Sigma Rules
334 rules found
Screen Capture with Import Tool
Detects adversary creating screen capture of a desktop with Import Tool. Highly recommended using rule on servers, due to high usage of screenshot utilities on user workstations. ImageMagick must be installed.
Screen Capture with Xwd
Detects adversary creating screen capture of a full with xwd. Highly recommended using rule on servers, due high usage of screenshot utilities on user workstations
Steganography Hide Files with Steghide
Detects embedding of files with usage of steghide binary, the adversaries may use this technique to prevent the detection of hidden information.
Steganography Extract Files with Steghide
Detects extraction of files with usage of steghide binary, the adversaries may use this technique to prevent the detection of hidden information.
Service Reload or Start - Linux
Detects the start, reload or restart of a service.
Steganography Unzip Hidden Information From Picture File
Detects extracting of zip file from image file
System Owner or User Discovery - Linux
Detects the execution of host or user discovery utilities such as "whoami", "hostname", "id", etc. Adversaries may use the information from System Owner/User Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Audio Capture
Detects attempts to record audio using the arecord and ecasound utilities.
Password Policy Discovery - Linux
Detects password policy discovery commands
System Information Discovery - Auditd
Detects System Information Discovery commands
Use Of Hidden Paths Or Files
Detects calls to hidden files or files located in hidden directories in NIX systems.
Linux Network Service Scanning - Auditd
Detects enumeration of local or remote network services.
Split A File Into Pieces - Linux
Detection use of the command "split" to split files into parts and possible transfer.
System Info Discovery via Sysinfo Syscall
Detects use of the sysinfo system call in Linux, which provides a snapshot of key system statistics such as uptime, load averages, memory usage, and the number of running processes. Malware or reconnaissance tools might leverage sysinfo to fingerprint the system - gathering data to determine if it's a viable target.
Special File Creation via Mknod Syscall
Detects usage of the `mknod` syscall to create special files (e.g., character or block devices). Attackers or malware might use `mknod` to create fake devices, interact with kernel interfaces, or establish covert channels in Linux systems. Monitoring the use of `mknod` is important because this syscall is rarely used by legitimate applications, and it can be abused to bypass file system restrictions or create backdoors.
Remote File Copy
Detects the use of tools that copy files from or to remote systems
Potentially Suspicious Shell Script Creation in Profile Folder
Detects the creation of shell scripts under the "profile.d" path.
Scheduled Task/Job At
Detects the use of at/atd which are utilities that are used to schedule tasks. They are often abused by adversaries to maintain persistence or to perform task scheduling for initial or recurring execution of malicious code
Decode Base64 Encoded Text
Detects usage of base64 utility to decode arbitrary base64-encoded text
Bash Interactive Shell
Detects execution of the bash shell with the interactive flag "-i".
Capabilities Discovery - Linux
Detects usage of "getcap" binary. This is often used during recon activity to determine potential binaries that can be abused as GTFOBins or other.
Linux Setgid Capability Set on a Binary via Setcap Utility
Detects the use of the 'setcap' utility to set the 'setgid' capability (cap_setgid) on a binary file. This capability allows a non privileged process to make arbitrary manipulations of group IDs (GIDs), including setting its current GID to a value that would otherwise be restricted (i.e. GID 0, the root group). This behavior can be used by adversaries to backdoor a binary in order to escalate privileges again in the future if needed.
Linux Setuid Capability Set on a Binary via Setcap Utility
Detects the use of the 'setcap' utility to set the 'setuid' capability (cap_setuid) on a binary file. This capability allows a non privileged process to make arbitrary manipulations of user IDs (UIDs), including setting its current UID to a value that would otherwise be restricted (i.e. UID 0, the root user). This behavior can be used by adversaries to backdoor a binary in order to escalate privileges again in the future if needed.
Linux Sudo Chroot Execution
Detects the execution of 'sudo' command with '--chroot' option, which is used to change the root directory for command execution. Attackers may use this technique to evade detection and execute commands in a modified environment. This can be part of a privilege escalation strategy, as it allows the execution of commands with elevated privileges in a controlled environment as seen in CVE-2025-32463. While investigating, look out for unusual or unexpected use of 'sudo --chroot' in conjunction with other commands or scripts such as execution from temporary directories or unusual user accounts.
Clipboard Collection with Xclip Tool
Detects attempts to collect data stored in the clipboard from users with the usage of xclip tool. Xclip has to be installed. Highly recommended using rule on servers, due to high usage of clipboard utilities on user workstations.
Crontab Enumeration
Detects usage of crontab to list the tasks of the user
Curl Usage on Linux
Detects a curl process start on linux, which indicates a file download from a remote location or a simple web request to a remote server
DD File Overwrite
Detects potential overwriting and deletion of a file using DD.
Linux Doas Tool Execution
Detects the doas tool execution in linux host platform. This utility tool allow standard users to perform tasks as root, the same way sudo does.
OS Architecture Discovery Via Grep
Detects the use of grep to identify information about the operating system architecture. Often combined beforehand with the execution of "uname" or "cat /proc/cpuinfo"
Install Root Certificate
Detects installation of new certificate on the system which attackers may use to avoid warnings when connecting to controlled web servers or C2s
Local System Accounts Discovery - Linux
Detects enumeration of local system accounts. This information can help adversaries determine which local accounts exist on a system to aid in follow-on behavior.
Local Groups Discovery - Linux
Detects enumeration of local system groups. Adversaries may attempt to find local system groups and permission settings
Named Pipe Created Via Mkfifo
Detects the creation of a new named pipe using the "mkfifo" utility
Connection Proxy
Detects setting proxy configuration
Remote Access Tool - Team Viewer Session Started On Linux Host
Detects the command line executed when TeamViewer starts a session started by a remote host. Once a connection has been started, an investigator can verify the connection details by viewing the "incoming_connections.txt" log file in the TeamViewer folder.
Linux Remote System Discovery
Detects the enumeration of other remote systems.
Linux Package Uninstall
Detects linux package removal using builtin tools such as "yum", "apt", "apt-get" or "dpkg".
Security Software Discovery - Linux
Detects usage of system utilities (only grep and egrep for now) to discover security software discovery
Setuid and Setgid
Detects suspicious change of file privileges with chown and chmod commands
Container Residence Discovery Via Proc Virtual FS
Detects potential container discovery via listing of certain kernel features in the "/proc" virtual filesystem
Docker Container Discovery Via Dockerenv Listing
Detects listing or file reading of ".dockerenv" which can be a sing of potential container discovery
Potential Container Discovery Via Inodes Listing
Detects listing of the inodes of the "/" directory to determine if the we are running inside of a container.
Linux Network Service Scanning Tools Execution
Detects execution of network scanning and reconnaisance tools. These tools can be used for the enumeration of local or remote network services for example.
System Network Connections Discovery - Linux
Detects usage of system utilities to discover system network connections
Startup Item File Created - MacOS
Detects the creation of a startup item plist file, that automatically get executed at boot initialization to establish persistence. Adversaries may use startup items automatically executed at boot initialization to establish persistence. Startup items execute during the final phase of the boot process and contain shell scripts or other executable files along with configuration information used by the system to determine the execution order for all startup items.
Decode Base64 Encoded Text -MacOs
Detects usage of base64 utility to decode arbitrary base64-encoded text
Creation Of A Local User Account
Detects the creation of a new user account. Such accounts may be used for persistence that do not require persistent remote access tools to be deployed on the system.