Rule Library

Sigma Rules

24 rules found

3,707 Total
3,116 Detection
451 Emerging
137 Hunting
Detection · high · test

OpenCanary - FTP Login Attempt

Detects instances where an FTP service on an OpenCanary node has had a login attempt.

opencanary · application
TA0001 · Initial Access, TA0010 · Exfiltration, TA0008 · Lateral Movement, T1190 · Exploit Public-Facing Application, +1
Security Onion Solutions · Fri Mar 08 · application
Detection · high · test

OpenCanary - GIT Clone Request

Detects instances where a GIT service on an OpenCanary node has had a Git Clone request.

opencanary · application
TA0009 · Collection, T1213 · Data from Information Repositories
Security Onion Solutions · Fri Mar 08 · application
Detection · high · test

OpenCanary - HTTPPROXY Login Attempt

Detects instances where an HTTPPROXY service on an OpenCanary node has had an attempt to proxy another page.

opencanary · application
TA0001 · Initial Access, TA0005 · Defense Evasion, TA0011 · Command and Control, T1090 · Proxy
Security Onion Solutions · Fri Mar 08 · application
Detection · high · test

OpenCanary - HTTP GET Request

Detects instances where an HTTP service on an OpenCanary node has received a GET request.

opencanary · application
TA0001 · Initial Access, T1190 · Exploit Public-Facing Application
Security Onion Solutions · Fri Mar 08 · application
Detection · high · test

OpenCanary - HTTP POST Login Attempt

Detects instances where an HTTP service on an OpenCanary node has had a login attempt via Form POST.

opencanary · application
TA0001 · Initial Access, T1190 · Exploit Public-Facing Application
Security Onion Solutions · Fri Mar 08 · application
Detection · high · test

OpenCanary - MSSQL Login Attempt Via SQLAuth

Detects instances where an MSSQL service on an OpenCanary node has had a login attempt using SQLAuth.

opencanary · application
TA0006 · Credential Access, TA0009 · Collection, T1003 · OS Credential Dumping, T1213 · Data from Information Repositories
Security Onion Solutions · Fri Mar 08 · application
Detection · high · test

OpenCanary - MSSQL Login Attempt Via Windows Authentication

Detects instances where an MSSQL service on an OpenCanary node has had a login attempt using Windows Authentication.

opencanary · application
TA0006 · Credential Access, TA0009 · Collection, T1003 · OS Credential Dumping, T1213 · Data from Information Repositories
Security Onion Solutions · Fri Mar 08 · application
Detection · high · test

OpenCanary - MySQL Login Attempt

Detects instances where a MySQL service on an OpenCanary node has had a login attempt.

opencanary · application
TA0006 · Credential Access, TA0009 · Collection, T1003 · OS Credential Dumping, T1213 · Data from Information Repositories
Security Onion Solutions · Fri Mar 08 · application
Detection · high · test

OpenCanary - NTP Monlist Request

Detects instances where an NTP service on an OpenCanary node has had an NTP monlist request.

opencanary · application
TA0040 · Impact, T1498 · Network Denial of Service
Security Onion Solutions · Fri Mar 08 · application
Detection · high · experimental

OpenCanary - NMAP FIN Scan

Detects instances where an OpenCanary node has been targeted by an NMAP FIN Scan.

opencanary · application
TA0007 · Discovery, T1046 · Network Service Discovery
Marco Pedrinazzi · Tue Jan 06 · application
Detection · high · experimental

OpenCanary - NMAP NULL Scan

Detects instances where an OpenCanary node has been targeted by an NMAP NULL Scan.

opencanary · application
TA0007 · Discovery, T1046 · Network Service Discovery
Marco Pedrinazzi · Tue Jan 06 · application
Detection · high · experimental

OpenCanary - NMAP OS Scan

Detects instances where an OpenCanary node has been targeted by an NMAP OS Scan.

opencanary · application
TA0007 · Discovery, T1046 · Network Service Discovery
Marco Pedrinazzi · Tue Jan 06 · application
Detection · high · experimental

OpenCanary - NMAP XMAS Scan

Detects instances where an OpenCanary node has been targeted by an NMAP XMAS Scan.

opencanary · application
TA0007 · Discovery, T1046 · Network Service Discovery
Marco Pedrinazzi · Tue Jan 06 · application
Detection · high · experimental

OpenCanary - Host Port Scan (SYN Scan)

Detects instances where an OpenCanary node has been targeted by a SYN port scan.

opencanary · application
TA0007 · Discovery, T1046 · Network Service Discovery
Marco Pedrinazzi · Tue Jan 06 · application
Detection · high · experimental

OpenCanary - RDP New Connection Attempt

Detects instances where an RDP service on an OpenCanary node has had a connection attempt.

opencanary · application
TA0001 · Initial Access, TA0008 · Lateral Movement, T1133 · External Remote Services, T1021.001 · Remote Desktop Protocol
Marco Pedrinazzi · Tue Jan 06 · application
Detection · high · test

OpenCanary - REDIS Action Command Attempt

Detects instances where a REDIS service on an OpenCanary node has had an action command attempted.

opencanary · application
TA0006 · Credential Access, TA0009 · Collection, T1003 · OS Credential Dumping, T1213 · Data from Information Repositories
Security Onion Solutions · Fri Mar 08 · application
Detection · high · test

OpenCanary - SIP Request

Detects instances where a SIP service on an OpenCanary node has had a SIP request.

opencanary · application
TA0009 · Collection, T1123 · Audio Capture
Security Onion Solutions · Fri Mar 08 · application
Detection · high · test

OpenCanary - SMB File Open Request

Detects instances where an SMB service on an OpenCanary node has had a file open request.

opencanary · application
TA0008 · Lateral Movement, TA0009 · Collection, T1021 · Remote Services, T1005 · Data from Local System
Security Onion Solutions · Fri Mar 08 · application
Detection · high · test

OpenCanary - SNMP OID Request

Detects instances where an SNMP service on an OpenCanary node has had an OID request.

opencanary · application
TA0007 · Discovery, TA0008 · Lateral Movement, T1016 · System Network Configuration Discovery, T1021 · Remote Services
Security Onion Solutions · Fri Mar 08 · application
Detection · high · test

OpenCanary - SSH Login Attempt

Detects instances where an SSH service on an OpenCanary node has had a login attempt.

opencanary · application
TA0004 · Privilege Escalation, TA0005 · Defense Evasion, TA0001 · Initial Access, TA0008 · Lateral Movement, +4
Security Onion Solutions · Fri Mar 08 · application
Detection · high · test

OpenCanary - SSH New Connection Attempt

Detects instances where an SSH service on an OpenCanary node has had a connection attempt.

opencanary · application
TA0004 · Privilege Escalation, TA0005 · Defense Evasion, TA0001 · Initial Access, TA0008 · Lateral Movement, +4
Security Onion Solutions · Fri Mar 08 · application
Detection · high · test

OpenCanary - Telnet Login Attempt

Detects instances where a Telnet service on an OpenCanary node has had a login attempt.

opencanary · application
TA0004 · Privilege Escalation, TA0003 · Persistence, TA0005 · Defense Evasion, TA0001 · Initial Access, +3
Security Onion Solutions · Fri Mar 08 · application
Detection · high · test

OpenCanary - TFTP Request

Detects instances where a TFTP service on an OpenCanary node has had a request.

opencanary · application
TA0010 · Exfiltration, T1041 · Exfiltration Over C2 Channel
Security Onion Solutions · Fri Mar 08 · application
Detection · high · test

OpenCanary - VNC Connection Attempt

Detects instances where a VNC service on an OpenCanary node has had a connection attempt.

opencanary · application
TA0008 · Lateral Movement, T1021 · Remote Services
Security Onion Solutions · Fri Mar 08 · application