Detection engineering

Rule archive and query library

Sigma

Suspicious PowerShell Child Process

Detect PowerShell spawning cmd.exe or wscript.exe with obfuscated command-line arguments.

title: Suspicious PowerShell Child Process
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID: 4688
    ParentProcessName|endswith: '\powershell.exe'
    NewProcessName|endswith: ['\cmd.exe', '\wscript.exe']
    # CommandLine is only populated in 4688 when command-line auditing is enabled; add a
    # CommandLine|contains clause for the obfuscation markers this rule is meant to flag
  condition: selection
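The selection above is an AND across its fields, and a list of values under one field is an OR. To check that logic before shipping the rule, here is a small evaluator (added here, not part of the archive) that applies the Sigma `endswith` and `contains` modifiers to constructed 4688 events; the events and their command lines are made up for the test.

```python
# Added example: evaluate a Sigma-style selection map against constructed process-creation events.
SELECTION = {
    "EventID": 4688,
    "ParentProcessName|endswith": "\\powershell.exe",
    "NewProcessName|endswith": ["\\cmd.exe", "\\wscript.exe"],
}

def _match_one(value, modifier, pattern):
    """Compare one field value with one pattern; Sigma string matching is case-insensitive."""
    v, p = str(value).lower(), str(pattern).lower()
    if modifier is None:
        return v == p
    if modifier == "endswith":
        return v.endswith(p)
    if modifier == "startswith":
        return v.startswith(p)
    if modifier == "contains":
        return p in v
    raise ValueError(f"unsupported modifier: {modifier}")

def selection_matches(event, selection=SELECTION):
    """Every key in the selection must match (AND); a list under one key is an OR of its values."""
    for key, patterns in selection.items():
        field, _, modifier = key.partition("|")
        if field not in event:
            return False
        if not isinstance(patterns, list):
            patterns = [patterns]
        if not any(_match_one(event[field], modifier or None, p) for p in patterns):
            return False
    return True

def matching_indexes(events, selection=SELECTION):
    """Return the positions of the events that the selection fires on."""
    return [i for i, e in enumerate(events) if selection_matches(e, selection)]

# Constructed sample events (hypothetical paths and command lines).
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_EVENTS = [
    {"EventID": 4688, "ParentProcessName": PS,
     "NewProcessName": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c dir"},
    {"EventID": 4688, "ParentProcessName": "C:\\Windows\\explorer.exe",
     "NewProcessName": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe"},
    {"EventID": 4688, "ParentProcessName": PS,
     "NewProcessName": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe"},
    {"EventID": 4688, "ParentProcessName": PS,
     "NewProcessName": "C:\\Windows\\System32\\wscript.exe", "CommandLine": "wscript.exe run.vbs"},
    {"EventID": 4624, "ParentProcessName": PS,
     "NewProcessName": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe"},
]

if __name__ == "__main__":
    for i in matching_indexes(SAMPLE_EVENTS):
        e = SAMPLE_EVENTS[i]
        print(f"match: {e['ParentProcessName']} -> {e['NewProcessName']}")
```

Only the first and fourth events fire: the parent is PowerShell and the child is one of the two listed binaries. The explorer.exe parent, the notepad.exe child and the non-4688 event all fail one clause, which is the behaviour to expect from the rule in a SIEM that implements the same semantics.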

YARA

Linux SSH Brute Force

Identify repeated failed SSH login attempts from unusual source IPs.

rule odisha_ssh_bruteforce
{
  meta:
    author = "ODISACYBEROPS"
    description = "SSH brute force pattern: repeated failed password attempts in an auth log"
  strings:
    $x = /Failed password for .* from/
  condition:
    // YARA counts occurrences in the scanned file; it has no notion of a time window,
    // so "at least 5 in 1m" must be enforced by the log pipeline, not by the rule.
    #x >= 5
}
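Because YARA only counts matches in a file, the "repeated attempts from one source" part of the description has to live in the log pipeline. The following is an added example, not part of the archive, of that logic: it applies the same "Failed password for ... from" pattern to constructed sshd auth-log lines, groups hits per source IP and raises an alert when a source reaches the (assumed) threshold of 5 failures within a one-minute sliding window.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Same pattern as the YARA rule, with the user and source IP captured so hits can be grouped.
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
# Assumed threshold and window: 5 failures within one minute.
THRESHOLD = 5
WINDOW = timedelta(minutes=1)

def parse_line(line, year=2024):
    """Parse a classic syslog-style sshd line into (timestamp, user, src_ip); None if not a failure."""
    m = FAILED_RE.search(line)
    if not m:
        return None
    # Syslog timestamps carry no year, so an assumed year is prepended for datetime parsing.
    ts = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
    return ts, m.group(1), m.group(2)

def find_bruteforce(lines, threshold=THRESHOLD, window=WINDOW):
    """Return {src_ip: time of the alert} for every source that reached `threshold` failures within `window`."""
    recent = defaultdict(deque)  # src_ip -> timestamps of failures still inside the window
    alerts = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, _user, ip = parsed
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:  # evict failures that fell out of the sliding window
            q.popleft()
        if len(q) >= threshold and ip not in alerts:
            alerts[ip] = ts
    return alerts

# Constructed sample auth log: 203.0.113.7 fails six times in 40 seconds, 198.51.100.9 fails twice far apart.
SAMPLE_LOG = """\
Mar 10 08:01:02 host sshd[1201]: Failed password for root from 203.0.113.7 port 50210 ssh2
Mar 10 08:01:10 host sshd[1202]: Failed password for invalid user admin from 203.0.113.7 port 50211 ssh2
Mar 10 08:01:14 host sshd[1203]: Accepted publickey for deploy from 198.51.100.9 port 41000 ssh2
Mar 10 08:01:18 host sshd[1204]: Failed password for root from 203.0.113.7 port 50212 ssh2
Mar 10 08:01:25 host sshd[1205]: Failed password for root from 203.0.113.7 port 50213 ssh2
Mar 10 08:01:33 host sshd[1206]: Failed password for root from 198.51.100.9 port 41001 ssh2
Mar 10 08:01:35 host sshd[1207]: Failed password for root from 203.0.113.7 port 50214 ssh2
Mar 10 08:01:42 host sshd[1208]: Failed password for root from 203.0.113.7 port 50215 ssh2
Mar 10 08:05:00 host sshd[1209]: Failed password for root from 198.51.100.9 port 41002 ssh2
""".splitlines()

if __name__ == "__main__":
    for ip, when in find_bruteforce(SAMPLE_LOG).items():
        print(f"ALERT {ip}: {THRESHOLD} failed SSH passwords within {WINDOW} (at {when:%H:%M:%S})")
```

The per-IP deque keeps only the failures inside the window, so memory stays bounded by the burst size rather than the log size, and the "Accepted publickey" line is ignored because the pattern is specific to password failures. Deciding which source IPs are "unusual" is a separate enrichment step (an allow-list of known hosts, for instance) that neither the YARA rule nor this counter performs.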