Sigma Rules List 1 to 100
Sigma is a standardized rule syntax which can be converted into many different SIEM-supported syntax formats. The Recorded Future Platform allows clients to access and download Sigma rules developed by Insikt Group for use in their organizations. Sigma Rules List PDF can be download from the link given at the bottom of this page.
The Sigma rules provided by the open-source Sigma project and the custom rules developed by Recorded Future (available to existing clients only) offer a powerful capability to detect and respond to credential harvesting using existing SIEM solutions. When combined with properly configured host-based logging, using tools such as Sysmon, Sigma rules can elevate the ability of an organization to detect and respond to threats with increased accuracy and efficiency.
Sigma Rules List
| Rule Title | Rule Author | Ruleset Name | ID | Files | Undetected Files |
|---|---|---|---|---|---|
| Autorun Keys Modification | Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton | Sigma Integrated Rule Set (GitHub) | c654002dc2859e8a2f74ec87ad6ff4deaaf0f42f99603aa964e30ed1b1f01cc1 | 21401557 | 53952 |
| Suspicious Run Key from Download | Florian Roth | Sigma Integrated Rule Set (GitHub) | 9bc88dec9bf37149ee55ca532e26602ba2ef11e86aa846ab6e0e461f12768b4c | 8252741 | 5330 |
| Stop Windows Service | Jakob Weinzettl, oscd.community | Sigma Integrated Rule Set (GitHub) | 9afc79c8a56e6e5c4cbd55d203a7dce8efc4ed28aa315b736c842a88b1d3dd0e | 6831397 | 38789 |
| Net.exe Execution | Michael Haag, Mark Woan (improvements), James Pemberton / @4A616D6573 / oscd.community (improvements) | Sigma Integrated Rule Set (GitHub) | f1048c602439313e72f67c634350106ba7b709512529457a6f0a5eca6835bc89 | 6451515 | 35190 |
| Milum malware detection (WildPressure APT) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 30fcf3924a898a9d1747e89068ab2990c77ca3914a94aa78466d28a9d9da32bb | 6291968 | 24 |
| Non Interactive PowerShell | Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Sigma Integrated Rule Set (GitHub) | 1c2e4db94ca79f939e94e29c04fb3b71467fc6f5b9c31db34fcce5a2fb3b856f | 3991193 | 105250 |
| Always Install Elevated Windows Installer | Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community | Sigma Integrated Rule Set (GitHub) | b7188ffaa64031d83c409b5110885c29570d52a6ba3bacaee0392371cf071016 | 3025326 | 55602 |
| File Created with System Process Name | Sander Wiebing | Sigma Integrated Rule Set (GitHub) | e13498937de9343f50c1e8f315ce602aa238e37e21f3dbb15d3403c25afafe3e | 2284944 | 13926 |
| Windows Processes Suspicious Parent Directory | vburov | Sigma Integrated Rule Set (GitHub) | afd546ea5eff265c454f77f6e7641ade6e5a791d79de155fa27d377be1581535 | 1851752 | 92 |
| Shade Ransomware (Sysmon detection) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | d8f0141497fc47a78fbf41591174881fdf0e85f2937b08befec5c6273f8867d2 | 1673840 | 16 |
| Suspicious desktop.ini Action | Maxime Thiebaut (@0xThiebaut) | Sigma Integrated Rule Set (GitHub) | cdd5a8ff564f3632d9613d1f4925baca8be40a01fe14c7ba3e30f51bf1ff3829 | 1397422 | 161 |
| System File Execution Location Anomaly | Florian Roth, Patrick Bareiss, Anton Kutepov, oscd.community | Sigma Integrated Rule Set (GitHub) | 25fc56c1bee673d7ff3edcf371e4d2a36c0af83222da348961b87735c8efa61f | 1386967 | 622 |
| Nibiru detection (Registry event and CommandLine parameters) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 8bbea961d969188574b7fe958c971caadd38b955cc77f21093d7d5d266e4d697 | 1147667 | 54640 |
| File deletion via CMD (via cmdline) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | f9333cf120369debd56e4e238fffa10bdb2a1497c11e08a082befd02f9f3bdf2 | 923890 | 9083 |
| Suspicious Svchost Process | Florian Roth | Sigma Integrated Rule Set (GitHub) | a0daa529834b3c5230b4524da005a6b6503e7cb061e298a8f74e0dc1fee0a008 | 845991 | 133 |
| Windows PowerShell Web Request | James Pemberton / @4A616D6573 | Sigma Integrated Rule Set (GitHub) | 2637f98feb69311f94822998eb3c8b8d217e6c5767e071536ca54f9da830e236 | 805020 | 104 |
| Execution from Suspicious Folder | Florian Roth | Sigma Integrated Rule Set (GitHub) | f8d48ec1128b00975e61e06393f6bb04a1d033a94c556d213b3bcb78a80589d8 | 643979 | 5419 |
| Suspect Svchost Activity | David Burkett | Sigma Integrated Rule Set (GitHub) | dc04e64e69f5446c2a31920ee22415626307d5f3d0fb73ad81b9d3301a41000a | 568031 | 87 |
| Direct Autorun Keys Modification | Victor Sergeev, Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | b5f76af9d8101930af8d4fee71f3a5395b47eff6bb88e581db02bf890242d79b | 549037 | 130 |
| CSRSS.exe spawned from unusual location (possible mimicking) (via cmdline) | SOC Prime Team | SOC Prime Threat Detection Marketplace | c3e407003db6c8b95e5a7dcbea08bddf8b53b265400c2feb32abfa523336257c | 531710 | 11 |
| Swisyn Trojan (Sysmon detection) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 173f49a095aef2bc0480b5f8a8ae6c2d0e4125f9096d618a3865346b34d726fa | 494316 | 108 |
| Suspicious Program Location with Network Connections | Florian Roth | Sigma Integrated Rule Set (GitHub) | 01b1cc2515aec2562e5e8cd3c88a60677a1acd2d680b289cf67fa493abe433d2 | 482076 | 5335 |
| Scheduled Task Creation | Florian Roth | Sigma Integrated Rule Set (GitHub) | 3bc9d14114a6b67367a24df21134d0564d6f08a0ad903d68f9b25e9d8b7f0790 | 431585 | 473 |
| Startup Folder File Write | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Sigma Integrated Rule Set (GitHub) | 56b8c79acb8e444c2b00be5c9d3cb8e33e863ccb3506d635f907a49cd053c84f | 323029 | 118 |
| Executables Started in Suspicious Folder | Florian Roth | Sigma Integrated Rule Set (GitHub) | 934747e347848f3bf5d2222f0c29c4c6e42831b94a6e0ce77ff40017e5f11fd2 | 318156 | 2408 |
| Suspicious Program Location Process Starts | Florian Roth | Sigma Integrated Rule Set (GitHub) | c593fd1eac248d2f05a155e6c8ef2682b9022a12bc03104ff8e9e7c40f585268 | 315071 | 2406 |
| Execution File Type Other Than .exe | Max Altgelt | Sigma Integrated Rule Set (GitHub) | 2104d1ee1ce64e7aa3dbd368652a54ce160e6a5751019af14601fc8fd1df8086 | 314199 | 3369 |
| Possible Applocker Bypass | juju4 | Sigma Integrated Rule Set (GitHub) | b9996fdb64c94bd97526744b8287a3b3b02ac4eceff0980c672209adae0be6e5 | 264915 | 225 |
Sigma Rules List
You can download the Sigma Rules List PDF using the link given below.