
Sigma detection rules

19 rules indexed · SIEM-agnostic detection content
Sigma is the open generic signature format for SIEM systems. Each rule below converts to native syntax for Splunk, Elastic, Sentinel, and other SIEMs; the raw YAML follows each rule's summary.

Detection rules

high
Fsutil Suspicious Invocation
Detects suspicious parameters of fsutil (deleting USN journal, configuring it with small size, etc.). Might be used by ransomware during the attack (seen by NotPetya and others).
status stable author Ecco, E.M. Anhaus, oscd.community id add64136-62e5-48ea-807e-88638d02df1e
title: Fsutil Suspicious Invocation
id: add64136-62e5-48ea-807e-88638d02df1e
status: stable
description: |
  Detects suspicious parameters of fsutil (deleting USN journal, configuring it with small size, etc).
  Might be used by ransomwares during the attack (seen by NotPetya and others).
references:
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-usn
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070/T1070.md
    - https://eqllib.readthedocs.io/en/latest/analytics/c91f422a-5214-4b17-8664-c5fcf115c0a2.html
    - https://github.com/albertzsigovits/malware-notes/blob/558898932c1579ff589290092a2c8febefc3a4c9/Ransomware/Lockbit.md
    - https://blog.cluster25.duskrise.com/2023/05/22/back-in-black-blackbyte-nt
author: Ecco, E.M. Anhaus, oscd.community
date: 2019-09-26
modified: 2023-09-09
tags:
    - attack.impact
    - attack.stealth
    - attack.t1070
    - attack.t1485
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\fsutil.exe'
        - OriginalFileName: 'fsutil.exe'
    selection_cli:
        CommandLine|contains:
            - 'deletejournal'        # usn deletejournal ==> generally ransomware or attacker
            - 'createjournal'        # usn createjournal ==> can modify config to set it to a tiny size
            - 'setZeroData'          # file setZeroData  ==> empties a file with zeroes
    condition: all of selection_*
falsepositives:
    - Admin activity
    - Scripts and administrative tools used in the monitored environment
level: high
high
Potential File Overwrite Via Sysinternals SDelete
Detects the use of SDelete to erase a file, not the free space.
status test author frack113 id a4824fca-976f-4964-b334-0621379e84c4
title: Potential File Overwrite Via Sysinternals SDelete
id: a4824fca-976f-4964-b334-0621379e84c4
status: test
description: Detects the use of SDelete to erase a file not the free space
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md
author: frack113
date: 2021-06-03
modified: 2023-02-28
tags:
    - attack.impact
    - attack.t1485
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        OriginalFileName: sdelete.exe
    filter:
        CommandLine|contains:
            - ' -h'
            - ' -c'
            - ' -z'
            - ' /\?'
    condition: selection and not filter
falsepositives:
    - Unknown
level: high
high
Renamed Sysinternals Sdelete Execution
Detects the use of a renamed SysInternals Sdelete, which is something an administrator shouldn't do (the renaming)
status test author Florian Roth (Nextron Systems) id c1d867fe-8d95-4487-aab4-e53f2d339f90
title: Renamed Sysinternals Sdelete Execution
id: c1d867fe-8d95-4487-aab4-e53f2d339f90
status: test
description: Detects the use of a renamed SysInternals Sdelete, which is something an administrator shouldn't do (the renaming)
references:
    - https://learn.microsoft.com/en-us/sysinternals/downloads/sdelete
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md
author: Florian Roth (Nextron Systems)
date: 2022-09-06
modified: 2023-02-03
tags:
    - attack.impact
    - attack.t1485
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        OriginalFileName: 'sdelete.exe'
    filter:
        Image|endswith:
            - '\sdelete.exe'
            - '\sdelete64.exe'
    condition: selection and not filter
falsepositives:
    - System administrator usage
level: high
medium
AWS EFS Fileshare Mount Modified or Deleted
Detects when an EFS Fileshare Mount is modified or deleted. An adversary may break any file system using the mount target that is being deleted, which might disrupt instances or applications using those mounts.
status test author Austin Songer @austinsonger id 6a7ba45c-63d8-473e-9736-2eaabff79964
title: AWS EFS Fileshare Mount Modified or Deleted
id: 6a7ba45c-63d8-473e-9736-2eaabff79964
status: test
description: Detects when a EFS Fileshare Mount is modified or deleted. An adversary breaking any file system using the mount target that is being deleted, which might disrupt instances or applications using those mounts.
references:
    - https://docs.aws.amazon.com/efs/latest/ug/API_DeleteMountTarget.html
author: Austin Songer @austinsonger
date: 2021-08-15
modified: 2022-10-09
tags:
    - attack.impact
    - attack.t1485
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        eventSource: elasticfilesystem.amazonaws.com
        eventName: DeleteMountTarget
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
Azure Device or Configuration Modified or Deleted
Identifies when a device or device configuration in Azure is modified or deleted.
status test author Austin Songer @austinsonger id 46530378-f9db-4af9-a9e5-889c177d3881
title: Azure Device or Configuration Modified or Deleted
id: 46530378-f9db-4af9-a9e5-889c177d3881
status: test
description: Identifies when a device or device configuration in azure is modified or deleted.
references:
    - https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities#core-directory
author: Austin Songer @austinsonger
date: 2021-09-03
modified: 2022-10-09
tags:
    - attack.impact
    - attack.t1485
    - attack.t1565.001
logsource:
    product: azure
    service: activitylogs
detection:
    selection:
        properties.message:
            - Delete device
            - Delete device configuration
            - Update device
            - Update device configuration
    condition: selection
falsepositives:
    - Device or device configuration being modified or deleted may be performed by a system administrator.
    - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
    - Device or device configuration modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: medium
medium
Azure Kubernetes Network Policy Change
Identifies when an Azure Kubernetes network policy is modified or deleted.
status test author Austin Songer @austinsonger id 08d6ac24-c927-4469-b3b7-2e422d6e3c43
title: Azure Kubernetes Network Policy Change
id: 08d6ac24-c927-4469-b3b7-2e422d6e3c43
status: test
description: Identifies when a Azure Kubernetes network policy is modified or deleted.
references:
    - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
    - https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/
    - https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
    - https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1
author: Austin Songer @austinsonger
date: 2021-08-07
modified: 2022-08-23
tags:
    - attack.impact
    - attack.credential-access
    - attack.t1485
    - attack.t1496
    - attack.t1489
logsource:
    product: azure
    service: activitylogs
detection:
    selection:
        operationName:
            - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/NETWORKING.K8S.IO/NETWORKPOLICIES/WRITE
            - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/NETWORKING.K8S.IO/NETWORKPOLICIES/DELETE
            - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EXTENSIONS/NETWORKPOLICIES/WRITE
            - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EXTENSIONS/NETWORKPOLICIES/DELETE
    condition: selection
falsepositives:
    - Network Policy being modified and deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
    - Network Policy being modified and deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: medium
medium
Azure Kubernetes RoleBinding/ClusterRoleBinding Modified and Deleted
Detects the creation or patching of potentially malicious RoleBinding/ClusterRoleBinding.
status test author Austin Songer @austinsonger id 25cb259b-bbdc-4b87-98b7-90d7c72f8743
title: Azure Kubernetes RoleBinding/ClusterRoleBinding Modified and Deleted
id: 25cb259b-bbdc-4b87-98b7-90d7c72f8743
status: test
description: Detects the creation or patching of potential malicious RoleBinding/ClusterRoleBinding.
references:
    - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
    - https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/
    - https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
    - https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1
author: Austin Songer @austinsonger
date: 2021-08-07
modified: 2022-08-23
tags:
    - attack.impact
    - attack.credential-access
    - attack.t1485
    - attack.t1496
    - attack.t1489
logsource:
    product: azure
    service: activitylogs
detection:
    selection:
        operationName:
            - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLEBINDINGS/WRITE
            - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLEBINDINGS/DELETE
            - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLEBINDINGS/WRITE
            - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLEBINDINGS/DELETE
    condition: selection
falsepositives:
    - RoleBinding/ClusterRoleBinding being modified and deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
    - RoleBinding/ClusterRoleBinding modification from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: medium
medium
Azure Kubernetes Secret or Config Object Access
Identifies when a Kubernetes account accesses sensitive objects such as configmaps or secrets.
status test author Austin Songer @austinsonger id 7ee0b4aa-d8d4-4088-b661-20efdf41a04c
title: Azure Kubernetes Secret or Config Object Access
id: 7ee0b4aa-d8d4-4088-b661-20efdf41a04c
status: test
description: Identifies when a Kubernetes account access a sensitive objects such as configmaps or secrets.
references:
    - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
    - https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/
    - https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
    - https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1
author: Austin Songer @austinsonger
date: 2021-08-07
modified: 2022-08-23
tags:
    - attack.impact
    - attack.t1485
    - attack.t1496
    - attack.t1489
logsource:
    product: azure
    service: activitylogs
detection:
    selection:
        operationName:
            - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/CONFIGMAPS/WRITE
            - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/CONFIGMAPS/DELETE
            - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SECRETS/WRITE
            - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SECRETS/DELETE
    condition: selection
falsepositives:
    - Sensitive objects may be accessed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Sensitive objects accessed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: medium
medium
Azure Kubernetes Sensitive Role Access
Identifies when ClusterRoles/Roles are being modified or deleted.
status test author Austin Songer @austinsonger id 818fee0c-e0ec-4e45-824e-83e4817b0887
title: Azure Kubernetes Sensitive Role Access
id: 818fee0c-e0ec-4e45-824e-83e4817b0887
status: test
description: Identifies when ClusterRoles/Roles are being modified or deleted.
references:
    - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
    - https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/
    - https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
    - https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1
author: Austin Songer @austinsonger
date: 2021-08-07
modified: 2022-08-23
tags:
    - attack.impact
    - attack.t1485
    - attack.t1496
    - attack.t1489
logsource:
    product: azure
    service: activitylogs
detection:
    selection:
        operationName:
            - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLES/WRITE
            - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLES/DELETE
            - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLES/BIND/ACTION
            - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLES/ESCALATE/ACTION
            - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLES/WRITE
            - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLES/DELETE
            - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLES/BIND/ACTION
            - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLES/ESCALATE/ACTION
    condition: selection
falsepositives:
    - ClusterRoles/Roles being modified and deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
    - ClusterRoles/Roles modification from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: medium
medium
Azure Kubernetes Service Account Modified or Deleted
Identifies when a service account is modified or deleted.
status test author Austin Songer @austinsonger id 12d027c3-b48c-4d9d-8bb6-a732200034b2
title: Azure Kubernetes Service Account Modified or Deleted
id: 12d027c3-b48c-4d9d-8bb6-a732200034b2
status: test
description: Identifies when a service account is modified or deleted.
references:
    - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
    - https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/
    - https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
    - https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1
author: Austin Songer @austinsonger
date: 2021-08-07
modified: 2022-08-23
tags:
    - attack.impact
    - attack.t1531
    - attack.t1485
    - attack.t1496
    - attack.t1489
logsource:
    product: azure
    service: activitylogs
detection:
    selection:
        operationName:
            - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SERVICEACCOUNTS/WRITE
            - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SERVICEACCOUNTS/DELETE
            - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SERVICEACCOUNTS/IMPERSONATE/ACTION
    condition: selection
falsepositives:
    - Service account being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
    - Service account modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: medium
medium
Deleted Data Overwritten Via Cipher.EXE
Detects usage of the "cipher" built-in utility in order to overwrite deleted data from disk. Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources. Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives.
status test author frack113 id 4b046706-5789-4673-b111-66f25fe99534
title: Deleted Data Overwritten Via Cipher.EXE
id: 4b046706-5789-4673-b111-66f25fe99534
status: test
description: |
    Detects usage of the "cipher" built-in utility in order to overwrite deleted data from disk.
    Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.
    Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md#atomic-test-3---overwrite-deleted-data-on-c-drive
author: frack113
date: 2021-12-26
modified: 2023-02-21
tags:
    - attack.impact
    - attack.t1485
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - OriginalFileName: 'CIPHER.EXE'
        - Image|endswith: '\cipher.exe'
    selection_cli:
        CommandLine|contains: ' /w:'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_cipher_overwrite_deleted_data/info.yml
simulation:
    - type: atomic-red-team
      name: Overwrite deleted data on C drive
      technique: T1485
      atomic_guid: 321fd25e-0007-417f-adec-33232252be19
medium
MSSQL Destructive Query
Detects the invocation of MS SQL transactions that are destructive towards table or database data, such as "DROP TABLE" or "DROP DATABASE".
status experimental author Daniel Degasperi '@d4ns4n_' id 00321fee-ca72-4cce-b011-5415af3b9960
title: MSSQL Destructive Query
id: 00321fee-ca72-4cce-b011-5415af3b9960
status: experimental
description: |
    Detects the invocation of MS SQL transactions that are destructive towards table or database data, such as "DROP TABLE" or "DROP DATABASE".
references:
    - https://learn.microsoft.com/en-us/sql/t-sql/statements/drop-table-transact-sql?view=sql-server-ver16
    - https://learn.microsoft.com/en-us/sql/t-sql/statements/drop-database-transact-sql?view=sql-server-ver16
    - https://learn.microsoft.com/en-us/sql/t-sql/statements/truncate-table-transact-sql?view=sql-server-ver16
author: Daniel Degasperi '@d4ns4n_'
date: 2025-06-04
tags:
    - attack.exfiltration
    - attack.impact
    - attack.t1485
logsource:
    product: windows
    service: application
    definition: 'Requirements: MSSQL audit policy must be enabled in order to receive this event (event id 33205)'
detection:
    selection:
        Provider_Name: 'MSSQLSERVER$AUDIT'
        EventID: 33205
        Data|contains:
            - 'statement:TRUNCATE TABLE'
            - 'statement:DROP TABLE'
            - 'statement:DROP DATABASE'
    condition: selection
falsepositives:
    - Legitimate transaction from a sysadmin.
level: medium
medium
Microsoft 365 - Unusual Volume of File Deletion
Detects when Microsoft Cloud App Security reports that a user has deleted an unusually large volume of files.
status test author austinsonger id 78a34b67-3c39-4886-8fb4-61c46dc18ecd
title: Microsoft 365 - Unusual Volume of File Deletion
id: 78a34b67-3c39-4886-8fb4-61c46dc18ecd
status: test
description: Detects when a Microsoft Cloud App Security reported a user has deleted a unusual a large volume of files.
references:
    - https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy
    - https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference
author: austinsonger
date: 2021-08-19
modified: 2022-10-09
tags:
    - attack.impact
    - attack.t1485
logsource:
    service: threat_management
    product: m365
detection:
    selection:
        eventSource: SecurityComplianceCenter
        eventName: 'Unusual volume of file deletion'
        status: success
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
Potential Secure Deletion with SDelete
Detects files that have extensions commonly seen while SDelete is used to wipe files.
status test author Thomas Patzke id 39a80702-d7ca-4a83-b776-525b1f86a36d
title: Potential Secure Deletion with SDelete
id: 39a80702-d7ca-4a83-b776-525b1f86a36d
status: test
description: Detects files that have extensions commonly seen while SDelete is used to wipe files.
references:
    - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/sdelete.htm
    - https://www.jpcert.or.jp/english/pub/sr/ir_research.html
    - https://learn.microsoft.com/en-gb/sysinternals/downloads/sdelete
author: Thomas Patzke
date: 2017-06-14
modified: 2024-12-13
tags:
    - attack.impact
    - attack.stealth
    - attack.defense-impairment
    - attack.t1070.004
    - attack.t1027.005
    - attack.t1485
    - attack.t1553.002
    - attack.s0195
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID:
            - 4656
            - 4663
            - 4658
        ObjectName|endswith:
            - '.AAA'
            - '.ZZZ'
    condition: selection
falsepositives:
    - Legitimate usage of SDelete
    - Files that are interacted with that have these extensions legitimately
level: medium
low
AWS EKS Cluster Created or Deleted
Identifies when an EKS cluster is created or deleted.
status test author Austin Songer id 33d50d03-20ec-4b74-a74e-1e65a38af1c0
title: AWS EKS Cluster Created or Deleted
id: 33d50d03-20ec-4b74-a74e-1e65a38af1c0
status: test
description: Identifies when an EKS cluster is created or deleted.
references:
    - https://any-api.com/amazonaws_com/eks/docs/API_Description
author: Austin Songer
date: 2021-08-16
modified: 2022-10-09
tags:
    - attack.impact
    - attack.t1485
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        eventSource: eks.amazonaws.com
        eventName:
            - CreateCluster
            - DeleteCluster
    condition: selection
falsepositives:
    - EKS Cluster being created or deleted may be performed by a system administrator.
    - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
    - EKS Cluster created or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: low
low
Azure Container Registry Created or Deleted
Detects when a Container Registry is created or deleted.
status test author Austin Songer @austinsonger id 93e0ef48-37c8-49ed-a02c-038aab23628e
title: Azure Container Registry Created or Deleted
id: 93e0ef48-37c8-49ed-a02c-038aab23628e
status: test
description: Detects when a Container Registry is created or deleted.
references:
    - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
    - https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/
    - https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
    - https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1
author: Austin Songer @austinsonger
date: 2021-08-07
modified: 2022-08-23
tags:
    - attack.impact
    - attack.t1485
    - attack.t1496
    - attack.t1489
logsource:
    product: azure
    service: activitylogs
detection:
    selection:
        operationName:
            - MICROSOFT.CONTAINERREGISTRY/REGISTRIES/WRITE
            - MICROSOFT.CONTAINERREGISTRY/REGISTRIES/DELETE
    condition: selection
falsepositives:
    - Container Registry being created or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
    - Container Registry created or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: low
low
Azure Kubernetes Cluster Created or Deleted
Detects when an Azure Kubernetes Cluster is created or deleted.
status test author Austin Songer @austinsonger id 9541f321-7cba-4b43-80fc-fbd1fb922808
title: Azure Kubernetes Cluster Created or Deleted
id: 9541f321-7cba-4b43-80fc-fbd1fb922808
status: test
description: Detects when a Azure Kubernetes Cluster is created or deleted.
references:
    - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
    - https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/
    - https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
    - https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1
author: Austin Songer @austinsonger
date: 2021-08-07
modified: 2022-08-23
tags:
    - attack.impact
    - attack.t1485
    - attack.t1496
    - attack.t1489
logsource:
    product: azure
    service: activitylogs
detection:
    selection:
        operationName:
            - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/WRITE
            - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/DELETE
    condition: selection
falsepositives:
    - Kubernetes cluster being created or  deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
    - Kubernetes cluster created or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: low
low
DD File Overwrite
Detects potential overwriting and deletion of a file using DD.
status test author Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC id 2953194b-e33c-4859-b9e8-05948c167447
title: DD File Overwrite
id: 2953194b-e33c-4859-b9e8-05948c167447
status: test
description: Detects potential overwriting and deletion of a file using DD.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md#atomic-test-2---macoslinux---overwrite-file-with-dd
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
date: 2021-10-15
modified: 2022-07-07
tags:
    - attack.impact
    - attack.t1485
logsource:
    product: linux
    category: process_creation
detection:
    selection1:
        Image:
            - '/bin/dd'
            - '/usr/bin/dd'
    selection2:
        CommandLine|contains: 'of='
    selection3:
        CommandLine|contains:
            - 'if=/dev/zero'
            - 'if=/dev/null'
    condition: all of selection*
falsepositives:
    - Any user deleting files that way.
level: low
low
Overwriting the File with Dev Zero or Null
Detects overwriting (effectively wiping/deleting) of a file.
status stable author Jakob Weinzettl, oscd.community id 37222991-11e9-4b6d-8bdf-60fbe48f753e
title: Overwriting the File with Dev Zero or Null
id: 37222991-11e9-4b6d-8bdf-60fbe48f753e
status: stable
description: Detects overwriting (effectively wiping/deleting) of a file.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md
author: Jakob Weinzettl, oscd.community
date: 2019-10-23
tags:
    - attack.impact
    - attack.t1485
logsource:
    product: linux
    service: auditd
detection:
    selection:
        type: 'EXECVE'
        a0|contains: 'dd'
        a1|contains:
            - 'if=/dev/null'
            - 'if=/dev/zero'
    condition: selection
falsepositives:
    - Appending null bytes to files.
    - Legitimate overwrite of files.
level: low
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin