Home/Sigma rules
Sigma

Sigma detection rules

13 rules indexed · SIEM-agnostic detection content
Sigma is the open generic signature format for SIEM systems. Each rule below converts to native syntax for Splunk, Elastic, Sentinel, and other SIEMs. Expand any rule to see its raw YAML.
Severity critical high medium low all severities

Detection rules

13 shown of 13
high
Linux Crypto Mining Indicators
Detects command line parameters or strings often used by crypto miners
status test author Florian Roth (Nextron Systems) id 9069ea3c-b213-4c52-be13-86506a227ab1
view Sigma YAML 
title: Linux Crypto Mining Indicators
id: 9069ea3c-b213-4c52-be13-86506a227ab1
status: test
description: Detects command line parameters or strings often used by crypto miners
references:
    - https://www.poolwatch.io/coin/monero
author: Florian Roth (Nextron Systems)
date: 2021-10-26
modified: 2022-12-25
tags:
    - attack.impact
    - attack.t1496
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        CommandLine|contains:
            - ' --cpu-priority='
            - '--donate-level=0'
            - ' -o pool.'
            - ' --nicehash'
            - ' --algo=rx/0 '
            - 'stratum+tcp://'
            - 'stratum+udp://'
            # Sub process started by xmrig - the most popular Monero crypto miner - unknown if this causes any false positives
            - 'sh -c /sbin/modprobe msr allow_writes=on'
            # base64 encoded: --donate-level=
            - 'LS1kb25hdGUtbGV2ZWw9'
            - '0tZG9uYXRlLWxldmVsP'
            - 'tLWRvbmF0ZS1sZXZlbD'
            # base64 encoded: stratum+tcp:// and stratum+udp://
            - 'c3RyYXR1bSt0Y3A6Ly'
            - 'N0cmF0dW0rdGNwOi8v'
            - 'zdHJhdHVtK3RjcDovL'
            - 'c3RyYXR1bSt1ZHA6Ly'
            - 'N0cmF0dW0rdWRwOi8v'
            - 'zdHJhdHVtK3VkcDovL'
    condition: selection
falsepositives:
    - Legitimate use of crypto miners
level: high
high
Linux Crypto Mining Pool Connections
Detects process connections to a Monero crypto mining pool
status stable author Florian Roth (Nextron Systems) id a46c93b7-55ed-4d27-a41b-c259456c4746
view Sigma YAML 
title: Linux Crypto Mining Pool Connections
id: a46c93b7-55ed-4d27-a41b-c259456c4746
status: stable
description: Detects process connections to a Monero crypto mining pool
references:
    - https://www.poolwatch.io/coin/monero
author: Florian Roth (Nextron Systems)
date: 2021-10-26
tags:
    - attack.impact
    - attack.t1496
logsource:
    product: linux
    category: network_connection
detection:
    selection:
        DestinationHostname:
            - 'pool.minexmr.com'
            - 'fr.minexmr.com'
            - 'de.minexmr.com'
            - 'sg.minexmr.com'
            - 'ca.minexmr.com'
            - 'us-west.minexmr.com'
            - 'pool.supportxmr.com'
            - 'mine.c3pool.com'
            - 'xmr-eu1.nanopool.org'
            - 'xmr-eu2.nanopool.org'
            - 'xmr-us-east1.nanopool.org'
            - 'xmr-us-west1.nanopool.org'
            - 'xmr-asia1.nanopool.org'
            - 'xmr-jp1.nanopool.org'
            - 'xmr-au1.nanopool.org'
            - 'xmr.2miners.com'
            - 'xmr.hashcity.org'
            - 'xmr.f2pool.com'
            - 'xmrpool.eu'
            - 'pool.hashvault.pro'
            - 'moneroocean.stream'
            - 'monerocean.stream'
    condition: selection
falsepositives:
    - Legitimate use of crypto miners
level: high
high
Monero Crypto Coin Mining Pool Lookup
Detects suspicious DNS queries to Monero mining pools
status stable author Florian Roth (Nextron Systems) id b593fd50-7335-4682-a36c-4edcb68e4641
view Sigma YAML 
title: Monero Crypto Coin Mining Pool Lookup
id: b593fd50-7335-4682-a36c-4edcb68e4641
status: stable
description: Detects suspicious DNS queries to Monero mining pools
references:
    - https://www.nextron-systems.com/2021/10/24/monero-mining-pool-fqdns/
author: Florian Roth (Nextron Systems)
date: 2021-10-24
tags:
    - attack.impact
    - attack.t1496
    - attack.exfiltration
    - attack.t1567
logsource:
    category: dns
detection:
    selection:
        query|contains:
            - 'pool.minexmr.com'
            - 'fr.minexmr.com'
            - 'de.minexmr.com'
            - 'sg.minexmr.com'
            - 'ca.minexmr.com'
            - 'us-west.minexmr.com'
            - 'pool.supportxmr.com'
            - 'mine.c3pool.com'
            - 'xmr-eu1.nanopool.org'
            - 'xmr-eu2.nanopool.org'
            - 'xmr-us-east1.nanopool.org'
            - 'xmr-us-west1.nanopool.org'
            - 'xmr-asia1.nanopool.org'
            - 'xmr-jp1.nanopool.org'
            - 'xmr-au1.nanopool.org'
            - 'xmr.2miners.com'
            - 'xmr.hashcity.org'
            - 'xmr.f2pool.com'
            - 'xmrpool.eu'
            - 'pool.hashvault.pro'
    condition: selection
falsepositives:
    - Legitimate crypto coin mining
level: high
high
Network Communication With Crypto Mining Pool
Detects initiated network connections to crypto mining pools
status stable author Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) id fa5b1358-b040-4403-9868-15f7d9ab6329
view Sigma YAML 
title: Network Communication With Crypto Mining Pool
id: fa5b1358-b040-4403-9868-15f7d9ab6329
status: stable
description: Detects initiated network connections to crypto mining pools
references:
    - https://www.poolwatch.io/coin/monero
    - https://github.com/stamparm/maltrail/blob/3ea70459b9559134449423c0a7d8b965ac5c40ea/trails/static/suspicious/crypto_mining.txt
    - https://www.virustotal.com/gui/search/behaviour_network%253A*.miningocean.org/files
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2021-10-26
modified: 2024-01-19
tags:
    - attack.impact
    - attack.t1496
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        DestinationHostname:
            - 'alimabi.cn'
            - 'ap.luckpool.net'
            - 'bcn.pool.minergate.com'
            - 'bcn.vip.pool.minergate.com'
            - 'bohemianpool.com'
            - 'ca-aipg.miningocean.org'
            - 'ca-dynex.miningocean.org'
            - 'ca-neurai.miningocean.org'
            - 'ca-qrl.miningocean.org'
            - 'ca-upx.miningocean.org'
            - 'ca-zephyr.miningocean.org'
            - 'ca.minexmr.com'
            - 'ca.monero.herominers.com'
            - 'cbd.monerpool.org'
            - 'cbdv2.monerpool.org'
            - 'cryptmonero.com'
            - 'crypto-pool.fr'
            - 'crypto-pool.info'
            - 'cryptonight-hub.miningpoolhub.com'
            - 'd1pool.ddns.net'
            - 'd5pool.us'
            - 'daili01.monerpool.org'
            - 'de-aipg.miningocean.org'
            - 'de-dynex.miningocean.org'
            - 'de-zephyr.miningocean.org'
            - 'de.minexmr.com'
            - 'dl.nbminer.com'
            - 'donate.graef.in'
            - 'donate.ssl.xmrig.com'
            - 'donate.v2.xmrig.com'
            - 'donate.xmrig.com'
            - 'donate2.graef.in'
            - 'drill.moneroworld.com'
            - 'dwarfpool.com'
            - 'emercoin.com'
            - 'emercoin.net'
            - 'emergate.net'
            - 'ethereumpool.co'
            - 'eu.luckpool.net'
            - 'eu.minerpool.pw'
            - 'fcn-xmr.pool.minergate.com'
            - 'fee.xmrig.com'
            - 'fr-aipg.miningocean.org'
            - 'fr-dynex.miningocean.org'
            - 'fr-neurai.miningocean.org'
            - 'fr-qrl.miningocean.org'
            - 'fr-upx.miningocean.org'
            - 'fr-zephyr.miningocean.org'
            - 'fr.minexmr.com'
            - 'hellominer.com'
            - 'herominers.com'
            - 'hk-aipg.miningocean.org'
            - 'hk-dynex.miningocean.org'
            - 'hk-neurai.miningocean.org'
            - 'hk-qrl.miningocean.org'
            - 'hk-upx.miningocean.org'
            - 'hk-zephyr.miningocean.org'
            - 'huadong1-aeon.ppxxmr.com'
            - 'iwanttoearn.money'
            - 'jw-js1.ppxxmr.com'
            - 'koto-pool.work'
            - 'lhr.nbminer.com'
            - 'lhr3.nbminer.com'
            - 'linux.monerpool.org'
            - 'lokiturtle.herominers.com'
            - 'luckpool.net'
            - 'masari.miner.rocks'
            - 'mine.c3pool.com'
            - 'mine.moneropool.com'
            - 'mine.ppxxmr.com'
            - 'mine.zpool.ca'
            - 'mine1.ppxxmr.com'
            - 'minemonero.gq'
            - 'miner.ppxxmr.com'
            - 'miner.rocks'
            - 'minercircle.com'
            - 'minergate.com'
            - 'minerpool.pw'
            - 'minerrocks.com'
            - 'miners.pro'
            - 'minerxmr.ru'
            - 'minexmr.cn'
            - 'minexmr.com'
            - 'mining-help.ru'
            - 'miningpoolhub.com'
            - 'mixpools.org'
            - 'moner.monerpool.org'
            - 'moner1min.monerpool.org'
            - 'monero-master.crypto-pool.fr'
            - 'monero.crypto-pool.fr'
            - 'monero.hashvault.pro'
            - 'monero.herominers.com'
            - 'monero.lindon-pool.win'
            - 'monero.miners.pro'
            - 'monero.riefly.id'
            - 'monero.us.to'
            - 'monerocean.stream'
            - 'monerogb.com'
            - 'monerohash.com'
            - 'moneroocean.stream'
            - 'moneropool.com'
            - 'moneropool.nl'
            - 'monerorx.com'
            - 'monerpool.org'
            - 'moriaxmr.com'
            - 'mro.pool.minergate.com'
            - 'multipool.us'
            - 'myxmr.pw'
            - 'na.luckpool.net'
            - 'nanopool.org'
            - 'nbminer.com'
            - 'node3.luckpool.net'
            - 'noobxmr.com'
            - 'pangolinminer.comgandalph3000.com'
            - 'pool.4i7i.com'
            - 'pool.armornetwork.org'
            - 'pool.cortins.tk'
            - 'pool.gntl.co.uk'
            - 'pool.hashvault.pro'
            - 'pool.minergate.com'
            - 'pool.minexmr.com'
            - 'pool.monero.hashvault.pro'
            - 'pool.ppxxmr.com'
            - 'pool.somec.cc'
            - 'pool.support'
            - 'pool.supportxmr.com'
            - 'pool.usa-138.com'
            - 'pool.xmr.pt'
            - 'pool.xmrfast.com'
            - 'pool2.armornetwork.org'
            - 'poolchange.ppxxmr.com'
            - 'pooldd.com'
            - 'poolmining.org'
            - 'poolto.be'
            - 'ppxvip1.ppxxmr.com'
            - 'ppxxmr.com'
            - 'prohash.net'
            - 'r.twotouchauthentication.online'
            - 'randomx.xmrig.com'
            - 'ratchetmining.com'
            - 'seed.emercoin.com'
            - 'seed.emercoin.net'
            - 'seed.emergate.net'
            - 'seed1.joulecoin.org'
            - 'seed2.joulecoin.org'
            - 'seed3.joulecoin.org'
            - 'seed4.joulecoin.org'
            - 'seed5.joulecoin.org'
            - 'seed6.joulecoin.org'
            - 'seed7.joulecoin.org'
            - 'seed8.joulecoin.org'
            - 'sg-aipg.miningocean.org'
            - 'sg-dynex.miningocean.org'
            - 'sg-neurai.miningocean.org'
            - 'sg-qrl.miningocean.org'
            - 'sg-upx.miningocean.org'
            - 'sg-zephyr.miningocean.org'
            - 'sg.minexmr.com'
            - 'sheepman.mine.bz'
            - 'siamining.com'
            - 'sumokoin.minerrocks.com'
            - 'supportxmr.com'
            - 'suprnova.cc'
            - 'teracycle.net'
            - 'trtl.cnpool.cc'
            - 'trtl.pool.mine2gether.com'
            - 'turtle.miner.rocks'
            - 'us-aipg.miningocean.org'
            - 'us-dynex.miningocean.org'
            - 'us-neurai.miningocean.org'
            - 'us-west.minexmr.com'
            - 'us-zephyr.miningocean.org'
            - 'usxmrpool.com'
            - 'viaxmr.com'
            - 'webservicepag.webhop.net'
            - 'xiazai.monerpool.org'
            - 'xiazai1.monerpool.org'
            - 'xmc.pool.minergate.com'
            - 'xmo.pool.minergate.com'
            - 'xmr-asia1.nanopool.org'
            - 'xmr-au1.nanopool.org'
            - 'xmr-eu1.nanopool.org'
            - 'xmr-eu2.nanopool.org'
            - 'xmr-jp1.nanopool.org'
            - 'xmr-us-east1.nanopool.org'
            - 'xmr-us-west1.nanopool.org'
            - 'xmr-us.suprnova.cc'
            - 'xmr-usa.dwarfpool.com'
            - 'xmr.2miners.com'
            - 'xmr.5b6b7b.ru'
            - 'xmr.alimabi.cn'
            - 'xmr.bohemianpool.com'
            - 'xmr.crypto-pool.fr'
            - 'xmr.crypto-pool.info'
            - 'xmr.f2pool.com'
            - 'xmr.hashcity.org'
            - 'xmr.hex7e4.ru'
            - 'xmr.ip28.net'
            - 'xmr.monerpool.org'
            - 'xmr.mypool.online'
            - 'xmr.nanopool.org'
            - 'xmr.pool.gntl.co.uk'
            - 'xmr.pool.minergate.com'
            - 'xmr.poolto.be'
            - 'xmr.ppxxmr.com'
            - 'xmr.prohash.net'
            - 'xmr.simka.pw'
            - 'xmr.somec.cc'
            - 'xmr.suprnova.cc'
            - 'xmr.usa-138.com'
            - 'xmr.vip.pool.minergate.com'
            - 'xmr1min.monerpool.org'
            - 'xmrf.520fjh.org'
            - 'xmrf.fjhan.club'
            - 'xmrfast.com'
            - 'xmrigcc.graef.in'
            - 'xmrminer.cc'
            - 'xmrpool.de'
            - 'xmrpool.eu'
            - 'xmrpool.me'
            - 'xmrpool.net'
            - 'xmrpool.xyz'
            - 'xx11m.monerpool.org'
            - 'xx11mv2.monerpool.org'
            - 'xxx.hex7e4.ru'
            - 'zarabotaibitok.ru'
            - 'zer0day.ru'
    condition: selection
falsepositives:
    - Unlikely
level: high
high
Potential Crypto Mining Activity
Detects command line parameters or strings often used by crypto miners
status stable author Florian Roth (Nextron Systems) id 66c3b204-9f88-4d0a-a7f7-8a57d521ca55
view Sigma YAML 
title: Potential Crypto Mining Activity
id: 66c3b204-9f88-4d0a-a7f7-8a57d521ca55
status: stable
description: Detects command line parameters or strings often used by crypto miners
references:
    - https://www.poolwatch.io/coin/monero
author: Florian Roth (Nextron Systems)
date: 2021-10-26
modified: 2023-02-13
tags:
    - attack.impact
    - attack.t1496
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            - ' --cpu-priority='
            - '--donate-level=0'
            - ' -o pool.'
            - ' --nicehash'
            - ' --algo=rx/0 '
            - 'stratum+tcp://'
            - 'stratum+udp://'
            # base64 encoded: --donate-level=
            - 'LS1kb25hdGUtbGV2ZWw9'
            - '0tZG9uYXRlLWxldmVsP'
            - 'tLWRvbmF0ZS1sZXZlbD'
            # base64 encoded: stratum+tcp:// and stratum+udp://
            - 'c3RyYXR1bSt0Y3A6Ly'
            - 'N0cmF0dW0rdGNwOi8v'
            - 'zdHJhdHVtK3RjcDovL'
            - 'c3RyYXR1bSt1ZHA6Ly'
            - 'N0cmF0dW0rdWRwOi8v'
            - 'zdHJhdHVtK3VkcDovL'
    filter:
        CommandLine|contains:
            - ' pool.c '
            - ' pool.o '
            - 'gcc -'
    condition: selection and not filter
falsepositives:
    - Legitimate use of crypto miners
    - Some build frameworks
level: high
medium
Azure Kubernetes Network Policy Change
Identifies when a Azure Kubernetes network policy is modified or deleted.
status test author Austin Songer @austinsonger id 08d6ac24-c927-4469-b3b7-2e422d6e3c43
view Sigma YAML 
title: Azure Kubernetes Network Policy Change
id: 08d6ac24-c927-4469-b3b7-2e422d6e3c43
status: test
description: Identifies when a Azure Kubernetes network policy is modified or deleted.
references:
    - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
    - https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/
    - https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
    - https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1
author: Austin Songer @austinsonger
date: 2021-08-07
modified: 2022-08-23
tags:
    - attack.impact
    - attack.credential-access
    - attack.t1485
    - attack.t1496
    - attack.t1489
logsource:
    product: azure
    service: activitylogs
detection:
    selection:
        operationName:
            - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/NETWORKING.K8S.IO/NETWORKPOLICIES/WRITE
            - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/NETWORKING.K8S.IO/NETWORKPOLICIES/DELETE
            - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EXTENSIONS/NETWORKPOLICIES/WRITE
            - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EXTENSIONS/NETWORKPOLICIES/DELETE
    condition: selection
falsepositives:
    - Network Policy being modified and deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
    - Network Policy being modified and deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: medium
medium
Azure Kubernetes RoleBinding/ClusterRoleBinding Modified and Deleted
Detects the creation or patching of potential malicious RoleBinding/ClusterRoleBinding.
status test author Austin Songer @austinsonger id 25cb259b-bbdc-4b87-98b7-90d7c72f8743
view Sigma YAML 
title: Azure Kubernetes RoleBinding/ClusterRoleBinding Modified and Deleted
id: 25cb259b-bbdc-4b87-98b7-90d7c72f8743
status: test
description: Detects the creation or patching of potential malicious RoleBinding/ClusterRoleBinding.
references:
    - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
    - https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/
    - https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
    - https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1
author: Austin Songer @austinsonger
date: 2021-08-07
modified: 2022-08-23
tags:
    - attack.impact
    - attack.credential-access
    - attack.t1485
    - attack.t1496
    - attack.t1489
logsource:
    product: azure
    service: activitylogs
detection:
    selection:
        operationName:
            - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLEBINDINGS/WRITE
            - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLEBINDINGS/DELETE
            - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLEBINDINGS/WRITE
            - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLEBINDINGS/DELETE
    condition: selection
falsepositives:
    - RoleBinding/ClusterRoleBinding being modified and deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
    - RoleBinding/ClusterRoleBinding modification from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: medium
medium
Azure Kubernetes Secret or Config Object Access
Identifies when a Kubernetes account access a sensitive objects such as configmaps or secrets.
status test author Austin Songer @austinsonger id 7ee0b4aa-d8d4-4088-b661-20efdf41a04c
view Sigma YAML 
title: Azure Kubernetes Secret or Config Object Access
id: 7ee0b4aa-d8d4-4088-b661-20efdf41a04c
status: test
description: Identifies when a Kubernetes account access a sensitive objects such as configmaps or secrets.
references:
    - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
    - https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/
    - https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
    - https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1
author: Austin Songer @austinsonger
date: 2021-08-07
modified: 2022-08-23
tags:
    - attack.impact
    - attack.t1485
    - attack.t1496
    - attack.t1489
logsource:
    product: azure
    service: activitylogs
detection:
    selection:
        operationName:
            - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/CONFIGMAPS/WRITE
            - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/CONFIGMAPS/DELETE
            - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SECRETS/WRITE
            - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SECRETS/DELETE
    condition: selection
falsepositives:
    - Sensitive objects may be accessed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Sensitive objects accessed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: medium
medium
Azure Kubernetes Sensitive Role Access
Identifies when ClusterRoles/Roles are being modified or deleted.
status test author Austin Songer @austinsonger id 818fee0c-e0ec-4e45-824e-83e4817b0887
view Sigma YAML 
title: Azure Kubernetes Sensitive Role Access
id: 818fee0c-e0ec-4e45-824e-83e4817b0887
status: test
description: Identifies when ClusterRoles/Roles are being modified or deleted.
references:
    - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
    - https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/
    - https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
    - https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1
author: Austin Songer @austinsonger
date: 2021-08-07
modified: 2022-08-23
tags:
    - attack.impact
    - attack.t1485
    - attack.t1496
    - attack.t1489
logsource:
    product: azure
    service: activitylogs
detection:
    selection:
        operationName:
            - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLES/WRITE
            - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLES/DELETE
            - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLES/BIND/ACTION
            - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLES/ESCALATE/ACTION
            - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLES/WRITE
            - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLES/DELETE
            - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLES/BIND/ACTION
            - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLES/ESCALATE/ACTION
    condition: selection
falsepositives:
    - ClusterRoles/Roles being modified and deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
    - ClusterRoles/Roles modification from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: medium
medium
Azure Kubernetes Service Account Modified or Deleted
Identifies when a service account is modified or deleted.
status test author Austin Songer @austinsonger id 12d027c3-b48c-4d9d-8bb6-a732200034b2
view Sigma YAML 
title: Azure Kubernetes Service Account Modified or Deleted
id: 12d027c3-b48c-4d9d-8bb6-a732200034b2
status: test
description: Identifies when a service account is modified or deleted.
references:
    - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
    - https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/
    - https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
    - https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1
author: Austin Songer @austinsonger
date: 2021-08-07
modified: 2022-08-23
tags:
    - attack.impact
    - attack.t1531
    - attack.t1485
    - attack.t1496
    - attack.t1489
logsource:
    product: azure
    service: activitylogs
detection:
    selection:
        operationName:
            - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SERVICEACCOUNTS/WRITE
            - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SERVICEACCOUNTS/DELETE
            - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SERVICEACCOUNTS/IMPERSONATE/ACTION
    condition: selection
falsepositives:
    - Service account being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
    - Service account modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: medium
low
Azure Container Registry Created or Deleted
Detects when a Container Registry is created or deleted.
status test author Austin Songer @austinsonger id 93e0ef48-37c8-49ed-a02c-038aab23628e
view Sigma YAML 
title: Azure Container Registry Created or Deleted
id: 93e0ef48-37c8-49ed-a02c-038aab23628e
status: test
description: Detects when a Container Registry is created or deleted.
references:
    - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
    - https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/
    - https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
    - https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1
author: Austin Songer @austinsonger
date: 2021-08-07
modified: 2022-08-23
tags:
    - attack.impact
    - attack.t1485
    - attack.t1496
    - attack.t1489
logsource:
    product: azure
    service: activitylogs
detection:
    selection:
        operationName:
            - MICROSOFT.CONTAINERREGISTRY/REGISTRIES/WRITE
            - MICROSOFT.CONTAINERREGISTRY/REGISTRIES/DELETE
    condition: selection
falsepositives:
    - Container Registry being created or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
    - Container Registry created or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: low
low
Azure Kubernetes Cluster Created or Deleted
Detects when a Azure Kubernetes Cluster is created or deleted.
status test author Austin Songer @austinsonger id 9541f321-7cba-4b43-80fc-fbd1fb922808
view Sigma YAML 
title: Azure Kubernetes Cluster Created or Deleted
id: 9541f321-7cba-4b43-80fc-fbd1fb922808
status: test
description: Detects when a Azure Kubernetes Cluster is created or deleted.
references:
    - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
    - https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/
    - https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
    - https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1
author: Austin Songer @austinsonger
date: 2021-08-07
modified: 2022-08-23
tags:
    - attack.impact
    - attack.t1485
    - attack.t1496
    - attack.t1489
logsource:
    product: azure
    service: activitylogs
detection:
    selection:
        operationName:
            - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/WRITE
            - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/DELETE
    condition: selection
falsepositives:
    - Kubernetes cluster being created or  deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
    - Kubernetes cluster created or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: low
low
DNS Events Related To Mining Pools
Identifies clients that may be performing DNS lookups associated with common currency mining pools.
status test author Saw Winn Naung, Azure-Sentinel, @neu5ron id bf74135c-18e8-4a72-a926-0e4f47888c19
view Sigma YAML 
title: DNS Events Related To Mining Pools
id: bf74135c-18e8-4a72-a926-0e4f47888c19
status: test
description: Identifies clients that may be performing DNS lookups associated with common currency mining pools.
references:
    - https://github.com/Azure/Azure-Sentinel/blob/fa0411f9424b6c47b4d5a20165e4f1b168c1f103/Detections/ASimDNS/imDNS_Miners.yaml
author: Saw Winn Naung, Azure-Sentinel, @neu5ron
date: 2021-08-19
modified: 2022-07-07
tags:
    - attack.execution
    - attack.t1569.002
    - attack.impact
    - attack.t1496
logsource:
    service: dns
    product: zeek
detection:
    selection:
        query|endswith:
            - 'monerohash.com'
            - 'do-dear.com'
            - 'xmrminerpro.com'
            - 'secumine.net'
            - 'xmrpool.com'
            - 'minexmr.org'
            - 'hashanywhere.com'
            - 'xmrget.com'
            - 'mininglottery.eu'
            - 'minergate.com'
            - 'moriaxmr.com'
            - 'multipooler.com'
            - 'moneropools.com'
            - 'xmrpool.eu'
            - 'coolmining.club'
            - 'supportxmr.com'
            - 'minexmr.com'
            - 'hashvault.pro'
            - 'xmrpool.net'
            - 'crypto-pool.fr'
            - 'xmr.pt'
            - 'miner.rocks'
            - 'walpool.com'
            - 'herominers.com'
            - 'gntl.co.uk'
            - 'semipool.com'
            - 'coinfoundry.org'
            - 'cryptoknight.cc'
            - 'fairhash.org'
            - 'baikalmine.com'
            - 'tubepool.xyz'
            - 'fairpool.xyz'
            - 'asiapool.io'
            - 'coinpoolit.webhop.me'
            - 'nanopool.org'
            - 'moneropool.com'
            - 'miner.center'
            - 'prohash.net'
            - 'poolto.be'
            - 'cryptoescrow.eu'
            - 'monerominers.net'
            - 'cryptonotepool.org'
            - 'extrmepool.org'
            - 'webcoin.me'
            - 'kippo.eu'
            - 'hashinvest.ws'
            - 'monero.farm'
            - 'linux-repository-updates.com'
            - '1gh.com'
            - 'dwarfpool.com'
            - 'hash-to-coins.com'
            - 'pool-proxy.com'
            - 'hashfor.cash'
            - 'fairpool.cloud'
            - 'litecoinpool.org'
            - 'mineshaft.ml'
            - 'abcxyz.stream'
            - 'moneropool.ru'
            - 'cryptonotepool.org.uk'
            - 'extremepool.org'
            - 'extremehash.com'
            - 'hashinvest.net'
            - 'unipool.pro'
            - 'crypto-pools.org'
            - 'monero.net'
            - 'backup-pool.com'
            - 'mooo.com' # Dynamic DNS, may want to exclude
            - 'freeyy.me'
            - 'cryptonight.net'
            - 'shscrypto.net'
    exclude_answers:
        answers:
            - '127.0.0.1'
            - '0.0.0.0'
    exclude_rejected:
        rejected: 'true'
    condition: selection and not 1 of exclude_*
falsepositives:
    - A DNS lookup does not necessarily  mean a successful attempt, verify a) if there was a response using the zeek answers field, if there was then verify the connections (conn.log) to those IPs. b) verify if HTTP, SSL, or TLS activity to the domain that was queried. http.log field is 'host' and ssl/tls is 'server_name'.
level: low
Showing 1-13 of 13
Prev 1 Next
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin