
Wazuh Detection Rules

Custom SIEM Rules | Threat Detection & Response


Windows Threat Detection

Rule ID: 100001 CRITICAL
Mimikatz Credential Dumping Detected
<rule id="100001" level="15">
  <if_sid>60000</if_sid>
  <field name="win.eventdata.image">mimikatz.exe</field>
  <description>Mimikatz credential dumping tool detected</description>
  <mitre>
    <id>T1003</id>
  </mitre>
  <group>credential_access,attack,</group>
</rule>
Rule ID: 100002 HIGH
PowerShell Encoded Command Execution
<rule id="100002" level="12">
  <if_sid>60000</if_sid>
  <!-- Both alternatives are tied to the PowerShell image (an unanchored "|-encodedcommand" branch would
       match any process). -enc is a prefix of -EncodedCommand, so one branch covers both spellings;
       shorter abbreviations such as -e or -ec are not covered -->
  <field name="win.eventdata.commandLine" type="pcre2">(?i)powershell(\.exe)?.*\s-enc</field>
  <description>PowerShell executed with encoded command (obfuscation)</description>
  <mitre>
    <id>T1059.001</id>
    <id>T1027</id>
  </mitre>
  <group>execution,defense_evasion,attack,</group>
</rule>
Rule ID: 100003 HIGH
PsExec Remote Execution Detected
<rule id="100003" level="12">
  <if_sid>60000</if_sid>
  <!-- psexec.exe is the client; the service it installs on the target runs as PSEXESVC.exe -->
  <field name="win.eventdata.image" type="pcre2">(?i)(psexec|psexesvc)\.exe$</field>
  <description>PsExec lateral movement tool detected</description>
  <mitre>
    <id>T1570</id>
    <id>T1021.002</id>
  </mitre>
  <group>lateral_movement,attack,</group>
</rule>
Rule ID: 100004 CRITICAL
Windows Defender Real-Time Protection Disabled
<rule id="100004" level="15">
  <if_sid>60000</if_sid>
  <!-- Event ID 5001 is only meaningful from the Defender provider; anchoring both fields keeps other
       providers' 5001 events and IDs such as 15001 from matching -->
  <field name="win.system.providerName">^Microsoft-Windows-Windows Defender$</field>
  <field name="win.system.eventID">^5001$</field>
  <description>Windows Defender real-time protection disabled</description>
  <mitre>
    <id>T1562.001</id>
  </mitre>
  <group>defense_evasion,attack,</group>
</rule>
Rule ID: 100005 HIGH
Suspicious Process Execution from Temp Directory
<rule id="100005" level="10">
  <if_sid>60000</if_sid>
  <!-- Image is the executable itself; .bat, .ps1 and .vbs scripts run under an interpreter and only
       show up in win.eventdata.commandLine, so a commandLine rule is needed to catch those -->
  <field name="win.eventdata.image" type="pcre2">(?i)\\temp\\.*\.(exe|bat|ps1|vbs)</field>
  <description>Executable launched from Temp directory</description>
  <mitre>
    <id>T1204</id>
  </mitre>
  <group>execution,attack,</group>
</rule>
Rule ID: 100006 CRITICAL
SAM Database Access Attempt (Credential Theft)
<rule id="100006" level="15">
  <if_sid>60000</if_sid>
  <field name="win.eventdata.targetFilename" type="pcre2">(?i)\\system32\\config\\sam</field>
  <description>SAM database file access detected - credential theft attempt</description>
  <mitre>
    <id>T1003.002</id>
  </mitre>
  <group>credential_access,attack,</group>
</rule>

Authentication & Brute Force Detection

Rule ID: 100010 HIGH
Multiple Failed Login Attempts - Brute Force Attack
MITRE ATT&CK: T1110 - Brute Force
<rule id="100010" level="12" frequency="5" timeframe="120">
  <if_matched_sid>60122</if_matched_sid>
  <same_source_ip />
  <description>Multiple failed login attempts from same source IP (brute force)</description>
  <mitre>
    <id>T1110</id>
  </mitre>
  <group>credential_access,attack,authentication_failures,</group>
</rule>
Rule ID: 100011 CRITICAL
Successful Login After Multiple Failed Attempts
MITRE ATT&CK: T1110 - Brute Force
<rule id="100011" level="15" frequency="1" timeframe="300">
  <if_sid>60106</if_sid>
  <!-- if_matched_sid only works together with frequency and timeframe: fire when this successful
       logon follows a 100010 alert for the same source IP within the last 300 s (window chosen here) -->
  <if_matched_sid>100010</if_matched_sid>
  <same_source_ip />
  <description>Successful login after brute force attempts - potential breach</description>
  <mitre>
    <id>T1110</id>
  </mitre>
  <group>credential_access,attack,authentication_success,</group>
</rule>
Rule ID: 100012 MEDIUM
Login from Unusual Geographic Location
<rule id="100012" level="8">
  <if_sid>60106</if_sid>
  <!-- negate="yes" inverts the match; a pattern of "!US|!CA|!GB" would only match the literal text "!US".
       Assumes a decoder or GeoIP lookup populates srcgeoip with an ISO country code -->
  <field name="srcgeoip" negate="yes">^(US|CA|GB)$</field>
  <description>Login from unusual geographic location</description>
  <mitre>
    <id>T1078</id>
  </mitre>
  <group>authentication,geo_location,</group>
</rule>
Rule ID: 100013 HIGH
Administrator Account Login Outside Business Hours
<rule id="100013" level="10">
  <if_sid>60106</if_sid>
  <field name="win.eventdata.targetUserName" type="pcre2">(?i)admin|administrator</field>
  <time>6 pm - 6 am</time>
  <description>Administrator login outside business hours</description>
  <mitre>
    <id>T1078.002</id>
  </mitre>
  <group>authentication,policy_violation,</group>
</rule>
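To show how rules 100010 and 100011 combine frequency, timeframe and same_source_ip, here is an added Python simulation of that correlation over a constructed Windows logon stream (it is not part of this rule set and stands in for analysisd; the 300 s window for rule 100011 is an assumption).

```python
from collections import defaultdict, deque

# Constructed Windows logon stream: (timestamp in seconds, event id, source ip).
# 4625 = failed logon (Wazuh rule 60122), 4624 = successful logon (Wazuh rule 60106).
SAMPLE_EVENTS = [
    (0, 4625, "203.0.113.7"),
    (10, 4625, "203.0.113.7"),
    (20, 4625, "203.0.113.7"),
    (30, 4625, "203.0.113.7"),
    (40, 4625, "203.0.113.7"),    # fifth failure inside 120 s -> rule 100010
    (55, 4624, "203.0.113.7"),    # success 15 s after 100010 -> rule 100011
    (60, 4625, "198.51.100.9"),
    (400, 4625, "198.51.100.9"),  # 340 s apart: the 120 s window never holds 5 failures
    (405, 4624, "198.51.100.9"),  # success without a prior 100010 -> no alert
]

BRUTE_FREQ, BRUTE_WINDOW = 5, 120   # rule 100010: frequency="5" timeframe="120"
BREACH_WINDOW = 300                 # rule 100011: window assumed here (not given on the page)


def correlate(events):
    """Return [(ts, rule_id, srcip)] in firing order.
    Rule 100010: BRUTE_FREQ failures from one source IP within BRUTE_WINDOW seconds.
    Rule 100011: a success from that IP within BREACH_WINDOW seconds of a 100010 alert."""
    failures = defaultdict(deque)   # srcip -> timestamps of recent failed logons
    brute_fired = {}                # srcip -> timestamp of the last 100010 alert
    alerts = []
    for ts, event_id, ip in sorted(events):
        if event_id == 4625:
            window = failures[ip]
            window.append(ts)
            while ts - window[0] > BRUTE_WINDOW:   # drop failures older than the timeframe
                window.popleft()
            if len(window) >= BRUTE_FREQ:
                alerts.append((ts, 100010, ip))
                brute_fired[ip] = ts
                window.clear()      # one alert per burst (simplification of analysisd's bookkeeping)
        elif event_id == 4624:
            last = brute_fired.get(ip)
            if last is not None and ts - last <= BREACH_WINDOW:
                alerts.append((ts, 100011, ip))
    return alerts
```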

Web Application Attacks

Rule ID: 100020 HIGH
SQL Injection Attempt Detected
<rule id="100020" level="12">
  <if_sid>31100</if_sid>
  <!-- Matches the url field as logged; percent-encoded variants (e.g. %27 for ') need decoding or extra patterns -->
  <field name="url" type="pcre2">(?i)(union.*select|select.*from|insert.*into|delete.*from|drop.*table|' or '1'='1)</field>
  <description>SQL injection attempt detected in web request</description>
  <mitre>
    <id>T1190</id>
  </mitre>
  <group>web_attack,sql_injection,attack,</group>
</rule>
Rule ID: 100021 HIGH
Cross-Site Scripting (XSS) Attack
<rule id="100021" level="12">
  <if_sid>31100</if_sid>
  <!-- "<" must be written as &lt; inside XML element content, otherwise the rule file does not parse -->
  <field name="url" type="pcre2">(?i)(&lt;script|javascript:|onerror=|onload=|&lt;iframe)</field>
  <description>Cross-site scripting (XSS) attempt detected</description>
  <mitre>
    <id>T1190</id>
  </mitre>
  <group>web_attack,xss,attack,</group>
</rule>
Rule ID: 100022 MEDIUM
Directory Traversal Attack Attempt
<rule id="100022" level="10">
  <if_sid>31100</if_sid>
  <!-- (?i) also covers %2E; the encoded slash %2F is accepted after an encoded ".." -->
  <field name="url" type="pcre2">(?i)(\.\./|\.\.\\|%2e%2e(/|%2f))</field>
  <description>Directory traversal attack attempt</description>
  <mitre>
    <id>T1083</id>
  </mitre>
  <group>web_attack,directory_traversal,attack,</group>
</rule>
Rule ID: 100023 HIGH
Command Injection Attempt via Web Request
<rule id="100023" level="12">
  <if_sid>31100</if_sid>
  <!-- &amp;, &lt; and &gt; are the XML forms of &, < and >. \| is a literal pipe (\\| would be a literal
       backslash followed by an alternation bar). \s* allows "; cat" as well as ";cat", and the trailing
       \b stops "sh" from matching a parameter such as "&shape=" -->
  <field name="url" type="pcre2">(?i)(;|&amp;|\||`|\$\(|&lt;\(|&gt;\()\s*(cat|ls|wget|curl|nc|bash|sh|cmd)\b</field>
  <description>Command injection attempt in web request</description>
  <mitre>
    <id>T1059</id>
  </mitre>
  <group>web_attack,command_injection,attack,</group>
</rule>
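An added Python harness (not part of this rule set; Python's re stands in for PCRE2) that runs the four web-attack patterns above over constructed access-log URLs. It uses the 100023 pattern with the pipe written as `\|`, optional whitespace and a trailing word boundary, and the 100022 pattern with `(?i)` and `%2f`; the decoded pass shows what the raw-url rules miss when the separator is percent-encoded.

```python
import re
from urllib.parse import unquote

# Patterns of rules 100020-100023 as the characters PCRE2 sees (XML entities resolved).
RULE_PATTERNS = {
    100020: r"(?i)(union.*select|select.*from|insert.*into|delete.*from|drop.*table|' or '1'='1)",
    100021: r"(?i)(<script|javascript:|onerror=|onload=|<iframe)",
    100022: r"(?i)(\.\./|\.\.\\|%2e%2e(/|%2f))",
    100023: r"(?i)(;|&|\||`|\$\(|<\(|>\()\s*(cat|ls|wget|curl|nc|bash|sh|cmd)\b",
}
COMPILED = {rid: re.compile(pat) for rid, pat in RULE_PATTERNS.items()}


def match_rules(url, decode=True):
    """Return the set of rule ids whose pattern hits `url`.
    With decode=True the percent-decoded form is checked as well, which is the
    step the rules themselves do not perform on the raw url field."""
    candidates = [url, unquote(url)] if decode else [url]
    return {rid for rid, pat in COMPILED.items() if any(pat.search(c) for c in candidates)}


# Constructed request paths as they would appear in the decoded `url` field of an access log,
# each paired with the rule ids expected to fire on it.
SAMPLE_URLS = {
    "/products.php?id=1%20UNION%20SELECT%20username,password%20FROM%20users": {100020},
    "/search?q=<script>alert(1)</script>": {100021},
    "/download?file=../../etc/passwd": {100022},
    "/ping?host=127.0.0.1;cat%20/etc/passwd": {100023},
    "/catalog?page=2&shape=round": set(),   # "&sh" alone: the \b keeps this from firing
    "/index.html": set(),
}

# Same request as the fourth sample, but with the ";" separator percent-encoded as %3B.
ENCODED_INJECTION = "/ping?host=1%3B%20cat%20/etc/passwd"


def run_samples(decode=True):
    """Map each constructed URL to the rule ids that fire on it."""
    return {url: match_rules(url, decode) for url in SAMPLE_URLS}
```

Running `match_rules(ENCODED_INJECTION, decode=False)` returns an empty set while the decoded pass returns `{100023}`, which is the gap a decoding step or an encoded-form pattern closes.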

Linux Threat Detection

Rule ID: 100030 CRITICAL
Suspicious Binary Execution from /tmp or /dev/shm
<rule id="100030" level="15">
  <!-- audit.* fields come from the auditd decoder, so the parent is the auditd base rule (80700) rather
       than the syscheck rules 550/554, which never carry these fields. Requires an auditd rule that
       records execve syscalls so the PATH record supplies audit.file.name -->
  <if_sid>80700</if_sid>
  <field name="audit.file.name" type="pcre2">^(/tmp|/dev/shm)/</field>
  <description>Suspicious executable launched from /tmp or /dev/shm</description>
  <mitre>
    <id>T1204</id>
  </mitre>
  <group>execution,linux,attack,</group>
</rule>
Rule ID: 100031 CRITICAL
Reverse Shell Detection - Netcat Usage
<rule id="100031" level="15">
  <if_sid>80700</if_sid>
  <!-- Anchored: an unanchored "nc" would match rsync, vncserver and similar. a1 is a single argv element,
       so only an -e/--exec/-c given as the first argument is caught; later positions are missed -->
  <field name="audit.execve.a0" type="pcre2">(^|/)(nc|netcat|ncat)$</field>
  <field name="audit.execve.a1" type="pcre2">^(-e|--exec|-c)$</field>
  <description>Reverse shell attempt detected using netcat</description>
  <mitre>
    <id>T1059</id>
    <id>T1071</id>
  </mitre>
  <group>command_execution,reverse_shell,linux,attack,</group>
</rule>
Rule ID: 100032 HIGH
User Added to Sudoers Group
<rule id="100032" level="12">
  <if_sid>80700</if_sid>
  <field name="audit.execve.a0" type="pcre2">(^|/)usermod$</field>
  <field name="audit.execve.a1">^-aG$</field>
  <!-- RHEL-family systems grant sudo through the wheel group instead -->
  <field name="audit.execve.a2">^sudo$</field>
  <description>User added to sudoers group - privilege escalation</description>
  <mitre>
    <id>T1548</id>
  </mitre>
  <group>privilege_escalation,linux,attack,</group>
</rule>
Rule ID: 100033 MEDIUM
SSH Key Added to Authorized Keys
<rule id="100033" level="8">
  <!-- auditd parent rule; needs an audit watch on the authorized_keys paths. With syscheck instead,
       use if_sid 550,554 and the "file" field -->
  <if_sid>80700</if_sid>
  <field name="audit.file.name" type="pcre2">authorized_keys$</field>
  <description>SSH authorized_keys file modified</description>
  <mitre>
    <id>T1098.004</id>
  </mitre>
  <group>persistence,linux,attack,</group>
</rule>

Network & C2 Detection

Rule ID: 100040 CRITICAL
Cobalt Strike Beacon Detection
<rule id="100040" level="15">
  <if_sid>31100</if_sid>
  <!-- 31100 is the web access log base rule; its stock decoder does not extract a user_agent field,
       so this assumes a custom decoder that populates it -->
  <field name="user_agent" type="pcre2">(?i)(cobalt strike|metasploit|meterpreter)</field>
  <description>Cobalt Strike or Metasploit C2 beacon detected</description>
  <mitre>
    <id>T1071</id>
    <id>T1219</id>
  </mitre>
  <group>command_control,attack,</group>
</rule>
Rule ID: 100041 HIGH
DNS Tunneling Detected - Excessive Subdomain Queries
MITRE ATT&CK: T1071.004 - DNS
<!-- Helper rule (id 100043 chosen here): one TXT query, at level 3 so its matches are kept for
     if_matched_sid counting (level 0 matches are not). 31100 is the web access log base rule and
     carries no query_type field; replace it with the base rule id of the DNS log decoder in use -->
<rule id="100043" level="3">
  <if_sid>31100</if_sid>
  <field name="query_type">^TXT$</field>
  <description>DNS TXT query (feeds rule 100041)</description>
  <group>dns,</group>
</rule>
<!-- frequency/timeframe take effect only with if_matched_*; with if_sid every single TXT query would alert -->
<rule id="100041" level="12" frequency="50" timeframe="60">
  <if_matched_sid>100043</if_matched_sid>
  <same_source_ip />
  <description>DNS tunneling suspected - excessive TXT queries from same source</description>
  <mitre>
    <id>T1071.004</id>
  </mitre>
  <group>exfiltration,command_control,attack,</group>
</rule>
Rule ID: 100042 HIGH
Large Data Transfer to External IP
<rule id="100042" level="12">
  <!-- Assumes a flow or proxy log decoder under rule 31100 that populates bytes_sent and dest_ip;
       the stock web access log decoder does not. bytes_sent of 8 or more digits means >= 10,000,000
       bytes; dest_ip excludes the RFC 1918 ranges only (loopback and link-local still match) -->
  <if_sid>31100</if_sid>
  <field name="bytes_sent" type="pcre2">^[1-9][0-9]{7,}$</field>
  <field name="dest_ip" type="pcre2">^(?!10\.|172\.1[6-9]\.|172\.2[0-9]\.|172\.3[0-1]\.|192\.168\.)</field>
  <description>Large data transfer to external IP - possible exfiltration</description>
  <mitre>
    <id>T1041</id>
  </mitre>
  <group>exfiltration,attack,</group>
</rule>

File Integrity Monitoring

Rule ID: 100050 CRITICAL
Critical System File Modified
<rule id="100050" level="15">
  <if_sid>550</if_sid>
  <!-- "system32" on its own matches every file under that directory, routine updates included;
       expect noise unless the FIM scope or this pattern is narrowed to the named binaries -->
  <field name="file" type="pcre2">(?i)(system32|winlogon\.exe|lsass\.exe|csrss\.exe)</field>
  <description>Critical Windows system file modified</description>
  <mitre>
    <id>T1565.001</id>
  </mitre>
  <group>file_integrity,attack,</group>
</rule>
Rule ID: 100051 HIGH
Hosts File Modification
<rule id="100051" level="12">
  <if_sid>550</if_sid>
  <field name="file" type="pcre2">(?i)\\system32\\drivers\\etc\\hosts$</field>
  <description>Windows hosts file modified - possible DNS hijacking</description>
  <mitre>
    <id>T1565.001</id>
  </mitre>
  <group>file_integrity,attack,</group>
</rule>

Ransomware Detection

Rule ID: 100060 CRITICAL
Mass File Encryption Detected - Ransomware Activity
<!-- Helper rule (id 100062 chosen here): one file with a ransomware extension, at level 3 so its
     matches are kept for if_matched_sid counting (level 0 matches are not). 554 (file added) is
     included because encrypted copies are usually written as new files -->
<rule id="100062" level="3">
  <if_sid>550,554</if_sid>
  <field name="file" type="pcre2">(?i)\.(encrypted|locked|crypto|crypt|cerber)$</field>
  <description>File with ransomware extension written</description>
  <group>ransomware,file_integrity,</group>
</rule>
<!-- frequency/timeframe take effect only with if_matched_*; with if_sid the rule would fire on every
     single file. same_location keeps the count per reporting agent -->
<rule id="100060" level="15" frequency="20" timeframe="30">
  <if_matched_sid>100062</if_matched_sid>
  <same_location />
  <description>Mass file encryption detected - ransomware activity</description>
  <mitre>
    <id>T1486</id>
  </mitre>
  <group>ransomware,impact,attack,</group>
</rule>
Rule ID: 100061 CRITICAL
Ransomware Note File Created
<rule id="100061" level="15">
  <if_sid>550</if_sid>
  <!-- readme*.txt and similar names are common in legitimate software installs; tune this pattern
       or the monitored paths before running it at level 15 -->
  <field name="file" type="pcre2">(?i)(readme|decrypt|recover|ransom|how_to).*\.(txt|html)$</field>
  <description>Ransomware note file created</description>
  <mitre>
    <id>T1486</id>
  </mitre>
  <group>ransomware,impact,attack,</group>
</rule>