Sigma detection rules

5 rules indexed · SIEM-agnostic detection content
Sigma is the open generic signature format for SIEM systems. Each rule below converts to native syntax for Splunk, Elastic, Sentinel, and other SIEMs. Expand any rule to see its raw YAML.

Detection rules

DNS HybridConnectionManager Service Bus
Level: high
Detects Azure Hybrid Connection Manager services querying the Azure Service Bus service.
Status: test · Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) · ID: 7bd3902d-8b8b-4dd4-838a-c6862d40150d
Sigma YAML:
title: DNS HybridConnectionManager Service Bus
id: 7bd3902d-8b8b-4dd4-838a-c6862d40150d
status: test
description: Detects Azure Hybrid Connection Manager services querying the Azure service bus service
references:
    - https://twitter.com/Cyb3rWard0g/status/1381642789369286662
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2021-04-12
modified: 2023-01-16
tags:
    - attack.persistence
    - attack.t1554
logsource:
    product: windows
    category: dns_query
detection:
    selection:
        QueryName|contains: 'servicebus.windows.net'
        Image|contains: 'HybridConnectionManager'
    condition: selection
falsepositives:
    - Legitimate use of Azure Hybrid Connection Manager and the Azure Service Bus service
level: high
HybridConnectionManager Service Installation
Level: high
Rule to detect the Hybrid Connection Manager service installation.
Status: test · Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) · ID: 0ee4d8a5-4e67-4faf-acfa-62a78457d1f2
Sigma YAML:
title: HybridConnectionManager Service Installation
id: 0ee4d8a5-4e67-4faf-acfa-62a78457d1f2
status: test
description: Rule to detect the Hybrid Connection Manager service installation.
references:
    - https://twitter.com/Cyb3rWard0g/status/1381642789369286662
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2021-04-12
modified: 2022-10-09
tags:
    - attack.persistence
    - attack.t1554
logsource:
    product: windows
    service: security
    definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
detection:
    selection:
        EventID: 4697
        ServiceName: HybridConnectionManager
        ServiceFileName|contains: HybridConnectionManager
    condition: selection
falsepositives:
    - Legitimate use of Hybrid Connection Manager via Azure function apps.
level: high
HybridConnectionManager Service Running
Level: high
Rule to detect the Hybrid Connection Manager service running on an endpoint.
Status: test · Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) · ID: b55d23e5-6821-44ff-8a6e-67218891e49f
Sigma YAML:
title: HybridConnectionManager Service Running
id: b55d23e5-6821-44ff-8a6e-67218891e49f
status: test
description: Rule to detect the Hybrid Connection Manager service running on an endpoint.
references:
    - https://twitter.com/Cyb3rWard0g/status/1381642789369286662
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2021-04-12
modified: 2024-08-05
tags:
    - attack.persistence
    - attack.t1554
logsource:
    product: windows
    service: microsoft-servicebus-client # Change to servicebus-client once validators are up to date
detection:
    selection:
        EventID:
            - 40300
            - 40301
            - 40302
    keywords:
        - 'HybridConnection'
        - 'sb://'
        - 'servicebus.windows.net'
        - 'HybridConnectionManage'
    condition: selection and keywords
falsepositives:
    - Legitimate use of Hybrid Connection Manager via Azure function apps.
level: high
Linux Setgid Capability Set on a Binary via Setcap Utility
Level: low
Detects the use of the 'setcap' utility to set the 'setgid' capability (cap_setgid) on a binary file. This capability allows a non-privileged process to make arbitrary manipulations of group IDs (GIDs), including setting its current GID to a value that would otherwise be restricted (i.e. GID 0, the root group). This behavior can be used by adversaries to backdoor a binary in order to escalate privileges again in the future if needed.
Status: experimental · Author: Luc Génaux · ID: 3a716279-c18c-4488-83be-f9ececbfb9fc
Sigma YAML:
title: Linux Setgid Capability Set on a Binary via Setcap Utility
id: 3a716279-c18c-4488-83be-f9ececbfb9fc
status: experimental
description: |
    Detects the use of the 'setcap' utility to set the 'setgid' capability (cap_setgid) on a binary file.
    This capability allows a non privileged process to make arbitrary manipulations of group IDs (GIDs), including setting its current GID to a value that would otherwise be restricted (i.e. GID 0, the root group).
    This behavior can be used by adversaries to backdoor a binary in order to escalate privileges again in the future if needed.
references:
    - https://man7.org/linux/man-pages/man8/setcap.8.html
    - https://dfir.ch/posts/linux_capabilities/
    - https://juggernaut-sec.com/capabilities/#cap_setgid
author: Luc Génaux
date: 2026-01-24
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1548
    - attack.t1554
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        Image|endswith: '/setcap'
        CommandLine|contains: 'cap_setgid'
    condition: selection
falsepositives:
    - Unknown
level: low
Linux Setuid Capability Set on a Binary via Setcap Utility
Level: low
Detects the use of the 'setcap' utility to set the 'setuid' capability (cap_setuid) on a binary file. This capability allows a non-privileged process to make arbitrary manipulations of user IDs (UIDs), including setting its current UID to a value that would otherwise be restricted (i.e. UID 0, the root user). This behavior can be used by adversaries to backdoor a binary in order to escalate privileges again in the future if needed.
Status: experimental · Author: Luc Génaux · ID: ed447910-bc30-4575-a598-3a2e49516a7a
Sigma YAML:
title: Linux Setuid Capability Set on a Binary via Setcap Utility
id: ed447910-bc30-4575-a598-3a2e49516a7a
status: experimental
description: |
    Detects the use of the 'setcap' utility to set the 'setuid' capability (cap_setuid) on a binary file.
    This capability allows a non privileged process to make arbitrary manipulations of user IDs (UIDs), including setting its current UID to a value that would otherwise be restricted (i.e. UID 0, the root user).
    This behavior can be used by adversaries to backdoor a binary in order to escalate privileges again in the future if needed.
references:
    - https://man7.org/linux/man-pages/man8/setcap.8.html
    - https://dfir.ch/posts/linux_capabilities/
    - https://juggernaut-sec.com/capabilities/#cap_setuid
author: Luc Génaux
date: 2026-01-24
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1548
    - attack.t1554
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        Image|endswith: '/setcap'
        CommandLine|contains: 'cap_setuid'
    condition: selection
falsepositives:
    - Unknown
level: low
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin