Sigma Rules
1,473 rules found
Potential CVE-2021-27905 Exploitation Attempt
Detects exploitation attempt of the CVE-2021-27905 which affects all Apache Solr versions prior to and including 8.8.1.
Potential CVE-2021-42278 Exploitation Attempt
The attacker creates a computer object using those permissions with a password known to her. After that she clears the attribute ServicePrincipalName on the computer object. Because she created the object (CREATOR OWNER), she gets granted additional permissions and can do many changes to the object.
Potential CVE-2021-42287 Exploitation Attempt
The attacker creates a computer object using those permissions with a password known to her. After that she clears the attribute ServicePrincipalName on the computer object. Because she created the object (CREATOR OWNER), she gets granted additional permissions and can do many changes to the object.
Potential CVE-2022-22954 Exploitation Attempt - VMware Workspace ONE Access Remote Code Execution
Detects potential exploitation attempt of CVE-2022-22954, a remote code execution vulnerability in VMware Workspace ONE Access and Identity Manager. As reported by Morphisec, part of the attack chain, threat actors used PowerShell commands that executed as a child processes of the legitimate Tomcat "prunsrv.exe" process application.
Zimbra Collaboration Suite Email Server Unauthenticated RCE
Detects an attempt to leverage the vulnerable servlet "mboximport" for an unauthenticated remote command injection
Suspicious Set Value of MSDT in Registry (CVE-2022-30190)
Detects set value ms-msdt MSProtocol URI scheme in Registry that could be an attempt to exploit CVE-2022-30190.
CVE-2022-31659 VMware Workspace ONE Access RCE
Detects possible exploitation of VMware Workspace ONE Access Admin Remote Code Execution vulnerability as described in CVE-2022-31659
CVE-2023-1389 Potential Exploitation Attempt - Unauthenticated Command Injection In TP-Link Archer AX21
Detects potential exploitation attempt of CVE-2023-1389 an Unauthenticated Command Injection in TP-Link Archer AX21.
CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Windows)
Detects exploitation attempt of CVE-2023-22518 (Confluence Data Center / Confluence Server), where an attacker can exploit vulnerable endpoints to e.g. create admin accounts and execute arbitrary commands.
CVE-2023-22518 Exploitation Attempt - Vulnerable Endpoint Connection (Proxy)
Detects exploitation attempt of CVE-2023-22518 (Confluence Data Center / Confluence Server), where an attacker can exploit vulnerable endpoints to e.g. create admin accounts and execute arbitrary commands.
CVE-2023-22518 Exploitation Attempt - Vulnerable Endpoint Connection (Webserver)
Detects exploitation attempt of CVE-2023-22518 (Confluence Data Center / Confluence Server), where an attacker can exploit vulnerable endpoints to e.g. create admin accounts and execute arbitrary commands.
Potential CVE-2023-2283 Exploitation
Detects potential exploitation attempt of CVE-2023-2283 an authentication bypass in libSSH. The exploitation method causes an error message stating that keys for curve25519 could not be generated. It is an error message that is a sign of an exploitation attempt. It is not a sign of a successful exploitation.
Potential CVE-2023-23397 Exploitation Attempt - SMB
Detects (failed) outbound connection attempts to internet facing SMB servers. This could be a sign of potential exploitation attempts of CVE-2023-23397.
Potential CVE-2023-27997 Exploitation Indicators
Detects indicators of potential exploitation of CVE-2023-27997 in Frotigate weblogs. To avoid false positives it is best to look for successive requests to the endpoints mentioned as well as weird values of the "enc" parameter
Potential MOVEit Transfer CVE-2023-34362 Exploitation - Dynamic Compilation Via Csc.EXE
Detects the execution of "csc.exe" via "w3wp.exe" process. MOVEit affected hosts execute "csc.exe" via the "w3wp.exe" process to dynamically compile malicious DLL files. MOVEit is affected by a critical vulnerability. Exploited hosts show evidence of dynamically compiling a DLL and writing it under C:\\Windows\\Microsoft\.NET\\Framework64\\v4\.0\.30319\\Temporary ASP\.NET Files\\root\\([a-z0-9]{5,12})\\([a-z0-9]{5,12})\\App_Web_[a-z0-9]{5,12}\.dll. Hunting Opportunity Events from IIS dynamically compiling binaries via the csc.exe on behalf of the MOVEit application, especially since May 27th should be investigated.
Potential CVE-2023-36874 Exploitation - Uncommon Report.Wer Location
Detects the creation of a "Report.wer" file in an uncommon folder structure. This could be a sign of potential exploitation of CVE-2023-36874.
Potential CVE-2023-36884 Exploitation Dropped File
Detects a specific file being created in the recent folder of Office. These files have been seen being dropped during potential exploitations of CVE-2023-36884
Potential CVE-2023-36884 Exploitation - File Downloads
Detects files seen being requested by RomCom while potentially exploiting CVE-2023-36884
CVE-2023-40477 Potential Exploitation - WinRAR Application Crash
Detects a crash of "WinRAR.exe" where the version is lower than 6.23. This could indicate potential exploitation of CVE-2023-40477
Potential CVE-2023-46214 Exploitation Attempt
Detects potential exploitation of CVE-2023-46214, a remote code execution (RCE) in Splunk Enterprise through insecure XML parsing
CVE-2023-4966 Potential Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Proxy
Detects potential exploitation attempt of CVE-2023-4966 a Citrix ADC and NetScaler Gateway sensitive information disclosure vulnerability via proxy logs.
CVE-2023-4966 Potential Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Webserver
Detects potential exploitation attempt of CVE-2023-4966 a Citrix ADC and NetScaler Gateway sensitive information disclosure vulnerability via webserver logs.
DarkGate - Autoit3.EXE File Creation By Uncommon Process
Detects the usage of curl.exe, KeyScramblerLogon, or other non-standard/suspicious processes used to create Autoit3.exe. This activity has been associated with DarkGate malware, which uses Autoit3.exe to execute shellcode that performs process injection and connects to the DarkGate command-and-control server. Curl, KeyScramblerLogon, and these other processes consitute non-standard and suspicious ways to retrieve the Autoit3 executable.
Potential Pikabot Infection - Suspicious Command Combinations Via Cmd.EXE
Detects the execution of concatenated commands via "cmd.exe". Pikabot often executes a combination of multiple commands via the command handler "cmd /c" in order to download and execute additional payloads. Commands such as "curl", "wget" in order to download extra payloads. "ping" and "timeout" are abused to introduce delays in the command execution and "Rundll32" is also used to execute malicious DLL files. In the observed Pikabot infections, a combination of the commands described above are used to orchestrate the download and execution of malicious DLL files.
Rhadamanthys Stealer Module Launch Via Rundll32.EXE
Detects the use of Rundll32 to launch an NSIS module that serves as the main stealer capability of Rhadamanthys infostealer, as observed in reports and samples in early 2023
Potential Encrypted Registry Blob Related To SNAKE Malware
Detects the creation of a registry value in the ".wav\OpenWithProgIds" key with an uncommon name. This could be related to SNAKE Malware as reported by CISA
DLL Names Used By SVR For GraphicalProton Backdoor
Hunts known SVR-specific DLL names.
Okta 2023 Breach Indicator Of Compromise
Detects new user account creation or activation with specific names related to the Okta Support System 2023 breach. This rule can be enhanced by filtering out known and legitimate username used in your environnement.
Potential Peach Sandstorm APT C2 Communication Activity
Detects potential C2 communication activity related to Peach Sandstorm APT
CVE-2024-1708 - ScreenConnect Path Traversal Exploitation
This detects file modifications to ASPX and ASHX files within the root of the App_Extensions directory, which is allowed by a ZipSlip vulnerability in versions prior to 23.9.8. This occurs during exploitation of CVE-2024-1708.
ScreenConnect User Database Modification
Detects file modifications to the temporary xml user database file indicating local user modification in the ScreenConnect server. This will occur during exploitation of the ScreenConnect Authentication Bypass vulnerability (CVE-2024-1709) in versions <23.9.8, but may also be observed when making legitimate modifications to local users or permissions.
ScreenConnect User Database Modification - Security
This detects file modifications to the temporary xml user database file indicating local user modification in the ScreenConnect server. This will occur during exploitation of the ScreenConnect Authentication Bypass vulnerability (CVE-2024-1709) in versions <23.9.8, but may also be observed when making legitimate modifications to local users or permissions. This requires an Advanced Auditing policy to log a successful Windows Event ID 4663 events and with a SACL set on the directory.
Potential CVE-2024-3400 Exploitation - Palo Alto GlobalProtect OS Command Injection - File Creation
Detects suspicious file creations in the Palo Alto Networks PAN-OS' parent telemetry folder, which are processed by the vulnerable 'dt_curl' script if device telemetry is enabled. As said script overrides the shell-subprocess restriction, arbitrary command execution may occur by carefully crafting filenames that are escaped through this function.
Potential CVE-2024-35250 Exploitation Activity
Detects potentially suspicious loading of "ksproxy.ax", which may indicate an attempt to exploit CVE-2024-35250.
DarkGate - Drop DarkGate Loader In C:\Temp Directory
Detects attackers attempting to save, decrypt and execute the DarkGate Loader in C:\temp folder.
Potential KamiKakaBot Activity - Lure Document Execution
Detects the execution of a Word document via the WinWord Start Menu shortcut. This behavior was observed being used by KamiKakaBot samples in order to initiate the 2nd stage of the infection.
Potential KamiKakaBot Activity - Shutdown Schedule Task Creation
Detects the creation of a schedule task that runs weekly and execute the "shutdown /l /f" command. This behavior was observed being used by KamiKakaBot samples in order to achieve persistence on a system.
Kapeka Backdoor Configuration Persistence
Detects registry set activity of a value called "Seed" stored in the "\Cryptography\Providers\" registry key. The Kapeka backdoor leverages this location to register a new SIP provider for backdoor configuration persistence.
Potential APT FIN7 Exploitation Activity
Detects potential APT FIN7 exploitation activity as reported by Google. In order to obtain initial access, FIN7 used compromised Remote Desktop Protocol (RDP) credentials to login to a target server and initiate specific Windows process chains.
Forest Blizzard APT - JavaScript Constrained File Creation
Detects the creation of JavaScript files inside of the DriverStore directory. Forest Blizzard used this to exploit the CVE-2022-38028 vulnerability in Windows Print Spooler service by modifying a JavaScript constraints file and executing it with SYSTEM-level permissions.
Suspicious Creation of .library-ms File — Potential CVE-2025-24054 Exploit
Detects creation of '.library-ms' files, which may indicate exploitation of CVE-2025-24054. This vulnerability allows an attacker to trigger an automatic outbound SMB or WebDAV authentication request to a remote server upon archive extraction. If the system is unpatched, no user interaction is required beyond extracting a malicious archive—potentially exposing the user's NTLMv2-SSP hash to the attacker.
Suspicious CrushFTP Child Process
Detects suspicious child processes spawned by the CrushFTP service that may indicate exploitation of remote code execution vulnerabilities such as CVE-2025-31161, where attackers can achieve RCE through crafted HTTP requests. The detection focuses on commonly abused Windows executables (like powershell.exe, cmd.exe etc.) that attackers typically use post-exploitation to execute malicious commands.
Potential SAP NetWeaver Webshell Creation - Linux
Detects the creation of suspicious files (jsp, java, class) in SAP NetWeaver directories, which may indicate exploitation attempts of vulnerabilities such as CVE-2025-31324.
Potential SAP NetWeaver Webshell Creation
Detects the creation of suspicious files (jsp, java, class) in SAP NetWeaver directories, which may indicate exploitation attempts of vulnerabilities such as CVE-2025-31324.
Suspicious Child Process of SAP NetWeaver - Linux
Detects suspicious child processes spawned by SAP NetWeaver on Linux systems that could indicate potential exploitation of vulnerability that allows arbitrary execution via webshells such as CVE-2025-31324.
Suspicious Child Process of SAP NetWeaver
Detects suspicious child processes spawned by SAP NetWeaver that could indicate potential exploitation of vulnerability that allows arbitrary execution via webshells such as CVE-2025-31324.
SharePoint ToolShell CVE-2025-53770 Exploitation - Web IIS
Detects access to vulnerable SharePoint components potentially being exploited in CVE-2025-53770 through IIS web server logs. CVE-2025-53770 is a zero-day vulnerability in SharePoint that allows remote code execution.
Commvault QLogin with PublicSharingUser and GUID Password (CVE-2025-57788)
Detects a qlogin.exe command attempting to authenticate as the internal `_+_PublicSharingUser_` using a GUID as the password. This could be an indicator of an attacker exploiting CVE-2025-57788 to gain initial access using leaked credentials.