Sigma Rules
515 rules found for "Red Canary"
Chmod Suspicious Directory
Detects chmod targeting files in abnormal directory paths.
Suspicious Curl File Upload - Linux
Detects a suspicious curl process start that adds a file to a web request
History File Deletion
Detects events in which a history file gets deleted, e.g. ~/.bash_history, to remove traces of malicious activity
Print History File Contents
Detects events in which someone prints the contents of history files to the command line or redirects them to a file for reconnaissance
Linux Network Service Scanning Tools Execution
Detects execution of network scanning and reconnaissance tools. These tools can be used, for example, to enumerate local or remote network services.
System Information Discovery
Detects system information discovery commands
System Network Connections Discovery - Linux
Detects usage of system utilities to discover system network connections
System Network Discovery - Linux
Detects enumeration of local network configuration
MacOS Emond Launch Daemon
Detects additions to the Emond Launch Daemon that adversaries may use to gain persistence and elevate privileges.
Startup Item File Created - MacOS
Detects the creation of a startup item plist file that is automatically executed at boot initialization to establish persistence. Adversaries may use startup items automatically executed at boot initialization to establish persistence. Startup items execute during the final phase of the boot process and contain shell scripts or other executable files along with configuration information used by the system to determine the execution order for all startup items.
MacOS Scripting Interpreter AppleScript
Detects execution of scripts written in AppleScript, the macOS scripting language.
Decode Base64 Encoded Text - MacOs
Detects usage of base64 utility to decode arbitrary base64-encoded text
Binary Padding - MacOS
Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This rule detects the use of dd and truncate to add junk data to a file.
File Time Attribute Change
Detects file time attribute changes made to hide new files or changes to existing files
Indicator Removal on Host - Clear Mac System Logs
Detects deletion of local audit logs
Creation Of A Local User Account
Detects the creation of a new user account. Such accounts may be used to establish persistence without deploying persistent remote access tools on the system.
Hidden User Creation
Detects creation of a hidden user account on macOS (UserID < 500) or with IsHidden option
Credentials from Password Stores - Keychain
Detects password dumps from Keychain
Disable Security Tools
Detects disabling security tools
User Added To Admin Group Via Dscl
Detects attempts to create and add an account to the admin group via "dscl"
User Added To Admin Group Via DseditGroup
Detects attempts to create and/or add an account to the admin group, thus granting admin privileges.
Root Account Enable Via Dsenableroot
Detects attempts to enable the root account via "dsenableroot"
File and Directory Discovery - MacOS
Detects usage of system utilities to discover files and directories
Credentials In Files
Detects attempts to extract passwords with grep and LaZagne
GUI Input Capture - macOS
Detects attempts to use system dialog prompts to capture user credentials
Suspicious Installer Package Child Process
Detects the execution of suspicious child processes from a macOS installer package parent process. This includes interpreters such as osascript and JXA as well as download utilities such as curl and wget, among others
JXA In-memory Execution Via OSAScript
Detects possible malicious execution of JXA in-memory via OSAScript
Launch Agent/Daemon Execution Via Launchctl
Detects the execution of programs as Launch Agents or Launch Daemons using launchctl on macOS.
Local System Accounts Discovery - MacOs
Detects enumeration of local system accounts on MacOS
Local Groups Discovery - MacOs
Detects enumeration of local system groups
MacOS Network Service Scanning
Detects enumeration of local or remote network services.
Network Sniffing - MacOs
Detects the usage of tooling to sniff network traffic. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
Suspicious Microsoft Office Child Process - MacOS
Detects suspicious child processes spawning from Microsoft Office suite applications such as Word or Excel. This could indicate malicious macro execution
OSACompile Run-Only Execution
Detects potentially suspicious execution of run-only scripts compiled using OSACompile
Potential Persistence Via PlistBuddy
Detects potential persistence activity using LaunchAgents or LaunchDaemons via the PlistBuddy utility
Macos Remote System Discovery
Detects the enumeration of other remote systems.
Scheduled Cron Task/Job - MacOs
Detects abuse of the cron utility to perform task scheduling for initial or recurring execution of malicious code. Detection will focus on crontab jobs uploaded from the tmp folder.
Screen Capture - macOS
Detects attempts to use screencapture to collect macOS screenshots
Security Software Discovery - MacOs
Detects usage of system utilities (only grep for now) to discover security software
Space After Filename - macOS
Detects attempts to masquerade as legitimate files by adding a space to the end of the filename.
Split A File Into Pieces
Detects use of the command "split" to split files into parts, possibly in preparation for transfer.
Osacompile Execution By Potentially Suspicious Applet/Osascript
Detects a potentially suspicious applet or osascript process executing "osacompile".
Suspicious History File Operations
Detects commandline operations on shell history files
Potential In-Memory Download And Compile Of Payloads
Detects potential in-memory downloading and compiling of applets using curl and osacompile, as seen in XCSSET malware
System Network Discovery - macOS
Detects enumeration of local network configuration
User Added To Admin Group Via Sysadminctl
Detects attempts to create and add an account to the admin group via "sysadminctl"
System Network Connections Discovery - MacOs
Detects usage of system utilities to discover system network connections
System Shutdown/Reboot - MacOs
Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems.