# Sigma Rule Library

Production-ready Sigma rules covering the highest-priority ATT&CK techniques. All rules follow the Sigma specification and can be converted to any SIEM using sigma-cli.

See also: Converting Sigma to Your SIEM.
## TA0001 — Initial Access

### SIGMA-001: Suspicious Office Macro Execution

```yaml
title: Suspicious Office Macro Child Process
id: sigma-001-office-macro
status: stable    # Sigma spec statuses are stable/test/experimental/deprecated/unsupported
description: Detects Office applications spawning unusual child processes, indicating macro execution
author: Nexus SecOps
date: 2026/01
references:
    - https://attack.mitre.org/techniques/T1566/001/
tags:
    - attack.initial_access
    - attack.t1566.001
    - attack.execution
    - attack.t1059.005
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith:
            - '\WINWORD.EXE'
            - '\EXCEL.EXE'
            - '\POWERPNT.EXE'
            - '\OUTLOOK.EXE'
            - '\MSPUB.EXE'
            - '\VISIO.EXE'
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
            - '\wscript.exe'
            - '\cscript.exe'
            - '\mshta.exe'
            - '\regsvr32.exe'
            - '\certutil.exe'
            - '\bitsadmin.exe'
    condition: selection
falsepositives:
    - Legitimate macros that spawn shells (IT automation tools)
    - PDFCreator and similar print macros
level: high
```
### SIGMA-002: VPN Authentication from Impossible Geography

```yaml
title: VPN Authentication from Unusual Country
id: sigma-002-vpn-geo-anomaly
status: stable
description: Detects VPN authentication from a country not in the organization's normal operating regions
author: Nexus SecOps
date: 2026/01
references:
    - https://attack.mitre.org/techniques/T1133/
tags:
    - attack.initial_access
    - attack.t1133
    - attack.t1078
logsource:
    service: vpn
    product: fortinet    # Also applicable to: cisco_asa, palo_alto, checkpoint
detection:
    selection:
        EventType: 'vpn_login_success'
    filter_allowed_countries:
        # Exact match, not |contains: a substring test for 'US' would also suppress Russia, Austria and Belarus
        # TUNE: use the value format your VPN emits (ISO code or full name) and add your organization's normal countries
        SrcCountry:
            - 'US'
            - 'CA'
            - 'GB'
    condition: selection and not filter_allowed_countries
falsepositives:
    - Employees traveling internationally
    - Third-party vendors in different regions
    - VPN from corporate locations in other countries
level: medium
fields:
    - SrcIP
    - SrcCountry
    - User
    - Timestamp
```
## TA0002 — Execution

### SIGMA-003: PowerShell Encoded Command Execution

```yaml
title: PowerShell Encoded Command Execution
id: sigma-003-powershell-encoded
status: stable
description: Detects PowerShell execution with Base64 encoded commands, commonly used to obfuscate malicious commands
author: Nexus SecOps
date: 2026/01
references:
    - https://attack.mitre.org/techniques/T1059/001/
tags:
    - attack.execution
    - attack.t1059.001
    - attack.defense_evasion
    - attack.t1027
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
        CommandLine|contains:    # Sigma string matching is case-insensitive, so '-enc' also covers '-ENC'
            - ' -enc '
            - ' -EncodedCommand '
            - ' -en '
            - ' -EC '
    filter_legitimate:
        # TUNE: Add known-legitimate encoded commands
        CommandLine|contains:
            - 'AAAAAAAAAA'    # Placeholder example: Azure Arc agent
    condition: selection and not filter_legitimate
falsepositives:
    - Software deployment tools (SCCM, Ansible)
    - Azure Arc, Intune management agents
    - Some legitimate security tools
level: medium
fields:
    - Image
    - CommandLine
    - ParentImage
    - User
    - Hashes
```
### SIGMA-004: WMI Process Execution

```yaml
title: WMI Used to Spawn Process
id: sigma-004-wmi-execution
status: stable
description: Detects WMI being used to spawn processes, a common lateral movement and execution technique
author: Nexus SecOps
date: 2026/01
references:
    - https://attack.mitre.org/techniques/T1047/
tags:
    - attack.execution
    - attack.t1047
    - attack.lateral_movement
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\WmiPrvSE.exe'
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
            - '\cscript.exe'
            - '\wscript.exe'
            - '\mshta.exe'
            - '\net.exe'
            - '\nltest.exe'
    condition: selection
falsepositives:
    - SCCM/ConfigMgr operations via WMI
    - Some endpoint management agents
    - Legitimate WMI-based scripts
level: high
```
### SIGMA-005: LOLBAS File Download

```yaml
title: LOLBAS Used to Download File
id: sigma-005-lolbas-download
status: stable
description: Detects living-off-the-land binaries being used to download files from the internet
author: Nexus SecOps
date: 2026/01
references:
    - https://attack.mitre.org/techniques/T1105/
    - https://lolbas-project.github.io/
tags:
    - attack.command_and_control
    - attack.t1105
    - attack.defense_evasion
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    # A plain |contains list is OR; |contains|all is used where every token must be present
    certutil_download:
        Image|endswith: '\certutil.exe'
        CommandLine|contains|all:
            - '-urlcache'
            - 'http'
    certutil_decode:
        Image|endswith: '\certutil.exe'
        CommandLine|contains:
            - '-decode'
            - '-decodehex'
    bitsadmin_download:
        Image|endswith: '\bitsadmin.exe'
        CommandLine|contains:
            - '/transfer'
            - '/download'
    mshta_download:
        Image|endswith: '\mshta.exe'
        CommandLine|contains:
            - 'http'
            - 'vbscript'
            - 'javascript'
    regsvr32_download:
        Image|endswith: '\regsvr32.exe'
        # '/s' and '/u' on their own are routine installer flags; the remote URL is the discriminator
        CommandLine|contains: 'http'
    condition: certutil_download or certutil_decode or bitsadmin_download or mshta_download or regsvr32_download
falsepositives:
    - certutil: Certificate management operations (no URL)
    - bitsadmin: Windows Update components
level: high
```
## TA0003 — Persistence

### SIGMA-006: Scheduled Task Created via Command Line

```yaml
title: Suspicious Scheduled Task Creation
id: sigma-006-scheduled-task
status: stable
description: Detects scheduled task creation with suspicious properties such as network paths, encoded commands, or unusual run times
author: Nexus SecOps
date: 2026/01
references:
    - https://attack.mitre.org/techniques/T1053/005/
tags:
    - attack.persistence
    - attack.t1053.005
    - attack.privilege_escalation
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\schtasks.exe'
        CommandLine|contains: '/create'
    suspicious_command:
        CommandLine|contains:
            - 'powershell'
            - 'cmd /c'
            - 'wscript'
            - 'cscript'
            - 'mshta'
            - 'regsvr32'
            - 'http'
            - 'ftp'
            - '\AppData\'
            - '\Temp\'
    condition: selection and suspicious_command
falsepositives:
    - Software installation creating legitimate scheduled tasks
    - Admin scripts deploying maintenance tasks
level: medium
```
### SIGMA-007: Registry Run Key Modification

```yaml
title: Registry Run Key Modification for Persistence
id: sigma-007-registry-run-key
status: stable
description: Detects modifications to common registry autorun keys used for persistence
author: Nexus SecOps
date: 2026/01
references:
    - https://attack.mitre.org/techniques/T1547/001/
tags:
    - attack.persistence
    - attack.t1547.001
logsource:
    category: registry_event
    product: windows
detection:
    selection:
        EventType:
            - 'SetValue'
            - 'CreateKey'
        TargetObject|contains:
            - '\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
            - '\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
            - '\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx'
            - '\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
            - '\SYSTEM\CurrentControlSet\Services\'
    filter_legitimate:
        # A list of maps is OR; a single map with two Image keys would require both to match
        - Image: 'C:\Windows\System32\msiexec.exe'
        - Image|startswith: 'C:\Program Files\Windows Defender\'
        # TUNE: Add known-legitimate installer paths
    condition: selection and not filter_legitimate
falsepositives:
    - Software installation (MSI packages)
    - Legitimate security tools adding startup entries
level: medium
```
## TA0006 — Credential Access

### SIGMA-008: Kerberoasting Detection

```yaml
title: Kerberoasting — RC4 TGS Request
id: sigma-008-kerberoasting
status: stable
description: Detects Kerberoasting attacks by identifying TGS requests using RC4 encryption for service accounts
author: Nexus SecOps
date: 2026/01
references:
    - https://attack.mitre.org/techniques/T1558/003/
    - https://adsecurity.org/?p=3458
tags:
    - attack.credential_access
    - attack.t1558.003
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4769
        TicketOptions: '0x40810000'
        TicketEncryptionType: '0x17'    # RC4-HMAC
    filter_computers:
        ServiceName|endswith: '$'    # Machine accounts
    filter_builtin:
        ServiceName:
            - 'krbtgt'
            - 'kadmin/changepw'
    condition: selection and not filter_computers and not filter_builtin
falsepositives:
    - Legacy applications still using RC4 Kerberos
    - Some older third-party software
level: high
fields:
    - SubjectUserName
    - ServiceName
    - ClientAddress
    - TicketEncryptionType
```
### SIGMA-009: LSASS Memory Access

```yaml
title: LSASS Memory Access by Non-System Process
id: sigma-009-lsass-access
status: stable
description: Detects processes accessing LSASS memory for credential dumping (Sysmon Event ID 10)
author: Nexus SecOps
date: 2026/01
references:
    - https://attack.mitre.org/techniques/T1003/001/
tags:
    - attack.credential_access
    - attack.t1003.001
logsource:
    product: windows
    category: process_access
detection:
    selection:
        TargetImage|endswith: '\lsass.exe'
        GrantedAccess|contains:
            - '0x1010'
            - '0x1410'
            - '0x147a'
            - '0x143a'
            - '0x1438'
    filter_legit:
        # Both keys of this map are ANDed: the source must live in a trusted directory AND carry one of these names
        SourceImage|startswith:
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
            - 'C:\Program Files\Windows Defender\'
            - 'C:\ProgramData\Microsoft\Windows Defender\'
        SourceImage|endswith:
            - '\MsMpEng.exe'
            - '\WerFault.exe'
            - '\csrss.exe'
            - '\wininit.exe'
    condition: selection and not filter_legit
falsepositives:
    - AV/EDR products reading LSASS for scanning (tune filter_legit)
    - Task manager viewing LSASS details
level: critical
```
### SIGMA-010: Password Spray Detection

```yaml
title: Password Spray Attack
id: sigma-010-password-spray
status: stable
description: Detects password spray by identifying many failed logon attempts across multiple accounts from a single source
author: Nexus SecOps
date: 2026/01
references:
    - https://attack.mitre.org/techniques/T1110/003/
tags:
    - attack.credential_access
    - attack.t1110.003
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4625
        LogonType: 3
    # Legacy (v1) aggregation syntax: count(TargetUserName) counts distinct accounts per source IP.
    # Sigma v2 expresses this as a separate correlation rule.
    condition: selection | count(TargetUserName) by IpAddress > 10
    timeframe: 5m
falsepositives:
    - Misconfigured service accounts with wrong passwords
    - Network scanners that test authentication
level: high
fields:
    - IpAddress
    - TargetUserName
    - LogonType
    - SubStatus
```
## TA0005 — Defense Evasion

### SIGMA-011: Windows Event Log Clearing

```yaml
title: Windows Security Event Log Cleared
id: sigma-011-event-log-cleared
status: stable
description: Detects clearing of Windows event logs, commonly done by attackers to remove evidence
author: Nexus SecOps
date: 2026/01
references:
    - https://attack.mitre.org/techniques/T1070/001/
tags:
    - attack.defense_evasion
    - attack.t1070.001
logsource:
    product: windows
    service: security    # Event ID 104 is written to the System channel; deploy a copy with service: system for it
detection:
    selection_security:
        EventID: 1102    # Security log cleared
    selection_system:
        EventID: 104    # Event log cleared (System channel)
    condition: selection_security or selection_system
falsepositives:
    - Authorized IT operations (log rotation, compliance archival — should be documented)
    - Forensic operations under approved IR procedure
level: high
```
### SIGMA-012: EDR / AV Service Tampering

```yaml
title: Security Tool Service Stopped or Disabled
id: sigma-012-security-tool-tamper
status: stable
description: Detects attempts to stop or disable security tool services, a common defense evasion technique
author: Nexus SecOps
date: 2026/01
references:
    - https://attack.mitre.org/techniques/T1562/001/
tags:
    - attack.defense_evasion
    - attack.t1562.001
logsource:
    category: process_creation
    product: windows
detection:
    # Three selections: a YAML map cannot hold the same key (CommandLine|contains) twice
    selection_image:
        Image|endswith:
            - '\sc.exe'
            - '\net.exe'
            - '\net1.exe'
    selection_action:
        CommandLine|contains:
            - 'stop'
            - 'disable'
    selection_target:
        # TUNE: 'cb' (Carbon Black) is a very short substring and will match unrelated service names
        CommandLine|contains:
            - 'MsMpSvc'
            - 'WinDefend'
            - 'CrowdStrike'
            - 'CsFalconService'
            - 'SentinelAgent'
            - 'CylanceSvc'
            - 'cb'
    condition: all of selection_*
falsepositives:
    - Authorized IT operations (must be change-controlled)
    - AV replacement procedures
level: critical
```
## TA0008 — Lateral Movement

### SIGMA-013: PsExec Lateral Movement

```yaml
title: PsExec Lateral Movement Detection
id: sigma-013-psexec
status: stable
description: Detects PsExec-style lateral movement via ADMIN$ share and service creation
author: Nexus SecOps
date: 2026/01
references:
    - https://attack.mitre.org/techniques/T1021/002/
tags:
    - attack.lateral_movement
    - attack.t1021.002
logsource:
    product: windows
    service: system    # Event ID 7045 (new service installed) is logged to the System channel, not Security
detection:
    service_install:
        EventID: 7045
        ServiceName: 'PSEXESVC'
    service_install_generic:
        EventID: 7045
        ServiceFileName|contains:
            - 'ADMIN$'
            - '\Windows\PSEXESVC'
    condition: service_install or service_install_generic
falsepositives:
    - Authorized admin use of PsExec (must be documented and rare)
    - IT helpdesk tools using similar service names
level: high
```
### SIGMA-014: Lateral Movement via WinRM

```yaml
title: Lateral Movement via WinRM / WSManagement
id: sigma-014-winrm-lateral
status: stable
description: Detects suspicious commands executed via WinRM (Windows Remote Management)
author: Nexus SecOps
date: 2026/01
references:
    - https://attack.mitre.org/techniques/T1021/006/
tags:
    - attack.lateral_movement
    - attack.t1021.006
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\wsmprovhost.exe'
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
            - '\net.exe'
            - '\whoami.exe'
            - '\ipconfig.exe'
    condition: selection
falsepositives:
    - Authorized remote management by IT (Ansible, DSC, legitimate WinRM tasks)
    - Remote scripting for automation
level: high
```
## TA0040 — Impact

### SIGMA-015: VSS Shadow Copy Deletion

```yaml
title: Shadow Copy Deletion — Ransomware Precursor
id: sigma-015-vss-deletion
status: stable
description: Detects deletion of Volume Shadow Copies, a near-universal ransomware precursor
author: Nexus SecOps
date: 2026/01
references:
    - https://attack.mitre.org/techniques/T1490/
tags:
    - attack.impact
    - attack.t1490
logsource:
    category: process_creation
    product: windows
detection:
    # |contains|all is required: a plain |contains list is OR, so 'shadows', 'no' or 'Delete()' alone would fire
    vssadmin:
        Image|endswith: '\vssadmin.exe'
        CommandLine|contains|all:
            - 'delete'
            - 'shadows'
    wmic_vss:
        Image|endswith: '\wmic.exe'
        CommandLine|contains|all:
            - 'shadowcopy'
            - 'delete'
    bcdedit:
        Image|endswith: '\bcdedit.exe'
        CommandLine|contains|all:
            - 'recoveryenabled'
            - 'no'
    wbadmin:
        Image|endswith: '\wbadmin.exe'
        CommandLine|contains|all:
            - 'delete'
            - 'catalog'
    powershell_vss:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
        CommandLine|contains|all:
            - 'Win32_ShadowCopy'
            - 'Delete()'
    condition: vssadmin or wmic_vss or bcdedit or wbadmin or powershell_vss
falsepositives:
    - Storage management tools (rare, should always be investigated)
    - Backup software management (document and whitelist specifically)
level: critical
```
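To see how the modifiers in these rules combine (keys in one map AND, value lists OR unless `|all`, a list of maps OR, `not` for filters), here is a minimal evaluator for the Sigma subset this page uses. It is an added example, not code from this library or from sigma-cli; the events are constructed, and it exercises SIGMA-015's vssadmin selection and SIGMA-003's selection-and-not-filter shape.

```python
def _match(value, mods, pattern):
    # Case-insensitive like Sigma string matching; backslashes are taken literally here.
    v, p = value.lower(), pattern.lower()
    return (v.endswith(p) if "endswith" in mods else v.startswith(p) if "startswith" in mods
            else p in v if "contains" in mods else v == p)

def match_map(sel, event):
    """Keys of one map are ANDed; a list of values is ORed unless the |all modifier is present."""
    for key, patterns in sel.items():
        field, *mods = key.split("|")
        if field not in event: return False
        pats = patterns if isinstance(patterns, list) else [patterns]
        hits = [_match(str(event[field]), mods, str(p)) for p in pats]
        if not (all(hits) if "all" in mods else any(hits)):
            return False
    return True

def match_selection(sel, event):
    # A list of maps is ORed (e.g. alternative trusted images in a filter).
    return any(match_map(m, event) for m in sel) if isinstance(sel, list) else match_map(sel, event)

def evaluate(detection, event):
    """Conditions as on this page: names joined by and/or, optional not; no parentheses or count()."""
    def term(t):
        neg = t.startswith("not ")
        return match_selection(detection[t[4:] if neg else t], event) != neg
    return any(all(term(t.strip()) for t in grp.split(" and "))
               for grp in detection["condition"].split(" or "))

# Constructed sample events (not real telemetry).
VSS, PS = r"C:\Windows\System32\vssadmin.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
VSS_DELETE = {"Image": VSS, "CommandLine": "vssadmin delete shadows /all /quiet"}
VSS_LIST = {"Image": VSS, "CommandLine": "vssadmin list shadows"}
PS_ENC = {"Image": PS, "CommandLine": "powershell.exe -enc SQBFAFgA"}
PS_AGENT = {"Image": PS, "CommandLine": "powershell.exe -enc AAAAAAAAAA"}
def vss_rule(modifier):
    # SIGMA-015's vssadmin selection with 'CommandLine|contains' (OR) or 'CommandLine|contains|all' (AND).
    return {"vssadmin": {"Image|endswith": "\\vssadmin.exe", modifier: ["delete", "shadows"]}, "condition": "vssadmin"}
# SIGMA-003 shape: selection and not filter_legitimate (its placeholder encoded string as the filter).
PS_RULE = {"selection": {"Image|endswith": ["\\powershell.exe", "\\pwsh.exe"],
                         "CommandLine|contains": [" -enc ", " -EncodedCommand ", " -en ", " -EC "]},
           "filter_legitimate": {"CommandLine|contains": "AAAAAAAAAA"},
           "condition": "selection and not filter_legitimate"}

def demo():
    return {"loose_fires_on_list": evaluate(vss_rule("CommandLine|contains"), VSS_LIST),      # True (noisy)
            "strict_fires_on_list": evaluate(vss_rule("CommandLine|contains|all"), VSS_LIST),  # False
            "strict_fires_on_delete": evaluate(vss_rule("CommandLine|contains|all"), VSS_DELETE),
            "encoded_fires": evaluate(PS_RULE, PS_ENC),
            "agent_filtered_out": not evaluate(PS_RULE, PS_AGENT)}
```

This is a study aid only; it ignores wildcards, regex, `x of` conditions and aggregations, which sigma-cli handles for you.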
### SIGMA-016: Bulk File Encryption (Ransomware in Progress)

```yaml
title: Bulk File Rename — Ransomware Encryption in Progress
id: sigma-016-bulk-rename
status: stable
description: Detects mass file rename operations that indicate active ransomware encryption. RESPOND IMMEDIATELY.
author: Nexus SecOps
date: 2026/01
references:
    - https://attack.mitre.org/techniques/T1486/
tags:
    - attack.impact
    - attack.t1486
logsource:
    category: file_rename    # Sysmon has no rename event; this category maps to EDR rename telemetry (e.g. MDE FileRenamed)
    product: windows
detection:
    selection:
        # Renamed file ends in a 4-8 character extension (ransomware appends its own)
        # TUNE: this also matches .docx/.xlsx and similar; the per-host count threshold does the real work
        TargetFilename|re: '.*\.[a-zA-Z0-9]{4,8}$'
    # Legacy (v1) aggregation syntax; Sigma v2 expresses this as a correlation rule
    condition: selection | count() by ComputerName > 200
    timeframe: 1m
falsepositives:
    - Mass file format conversion tools
    - Backup software renaming files during backup
level: critical
```
## Using This Library

### Deploy All Rules

```bash
# Clone SigmaHQ rules + overlay Nexus SecOps rules
git clone https://github.com/SigmaHQ/sigma.git
cp docs/tools/sigma-rules/*.yml sigma/rules/windows/
mkdir -p output
# Convert all to KQL with the Microsoft 365 Defender backend (-o takes a single output file)
sigma convert -t microsoft365defender sigma/rules/windows/ -o output/m365defender.kql
# Convert all to Splunk SPL; the sysmon pipeline maps the generic logsource categories to Sysmon fields
sigma convert -t splunk -p sysmon sigma/rules/windows/ -o output/splunk.spl
```
### Rule Severity Mapping

| Sigma Level | SIEM Action | Analyst Response |
|---|---|---|
| critical | High-severity alert, auto-page | Immediate investigation (<15 min) |
| high | High-severity alert | Investigate within 1 hour |
| medium | Medium alert | Investigate within 4 hours |
| low | Informational | Review in daily queue |
## Related Resources

- Detection Query Library — KQL & SPL production queries
- Threat Hunt Hypothesis Library — Hypothesis-driven hunting
- Chapter 5: Detection Engineering at Scale
- MicroSim 15: Sigma Rule Builder
16 production Sigma rules | All rules tested against SigmaHQ validator | Last updated: March 2026