Sigma detection rules

Home/Sigma rules

Sigma

19 rules indexed · SIEM-agnostic detection content

Sigma is the open generic signature format for SIEM systems. Each rule below converts to native syntax for Splunk, Elastic, Sentinel, and other SIEMs. Expand any rule to see its raw YAML.

Severity critical high medium low all severities

◈

Detection rules

19 shown of 19

high

Delete All Scheduled Tasks

Detects the usage of schtasks with the delete flag and the asterisk symbol to delete all tasks from the schedule of the local computer, including tasks scheduled by other users.

status test author Nasreddine Bencherchali (Nextron Systems) id 220457c1-1c9f-4c2e-afe6-9598926222c1

view Sigma YAML

title: Delete All Scheduled Tasks
id: 220457c1-1c9f-4c2e-afe6-9598926222c1
status: test
description: Detects the usage of schtasks with the delete flag and the asterisk symbol to delete all tasks from the schedule of the local computer, including tasks scheduled by other users.
references:
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-delete
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-09
tags:
    - attack.impact
    - attack.t1489
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\schtasks.exe'
        CommandLine|contains|all:
            - ' /delete '
            - '/tn \*'
            - ' /f'
    condition: selection
falsepositives:
    - Unlikely
level: high

high

Delete Important Scheduled Task

Detects when adversaries stop services or processes by deleting their respective scheduled tasks in order to conduct data destructive activities

status test author Nasreddine Bencherchali (Nextron Systems) id dbc1f800-0fe0-4bc0-9c66-292c2abe3f78

view Sigma YAML

title: Delete Important Scheduled Task
id: dbc1f800-0fe0-4bc0-9c66-292c2abe3f78
related:
    - id: 9e3cb244-bdb8-4632-8c90-6079c8f4f16d # TaskScheduler EventLog
      type: similar
    - id: 7595ba94-cf3b-4471-aa03-4f6baa9e5fad # Security-Audting Eventlog
      type: similar
status: test
description: Detects when adversaries stop services or processes by deleting their respective scheduled tasks in order to conduct data destructive activities
references:
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-09
modified: 2026-03-11
tags:
    - attack.impact
    - attack.t1489
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\schtasks.exe'
        - OriginalFileName: 'schtasks.exe'
    selection_cli_delete:
        CommandLine|contains|windash: '/delete'
    selection_cli_task:
        CommandLine|contains:
            # Add more important tasks
            - '\Windows\BitLocker'
            - '\Windows\ExploitGuard'
            - '\Windows\SystemRestore\SR'
            - '\Windows\UpdateOrchestrator\'
            - '\Windows\Windows Defender\'
            - '\Windows\WindowsBackup\'
            - '\Windows\WindowsUpdate\'
    condition: all of selection_*
falsepositives:
    - Unlikely
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_schtasks_delete/info.yml

high

Disable Important Scheduled Task

Detects when adversaries stop services or processes by disabling their respective scheduled tasks in order to conduct data destructive activities

status test author frack113, Nasreddine Bencherchali (Nextron Systems), X__Junior id 9ac94dc8-9042-493c-ba45-3b5e7c86b980

view Sigma YAML

title: Disable Important Scheduled Task
id: 9ac94dc8-9042-493c-ba45-3b5e7c86b980
related:
    - id: 7595ba94-cf3b-4471-aa03-4f6baa9e5fad # Security-Audting Eventlog
      type: similar
    - id: 9e3cb244-bdb8-4632-8c90-6079c8f4f16d # TaskScheduler EventLog
      type: similar
status: test
description: Detects when adversaries stop services or processes by disabling their respective scheduled tasks in order to conduct data destructive activities
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-8---windows---disable-the-sr-scheduled-task
    - https://twitter.com/MichalKoczwara/status/1553634816016498688
    - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
author: frack113, Nasreddine Bencherchali (Nextron Systems), X__Junior
date: 2021-12-26
modified: 2026-03-11
tags:
    - attack.impact
    - attack.t1489
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\schtasks.exe'
        - OriginalFileName: 'schtasks.exe'
    selection_cli_disable:
        CommandLine|contains|windash: '/disable'
    selection_cli_task:
        CommandLine|contains:
            # Add more important tasks
            - '\Windows\BitLocker'
            - '\Windows\ExploitGuard'
            - '\Windows\ExploitGuard\ExploitGuard MDM policy Refresh'
            - '\Windows\SystemRestore\SR'
            - '\Windows\UpdateOrchestrator\'
            - '\Windows\Windows Defender\'
            - '\Windows\WindowsBackup\'
            - '\Windows\WindowsUpdate\'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_schtasks_disable/info.yml
simulation:
    - type: atomic-red-team
      name: Windows - Disable the SR scheduled task
      technique: T1490
      atomic_guid: 1c68c68d-83a4-4981-974e-8993055fa034

high

Important Scheduled Task Deleted or Disabled

Detects when adversaries try to stop system services or processes by deleting or disabling their respective scheduled tasks in order to conduct data destructive activities

status test author frack113 id 9e3cb244-bdb8-4632-8c90-6079c8f4f16d

view Sigma YAML

title: Important Scheduled Task Deleted or Disabled
id: 9e3cb244-bdb8-4632-8c90-6079c8f4f16d
related:
    - id: dbc1f800-0fe0-4bc0-9c66-292c2abe3f78 # ProcCreation schtasks delete
      type: similar
    - id: 7595ba94-cf3b-4471-aa03-4f6baa9e5fad # Security-Audting Eventlog
      type: similar
    - id: 9ac94dc8-9042-493c-ba45-3b5e7c86b980 # ProcCreation schtasks disable
      type: similar
status: test
description: |
    Detects when adversaries try to stop system services or processes by deleting or disabling their respective scheduled tasks in order to conduct data destructive activities
references:
    - https://www.socinvestigation.com/most-common-windows-event-ids-to-hunt-mind-map/
author: frack113
date: 2023-01-13
modified: 2026-03-11
tags:
    - attack.impact
    - attack.t1489
logsource:
    product: windows
    service: taskscheduler
    definition: 'Requirements: The "Microsoft-Windows-TaskScheduler/Operational" is disabled by default and needs to be enabled in order for this detection to trigger'
detection:
    selection:
        EventID:
            - 141 # Task Deleted
            - 142 # Task Disabled
        TaskName|contains:
            - '\Windows\SystemRestore\SR'
            - '\Windows\Windows Defender\'
            - '\Windows\BitLocker'
            - '\Windows\WindowsBackup\'
            - '\Windows\WindowsUpdate\'
            - '\Windows\UpdateOrchestrator\'
            - '\Windows\ExploitGuard'
    filter_main_user:
        UserName|contains:
            - 'AUTHORI'
            - 'AUTORI'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high
regression_tests_path: regression_data/rules/windows/builtin/taskscheduler/win_taskscheduler_susp_schtasks_delete_or_disable/info.yml
simulation:
    - type: atomic-red-team
      name: Windows - Disable the SR scheduled task
      technique: T1490
      atomic_guid: 1c68c68d-83a4-4981-974e-8993055fa034

high

Suspicious Windows Service Tampering

Detects the usage of binaries such as 'net', 'sc' or 'powershell' in order to stop, pause, disable or delete critical or important Windows services such as AV, Backup, etc. As seen being used in some ransomware scripts

status test author Nasreddine Bencherchali (Nextron Systems), frack113 , X__Junior (Nextron Systems) id ce72ef99-22f1-43d4-8695-419dcb5d9330

view Sigma YAML

title: Suspicious Windows Service Tampering
id: ce72ef99-22f1-43d4-8695-419dcb5d9330
related:
    - id: eb87818d-db5d-49cc-a987-d5da331fbd90
      type: obsolete
    - id: 6783aa9e-0dc3-49d4-a94a-8b39c5fd700b
      type: obsolete
    - id: 7fd4bb39-12d0-45ab-bb36-cebabc73dc7b
      type: obsolete
status: test
description: |
    Detects the usage of binaries such as 'net', 'sc' or 'powershell' in order to stop, pause, disable or delete critical or important Windows services such as AV, Backup, etc. As seen being used in some ransomware scripts
references:
    - https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus/Genshin%20Impact%20Figure%2010.jpg
    - https://www.trellix.com/en-sg/about/newsroom/stories/threat-labs/lockergoga-ransomware-family-used-in-targeted-attacks.html
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
    - https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/
    - https://www.virustotal.com/gui/file/38283b775552da8981452941ea74191aa0d203edd3f61fb2dee7b0aea3514955
    - https://learn.microsoft.com/en-us/windows/win32/cimwin32prov/delete-method-in-class-win32-service
author: Nasreddine Bencherchali (Nextron Systems), frack113 , X__Junior (Nextron Systems)
date: 2022-09-01
modified: 2025-08-27
tags:
    - attack.impact
    - attack.defense-impairment
    - attack.t1489
    - attack.t1685
logsource:
    category: process_creation
    product: windows
detection:
    selection_tools_img:
        - OriginalFileName:
              - 'net.exe'
              - 'net1.exe'
              - 'PowerShell_ISE.EXE'
              - 'PowerShell.EXE'
              - 'psservice.exe'
              - 'pwsh.dll'
              - 'sc.exe'
              - 'wmic.exe'
        - Image|endswith:
              - '\net.exe'
              - '\net1.exe'
              - '\PowerShell_ISE.EXE'
              - '\powershell.exe'
              - '\PsService.exe'
              - '\PsService64.exe'
              - '\pwsh.exe'
              - '\sc.exe'
              - '\wmic.exe' # wmic process call win32_service where name='servicename' delete
    selection_tools_cli:
        - CommandLine|contains:
              - ' delete '
              - '.delete()' # Get-WmiObject win32_service -Filter "name='$serviceName'" ).delete()
              - ' pause ' # Covers flags from: PsService and Sc.EXE
              - ' stop ' # Covers flags from: PsService.EXE, Net.EXE and Sc.EXE
              - 'Stop-Service '
              - 'Remove-Service '
        - CommandLine|contains|all:
              - 'config'
              - 'start=disabled'
    selection_services:
        CommandLine|contains:
            - '143Svc'
            - 'Acronis VSS Provider'
            - 'AcronisAgent'
            - 'AcrSch2Svc'
            - 'AdobeARMservice'
            - 'AHS Service'
            - 'Antivirus'
            - 'Apache4'
            - 'ARSM'
            - 'aswBcc'
            - 'AteraAgent'
            - 'Avast Business Console Client Antivirus Service'
            - 'avast! Antivirus'
            - 'AVG Antivirus'
            - 'avgAdminClient'
            - 'AvgAdminServer'
            - 'AVP1'
            - 'BackupExec'
            - 'bedbg'
            - 'BITS'
            - 'BrokerInfrastructure'
            - 'CASLicenceServer'
            - 'CASWebServer'
            - 'Client Agent 7.60'
            - 'Core Browsing Protection'
            - 'Core Mail Protection'
            - 'Core Scanning Server'
            - 'DCAgent'
            - 'dwmrcs'
            - 'EhttpSr'
            - 'ekrn'
            - 'Enterprise Client Service'
            - 'epag'
            - 'EPIntegrationService'
            - 'EPProtectedService'
            - 'EPRedline'
            - 'EPSecurityService'
            - 'EPUpdateService'
            - 'EraserSvc11710'
            - 'EsgShKernel'
            - 'ESHASRV'
            - 'FA_Scheduler'
            - 'FirebirdGuardianDefaultInstance'
            - 'FirebirdServerDefaultInstance'
            - 'FontCache3.0.0.0'
            - 'HealthTLService'
            - 'hmpalertsvc'
            - 'HMS'
            - 'HostControllerService'
            - 'hvdsvc'
            - 'IAStorDataMgrSvc'
            - 'IBMHPS'
            - 'ibmspsvc'
            - 'IISAdmin'
            - 'IMANSVC'
            - 'IMAP4Svc'
            - 'instance2'
            - 'KAVFS'
            - 'KAVFSGT'
            - 'kavfsslp'
            - 'KeyIso'
            - 'klbackupdisk'
            - 'klbackupflt'
            - 'klflt'
            - 'klhk'
            - 'KLIF'
            - 'klim6'
            - 'klkbdflt'
            - 'klmouflt'
            - 'klnagent'
            - 'klpd'
            - 'kltap'
            - 'KSDE1.0.0'
            - 'LogProcessorService'
            - 'M8EndpointAgent'
            - 'macmnsvc'
            - 'masvc'
            - 'MBAMService'
            - 'MBCloudEA'
            - 'MBEndpointAgent'
            - 'McAfeeDLPAgentService'
            - 'McAfeeEngineService'
            - 'MCAFEEEVENTPARSERSRV'
            - 'McAfeeFramework'
            - 'MCAFEETOMCATSRV530'
            - 'McShield'
            - 'McTaskManager'
            - 'mfefire'
            - 'mfemms'
            - 'mfevto'
            - 'mfevtp'
            - 'mfewc'
            - 'MMS'
            - 'mozyprobackup'
            - 'mpssvc'
            - 'MSComplianceAudit'
            - 'MSDTC'
            - 'MsDtsServer'
            - 'MSExchange'
            - 'msftesq1SPROO'
            - 'msftesql$PROD'
            - 'msftesql$SQLEXPRESS'
            - 'MSOLAP$SQL_2008'
            - 'MSOLAP$SYSTEM_BGC'
            - 'MSOLAP$TPS'
            - 'MSOLAP$TPSAMA'
            - 'MSOLAPSTPS'
            - 'MSOLAPSTPSAMA'
            - 'mssecflt'
            - 'MSSQ!I.SPROFXENGAGEMEHT'
            - 'MSSQ0SHAREPOINT'
            - 'MSSQ0SOPHOS'
            - 'MSSQL'
            - 'MSSQLFDLauncher$'
            - 'MySQL'
            - 'NanoServiceMain'
            - 'NetMsmqActivator'
            - 'NetPipeActivator'
            - 'netprofm'
            - 'NetTcpActivator'
            - 'NetTcpPortSharing'
            - 'ntrtscan'
            - 'nvspwmi'
            - 'ofcservice'
            - 'Online Protection System'
            - 'OracleClientCache80'
            - 'OracleDBConsole'
            - 'OracleMTSRecoveryService'
            - 'OracleOraDb11g_home1'
            - 'OracleService'
            - 'OracleVssWriter'
            - 'osppsvc'
            - 'PandaAetherAgent'
            - 'PccNTUpd'
            - 'PDVFSService'
            - 'POP3Svc'
            - 'postgresql-x64-9.4'
            - 'POVFSService'
            - 'PSUAService'
            - 'Quick Update Service'
            - 'RepairService'
            - 'ReportServer'
            - 'ReportServer$'
            - 'RESvc'
            - 'RpcEptMapper'
            - 'sacsvr'
            - 'SamSs'
            - 'SAVAdminService'
            - 'SAVService'
            - 'ScSecSvc'
            - 'SDRSVC'
            - 'SearchExchangeTracing'
            - 'sense'
            - 'SentinelAgent'
            - 'SentinelHelperService'
            - 'SepMasterService'
            - 'ShMonitor'
            - 'Smcinst'
            - 'SmcService'
            - 'SMTPSvc'
            - 'SNAC'
            - 'SntpService'
            - 'Sophos'
            - 'SQ1SafeOLRService'
            - 'SQL Backups'
            - 'SQL Server'
            - 'SQLAgent'
            - 'SQLANYs_Sage_FAS_Fixed_Assets'
            - 'SQLBrowser'
            - 'SQLsafe'
            - 'SQLSERVERAGENT'
            - 'SQLTELEMETRY'
            - 'SQLWriter'
            - 'SSISTELEMETRY130'
            - 'SstpSvc'
            - 'storflt'
            - 'svcGenericHost'
            - 'swc_service'
            - 'swi_filter'
            - 'swi_service'
            - 'swi_update'
            - 'Symantec'
            - 'sysmon'
            - 'TeamViewer'
            - 'Telemetryserver'
            - 'ThreatLockerService'
            - 'TMBMServer'
            - 'TmCCSF'
            - 'TmFilter'
            - 'TMiCRCScanService'
            - 'tmlisten'
            - 'TMLWCSService'
            - 'TmPfw'
            - 'TmPreFilter'
            - 'TmProxy'
            - 'TMSmartRelayService'
            - 'tmusa'
            - 'Tomcat'
            - 'Trend Micro Deep Security Manager'
            - 'TrueKey'
            - 'UFNet'
            - 'UI0Detect'
            - 'UniFi'
            - 'UTODetect'
            - 'vds'
            - 'Veeam'
            - 'VeeamDeploySvc'
            - 'Veritas System Recovery'
            - 'vmic'
            - 'VMTools'
            - 'vmvss'
            - 'VSApiNt'
            - 'VSS'
            - 'W3Svc'
            - 'wbengine'
            - 'WdNisSvc'
            - 'WeanClOudSve'
            - 'Weems JY'
            - 'WinDefend'
            - 'wmms'
            - 'wozyprobackup'
            - 'WPFFontCache_v0400'
            - 'WRSVC'
            - 'wsbexchange'
            - 'WSearch'
            - 'wscsvc'
            - 'Zoolz 2 Service'
    condition: all of selection_*
falsepositives:
    - Administrators or tools shutting down the services due to upgrade or removal purposes. If you experience some false positive, please consider adding filters to the parent process launching this command and not removing the entry
level: high

medium

Azure Application Deleted

Identifies when a application is deleted in Azure.

status test author Austin Songer @austinsonger id 410d2a41-1e6d-452f-85e5-abdd8257a823

view Sigma YAML

title: Azure Application Deleted
id: 410d2a41-1e6d-452f-85e5-abdd8257a823
status: test
description: Identifies when a application is deleted in Azure.
references:
    - https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities#application-proxy
author: Austin Songer @austinsonger
date: 2021-09-03
modified: 2022-10-09
tags:
    - attack.impact
    - attack.t1489
logsource:
    product: azure
    service: activitylogs
detection:
    selection:
        properties.message:
            - Delete application
            - Hard Delete application
    condition: selection
falsepositives:
    - Application being deleted may be performed by a system administrator.
    - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
    - Application deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: medium

medium

Azure Kubernetes Network Policy Change

Identifies when a Azure Kubernetes network policy is modified or deleted.

status test author Austin Songer @austinsonger id 08d6ac24-c927-4469-b3b7-2e422d6e3c43

view Sigma YAML

title: Azure Kubernetes Network Policy Change
id: 08d6ac24-c927-4469-b3b7-2e422d6e3c43
status: test
description: Identifies when a Azure Kubernetes network policy is modified or deleted.
references:
    - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
    - https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/
    - https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
    - https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1
author: Austin Songer @austinsonger
date: 2021-08-07
modified: 2022-08-23
tags:
    - attack.impact
    - attack.credential-access
    - attack.t1485
    - attack.t1496
    - attack.t1489
logsource:
    product: azure
    service: activitylogs
detection:
    selection:
        operationName:
            - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/NETWORKING.K8S.IO/NETWORKPOLICIES/WRITE
            - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/NETWORKING.K8S.IO/NETWORKPOLICIES/DELETE
            - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EXTENSIONS/NETWORKPOLICIES/WRITE
            - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EXTENSIONS/NETWORKPOLICIES/DELETE
    condition: selection
falsepositives:
    - Network Policy being modified and deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
    - Network Policy being modified and deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: medium

medium

Azure Kubernetes RoleBinding/ClusterRoleBinding Modified and Deleted

Detects the creation or patching of potential malicious RoleBinding/ClusterRoleBinding.

status test author Austin Songer @austinsonger id 25cb259b-bbdc-4b87-98b7-90d7c72f8743

view Sigma YAML

title: Azure Kubernetes RoleBinding/ClusterRoleBinding Modified and Deleted
id: 25cb259b-bbdc-4b87-98b7-90d7c72f8743
status: test
description: Detects the creation or patching of potential malicious RoleBinding/ClusterRoleBinding.
references:
    - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
    - https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/
    - https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
    - https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1
author: Austin Songer @austinsonger
date: 2021-08-07
modified: 2022-08-23
tags:
    - attack.impact
    - attack.credential-access
    - attack.t1485
    - attack.t1496
    - attack.t1489
logsource:
    product: azure
    service: activitylogs
detection:
    selection:
        operationName:
            - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLEBINDINGS/WRITE
            - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLEBINDINGS/DELETE
            - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLEBINDINGS/WRITE
            - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLEBINDINGS/DELETE
    condition: selection
falsepositives:
    - RoleBinding/ClusterRoleBinding being modified and deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
    - RoleBinding/ClusterRoleBinding modification from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: medium

medium

Azure Kubernetes Secret or Config Object Access

Identifies when a Kubernetes account access a sensitive objects such as configmaps or secrets.

status test author Austin Songer @austinsonger id 7ee0b4aa-d8d4-4088-b661-20efdf41a04c

view Sigma YAML

title: Azure Kubernetes Secret or Config Object Access
id: 7ee0b4aa-d8d4-4088-b661-20efdf41a04c
status: test
description: Identifies when a Kubernetes account access a sensitive objects such as configmaps or secrets.
references:
    - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
    - https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/
    - https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
    - https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1
author: Austin Songer @austinsonger
date: 2021-08-07
modified: 2022-08-23
tags:
    - attack.impact
    - attack.t1485
    - attack.t1496
    - attack.t1489
logsource:
    product: azure
    service: activitylogs
detection:
    selection:
        operationName:
            - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/CONFIGMAPS/WRITE
            - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/CONFIGMAPS/DELETE
            - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SECRETS/WRITE
            - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SECRETS/DELETE
    condition: selection
falsepositives:
    - Sensitive objects may be accessed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Sensitive objects accessed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: medium

medium

Azure Kubernetes Sensitive Role Access

Identifies when ClusterRoles/Roles are being modified or deleted.

