Home/Sigma rules
Sigma

Sigma detection rules

5 rules indexed · SIEM-agnostic detection content
Sigma is the open generic signature format for SIEM systems. Each rule below converts to native syntax for Splunk, Elastic, Sentinel, and other SIEMs. Expand any rule to see its raw YAML.
Severity critical high medium low all severities

Detection rules

5 shown of 5
critical
HackTool - SharpUp PrivEsc Tool Execution
Detects the use of SharpUp, a tool for local privilege escalation
status test author Florian Roth (Nextron Systems) id c484e533-ee16-4a93-b6ac-f0ea4868b2f1
view Sigma YAML 
title: HackTool - SharpUp PrivEsc Tool Execution
id: c484e533-ee16-4a93-b6ac-f0ea4868b2f1
status: test
description: Detects the use of SharpUp, a tool for local privilege escalation
references:
    - https://github.com/GhostPack/SharpUp
author: Florian Roth (Nextron Systems)
date: 2022-08-20
modified: 2023-02-13
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.discovery
    - attack.execution
    - attack.stealth
    - attack.t1615
    - attack.t1569.002
    - attack.t1574.005
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '\SharpUp.exe'
        - Description: 'SharpUp'
        - CommandLine|contains:
              - 'HijackablePaths'
              - 'UnquotedServicePath'
              - 'ProcessDLLHijack'
              - 'ModifiableServiceBinaries'
              - 'ModifiableScheduledTask'
              - 'DomainGPPPassword'
              - 'CachedGPPPassword'
    condition: selection
falsepositives:
    - Unknown
level: critical
high
Suspicious Reconnaissance Activity Via GatherNetworkInfo.VBS
Detects execution of the built-in script located in "C:\Windows\System32\gatherNetworkInfo.vbs". Which can be used to gather information about the target machine
status test author Nasreddine Bencherchali (Nextron Systems) id 07aa184a-870d-413d-893a-157f317f6f58
view Sigma YAML 
title: Suspicious Reconnaissance Activity Via GatherNetworkInfo.VBS
id: 07aa184a-870d-413d-893a-157f317f6f58
related:
    - id: f92a6f1e-a512-4a15-9735-da09e78d7273 # FileCreate
      type: similar
    - id: 575dce0c-8139-4e30-9295-1ee75969f7fe # ProcCreation LOLBIN
      type: similar
status: test
description: Detects execution of the built-in script located in "C:\Windows\System32\gatherNetworkInfo.vbs". Which can be used to gather information about the target machine
references:
    - https://posts.slayerlabs.com/living-off-the-land/#gathernetworkinfovbs
    - https://www.mandiant.com/resources/blog/trojanized-windows-installers-ukrainian-government
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-08
tags:
    - attack.discovery
    - attack.execution
    - attack.t1615
    - attack.t1059.005
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains: 'gatherNetworkInfo.vbs'
    filter:
        Image|endswith:
            - '\cscript.exe'
            - '\wscript.exe'
    condition: selection and not filter
falsepositives:
    - Unknown
level: high
medium
Gpresult Display Group Policy Information
Detects cases in which a user uses the built-in Windows utility gpresult to display the Resultant Set of Policy (RSoP) information
status test author frack113 id e56d3073-83ff-4021-90fe-c658e0709e72
view Sigma YAML 
title: Gpresult Display Group Policy Information
id: e56d3073-83ff-4021-90fe-c658e0709e72
status: test
description: Detects cases in which a user uses the built-in Windows utility gpresult to display the Resultant Set of Policy (RSoP) information
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1615/T1615.md
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/gpresult
    - https://unit42.paloaltonetworks.com/emissary-trojan-changelog-did-operation-lotus-blossom-cause-it-to-evolve/
    - https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf
author: frack113
date: 2022-05-01
tags:
    - attack.discovery
    - attack.t1615
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        Image|endswith: '\gpresult.exe'
        CommandLine|contains:
            - '/z'
            - '/v'
    condition: selection
falsepositives:
    - Unknown
level: medium
simulation:
    - type: atomic-red-team
      name: Display group policy information via gpresult
      technique: T1615
      atomic_guid: 0976990f-53b1-4d3f-a185-6df5be429d3b
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_gpresult_execution/info.yml
medium
Potential Reconnaissance Activity Via GatherNetworkInfo.VBS
Detects execution of the built-in script located in "C:\Windows\System32\gatherNetworkInfo.vbs". Which can be used to gather information about the target machine
status test author blueteamer8699 id 575dce0c-8139-4e30-9295-1ee75969f7fe
view Sigma YAML 
title: Potential Reconnaissance Activity Via GatherNetworkInfo.VBS
id: 575dce0c-8139-4e30-9295-1ee75969f7fe
related:
    - id: f92a6f1e-a512-4a15-9735-da09e78d7273 # FileCreate
      type: similar
    - id: 07aa184a-870d-413d-893a-157f317f6f58 # ProcCreation Susp
      type: similar
status: test
description: Detects execution of the built-in script located in "C:\Windows\System32\gatherNetworkInfo.vbs". Which can be used to gather information about the target machine
references:
    - https://posts.slayerlabs.com/living-off-the-land/#gathernetworkinfovbs
    - https://www.mandiant.com/resources/blog/trojanized-windows-installers-ukrainian-government
author: blueteamer8699
date: 2022-01-03
modified: 2023-02-08
tags:
    - attack.discovery
    - attack.execution
    - attack.t1615
    - attack.t1059.005
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\cscript.exe'
              - '\wscript.exe'
        - OriginalFileName:
              - 'cscript.exe'
              - 'wscript.exe'
    selection_cli:
        CommandLine|contains: 'gatherNetworkInfo.vbs'
    condition: all of selection_*
falsepositives:
    - Administrative activity
level: medium
low
Suspicious GPO Discovery With Get-GPO
Detect use of Get-GPO to get one GPO or all the GPOs in a domain.
status test author frack113 id eb2fd349-ec67-4caa-9143-d79c7fb34441
view Sigma YAML 
title: Suspicious GPO Discovery With Get-GPO
id: eb2fd349-ec67-4caa-9143-d79c7fb34441
status: test
description: Detect use of Get-GPO to get one GPO or all the GPOs in a domain.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1615/T1615.md
    - https://learn.microsoft.com/en-us/powershell/module/grouppolicy/get-gpo?view=windowsserver2022-ps
author: frack113
date: 2022-06-04
tags:
    - attack.discovery
    - attack.t1615
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains: Get-GPO
    condition: selection
falsepositives:
    - Legitimate PowerShell scripts
level: low
Showing 1-5 of 5
Prev 1 Next
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin