Sigma detection rules

5 rules indexed · SIEM-agnostic detection content
Sigma is the open generic signature format for SIEM systems. Each rule below converts to native syntax for Splunk, Elastic, Sentinel, and other SIEMs. Expand any rule to see its raw YAML.

Detection rules

Potentially Suspicious Malware Callback Communication
level: high · status: test · author: Florian Roth (Nextron Systems) · id: 4b89abaa-99fe-4232-afdd-8f9aa4d20382
Detects programs that connect to known malware callback ports based on statistical analysis from two different sandbox system databases
Sigma YAML:
title: Potentially Suspicious Malware Callback Communication
id: 4b89abaa-99fe-4232-afdd-8f9aa4d20382
related:
    - id: 6d8c3d20-a5e1-494f-8412-4571d716cf5c
      type: similar
status: test
description: |
    Detects programs that connect to known malware callback ports based on statistical analysis from two different sandbox system databases
references:
    - https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo
author: Florian Roth (Nextron Systems)
date: 2017-03-19
modified: 2024-03-12
tags:
    - attack.persistence
    - attack.command-and-control
    - attack.t1571
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Initiated: 'true'
        DestinationPort:
            - 100
            - 198
            - 200
            - 243
            - 473
            - 666
            - 700
            - 743
            - 777
            - 1443
            - 1515
            - 1777
            - 1817
            - 1904
            - 1960
            - 2443
            - 2448
            - 3360
            - 3675
            - 3939
            - 4040
            - 4433
            - 4438
            - 4443
            - 4444
            - 4455
            - 5445
            - 5552
            - 5649
            - 6625
            - 7210
            - 7777
            - 8143
            - 8843
            - 9631
            - 9943
            - 10101
            - 12102
            - 12103
            - 12322
            - 13145
            - 13394
            - 13504
            - 13505
            - 13506
            - 13507
            - 14102
            - 14103
            - 14154
            - 49180
            - 65520
            - 65535
    filter_main_local_ranges:
        DestinationIp|cidr:
            - '127.0.0.0/8'
            - '10.0.0.0/8'
            - '172.16.0.0/12'
            - '192.168.0.0/16'
            - '169.254.0.0/16'
            - '::1/128'  # IPv6 loopback
            - 'fe80::/10'  # IPv6 link-local addresses
            - 'fc00::/7'  # IPv6 private addresses
    filter_optional_sys_directories:
        Image|startswith:
            - 'C:\Program Files\'
            - 'C:\Program Files (x86)\'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: high
Potentially Suspicious Malware Callback Communication - Linux
level: high · status: test · author: hasselj · id: dbfc7c98-04ab-4ab7-aa94-c74d22aa7376
Detects programs that connect to known malware callback ports based on threat intelligence reports.
Sigma YAML:
title: Potentially Suspicious Malware Callback Communication - Linux
id: dbfc7c98-04ab-4ab7-aa94-c74d22aa7376
related:
    - id: 4b89abaa-99fe-4232-afdd-8f9aa4d20382
      type: derived
status: test
description: |
    Detects programs that connect to known malware callback ports based on threat intelligence reports.
references:
    - https://www.mandiant.com/resources/blog/triton-actor-ttp-profile-custom-attack-tools-detections
    - https://www.mandiant.com/resources/blog/ukraine-and-sandworm-team
    - https://www.elastic.co/guide/en/security/current/potential-non-standard-port-ssh-connection.html
    - https://thehackernews.com/2024/01/systembc-malwares-c2-server-analysis.html
    - https://www.cybereason.com/blog/sliver-c2-leveraged-by-many-threat-actors
author: hasselj
date: 2024-05-10
tags:
    - attack.persistence
    - attack.command-and-control
    - attack.t1571
logsource:
    category: network_connection
    product: linux
detection:
    selection:
        Initiated: 'true'
        DestinationPort:
            - 888
            - 999
            - 2200
            - 2222
            - 4000
            - 4444
            - 6789
            - 8531
            - 50501
            - 51820
    filter_main_local_ranges:
        DestinationIp|cidr:
            - '127.0.0.0/8'
            - '10.0.0.0/8'
            - '172.16.0.0/12'
            - '192.168.0.0/16'
            - '169.254.0.0/16'
            - '::1/128'         # IPv6 loopback
            - 'fe80::/10'       # IPv6 link-local addresses
            - 'fc00::/7'        # IPv6 private addresses
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high
Communication To Uncommon Destination Ports
level: medium · status: test · author: Florian Roth (Nextron Systems) · id: 6d8c3d20-a5e1-494f-8412-4571d716cf5c
Detects programs that connect to uncommon destination ports
Sigma YAML:
title: Communication To Uncommon Destination Ports
id: 6d8c3d20-a5e1-494f-8412-4571d716cf5c
related:
    - id: 4b89abaa-99fe-4232-afdd-8f9aa4d20382
      type: similar
status: test
description: Detects programs that connect to uncommon destination ports
references:
    - https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo
author: Florian Roth (Nextron Systems)
date: 2017-03-19
modified: 2024-03-12
tags:
    - attack.persistence
    - attack.command-and-control
    - attack.t1571
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Initiated: 'true'
        DestinationPort:
            - 8080
            - 8888
    filter_main_local_ranges:
        DestinationIp|cidr:
            - '127.0.0.0/8'
            - '10.0.0.0/8'
            - '172.16.0.0/12'
            - '192.168.0.0/16'
            - '169.254.0.0/16'
            - '::1/128'  # IPv6 loopback
            - 'fe80::/10'  # IPv6 link-local addresses
            - 'fc00::/7'  # IPv6 private addresses
    filter_optional_sys_directories:
        Image|startswith:
            - 'C:\Program Files\'
            - 'C:\Program Files (x86)\'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: medium
Suspicious DNS Z Flag Bit Set
level: medium · status: test · author: @neu5ron, SOC Prime Team, Corelight · id: ede05abc-2c9e-4624-9944-9ff17fdc0bf5
The DNS Z flag is a bit within the DNS protocol header that is, per the IETF design, meant to be reserved (unused). Although recently it has been used in DNSSec, the value being set to anything other than 0 should be rare. Otherwise, if it is set to non-0 and DNSSec is being used, then excluding the legitimate domains is low effort and high reward. Determine if multiple of these files were accessed in a short period of time to further enhance the possibility of seeing if this was a one-off or the possibility of larger sensitive file gathering. This Sigma query is designed to accompany the Corelight Threat Hunting Guide, which can be found here: https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs
Sigma YAML:
title: Suspicious DNS Z Flag Bit Set
id: ede05abc-2c9e-4624-9944-9ff17fdc0bf5
status: test
description: |
    The DNS Z flag is a bit within the DNS protocol header that is, per the IETF design, meant to be reserved (unused).
    Although recently it has been used in DNSSec, the value being set to anything other than 0 should be rare.
    Otherwise, if it is set to non-0 and DNSSec is being used, then excluding the legitimate domains is low effort and high reward.
    Determine if multiple of these files were accessed in a short period of time to further enhance the possibility of seeing if this was a one-off or the possibility of larger sensitive file gathering.
    This Sigma query is designed to accompany the Corelight Threat Hunting Guide, which can be found here: https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs
references:
    - https://twitter.com/neu5ron/status/1346245602502443009
    - https://tdm.socprime.com/tdm/info/eLbyj4JjI15v#sigma
    - https://tools.ietf.org/html/rfc2929#section-2.1
    - https://www.netresec.com/?page=Blog&month=2021-01&post=Finding-Targeted-SUNBURST-Victims-with-pDNS
author: '@neu5ron, SOC Prime Team, Corelight'
date: 2021-05-04
modified: 2022-11-29
tags:
    - attack.t1095
    - attack.t1571
    - attack.command-and-control
logsource:
    product: zeek
    service: dns
detection:
    z_flag_unset:
        Z: 0
    most_probable_valid_domain:
        query|contains: '.'
    exclude_tlds:
        query|endswith:
            - '.arpa'
            - '.local'
            - '.ultradns.net'
            - '.twtrdns.net'
            - '.azuredns-prd.info'
            - '.azure-dns.com'
            - '.azuredns-ff.info'
            - '.azuredns-ff.org'
            - '.azuregov-dns.org'
    exclude_query_types:
        qtype_name:
            - 'ns'
            - 'mx'
    exclude_responses:
        answers|endswith: '\\x00'
    exclude_netbios:
        id.resp_p:
            - 137
            - 138
            - 139
    condition: not z_flag_unset and most_probable_valid_domain and not (exclude_tlds or exclude_query_types or exclude_responses or exclude_netbios)
falsepositives:
    - 'Internal or legitimate external domains using DNSSec. Verify if these are legitimate DNSSec domains and then exclude them.'
    - 'If you work in a Public Sector then it may be good to exclude things like endswith ".edu", ".gov" and or ".mil"'
level: medium
Testing Usage of Uncommonly Used Port
level: medium · status: test · author: frack113 · id: adf876b3-f1f8-4aa9-a4e4-a64106feec06
Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088 (Citation: Symantec Elfin Mar 2019) or port 587 (Citation: Fortinet Agent Tesla April 2018) as opposed to the traditional port 443.
Sigma YAML:
title: Testing Usage of Uncommonly Used Port
id: adf876b3-f1f8-4aa9-a4e4-a64106feec06
status: test
description: |
    Adversaries may communicate using a protocol and port pairing that are typically not associated.
    For example, HTTPS over port 8088 (Citation: Symantec Elfin Mar 2019) or port 587 (Citation: Fortinet Agent Tesla April 2018) as opposed to the traditional port 443.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1571/T1571.md#atomic-test-1---testing-usage-of-uncommonly-used-port-with-powershell
    - https://learn.microsoft.com/en-us/powershell/module/nettcpip/test-netconnection?view=windowsserver2022-ps
author: frack113
date: 2022-01-23
tags:
    - attack.command-and-control
    - attack.t1571
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains|all:
            - Test-NetConnection
            - '-ComputerName '
            - '-port '
    filter:
        ScriptBlockText|contains:
            - ' 443 '
            - ' 80 '
    condition: selection and not filter
falsepositives:
    - Legitimate administrative script
level: medium
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin