Home/Sigma rules
Sigma

Sigma detection rules

4 rules indexed · SIEM-agnostic detection content
Sigma is the open generic signature format for SIEM systems. Each rule below converts to native syntax for Splunk, Elastic, Sentinel, and other SIEMs. Expand any rule to see its raw YAML.
Severity critical high medium low all severities

Detection rules

4 shown of 4
critical
Audit CVE Event
Detects events generated by user-mode applications when they call the CveEventWrite API when a known vulnerability is trying to be exploited. MS started using this log in Jan. 2020 with CVE-2020-0601 (a Windows CryptoAPI vulnerability. Unfortunately, that is about the only instance of CVEs being written to this log.
status test author Florian Roth (Nextron Systems), Zach Mathis id 48d91a3a-2363-43ba-a456-ca71ac3da5c2
view Sigma YAML 
title: Audit CVE Event
id: 48d91a3a-2363-43ba-a456-ca71ac3da5c2
status: test
description: |
    Detects events generated by user-mode applications when they call the CveEventWrite API when a known vulnerability is trying to be exploited.
    MS started using this log in Jan. 2020 with CVE-2020-0601 (a Windows CryptoAPI vulnerability.
    Unfortunately, that is about the only instance of CVEs being written to this log.
references:
    - https://twitter.com/VM_vivisector/status/1217190929330655232
    - https://twitter.com/DidierStevens/status/1217533958096924676
    - https://twitter.com/FlemmingRiis/status/1217147415482060800
    - https://www.youtube.com/watch?v=ebmW42YYveI # "CVEs in Windows Event Logs? What You Need to Know" by 13Cubed.
    - https://nullsec.us/windows-event-log-audit-cve/
author: Florian Roth (Nextron Systems), Zach Mathis
date: 2020-01-15
modified: 2022-10-22
tags:
    - attack.execution
    - attack.stealth
    - attack.t1203
    - attack.privilege-escalation
    - attack.t1068
    - attack.t1211
    - attack.credential-access
    - attack.t1212
    - attack.lateral-movement
    - attack.t1210
    - attack.impact
    - attack.t1499.004
logsource:
    product: windows
    service: application
detection:
    selection:
        Provider_Name:
            - 'Microsoft-Windows-Audit-CVE'
            - 'Audit-CVE'
        EventID: 1
    condition: selection
falsepositives:
    - Unknown
level: critical
high
Microsoft Malware Protection Engine Crash
This rule detects a suspicious crash of the Microsoft Malware Protection Engine
status test author Florian Roth (Nextron Systems) id 545a5da6-f103-4919-a519-e9aec1026ee4
view Sigma YAML 
title: Microsoft Malware Protection Engine Crash
id: 545a5da6-f103-4919-a519-e9aec1026ee4
related:
    - id: 6c82cf5c-090d-4d57-9188-533577631108
      type: similar
status: test
description: This rule detects a suspicious crash of the Microsoft Malware Protection Engine
references:
    - https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5
    - https://technet.microsoft.com/en-us/library/security/4022344
author: Florian Roth (Nextron Systems)
date: 2017-05-09
modified: 2023-04-14
tags:
    - attack.stealth
    - attack.defense-impairment
    - attack.t1211
    - attack.t1685
logsource:
    product: windows
    service: application
    # warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
detection:
    selection:
        Provider_Name: 'Application Error'
        EventID: 1000
        Data|contains|all:
            - 'MsMpEng.exe'
            - 'mpengine.dll'
    condition: selection
falsepositives:
    - MsMpEng might crash if the "C:\" partition is full
level: high
high
Microsoft Malware Protection Engine Crash - WER
This rule detects a suspicious crash of the Microsoft Malware Protection Engine
status test author Florian Roth (Nextron Systems) id 6c82cf5c-090d-4d57-9188-533577631108
view Sigma YAML 
title: Microsoft Malware Protection Engine Crash - WER
id: 6c82cf5c-090d-4d57-9188-533577631108
status: test
description: This rule detects a suspicious crash of the Microsoft Malware Protection Engine
references:
    - https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5
    - https://technet.microsoft.com/en-us/library/security/4022344
author: Florian Roth (Nextron Systems)
date: 2017-05-09
modified: 2023-04-14
tags:
    - attack.stealth
    - attack.defense-impairment
    - attack.t1211
    - attack.t1685
logsource:
    product: windows
    service: application
    # warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
detection:
    selection:
        Provider_Name: 'Windows Error Reporting'
        EventID: 1001
        Data|contains|all:
            - 'MsMpEng.exe'
            - 'mpengine.dll'
    condition: selection
falsepositives:
    - MsMpEng might crash if the "C:\" partition is full
level: high
medium
Writing Of Malicious Files To The Fonts Folder
Monitors for the hiding possible malicious files in the C:\Windows\Fonts\ location. This folder doesn't require admin privillege to be written and executed from.
status test author Sreeman id ae9b0bd7-8888-4606-b444-0ed7410cb728
view Sigma YAML 
title: Writing Of Malicious Files To The Fonts Folder
id: ae9b0bd7-8888-4606-b444-0ed7410cb728
status: test
description: Monitors for the hiding possible malicious files in the C:\Windows\Fonts\ location. This folder doesn't require admin privillege to be written and executed from.
references:
    - https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/
author: Sreeman
date: 2020-04-21
modified: 2022-03-08
tags:
    - attack.stealth
    - attack.t1211
    - attack.t1059
    - attack.persistence
    - attack.execution
logsource:
    product: windows
    category: process_creation
detection:
    selection_1:
        CommandLine|contains:
            - 'echo'
            - 'copy'
            - 'type'
            - 'file createnew'
            - 'cacls'
    selection_2:
        CommandLine|contains: 'C:\Windows\Fonts\'
    selection_3:
        CommandLine|contains:
            - '.sh'
            - '.exe'
            - '.dll'
            - '.bin'
            - '.bat'
            - '.cmd'
            - '.js'
            - '.msh'
            - '.reg'
            - '.scr'
            - '.ps'
            - '.vb'
            - '.jar'
            - '.pl'
            - '.inf'
            - '.cpl'
            - '.hta'
            - '.msi'
            - '.vbs'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
Showing 1-4 of 4
Prev 1 Next
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin