Sigma Rules
143 rules found for "collection"
Bitbucket Full Data Export Triggered
Detects when full data export is attempted.
Bitbucket Unauthorized Full Data Export Triggered
Detects when full data export is attempted an unauthorized user.
Bitbucket User Details Export Attempt Detected
Detects user data export activity.
Bitbucket User Permissions Export Attempt
Detects user permission data export attempt.
Github Delete Action Invoked
Detects delete action in the Github audit logs for codespaces, environment, project and repo.
Github Outside Collaborator Detected
Detects when an organization member or an outside collaborator is added to or removed from a project board or has their permission level changed or when an owner removes an outside collaborator from an organization or when two-factor authentication is required in an organization and an outside collaborator does not use 2FA or disables 2FA.
GitHub Repository Pages Site Changed to Public
Detects when a GitHub Pages site of a repository is made public. This usually is part of a publishing process but could indicate or lead to potential unauthorized exposure of sensitive information or code.
Github Self Hosted Runner Changes Detected
A self-hosted runner is a system that you deploy and manage to execute jobs from GitHub Actions on GitHub.com. This rule detects changes to self-hosted runners configurations in the environment. The self-hosted runner configuration changes once detected, it should be validated from GitHub UI because the log entry may not provide full context.
OpenCanary - GIT Clone Request
Detects instances where a GIT service on an OpenCanary node has had Git Clone request.
OpenCanary - MSSQL Login Attempt Via SQLAuth
Detects instances where an MSSQL service on an OpenCanary node has had a login attempt using SQLAuth.
OpenCanary - MSSQL Login Attempt Via Windows Authentication
Detects instances where an MSSQL service on an OpenCanary node has had a login attempt using Windows Authentication.
OpenCanary - MySQL Login Attempt
Detects instances where a MySQL service on an OpenCanary node has had a login attempt.
OpenCanary - REDIS Action Command Attempt
Detects instances where a REDIS service on an OpenCanary node has had an action command attempted.
OpenCanary - SIP Request
Detects instances where an SIP service on an OpenCanary node has had a SIP request.
OpenCanary - SMB File Open Request
Detects instances where an SMB service on an OpenCanary node has had a file open request.
AWS EC2 VM Export Failure
An attempt to export an AWS EC2 instance has been detected. A VM Export might indicate an attempt to extract information from an instance.
Azure Firewall Rule Collection Modified or Deleted
Identifies when Rule Collections (Application, NAT, and Network) is being modified or deleted.
Suspicious Inbox Forwarding Identity Protection
Indicates suspicious rules such as an inbox rule that forwards a copy of all emails to an external address
Google Full Network Traffic Packet Capture
Identifies potential full network packet capture in gcp. This feature can potentially be abused to read sensitive data from unencrypted internal traffic.
PST Export Alert Using eDiscovery Alert
Alert on when a user has performed an eDiscovery search or exported a PST file from the search. This PST file usually has sensitive information including email body content
PST Export Alert Using New-ComplianceSearchAction
Alert when a user has performed an export to a search using 'New-ComplianceSearchAction' with the '-Export' flag. This detection will detect PST export even if the 'eDiscovery search or exported' alert is disabled in the O365.This rule will apply to ExchangePowerShell usage and from the cloud.
Clipboard Collection with Xclip Tool - Auditd
Detects attempts to collect data stored in the clipboard from users with the usage of xclip tool. Xclip has to be installed. Highly recommended using rule on servers, due to high usage of clipboard utilities on user workstations.
Clipboard Collection of Image Data with Xclip Tool
Detects attempts to collect image data stored in the clipboard from users with the usage of xclip tool. Xclip has to be installed. Highly recommended using rule on servers, due to high usage of clipboard utilities on user workstations.
Data Compressed
An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
Screen Capture with Import Tool
Detects adversary creating screen capture of a desktop with Import Tool. Highly recommended using rule on servers, due to high usage of screenshot utilities on user workstations. ImageMagick must be installed.
Screen Capture with Xwd
Detects adversary creating screen capture of a full with xwd. Highly recommended using rule on servers, due high usage of screenshot utilities on user workstations
Audio Capture
Detects attempts to record audio using the arecord and ecasound utilities.
Linux Keylogging with Pam.d
Detect attempt to enable auditing of TTY input
Clipboard Collection with Xclip Tool
Detects attempts to collect data stored in the clipboard from users with the usage of xclip tool. Xclip has to be installed. Highly recommended using rule on servers, due to high usage of clipboard utilities on user workstations.
Script Interpreter Spawning Credential Scanner - Linux
Detects a script interpreter process (like node.js or bun) spawning a known credential scanning tool (e.g., trufflehog, gitleaks). This behavior is indicative of an attempt to find and steal secrets, as seen in the "Shai-Hulud: The Second Coming" campaign.
Clipboard Data Collection Via OSAScript
Detects possible collection of data from the clipboard via execution of the osascript binary
GUI Input Capture - macOS
Detects attempts to use system dialog prompts to capture user credentials
Disk Image Mounting Via Hdiutil - MacOS
Detects the execution of the hdiutil utility in order to mount disk images.
Screen Capture - macOS
Detects attempts to use screencapture to collect macOS screenshots
Cisco Collect Data
Collect pertinent data from the configuration files
Cisco Stage Data
Various protocols maybe used to put data on the device for exfil or infil
Cisco BGP Authentication Failures
Detects BGP failures which may be indicative of brute force attacks to manipulate routing
Cisco LDP Authentication Failures
Detects LDP failures which may be indicative of brute force attacks to manipulate MPLS labels
Huawei BGP Authentication Failures
Detects BGP failures which may be indicative of brute force attacks to manipulate routing.
Juniper BGP Missing MD5
Detects juniper BGP missing MD5 digest. Which may be indicative of brute force attacks to manipulate routing.
Potential PetitPotam Attack Via EFS RPC Calls
Detects usage of the windows RPC library Encrypting File System Remote Protocol (MS-EFSRPC). Variations of this RPC are used within the attack refereed to as PetitPotam. The usage of this RPC function should be rare if ever used at all. Thus usage of this function is uncommon enough that any usage of this RPC function should warrant further investigation to determine if it is legitimate. View surrounding logs (within a few minutes before and after) from the Source IP to. Logs from from the Source IP would include dce_rpc, smb_mapping, smb_files, rdp, ntlm, kerberos, etc..'
Suspicious DNS Query Indicating Kerberos Coercion via DNS Object SPN Spoofing - Network
Detects DNS queries containing patterns associated with Kerberos coercion attacks via DNS object spoofing. The pattern "1UWhRCAAAAA..BAAAA" is a base64-encoded signature that corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure. Attackers can use this technique to coerce authentication from victim systems to attacker-controlled hosts. It is one of the strong indicators of a Kerberos coercion attack, where adversaries manipulate DNS records to spoof Service Principal Names (SPNs) and redirect authentication requests like CVE-2025-33073.
Suspicious Access to Sensitive File Extensions - Zeek
Detects known sensitive file extensions via Zeek
HackTool - CobaltStrike Malleable Profile Patterns - Proxy
Detects cobalt strike malleable profiles patterns (URI, User-Agents, Methods).
Suspicious Network Communication With IPFS
Detects connections to interplanetary file system (IPFS) containing a user's email address which mirrors behaviours observed in recent phishing campaigns leveraging IPFS to host credential harvesting webpages.
Backup Catalog Deleted
Detects backup catalog deletions
Potential Active Directory Reconnaissance/Enumeration Via LDAP
Detects potential Active Directory enumeration via LDAP
RottenPotato Like Attack Pattern
Detects logon events that have characteristics of events generated during an attack with RottenPotato and the like