Sigma detection rules

4 rules indexed · SIEM-agnostic detection content
Sigma is the open generic signature format for SIEM systems. Each rule below converts to native syntax for Splunk, Elastic, Sentinel, and other SIEMs. Expand any rule to see its raw YAML.

Detection rules

Activity from Anonymous IP Addresses
Detects when Microsoft Cloud App Security reports that users were active from an IP address that has been identified as an anonymous proxy IP address.
Level: medium · Status: test · Author: Austin Songer @austinsonger · ID: d8b0a4fe-07a8-41be-bd39-b14afa025d95
Sigma YAML:
title: Activity from Anonymous IP Addresses
id: d8b0a4fe-07a8-41be-bd39-b14afa025d95
status: test
description: Detects when a Microsoft Cloud App Security reported when users were active from an IP address that has been identified as an anonymous proxy IP address.
references:
    - https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy
    - https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference
author: Austin Songer @austinsonger
date: 2021-08-23
modified: 2022-10-09
tags:
    - attack.command-and-control
    - attack.t1573
logsource:
    service: threat_management
    product: m365
detection:
    selection:
        eventSource: SecurityComplianceCenter
        eventName: 'Activity from anonymous IP addresses'
        status: success
    condition: selection
falsepositives:
    - User using a VPN or Proxy
level: medium
Activity from Infrequent Country
Detects when Microsoft Cloud App Security reports an activity from a location that was not recently visited, or was never visited, by any user in the organization.
Level: medium · Status: test · Author: Austin Songer @austinsonger · ID: 0f2468a2-5055-4212-a368-7321198ee706
Sigma YAML:
title: Activity from Infrequent Country
id: 0f2468a2-5055-4212-a368-7321198ee706
status: test
description: Detects when a Microsoft Cloud App Security reported when an activity occurs from a location that wasn't recently or never visited by any user in the organization.
references:
    - https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy
    - https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference
author: Austin Songer @austinsonger
date: 2021-08-23
modified: 2022-10-09
tags:
    - attack.command-and-control
    - attack.t1573
logsource:
    service: threat_management
    product: m365
detection:
    selection:
        eventSource: SecurityComplianceCenter
        eventName: 'Activity from infrequent country'
        status: success
    condition: selection
falsepositives:
    - Unknown
level: medium
Activity from Suspicious IP Addresses
Detects when Microsoft Cloud App Security reports that users were active from an IP address identified as risky by Microsoft Threat Intelligence. These IP addresses are involved in malicious activities, such as botnet C&C, and may indicate a compromised account.
Level: medium · Status: test · Author: Austin Songer @austinsonger · ID: a3501e8e-af9e-43c6-8cd6-9360bdaae498
Sigma YAML:
title: Activity from Suspicious IP Addresses
id: a3501e8e-af9e-43c6-8cd6-9360bdaae498
status: test
description: |
  Detects when a Microsoft Cloud App Security reported users were active from an IP address identified as risky by Microsoft Threat Intelligence.
  These IP addresses are involved in malicious activities, such as Botnet C&C, and may indicate compromised account.
references:
    - https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy
    - https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference
author: Austin Songer @austinsonger
date: 2021-08-23
modified: 2022-10-09
tags:
    - attack.command-and-control
    - attack.t1573
logsource:
    service: threat_detection
    product: m365
detection:
    selection:
        eventSource: SecurityComplianceCenter
        eventName: 'Activity from suspicious IP addresses'
        status: success
    condition: selection
falsepositives:
    - Unknown
level: medium
Suspicious SSL Connection
Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol.
Level: low · Status: test · Author: frack113 · ID: 195626f3-5f1b-4403-93b7-e6cfd4d6a078
Sigma YAML:
title: Suspicious SSL Connection
id: 195626f3-5f1b-4403-93b7-e6cfd4d6a078
status: test
description: Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1573/T1573.md#atomic-test-1---openssl-c2
    - https://medium.com/walmartglobaltech/openssl-server-reverse-shell-from-windows-client-aee2dbfa0926
author: frack113
date: 2022-01-23
tags:
    - attack.command-and-control
    - attack.t1573
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains|all:
            - System.Net.Security.SslStream
            - Net.Security.RemoteCertificateValidationCallback
            - '.AuthenticateAsClient'
    condition: selection
falsepositives:
    - Legitimate administrative script
level: low
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin