Sigma Rules
3,116 rules found for "sigma"
System Shutdown/Reboot - MacOs
Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems.
Potential Base64 Decoded From Images
Detects the use of tail to extract bytes at an offset from an image and then decode the base64 value to create a new file with the decoded content. The detected execution is a bash one-liner.
Time Machine Backup Deletion Attempt Via Tmutil - MacOS
Detects deletion attempts of MacOS Time Machine backups via the native backup utility "tmutil". An adversary may perform this action before launching a ransonware attack to prevent the victim from restoring their files.
Time Machine Backup Disabled Via Tmutil - MacOS
Detects disabling of Time Machine (Apple's automated backup utility software) via the native macOS backup utility "tmutil". An attacker can use this to prevent backups from occurring.
New File Exclusion Added To Time Machine Via Tmutil - MacOS
Detects the addition of a new file or path exclusion to MacOS Time Machine via the "tmutil" utility. An adversary could exclude a path from Time Machine backups to prevent certain files from being backed up.
Potential WizardUpdate Malware Infection
Detects the execution traces of the WizardUpdate malware. WizardUpdate is a macOS trojan that attempts to infiltrate macOS machines to steal data and it is associated with other types of malicious payloads, increasing the chances of multiple infections on a device.
Gatekeeper Bypass via Xattr
Detects macOS Gatekeeper bypass via xattr utility
Potential XCSSET Malware Infection
Identifies the execution traces of the XCSSET malware. XCSSET is a macOS trojan that primarily spreads via Xcode projects and maliciously modifies applications. Infected users are also vulnerable to having their credentials, accounts, and other vital data stolen.
Cisco Clear Logs
Clear command history in network OS which is used for defense evasion
Cisco Collect Data
Collect pertinent data from the configuration files
Cisco Crypto Commands
Show when private keys are being exported from the device, or when new certificates are installed
Cisco Disabling Logging
Turn off logging locally or remote
Cisco Discovery
Find information about network devices that is not stored in config files
Cisco Denial of Service
Detect a system being shutdown or put into different boot mode
Cisco File Deletion
See what files are being deleted from flash file systems
Cisco Show Commands Input
See what commands are being input into the device by other people, full credentials can be in the history
Cisco Local Accounts
Find local accounts being created or modified as well as remote authentication configurations
Cisco Modify Configuration
Modifications to a config that will serve an adversary's impacts or persistence
Cisco Stage Data
Various protocols maybe used to put data on the device for exfil or infil
Cisco Sniffing
Show when a monitor or a span/rspan is setup or modified
Cisco BGP Authentication Failures
Detects BGP failures which may be indicative of brute force attacks to manipulate routing
Cisco LDP Authentication Failures
Detects LDP failures which may be indicative of brute force attacks to manipulate MPLS labels
DNS Query to External Service Interaction Domains
Detects suspicious DNS queries to external service interaction domains often used for out-of-band interactions after successful RCE
Cobalt Strike DNS Beaconing
Detects suspicious DNS queries known from Cobalt Strike beacons
Monero Crypto Coin Mining Pool Lookup
Detects suspicious DNS queries to Monero mining pools
Suspicious DNS Query with B64 Encoded String
Detects suspicious DNS queries using base64 encoding
Telegram Bot API Request
Detects suspicious DNS queries to api.telegram.org used by Telegram Bots of any kind
DNS TXT Answer with Possible Execution Strings
Detects strings used in command execution in DNS TXT Answer
Wannacry Killswitch Domain
Detects wannacry killswitch domain dns queries
Cleartext Protocol Usage
Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels. Ensure that an encryption is used for all sensitive information in transit. Ensure that an encrypted channels is used for all administrative account access.
FortiGate - New Administrator Account Created
Detects the creation of an administrator account on a Fortinet FortiGate Firewall.
FortiGate - Firewall Address Object Added
Detects the addition of firewall address objects on a Fortinet FortiGate Firewall.
FortiGate - New Firewall Policy Added
Detects the addition of a new firewall policy on a Fortinet FortiGate Firewall.
FortiGate - New Local User Created
Detects the creation of a new local user on a Fortinet FortiGate Firewall. The new local user could be used for VPN connections.
FortiGate - New VPN SSL Web Portal Added
Detects the addition of a VPN SSL Web Portal on a Fortinet FortiGate Firewall. This behavior was observed in pair with modification of VPN SSL settings.
FortiGate - User Group Modified
Detects the modification of a user group on a Fortinet FortiGate Firewall. The group could be used to grant VPN access to a network.
FortiGate - VPN SSL Settings Modified
Detects the modification of VPN SSL Settings (for example, the modification of authentication rules). This behavior was observed in pair with the addition of a VPN SSL Web Portal.
Huawei BGP Authentication Failures
Detects BGP failures which may be indicative of brute force attacks to manipulate routing.
Juniper BGP Missing MD5
Detects juniper BGP missing MD5 digest. Which may be indicative of brute force attacks to manipulate routing.
MITRE BZAR Indicators for Execution
Windows DCE-RPC functions which indicate an execution techniques on the remote system. All credit for the Zeek mapping of the suspicious endpoint/operation field goes to MITRE
MITRE BZAR Indicators for Persistence
Windows DCE-RPC functions which indicate a persistence techniques on the remote system. All credit for the Zeek mapping of the suspicious endpoint/operation field goes to MITRE.
Potential PetitPotam Attack Via EFS RPC Calls
Detects usage of the windows RPC library Encrypting File System Remote Protocol (MS-EFSRPC). Variations of this RPC are used within the attack refereed to as PetitPotam. The usage of this RPC function should be rare if ever used at all. Thus usage of this function is uncommon enough that any usage of this RPC function should warrant further investigation to determine if it is legitimate. View surrounding logs (within a few minutes before and after) from the Source IP to. Logs from from the Source IP would include dce_rpc, smb_mapping, smb_files, rdp, ntlm, kerberos, etc..'
SMB Spoolss Name Piped Usage
Detects the use of the spoolss named pipe over SMB. This can be used to trigger the authentication via NTLM of any machine that has the spoolservice enabled.
Default Cobalt Strike Certificate
Detects the presence of default Cobalt Strike certificate in the HTTPS traffic
Suspicious DNS Query Indicating Kerberos Coercion via DNS Object SPN Spoofing - Network
Detects DNS queries containing patterns associated with Kerberos coercion attacks via DNS object spoofing. The pattern "1UWhRCAAAAA..BAAAA" is a base64-encoded signature that corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure. Attackers can use this technique to coerce authentication from victim systems to attacker-controlled hosts. It is one of the strong indicators of a Kerberos coercion attack, where adversaries manipulate DNS records to spoof Service Principal Names (SPNs) and redirect authentication requests like CVE-2025-33073.
DNS Events Related To Mining Pools
Identifies clients that may be performing DNS lookups associated with common currency mining pools.
New Kind of Network (NKN) Detection
NKN is a networking service using blockchain technology to support a decentralized network of peers. While there are legitimate uses for it, it can also be used as a C2 channel. This rule looks for a DNS request to the ma>
Suspicious DNS Z Flag Bit Set
The DNS Z flag is bit within the DNS protocol header that is, per the IETF design, meant to be used reserved (unused). Although recently it has been used in DNSSec, the value being set to anything other than 0 should be rare. Otherwise if it is set to non 0 and DNSSec is being used, then excluding the legitimate domains is low effort and high reward. Determine if multiple of these files were accessed in a short period of time to further enhance the possibility of seeing if this was a one off or the possibility of larger sensitive file gathering. This Sigma query is designed to accompany the Corelight Threat Hunting Guide, which can be found here: https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs'