '.oast.site' # Project Discovery Interactsh
            - '.oastify.com' # Portswigger Burpsuite Collaborator
            - '.p8.lol' # javaweb.org
            - '.requestbin.net'
    filter_main_polling:
        query|contains: 'polling.oastify.com'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Legitimate security scanning.
level: high
high
Hack Tool User Agent
Detects suspicious user agent strings user by hack tools in proxy logs
status test author Florian Roth (Nextron Systems) id c42a3073-30fb-48ae-8c99-c23ada84b103
view Sigma YAML 
title: Hack Tool User Agent
id: c42a3073-30fb-48ae-8c99-c23ada84b103
status: test
description: Detects suspicious user agent strings user by hack tools in proxy logs
references:
    - https://github.com/fastly/waf_testbed/blob/8bfc406551f3045e418cbaad7596cff8da331dfc/templates/default/scanners-user-agents.data.erb
    - http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules
author: Florian Roth (Nextron Systems)
date: 2017-07-08
modified: 2022-07-07
tags:
    - attack.initial-access
    - attack.t1190
    - attack.credential-access
    - attack.t1110
logsource:
    category: proxy
detection:
    selection:
        c-useragent|contains:
            # Vulnerability scanner and brute force tools
            - '(hydra)'
            - ' arachni/'
            - ' BFAC '
            - ' brutus '
            - ' cgichk '
            - 'core-project/1.0'
            - ' crimscanner/'
            - 'datacha0s'
            - 'dirbuster'
            - 'domino hunter'
            - 'dotdotpwn'
            - 'FHScan Core'
            - 'floodgate'
            - 'get-minimal'
            - 'gootkit auto-rooter scanner'
            - 'grendel-scan'
            - ' inspath '
            - 'internet ninja'
            - 'jaascois'
            - ' zmeu '
            - 'masscan'
            - ' metis '
            - 'morfeus fucking scanner'
            - 'n-stealth'
            - 'nsauditor'
            - 'pmafind'
            - 'security scan'
            - 'springenwerk'
            - 'teh forest lobster'
            - 'toata dragostea'
            - ' vega/'
            - 'voideye'
            - 'webshag'
            - 'webvulnscan'
            - ' whcc/'
            # SQL Injection
            - ' Havij'
            - 'absinthe'
            - 'bsqlbf'
            - 'mysqloit'
            - 'pangolin'
            - 'sql power injector'
            - 'sqlmap'
            - 'sqlninja'
            - 'uil2pn'
            # Hack tool
            - 'ruler'  # https://www.crowdstrike.com/blog/using-outlook-forms-lateral-movement-persistence/
            - 'Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-PT; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)'  # SQLi Dumper
    condition: selection
falsepositives:
    - Unknown
level: high
high
JNDIExploit Pattern
Detects exploitation attempt using the JNDI-Exploit-Kit
status test author Florian Roth (Nextron Systems) id 412d55bc-7737-4d25-9542-5b396867ce55
view Sigma YAML 
title: JNDIExploit Pattern
id: 412d55bc-7737-4d25-9542-5b396867ce55
status: test
description: Detects exploitation attempt using the JNDI-Exploit-Kit
references:
    - https://github.com/pimps/JNDI-Exploit-Kit
    - https://web.archive.org/web/20231015205935/https://githubmemory.com/repo/FunctFan/JNDIExploit
author: Florian Roth (Nextron Systems)
date: 2021-12-12
modified: 2022-12-25
tags:
    - attack.initial-access
    - attack.t1190
logsource:
    category: webserver
detection:
    keywords:
        - '/Basic/Command/Base64/'
        - '/Basic/ReverseShell/'
        - '/Basic/TomcatMemshell'
        - '/Basic/JettyMemshell'
        - '/Basic/WeblogicMemshell'
        - '/Basic/JBossMemshell'
        - '/Basic/WebsphereMemshell'
        - '/Basic/SpringMemshell'
        - '/Deserialization/URLDNS/'
        - '/Deserialization/CommonsCollections1/Dnslog/'
        - '/Deserialization/CommonsCollections2/Command/Base64/'
        - '/Deserialization/CommonsBeanutils1/ReverseShell/'
        - '/Deserialization/Jre8u20/TomcatMemshell'
        - '/TomcatBypass/Dnslog/'
        - '/TomcatBypass/Command/'
        - '/TomcatBypass/ReverseShell/'
        - '/TomcatBypass/TomcatMemshell'
        - '/TomcatBypass/SpringMemshell'
        - '/GroovyBypass/Command/'
        - '/WebsphereBypass/Upload/'
    condition: keywords
falsepositives:
    - Legitimate apps the use these paths
level: high
high
Java Payload Strings
Detects possible Java payloads in web access logs
status test author frack113, Harjot Singh, "@cyb3rjy0t" (update) id 583aa0a2-30b1-4d62-8bf3-ab73689efe6c
view Sigma YAML 
title: Java Payload Strings
id: 583aa0a2-30b1-4d62-8bf3-ab73689efe6c
status: test
description: Detects possible Java payloads in web access logs
references:
    - https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/
    - https://www.rapid7.com/blog/post/2021/09/02/active-exploitation-of-confluence-server-cve-2021-26084/
    - https://github.com/httpvoid/writeups/blob/62d3751945289d088ccfdf4d0ffbf61598a2cd7d/Confluence-RCE.md
    - https://twitter.com/httpvoid0x2f/status/1532924261035384832
    - https://medium.com/geekculture/text4shell-exploit-walkthrough-ebc02a01f035
author: frack113, Harjot Singh, "@cyb3rjy0t" (update)
date: 2022-06-04
modified: 2023-01-19
tags:
    - cve.2022-26134
    - cve.2021-26084
    - attack.initial-access
    - attack.t1190
logsource:
    category: webserver
detection:
    keywords:
        - '%24%7B%28%23a%3D%40'
        - '${(#a=@'
        - '%24%7B%40java'
        - '${@java'
        - 'u0022java'
        - '%2F%24%7B%23'
        - '/${#'
        - 'new+java.'
        - 'getRuntime().exec('
        - 'getRuntime%28%29.exec%28'
    condition: keywords
falsepositives:
    - Legitimate apps
level: high
high
OMIGOD SCX RunAsProvider ExecuteScript
Rule to detect the use of the SCX RunAsProvider ExecuteScript to execute any UNIX/Linux script using the /bin/sh shell. Script being executed gets created as a temp file in /tmp folder with a scx* prefix. Then it is invoked from the following directory /etc/opt/microsoft/scx/conf/tmpdir/. The file in that directory has the same prefix scx*. SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including Microsoft Operations Manager, Microsoft Azure, and Microsoft Operations Management Suite.
status test author Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC id 6eea1bf6-f8d2-488a-a742-e6ef6c1b67db
view Sigma YAML 
title: OMIGOD SCX RunAsProvider ExecuteScript
id: 6eea1bf6-f8d2-488a-a742-e6ef6c1b67db
status: test
description: |
    Rule to detect the use of the SCX RunAsProvider ExecuteScript to execute any UNIX/Linux script using the /bin/sh shell.
    Script being executed gets created as a temp file in /tmp folder with a scx* prefix.
    Then it is invoked from the following directory /etc/opt/microsoft/scx/conf/tmpdir/.
    The file in that directory has the same prefix scx*. SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including
    Microsoft Operations Manager, Microsoft Azure, and Microsoft Operations Management Suite.
references:
    - https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure
    - https://github.com/Azure/Azure-Sentinel/pull/3059
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
date: 2021-10-15
modified: 2022-10-05
tags:
    - attack.privilege-escalation
    - attack.initial-access
    - attack.execution
    - attack.t1068
    - attack.t1190
    - attack.t1203
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        User: root
        LogonId: 0
        CurrentDirectory: '/var/opt/microsoft/scx/tmp'
        CommandLine|contains: '/etc/opt/microsoft/scx/conf/tmpdir/scx'
    condition: selection
falsepositives:
    - Legitimate use of SCX RunAsProvider ExecuteScript.
level: high
high
OMIGOD SCX RunAsProvider ExecuteShellCommand
Rule to detect the use of the SCX RunAsProvider Invoke_ExecuteShellCommand to execute any UNIX/Linux command using the /bin/sh shell. SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including Microsoft Operations Manager, Microsoft Azure, and Microsoft Operations Management Suite.
status test author Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC id 21541900-27a9-4454-9c4c-3f0a4240344a
view Sigma YAML 
title: OMIGOD SCX RunAsProvider ExecuteShellCommand
id: 21541900-27a9-4454-9c4c-3f0a4240344a
status: test
description: |
    Rule to detect the use of the SCX RunAsProvider Invoke_ExecuteShellCommand to execute any UNIX/Linux command using the /bin/sh shell.
    SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including
    Microsoft Operations Manager, Microsoft Azure, and Microsoft Operations Management Suite.
references:
    - https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure
    - https://github.com/Azure/Azure-Sentinel/pull/3059
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
date: 2021-10-15
modified: 2022-10-05
tags:
    - attack.privilege-escalation
    - attack.initial-access
    - attack.execution
    - attack.t1068
    - attack.t1190
    - attack.t1203
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        User: root
        LogonId: 0
        CurrentDirectory: '/var/opt/microsoft/scx/tmp'
        CommandLine|contains: '/bin/sh'
    condition: selection
falsepositives:
    - Legitimate use of SCX RunAsProvider Invoke_ExecuteShellCommand.
level: high
high
OpenCanary - FTP Login Attempt
Detects instances where an FTP service on an OpenCanary node has had a login attempt.
status test author Security Onion Solutions id 6991bc2b-ae2e-447f-bc55-3a1ba04c14e5
view Sigma YAML 
title: OpenCanary - FTP Login Attempt
id: 6991bc2b-ae2e-447f-bc55-3a1ba04c14e5
status: test
description: Detects instances where an FTP service on an OpenCanary node has had a login attempt.
references:
    - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
    - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
author: Security Onion Solutions
date: 2024-03-08
tags:
    - attack.initial-access
    - attack.exfiltration
    - attack.lateral-movement
    - attack.t1190
    - attack.t1021
logsource:
    category: application
    product: opencanary
detection:
    selection:
        logtype: 2000
    condition: selection
falsepositives:
    - Unlikely
level: high
high
OpenCanary - HTTP GET Request
Detects instances where an HTTP service on an OpenCanary node has received a GET request.
status test author Security Onion Solutions id af6c3078-84cd-4c68-8842-08b76bd81b13
view Sigma YAML 
title: OpenCanary - HTTP GET Request
id: af6c3078-84cd-4c68-8842-08b76bd81b13
status: test
description: Detects instances where an HTTP service on an OpenCanary node has received a GET request.
references:
    - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
    - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
author: Security Onion Solutions
date: 2024-03-08
tags:
    - attack.initial-access
    - attack.t1190
logsource:
    category: application
    product: opencanary
detection:
    selection:
        logtype: 3000
    condition: selection
falsepositives:
    - Unlikely
level: high
high
OpenCanary - HTTP POST Login Attempt
Detects instances where an HTTP service on an OpenCanary node has had login attempt via Form POST.
status test author Security Onion Solutions id af1ac430-df6b-4b38-b976-0b52f07a0252
view Sigma YAML 
title: OpenCanary - HTTP POST Login Attempt
id: af1ac430-df6b-4b38-b976-0b52f07a0252
status: test
description: |
    Detects instances where an HTTP service on an OpenCanary node has had login attempt via Form POST.
references:
    - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
    - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
author: Security Onion Solutions
date: 2024-03-08
tags:
    - attack.initial-access
    - attack.t1190
logsource:
    category: application
    product: opencanary
detection:
    selection:
        logtype: 3001
    condition: selection
falsepositives:
    - Unlikely
level: high
high
Potential JNDI Injection Exploitation In JVM Based Application
Detects potential JNDI Injection exploitation. Often coupled with Log4Shell exploitation.
status test author Moti Harmats id bb0e9cec-d4da-46f5-997f-22efc59f3dca
view Sigma YAML 
title: Potential JNDI Injection Exploitation In JVM Based Application
id: bb0e9cec-d4da-46f5-997f-22efc59f3dca
status: test
description: Detects potential JNDI Injection exploitation. Often coupled with Log4Shell exploitation.
references:
    - https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs
    - https://secariolabs.com/research/analysing-and-reproducing-poc-for-log4j-2-15-0
author: Moti Harmats
date: 2023-02-11
tags:
    - attack.initial-access
    - attack.t1190
logsource:
    category: application
    product: jvm
    definition: 'Requirements: application error logs must be collected (with LOG_LEVEL=ERROR and above)'
detection:
    keywords:
        - 'com.sun.jndi.ldap.'
        - 'org.apache.logging.log4j.core.net.JndiManager'
    condition: keywords
falsepositives:
    - Application bugs
level: high
high
Potential Local File Read Vulnerability In JVM Based Application
Detects potential local file read vulnerability in JVM based apps. If the exceptions are caused due to user input and contain path traversal payloads then it's a red flag.
status test author Moti Harmats id e032f5bc-4563-4096-ae3b-064bab588685
view Sigma YAML 
title: Potential Local File Read Vulnerability In JVM Based Application
id: e032f5bc-4563-4096-ae3b-064bab588685
status: test
description: |
    Detects potential local file read vulnerability in JVM based apps.
    If the exceptions are caused due to user input and contain path traversal payloads then it's a red flag.
references:
    - https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs
author: Moti Harmats
date: 2023-02-11
tags:
    - attack.initial-access
    - attack.t1190
logsource:
    category: application
    product: jvm
    definition: 'Requirements: application error logs must be collected (with LOG_LEVEL=ERROR and above)'
detection:
    keywords_local_file_read:
        '|all':
            - 'FileNotFoundException'
            - '/../../..'
    condition: keywords_local_file_read
falsepositives:
    - Application bugs
level: high
high
Potential OGNL Injection Exploitation In JVM Based Application
Detects potential OGNL Injection exploitation, which may lead to RCE. OGNL is an expression language that is supported in many JVM based systems. OGNL Injection is the reason for some high profile RCE's such as Apache Struts (CVE-2017-5638) and Confluence (CVE-2022-26134)
status test author Moti Harmats id 4d0af518-828e-4a04-a751-a7d03f3046ad
view Sigma YAML 
title: Potential OGNL Injection Exploitation In JVM Based Application
id: 4d0af518-828e-4a04-a751-a7d03f3046ad
status: test
description: |
    Detects potential OGNL Injection exploitation, which may lead to RCE.
    OGNL is an expression language that is supported in many JVM based systems.
    OGNL Injection is the reason for some high profile RCE's such as Apache Struts (CVE-2017-5638) and Confluence (CVE-2022-26134)
references:
    - https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs
author: Moti Harmats
date: 2023-02-11
tags:
    - attack.initial-access
    - attack.t1190
    - cve.2017-5638
    - cve.2022-26134
logsource:
    category: application
    product: jvm
    definition: 'Requirements: application error logs must be collected (with LOG_LEVEL=ERROR and above)'
detection:
    keywords:
        - 'org.apache.commons.ognl.OgnlException'
        - 'ExpressionSyntaxException'
    condition: keywords
falsepositives:
    - Application bugs
level: high
high
Potential RCE Exploitation Attempt In NodeJS
Detects process execution related errors in NodeJS. If the exceptions are caused due to user input then they may suggest an RCE vulnerability.
status test author Moti Harmats id 97661d9d-2beb-4630-b423-68985291a8af
view Sigma YAML 
title: Potential RCE Exploitation Attempt In NodeJS
id: 97661d9d-2beb-4630-b423-68985291a8af
status: test
description: Detects process execution related errors in NodeJS. If the exceptions are caused due to user input then they may suggest an RCE vulnerability.
references:
    - https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs
author: Moti Harmats
date: 2023-02-11
tags:
    - attack.initial-access
    - attack.t1190
logsource:
    category: application
    product: nodejs
    definition: 'Requirements: application error logs must be collected (with LOG_LEVEL=ERROR and above)'
detection:
    keywords:
        - 'node:child_process'
    condition: keywords
falsepositives:
    - Puppeteer invocation exceptions often contain child_process related errors, that doesn't necessarily mean that the app is vulnerable.
level: high
high
Potential Server Side Template Injection In Velocity
Detects exceptions in velocity template renderer, this most likely happens due to dynamic rendering of user input and may lead to RCE.
status test author Moti Harmats id 16c86189-b556-4ee8-b4c7-7e350a195a4f
view Sigma YAML 
title: Potential Server Side Template Injection In Velocity
id: 16c86189-b556-4ee8-b4c7-7e350a195a4f
status: test
description: Detects exceptions in velocity template renderer, this most likely happens due to dynamic rendering of user input and may lead to RCE.
references:
    - https://antgarsil.github.io/posts/velocity/
    - https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs
author: Moti Harmats
date: 2023-02-11
tags:
    - attack.initial-access
    - attack.t1190
logsource:
    category: application
    product: velocity
    definition: 'Requirements: application error logs must be collected (with LOG_LEVEL=ERROR and above)'
detection:
    keywords:
        - 'ParseErrorException'
        - 'VelocityException'
        - 'TemplateInitException'
    condition: keywords
falsepositives:
    - Application bugs
    - Missing .vm files
level: high
high
Potential SpEL Injection In Spring Framework
Detects potential SpEL Injection exploitation, which may lead to RCE.
status test author Moti Harmats id e9edd087-89d8-48c9-b0b4-5b9bb10896b8
view Sigma YAML 
title: Potential SpEL Injection In Spring Framework
id: e9edd087-89d8-48c9-b0b4-5b9bb10896b8
status: test
description: Detects potential SpEL Injection exploitation, which may lead to RCE.
references:
    - https://owasp.org/www-community/vulnerabilities/Expression_Language_Injection
    - https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs
author: Moti Harmats
date: 2023-02-11
tags:
    - attack.initial-access
    - attack.t1190
logsource:
    category: application
    product: spring
    definition: 'Requirements: application error logs must be collected (with LOG_LEVEL=ERROR and above)'
detection:
    keywords:
        - 'org.springframework.expression.ExpressionException'
    condition: keywords
falsepositives:
    - Application bugs
level: high
high
Potential XXE Exploitation Attempt In JVM Based Application
Detects XML parsing issues, if the application expects to work with XML make sure that the parser is initialized safely.
status test author Moti Harmats id c4e06896-e27c-4583-95ac-91ce2279345d
view Sigma YAML 
title: Potential XXE Exploitation Attempt In JVM Based Application
id: c4e06896-e27c-4583-95ac-91ce2279345d
status: test
description: Detects XML parsing issues, if the application expects to work with XML make sure that the parser is initialized safely.
references:
    - https://rules.sonarsource.com/java/RSPEC-2755
    - https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing
    - https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs
author: Moti Harmats
date: 2023-02-11
tags:
    - attack.initial-access
    - attack.t1190
logsource:
    category: application
    product: jvm
    definition: 'Requirements: application error logs must be collected (with LOG_LEVEL=ERROR and above)'
detection:
    keywords:
        - 'SAXParseException'
        - 'DOMException'
    condition: keywords
falsepositives:
    - If the application expects to work with XML there may be parsing issues that don't necessarily mean XXE.
level: high
high
Process Execution Error In JVM Based Application
Detects process execution related exceptions in JVM based apps, often relates to RCE
status test author Moti Harmats id d65f37da-a26a-48f8-8159-3dde96680ad2
view Sigma YAML 
title: Process Execution Error In JVM Based Application
id: d65f37da-a26a-48f8-8159-3dde96680ad2
status: test
description: Detects process execution related exceptions in JVM based apps, often relates to RCE
references:
    - https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs
author: Moti Harmats
date: 2023-02-11
tags:
    - attack.initial-access
    - attack.t1190
logsource:
    category: application
    product: jvm
    definition: 'Requirements: application error logs must be collected (with LOG_LEVEL=ERROR and above)'
detection:
    keywords:
        - 'Cannot run program'
        - 'java.lang.ProcessImpl'
        - 'java.lang.ProcessBuilder'
    condition: keywords
falsepositives:
    - Application bugs
level: high
high
Remote Access Tool - ScreenConnect Server Web Shell Execution
Detects potential web shell execution from the ScreenConnect server process.
status test author Jason Rathbun (Blackpoint Cyber) id b19146a3-25d4-41b4-928b-1e2a92641b1b
view Sigma YAML 
title: Remote Access Tool - ScreenConnect Server Web Shell Execution
id: b19146a3-25d4-41b4-928b-1e2a92641b1b
status: test
description: Detects potential web shell execution from the ScreenConnect server process.
references:
    - https://blackpointcyber.com/resources/blog/breaking-through-the-screen/
    - https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8
author: Jason Rathbun (Blackpoint Cyber)
date: 2024-02-26
tags:
    - attack.initial-access
    - attack.t1190
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        ParentImage|endswith: '\ScreenConnect.Service.exe'
        Image|endswith:
            - '\cmd.exe'
            - '\csc.exe'
    condition: selection
falsepositives:
    - Unlikely
level: high
high
SQL Injection Strings In URI
Detects potential SQL injection attempts via GET requests in access logs.
status test author Saw Win Naung, Nasreddine Bencherchali (Nextron Systems), Thurein Oo (Yoma Bank) id 5513deaf-f49a-46c2-a6c8-3f111b5cb453
view Sigma YAML 
title: SQL Injection Strings In URI
id: 5513deaf-f49a-46c2-a6c8-3f111b5cb453
status: test
description: Detects potential SQL injection attempts via GET requests in access logs.
references:
    - https://www.acunetix.com/blog/articles/exploiting-sql-injection-example/
    - https://www.acunetix.com/blog/articles/using-logs-to-investigate-a-web-application-attack/
    - https://brightsec.com/blog/sql-injection-payloads/
    - https://github.com/payloadbox/sql-injection-payload-list
    - https://book.hacktricks.xyz/pentesting-web/sql-injection/mysql-injection
author: Saw Win Naung, Nasreddine Bencherchali (Nextron Systems), Thurein Oo (Yoma Bank)
date: 2020-02-22
modified: 2023-09-04
tags:
    - attack.initial-access
    - attack.t1190
logsource:
    category: webserver
detection:
    selection:
        cs-method: 'GET'
    keywords:
        - '@@version'
        - '%271%27%3D%271'
        - '=select '
        - '=select('
        - '=select%20'
        - 'concat_ws('
        - 'CONCAT(0x'
        - 'from mysql.innodb_table_stats'
        - 'from%20mysql.innodb_table_stats'
        - 'group_concat('
        - 'information_schema.tables'
        - 'json_arrayagg('
        - 'or 1=1#'
        - 'or%201=1#'
        - 'order by '
        - 'order%20by%20'
        - 'select * '
        - 'select database()'
        - 'select version()'
        - 'select%20*%20'
        - 'select%20database()'
        - 'select%20version()'
        - 'select%28sleep%2810%29'
        - 'SELECTCHAR('
        - 'table_schema'
        - 'UNION ALL SELECT'
        - 'UNION SELECT'
        - 'UNION%20ALL%20SELECT'
        - 'UNION%20SELECT'
        - "'1'='1"
    filter_main_status:
        sc-status: 404
    condition: selection and keywords and not 1 of filter_main_*
falsepositives:
    - Java scripts and CSS Files
    - User searches in search boxes of the respective website
    - Internal vulnerability scanners can cause some serious FPs when used, if you experience a lot of FPs due to this think of adding more filters such as "User Agent" strings and more response codes
level: high
high
Suspicious Child Process Of SQL Server
Detects suspicious child processes of the SQLServer process. This could indicate potential RCE or SQL Injection.
status test author FPT.EagleEye Team, wagga id 869b9ca7-9ea2-4a5a-8325-e80e62f75445
view Sigma YAML 
title: Suspicious Child Process Of SQL Server
id: 869b9ca7-9ea2-4a5a-8325-e80e62f75445
related:
    - id: 344482e4-a477-436c-aa70-7536d18a48c7
      type: obsolete
status: test
description: Detects suspicious child processes of the SQLServer process. This could indicate potential RCE or SQL Injection.
references:
    - Internal Research
author: FPT.EagleEye Team, wagga
date: 2020-12-11
modified: 2023-05-04
tags:
    - attack.t1505.003
    - attack.t1190
    - attack.initial-access
    - attack.persistence
    - attack.privilege-escalation
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\sqlservr.exe'
        Image|endswith:
            # You can add other uncommon or suspicious processes
            - '\bash.exe'
            - '\bitsadmin.exe'
            - '\cmd.exe'
            - '\netstat.exe'
            - '\nltest.exe'
            - '\ping.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
            - '\sh.exe'
            - '\systeminfo.exe'
            - '\tasklist.exe'
            - '\wsl.exe'
    filter_optional_datev:
        ParentImage|startswith: 'C:\Program Files\Microsoft SQL Server\'
        ParentImage|endswith: 'DATEV_DBENGINE\MSSQL\Binn\sqlservr.exe'
        Image: 'C:\Windows\System32\cmd.exe'
        CommandLine|startswith: '"C:\Windows\system32\cmd.exe" '
    condition: selection and not 1 of filter_optional_*
level: high
high
Suspicious File Write to SharePoint Layouts Directory
Detects suspicious file writes to SharePoint layouts directory which could indicate webshell activity or post-exploitation. This behavior has been observed in the exploitation of SharePoint vulnerabilities such as CVE-2025-49704, CVE-2025-49706 or CVE-2025-53770.
status experimental author Swachchhanda Shrawan Poudel (Nextron Systems) id 1f0489be-b496-4ddf-b3a9-5900f2044e9c
view Sigma YAML 
title: Suspicious File Write to SharePoint Layouts Directory
id: 1f0489be-b496-4ddf-b3a9-5900f2044e9c
status: experimental
description: |
    Detects suspicious file writes to SharePoint layouts directory which could indicate webshell activity or post-exploitation.
    This behavior has been observed in the exploitation of SharePoint vulnerabilities such as CVE-2025-49704, CVE-2025-49706 or CVE-2025-53770.
references:
    - https://unit42.paloaltonetworks.com/microsoft-sharepoint-cve-2025-49704-cve-2025-49706-cve-2025-53770/
    - https://www.microsoft.com/en-us/security/blog/2025/07/22/disrupting-active-exploitation-of-on-premises-sharepoint-vulnerabilities/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-07-24
tags:
    - attack.initial-access
    - attack.t1190
    - attack.persistence
    - attack.t1505.003
logsource:
    product: windows
    category: file_event
detection:
    selection:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell_ise.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\w3wp.exe'
        TargetFilename|startswith:
            - 'C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\'
            - 'C:\Program Files (x86)\Common Files\Microsoft Shared\Web Server Extensions\'
        TargetFilename|contains:
            - '\15\TEMPLATE\LAYOUTS\'
            - '\16\TEMPLATE\LAYOUTS\'
        TargetFilename|endswith:
            - '.asax'
            - '.ascx'
            - '.ashx'
            - '.asmx'
            - '.asp'
            - '.aspx'
            - '.bat'
            - '.cmd'
            - '.cer'
            - '.config'
            - '.hta'
            - '.js'
            - '.jsp'
            - '.jspx'
            - '.php'
            - '.ps1'
            - '.vbs'
    condition: selection
falsepositives:
    - Unknown
level: high
high
Suspicious MSExchangeMailboxReplication ASPX Write
Detects suspicious activity in which the MSExchangeMailboxReplication process writes .asp and .apsx files to disk, which could be a sign of ProxyShell exploitation
status test author Florian Roth (Nextron Systems) id 7280c9f3-a5af-45d0-916a-bc01cb4151c9
view Sigma YAML 
title: Suspicious MSExchangeMailboxReplication ASPX Write
id: 7280c9f3-a5af-45d0-916a-bc01cb4151c9
status: test
description: Detects suspicious activity in which the MSExchangeMailboxReplication process writes .asp and .apsx files to disk, which could be a sign of ProxyShell exploitation
references:
    - https://redcanary.com/blog/blackbyte-ransomware/
author: Florian Roth (Nextron Systems)
date: 2022-02-25
tags:
    - attack.initial-access
    - attack.t1190
    - attack.persistence
    - attack.t1505.003
logsource:
    product: windows
    category: file_event
detection:
    selection:
        Image|endswith: '\MSExchangeMailboxReplication.exe'
        TargetFilename|endswith:
            - '.aspx'
            - '.asp'
    condition: selection
falsepositives:
    - Unknown
level: high
high
Suspicious Named Error
Detects suspicious DNS error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts
status test author Florian Roth (Nextron Systems) id c8e35e96-19ce-4f16-aeb6-fd5588dc5365
view Sigma YAML 
title: Suspicious Named Error
id: c8e35e96-19ce-4f16-aeb6-fd5588dc5365
status: test
description: Detects suspicious DNS error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts
references:
    - https://github.com/ossec/ossec-hids/blob/1ecffb1b884607cb12e619f9ab3c04f530801083/etc/rules/named_rules.xml
author: Florian Roth (Nextron Systems)
date: 2018-02-20
modified: 2022-10-05
tags:
    - attack.initial-access
    - attack.t1190
logsource:
    product: linux
    service: syslog
detection:
    keywords:
        - ' dropping source port zero packet from '
        - ' denied AXFR from '
        - ' exiting (due to fatal error)'
    condition: keywords
falsepositives:
    - Unknown
level: high
high
Suspicious Process By Web Server Process
Detects potentially suspicious processes being spawned by a web server process which could be the result of a successfully placed web shell or exploitation
status test author Thomas Patzke, Florian Roth (Nextron Systems), Zach Stanford @svch0st, Tim Shelton, Nasreddine Bencherchali (Nextron Systems) id 8202070f-edeb-4d31-a010-a26c72ac5600
view Sigma YAML 
title: Suspicious Process By Web Server Process
id: 8202070f-edeb-4d31-a010-a26c72ac5600
status: test
description: |
    Detects potentially suspicious processes being spawned by a web server process which could be the result of a successfully placed web shell or exploitation
references:
    - https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF
author: Thomas Patzke, Florian Roth (Nextron Systems), Zach Stanford @svch0st, Tim Shelton, Nasreddine Bencherchali (Nextron Systems)
date: 2019-01-16
modified: 2024-11-26
tags:
    - attack.persistence
    - attack.initial-access
    - attack.t1505.003
    - attack.t1190
logsource:
    category: process_creation
    product: windows
detection:
    selection_webserver_image:
        ParentImage|endswith:
            - '\caddy.exe'
            - '\httpd.exe'
            - '\nginx.exe'
            - '\php-cgi.exe'
            - '\php.exe'
            - '\tomcat.exe'
            - '\UMWorkerProcess.exe'  # https://www.fireeye.com/blog/threat-research/2021/03/detection-response-to-exploitation-of-microsoft-exchange-zero-day-vulnerabilities.html
            - '\w3wp.exe'