status test author Austin Songer @austinsonger id 818fee0c-e0ec-4e45-824e-83e4817b0887

view Sigma YAML

title: Azure Kubernetes Sensitive Role Access
id: 818fee0c-e0ec-4e45-824e-83e4817b0887
status: test
description: Identifies when ClusterRoles/Roles are being modified or deleted.
references:
    - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
    - https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/
    - https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
    - https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1
author: Austin Songer @austinsonger
date: 2021-08-07
modified: 2022-08-23
tags:
    - attack.impact
    - attack.t1485
    - attack.t1496
    - attack.t1489
logsource:
    product: azure
    service: activitylogs
detection:
    selection:
        operationName:
            - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLES/WRITE
            - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLES/DELETE
            - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLES/BIND/ACTION
            - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLES/ESCALATE/ACTION
            - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLES/WRITE
            - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLES/DELETE
            - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLES/BIND/ACTION
            - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLES/ESCALATE/ACTION
    condition: selection
falsepositives:
    - ClusterRoles/Roles being modified and deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
    - ClusterRoles/Roles modification from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: medium

medium

Azure Kubernetes Service Account Modified or Deleted

Identifies when a service account is modified or deleted.

status test author Austin Songer @austinsonger id 12d027c3-b48c-4d9d-8bb6-a732200034b2

view Sigma YAML

title: Azure Kubernetes Service Account Modified or Deleted
id: 12d027c3-b48c-4d9d-8bb6-a732200034b2
status: test
description: Identifies when a service account is modified or deleted.
references:
    - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
    - https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/
    - https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
    - https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1
author: Austin Songer @austinsonger
date: 2021-08-07
modified: 2022-08-23
tags:
    - attack.impact
    - attack.t1531
    - attack.t1485
    - attack.t1496
    - attack.t1489
logsource:
    product: azure
    service: activitylogs
detection:
    selection:
        operationName:
            - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SERVICEACCOUNTS/WRITE
            - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SERVICEACCOUNTS/DELETE
            - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SERVICEACCOUNTS/IMPERSONATE/ACTION
    condition: selection
falsepositives:
    - Service account being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
    - Service account modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: medium

medium

Disable Or Stop Services

Detects the usage of utilities such as 'systemctl', 'service'...etc to stop or disable tools and services on Linux systems. Attackers may stop or disable security tools and services to evade detection, maintain persistence, or disrupt system operations.

status test author Nasreddine Bencherchali (Nextron Systems) id de25eeb8-3655-4643-ac3a-b662d3f26b6b

view Sigma YAML

title: Disable Or Stop Services
id: de25eeb8-3655-4643-ac3a-b662d3f26b6b
status: test
description: |
    Detects the usage of utilities such as 'systemctl', 'service'...etc to stop or disable tools and services on Linux systems.
    Attackers may stop or disable security tools and services to evade detection, maintain persistence, or disrupt system operations.
references:
    - https://www.trendmicro.com/pl_pl/research/20/i/the-evolution-of-malicious-shell-scripts.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-15
modified: 2025-03-18
tags:
    - attack.defense-impairment
    - attack.t1685
    - attack.impact
    - attack.t1489
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|endswith:
            - '/service'
            - '/systemctl'
            - '/chkconfig'
        CommandLine|contains:
            - ' stop '
            - ' disable '
    filter_main_legit_snapd:
        Image|endswith: '/systemctl'
        CommandLine|contains:
            - '--no-reload disable snap-snapd-'
            - ' stop snap-snapd-'
    filter_main_ssh_preinstall:
        Image|endswith: '/systemctl'
        ParentCommandLine|contains: 'tmp.ci/preinst upgrade'
        CommandLine|contains|all:
            - ' stop '
            - 'ssh.'
    filter_main_ubuntu_upgrade:
        ParentCommandLine|contains: '/dpkg/info/ubuntu-pro-client.prerm upgrade'
        Image|endswith: '/systemctl'
    filter_optional_aws_agent:
        Image|endswith: '/systemctl'
        CommandLine|endswith: 'snap.amazon-ssm-agent.amazon-ssm-agent.service'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Legitimate administration activities
    - Some false positives are to be expected. Apply additional filters as needed before pushing to production.
level: medium

medium

Potential Abuse of Linux Magic System Request Key

Detects the potential abuse of the Linux Magic SysRq (System Request) key by adversaries with root or sufficient privileges to silently manipulate or destabilize a system. By writing to /proc/sysrq-trigger, they can crash the system, kill processes, or disrupt forensic analysis—all while bypassing standard logging. Though intended for recovery and debugging, SysRq can be misused as a stealthy post-exploitation tool. It is controlled via /proc/sys/kernel/sysrq or permanently through /etc/sysctl.conf.

status experimental author Milad Cheraghi id ea61bb82-a5e0-42e6-8537-91d29500f1b9

view Sigma YAML

title: Potential Abuse of Linux Magic System Request Key
id: ea61bb82-a5e0-42e6-8537-91d29500f1b9
status: experimental
description: |
    Detects the potential abuse of the Linux Magic SysRq (System Request) key by adversaries with root or sufficient privileges
    to silently manipulate or destabilize a system. By writing to /proc/sysrq-trigger, they can crash the system, kill processes,
    or disrupt forensic analysis—all while bypassing standard logging. Though intended for recovery and debugging, SysRq can be
    misused as a stealthy post-exploitation tool. It is controlled via /proc/sys/kernel/sysrq or permanently through /etc/sysctl.conf.
references:
    - https://www.kernel.org/doc/html/v4.10/_sources/admin-guide/sysrq.txt
    - https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/4/html/reference_guide/s3-proc-sys-kernel
    - https://www.splunk.com/en_us/blog/security/threat-update-awfulshred-script-wiper.html
author: Milad Cheraghi
date: 2025-05-23
tags:
    - attack.execution
    - attack.t1059.004
    - attack.impact
    - attack.t1529
    - attack.t1489
    - attack.t1499
logsource:
    product: linux
    service: auditd
    definition: |
        Required auditd configuration:
        -w /proc/sysrq-trigger -p wa -k sysrq
        -w /proc/sys/kernel/sysrq -p wa -k sysrq
detection:
    selection:
        type: 'PATH'
        name|endswith:
            # Enable
            - '/sysrq'
            - '/sysctl.conf'
            # Execute
            - '/sysrq-trigger'
    condition: selection
falsepositives:
    - Legitimate administrative activity
level: medium

low

Application Uninstalled

An application has been removed. Check if it is critical.

status test author frack113 id 570ae5ec-33dc-427c-b815-db86228ad43e

view Sigma YAML

title: Application Uninstalled
id: 570ae5ec-33dc-427c-b815-db86228ad43e
status: test
description: An application has been removed. Check if it is critical.
references:
    - https://github.com/nasbench/EVTX-ETW-Resources/blob/f1b010ce0ee1b71e3024180de1a3e67f99701fe4/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/Microsoft-Windows-MsiServer.xml
    - https://learn.microsoft.com/en-us/windows/win32/msi/event-logging
author: frack113
date: 2022-01-28
modified: 2022-09-17
tags:
    - attack.impact
    - attack.t1489
logsource:
    product: windows
    service: application
detection:
    selection:
        Provider_Name: 'MsiInstaller'
        EventID:
            - 1034 # Windows Installer removed the product
            - 11724 # Product Removal Successful
    condition: selection
falsepositives:
    - Unknown
# Level is low as it can be very verbose, you can use the top or less 10 "Product Name" to have a quick overview
level: low

low

Azure Container Registry Created or Deleted

Detects when a Container Registry is created or deleted.

status test author Austin Songer @austinsonger id 93e0ef48-37c8-49ed-a02c-038aab23628e

view Sigma YAML

title: Azure Container Registry Created or Deleted
id: 93e0ef48-37c8-49ed-a02c-038aab23628e
status: test
description: Detects when a Container Registry is created or deleted.
references:
    - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
    - https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/
    - https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
    - https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1
author: Austin Songer @austinsonger
date: 2021-08-07
modified: 2022-08-23
tags:
    - attack.impact
    - attack.t1485
    - attack.t1496
    - attack.t1489
logsource:
    product: azure
    service: activitylogs
detection:
    selection:
        operationName:
            - MICROSOFT.CONTAINERREGISTRY/REGISTRIES/WRITE
            - MICROSOFT.CONTAINERREGISTRY/REGISTRIES/DELETE
    condition: selection
falsepositives:
    - Container Registry being created or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
    - Container Registry created or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: low

low

Azure Kubernetes Cluster Created or Deleted

Detects when a Azure Kubernetes Cluster is created or deleted.

status test author Austin Songer @austinsonger id 9541f321-7cba-4b43-80fc-fbd1fb922808

view Sigma YAML

title: Azure Kubernetes Cluster Created or Deleted
id: 9541f321-7cba-4b43-80fc-fbd1fb922808
status: test
description: Detects when a Azure Kubernetes Cluster is created or deleted.
references:
    - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
    - https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/
    - https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
    - https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1
author: Austin Songer @austinsonger
date: 2021-08-07
modified: 2022-08-23
tags:
    - attack.impact
    - attack.t1485
    - attack.t1496
    - attack.t1489
logsource:
    product: azure
    service: activitylogs
detection:
    selection:
        operationName:
            - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/WRITE
            - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/DELETE
    condition: selection
falsepositives:
    - Kubernetes cluster being created or  deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
    - Kubernetes cluster created or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: low

low

Stop Windows Service Via Net.EXE

Detects the stopping of a Windows service via the "net" utility.

status test author Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems) id 88872991-7445-4a22-90b2-a3adadb0e827

view Sigma YAML

title: Stop Windows Service Via Net.EXE
id: 88872991-7445-4a22-90b2-a3adadb0e827
related:
    - id: eb87818d-db5d-49cc-a987-d5da331fbd90
      type: obsolete
status: test
description: Detects the stopping of a Windows service via the "net" utility.
references:
    - https://ss64.com/nt/net-service.html
author: Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems)
date: 2023-03-05
tags:
    - attack.impact
    - attack.t1489
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - OriginalFileName:
              - 'net.exe'
              - 'net1.exe'
        - Image|endswith:
              - '\net.exe'
              - '\net1.exe'
    selection_cli:
        CommandLine|contains: ' stop '
    condition: all of selection_*
falsepositives:
    - There are many legitimate reasons to stop a service. This rule isn't looking for any suspicious behaviour in particular. Filter legitimate activity accordingly
level: low

low

Stop Windows Service Via PowerShell Stop-Service

Detects the stopping of a Windows service via the PowerShell Cmdlet "Stop-Service"

status test author Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems) id c49c5062-0966-4170-9efd-9968c913a6cf

view Sigma YAML

title: Stop Windows Service Via PowerShell Stop-Service
id: c49c5062-0966-4170-9efd-9968c913a6cf
related:
    - id: eb87818d-db5d-49cc-a987-d5da331fbd90
      type: obsolete
status: test
description: Detects the stopping of a Windows service via the PowerShell Cmdlet "Stop-Service"
references:
    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/stop-service?view=powershell-7.4
author: Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems)
date: 2023-03-05
tags:
    - attack.impact
    - attack.t1489
logsource:
    category: process_creation
    product: windows
detection:
    selection_sc_net_img:
        - OriginalFileName:
              - 'PowerShell.EXE'
              - 'pwsh.dll'
        - Image|endswith:
              - '\powershell.exe'
              - '\pwsh.exe'
    selection_cli:
        CommandLine|contains: 'Stop-Service '
    condition: all of selection_*
falsepositives:
    - There are many legitimate reasons to stop a service. This rule isn't looking for any suspicious behaviour in particular. Filter legitimate activity accordingly
level: low

low

Stop Windows Service Via Sc.EXE

Detects the stopping of a Windows service via the "sc.exe" utility

status test author Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems) id 81bcb81b-5b1f-474b-b373-52c871aaa7b1

view Sigma YAML

title: Stop Windows Service Via Sc.EXE
id: 81bcb81b-5b1f-474b-b373-52c871aaa7b1
related:
    - id: eb87818d-db5d-49cc-a987-d5da331fbd90
      type: obsolete
status: test
description: Detects the stopping of a Windows service via the "sc.exe" utility
references:
    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc742107(v=ws.11)
author: Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems)
date: 2023-03-05
modified: 2024-01-18
tags:
    - attack.impact
    - attack.t1489
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - OriginalFileName: 'sc.exe'
        - Image|endswith: '\sc.exe'
    selection_cli:
        CommandLine|contains: ' stop '
    condition: all of selection_*
falsepositives:
    - There are many legitimate reasons to stop a service. This rule isn't looking for any suspicious behavior in particular. Filter legitimate activity accordingly
level: low
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_sc_stop_service/info.yml

Showing 1-19 of 19

Prev 1 Next

Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities

Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs

Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures

Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1

About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service

threatengine.sh · Open-source threat intelligence platform · 100+ authoritative sources · Every fact traces to its origin