Sigma Rules List: Sigma represents a standardized rule syntax that can be translated into various formats accepted by SIEM systems. Through the Recorded Future Platform, clients can easily access and download Sigma rules curated by the Insikt Group to fortify their organizations with improved security measures.
The Sigma rules available through the open-source Sigma project, alongside the custom rules developed by Recorded Future, extend significant capabilities aimed at detecting and managing credential harvesting leveraging existing SIEM solutions. When implemented with well-configured host-based logging tools, such as Sysmon, Sigma rules can greatly enhance an organization’s ability to accurately detect and respond to threats with higher efficiency. Below is the Sigma Rules List.
Sigma Rules List
Rule Title | Rule Author | Ruleset Name | ID | Files | Undetected Files |
---|---|---|---|---|---|
Autorun Keys Modification | Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton | Sigma Integrated Rule Set (GitHub) | View ID | 21401557 | 53952 |
Suspicious Run Key from Download | Florian Roth | Sigma Integrated Rule Set (GitHub) | View ID | 8252741 | 5330 |
Stop Windows Service | Jakob Weinzettl, oscd.community | Sigma Integrated Rule Set (GitHub) | View ID | 6831397 | 38789 |
Net.exe Execution | Michael Haag, Mark Woan (improvements), James Pemberton / @4A616D6573 / oscd.community (improvements) | Sigma Integrated Rule Set (GitHub) | View ID | 6451515 | 35190 |
Milum malware detection (WildPressure APT) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | View ID | 6291968 | 24 |
Non Interactive PowerShell | Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Sigma Integrated Rule Set (GitHub) | View ID | 3991193 | 105250 |
Always Install Elevated Windows Installer | Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community | Sigma Integrated Rule Set (GitHub) | View ID | 3025326 | 55602 |
File Created with System Process Name | Sander Wiebing | Sigma Integrated Rule Set (GitHub) | View ID | 2284944 | 13926 |
Windows Processes Suspicious Parent Directory | vburov | Sigma Integrated Rule Set (GitHub) | View ID | 1851752 | 92 |
Shade Ransomware (Sysmon detection) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | View ID | 1673840 | 16 |
Suspicious desktop.ini Action | Maxime Thiebaut (@0xThiebaut) | Sigma Integrated Rule Set (GitHub) | View ID | 1397422 | 161 |
System File Execution Location Anomaly | Florian Roth, Patrick Bareiss, Anton Kutepov, oscd.community | Sigma Integrated Rule Set (GitHub) | View ID | 1386967 | 622 |
Nibiru detection (Registry event and CommandLine parameters) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | View ID | 1147667 | 54640 |
File deletion via CMD (via cmdline) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | View ID | 923890 | 9083 |
Suspicious Svchost Process | Florian Roth | Sigma Integrated Rule Set (GitHub) | View ID | 845991 | 133 |
Windows PowerShell Web Request | James Pemberton / @4A616D6573 | Sigma Integrated Rule Set (GitHub) | View ID | 805020 | 104 |
Execution from Suspicious Folder | Florian Roth | Sigma Integrated Rule Set (GitHub) | View ID | 643979 | 5419 |
Suspect Svchost Activity | David Burkett | Sigma Integrated Rule Set (GitHub) | View ID | 568031 | 87 |
Direct Autorun Keys Modification | Victor Sergeev, Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | View ID | 549037 | 130 |
CSRSS.exe spawned from unusual location (possible mimicking) (via cmdline) | SOC Prime Team | SOC Prime Threat Detection Marketplace | View ID | 531710 | 11 |
Swisyn Trojan (Sysmon detection) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | View ID | 494316 | 108 |
Suspicious Program Location with Network Connections | Florian Roth | Sigma Integrated Rule Set (GitHub) | View ID | 482076 | 5335 |
Scheduled Task Creation | Florian Roth | Sigma Integrated Rule Set (GitHub) | View ID | 431585 | 473 |
Startup Folder File Write | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Sigma Integrated Rule Set (GitHub) | View ID | 323029 | 118 |
Executables Started in Suspicious Folder | Florian Roth | Sigma Integrated Rule Set (GitHub) | View ID | 318156 | 2408 |
Suspicious Program Location Process Starts | Florian Roth | Sigma Integrated Rule Set (GitHub) | View ID | 315071 | 2406 |
Execution File Type Other Than .exe | Max Altgelt | Sigma Integrated Rule Set (GitHub) | View ID | 314199 | 3369 |
Possible Applocker Bypass | juju4 | Sigma Integrated Rule Set (GitHub) | View ID | 264915 | 225 |
Common Mistakes in Creating Sigma Rules
Here are some frequent mistakes people make when creating Sigma rules, along with examples to illustrate.
1. Ignoring Case Sensitivity
Strings in Sigma rules are generally case insensitive, except when they utilize a regex pattern. New rule creators may accidentally make errors that prevent the rule from functioning as intended.
2. Misusing Backslashes
Another frequent issue is the incorrect use of backslashes for escaping strings. This is particularly relevant in regex use.
The rule creation guide offers solutions to avoid these errors. For example, single backslashes, like in the string C:\Windows\System32\cmd.exe, do not require escaping and should be treated as a simple string value. Defenders should avoid writing it as "C:\\Windows\\System32\\cmd.exe" with additional escapes.
3. Logical Errors from Operator Misuse
When defining selection criteria and conditions for rule triggers, it is crucial to understand how expressions are evaluated. Combining multiple criteria using OR when logic implies AND may result in false alerts. This can become particularly complex when multiple conditions are combined.
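The three mistakes above, run against constructed events. This is an added example, not code from the Sigma project or Recorded Future: `match_field`, the selection names and the sample events are assumptions, and the matcher models only what this section describes (case-insensitive plain strings, case-sensitive regex, AND/OR conditions).

```python
import re

# Constructed Sysmon-style process-creation events (sample data, not real telemetry).
EVENTS = [
    {"Image": r"C:\Windows\System32\net.exe", "CommandLine": "net stop Spooler"},
    {"Image": r"C:\WINDOWS\system32\NET.EXE", "CommandLine": "NET STOP wuauserv"},
    {"Image": r"C:\Windows\System32\net.exe", "CommandLine": "net view"},
    {"Image": r"C:\Windows\System32\sc.exe", "CommandLine": "sc query"},
]

def match_field(key, expected, event):
    """Hypothetical matcher: plain values ignore case, '|re' values do not."""
    field, _, modifier = key.partition("|")
    actual = event.get(field, "")
    if modifier == "re":
        return re.search(expected, actual) is not None  # case-sensitive
    actual, expected = actual.lower(), expected.lower()
    if modifier == "endswith":
        return actual.endswith(expected)
    if modifier == "contains":
        return expected in actual
    return actual == expected

def match_selection(selection, event):
    """Every field inside one selection must match (AND within a selection)."""
    return all(match_field(k, v, event) for k, v in selection.items())

def hits(condition):
    """Indexes of the sample events for which the condition fires."""
    return [i for i, ev in enumerate(EVENTS) if condition(ev)]

# Plain string value: single backslash, matched case-insensitively.
SEL_IMAGE = {"Image|endswith": r"\net.exe"}
# Regex value: the backslash and dot must be escaped, and case matters.
SEL_IMAGE_RE = {"Image|re": r"\\net\.exe$"}
SEL_STOP = {"CommandLine|contains": " stop "}

def plain_hits():
    return hits(lambda ev: match_selection(SEL_IMAGE, ev))

def regex_hits():
    return hits(lambda ev: match_selection(SEL_IMAGE_RE, ev))

def or_hits():   # condition: sel_image or sel_stop (too broad)
    return hits(lambda ev: match_selection(SEL_IMAGE, ev) or match_selection(SEL_STOP, ev))

def and_hits():  # condition: sel_image and sel_stop (intended)
    return hits(lambda ev: match_selection(SEL_IMAGE, ev) and match_selection(SEL_STOP, ev))
```

The regex selection misses the upper-case `NET.EXE` event that the plain string catches, and the OR condition also fires on the harmless `net view` event that the AND condition excludes.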