            - '\ws_TomcatService.exe'
    selection_webserver_characteristics_tomcat1:
        ParentImage|endswith:
            - '\java.exe'
            - '\javaw.exe'
        ParentImage|contains:
            - '-tomcat-'
            - '\tomcat'
    selection_webserver_characteristics_tomcat2:
        ParentImage|endswith:
            - '\java.exe'
            - '\javaw.exe'
        ParentCommandLine|contains:
            - 'CATALINA_HOME'
            - 'catalina.home'
            - 'catalina.jar'
    selection_anomaly_children:
        Image|endswith:
            - '\arp.exe'
            - '\at.exe'
            - '\bash.exe'
            - '\bitsadmin.exe'
            - '\certutil.exe'
            - '\cmd.exe'
            - '\cscript.exe'
            - '\dsget.exe'
            - '\hostname.exe'
            - '\nbtstat.exe'
            - '\net.exe'
            - '\net1.exe'
            - '\netdom.exe'
            - '\netsh.exe'
            - '\nltest.exe'
            - '\ntdsutil.exe'
            - '\powershell_ise.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\qprocess.exe'
            - '\query.exe'
            - '\qwinsta.exe'
            - '\reg.exe'
            - '\rundll32.exe'
            - '\sc.exe'
            - '\sh.exe'
            - '\wmic.exe'
            - '\wscript.exe'
            - '\wusa.exe'
    filter_main_fp_1:
        ParentImage|endswith: '\java.exe'
        CommandLine|endswith: 'Windows\system32\cmd.exe /c C:\ManageEngine\ADManager "Plus\ES\bin\elasticsearch.bat -Enode.name=RMP-NODE1 -pelasticsearch-pid.txt'
    filter_main_fp_2:
        ParentImage|endswith: '\java.exe'
        CommandLine|contains|all:
            - 'sc query'
            - 'ADManager Plus'
    condition: 1 of selection_webserver_* and selection_anomaly_children and not 1 of filter_main_*
falsepositives:
    - Particular web applications may spawn a shell process legitimately
level: high
high
Suspicious Processes Spawned by WinRM
Detects suspicious processes including shells spawnd from WinRM host process
status test author Andreas Hunkeler (@Karneades), Markus Neis id 5cc2cda8-f261-4d88-a2de-e9e193c86716
view Sigma YAML 
title: Suspicious Processes Spawned by WinRM
id: 5cc2cda8-f261-4d88-a2de-e9e193c86716
status: test
description: Detects suspicious processes including shells spawnd from WinRM host process
author: Andreas Hunkeler (@Karneades), Markus Neis
references:
    - Internal Research
date: 2021-05-20
modified: 2022-07-14
tags:
    - attack.t1190
    - attack.initial-access
    - attack.persistence
    - attack.privilege-escalation
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\wsmprovhost.exe'
        Image|endswith:
            - '\cmd.exe'
            - '\sh.exe'
            - '\bash.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\wsl.exe'
            - '\schtasks.exe'
            - '\certutil.exe'
            - '\whoami.exe'
            - '\bitsadmin.exe'
    condition: selection
falsepositives:
    - Legitimate WinRM usage
level: high
high
Suspicious SQL Error Messages
Detects SQL error messages that indicate probing for an injection attack
status test author Bjoern Kimminich id 8a670c6d-7189-4b1c-8017-a417ca84a086
view Sigma YAML 
title: Suspicious SQL Error Messages
id: 8a670c6d-7189-4b1c-8017-a417ca84a086
status: test
description: Detects SQL error messages that indicate probing for an injection attack
references:
    - http://www.sqlinjection.net/errors
author: Bjoern Kimminich
date: 2017-11-27
modified: 2023-02-12
tags:
    - attack.initial-access
    - attack.t1190
logsource:
    category: application
    product: sql
    definition: 'Requirements: application error logs must be collected (with LOG_LEVEL ERROR and above)'
detection:
    keywords:
        # Oracle
        - quoted string not properly terminated
        # MySQL
        - You have an error in your SQL syntax
        # SQL Server
        - Unclosed quotation mark
        # SQLite
        - 'near "*": syntax error'
        - SELECTs to the left and right of UNION do not have the same number of result columns
    condition: keywords
falsepositives:
    - A syntax error in MySQL also occurs in non-dynamic (safe) queries if there is an empty in() clause, that may often be the case.
level: high
high
Terminal Service Process Spawn
Detects a process spawned by the terminal service server process (this could be an indicator for an exploitation of CVE-2019-0708)
status test author Florian Roth (Nextron Systems) id 1012f107-b8f1-4271-af30-5aed2de89b39
view Sigma YAML 
title: Terminal Service Process Spawn
id: 1012f107-b8f1-4271-af30-5aed2de89b39
status: test
description: Detects a process spawned by the terminal service server process (this could be an indicator for an exploitation of CVE-2019-0708)
references:
    - https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/rdp-stands-for-really-do-patch-understanding-the-wormable-rdp-vulnerability-cve-2019-0708/
author: Florian Roth (Nextron Systems)
date: 2019-05-22
modified: 2023-01-25
tags:
    - attack.initial-access
    - attack.t1190
    - attack.lateral-movement
    - attack.t1210
    - car.2013-07-002
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        ParentCommandLine|contains|all:
            - '\svchost.exe'
            - 'termsvcs'
    filter_img:
        Image|endswith:
            - '\rdpclip.exe'
            - ':\Windows\System32\csrss.exe'
            - ':\Windows\System32\wininit.exe'
            - ':\Windows\System32\winlogon.exe'
    filter_null:
        Image: null
    condition: selection and not 1 of filter_*
falsepositives:
    - Unknown
level: high
medium
Apache Threading Error
Detects an issue in apache logs that reports threading related errors
status test author Florian Roth (Nextron Systems) id e9a2b582-3f6a-48ac-b4a1-6849cdc50b3c
view Sigma YAML 
title: Apache Threading Error
id: e9a2b582-3f6a-48ac-b4a1-6849cdc50b3c
status: test
description: Detects an issue in apache logs that reports threading related errors
references:
    - https://github.com/hannob/apache-uaf/blob/da40f2be3684c8095ec6066fa68eb5c07a086233/README.md
author: Florian Roth (Nextron Systems)
date: 2019-01-22
modified: 2021-11-27
tags:
    - attack.initial-access
    - attack.lateral-movement
    - attack.t1190
    - attack.t1210
logsource:
    service: apache
    definition: 'Requirements: Must be able to collect the error.log file'
detection:
    keywords:
        - '__pthread_tpp_change_priority: Assertion `new_prio == -1 || (new_prio >= fifo_min_prio && new_prio <= fifo_max_prio)'
    condition: keywords
falsepositives:
    - 3rd party apache modules - https://bz.apache.org/bugzilla/show_bug.cgi?id=46185
level: medium
medium
Django Framework Exceptions
Detects suspicious Django web application framework exceptions that could indicate exploitation attempts
status stable author Thomas Patzke id fd435618-981e-4a7c-81f8-f78ce480d616
view Sigma YAML 
title: Django Framework Exceptions
id: fd435618-981e-4a7c-81f8-f78ce480d616
status: stable
description: Detects suspicious Django web application framework exceptions that could indicate exploitation attempts
references:
    - https://docs.djangoproject.com/en/1.11/ref/exceptions/
    - https://docs.djangoproject.com/en/1.11/topics/logging/#django-security
author: Thomas Patzke
date: 2017-08-05
modified: 2020-09-01
tags:
    - attack.initial-access
    - attack.t1190
logsource:
    category: application
    product: django
detection:
    keywords:
        - SuspiciousOperation
        # Subclasses of SuspiciousOperation
        - DisallowedHost
        - DisallowedModelAdminLookup
        - DisallowedModelAdminToField
        - DisallowedRedirect
        - InvalidSessionKey
        - RequestDataTooBig
        - SuspiciousFileOperation
        - SuspiciousMultipartForm
        - SuspiciousSession
        - TooManyFieldsSent
        # Further security-related exceptions
        - PermissionDenied
    condition: keywords
falsepositives:
    - Application bugs
level: medium
medium
F5 BIG-IP iControl Rest API Command Execution - Proxy
Detects POST requests to the F5 BIG-IP iControl Rest API "bash" endpoint, which allows the execution of commands on the BIG-IP
status test author Nasreddine Bencherchali (Nextron Systems), Thurein Oo id b59c98c6-95e8-4d65-93ee-f594dfb96b17
view Sigma YAML 
title: F5 BIG-IP iControl Rest API Command Execution - Proxy
id: b59c98c6-95e8-4d65-93ee-f594dfb96b17
related:
    - id: 85254a62-22be-4239-b79c-2ec17e566c37
      type: similar
status: test
description: Detects POST requests to the F5 BIG-IP iControl Rest API "bash" endpoint, which allows the execution of commands on the BIG-IP
references:
    - https://f5-sdk.readthedocs.io/en/latest/apidoc/f5.bigip.tm.util.html#module-f5.bigip.tm.util.bash
    - https://community.f5.com/t5/technical-forum/icontrolrest-11-5-execute-bash-command/td-p/203029
    - https://community.f5.com/t5/technical-forum/running-bash-commands-via-rest-api/td-p/272516
author: Nasreddine Bencherchali (Nextron Systems), Thurein Oo
date: 2023-11-08
tags:
    - attack.initial-access
    - attack.t1190
logsource:
    category: proxy
detection:
    selection:
        cs-method: 'POST'
        c-uri|endswith: '/mgmt/tm/util/bash'
    condition: selection
falsepositives:
    - Legitimate usage of the BIG IP REST API to execute command for administration purposes
level: medium
medium
F5 BIG-IP iControl Rest API Command Execution - Webserver
Detects POST requests to the F5 BIG-IP iControl Rest API "bash" endpoint, which allows the execution of commands on the BIG-IP
status test author Nasreddine Bencherchali (Nextron Systems), Thurein Oo id 85254a62-22be-4239-b79c-2ec17e566c37
view Sigma YAML 
title: F5 BIG-IP iControl Rest API Command Execution - Webserver
id: 85254a62-22be-4239-b79c-2ec17e566c37
related:
    - id: b59c98c6-95e8-4d65-93ee-f594dfb96b17
      type: similar
status: test
description: Detects POST requests to the F5 BIG-IP iControl Rest API "bash" endpoint, which allows the execution of commands on the BIG-IP
references:
    - https://f5-sdk.readthedocs.io/en/latest/apidoc/f5.bigip.tm.util.html#module-f5.bigip.tm.util.bash
    - https://community.f5.com/t5/technical-forum/icontrolrest-11-5-execute-bash-command/td-p/203029
    - https://community.f5.com/t5/technical-forum/running-bash-commands-via-rest-api/td-p/272516
author: Nasreddine Bencherchali (Nextron Systems), Thurein Oo
date: 2023-11-08
tags:
    - attack.execution
    - attack.t1190
    - attack.initial-access
logsource:
    category: webserver
detection:
    selection:
        cs-method: 'POST'
        cs-uri-query|endswith: '/mgmt/tm/util/bash'
    condition: selection
falsepositives:
    - Legitimate usage of the BIG IP REST API to execute command for administration purposes
level: medium
medium
Failed Logon From Public IP
Detects a failed logon attempt from a public IP. A login from a public IP can indicate a misconfigured firewall or network boundary.
status test author NVISO id f88e112a-21aa-44bd-9b01-6ee2a2bbbed1
view Sigma YAML 
title: Failed Logon From Public IP
id: f88e112a-21aa-44bd-9b01-6ee2a2bbbed1
status: test
description: Detects a failed logon attempt from a public IP. A login from a public IP can indicate a misconfigured firewall or network boundary.
references:
    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4625
author: NVISO
date: 2020-05-06
modified: 2024-03-11
tags:
    - attack.privilege-escalation
    - attack.initial-access
    - attack.persistence
    - attack.stealth
    - attack.t1078
    - attack.t1190
    - attack.t1133
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4625
    filter_main_ip_unknown:
        IpAddress|contains: '-'
    filter_main_local_ranges:
        IpAddress|cidr:
            - '::1/128'  # IPv6 loopback
            - '10.0.0.0/8'
            - '127.0.0.0/8'
            - '172.16.0.0/12'
            - '192.168.0.0/16'
            - '169.254.0.0/16'
            - 'fc00::/7'  # IPv6 private addresses
            - 'fe80::/10'  # IPv6 link-local addresses
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Legitimate logon attempts over the internet
    - IPv4-to-IPv6 mapped IPs
level: medium
medium
Ingress/Egress Security Group Modification
Detects when an account makes changes to the ingress or egress rules of a security group. This can indicate that an attacker is attempting to open up new attack vectors in the account, that they are trying to exfiltrate data over the network, or that they are trying to allow machines in that VPC/Subnet to contact a C&C server.
status test author jamesc-grafana id 6fb77778-040f-4015-9440-572aa9b6b580
view Sigma YAML 
title: Ingress/Egress Security Group Modification
id: 6fb77778-040f-4015-9440-572aa9b6b580
status: test
description: |
    Detects when an account makes changes to the ingress or egress rules of a security group.
    This can indicate that an attacker is attempting to open up new attack vectors in the account, that they are trying to exfiltrate data over the network, or that they are trying to allow machines in that VPC/Subnet to contact a C&C server.
references:
    - https://www.gorillastack.com/blog/real-time-events/important-aws-cloudtrail-security-events-tracking/
author: jamesc-grafana
date: 2024-07-11
tags:
    - attack.initial-access
    - attack.t1190
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        eventSource: 'ec2.amazonaws.com'
        eventName:
            - 'AuthorizeSecurityGroupEgress'
            - 'AuthorizeSecurityGroupIngress'
            - 'RevokeSecurityGroupEgress'
            - 'RevokeSecurityGroupIngress'
    condition: selection
falsepositives:
    - New VPCs and Subnets being setup requiring a different security profile to those already defined
    - A single port being opened for a new service that is known to be deploying
    - Administrators closing unused ports to reduce the attack surface
level: medium
medium
LoadBalancer Security Group Modification
Detects changes to the security groups associated with an Elastic Load Balancer (ELB) or Application Load Balancer (ALB). This can indicate that a misconfiguration allowing more traffic into the system than required, or could indicate that an attacker is attempting to enable new connections into a VPC or subnet controlled by the account.
status test author jamesc-grafana id 7a4409fc-f8ca-45f6-8006-127d779eaad9
view Sigma YAML 
title: LoadBalancer Security Group Modification
id: 7a4409fc-f8ca-45f6-8006-127d779eaad9
status: test
description: |
    Detects changes to the security groups associated with an Elastic Load Balancer (ELB) or Application Load Balancer (ALB).
    This can indicate that a misconfiguration allowing more traffic into the system than required, or could indicate that an attacker is attempting to enable new connections into a VPC or subnet controlled by the account.
references:
    - https://www.gorillastack.com/blog/real-time-events/important-aws-cloudtrail-security-events-tracking/
author: jamesc-grafana
date: 2024-07-11
tags:
    - attack.initial-access
    - attack.t1190
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        eventSource: 'elasticloadbalancing.amazonaws.com'
        eventName:
            - 'ApplySecurityGroupsToLoadBalancer'
            - 'SetSecurityGroups'
    condition: selection
falsepositives:
    - Repurposing of an ELB or ALB to serve a different or additional application
    - Changes to security groups to allow for new services to be deployed
level: medium
medium
Path Traversal Exploitation Attempts
Detects path traversal exploitation attempts
status test author Subhash Popuri (@pbssubhash), Florian Roth (Nextron Systems), Thurein Oo, Nasreddine Bencherchali (Nextron Systems) id 7745c2ea-24a5-4290-b680-04359cb84b35
view Sigma YAML 
title: Path Traversal Exploitation Attempts
id: 7745c2ea-24a5-4290-b680-04359cb84b35
status: test
description: Detects path traversal exploitation attempts
references:
    - https://github.com/projectdiscovery/nuclei-templates
    - https://book.hacktricks.xyz/pentesting-web/file-inclusion
author: Subhash Popuri (@pbssubhash), Florian Roth (Nextron Systems), Thurein Oo, Nasreddine Bencherchali (Nextron Systems)
date: 2021-09-25
modified: 2023-08-31
tags:
    - attack.initial-access
    - attack.t1190
logsource:
    category: webserver
detection:
    selection:
        cs-uri-query|contains:
            - '../../../../../lib/password'
            - '../../../../windows/'
            - '../../../etc/'
            - '..%252f..%252f..%252fetc%252f'
            - '..%c0%af..%c0%af..%c0%afetc%c0%af'
            - '%252e%252e%252fetc%252f'
    condition: selection
falsepositives:
    - Expected to be continuously seen on systems exposed to the Internet
    - Internal vulnerability scanners
level: medium
medium
Python SQL Exceptions
Generic rule for SQL exceptions in Python according to PEP 249
status stable author Thomas Patzke id 19aefed0-ffd4-47dc-a7fc-f8b1425e84f9
view Sigma YAML 
title: Python SQL Exceptions
id: 19aefed0-ffd4-47dc-a7fc-f8b1425e84f9
status: stable
description: Generic rule for SQL exceptions in Python according to PEP 249
references:
    - https://www.python.org/dev/peps/pep-0249/#exceptions
author: Thomas Patzke
date: 2017-08-12
modified: 2020-09-01
tags:
    - attack.initial-access
    - attack.t1190
logsource:
    category: application
    product: python
detection:
    keywords:
        - DataError
        - IntegrityError
        - ProgrammingError
        - OperationalError
    condition: keywords
falsepositives:
    - Application bugs
level: medium
medium
RDS Database Security Group Modification
Detects changes to the security group entries for RDS databases. This can indicate that a misconfiguration has occurred which potentially exposes the database to the public internet, a wider audience within the VPC or that removal of valid rules has occurred which could impact the availability of the database to legitimate services and users.
status test author jamesc-grafana id 14f3f1c8-02d5-43a2-a191-91ffb52d3015
view Sigma YAML 
title: RDS Database Security Group Modification
id: 14f3f1c8-02d5-43a2-a191-91ffb52d3015
status: test
description: |
    Detects changes to the security group entries for RDS databases.
    This can indicate that a misconfiguration has occurred which potentially exposes the database to the public internet, a wider audience within the VPC or that removal of valid rules has occurred which could impact the availability of the database to legitimate services and users.
references:
    - https://www.gorillastack.com/blog/real-time-events/important-aws-cloudtrail-security-events-tracking/
author: jamesc-grafana
date: 2024-07-11
tags:
    - attack.initial-access
    - attack.t1190
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        eventSource: 'rds.amazonaws.com'
        eventName:
            - 'AuthorizeDBSecurityGroupIngress'
            - 'CreateDBSecurityGroup'
            - 'DeleteDBSecurityGroup'
            - 'RevokeDBSecurityGroupIngress'
    condition: selection
falsepositives:
    - Creation of a new Database that needs new security group rules
level: medium
medium
Ruby on Rails Framework Exceptions
Detects suspicious Ruby on Rails exceptions that could indicate exploitation attempts
status stable author Thomas Patzke id 0d2c3d4c-4b48-4ac3-8f23-ea845746bb1a
view Sigma YAML 
title: Ruby on Rails Framework Exceptions
id: 0d2c3d4c-4b48-4ac3-8f23-ea845746bb1a
status: stable
description: Detects suspicious Ruby on Rails exceptions that could indicate exploitation attempts
references:
    - http://edgeguides.rubyonrails.org/security.html
    - http://guides.rubyonrails.org/action_controller_overview.html
    - https://stackoverflow.com/questions/25892194/does-rails-come-with-a-not-authorized-exception
    - https://github.com/rails/rails/blob/cd08e6bcc4cd8948fe01e0be1ea0c7ca60373a25/actionpack/lib/action_dispatch/middleware/exception_wrapper.rb
author: Thomas Patzke
date: 2017-08-06
modified: 2020-09-01
tags:
    - attack.initial-access
    - attack.t1190
logsource:
    category: application
    product: ruby_on_rails
detection:
    keywords:
        - ActionController::InvalidAuthenticityToken
        - ActionController::InvalidCrossOriginRequest
        - ActionController::MethodNotAllowed
        - ActionController::BadRequest
        - ActionController::ParameterMissing
    condition: keywords
falsepositives:
    - Application bugs
level: medium
medium
Spring Framework Exceptions
Detects suspicious Spring framework exceptions that could indicate exploitation attempts
status stable author Thomas Patzke id ae48ab93-45f7-4051-9dfe-5d30a3f78e33
view Sigma YAML 
title: Spring Framework Exceptions
id: ae48ab93-45f7-4051-9dfe-5d30a3f78e33
status: stable
description: Detects suspicious Spring framework exceptions that could indicate exploitation attempts
references:
    - https://docs.spring.io/spring-security/site/docs/current/api/overview-tree.html
author: Thomas Patzke
date: 2017-08-06
modified: 2020-09-01
tags:
    - attack.initial-access
    - attack.t1190
logsource:
    category: application
    product: spring
detection:
    keywords:
        - AccessDeniedException
        - CsrfException
        - InvalidCsrfTokenException
        - MissingCsrfTokenException
        - CookieTheftException
        - InvalidCookieException
        - RequestRejectedException
    condition: keywords
falsepositives:
    - Application bugs
level: medium
medium
Successful IIS Shortname Fuzzing Scan
When IIS uses an old .Net Framework it's possible to enumerate folders with the symbol "~"
status test author frack113 id 7cb02516-6d95-4ffc-8eee-162075e111ac
view Sigma YAML 
title: Successful IIS Shortname Fuzzing Scan
id: 7cb02516-6d95-4ffc-8eee-162075e111ac
status: test
description: When IIS uses an old .Net Framework it's possible to enumerate folders with the symbol "~"
references:
    - https://github.com/projectdiscovery/nuclei-templates/blob/9d2889356eebba661c8407038e430759dfd4ec31/fuzzing/iis-shortname.yaml
    - https://www.exploit-db.com/exploits/19525
    - https://github.com/lijiejie/IIS_shortname_Scanner
author: frack113
date: 2021-10-06
modified: 2023-01-02
tags:
    - attack.initial-access
    - attack.t1190
logsource:
    category: webserver
detection:
    selection:
        cs-uri-query|contains: '~1'
        cs-uri-query|endswith: 'a.aspx'
        cs-method:
            - GET
            - OPTIONS
        # Success only
        sc-status:
            - 200
            - 301
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
Suspicious File Drop by Exchange
Detects suspicious file type dropped by an Exchange component in IIS
status test author Florian Roth (Nextron Systems) id 6b269392-9eba-40b5-acb6-55c882b20ba6
view Sigma YAML 
title: Suspicious File Drop by Exchange
id: 6b269392-9eba-40b5-acb6-55c882b20ba6
related:
    - id: bd1212e5-78da-431e-95fa-c58e3237a8e6
      type: similar
status: test
description: Detects suspicious file type dropped by an Exchange component in IIS
references:
    - https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/
    - https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html
    - https://en.gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html
author: Florian Roth (Nextron Systems)
date: 2022-10-04
tags:
    - attack.persistence
    - attack.t1190
    - attack.initial-access
    - attack.t1505.003
logsource:
    product: windows
    category: file_event
detection:
    selection:
        Image|endswith: '\w3wp.exe'
        CommandLine|contains: 'MSExchange'
    selection_types:
        TargetFilename|endswith:
            - '.aspx'
            - '.asp'
            - '.ashx'
            - '.ps1'
            - '.bat'
            - '.exe'
            - '.dll'
            - '.vbs'
    condition: all of selection*
falsepositives:
    - Unknown
level: medium
medium
Suspicious File Write to Webapps Root Directory
Detects suspicious file writes to the root directory of web applications, particularly Apache web servers or Tomcat servers. This may indicate an attempt to deploy malicious files such as web shells or other unauthorized scripts.
