Home/Sigma rules
Sigma

Sigma detection rules

7 rules indexed · SIEM-agnostic detection content
Sigma is the open generic signature format for SIEM systems. Each rule below converts to native syntax for Splunk, Elastic, Sentinel, and other SIEMs. Expand any rule to see its raw YAML.
Severity critical high medium low all severities

Detection rules

7 shown of 7
high
Sysmon Discovery Via Default Driver Altitude Using Findstr.EXE
Detects usage of "findstr" with the argument "385201". Which could indicate potential discovery of an installed Sysinternals Sysmon service using the default driver altitude (even if the name is changed).
status test author frack113 id 37db85d1-b089-490a-a59a-c7b6f984f480
view Sigma YAML 
title: Sysmon Discovery Via Default Driver Altitude Using Findstr.EXE
id: 37db85d1-b089-490a-a59a-c7b6f984f480
status: test
description: Detects usage of "findstr" with the argument "385201". Which could indicate potential discovery of an installed Sysinternals Sysmon service using the default driver altitude (even if the name is changed).
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518.001/T1518.001.md#atomic-test-5---security-software-discovery---sysmon-service
author: frack113
date: 2021-12-16
modified: 2023-11-14
tags:
    - attack.discovery
    - attack.t1518.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\find.exe'
              - '\findstr.exe'
        - OriginalFileName:
              - 'FIND.EXE'
              - 'FINDSTR.EXE'
    selection_cli:
        CommandLine|contains: ' 385201' # Sysmon driver default altitude
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
medium
Security Software Discovery - MacOs
Detects usage of system utilities (only grep for now) to discover security software discovery
status test author Daniil Yugoslavskiy, oscd.community id 0ed75b9c-c73b-424d-9e7d-496cd565fbe0
view Sigma YAML 
title: Security Software Discovery - MacOs
id: 0ed75b9c-c73b-424d-9e7d-496cd565fbe0
status: test
description: Detects usage of system utilities (only grep for now) to discover security software discovery
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518.001/T1518.001.md
author: Daniil Yugoslavskiy, oscd.community
date: 2020-10-19
modified: 2022-11-27
tags:
    - attack.discovery
    - attack.t1518.001
logsource:
    category: process_creation
    product: macos
detection:
    image:
        Image: '/usr/bin/grep'
    selection_cli_1:
        CommandLine|contains:
            - 'nessusd'        # nessus vulnerability scanner
            - 'santad'         # google santa
            - 'CbDefense'      # carbon black
            - 'falcond'        # crowdstrike falcon
            - 'td-agent'       # fluentd log shipper
            - 'packetbeat'     # elastic network logger/shipper
            - 'filebeat'       # elastic log file shipper
            - 'auditbeat'      # elastic auditing agent/log shipper
            - 'osqueryd'       # facebook osquery
            - 'BlockBlock'     # Objective-See persistence locations watcher/blocker
            - 'LuLu'           # Objective-See firewall management utility
    selection_cli_2: # Objective Development Software firewall management utility
        CommandLine|contains|all:
            - 'Little'
            - 'Snitch'
    condition: image and 1 of selection_cli_*
falsepositives:
    - Legitimate activities
level: medium
medium
Security Software Discovery Via Powershell Script
Detects calls to "get-process" where the output is piped to a "where-object" filter to search for security solution processes. Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus
status test author frack113, Anish Bogati, Nasreddine Bencherchali (Nextron Systems) id 904e8e61-8edf-4350-b59c-b905fc8e810c
view Sigma YAML 
title: Security Software Discovery Via Powershell Script
id: 904e8e61-8edf-4350-b59c-b905fc8e810c
status: test
description: |
    Detects calls to "get-process" where the output is piped to a "where-object" filter to search for security solution processes.
    Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518.001/T1518.001.md#atomic-test-2---security-software-discovery---powershell
author: frack113, Anish Bogati, Nasreddine Bencherchali (Nextron Systems)
date: 2021-12-16
modified: 2023-10-24
tags:
    - attack.discovery
    - attack.t1518.001
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection_cmdlet:
        ScriptBlockText|contains:
            - 'get-process | \?'
            - 'get-process | where'
            - 'gps | \?'
            - 'gps | where'
    selection_field:
        ScriptBlockText|contains:
            - 'Company -like'
            - 'Description -like'
            - 'Name -like'
            - 'Path -like'
            - 'Product -like'
    selection_keywords:
        ScriptBlockText|contains:
            # Note: These strings are using wildcard assuming the search is using the "-like" operator.
            #       You can add specific variant with the actual process names to increase coverage
            - '\*avira\*'
            - '\*carbonblack\*'
            - '\*cylance\*'
            - '\*defender\*'
            - '\*kaspersky\*'
            - '\*malware\*'
            - '\*sentinel\*'
            - '\*symantec\*'
            - '\*virus\*'
    condition: all of selection_*
falsepositives:
    - False positives might occur due to the nature of the ScriptBlock being ingested as a big blob. Initial tuning is required.
    - As the "selection_cmdlet" is common in scripts the matching engine might slow down the search. Change into regex or a more accurate string to avoid heavy resource consumption if experienced
level: medium
medium
Security Tools Keyword Lookup Via Findstr.EXE
Detects execution of "findstr" to search for common names of security tools. Attackers often pipe the results of recon commands such as "tasklist" or "whoami" to "findstr" in order to filter out the results. This detection focuses on the keywords that the attacker might use as a filter.
status test author Nasreddine Bencherchali (Nextron Systems), frack113 id 4fe074b4-b833-4081-8f24-7dcfeca72b42
view Sigma YAML 
title: Security Tools Keyword Lookup Via Findstr.EXE
id: 4fe074b4-b833-4081-8f24-7dcfeca72b42
related:
    - id: fe63010f-8823-4864-a96b-a7b4a0f7b929
      type: derived
status: test
description: |
    Detects execution of "findstr" to search for common names of security tools. Attackers often pipe the results of recon commands such as "tasklist" or "whoami" to "findstr" in order to filter out the results.
    This detection focuses on the keywords that the attacker might use as a filter.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/987e3ca988ae3cff4b9f6e388c139c05bf44bbb8/atomics/T1518.001/T1518.001.md#atomic-test-1---security-software-discovery
    - https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/
    - https://www.hhs.gov/sites/default/files/manage-engine-vulnerability-sector-alert-tlpclear.pdf
author: Nasreddine Bencherchali (Nextron Systems), frack113
date: 2023-10-20
modified: 2023-11-14
tags:
    - attack.discovery
    - attack.t1518.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\find.exe'
              - '\findstr.exe'
        - OriginalFileName:
              - 'FIND.EXE'
              - 'FINDSTR.EXE'
    selection_cli:
        CommandLine|endswith:
            # Note: Add additional keywords to increase and enhance coverage
            # Note:
            #   We use the double quote variation because in cases of where the command is executed through cmd for example:
            #       cmd /c "tasklist | findstr virus"
            #   Logging utilties such as Sysmon would capture the end quote as part of findstr execution
            - ' avira'
            - ' avira"'
            - ' cb'
            - ' cb"'
            - ' cylance'
            - ' cylance"'
            - ' defender'
            - ' defender"'
            - ' kaspersky'
            - ' kaspersky"'
            - ' kes'
            - ' kes"'
            - ' mc'
            - ' mc"'
            - ' sec'
            - ' sec"'
            - ' sentinel'
            - ' sentinel"'
            - ' symantec'
            - ' symantec"'
            - ' virus'
            - ' virus"'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_findstr_security_keyword_lookup/info.yml
simulation:
    - type: atomic-red-team
      name: Security Software Discovery
      technique: T1518.001
      atomic_guid: f92a380f-ced9-491f-b338-95a991418ce2
medium
System Integrity Protection (SIP) Disabled
Detects the use of csrutil to disable the Configure System Integrity Protection (SIP). This technique is used in post-exploit scenarios.
status test author Joseliyo Sanchez, @Joseliyo_Jstnk id 3603f18a-ec15-43a1-9af2-d196c8a7fec6
view Sigma YAML 
title: System Integrity Protection (SIP) Disabled
id: 3603f18a-ec15-43a1-9af2-d196c8a7fec6
status: test
description: |
    Detects the use of csrutil to disable the Configure System Integrity Protection (SIP). This technique is used in post-exploit scenarios.
references:
    - https://ss64.com/osx/csrutil.html
    - https://objective-see.org/blog/blog_0x6D.html
    - https://www.welivesecurity.com/2017/10/20/osx-proton-supply-chain-attack-elmedia/
    - https://www.virustotal.com/gui/file/05a2adb266ec6c0ba9ed176d87d8530e71e845348c13caf9f60049760c312cd3/behavior
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2024-01-02
tags:
    - attack.discovery
    - attack.t1518.001
logsource:
    product: macos
    category: process_creation
detection:
    # VT Query: behavior_processes:"csrutil status" p:5+ type:mac
    selection:
        Image|endswith: '/csrutil'
        CommandLine|contains: 'disable'
    condition: selection
falsepositives:
    - Unknown
level: medium
low
Security Software Discovery - Linux
Detects usage of system utilities (only grep and egrep for now) to discover security software discovery
status test author Daniil Yugoslavskiy, oscd.community id c9d8b7fd-78e4-44fe-88f6-599135d46d60
view Sigma YAML 
title: Security Software Discovery - Linux
id: c9d8b7fd-78e4-44fe-88f6-599135d46d60
status: test
description: Detects usage of system utilities (only grep and egrep for now) to discover security software discovery
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518.001/T1518.001.md
author: Daniil Yugoslavskiy, oscd.community
date: 2020-10-19
modified: 2022-11-27
tags:
    - attack.discovery
    - attack.t1518.001
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|endswith:
            # You can add more grep variations such as fgrep, rgrep...etc
            - '/grep'
            - '/egrep'
        CommandLine|contains:
            - 'nessusd'        # nessus vulnerability scanner
            - 'td-agent'       # fluentd log shipper
            - 'packetbeat'     # elastic network logger/shipper
            - 'filebeat'       # elastic log file shipper
            - 'auditbeat'      # elastic auditing agent/log shipper
            - 'osqueryd'       # facebook osquery
            - 'cbagentd'       # carbon black
            - 'falcond'        # crowdstrike falcon
    condition: selection
falsepositives:
    - Legitimate activities
level: low
low
System Integrity Protection (SIP) Enumeration
Detects the use of csrutil to view the Configure System Integrity Protection (SIP) status. This technique is used in post-exploit scenarios.
status test author Joseliyo Sanchez, @Joseliyo_Jstnk id 53821412-17b0-4147-ade0-14faae67d54b
view Sigma YAML 
title: System Integrity Protection (SIP) Enumeration
id: 53821412-17b0-4147-ade0-14faae67d54b
status: test
description: |
    Detects the use of csrutil to view the Configure System Integrity Protection (SIP) status. This technique is used in post-exploit scenarios.
references:
    - https://ss64.com/osx/csrutil.html
    - https://objective-see.org/blog/blog_0x6D.html
    - https://www.welivesecurity.com/2017/10/20/osx-proton-supply-chain-attack-elmedia/
    - https://www.virustotal.com/gui/file/05a2adb266ec6c0ba9ed176d87d8530e71e845348c13caf9f60049760c312cd3/behavior
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2024-01-02
tags:
    - attack.discovery
    - attack.t1518.001
logsource:
    product: macos
    category: process_creation
detection:
    # VT Query: behavior_processes:"csrutil status" p:5+ type:mac
    selection:
        Image|endswith: '/csrutil'
        CommandLine|contains: 'status'
    condition: selection
falsepositives:
    - Legitimate administration activities
level: low
Showing 1-7 of 7
Prev 1 Next
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin