Home/Sigma rules
Sigma

Sigma detection rules

3 rules indexed · SIEM-agnostic detection content
Sigma is the open generic signature format for SIEM systems. Each rule below converts to native syntax for Splunk, Elastic, Sentinel, and other SIEMs. Expand any rule to see its raw YAML.
Severity critical high medium low all severities

Detection rules

3 shown of 3
high
Discovery Using AzureHound
Detects AzureHound (A BloodHound data collector for Microsoft Azure) activity via the default User-Agent that is used during its operation after successful authentication.
status test author Janantha Marasinghe id 35b781cc-1a08-4a5a-80af-42fd7c315c6b
view Sigma YAML 
title: Discovery Using AzureHound
id: 35b781cc-1a08-4a5a-80af-42fd7c315c6b
status: test
description: Detects AzureHound (A BloodHound data collector for Microsoft Azure) activity via the default User-Agent that is used during its operation after successful authentication.
references:
    - https://github.com/BloodHoundAD/AzureHound
author: Janantha Marasinghe
date: 2022-11-27
tags:
    - attack.discovery
    - attack.t1087.004
    - attack.t1526
logsource:
    product: azure
    service: signinlogs
detection:
    selection:
        userAgent|contains: 'azurehound'
        ResultType: 0
    condition: selection
falsepositives:
    - Unknown
level: high
high
PUA - Seatbelt Execution
Detects the execution of the PUA/Recon tool Seatbelt via PE information of command line parameters
status test author Nasreddine Bencherchali (Nextron Systems) id 38646daa-e78f-4ace-9de0-55547b2d30da
view Sigma YAML 
title: PUA - Seatbelt Execution
id: 38646daa-e78f-4ace-9de0-55547b2d30da
status: test
description: Detects the execution of the PUA/Recon tool Seatbelt via PE information of command line parameters
references:
    - https://github.com/GhostPack/Seatbelt
    - https://www.bluetangle.dev/2022/08/fastening-seatbelt-on-threat-hunting.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-18
modified: 2023-02-04
tags:
    - attack.discovery
    - attack.t1526
    - attack.t1087
    - attack.t1083
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\Seatbelt.exe'
        - OriginalFileName: 'Seatbelt.exe'
        - Description: 'Seatbelt'
        - CommandLine|contains:
              # This just a list of the commands that will produce the least amount of FP in "theory"
              # Comment out/in as needed in your environment
              # To get the full list of commands see reference section
              - ' DpapiMasterKeys'
              - ' InterestingProcesses'
              - ' InterestingFiles'
              - ' CertificateThumbprints'
              - ' ChromiumBookmarks'
              - ' ChromiumHistory'
              - ' ChromiumPresence'
              - ' CloudCredentials'
              - ' CredEnum'
              - ' CredGuard'
              - ' FirefoxHistory'
              - ' ProcessCreationEvents'
              # - ' RDPSessions'
              # - ' PowerShellHistory'
    selection_group_list:
        CommandLine|contains:
            - ' -group=misc'
            - ' -group=remote'
            - ' -group=chromium'
            - ' -group=slack'
            - ' -group=system'
            - ' -group=user'
            - ' -group=all'
    selection_group_output:
        CommandLine|contains: ' -outputfile='
    condition: selection_img or all of selection_group_*
falsepositives:
    - Unlikely
level: high
low
Github Self Hosted Runner Changes Detected
A self-hosted runner is a system that you deploy and manage to execute jobs from GitHub Actions on GitHub.com. This rule detects changes to self-hosted runners configurations in the environment. The self-hosted runner configuration changes once detected, it should be validated from GitHub UI because the log entry may not provide full context.
status test author Muhammad Faisal (@faisalusuf) id f8ed0e8f-7438-4b79-85eb-f358ef2fbebd
view Sigma YAML 
title: Github Self Hosted Runner Changes Detected
id: f8ed0e8f-7438-4b79-85eb-f358ef2fbebd
status: test
description: |
    A self-hosted runner is a system that you deploy and manage to execute jobs from GitHub Actions on GitHub.com.
    This rule detects changes to self-hosted runners configurations in the environment. The self-hosted runner configuration changes once detected,
    it should be validated from GitHub UI because the log entry may not provide full context.
author: Muhammad Faisal (@faisalusuf)
date: 2023-01-27
references:
    - https://docs.github.com/en/actions/hosting-your-own-runners/about-self-hosted-runners#about-self-hosted-runners
    - https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#search-based-on-operation
tags:
    - attack.impact
    - attack.discovery
    - attack.collection
    - attack.persistence
    - attack.privilege-escalation
    - attack.initial-access
    - attack.stealth
    - attack.t1526
    - attack.t1213.003
    - attack.t1078.004
logsource:
    product: github
    service: audit
    definition: 'Requirements: The audit log streaming feature must be enabled to be able to receive such logs. You can enable following the documentation here: https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-audit-log-streaming'
detection:
    selection:
        action:
            - 'org.remove_self_hosted_runner'
            - 'org.runner_group_created'
            - 'org.runner_group_removed'
            - 'org.runner_group_runner_removed'
            - 'org.runner_group_runners_added'
            - 'org.runner_group_runners_updated'
            - 'org.runner_group_updated'
            - 'repo.register_self_hosted_runner'
            - 'repo.remove_self_hosted_runner'
    condition: selection
falsepositives:
    - Allowed self-hosted runners changes in the environment.
    - A self-hosted runner is automatically removed from GitHub if it has not connected to GitHub Actions for more than 14 days.
    - An ephemeral self-hosted runner is automatically removed from GitHub if it has not connected to GitHub Actions for more than 1 day.
level: low
Showing 1-3 of 3
Prev 1 Next
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin