Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
20 changes: 20 additions & 0 deletions packs/linux/advanced/pack.yml
Original file line number Diff line number Diff line change
Expand Up @@ -21,9 +21,19 @@ attack_coverage:
- T1059.004
- T1036
- T1105
- T1071
- T1070.003
- T1070.002
- T1548.001
- T1547
- T1505.003
- T1027
- T1562.001
- T1219
telemetry_requirements:
- file_event
- process_creation
- network_connection
- file_scan
test_status: none
sources:
Expand All @@ -37,3 +47,13 @@ rules:
- 5f607182-93a4-45b6-9fc7-4a5b6c7d8e95 # Shell Profile / RC File Persistence (sigma)
- 60718293-a4b5-46c7-8fd8-5b6c7d8e9fa6 # Execution from World-Writable / Temporary Directory (sigma)
- 94fb53c7-debd-4287-99e4-6eb0ba923731 # Linux Download and Execute Piped to Shell (sigma)
- d0c6216e-881c-408f-8e72-0a466522306b # Outbound Network Connection from Shell Binary (sigma)
- 6df6fcdc-e5e5-413b-aabe-ec3d51d6bfeb # Shell History File Tampering (sigma)
- 6b124b53-1d4b-48a2-86b7-4df9bf43de61 # System Log Clearing (journal and /var/log) (sigma)
- 7a34ffc3-adbc-4d9d-94a4-4bd33ac05cc3 # SUID/SGID Bit Added via chmod (sigma)
- 1bb5e9e4-f17e-476e-8e77-aaa1858f12f7 # udev Rules Persistence (sigma)
- e96a9b85-26f6-4251-a26b-361d4b6761ef # Webshell Written by Web-Server Process (sigma)
- d24c4943-3e22-481f-99ee-ca631b8a77af # Base64-Decode Piped to Shell (sigma)
- 0cb59840-b420-4332-b7d1-2c3d4343901f # Security Service Stop (auditd / AppArmor / SELinux / EDR) (sigma)
yara:
- yara-lnx-sliver-implant # Sliver C2 implant artifacts in Linux ELF (yara)
8 changes: 8 additions & 0 deletions packs/linux/essential/pack.yml
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,10 @@ attack_coverage:
- T1505.003
- T1562.001
- T1496
- T1071
- T1547.006
- T1014
- T1136.001
telemetry_requirements:
- process_creation
- file_event
Expand All @@ -36,7 +40,11 @@ rules:
- a3c5c821-004a-4e52-8684-0f7f9ea0404c # Linux Reverse Shell via /dev/tcp (sigma)
- 8fd4d1d9-38cf-4704-8009-00e41a009c98 # Linux Web Server Spawning Interactive Shell (sigma)
- 9ac8732e-1818-4cda-89ac-01ca08a7b836 # SSH Daemon Configuration Tampering (sigma)
- 1adaaaca-bfcf-46fe-9bd1-4b475d7bc827 # Netcat or Socat Reverse Shell Execution (sigma)
- 3f32d825-006a-45e9-b5a9-6e7edeeff13c # Kernel Module Load from Suspicious Path (sigma)
- 66fd4673-d86b-41d1-ba33-60d7c66dc962 # Backdoor Account Creation (Duplicate UID 0) (sigma)
yara:
- yara-lnx-xmrig-coinminer # XMRig / coinminer strings in Linux ELF binaries (yara)
- yara-lnx-msfvenom-stager # Metasploit / Mettle stager markers in ELF binaries (yara)
ioc:
- ioc-eicar-test # EICAR safe end-to-end IOC test set (ioc) # EICAR safe end-to-end IOC test set (ioc) # EICAR safe end-to-end IOC test set (ioc)
5 changes: 5 additions & 0 deletions packs/macos/advanced/pack.yml
Original file line number Diff line number Diff line change
Expand Up @@ -24,6 +24,8 @@ attack_coverage:
- T1036
- T1136.001
- T1098
- T1098.004
- T1070.003
telemetry_requirements:
- process_creation
- file_event
Expand All @@ -38,3 +40,6 @@ rules:
- 3e506273-8f91-42a4-8eb4-5f6071823405 # Shell Download-and-Execute Pipe Cradle (sigma)
- 2f617384-9012-43b5-9fc5-60718293a416 # Local Admin Account Created via Directory Services (sigma)
- 1a728495-a123-44c6-8ad6-718293a4b527 # Execution from World-Writable or Temporary Directory (sigma)
- c92540cf-466d-4959-ab25-1c456bedf9d5 # SSH authorized_keys Created or Replaced (macOS) (sigma)
- 578195d3-de1a-4c46-84c8-b246a060474c # launchctl Load from User-Writable Path (sigma)
- ffd3b3b3-9fd4-4fd2-9988-fe837e062181 # Shell History File Tampering (macOS) (sigma)
5 changes: 5 additions & 0 deletions packs/macos/essential/pack.yml
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,9 @@ attack_coverage:
- T1562.001
- T1105
- T1496
- T1005
- T1548
- T1555.003
telemetry_requirements:
- process_creation
- file_scan
Expand All @@ -37,6 +40,8 @@ rules:
- 6b2d3f40-5c6e-4f71-9b81-2c3d4e5f6012 # osascript Credential Prompt or Suspicious Admin Shell (sigma)
- 5c3e4051-6d7f-4082-8c92-3d4e5f601203 # Gatekeeper or Quarantine Protection Disabled (sigma)
- be06a6b0-fa9f-4df4-9d4a-9f8794037508 # macOS Reverse Shell via /dev/tcp (sigma)
- 829cee70-a60f-4e8a-8b2f-38e1fff83e61 # TCC Database Access (sigma)
- db01bf97-33ca-4ce4-8ee7-7bbd4b4844f8 # Browser Credential Store Access (sigma)
yara:
- yara-macos-coinminer-strings # Cryptominer Mach-O strings (yara)
ioc:
Expand Down
23 changes: 23 additions & 0 deletions packs/windows/advanced/pack.yml
Original file line number Diff line number Diff line change
Expand Up @@ -22,12 +22,24 @@ attack_coverage:
- T1543.003
- T1053.005
- T1047
- T1547.004
- T1562.001
- T1059.001
- T1090.001
- T1197
- T1071
- T1218
- T1219
telemetry_requirements:
- process_creation
- registry_event
- task_creation
- ps_script
- service_creation
- image_load
- network_connection
- file_event
- file_scan
test_status: manual
sources:
manual:
Expand All @@ -43,3 +55,14 @@ rules:
- d4e5f6a7-0123-4345-9d6e-7f8a9b012a13 # Suspicious Service Binary Path
- 4a596825-4674-4db3-b360-842435edf11a # Scheduled Task Creation via Schtasks
- 2a3c3182-80b8-42d4-bd39-83c55582ef70 # WMI Process Execution via WMIC
- 52b94494-756b-40d7-af01-8d0c7d54a6cc # Winlogon Helper DLL or Shell Modification (sigma)
- 43c59081-d5ec-4153-9e26-04e66e07461a # Security Service Stop or Disable via sc or net (sigma)
- 31ddbaff-1a32-4eb6-b7ce-647b59aeb901 # AMSI Bypass Pattern in PowerShell ScriptBlock (sigma)
- 86c19f1a-add5-4553-9c24-f76e7fe3da9d # Unmanaged PowerShell via Automation DLL in Foreign Host (sigma)
- 6c46cc68-2e66-4834-b058-0a2cfd115409 # Netsh Port-Proxy Tunnel Configuration (sigma)
- d97177dd-c74f-465e-96c1-194cc1dd681d # BITS Job Download via bitsadmin (sigma)
- 59bbd501-1c61-45c9-940d-9465cabd36c4 # File Dropped in Startup Folder (sigma)
- 717396f6-aff0-49b0-b8f3-53568e276d5c # Outbound Connection from Script or LOLBin Host (sigma)
yara:
- yara-win-sliver-implant # Sliver C2 implant artifacts in Windows PE (yara)
- yara-win-cobaltstrike-beacon # Cobalt Strike beacon artifacts in Windows PE (yara)
13 changes: 13 additions & 0 deletions packs/windows/essential/pack.yml
Original file line number Diff line number Diff line change
Expand Up @@ -26,10 +26,16 @@ attack_coverage:
- T1548.002
- T1053.005
- T1105
- T1546.003
- T1070
- T1546.008
- T1546.012
- T1496
telemetry_requirements:
- process_creation
- registry_event
- task_creation
- wmi_event
- file_scan
test_status: mixed
sources:
Expand All @@ -52,7 +58,14 @@ rules:
- a3c7e9b4-2f81-4d56-8c0a-6b2d1f4e9c22 # Active Directory Database (NTDS.dit) Extraction (sigma)
- b4d8f0c5-3a92-4e67-9d1b-7c3e2f5a0d23 # WDigest Cleartext Credential Caching Enabled (sigma)
- 3a1cdc64-a2a1-444b-a04b-32a3f1d09a99 # Scheduled Task Created With Suspicious Action (sigma)
- d6adbfee-548b-4def-9e49-8e6940251957 # WMI Event Subscription Persistence (sigma)
- e86de5fe-3908-4a95-b4e8-930a93bf4555 # Boot Recovery Tampering via bcdedit or wbadmin (sigma)
- 596b49d3-561e-49d7-9538-f3115c1c8cfd # USN Journal Deletion via fsutil (sigma)
- 04d66f93-97ae-4674-96a8-1bb524a1da60 # LSASS Memory Dump via Procdump (sigma)
- cda4a133-fe67-4aa6-815d-f8c69ff16828 # IFEO Debugger or SilentProcessExit Hijack (sigma)
yara:
- yara-win-mimikatz-strings # Mimikatz credential-dumping strings (yara)
- yara-win-xmrig-coinminer # XMRig / coinminer strings in Windows PE binaries (yara)
- yara-win-msfvenom-stager # Metasploit / Meterpreter stager markers in Windows PE (yara)
ioc:
- ioc-eicar-test # EICAR safe end-to-end IOC test set (ioc) # EICAR safe end-to-end IOC test set (ioc) # EICAR safe end-to-end IOC test set (ioc)
7 changes: 7 additions & 0 deletions packs/windows/hunting/pack.yml
Original file line number Diff line number Diff line change
Expand Up @@ -16,8 +16,13 @@ extends:
- windows-advanced
attack_coverage:
- T1105
- T1574.002
- T1033
- T1482
- T1069.002
telemetry_requirements:
- process_creation
- image_load
test_status: none
sources:
manual:
Expand All @@ -27,3 +32,5 @@ rules:
has:
sigma:
- 3e2d1c0b-5a4f-4938-8271-6a5b4c3d2e10 # Certutil Used to Download Remote Content (Hunting)
- 3248cbd6-6c77-4b5c-ab44-655e7fd75667 # Unsigned DLL Loaded from User-Writable Path (Hunting)
- 4aae4b03-4807-428a-ac89-5c5f3cda65e4 # Reconnaissance Command Burst (Hunting)
42 changes: 42 additions & 0 deletions rules/sigma/linux/file_event_lnx_history_tamper.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,42 @@
title: Shell History File Tampering
id: 6df6fcdc-e5e5-413b-aabe-ec3d51d6bfeb
status: experimental
description: >
Detects deletion or replacement of a shell history file (.bash_history,
.zsh_history and friends), an almost-universal attacker hygiene step and a
cheap post-compromise tripwire.
Note: `history -c` and `unset HISTFILE` are shell builtins that never produce a
process event, which is exactly why this is a file rule. Rustinel's Linux file
telemetry observes creation and rename, so this catches a history file being
replaced or rewritten rather than an in-place truncate.
references:
- https://attack.mitre.org/techniques/T1070/003/
author: rustinel-rules
date: 2026-07-09
tags:
- attack.defense-evasion
- attack.t1070.003
logsource:
category: file_event
product: linux
detection:
selection:
TargetFilename|endswith:
- '.bash_history'
- '.zsh_history'
- '.sh_history'
- '.ash_history'
- '.history'
condition: selection
falsepositives:
- Users rotating dotfiles or logrotate-style cleanup of history files.
level: medium
rustinel:
telemetry:
- file_event
expected_false_positive_level: medium
test_status: manual
test_reason: >
Targets history-file delete/replace events, which the Linux atomic harness
does not yet reliably reproduce; validated manually with Atomic Red Team
T1070.003.
44 changes: 44 additions & 0 deletions rules/sigma/linux/file_event_lnx_udev_persistence.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,44 @@
title: udev Rules Persistence
id: 1bb5e9e4-f17e-476e-8e77-aaa1858f12f7
status: experimental
description: >
Detects creation or modification of a udev rules file, a persistence mechanism
that can run an attacker binary on device events. udev is the notable gap in
Linux persistence coverage (cron, systemd, ld.so.preload, ssh keys and shell
profiles are already covered) and is actively used by recent Linux malware such
as sedexp.
references:
- https://attack.mitre.org/techniques/T1547/
author: rustinel-rules
date: 2026-07-09
tags:
- attack.persistence
- attack.privilege-escalation
- attack.t1547
logsource:
category: file_event
product: linux
detection:
selection:
TargetFilename|startswith:
- '/etc/udev/rules.d/'
- '/lib/udev/rules.d/'
- '/usr/lib/udev/rules.d/'
filter_pkg:
Image|endswith:
- '/dpkg'
- '/rpm'
- '/dnf'
- '/apt'
- '/apt-get'
- '/yum'
condition: selection and not filter_pkg
falsepositives:
- Driver and package installs write udev rules; the package-manager image filter
handles the bulk.
level: medium
rustinel:
telemetry:
- file_event
expected_false_positive_level: medium
test_status: atomic
47 changes: 47 additions & 0 deletions rules/sigma/linux/file_event_lnx_webshell_write.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,47 @@
title: Webshell Written by Web-Server Process
id: e96a9b85-26f6-4251-a26b-361d4b6761ef
status: experimental
description: >
Detects a web-server or application-server process (nginx, apache, httpd,
php-fpm, php, tomcat, java) writing a server-side script file (.php, .jsp, .war
and friends). Webshells remain the number-one Linux initial-access persistence
after an exploited web application; this is drop-time detection complementing
the use-time "web server spawns shell" rule.
references:
- https://attack.mitre.org/techniques/T1505/003/
author: rustinel-rules
date: 2026-07-09
tags:
- attack.persistence
- attack.t1505.003
logsource:
category: file_event
product: linux
detection:
selection:
Image|endswith:
- '/nginx'
- '/apache2'
- '/httpd'
- '/php-fpm'
- '/php'
- '/java'
TargetFilename|endswith:
- '.php'
- '.php5'
- '.phtml'
- '.jsp'
- '.jspx'
- '.war'
- '.asp'
- '.aspx'
condition: selection
falsepositives:
- CMS plugin installs and cache writers (WordPress); document webroot cache-path
filters per environment.
level: high
rustinel:
telemetry:
- file_event
expected_false_positive_level: medium
test_status: atomic
52 changes: 52 additions & 0 deletions rules/sigma/linux/net_connection_lnx_shell_outbound.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,52 @@
title: Outbound Network Connection from Shell Binary
id: d0c6216e-881c-408f-8e72-0a466522306b
status: experimental
description: >
Detects a public-internet outbound connection whose owning process is a shell
binary (bash, sh, dash, zsh). This is the enrichment-race safety net: a reverse
shell whose /proc/<pid>/cmdline read loses the race is invisible to the
command-line reverse-shell rules, but its socket is not. Add legitimate public
endpoints to the private-network filter as tuning.
references:
- https://attack.mitre.org/techniques/T1059/004/
- https://attack.mitre.org/techniques/T1071/
author: rustinel-rules
date: 2026-07-09
tags:
- attack.command-and-control
- attack.execution
- attack.t1059.004
- attack.t1071
logsource:
category: network_connection
product: linux
detection:
selection:
Image|endswith:
- '/bash'
- '/sh'
- '/dash'
- '/zsh'
- '/ksh'
filter_private:
DestinationIp|cidr:
- '10.0.0.0/8'
- '172.16.0.0/12'
- '192.168.0.0/16'
- '127.0.0.0/8'
- '169.254.0.0/16'
- '::1/128'
- 'fe80::/10'
condition: selection and not filter_private
falsepositives:
- Provisioning scripts that use /dev/tcp health checks against public
endpoints; the CIDR filter is the tuning surface.
level: medium
rustinel:
telemetry:
- network_connection
expected_false_positive_level: medium
test_status: manual
test_reason: >
The network_connection channel is not yet exercised by the atomic harness;
validated manually with a /dev/tcp connection from a shell to a lab public IP.
Loading
Loading