status experimental author Swachchhanda Shrawan Poudel (Nextron Systems) id 89c42960-f244-4dad-9151-ae9b1a3287a2
view Sigma YAML 
title: Suspicious File Write to Webapps Root Directory
id: 89c42960-f244-4dad-9151-ae9b1a3287a2
status: experimental
description: |
    Detects suspicious file writes to the root directory of web applications, particularly Apache web servers or Tomcat servers.
    This may indicate an attempt to deploy malicious files such as web shells or other unauthorized scripts.
references:
    - https://labs.watchtowr.com/guess-who-would-be-stupid-enough-to-rob-the-same-vault-twice-pre-auth-rce-chains-in-commvault/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-10-20
tags:
    - attack.persistence
    - attack.t1505.003
    - attack.initial-access
    - attack.t1190
logsource:
    product: windows
    category: file_event
detection:
    # Add more suspicious processes or paths or extensions as needed
    selection_susp_img:
        Image|endswith:
            - '\dotnet.exe'
            - '\w3wp.exe'
            - '\java.exe'
    selection_servers:
        TargetFilename|contains:
            - '\apache'
            - '\tomcat'
    selection_path:
        TargetFilename|contains: '\webapps\ROOT\'
    selection_susp_extensions:
        TargetFilename|endswith: '.jsp'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
medium
Suspicious OpenSSH Daemon Error
Detects suspicious SSH / SSHD error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts
status test author Florian Roth (Nextron Systems) id e76b413a-83d0-4b94-8e4c-85db4a5b8bdc
view Sigma YAML 
title: Suspicious OpenSSH Daemon Error
id: e76b413a-83d0-4b94-8e4c-85db4a5b8bdc
status: test
description: Detects suspicious SSH / SSHD error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts
references:
    - https://github.com/openssh/openssh-portable/blob/c483a5c0fb8e8b8915fad85c5f6113386a4341ca/ssherr.c
    - https://github.com/ossec/ossec-hids/blob/1ecffb1b884607cb12e619f9ab3c04f530801083/etc/rules/sshd_rules.xml
author: Florian Roth (Nextron Systems)
date: 2017-06-30
modified: 2021-11-27
tags:
    - attack.initial-access
    - attack.t1190
logsource:
    product: linux
    service: sshd
detection:
    keywords:
        - 'unexpected internal error'
        - 'unknown or unsupported key type'
        - 'invalid certificate signing key'
        - 'invalid elliptic curve value'
        - 'incorrect signature'
        - 'error in libcrypto'
        - 'unexpected bytes remain after decoding'
        - 'fatal: buffer_get_string: bad string'
        - 'Local: crc32 compensation attack'
        - 'bad client public DH value'
        - 'Corrupted MAC on input'
    condition: keywords
falsepositives:
    - Unknown
level: medium
medium
Suspicious SQL Query
Detects suspicious SQL query keywrods that are often used during recon, exfiltration or destructive activities. Such as dropping tables and selecting wildcard fields
status test author @juju4 id d84c0ded-edd7-4123-80ed-348bb3ccc4d5
view Sigma YAML 
title: Suspicious SQL Query
id: d84c0ded-edd7-4123-80ed-348bb3ccc4d5
status: test
description: Detects suspicious SQL query keywrods that are often used during recon, exfiltration or destructive activities. Such as dropping tables and selecting wildcard fields
author: '@juju4'
date: 2022-12-27
references:
    - https://github.com/sqlmapproject/sqlmap
tags:
    - attack.exfiltration
    - attack.initial-access
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1190
    - attack.t1505.001
logsource:
    category: database
    definition: 'Requirements: Must be able to log the SQL queries'
detection:
    keywords:
        - 'drop'
        - 'truncate'
        - 'dump'
        - 'select \*'
    condition: keywords
falsepositives:
    - Inventory and monitoring activity
    - Vulnerability scanners
    - Legitimate applications
level: medium
medium
Suspicious User-Agents Related To Recon Tools
Detects known suspicious (default) user-agents related to scanning/recon tools
status test author Nasreddine Bencherchali (Nextron Systems), Tim Shelton id 19aa4f58-94ca-45ff-bc34-92e533c0994a
view Sigma YAML 
title: Suspicious User-Agents Related To Recon Tools
id: 19aa4f58-94ca-45ff-bc34-92e533c0994a
status: test
description: Detects known suspicious (default) user-agents related to scanning/recon tools
references:
    - https://github.com/wpscanteam/wpscan/blob/196fbab5b1ce3870a43515153d4f07878a89d410/lib/wpscan/browser.rb
    - https://github.com/xmendez/wfuzz/blob/1b695ee9a87d66a7d7bf6cae70d60a33fae51541/docs/user/basicusage.rst
    - https://github.com/lanmaster53/recon-ng/blob/9e907dfe09fce2997f0301d746796408e01a60b7/recon/core/base.py#L92
author: Nasreddine Bencherchali (Nextron Systems), Tim Shelton
date: 2022-07-19
modified: 2023-01-02
tags:
    - attack.initial-access
    - attack.t1190
logsource:
    category: webserver
detection:
    selection:
        cs-user-agent|contains:
            # Add more tools as you see fit
            - 'Wfuzz/'
            - 'WPScan v'
            - 'Recon-ng/v'
            - 'GIS - AppSec Team - Project Vision'
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
Suspicious VSFTPD Error Messages
Detects suspicious VSFTPD error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts
status test author Florian Roth (Nextron Systems) id 377f33a1-4b36-4ee1-acee-1dbe4b43cfbe
view Sigma YAML 
title: Suspicious VSFTPD Error Messages
id: 377f33a1-4b36-4ee1-acee-1dbe4b43cfbe
status: test
description: Detects suspicious VSFTPD error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts
references:
    - https://github.com/dagwieers/vsftpd/
author: Florian Roth (Nextron Systems)
date: 2017-07-05
modified: 2021-11-27
tags:
    - attack.initial-access
    - attack.t1190
logsource:
    product: linux
    service: vsftpd
detection:
    keywords:
        - 'Connection refused: too many sessions for this address.'
        - 'Connection refused: tcp_wrappers denial.'
        - 'Bad HTTP verb.'
        - 'port and pasv both active'
        - 'pasv and port both active'
        - 'Transfer done (but failed to open directory).'
        - 'Could not set file modification time.'
        - 'bug: pid active in ptrace_sandbox_free'
        - 'PTRACE_SETOPTIONS failure'
        - 'weird status:'
        - 'couldn''t handle sandbox event'
        - 'syscall * out of bounds'
        - 'syscall not permitted:'
        - 'syscall validate failed:'
        - 'Input line too long.'
        - 'poor buffer accounting in str_netfd_alloc'
        - 'vsf_sysutil_read_loop'
    condition: keywords
falsepositives:
    - Unknown
level: medium
Showing 1-46 of 46
Prev 1 Next
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin