Sigma Rules
146 rules found for "attack.T1190"
Django Framework Exceptions
Detects suspicious Django web application framework exceptions that could indicate exploitation attempts
Potential JNDI Injection Exploitation In JVM Based Application
Detects potential JNDI Injection exploitation. Often coupled with Log4Shell exploitation.
Potential Local File Read Vulnerability In JVM Based Application
Detects potential local file read vulnerability in JVM based apps. If the exceptions are caused due to user input and contain path traversal payloads then it's a red flag.
Potential OGNL Injection Exploitation In JVM Based Application
Detects potential OGNL Injection exploitation, which may lead to RCE. OGNL is an expression language that is supported in many JVM based systems. OGNL Injection is the reason for some high profile RCE's such as Apache Struts (CVE-2017-5638) and Confluence (CVE-2022-26134)
Process Execution Error In JVM Based Application
Detects process execution related exceptions in JVM based apps, often relates to RCE
Potential XXE Exploitation Attempt In JVM Based Application
Detects XML parsing issues, if the application expects to work with XML make sure that the parser is initialized safely.
Potential RCE Exploitation Attempt In NodeJS
Detects process execution related errors in NodeJS. If the exceptions are caused due to user input then they may suggest an RCE vulnerability.
OpenCanary - FTP Login Attempt
Detects instances where an FTP service on an OpenCanary node has had a login attempt.
OpenCanary - HTTP GET Request
Detects instances where an HTTP service on an OpenCanary node has received a GET request.
OpenCanary - HTTP POST Login Attempt
Detects instances where an HTTP service on an OpenCanary node has had login attempt via Form POST.
Python SQL Exceptions
Generic rule for SQL exceptions in Python according to PEP 249
Ruby on Rails Framework Exceptions
Detects suspicious Ruby on Rails exceptions that could indicate exploitation attempts
Spring Framework Exceptions
Detects suspicious Spring framework exceptions that could indicate exploitation attempts
Potential SpEL Injection In Spring Framework
Detects potential SpEL Injection exploitation, which may lead to RCE.
Suspicious SQL Error Messages
Detects SQL error messages that indicate probing for an injection attack
Potential Server Side Template Injection In Velocity
Detects exceptions in velocity template renderer, this most likely happens due to dynamic rendering of user input and may lead to RCE.
Suspicious SQL Query
Detects suspicious SQL query keywrods that are often used during recon, exfiltration or destructive activities. Such as dropping tables and selecting wildcard fields
Ingress/Egress Security Group Modification
Detects when an account makes changes to the ingress or egress rules of a security group. This can indicate that an attacker is attempting to open up new attack vectors in the account, that they are trying to exfiltrate data over the network, or that they are trying to allow machines in that VPC/Subnet to contact a C&C server.
LoadBalancer Security Group Modification
Detects changes to the security groups associated with an Elastic Load Balancer (ELB) or Application Load Balancer (ALB). This can indicate that a misconfiguration allowing more traffic into the system than required, or could indicate that an attacker is attempting to enable new connections into a VPC or subnet controlled by the account.
RDS Database Security Group Modification
Detects changes to the security group entries for RDS databases. This can indicate that a misconfiguration has occurred which potentially exposes the database to the public internet, a wider audience within the VPC or that removal of valid rules has occurred which could impact the availability of the database to legitimate services and users.
Suspicious OpenSSH Daemon Error
Detects suspicious SSH / SSHD error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts
Suspicious Named Error
Detects suspicious DNS error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts
Suspicious VSFTPD Error Messages
Detects suspicious VSFTPD error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts
OMIGOD SCX RunAsProvider ExecuteScript
Rule to detect the use of the SCX RunAsProvider ExecuteScript to execute any UNIX/Linux script using the /bin/sh shell. Script being executed gets created as a temp file in /tmp folder with a scx* prefix. Then it is invoked from the following directory /etc/opt/microsoft/scx/conf/tmpdir/. The file in that directory has the same prefix scx*. SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including Microsoft Operations Manager, Microsoft Azure, and Microsoft Operations Management Suite.
OMIGOD SCX RunAsProvider ExecuteShellCommand
Rule to detect the use of the SCX RunAsProvider Invoke_ExecuteShellCommand to execute any UNIX/Linux command using the /bin/sh shell. SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including Microsoft Operations Manager, Microsoft Azure, and Microsoft Operations Management Suite.
DNS Query to External Service Interaction Domains
Detects suspicious DNS queries to external service interaction domains often used for out-of-band interactions after successful RCE
Apache Threading Error
Detects an issue in apache logs that reports threading related errors
F5 BIG-IP iControl Rest API Command Execution - Proxy
Detects POST requests to the F5 BIG-IP iControl Rest API "bash" endpoint, which allows the execution of commands on the BIG-IP
Hack Tool User Agent
Detects suspicious user agent strings user by hack tools in proxy logs
F5 BIG-IP iControl Rest API Command Execution - Webserver
Detects POST requests to the F5 BIG-IP iControl Rest API "bash" endpoint, which allows the execution of commands on the BIG-IP
Successful IIS Shortname Fuzzing Scan
When IIS uses an old .Net Framework it's possible to enumerate folders with the symbol "~"
Java Payload Strings
Detects possible Java payloads in web access logs
JNDIExploit Pattern
Detects exploitation attempt using the JNDI-Exploit-Kit
Path Traversal Exploitation Attempts
Detects path traversal exploitation attempts
SQL Injection Strings In URI
Detects potential SQL injection attempts via GET requests in access logs.
Suspicious User-Agents Related To Recon Tools
Detects known suspicious (default) user-agents related to scanning/recon tools
Failed Logon From Public IP
Detects a failed logon attempt from a public IP. A login from a public IP can indicate a misconfigured firewall or network boundary.
Suspicious File Drop by Exchange
Detects suspicious file type dropped by an Exchange component in IIS
Suspicious MSExchangeMailboxReplication ASPX Write
Detects suspicious activity in which the MSExchangeMailboxReplication process writes .asp and .apsx files to disk, which could be a sign of ProxyShell exploitation
Suspicious File Write to SharePoint Layouts Directory
Detects suspicious file writes to SharePoint layouts directory which could indicate webshell activity or post-exploitation. This behavior has been observed in the exploitation of SharePoint vulnerabilities such as CVE-2025-49704, CVE-2025-49706 or CVE-2025-53770.
Suspicious File Write to Webapps Root Directory
Detects suspicious file writes to the root directory of web applications, particularly Apache web servers or Tomcat servers. This may indicate an attempt to deploy malicious files such as web shells or other unauthorized scripts.
Suspicious Child Process Of SQL Server
Detects suspicious child processes of the SQLServer process. This could indicate potential RCE or SQL Injection.
Remote Access Tool - ScreenConnect Server Web Shell Execution
Detects potential web shell execution from the ScreenConnect server process.
Terminal Service Process Spawn
Detects a process spawned by the terminal service server process (this could be an indicator for an exploitation of CVE-2019-0708)
Suspicious Process By Web Server Process
Detects potentially suspicious processes being spawned by a web server process which could be the result of a successfully placed web shell or exploitation
Suspicious Processes Spawned by WinRM
Detects suspicious processes including shells spawnd from WinRM host process
CVE-2010-5278 Exploitation Attempt
MODx manager - Local File Inclusion:Directory traversal vulnerability in manager/controllers/default/resource/tvs.php in MODx Revolution 2.0.2-pl, and possibly earlier, when magic_quotes_gpc is disabled, allows remote attackers to read arbitrary files via a .. (dot dot) in the class_key parameter.
Rejetto HTTP File Server RCE
Detects attempts to exploit a Rejetto HTTP File Server (HFS) via CVE-2014-6287