Sigma Rules
104 rules found
Django Framework Exceptions
Detects suspicious Django web application framework exceptions that could indicate exploitation attempts
Python SQL Exceptions
Generic rule for SQL exceptions in Python according to PEP 249
Ruby on Rails Framework Exceptions
Detects suspicious Ruby on Rails exceptions that could indicate exploitation attempts
Spring Framework Exceptions
Detects suspicious Spring framework exceptions that could indicate exploitation attempts
Antivirus Exploitation Framework Detection
Detects a highly relevant Antivirus alert that reports an exploitation framework. This event must not be ignored just because the AV has blocked the malware; investigate how it got there in the first place.
Antivirus Hacktool Detection
Detects a highly relevant Antivirus alert that reports a hack tool or other attack tool. This event must not be ignored just because the AV has blocked the malware; investigate how it got there in the first place.
Antivirus Password Dumper Detection
Detects a highly relevant Antivirus alert that reports a password dumper. This event must not be ignored just because the AV has blocked the malware; investigate how it got there in the first place.
AWS EC2 Disable EBS Encryption
Identifies disabling of default Amazon Elastic Block Store (EBS) encryption in the current region. Disabling default encryption does not change the encryption status of your existing volumes.
AWS SecurityHub Findings Evasion
Detects the modification of the findings on SecurityHub.
Overwriting the File with Dev Zero or Null
Detects overwriting (effectively wiping/deleting) of a file.
Password Policy Discovery - Linux
Detects password policy discovery commands
System and Hardware Information Discovery
Detects system information discovery commands
Relevant ClamAV Message
Detects relevant ClamAV messages
Remote File Copy
Detects the use of tools that copy files from or to remote systems
Linux Doas Conf File Creation
Detects the creation of a doas.conf file on a Linux host.
Linux Crypto Mining Pool Connections
Detects process connections to a Monero crypto mining pool
Scheduled Task/Job At
Detects the use of at/atd, utilities that are used to schedule tasks. They are often abused by adversaries to maintain persistence or to schedule initial or recurring execution of malicious code.
Clear Linux Logs
Detects attempts to clear logs on the system. Adversaries may clear system logs to hide evidence of an intrusion
Linux Doas Tool Execution
Detects execution of the doas tool on a Linux host. This utility allows standard users to perform tasks as root, the same way sudo does.
File Deletion
Detects file deletion using the "rm", "shred" or "unlink" commands, which adversaries often use to delete files left behind by their intrusion activity.
System Information Discovery
Detects system information discovery commands
Monero Crypto Coin Mining Pool Lookup
Detects suspicious DNS queries to Monero mining pools
Cleartext Protocol Usage
Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels. Ensure that encryption is used for all sensitive information in transit. Ensure that an encrypted channel is used for all administrative account access.
A Member Was Added to a Security-Enabled Global Group
Detects activity when a member is added to a security-enabled global group
A Member Was Removed From a Security-Enabled Global Group
Detects activity when a member is removed from a security-enabled global group
Pass the Hash Activity 2
Detects the attack technique pass the hash which is used to move laterally inside the network
A Security-Enabled Global Group Was Deleted
Detects activity when a security-enabled global group is deleted
Successful Account Login Via WMI
Detects successful logon attempts performed with WMI
Failed Code Integrity Checks
Detects code integrity failures such as missing page hashes or corrupted drivers due to unauthorized modification. This could be a sign of tampered binaries.
A New Trust Was Created To A Domain
Addition of domains is rare and should be verified for legitimacy.
Addition of SID History to Active Directory Object
An attacker can use the SID history attribute to gain additional privileges.
Password Change on Directory Service Restore Mode (DSRM) Account
Detects potential attempts made to set the Directory Services Restore Mode administrator password. The Directory Service Restore Mode (DSRM) account is a local administrator account on Domain Controllers. Attackers may change the password in order to obtain persistence.
User Added to Local Administrator Group
Detects the addition of a new member to the local administrator group, which could be legitimate activity or a sign of privilege escalation activity
Locked Workstation
Detects locked workstation session events that occur automatically after a standard period of inactivity.
Windows Update Error
Detects Windows update errors including installation failures and connection issues. Defenders should observe this in case critical update KBs aren't installed.
Zerologon Exploitation Using Well-known Tools
This rule is designed to detect attempts to exploit the Zerologon (CVE-2020-1472) vulnerability using the mimikatz zerologon module or other exploits from a machine with the "kali" hostname.
Windows Defender Threat Detection Service Disabled
Detects when the "Windows Defender Threat Protection" service is disabled.
Windows Defender Grace Period Expired
Detects the expiration of the grace period of Windows Defender. This means protection against viruses, spyware, and other potentially unwanted software is disabled.
Windows Defender Exclusions Added
Detects the setting of Windows Defender exclusions
Windows Defender Submit Sample Feature Disabled
Detects disabling of the "Automatic Sample Submission" feature of Windows Defender.
Windows Defender Malware And PUA Scanning Disabled
Detects disabling of the Windows Defender feature of scanning for malware and other potentially unwanted software
Windows Defender AMSI Trigger Detected
Detects triggering of AMSI by Windows Defender.
Windows Defender Real-time Protection Disabled
Detects disabling of Windows Defender Real-time Protection. As this event doesn't contain much information on who initiated the action, you might want to reduce it to a "medium" level if it occurs too many times in your environment.
Windows Defender Real-Time Protection Failure/Restart
Detects issues with Windows Defender Real-Time Protection features
Windows Defender Configuration Changes
Detects suspicious changes to the Windows Defender configuration
Microsoft Defender Tamper Protection Trigger
Detects blocked attempts to change any of Defender's settings such as "Real Time Monitoring" and "Behavior Monitoring"
Windows Defender Threat Detected
Detects actions taken by Windows Defender malware detection engines
Windows Defender Virus Scanning Feature Disabled
Detects disabling of the Windows Defender virus scanning feature