Below you will find pages that utilize the taxonomy term “Sigma Rules”
Beyond the Bait: Behavioral Sigma Detections for AiTM Phishing
Phishing campaigns are a moving target. The sender domain rotates every 48 hours. The PDF hash changes with each wave. The landing page infrastructure spins up on fresh hosting and disappears before anyone can block it. Chasing those indicators is necessary. It is also a treadmill.
Microsoft’s Defender Research team recently published a detailed analysis of a large-scale …
QLNX and Watching the Surroundings: Behavioral Detection for Linux
You cannot detect a malware sample that deletes itself from disk before your EDR blinks. That is the honest starting point for any discussion of QLNX.
Trend Micro’s TrendAI Research team discovered Quasar Linux – QLNX – a previously undocumented Linux remote access trojan with near-zero initial detection rates. It executes entirely from memory via memfd_create and execveat, wipes its own binary …
Sigma Rules: The Detection Engineer’s Rosetta Stone
Every security team has the same problem. Alerts pile up. Analysts burn out triaging noise. A new threat actor drops a technique, and the team scrambles to build a detection — only to realize it only works in Splunk, and half the org runs Elastic.
Sigma was built to solve this. Not just as a rule format, but as a philosophy: write your detection logic once, express it clearly, and let tooling …
You Can't Sigma a Buffer Overflow: Post-Exploitation Detection for CVE-2026-0300
Zero-days are designed to be invisible. A buffer overflow in a network appliance doesn’t show up in your SIEM. It doesn’t spawn a suspicious process. It doesn’t drop a file in a temp directory. It exploits a parsing mistake in memory, at a layer your detection tooling was never designed to see.
That’s the honest truth about CVE-2026-0300 — a critical unauthenticated RCE in …
Detecting Dirty Frag: Linux Privilege Escalation Detection Engineering
Dirty Frag is one of those Linux privilege escalation vulnerabilities that reminds defenders why behavioral detection matters.
Public proof-of-concept (PoC) exploits appeared quickly after disclosure. Most defenders initially focused on detecting known exploit filenames or hashes. That works for copy-paste attacks, but it fails the moment an attacker recompiles the exploit or renames the binary. …