Sigma Rules
3,707 rules found
Path Traversal Exploitation Attempts
Detects path traversal exploitation attempts
Source Code Enumeration Detection by Keyword
Detects source code enumeration that use GET requests by keyword searches in URL strings
SQL Injection Strings In URI
Detects potential SQL injection attempts via GET requests in access logs.
Server Side Template Injection Strings
Detects SSTI attempts sent via GET requests in access logs
Suspicious User-Agents Related To Recon Tools
Detects known suspicious (default) user-agents related to scanning/recon tools
Suspicious Windows Strings In URI
Detects suspicious Windows strings in URI which could indicate possible exfiltration or webshell communication
Webshell ReGeorg Detection Via Web Logs
Certain strings in the uri_query field when combined with null referer and null user agent can indicate activity associated with the webshell ReGeorg.
Windows Webshell Strings
Detects common commands used in Windows webshells
Cross Site Scripting Strings
Detects XSS attempts injected via GET requests in access logs
Relevant Anti-Virus Signature Keywords In Application Log
Detects potentially highly relevant antivirus events in the application log based on known virus signature names and malware keywords.
LSASS Process Crashed - Application
Detects Windows error reporting events where the process that crashed is LSASS (Local Security Authority Subsystem Service). This could be the cause of a provoked crash by techniques such as Lsass-Shtinkering to dump credentials.
Microsoft Malware Protection Engine Crash
This rule detects a suspicious crash of the Microsoft Malware Protection Engine
Ntdsutil Abuse
Detects potential abuse of ntdsutil to dump ntds.dit database
Dump Ntds.dit To Suspicious Location
Detects potential abuse of ntdsutil to dump ntds.dit database to a suspicious location
Audit CVE Event
Detects events generated by user-mode applications when they call the CveEventWrite API when a known vulnerability is trying to be exploited. MS started using this log in Jan. 2020 with CVE-2020-0601 (a Windows CryptoAPI vulnerability. Unfortunately, that is about the only instance of CVEs being written to this log.
Backup Catalog Deleted
Detects backup catalog deletions
Restricted Software Access By SRP
Detects restricted access to applications by the Software Restriction Policies (SRP) policy
Application Uninstalled
An application has been removed. Check if it is critical.
MSI Installation From Suspicious Locations
Detects MSI package installation from suspicious locations
MSI Installation From Web
Detects installation of a remote msi file from web.
Atera Agent Installation
Detects successful installation of Atera Remote Monitoring & Management (RMM) agent as recently found to be used by Conti operators
MSSQL Add Account To Sysadmin Role
Detects when an attacker tries to backdoor the MSSQL server by adding a backdoor account to the sysadmin fixed server role
MSSQL Destructive Query
Detects the invocation of MS SQL transactions that are destructive towards table or database data, such as "DROP TABLE" or "DROP DATABASE".
MSSQL Disable Audit Settings
Detects when an attacker calls the "ALTER SERVER AUDIT" or "DROP SERVER AUDIT" transaction in order to delete or disable audit logs on the server
MSSQL Server Failed Logon
Detects failed logon attempts from clients to MSSQL server.
MSSQL Server Failed Logon From External Network
Detects failed logon attempts from clients with external network IP to an MSSQL server. This can be a sign of a bruteforce attack.
MSSQL SPProcoption Set
Detects when the a stored procedure is set or cleared for automatic execution in MSSQL. A stored procedure that is set to automatic execution runs every time an instance of SQL Server is started
MSSQL XPCmdshell Suspicious Execution
Detects when the MSSQL "xp_cmdshell" stored procedure is used to execute commands
MSSQL XPCmdshell Option Change
Detects when the MSSQL "xp_cmdshell" stored procedure setting is changed.
Remote Access Tool - ScreenConnect Command Execution
Detects command execution via ScreenConnect RMM
Remote Access Tool - ScreenConnect File Transfer
Detects file being transferred via ScreenConnect RMM
Microsoft Malware Protection Engine Crash - WER
This rule detects a suspicious crash of the Microsoft Malware Protection Engine
AppLocker Prevented Application or Script from Running
Detects when AppLocker prevents the execution of an Application, DLL, Script, MSI, or Packaged-App from running.
Sysinternals Tools AppX Versions Execution
Detects execution of Sysinternals tools via an AppX package. Attackers could install the Sysinternals Suite to get access to tools such as psexec and procdump to avoid detection based on System paths.
Deployment AppX Package Was Blocked By AppLocker
Detects an appx package deployment that was blocked by AppLocker policy.
Remote AppX Package Downloaded from File Sharing or CDN Domain
Detects an appx package that was added to the pipeline of the "to be processed" packages which was downloaded from a file sharing or CDN domain.
AppX Package Deployment Failed Due to Signing Requirements
Detects an appx package deployment / installation with the error code "0x80073cff" which indicates that the package didn't meet the signing requirements.
AppX Located in Known Staging Directory Added to Deployment Pipeline
Detects an appx package that was added to the pipeline of the "to be processed" packages that is located in a known folder often used as a staging directory.
Potential Malicious AppX Package Installation Attempts
Detects potential installation or installation attempts of known malicious appx packages
Deployment Of The AppX Package Was Blocked By The Policy
Detects an appx package deployment that was blocked by the local computer policy. The following events indicate that an AppX package deployment was blocked by a policy: - Event ID 441: The package deployment operation is blocked by the "Allow deployment operations in special profiles" policy - Event ID 442: Deployments to non-system volumes are blocked by the "Disable deployment of Windows Store apps to non-system volumes" policy." - Event ID 453: Package blocked by a platform policy. - Event ID 454: Package blocked by a platform policy.
AppX Located in Uncommon Directory Added to Deployment Pipeline
Detects an appx package that was added to the pipeline of the "to be processed" packages that is located in uncommon locations.
Windows AppX Deployment Full Trust Package Installation
Detects the installation of MSIX/AppX packages with full trust privileges which run with elevated privileges outside normal AppX container restrictions
Windows AppX Deployment Unsigned Package Installation
Detects attempts to install unsigned MSIX/AppX packages using the -AllowUnsigned parameter via AppXDeployment-Server events
Suspicious Digital Signature Of AppX Package
Detects execution of AppX packages with known suspicious or malicious signature
New BITS Job Created Via Bitsadmin
Detects the creation of a new bits job by Bitsadmin
New BITS Job Created Via PowerShell
Detects the creation of a new bits job by PowerShell
BITS Transfer Job Downloading File Potential Suspicious Extension
Detects new BITS transfer job saving local files with potential suspicious extensions
BITS Transfer Job Download From File Sharing Domains
Detects BITS transfer job downloading files from a file sharing domain.