Rule Library

Sigma Rules

3,707 rules found

3,707 Total
3,116 Detection
451 Emerging
137 Hunting
Detection | medium | test

Potential Sidecar Injection Into Running Deployment

Detects attempts to inject a sidecar container into a running deployment. A sidecar container is an additional container within a pod that resides alongside the main container. One way to add containers to running resources such as Deployments, DaemonSets and StatefulSets is a "kubectl patch" operation. By injecting a new container into a legitimate pod, an attacker can run their code and hide their activity instead of running a separate pod of their own in the cluster.

Kubernetes | application | audit
T1609 · Container Administration Command | TA0002 · Execution
Leo Tsaousis | Tue Mar 26 | application
Detection | low | test

Kubernetes Unauthorized or Unauthenticated Access

Detects when a request to the Kubernetes API is rejected due to lack of authorization or due to an expired authentication token being used. This may indicate an attacker attempting to leverage credentials they have obtained.

Kubernetes | audit
TA0004 · Privilege Escalation
kelnage | Fri Apr 12 | application
Detection | high | test

Potential RCE Exploitation Attempt In NodeJS

Detects process-execution-related errors in NodeJS. If the exceptions are caused by user input, they may suggest an RCE vulnerability.

nodejs | application
TA0001 · Initial Access | T1190 · Exploit Public-Facing Application
Moti Harmats | Sat Feb 11 | application
Detection | high | test

OpenCanary - FTP Login Attempt

Detects instances where an FTP service on an OpenCanary node has had a login attempt.

opencanary | application
TA0001 · Initial Access | TA0010 · Exfiltration | TA0008 · Lateral Movement | T1190 · Exploit Public-Facing Application | +1
Security Onion Solutions | Fri Mar 08 | application
Detection | high | test

OpenCanary - GIT Clone Request

Detects instances where a GIT service on an OpenCanary node has had a Git Clone request.

opencanary | application
TA0009 · Collection | T1213 · Data from Information Repositories
Security Onion Solutions | Fri Mar 08 | application
Detection | high | test

OpenCanary - HTTPPROXY Login Attempt

Detects instances where an HTTPPROXY service on an OpenCanary node has had an attempt to proxy another page.

opencanary | application
TA0001 · Initial Access | TA0005 · Defense Evasion | TA0011 · Command and Control | T1090 · Proxy
Security Onion Solutions | Fri Mar 08 | application
Detection | high | test

OpenCanary - HTTP GET Request

Detects instances where an HTTP service on an OpenCanary node has received a GET request.

opencanary | application
TA0001 · Initial Access | T1190 · Exploit Public-Facing Application
Security Onion Solutions | Fri Mar 08 | application
Detection | high | test

OpenCanary - HTTP POST Login Attempt

Detects instances where an HTTP service on an OpenCanary node has had a login attempt via Form POST.

opencanary | application
TA0001 · Initial Access | T1190 · Exploit Public-Facing Application
Security Onion Solutions | Fri Mar 08 | application
Detection | high | test

OpenCanary - MSSQL Login Attempt Via SQLAuth

Detects instances where an MSSQL service on an OpenCanary node has had a login attempt using SQLAuth.

opencanary | application
TA0006 · Credential Access | TA0009 · Collection | T1003 · OS Credential Dumping | T1213 · Data from Information Repositories
Security Onion Solutions | Fri Mar 08 | application
Detection | high | test

OpenCanary - MSSQL Login Attempt Via Windows Authentication

Detects instances where an MSSQL service on an OpenCanary node has had a login attempt using Windows Authentication.

opencanary | application
TA0006 · Credential Access | TA0009 · Collection | T1003 · OS Credential Dumping | T1213 · Data from Information Repositories
Security Onion Solutions | Fri Mar 08 | application
Detection | high | test

OpenCanary - MySQL Login Attempt

Detects instances where a MySQL service on an OpenCanary node has had a login attempt.

opencanary | application
TA0006 · Credential Access | TA0009 · Collection | T1003 · OS Credential Dumping | T1213 · Data from Information Repositories
Security Onion Solutions | Fri Mar 08 | application
Detection | high | test

OpenCanary - NTP Monlist Request

Detects instances where an NTP service on an OpenCanary node has had an NTP monlist request.

opencanary | application
TA0040 · Impact | T1498 · Network Denial of Service
Security Onion Solutions | Fri Mar 08 | application
Detection | high | experimental

OpenCanary - NMAP FIN Scan

Detects instances where an OpenCanary node has been targeted by an NMAP FIN Scan.

opencanary | application
TA0007 · Discovery | T1046 · Network Service Discovery
Marco Pedrinazzi | Tue Jan 06 | application
Detection | high | experimental

OpenCanary - NMAP NULL Scan

Detects instances where an OpenCanary node has been targeted by an NMAP NULL Scan.

opencanary | application
TA0007 · Discovery | T1046 · Network Service Discovery
Marco Pedrinazzi | Tue Jan 06 | application
Detection | high | experimental

OpenCanary - NMAP OS Scan

Detects instances where an OpenCanary node has been targeted by an NMAP OS Scan.

opencanary | application
TA0007 · Discovery | T1046 · Network Service Discovery
Marco Pedrinazzi | Tue Jan 06 | application
Detection | high | experimental

OpenCanary - NMAP XMAS Scan

Detects instances where an OpenCanary node has been targeted by an NMAP XMAS Scan.

opencanary | application
TA0007 · Discovery | T1046 · Network Service Discovery
Marco Pedrinazzi | Tue Jan 06 | application
Detection | high | experimental

OpenCanary - Host Port Scan (SYN Scan)

Detects instances where an OpenCanary node has been targeted by a SYN port scan.

opencanary | application
TA0007 · Discovery | T1046 · Network Service Discovery
Marco Pedrinazzi | Tue Jan 06 | application
Detection | high | experimental

OpenCanary - RDP New Connection Attempt

Detects instances where an RDP service on an OpenCanary node has had a connection attempt.

opencanary | application
TA0001 · Initial Access | TA0008 · Lateral Movement | T1133 · External Remote Services | T1021.001 · Remote Desktop Protocol
Marco Pedrinazzi | Tue Jan 06 | application
Detection | high | test

OpenCanary - REDIS Action Command Attempt

Detects instances where a REDIS service on an OpenCanary node has had an action command attempted.

opencanary | application
TA0006 · Credential Access | TA0009 · Collection | T1003 · OS Credential Dumping | T1213 · Data from Information Repositories
Security Onion Solutions | Fri Mar 08 | application
Detection | high | test

OpenCanary - SIP Request

Detects instances where an SIP service on an OpenCanary node has had a SIP request.

opencanary | application
TA0009 · Collection | T1123 · Audio Capture
Security Onion Solutions | Fri Mar 08 | application
Detection | high | test

OpenCanary - SMB File Open Request

Detects instances where an SMB service on an OpenCanary node has had a file open request.

opencanary | application
TA0008 · Lateral Movement | TA0009 · Collection | T1021 · Remote Services | T1005 · Data from Local System
Security Onion Solutions | Fri Mar 08 | application
Detection | high | test

OpenCanary - SNMP OID Request

Detects instances where an SNMP service on an OpenCanary node has had an OID request.

opencanary | application
TA0007 · Discovery | TA0008 · Lateral Movement | T1016 · System Network Configuration Discovery | T1021 · Remote Services
Security Onion Solutions | Fri Mar 08 | application
Detection | high | test

OpenCanary - SSH Login Attempt

Detects instances where an SSH service on an OpenCanary node has had a login attempt.

opencanary | application
TA0004 · Privilege Escalation | TA0005 · Defense Evasion | TA0001 · Initial Access | TA0008 · Lateral Movement | +4
Security Onion Solutions | Fri Mar 08 | application
Detection | high | test

OpenCanary - SSH New Connection Attempt

Detects instances where an SSH service on an OpenCanary node has had a connection attempt.

opencanary | application
TA0004 · Privilege Escalation | TA0005 · Defense Evasion | TA0001 · Initial Access | TA0008 · Lateral Movement | +4
Security Onion Solutions | Fri Mar 08 | application
Detection | high | test

OpenCanary - Telnet Login Attempt

Detects instances where a Telnet service on an OpenCanary node has had a login attempt.

opencanary | application
TA0004 · Privilege Escalation | TA0003 · Persistence | TA0005 · Defense Evasion | TA0001 · Initial Access | +3
Security Onion Solutions | Fri Mar 08 | application
Detection | high | test

OpenCanary - TFTP Request

Detects instances where a TFTP service on an OpenCanary node has had a request.

opencanary | application
TA0010 · Exfiltration | T1041 · Exfiltration Over C2 Channel
Security Onion Solutions | Fri Mar 08 | application
Detection | high | test

OpenCanary - VNC Connection Attempt

Detects instances where a VNC service on an OpenCanary node has had a connection attempt.

opencanary | application
TA0008 · Lateral Movement | T1021 · Remote Services
Security Onion Solutions | Fri Mar 08 | application
Detection | medium | stable

Python SQL Exceptions

Generic rule for SQL exceptions in Python according to PEP 249.

python | application
TA0001 · Initial Access | T1190 · Exploit Public-Facing Application
Thomas Patzke | Sat Aug 12 | application
Detection | high | test

Remote Schedule Task Lateral Movement via ATSvc

Detects remote RPC calls to create or execute a scheduled task via ATSvc.

rpc_firewall | application
TA0004 · Privilege Escalation | TA0008 · Lateral Movement | TA0002 · Execution | TA0003 · Persistence | +2
Sagie Dulce +1 | Sat Jan 01 | application
Detection | high | test

Remote Schedule Task Recon via AtScv

Detects remote RPC calls to read information about scheduled tasks via AtScv.

rpc_firewall | application
TA0007 · Discovery
Sagie Dulce +1 | Sat Jan 01 | application
Detection | high | test

Possible DCSync Attack

Detects remote RPC calls to MS-DRSR from non-DC hosts, which could indicate DCSync / DCShadow attacks.

rpc_firewall | application
T1033 · System Owner/User Discovery | TA0007 · Discovery
Sagie Dulce +1 | Sat Jan 01 | application
Detection | high | test

Remote Encrypting File System Abuse

Detects remote RPC calls to possibly abuse the remote encryption service via MS-EFSR.

rpc_firewall | application
TA0008 · Lateral Movement
Sagie Dulce +1 | Sat Jan 01 | application
Detection | high | test

Remote Event Log Recon

Detects remote RPC calls to get event log information via EVEN or EVEN6.

rpc_firewall | application
TA0007 · Discovery
Sagie Dulce +1 | Sat Jan 01 | application
Detection | high | test

Remote Schedule Task Lateral Movement via ITaskSchedulerService

Detects remote RPC calls to create or execute a scheduled task.

rpc_firewall | application
TA0004 · Privilege Escalation | TA0003 · Persistence | TA0002 · Execution | TA0008 · Lateral Movement | +2
Sagie Dulce +1 | Sat Jan 01 | application
Detection | high | test

Remote Schedule Task Recon via ITaskSchedulerService

Detects remote RPC calls to read information about scheduled tasks.

rpc_firewall | application
TA0007 · Discovery
Sagie Dulce +1 | Sat Jan 01 | application
Detection | high | test

Remote Printing Abuse for Lateral Movement

Detects remote RPC calls to possibly abuse the remote printing service via MS-RPRN / MS-PAR.

rpc_firewall | application
TA0008 · Lateral Movement
Sagie Dulce +1 | Sat Jan 01 | application
Detection | high | test

Remote DCOM/WMI Lateral Movement

Detects remote RPC calls that perform remote DCOM operations. These could be abused for lateral movement via DCOM or WMI.

rpc_firewall | application
TA0008 · Lateral Movement | TA0002 · Execution | T1021.003 · Distributed Component Object Model | T1047 · Windows Management Instrumentation
Sagie Dulce +1 | Sat Jan 01 | application
Detection | high | test

Remote Registry Lateral Movement

Detects remote RPC calls to modify the registry and possibly execute code.

rpc_firewall | application
TA0005 · Defense Evasion | TA0008 · Lateral Movement | T1112 · Modify Registry | TA0003 · Persistence
Sagie Dulce +1 | Sat Jan 01 | application
Detection | high | test

Remote Registry Recon

Detects remote RPC calls to collect information.

rpc_firewall | application
TA0007 · Discovery
Sagie Dulce +1 | Sat Jan 01 | application
Detection | high | test

Remote Server Service Abuse

Detects remote RPC calls to possibly abuse the remote encryption service via MS-SRVS.

rpc_firewall | application
TA0008 · Lateral Movement
Sagie Dulce +1 | Sat Jan 01 | application
Detection | high | test

Remote Server Service Abuse for Lateral Movement

Detects remote RPC calls to possibly abuse the remote encryption service via MS-EFSR.

rpc_firewall | application
TA0008 · Lateral Movement | TA0002 · Execution | T1569.002 · Service Execution
Sagie Dulce +1 | Sat Jan 01 | application
Detection | high | test

Remote Schedule Task Lateral Movement via SASec

Detects remote RPC calls to create or execute a scheduled task via SASec.

rpc_firewall | application
TA0004 · Privilege Escalation | TA0008 · Lateral Movement | TA0002 · Execution | TA0003 · Persistence | +2
Sagie Dulce +1 | Sat Jan 01 | application
Detection | high | test

Recon Activity via SASec

Detects remote RPC calls to read information about scheduled tasks via SASec.

rpc_firewall | application
TA0007 · Discovery
Sagie Dulce +1 | Sat Jan 01 | application
Detection | high | test

SharpHound Recon Account Discovery

Detects remote RPC calls used by SharpHound to map remote connections and local group membership.

rpc_firewall | application
T1087 · Account Discovery | TA0007 · Discovery
Sagie Dulce +1 | Sat Jan 01 | application
Detection | high | test

SharpHound Recon Sessions

Detects remote RPC calls used by SharpHound to map remote connections and local group membership.

rpc_firewall | application
TA0007 · Discovery | T1033 · System Owner/User Discovery
Sagie Dulce +1 | Sat Jan 01 | application
Detection | medium | stable

Ruby on Rails Framework Exceptions

Detects suspicious Ruby on Rails exceptions that could indicate exploitation attempts.

ruby_on_rails | application
TA0001 · Initial Access | T1190 · Exploit Public-Facing Application
Thomas Patzke | Sun Aug 06 | application
Detection | medium | stable

Spring Framework Exceptions

Detects suspicious Spring framework exceptions that could indicate exploitation attempts.

spring | application
TA0001 · Initial Access | T1190 · Exploit Public-Facing Application
Thomas Patzke | Sun Aug 06 | application
Detection | high | test

Potential SpEL Injection In Spring Framework

Detects potential SpEL Injection exploitation, which may lead to RCE.

spring | application
TA0001 · Initial Access | T1190 · Exploit Public-Facing Application
Moti Harmats | Sat Feb 11 | application