Sigma Rules
3,332 rules found
Linux HackTool Execution
Detects known hacktool execution based on image name.
Potential Container Discovery Via Inodes Listing
Detects listing of the inodes of the "/" directory to determine if the we are running inside of a container.
Interactive Bash Suspicious Children
Detects suspicious interactive bash as a parent to rather uncommon child processes
Suspicious Java Children Processes
Detects java process spawning suspicious children
Linux Network Service Scanning Tools Execution
Detects execution of network scanning and reconnaisance tools. These tools can be used for the enumeration of local or remote network services for example.
Linux Shell Pipe to Shell
Detects suspicious process command line that starts with a shell that executes something and finally gets piped into another shell
Access of Sudoers File Content
Detects the execution of a text-based file access or inspection utilities to read the content of /etc/sudoers in order to potentially list all users that have sudo rights.
Linux Recon Indicators
Detects events with patterns found in commands used for reconnaissance on linux systems
Potential Suspicious Change To Sensitive/Critical Files
Detects changes of sensitive and critical files. Monitors files that you don't expect to change without planning on Linux system.
Shell Execution Of Process Located In Tmp Directory
Detects execution of shells from a parent process located in a temporary (/tmp) directory
Execution Of Script Located In Potentially Suspicious Directory
Detects executions of scripts located in potentially suspicious locations such as "/tmp" via a shell such as "bash", "sh", etc.
System Network Connections Discovery - Linux
Detects usage of system utilities to discover system network connections
System Network Discovery - Linux
Detects enumeration of local network configuration
Touch Suspicious Service File
Detects usage of the "touch" process in service file.
Triple Cross eBPF Rootkit Execve Hijack
Detects execution of a the file "execve_hijack" which is used by the Triple Cross rootkit as a way to elevate privileges
Triple Cross eBPF Rootkit Install Commands
Detects default install commands of the Triple Cross eBPF rootkit based on the "deployer.sh" script
User Has Been Deleted Via Userdel
Detects execution of the "userdel" binary. Which is used to delete a user account and related files. This is sometimes abused by threat actors in order to cover their tracks
User Added To Root/Sudoers Group Using Usermod
Detects usage of the "usermod" binary to add users add users to the root or suoders groups
Vim GTFOBin Abuse - Linux
Detects the use of "vim" and it's siblings commands to execute a shell or proxy commands. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
Linux Webshell Indicators
Detects suspicious sub processes of web server processes
Download File To Potentially Suspicious Directory Via Wget
Detects the use of wget to download content to a suspicious directory
Potential Xterm Reverse Shell
Detects usage of "xterm" as a potential reverse shell tunnel
MacOS Emond Launch Daemon
Detects additions to the Emond Launch Daemon that adversaries may use to gain persistence and elevate privileges.
Startup Item File Created - MacOS
Detects the creation of a startup item plist file, that automatically get executed at boot initialization to establish persistence. Adversaries may use startup items automatically executed at boot initialization to establish persistence. Startup items execute during the final phase of the boot process and contain shell scripts or other executable files along with configuration information used by the system to determine the execution order for all startup items.
MacOS Scripting Interpreter AppleScript
Detects execution of AppleScript of the macOS scripting language AppleScript.
Decode Base64 Encoded Text -MacOs
Detects usage of base64 utility to decode arbitrary base64-encoded text
Binary Padding - MacOS
Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This rule detect using dd and truncate to add a junk data to file.
File Time Attribute Change
Detect file time attribute change to hide new or changes to existing files
Hidden Flag Set On File/Directory Via Chflags - MacOS
Detects the execution of the "chflags" utility with the "hidden" flag, in order to hide files on MacOS. When a file or directory has this hidden flag set, it becomes invisible to the default file listing commands and in graphical file browsers.
Indicator Removal on Host - Clear Mac System Logs
Detects deletion of local audit logs
Clipboard Data Collection Via OSAScript
Detects possible collection of data from the clipboard via execution of the osascript binary
Creation Of A Local User Account
Detects the creation of a new user account. Such accounts may be used for persistence that do not require persistent remote access tools to be deployed on the system.
Hidden User Creation
Detects creation of a hidden user account on macOS (UserID < 500) or with IsHidden option
Credentials from Password Stores - Keychain
Detects passwords dumps from Keychain
System Integrity Protection (SIP) Disabled
Detects the use of csrutil to disable the Configure System Integrity Protection (SIP). This technique is used in post-exploit scenarios.
System Integrity Protection (SIP) Enumeration
Detects the use of csrutil to view the Configure System Integrity Protection (SIP) status. This technique is used in post-exploit scenarios.
Disable Security Tools
Detects disabling security tools
User Added To Admin Group Via Dscl
Detects attempts to create and add an account to the admin group via "dscl"
User Added To Admin Group Via DseditGroup
Detects attempts to create and/or add an account to the admin group, thus granting admin privileges.
Root Account Enable Via Dsenableroot
Detects attempts to enable the root account via "dsenableroot"
File and Directory Discovery - MacOS
Detects usage of system utilities to discover files and directories
Credentials In Files
Detecting attempts to extract passwords with grep and laZagne
GUI Input Capture - macOS
Detects attempts to use system dialog prompts to capture user credentials
Disk Image Creation Via Hdiutil - MacOS
Detects the execution of the hdiutil utility in order to create a disk image.
Disk Image Mounting Via Hdiutil - MacOS
Detects the execution of the hdiutil utility in order to mount disk images.
Suspicious Installer Package Child Process
Detects the execution of suspicious child processes from macOS installer package parent process. This includes osascript, JXA, curl and wget amongst other interpreters
System Information Discovery Using Ioreg
Detects the use of "ioreg" which will show I/O Kit registry information. This process is used for system information discovery. It has been observed in-the-wild by calling this process directly or using bash and grep to look for specific strings.
JAMF MDM Potential Suspicious Child Process
Detects potential suspicious child processes of "jamf". Could be a sign of potential abuse of Jamf as a C2 server as seen by Typhon MythicAgent.