Sigma is the open generic signature format for SIEM systems. Each rule below converts to native syntax for Splunk, Elastic, Sentinel, and other SIEMs. Expand any rule to see its raw YAML.
Detects PowerShell scripts to set the ACL to a file in the Windows folder
status testauthor frack113, Nasreddine Bencherchali (Nextron Systems)id 3bf1d859-3a7e-44cb-8809-a99e066d3478
view Sigma YAML
title: PowerShell Set-Acl On Windows Folder - PsScript
id: 3bf1d859-3a7e-44cb-8809-a99e066d3478
related:
- id: cae80281-ef23-44c5-873b-fd48d2666f49 # PsScript Low
type: derived
- id: 0944e002-e3f6-4eb5-bf69-3a3067b53d73 # ProcCreation Susp
type: derived
- id: bdeb2cff-af74-4094-8426-724dc937f20a # ProcCreation Low
type: derived
status: test
description: Detects PowerShell scripts to set the ACL to a file in the Windows folder
references:
- https://github.com/redcanaryco/atomic-red-team/blob/74438b0237d141ee9c99747976447dc884cb1a39/atomics/T1505.005/T1505.005.md
- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-acl?view=powershell-5.1
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2023-07-18
tags:
- attack.defense-impairment
- attack.t1222
logsource:
product: windows
category: ps_script
definition: bade5735-5ab0-4aa7-a642-a11be0e40872
detection:
selection_cmdlet:
ScriptBlockText|contains|all:
- 'Set-Acl '
- '-AclObject '
selection_paths:
# Note: Add more suspicious paths
ScriptBlockText|contains:
- '-Path "C:\Windows'
- '-Path "C:/Windows'
- "-Path 'C:\\Windows"
- "-Path 'C:/Windows"
- '-Path C:\\Windows'
- '-Path C:/Windows'
- '-Path $env:windir'
- '-Path "$env:windir'
- "-Path '$env:windir"
selection_permissions:
# Note: Add more suspicious permissions
ScriptBlockText|contains:
- 'FullControl'
- 'Allow'
condition: all of selection_*
falsepositives:
- Unknown
level: high
medium
Chmod Targeting Sensitive Directories
Detects chmod targeting files in sensitive directory paths on Linux systems.
Attackers may use chmod to change permissions of files in these directories to maintain persistence, escalate privileges, or disrupt system operations.
status testauthor Christopher Peacock @SecurePeacock, SCYTHE @scythe_ioid 6419afd1-3742-47a5-a7e6-b50386cd15f8
view Sigma YAML
title: Chmod Targeting Sensitive Directories
id: 6419afd1-3742-47a5-a7e6-b50386cd15f8
status: test
description: |
Detects chmod targeting files in sensitive directory paths on Linux systems.
Attackers may use chmod to change permissions of files in these directories to maintain persistence, escalate privileges, or disrupt system operations.
references:
- https://www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.002/T1222.002.md
author: 'Christopher Peacock @SecurePeacock, SCYTHE @scythe_io'
date: 2022-06-03
modified: 2026-03-18
tags:
- attack.defense-impairment
- attack.t1222.002
logsource:
product: linux
category: process_creation
detection:
selection:
Image|endswith: '/chmod'
CommandLine|contains:
- '/tmp/'
- '/.Library/'
- '/etc/'
- '/opt/'
filter_main_update_shells:
CommandLine|contains: 'chmod --reference=/etc/shells'
ParentCommandLine|endswith: '/update-shells'
filter_main_postinst:
CommandLine|contains: '/etc/'
ParentCommandLine|contains|all:
- '/var/lib/dpkg/info/'
- '.postinst configure'
filter_main_apt_key:
CommandLine|startswith: 'chmod 700 /tmp/apt-key-gpghome.'
filter_main_mkinitramfs:
CommandLine|startswith: 'chmod 755 /var/tmp/mkinitramfs'
filter_main_landscape:
CommandLine: 'chmod 0775 /etc/landscape/'
filter_main_ubuntu_apparmor:
CommandLine: 'chmod 644 /etc/apparmor.d/tunables/home.d/ubuntu'
condition: selection and not 1 of filter_main_*
falsepositives:
- Some false positives are to be expected. Apply additional filters as needed before pushing to production.
level: medium
Detects the modification of NTFS symbolic link behavior using fsutil, which could be used to enable remote to local or remote to remote symlinks for potential attacks.
status testauthor frack113, The DFIR Reportid c0b2768a-dd06-4671-8339-b16ca8d1f27f
view Sigma YAML
title: Potentially Suspicious NTFS Symlink Behavior Modification
id: c0b2768a-dd06-4671-8339-b16ca8d1f27f
status: test
description: |
Detects the modification of NTFS symbolic link behavior using fsutil, which could be used to enable remote to local or remote to remote symlinks for potential attacks.
references:
- https://www.cybereason.com/blog/cybereason-vs.-blackcat-ransomware
- https://learn.microsoft.com/fr-fr/windows-server/administration/windows-commands/fsutil-behavior
- https://thedfirreport.com/2025/06/30/hide-your-rdp-password-spray-leads-to-ransomhub-deployment/
author: frack113, The DFIR Report
date: 2022-03-02
modified: 2025-11-13
tags:
- attack.execution
- attack.defense-impairment
- attack.t1059
- attack.t1222.001
logsource:
category: process_creation
product: windows
detection:
selection_img_proxy:
# Note: Example command observed: cmd.exe /c "fsutil behaviour set SymlinkEvaluation"
- Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
- '\pwsh.exe'
- OriginalFileName:
- 'Cmd.Exe'
- 'PowerShell.EXE'
- 'pwsh.dll'
selection_fsutil_cli:
CommandLine|contains|all:
- 'fsutil'
- 'behavior'
- 'set'
- 'SymlinkEvaluation'
selection_symlink_params:
CommandLine|contains:
- 'R2L:1' # Remote to Local
- 'R2R:1' # Remote to Remote
- 'L2L:1' # Local to Local
condition: all of selection_*
falsepositives:
- Legitimate usage, investigate the parent process and context to determine if benign.
level: medium
medium
Remove Immutable File Attribute
Detects usage of the 'chattr' utility to remove immutable file attribute.
status testauthor Nasreddine Bencherchali (Nextron Systems)id 34979410-e4b5-4e5d-8cfb-389fdff05c12
view Sigma YAML
title: Remove Immutable File Attribute
id: 34979410-e4b5-4e5d-8cfb-389fdff05c12
related:
- id: a5b977d6-8a81-4475-91b9-49dbfcd941f7
type: derived
status: test
description: Detects usage of the 'chattr' utility to remove immutable file attribute.
references:
- https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-15
tags:
- attack.defense-impairment
- attack.t1222.002
logsource:
product: linux
category: process_creation
detection:
selection:
Image|endswith: '/chattr'
CommandLine|contains: ' -i '
condition: selection
falsepositives:
- Administrator interacting with immutable files (e.g. for instance backups).
level: medium
medium
Remove Immutable File Attribute - Auditd
Detects removing immutable file attribute.
status testauthor Jakob Weinzettl, oscd.communityid a5b977d6-8a81-4475-91b9-49dbfcd941f7
Adversaries can interact with the DACLs using built-in Windows commands takeown which can grant adversaries higher permissions on specific files and folders
status testauthor frack113id 554601fb-9b71-4bcc-abf4-21a611be4fde
view Sigma YAML
title: Suspicious Recursive Takeown
id: 554601fb-9b71-4bcc-abf4-21a611be4fde
status: test
description: Adversaries can interact with the DACLs using built-in Windows commands takeown which can grant adversaries higher permissions on specific files and folders
references:
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/takeown
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.001/T1222.001.md#atomic-test-1---take-ownership-using-takeown-utility
author: frack113
date: 2022-01-30
modified: 2022-11-21
tags:
- attack.defense-impairment
- attack.t1222.001
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\takeown.exe'
CommandLine|contains|all:
- '/f '
- '/r'
condition: selection
falsepositives:
- Scripts created by developers and admins
- Administrative activity
level: medium
low
File or Folder Permissions Change
Detects file and folder permission changes.
status testauthor Jakob Weinzettl, oscd.communityid 74c01ace-0152-4094-8ae2-6fd776dd43e5
view Sigma YAML
title: File or Folder Permissions Change
id: 74c01ace-0152-4094-8ae2-6fd776dd43e5
status: test
description: Detects file and folder permission changes.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.002/T1222.002.md
author: Jakob Weinzettl, oscd.community
date: 2019-09-23
modified: 2021-11-27
tags:
- attack.defense-impairment
- attack.t1222.002
logsource:
product: linux
service: auditd
detection:
selection:
type: 'EXECVE'
a0|contains:
- 'chmod'
- 'chown'
condition: selection
falsepositives:
- User interacting with files permissions (normal/daily behaviour).
level: low
low
PowerShell Script Change Permission Via Set-Acl - PsScript
Detects PowerShell scripts set ACL to of a file or a folder
status testauthor frack113, Nasreddine Bencherchali (Nextron Systems)id cae80281-ef23-44c5-873b-fd48d2666f49
view Sigma YAML
title: PowerShell Script Change Permission Via Set-Acl - PsScript
id: cae80281-ef23-44c5-873b-fd48d2666f49
related:
- id: 0944e002-e3f6-4eb5-bf69-3a3067b53d73 # ProcCreation Susp
type: derived
- id: bdeb2cff-af74-4094-8426-724dc937f20a # ProcCreation Low
type: derived
- id: 3bf1d859-3a7e-44cb-8809-a99e066d3478 # PsScript High
type: derived
status: test
description: Detects PowerShell scripts set ACL to of a file or a folder
references:
- https://github.com/redcanaryco/atomic-red-team/blob/74438b0237d141ee9c99747976447dc884cb1a39/atomics/T1505.005/T1505.005.md
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2023-07-18
tags:
- attack.defense-impairment
- attack.t1222
logsource:
product: windows
category: ps_script
definition: bade5735-5ab0-4aa7-a642-a11be0e40872
detection:
selection:
ScriptBlockText|contains|all:
- 'Set-Acl '
- '-AclObject '
- '-Path '
condition: selection
falsepositives:
- Unknown
level: low