Sigma Rules
274 rules found for "discovery"
Bitbucket User Details Export Attempt Detected
Detects user data export activity.
Bitbucket User Permissions Export Attempt
Detects user permission data export attempt.
Github Self Hosted Runner Changes Detected
A self-hosted runner is a system that you deploy and manage to execute jobs from GitHub Actions on GitHub.com. This rule detects changes to self-hosted runners configurations in the environment. The self-hosted runner configuration changes once detected, it should be validated from GitHub UI because the log entry may not provide full context.
RBAC Permission Enumeration Attempt
Detects identities attempting to enumerate their Kubernetes RBAC permissions. In the early stages of a breach, attackers will aim to list the permissions they have within the compromised environment. In a Kubernetes cluster, this can be achieved by interacting with the API server, and querying the SelfSubjectAccessReview API via e.g. a "kubectl auth can-i --list" command. This will enumerate the Role-Based Access Controls (RBAC) rules defining the compromised user's authorization.
OpenCanary - NMAP FIN Scan
Detects instances where an OpenCanary node has been targeted by a NMAP FIN Scan
OpenCanary - NMAP NULL Scan
Detects instances where an OpenCanary node has been targeted by a NMAP NULL Scan
OpenCanary - NMAP OS Scan
Detects instances where an OpenCanary node has been targeted by a NMAP OS Scan
OpenCanary - NMAP XMAS Scan
Detects instances where an OpenCanary node has been targeted by a NMAP XMAS Scan
OpenCanary - Host Port Scan (SYN Scan)
Detects instances where an OpenCanary node has been targeted by a SYN port scan.
OpenCanary - SNMP OID Request
Detects instances where an SNMP service on an OpenCanary node has had an OID request.
Remote Schedule Task Recon via AtScv
Detects remote RPC calls to read information about scheduled tasks via AtScv
Possible DCSync Attack
Detects remote RPC calls to MS-DRSR from non DC hosts, which could indicate DCSync / DCShadow attacks.
Remote Event Log Recon
Detects remote RPC calls to get event log information via EVEN or EVEN6
Remote Schedule Task Recon via ITaskSchedulerService
Detects remote RPC calls to read information about scheduled tasks
Remote Registry Recon
Detects remote RPC calls to collect information
Recon Activity via SASec
Detects remote RPC calls to read information about scheduled tasks via SASec
SharpHound Recon Account Discovery
Detects remote RPC calls useb by SharpHound to map remote connections and local group membership.
SharpHound Recon Sessions
Detects remote RPC calls useb by SharpHound to map remote connections and local group membership.
Potential Bucket Enumeration on AWS
Looks for potential enumeration of AWS buckets via ListBuckets.
AWS STS GetCallerIdentity Enumeration Via TruffleHog
Detects the use of TruffleHog for AWS credential validation by identifying GetCallerIdentity API calls where the userAgent indicates TruffleHog. Threat actors leverage TruffleHog to enumerate and validate exposed AWS keys. Successful exploitation allows threat actors to confirm the validity of compromised AWS credentials, facilitating further unauthorized access and actions within the AWS environment.
Discovery Using AzureHound
Detects AzureHound (A BloodHound data collector for Microsoft Azure) activity via the default User-Agent that is used during its operation after successful authentication.
Google Cloud Storage Buckets Enumeration
Detects when storage bucket is enumerated in Google Cloud.
PST Export Alert Using eDiscovery Alert
Alert on when a user has performed an eDiscovery search or exported a PST file from the search. This PST file usually has sensitive information including email body content
PST Export Alert Using New-ComplianceSearchAction
Alert when a user has performed an export to a search using 'New-ComplianceSearchAction' with the '-Export' flag. This detection will detect PST export even if the 'eDiscovery search or exported' alert is disabled in the O365.This rule will apply to ExchangePowerShell usage and from the cloud.
Linux Capabilities Discovery
Detects attempts to discover the files with setuid/setgid capability on them. That would allow adversary to escalate their privileges.
Network Sniffing - Linux
Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
System Owner or User Discovery - Linux
Detects the execution of host or user discovery utilities such as "whoami", "hostname", "id", etc. Adversaries may use the information from System Owner/User Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Password Policy Discovery - Linux
Detects password policy discovery commands
System Information Discovery - Auditd
Detects System Information Discovery commands
System and Hardware Information Discovery
Detects system information discovery commands
Linux Network Service Scanning - Auditd
Detects enumeration of local or remote network services.
System Info Discovery via Sysinfo Syscall
Detects use of the sysinfo system call in Linux, which provides a snapshot of key system statistics such as uptime, load averages, memory usage, and the number of running processes. Malware or reconnaissance tools might leverage sysinfo to fingerprint the system - gathering data to determine if it's a viable target.
Shell Invocation via Apt - Linux
Detects the use of the "apt" and "apt-get" commands to execute a shell or proxy commands. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
Capabilities Discovery - Linux
Detects usage of "getcap" binary. This is often used during recon activity to determine potential binaries that can be abused as GTFOBins or other.
Crontab Enumeration
Detects usage of crontab to list the tasks of the user
ESXi Network Configuration Discovery Via ESXCLI
Detects execution of the "esxcli" command with the "network" flag in order to retrieve information about the network configuration.
ESXi Storage Information Discovery Via ESXCLI
Detects execution of the "esxcli" command with the "storage" flag in order to retrieve information about the storage status and other related information. Seen used by malware such as DarkSide and LockBit.
ESXi System Information Discovery Via ESXCLI
Detects execution of the "esxcli" command with the "system" flag in order to retrieve information about the different component of the system. Such as accounts, modules, NTP, etc.
ESXi VM List Discovery Via ESXCLI
Detects execution of the "esxcli" command with the "vm" flag in order to retrieve information about the installed VMs.
ESXi VSAN Information Discovery Via ESXCLI
Detects execution of the "esxcli" command with the "vsan" flag in order to retrieve information about virtual storage. Seen used by malware such as DarkSide.
File and Directory Discovery - Linux
Detects usage of system utilities such as "find", "tree", "findmnt", etc, to discover files, directories and network shares.
Shell Execution via Find - Linux
Detects the use of the find command to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or exploitation attempt.
Shell Execution via Flock - Linux
Detects the use of the "flock" command to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
Shell Execution GCC - Linux
Detects the use of the "gcc" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
OS Architecture Discovery Via Grep
Detects the use of grep to identify information about the operating system architecture. Often combined beforehand with the execution of "uname" or "cat /proc/cpuinfo"
Local System Accounts Discovery - Linux
Detects enumeration of local system accounts. This information can help adversaries determine which local accounts exist on a system to aid in follow-on behavior.
Local Groups Discovery - Linux
Detects enumeration of local system groups. Adversaries may attempt to find local system groups and permission settings
Potential GobRAT File Discovery Via Grep
Detects the use of grep to discover specific files created by the GobRAT malware