Rule Library

Sigma Rules

1,701 rules found

3,707 Total · 3,116 Detection · 451 Emerging · 137 Hunting
Detection · high · test

Bitbucket Full Data Export Triggered

Detects when full data export is attempted.

bitbucket · audit
TA0009 · Collection; T1213.003 · Code Repositories
Muhammad Faisal · Sun Feb 25 · application
Detection · high · test

Bitbucket Secret Scanning Exempt Repository Added

Detects when a repository is exempted from the secret scanning feature.

bitbucket · audit
TA0005 · Defense Evasion; T1562.001 · Disable or Modify Tools
Muhammad Faisal · Sun Feb 25 · application
Detection · high · test

Outdated Dependency Or Vulnerability Alert Disabled

Dependabot performs a scan to detect insecure dependencies and sends Dependabot alerts. This rule detects when an organization owner disables Dependabot alerts for private repositories or Dependabot security updates for all repositories.

github · audit
TA0001 · Initial Access; T1195.001 · Compromise Software Dependencies and Development Tools
Muhammad Faisal · Fri Jan 27 · application
Detection · high · test

Github High Risk Configuration Disabled

Detects when a user disables a critical security feature for an organization.

github · audit
TA0006 · Credential Access; TA0005 · Defense Evasion; TA0003 · Persistence; T1556 · Modify Authentication Process
Muhammad Faisal · Sun Jan 29 · application
Detection · high · test

Github Push Protection Disabled

Detects if the push protection feature is disabled for an organization, enterprise, repositories or custom pattern rules.

github · audit
TA0005 · Defense Evasion; T1562.001 · Disable or Modify Tools
Muhammad Faisal · Thu Mar 07 · application
Detection · high · test

Github Secret Scanning Feature Disabled

Detects if the secret scanning feature is disabled for an enterprise or repository.

github · audit
TA0005 · Defense Evasion; T1562.001 · Disable or Modify Tools
Muhammad Faisal · Thu Mar 07 · application
Detection · high · test

Potential JNDI Injection Exploitation In JVM Based Application

Detects potential JNDI Injection exploitation. Often coupled with Log4Shell exploitation.

jvm · application
TA0001 · Initial Access; T1190 · Exploit Public-Facing Application
Moti Harmats · Sat Feb 11 · application
Detection · high · test

Potential Local File Read Vulnerability In JVM Based Application

Detects a potential local file read vulnerability in JVM based apps. If the exceptions are caused by user input and contain path traversal payloads, that is a red flag.

jvm · application
TA0001 · Initial Access; T1190 · Exploit Public-Facing Application
Moti Harmats · Sat Feb 11 · application
Detection · high · test

Potential OGNL Injection Exploitation In JVM Based Application

Detects potential OGNL Injection exploitation, which may lead to RCE. OGNL is an expression language that is supported in many JVM based systems. OGNL Injection is the cause of some high-profile RCEs, such as Apache Struts (CVE-2017-5638) and Confluence (CVE-2022-26134).

jvm · application
TA0001 · Initial Access; T1190 · Exploit Public-Facing Application; cve.2017-5638; cve.2022-26134
Moti Harmats · Sat Feb 11 · application
Detection · high · test

Process Execution Error In JVM Based Application

Detects process execution related exceptions in JVM based apps, which often relate to RCE.

jvm · application
TA0001 · Initial Access; T1190 · Exploit Public-Facing Application
Moti Harmats · Sat Feb 11 · application
Detection · high · test

Potential XXE Exploitation Attempt In JVM Based Application

Detects XML parsing issues. If the application is expected to work with XML, make sure that the parser is initialized safely.

jvm · application
TA0001 · Initial Access; T1190 · Exploit Public-Facing Application
Moti Harmats · Sat Feb 11 · application
Detection · high · test

Potential RCE Exploitation Attempt In NodeJS

Detects process execution related errors in NodeJS. If the exceptions are caused by user input, they may suggest an RCE vulnerability.

nodejs · application
TA0001 · Initial Access; T1190 · Exploit Public-Facing Application
Moti Harmats · Sat Feb 11 · application
Detection · high · test

OpenCanary - FTP Login Attempt

Detects instances where an FTP service on an OpenCanary node has had a login attempt.

opencanary · application
TA0001 · Initial Access; TA0010 · Exfiltration; TA0008 · Lateral Movement; T1190 · Exploit Public-Facing Application (+1 more)
Security Onion Solutions · Fri Mar 08 · application
Detection · high · test

OpenCanary - GIT Clone Request

Detects instances where a GIT service on an OpenCanary node has had a Git clone request.

opencanary · application
TA0009 · Collection; T1213 · Data from Information Repositories
Security Onion Solutions · Fri Mar 08 · application
Detection · high · test

OpenCanary - HTTPPROXY Login Attempt

Detects instances where an HTTPPROXY service on an OpenCanary node has had an attempt to proxy another page.

opencanary · application
TA0001 · Initial Access; TA0005 · Defense Evasion; TA0011 · Command and Control; T1090 · Proxy
Security Onion Solutions · Fri Mar 08 · application
Detection · high · test

OpenCanary - HTTP GET Request

Detects instances where an HTTP service on an OpenCanary node has received a GET request.

opencanary · application
TA0001 · Initial Access; T1190 · Exploit Public-Facing Application
Security Onion Solutions · Fri Mar 08 · application
Detection · high · test

OpenCanary - HTTP POST Login Attempt

Detects instances where an HTTP service on an OpenCanary node has had a login attempt via form POST.

opencanary · application
TA0001 · Initial Access; T1190 · Exploit Public-Facing Application
Security Onion Solutions · Fri Mar 08 · application
Detection · high · test

OpenCanary - MSSQL Login Attempt Via SQLAuth

Detects instances where an MSSQL service on an OpenCanary node has had a login attempt using SQLAuth.

opencanary · application
TA0006 · Credential Access; TA0009 · Collection; T1003 · OS Credential Dumping; T1213 · Data from Information Repositories
Security Onion Solutions · Fri Mar 08 · application
Detection · high · test

OpenCanary - MSSQL Login Attempt Via Windows Authentication

Detects instances where an MSSQL service on an OpenCanary node has had a login attempt using Windows Authentication.

opencanary · application
TA0006 · Credential Access; TA0009 · Collection; T1003 · OS Credential Dumping; T1213 · Data from Information Repositories
Security Onion Solutions · Fri Mar 08 · application
Detection · high · test

OpenCanary - MySQL Login Attempt

Detects instances where a MySQL service on an OpenCanary node has had a login attempt.

opencanary · application
TA0006 · Credential Access; TA0009 · Collection; T1003 · OS Credential Dumping; T1213 · Data from Information Repositories
Security Onion Solutions · Fri Mar 08 · application
Detection · high · test

OpenCanary - NTP Monlist Request

Detects instances where an NTP service on an OpenCanary node has had an NTP monlist request.

opencanary · application
TA0040 · Impact; T1498 · Network Denial of Service
Security Onion Solutions · Fri Mar 08 · application
Detection · high · experimental

OpenCanary - NMAP FIN Scan

Detects instances where an OpenCanary node has been targeted by an NMAP FIN scan.

opencanary · application
TA0007 · Discovery; T1046 · Network Service Discovery
Marco Pedrinazzi · Tue Jan 06 · application
Detection · high · experimental

OpenCanary - NMAP NULL Scan

Detects instances where an OpenCanary node has been targeted by an NMAP NULL scan.

opencanary · application
TA0007 · Discovery; T1046 · Network Service Discovery
Marco Pedrinazzi · Tue Jan 06 · application
Detection · high · experimental

OpenCanary - NMAP OS Scan

Detects instances where an OpenCanary node has been targeted by an NMAP OS scan.

opencanary · application
TA0007 · Discovery; T1046 · Network Service Discovery
Marco Pedrinazzi · Tue Jan 06 · application
Detection · high · experimental

OpenCanary - NMAP XMAS Scan

Detects instances where an OpenCanary node has been targeted by an NMAP XMAS scan.

opencanary · application
TA0007 · Discovery; T1046 · Network Service Discovery
Marco Pedrinazzi · Tue Jan 06 · application
Detection · high · experimental

OpenCanary - Host Port Scan (SYN Scan)

Detects instances where an OpenCanary node has been targeted by a SYN port scan.

opencanary · application
TA0007 · Discovery; T1046 · Network Service Discovery
Marco Pedrinazzi · Tue Jan 06 · application
Detection · high · experimental

OpenCanary - RDP New Connection Attempt

Detects instances where an RDP service on an OpenCanary node has had a connection attempt.

opencanary · application
TA0001 · Initial Access; TA0008 · Lateral Movement; T1133 · External Remote Services; T1021.001 · Remote Desktop Protocol
Marco Pedrinazzi · Tue Jan 06 · application
Detection · high · test

OpenCanary - REDIS Action Command Attempt

Detects instances where a REDIS service on an OpenCanary node has had an action command attempted.

opencanary · application
TA0006 · Credential Access; TA0009 · Collection; T1003 · OS Credential Dumping; T1213 · Data from Information Repositories
Security Onion Solutions · Fri Mar 08 · application
Detection · high · test

OpenCanary - SIP Request

Detects instances where a SIP service on an OpenCanary node has had a SIP request.

opencanary · application
TA0009 · Collection; T1123 · Audio Capture
Security Onion Solutions · Fri Mar 08 · application
Detection · high · test

OpenCanary - SMB File Open Request

Detects instances where an SMB service on an OpenCanary node has had a file open request.

opencanary · application
TA0008 · Lateral Movement; TA0009 · Collection; T1021 · Remote Services; T1005 · Data from Local System
Security Onion Solutions · Fri Mar 08 · application
Detection · high · test

OpenCanary - SNMP OID Request

Detects instances where an SNMP service on an OpenCanary node has had an OID request.

opencanary · application
TA0007 · Discovery; TA0008 · Lateral Movement; T1016 · System Network Configuration Discovery; T1021 · Remote Services
Security Onion Solutions · Fri Mar 08 · application
Detection · high · test

OpenCanary - SSH Login Attempt

Detects instances where an SSH service on an OpenCanary node has had a login attempt.

opencanary · application
TA0004 · Privilege Escalation; TA0005 · Defense Evasion; TA0001 · Initial Access; TA0008 · Lateral Movement (+4 more)
Security Onion Solutions · Fri Mar 08 · application
Detection · high · test

OpenCanary - SSH New Connection Attempt

Detects instances where an SSH service on an OpenCanary node has had a connection attempt.

opencanary · application
TA0004 · Privilege Escalation; TA0005 · Defense Evasion; TA0001 · Initial Access; TA0008 · Lateral Movement (+4 more)
Security Onion Solutions · Fri Mar 08 · application
Detection · high · test

OpenCanary - Telnet Login Attempt

Detects instances where a Telnet service on an OpenCanary node has had a login attempt.

opencanary · application
TA0004 · Privilege Escalation; TA0003 · Persistence; TA0005 · Defense Evasion; TA0001 · Initial Access (+3 more)
Security Onion Solutions · Fri Mar 08 · application
Detection · high · test

OpenCanary - TFTP Request

Detects instances where a TFTP service on an OpenCanary node has had a request.

opencanary · application
TA0010 · Exfiltration; T1041 · Exfiltration Over C2 Channel
Security Onion Solutions · Fri Mar 08 · application
Detection · high · test

OpenCanary - VNC Connection Attempt

Detects instances where a VNC service on an OpenCanary node has had a connection attempt.

opencanary · application
TA0008 · Lateral Movement; T1021 · Remote Services
Security Onion Solutions · Fri Mar 08 · application
Detection · high · test

Remote Schedule Task Lateral Movement via ATSvc

Detects remote RPC calls to create or execute a scheduled task via ATSvc.

rpc_firewall · application
TA0004 · Privilege Escalation; TA0008 · Lateral Movement; TA0002 · Execution; TA0003 · Persistence (+2 more)
Sagie Dulce (+1 more) · Sat Jan 01 · application
Detection · high · test

Remote Schedule Task Recon via ATSvc

Detects remote RPC calls to read information about scheduled tasks via ATSvc.

rpc_firewall · application
TA0007 · Discovery
Sagie Dulce (+1 more) · Sat Jan 01 · application
Detection · high · test

Possible DCSync Attack

Detects remote RPC calls to MS-DRSR from non-DC hosts, which could indicate DCSync / DCShadow attacks.

rpc_firewall · application
T1033 · System Owner/User Discovery; TA0007 · Discovery
Sagie Dulce (+1 more) · Sat Jan 01 · application
Detection · high · test

Remote Encrypting File System Abuse

Detects remote RPC calls that possibly abuse the remote encryption service via MS-EFSR.

rpc_firewall · application
TA0008 · Lateral Movement
Sagie Dulce (+1 more) · Sat Jan 01 · application
Detection · high · test

Remote Event Log Recon

Detects remote RPC calls to get event log information via EVEN or EVEN6.

rpc_firewall · application
TA0007 · Discovery
Sagie Dulce (+1 more) · Sat Jan 01 · application
Detection · high · test

Remote Schedule Task Lateral Movement via ITaskSchedulerService

Detects remote RPC calls to create or execute a scheduled task.

rpc_firewall · application
TA0004 · Privilege Escalation; TA0003 · Persistence; TA0002 · Execution; TA0008 · Lateral Movement (+2 more)
Sagie Dulce (+1 more) · Sat Jan 01 · application
Detection · high · test

Remote Schedule Task Recon via ITaskSchedulerService

Detects remote RPC calls to read information about scheduled tasks.

rpc_firewall · application
TA0007 · Discovery
Sagie Dulce (+1 more) · Sat Jan 01 · application
Detection · high · test

Remote Printing Abuse for Lateral Movement

Detects remote RPC calls that possibly abuse the remote printing service via MS-RPRN / MS-PAR.

rpc_firewall · application
TA0008 · Lateral Movement
Sagie Dulce (+1 more) · Sat Jan 01 · application
Detection · high · test

Remote DCOM/WMI Lateral Movement

Detects remote RPC calls that perform remote DCOM operations. These could be abused for lateral movement via DCOM or WMI.

rpc_firewall · application
TA0008 · Lateral Movement; TA0002 · Execution; T1021.003 · Distributed Component Object Model; T1047 · Windows Management Instrumentation
Sagie Dulce (+1 more) · Sat Jan 01 · application
Detection · high · test

Remote Registry Lateral Movement

Detects remote RPC calls to modify the registry and possibly execute code.

rpc_firewall · application
TA0005 · Defense Evasion; TA0008 · Lateral Movement; T1112 · Modify Registry; TA0003 · Persistence
Sagie Dulce (+1 more) · Sat Jan 01 · application
Detection · high · test

Remote Registry Recon

Detects remote RPC calls to collect information.

rpc_firewall · application
TA0007 · Discovery
Sagie Dulce (+1 more) · Sat Jan 01 · application
Detection · high · test

Remote Server Service Abuse

Detects remote RPC calls that possibly abuse the remote encryption service via MS-SRVS.

rpc_firewall · application
TA0008 · Lateral Movement
Sagie Dulce (+1 more) · Sat Jan 01 · application