Sigma Rules
1,473 rules found
Potential XCSSET Malware Infection
Identifies the execution traces of the XCSSET malware. XCSSET is a macOS trojan that primarily spreads via Xcode projects and maliciously modifies applications. Infected users are also vulnerable to having their credentials, accounts, and other vital data stolen.
Cisco Denial of Service
Detect a system being shutdown or put into different boot mode
Cisco File Deletion
See what files are being deleted from flash file systems
Cisco Show Commands Input
See what commands are being input into the device by other people, full credentials can be in the history
Cisco Modify Configuration
Modifications to a config that will serve an adversary's impacts or persistence
Cisco Sniffing
Show when a monitor or a span/rspan is setup or modified
Suspicious DNS Query with B64 Encoded String
Detects suspicious DNS queries using base64 encoding
Telegram Bot API Request
Detects suspicious DNS queries to api.telegram.org used by Telegram Bots of any kind
FortiGate - New Administrator Account Created
Detects the creation of an administrator account on a Fortinet FortiGate Firewall.
FortiGate - Firewall Address Object Added
Detects the addition of firewall address objects on a Fortinet FortiGate Firewall.
FortiGate - New Firewall Policy Added
Detects the addition of a new firewall policy on a Fortinet FortiGate Firewall.
FortiGate - New Local User Created
Detects the creation of a new local user on a Fortinet FortiGate Firewall. The new local user could be used for VPN connections.
FortiGate - New VPN SSL Web Portal Added
Detects the addition of a VPN SSL Web Portal on a Fortinet FortiGate Firewall. This behavior was observed in pair with modification of VPN SSL settings.
FortiGate - User Group Modified
Detects the modification of a user group on a Fortinet FortiGate Firewall. The group could be used to grant VPN access to a network.
FortiGate - VPN SSL Settings Modified
Detects the modification of VPN SSL Settings (for example, the modification of authentication rules). This behavior was observed in pair with the addition of a VPN SSL Web Portal.
MITRE BZAR Indicators for Execution
Windows DCE-RPC functions which indicate an execution techniques on the remote system. All credit for the Zeek mapping of the suspicious endpoint/operation field goes to MITRE
MITRE BZAR Indicators for Persistence
Windows DCE-RPC functions which indicate a persistence techniques on the remote system. All credit for the Zeek mapping of the suspicious endpoint/operation field goes to MITRE.
Potential PetitPotam Attack Via EFS RPC Calls
Detects usage of the windows RPC library Encrypting File System Remote Protocol (MS-EFSRPC). Variations of this RPC are used within the attack refereed to as PetitPotam. The usage of this RPC function should be rare if ever used at all. Thus usage of this function is uncommon enough that any usage of this RPC function should warrant further investigation to determine if it is legitimate. View surrounding logs (within a few minutes before and after) from the Source IP to. Logs from from the Source IP would include dce_rpc, smb_mapping, smb_files, rdp, ntlm, kerberos, etc..'
SMB Spoolss Name Piped Usage
Detects the use of the spoolss named pipe over SMB. This can be used to trigger the authentication via NTLM of any machine that has the spoolservice enabled.
Suspicious DNS Z Flag Bit Set
The DNS Z flag is bit within the DNS protocol header that is, per the IETF design, meant to be used reserved (unused). Although recently it has been used in DNSSec, the value being set to anything other than 0 should be rare. Otherwise if it is set to non 0 and DNSSec is being used, then excluding the legitimate domains is low effort and high reward. Determine if multiple of these files were accessed in a short period of time to further enhance the possibility of seeing if this was a one off or the possibility of larger sensitive file gathering. This Sigma query is designed to accompany the Corelight Threat Hunting Guide, which can be found here: https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs'
DNS TOR Proxies
Identifies IPs performing DNS lookups associated with common Tor proxies.
Executable from Webdav
Detects executable access via webdav6. Can be seen in APT 29 such as from the emulated APT 29 hackathon https://github.com/OTRF/detection-hackathon-apt29/
HTTP Request to Low Reputation TLD or Suspicious File Extension
Detects HTTP requests to low reputation TLDs (e.g. .xyz, .top, .ru) or ending in suspicious file extensions (.exe, .dll, .hta), which may indicate malicious activity.
Remote Task Creation via ATSVC Named Pipe - Zeek
Detects remote task creation via at.exe or API interacting with ATSVC namedpipe
Suspicious Access to Sensitive File Extensions - Zeek
Detects known sensitive file extensions via Zeek
Transferring Files with Credential Data via Network Shares - Zeek
Transferring files with well-known filenames (sensitive files with credential data) using network shares
Kerberos Network Traffic RC4 Ticket Encryption
Detects kerberos TGS request using RC4 encryption which may be indicative of kerberoasting
Apache Threading Error
Detects an issue in apache logs that reports threading related errors
Download from Suspicious Dyndns Hosts
Detects download of certain file types from hosts with dynamic DNS names (selected list)
F5 BIG-IP iControl Rest API Command Execution - Proxy
Detects POST requests to the F5 BIG-IP iControl Rest API "bash" endpoint, which allows the execution of commands on the BIG-IP
Potential Hello-World Scraper Botnet Activity
Detects network traffic potentially associated with a scraper botnet variant that uses the "Hello-World/1.0" user-agent string.
PUA - Advanced IP/Port Scanner Update Check
Detect the update check performed by Advanced IP/Port Scanner utilities.
Telegram API Access
Detects suspicious requests to Telegram API without the usual Telegram User-Agent
Suspicious Base64 Encoded User-Agent
Detects suspicious encoded User-Agent strings, as seen used by some malware.
HTTP Request With Empty User Agent
Detects a potentially suspicious empty user agent strings in proxy log. Could potentially indicate an uncommon request method.
Windows PowerShell User Agent
Detects Windows PowerShell Web Access
Rclone Activity via Proxy
Detects the use of rclone, a command-line program to manage files on cloud storage, via its default user-agent string
Potential Base64 Encoded User-Agent
Detects User Agent strings that end with an equal sign, which can be a sign of base64 encoding.
F5 BIG-IP iControl Rest API Command Execution - Webserver
Detects POST requests to the F5 BIG-IP iControl Rest API "bash" endpoint, which allows the execution of commands on the BIG-IP
Successful IIS Shortname Fuzzing Scan
When IIS uses an old .Net Framework it's possible to enumerate folders with the symbol "~"
Path Traversal Exploitation Attempts
Detects path traversal exploitation attempts
Source Code Enumeration Detection by Keyword
Detects source code enumeration that use GET requests by keyword searches in URL strings
Suspicious User-Agents Related To Recon Tools
Detects known suspicious (default) user-agents related to scanning/recon tools
Ntdsutil Abuse
Detects potential abuse of ntdsutil to dump ntds.dit database
Dump Ntds.dit To Suspicious Location
Detects potential abuse of ntdsutil to dump ntds.dit database to a suspicious location
Backup Catalog Deleted
Detects backup catalog deletions
MSI Installation From Suspicious Locations
Detects MSI package installation from suspicious locations
MSI Installation From Web
Detects installation of a remote msi file from web.