Phoenix
Sigma IntelligenceBeta
Rule Library

Sigma Rules

64 rules found

3,707Total
3,116Detection
451Emerging
137Hunting
Detectionmediumstable

Django Framework Exceptions

Detects suspicious Django web application framework exceptions that could indicate exploitation attempts

djangoapplication
TA0001 · Initial AccessT1190 · Exploit Public-Facing Application
Thomas PatzkeSat Aug 05application
Detectionhightest

Potential JNDI Injection Exploitation In JVM Based Application

Detects potential JNDI Injection exploitation. Often coupled with Log4Shell exploitation.

jvmapplication
TA0001 · Initial AccessT1190 · Exploit Public-Facing Application
Moti HarmatsSat Feb 11application
Detectionhightest

Potential Local File Read Vulnerability In JVM Based Application

Detects potential local file read vulnerability in JVM based apps. If the exceptions are caused due to user input and contain path traversal payloads then it's a red flag.

jvmapplication
TA0001 · Initial AccessT1190 · Exploit Public-Facing Application
Moti HarmatsSat Feb 11application
Detectionhightest

Potential OGNL Injection Exploitation In JVM Based Application

Detects potential OGNL Injection exploitation, which may lead to RCE. OGNL is an expression language that is supported in many JVM based systems. OGNL Injection is the reason for some high profile RCE's such as Apache Struts (CVE-2017-5638) and Confluence (CVE-2022-26134)

jvmapplication
TA0001 · Initial AccessT1190 · Exploit Public-Facing Applicationcve.2017-5638cve.2022-26134
Moti HarmatsSat Feb 11application
Detectionhightest

Process Execution Error In JVM Based Application

Detects process execution related exceptions in JVM based apps, often relates to RCE

jvmapplication
TA0001 · Initial AccessT1190 · Exploit Public-Facing Application
Moti HarmatsSat Feb 11application
Detectionhightest

Potential XXE Exploitation Attempt In JVM Based Application

Detects XML parsing issues, if the application expects to work with XML make sure that the parser is initialized safely.

jvmapplication
TA0001 · Initial AccessT1190 · Exploit Public-Facing Application
Moti HarmatsSat Feb 11application
Detectionlowtest

Deployment Deleted From Kubernetes Cluster

Detects the removal of a deployment from a Kubernetes cluster. This could indicate disruptive activity aiming to impact business operations.

Kubernetesapplicationaudit
T1498 · Network Denial of ServiceTA0040 · Impact
Leo TsaousisTue Mar 26application
Detectionmediumtest

Kubernetes Events Deleted

Detects when events are deleted in Kubernetes. An adversary may delete Kubernetes events in an attempt to evade detection.

Kubernetesapplicationaudit
TA0005 · Defense EvasionT1070 · Indicator Removal
Leo TsaousisTue Mar 26application
Detectionmediumtest

Potential Remote Command Execution In Pod Container

Detects attempts to execute remote commands, within a Pod's container using e.g. the "kubectl exec" command.

Kubernetesapplicationaudit
T1609 · Container Administration CommandTA0002 · Execution
Leo TsaousisTue Mar 26application
Detectionlowtest

Container With A hostPath Mount Created

Detects creation of a container with a hostPath mount. A hostPath volume mounts a directory or a file from the node to the container. Attackers who have permissions to create a new pod in the cluster may create one with a writable hostPath volume and chroot to escape to the underlying node.

Kubernetesapplicationaudit
T1611 · Escape to HostTA0004 · Privilege Escalation
Leo TsaousisTue Mar 26application
Detectionmediumtest

Creation Of Pod In System Namespace

Detects deployments of pods within the kube-system namespace, which could be intended to imitate system pods. System pods, created by controllers such as Deployments or DaemonSets have random suffixes in their names. Attackers can use this fact and name their backdoor pods as if they were created by these controllers to avoid detection. Deployment of such a backdoor container e.g. named kube-proxy-bv61v, could be attempted in the kube-system namespace alongside the other administrative containers.

Kubernetesapplicationaudit
TA0005 · Defense EvasionT1036.005 · Match Legitimate Name or Location
Leo TsaousisTue Mar 26application
Detectionlowtest

Privileged Container Deployed

Detects the creation of a "privileged" container, an action which could be indicative of a threat actor mounting a container breakout attacks. A privileged container is a container that can access the host with all of the root capabilities of the host machine. This allows it to view, interact and modify processes, network operations, IPC calls, the file system, mount points, SELinux configurations etc. as the root user on the host. Various versions of "privileged" containers can be specified, e.g. by setting the securityContext.privileged flag in the resource specification, setting non-standard Linux capabilities, or configuring the hostNetwork/hostPID fields

Kubernetesapplicationaudit
T1611 · Escape to HostTA0004 · Privilege Escalation
Leo TsaousisTue Mar 26application
Detectionlowtest

RBAC Permission Enumeration Attempt

Detects identities attempting to enumerate their Kubernetes RBAC permissions. In the early stages of a breach, attackers will aim to list the permissions they have within the compromised environment. In a Kubernetes cluster, this can be achieved by interacting with the API server, and querying the SelfSubjectAccessReview API via e.g. a "kubectl auth can-i --list" command. This will enumerate the Role-Based Access Controls (RBAC) rules defining the compromised user's authorization.

Kubernetesapplicationaudit
T1069.003 · Cloud GroupsT1087.004 · Cloud AccountTA0007 · Discovery
Leo TsaousisTue Mar 26application
Detectionlowtest

Kubernetes Secrets Enumeration

Detects enumeration of Kubernetes secrets.

Kubernetesapplicationaudit
T1552.007 · Container APITA0006 · Credential Access
Leo TsaousisTue Mar 26application
Detectionlowtest

New Kubernetes Service Account Created

Detects creation of new Kubernetes service account, which could indicate an attacker's attempt to persist within a cluster.

Kubernetesapplicationaudit
TA0003 · PersistenceT1136 · Create Account
Leo TsaousisTue Mar 26application
Detectionmediumtest

Potential Sidecar Injection Into Running Deployment

Detects attempts to inject a sidecar container into a running deployment. A sidecar container is an additional container within a pod, that resides alongside the main container. One way to add containers to running resources like Deployments/DeamonSets/StatefulSets, is via a "kubectl patch" operation. By injecting a new container within a legitimate pod, an attacker can run their code and hide their activity, instead of running their own separated pod in the cluster.

Kubernetesapplicationaudit
T1609 · Container Administration CommandTA0002 · Execution
Leo TsaousisTue Mar 26application
Detectionhightest

Potential RCE Exploitation Attempt In NodeJS

Detects process execution related errors in NodeJS. If the exceptions are caused due to user input then they may suggest an RCE vulnerability.

nodejsapplication
TA0001 · Initial AccessT1190 · Exploit Public-Facing Application
Moti HarmatsSat Feb 11application
Detectionhightest

OpenCanary - FTP Login Attempt

Detects instances where an FTP service on an OpenCanary node has had a login attempt.

opencanaryapplication
TA0001 · Initial AccessTA0010 · ExfiltrationTA0008 · Lateral MovementT1190 · Exploit Public-Facing Application+1
Security Onion SolutionsFri Mar 08application
Detectionhightest

OpenCanary - GIT Clone Request

Detects instances where a GIT service on an OpenCanary node has had Git Clone request.

opencanaryapplication
TA0009 · CollectionT1213 · Data from Information Repositories
Security Onion SolutionsFri Mar 08application
Detectionhightest

OpenCanary - HTTPPROXY Login Attempt

Detects instances where an HTTPPROXY service on an OpenCanary node has had an attempt to proxy another page.

opencanaryapplication
TA0001 · Initial AccessTA0005 · Defense EvasionTA0011 · Command and ControlT1090 · Proxy
Security Onion SolutionsFri Mar 08application
Detectionhightest

OpenCanary - HTTP GET Request

Detects instances where an HTTP service on an OpenCanary node has received a GET request.

opencanaryapplication
TA0001 · Initial AccessT1190 · Exploit Public-Facing Application
Security Onion SolutionsFri Mar 08application
Detectionhightest

OpenCanary - HTTP POST Login Attempt

Detects instances where an HTTP service on an OpenCanary node has had login attempt via Form POST.

opencanaryapplication
TA0001 · Initial AccessT1190 · Exploit Public-Facing Application
Security Onion SolutionsFri Mar 08application
Detectionhightest

OpenCanary - MSSQL Login Attempt Via SQLAuth

Detects instances where an MSSQL service on an OpenCanary node has had a login attempt using SQLAuth.

opencanaryapplication
TA0006 · Credential AccessTA0009 · CollectionT1003 · OS Credential DumpingT1213 · Data from Information Repositories
Security Onion SolutionsFri Mar 08application
Detectionhightest

OpenCanary - MSSQL Login Attempt Via Windows Authentication

Detects instances where an MSSQL service on an OpenCanary node has had a login attempt using Windows Authentication.

opencanaryapplication
TA0006 · Credential AccessTA0009 · CollectionT1003 · OS Credential DumpingT1213 · Data from Information Repositories
Security Onion SolutionsFri Mar 08application
Detectionhightest

OpenCanary - MySQL Login Attempt

Detects instances where a MySQL service on an OpenCanary node has had a login attempt.

opencanaryapplication
TA0006 · Credential AccessTA0009 · CollectionT1003 · OS Credential DumpingT1213 · Data from Information Repositories
Security Onion SolutionsFri Mar 08application
Detectionhightest

OpenCanary - NTP Monlist Request

Detects instances where an NTP service on an OpenCanary node has had a NTP monlist request.

opencanaryapplication
TA0040 · ImpactT1498 · Network Denial of Service
Security Onion SolutionsFri Mar 08application
Detectionhighexperimental

OpenCanary - NMAP FIN Scan

Detects instances where an OpenCanary node has been targeted by a NMAP FIN Scan

opencanaryapplication
TA0007 · DiscoveryT1046 · Network Service Discovery
Marco PedrinazziTue Jan 06application
Detectionhighexperimental

OpenCanary - NMAP NULL Scan

Detects instances where an OpenCanary node has been targeted by a NMAP NULL Scan

opencanaryapplication
TA0007 · DiscoveryT1046 · Network Service Discovery
Marco PedrinazziTue Jan 06application
Detectionhighexperimental

OpenCanary - NMAP OS Scan

Detects instances where an OpenCanary node has been targeted by a NMAP OS Scan

opencanaryapplication
TA0007 · DiscoveryT1046 · Network Service Discovery
Marco PedrinazziTue Jan 06application
Detectionhighexperimental

OpenCanary - NMAP XMAS Scan

Detects instances where an OpenCanary node has been targeted by a NMAP XMAS Scan

opencanaryapplication
TA0007 · DiscoveryT1046 · Network Service Discovery
Marco PedrinazziTue Jan 06application
Detectionhighexperimental

OpenCanary - Host Port Scan (SYN Scan)

Detects instances where an OpenCanary node has been targeted by a SYN port scan.

opencanaryapplication
TA0007 · DiscoveryT1046 · Network Service Discovery
Marco PedrinazziTue Jan 06application
Detectionhighexperimental

OpenCanary - RDP New Connection Attempt

Detects instances where an RDP service on an OpenCanary node has had a connection attempt.

opencanaryapplication
TA0001 · Initial AccessTA0008 · Lateral MovementT1133 · External Remote ServicesT1021.001 · Remote Desktop Protocol
Marco PedrinazziTue Jan 06application
Detectionhightest

OpenCanary - REDIS Action Command Attempt

Detects instances where a REDIS service on an OpenCanary node has had an action command attempted.

opencanaryapplication
TA0006 · Credential AccessTA0009 · CollectionT1003 · OS Credential DumpingT1213 · Data from Information Repositories
Security Onion SolutionsFri Mar 08application
Detectionhightest

OpenCanary - SIP Request

Detects instances where an SIP service on an OpenCanary node has had a SIP request.

opencanaryapplication
TA0009 · CollectionT1123 · Audio Capture
Security Onion SolutionsFri Mar 08application
Detectionhightest

OpenCanary - SMB File Open Request

Detects instances where an SMB service on an OpenCanary node has had a file open request.

opencanaryapplication
TA0008 · Lateral MovementTA0009 · CollectionT1021 · Remote ServicesT1005 · Data from Local System
Security Onion SolutionsFri Mar 08application
Detectionhightest

OpenCanary - SNMP OID Request

Detects instances where an SNMP service on an OpenCanary node has had an OID request.

opencanaryapplication
TA0007 · DiscoveryTA0008 · Lateral MovementT1016 · System Network Configuration DiscoveryT1021 · Remote Services
Security Onion SolutionsFri Mar 08application
Detectionhightest

OpenCanary - SSH Login Attempt

Detects instances where an SSH service on an OpenCanary node has had a login attempt.

opencanaryapplication
TA0004 · Privilege EscalationTA0005 · Defense EvasionTA0001 · Initial AccessTA0008 · Lateral Movement+4
Security Onion SolutionsFri Mar 08application
Detectionhightest

OpenCanary - SSH New Connection Attempt

Detects instances where an SSH service on an OpenCanary node has had a connection attempt.

opencanaryapplication
TA0004 · Privilege EscalationTA0005 · Defense EvasionTA0001 · Initial AccessTA0008 · Lateral Movement+4
Security Onion SolutionsFri Mar 08application
Detectionhightest

OpenCanary - Telnet Login Attempt

Detects instances where a Telnet service on an OpenCanary node has had a login attempt.

opencanaryapplication
TA0004 · Privilege EscalationTA0003 · PersistenceTA0005 · Defense EvasionTA0001 · Initial Access+3
Security Onion SolutionsFri Mar 08application
Detectionhightest

OpenCanary - TFTP Request

Detects instances where a TFTP service on an OpenCanary node has had a request.

opencanaryapplication
TA0010 · ExfiltrationT1041 · Exfiltration Over C2 Channel
Security Onion SolutionsFri Mar 08application
Detectionhightest

OpenCanary - VNC Connection Attempt

Detects instances where a VNC service on an OpenCanary node has had a connection attempt.

opencanaryapplication
TA0008 · Lateral MovementT1021 · Remote Services
Security Onion SolutionsFri Mar 08application
Detectionmediumstable

Python SQL Exceptions

Generic rule for SQL exceptions in Python according to PEP 249

pythonapplication
TA0001 · Initial AccessT1190 · Exploit Public-Facing Application
Thomas PatzkeSat Aug 12application
Detectionhightest

Remote Schedule Task Lateral Movement via ATSvc

Detects remote RPC calls to create or execute a scheduled task via ATSvc

rpc_firewallapplication
TA0004 · Privilege EscalationTA0008 · Lateral MovementTA0002 · ExecutionTA0003 · Persistence+2
Sagie Dulce+1Sat Jan 01application
Detectionhightest

Remote Schedule Task Recon via AtScv

Detects remote RPC calls to read information about scheduled tasks via AtScv

rpc_firewallapplication
TA0007 · Discovery
Sagie Dulce+1Sat Jan 01application
Detectionhightest

Possible DCSync Attack

Detects remote RPC calls to MS-DRSR from non DC hosts, which could indicate DCSync / DCShadow attacks.

rpc_firewallapplication
T1033 · System Owner/User DiscoveryTA0007 · Discovery
Sagie Dulce+1Sat Jan 01application
Detectionhightest

Remote Encrypting File System Abuse

Detects remote RPC calls to possibly abuse remote encryption service via MS-EFSR

rpc_firewallapplication
TA0008 · Lateral Movement
Sagie Dulce+1Sat Jan 01application
Detectionhightest

Remote Event Log Recon

Detects remote RPC calls to get event log information via EVEN or EVEN6

rpc_firewallapplication
TA0007 · Discovery
Sagie Dulce+1Sat Jan 01application
Detectionhightest

Remote Schedule Task Lateral Movement via ITaskSchedulerService

Detects remote RPC calls to create or execute a scheduled task

rpc_firewallapplication
TA0004 · Privilege EscalationTA0003 · PersistenceTA0002 · ExecutionTA0008 · Lateral Movement+2
Sagie Dulce+1Sat Jan 01application
12