Home/Sigma rules
Sigma

Sigma detection rules

3 rules indexed · SIEM-agnostic detection content
Sigma is the open generic signature format for SIEM systems. Each rule below converts to native syntax for Splunk, Elastic, Sentinel, and other SIEMs. Expand any rule to see its raw YAML.
Severity critical high medium low all severities

Detection rules

3 shown of 3
medium
Powershell Detect Virtualization Environment
Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox
status test author frack113, Duc.Le-GTSC id d93129cd-1ee0-479f-bc03-ca6f129882e3
view Sigma YAML 
title: Powershell Detect Virtualization Environment
id: d93129cd-1ee0-479f-bc03-ca6f129882e3
status: test
description: |
    Adversaries may employ various system checks to detect and avoid virtualization and analysis environments.
    This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1497.001/T1497.001.md
    - https://techgenix.com/malicious-powershell-scripts-evade-detection/
author: frack113, Duc.Le-GTSC
date: 2021-08-03
modified: 2022-03-03
tags:
    - attack.discovery
    - attack.stealth
    - attack.t1497.001
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection_action:
        ScriptBlockText|contains:
            - Get-WmiObject
            - gwmi
    selection_module:
        ScriptBlockText|contains:
            - MSAcpi_ThermalZoneTemperature
            - Win32_ComputerSystem
    condition: all of selection*
falsepositives:
    - Unknown
level: medium
medium
System Information Discovery Using System_Profiler
Detects the execution of "system_profiler" with specific "Data Types" that have been seen being used by threat actors and malware. It provides system hardware and software configuration information. This process is primarily used for system information discovery. However, "system_profiler" can also be used to determine if virtualization software is being run for defense evasion purposes.
status test author Stephen Lincoln `@slincoln_aiq` (AttackIQ) id 4809c683-059b-4935-879d-36835986f8cf
view Sigma YAML 
title: System Information Discovery Using System_Profiler
id: 4809c683-059b-4935-879d-36835986f8cf
status: test
description: |
    Detects the execution of "system_profiler" with specific "Data Types" that have been seen being used by threat actors and malware. It provides system hardware and software configuration information.
    This process is primarily used for system information discovery. However, "system_profiler" can also be used to determine if virtualization software is being run for defense evasion purposes.
references:
    - https://www.trendmicro.com/en_za/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html
    - https://www.sentinelone.com/wp-content/uploads/pdf-gen/1630910064/20-common-tools-techniques-used-by-macos-threat-actors-malware.pdf
    - https://ss64.com/mac/system_profiler.html
    - https://objective-see.org/blog/blog_0x62.html
    - https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/
    - https://gist.github.com/nasbench/9a1ba4bc7094ea1b47bc42bf172961af
author: Stephen Lincoln `@slincoln_aiq` (AttackIQ)
date: 2024-01-02
tags:
    - attack.discovery
    - attack.stealth
    - attack.t1082
    - attack.t1497.001
logsource:
    product: macos
    category: process_creation
detection:
    selection_img:
        - Image|endswith: '/system_profiler'
        - CommandLine|contains: 'system_profiler'
    selection_cmd:
        # Note: This list is based on CTI reporting. Threat actors might use other data types. Please refere to https://gist.github.com/nasbench/9a1ba4bc7094ea1b47bc42bf172961af for a full list
        CommandLine|contains:
            - 'SPApplicationsDataType'
            - 'SPHardwareDataType'
            - 'SPNetworkDataType'
            - 'SPUSBDataType'
    condition: all of selection_*
falsepositives:
    - Legitimate administrative activities
level: medium
medium
System Information Discovery Via Sysctl - MacOS
Detects the execution of "sysctl" with specific arguments that have been used by threat actors and malware. It provides system hardware information. This process is primarily used to detect and avoid virtualization and analysis environments.
status test author Pratinav Chandra id 6ff08e55-ea53-4f27-94a1-eff92e6d9d5c
view Sigma YAML 
title: System Information Discovery Via Sysctl - MacOS
id: 6ff08e55-ea53-4f27-94a1-eff92e6d9d5c
status: test
description: |
    Detects the execution of "sysctl" with specific arguments that have been used by threat actors and malware. It provides system hardware information.
    This process is primarily used to detect and avoid virtualization and analysis environments.
references:
    - https://www.loobins.io/binaries/sysctl/#
    - https://evasions.checkpoint.com/techniques/macos.html
    - https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/
    - https://www.sentinelone.com/labs/20-common-tools-techniques-used-by-macos-threat-actors-malware/
    - https://objective-see.org/blog/blog_0x1E.html
    - https://www.virustotal.com/gui/file/1c547a064494a35d6b5e6b459de183ab2720a22725e082bed6f6629211f7abc1/behavior
    - https://www.virustotal.com/gui/file/b4b1fc65f87b3dcfa35e2dbe8e0a34ad9d8a400bec332025c0a2e200671038aa/behavior
author: Pratinav Chandra
date: 2024-05-27
tags:
    - attack.stealth
    - attack.t1497.001
    - attack.discovery
    - attack.t1082
logsource:
    product: macos
    category: process_creation
detection:
    selection_img:
        - Image|endswith: '/sysctl'
        - CommandLine|contains: 'sysctl'
    selection_cmd:
        CommandLine|contains:
            - 'hw.'
            - 'kern.'
            - 'machdep.'
    condition: all of selection_*
falsepositives:
    - Legitimate administrative activities
level: medium
Showing 1-3 of 3
Prev 1 Next
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin