
Add threat hunting rule for single-character binary execution#5868

Open
norbert791 wants to merge 1 commit into SigmaHQ:master from norbert791:norbert791/single-letter

Conversation

@norbert791
Contributor

Summary of the Pull Request

Detects execution of binaries with single-character names (e.g., r.exe, a.exe) which are commonly used by attackers to evade detection or as quick implants.

Reference: CERT Polska Energy Sector Incident Report 2025

Changelog

new: Single Character Binary Execution - Linux
new: Single Character Binary Execution - MacOS
new: Single Character Binary Execution - Windows

Example Log Event

Fixed Issues

SigmaHQ Rule Creation Conventions

  • If your PR adds new rules, please consider following and applying these conventions

@github-actions github-actions bot added labels: Rules, Review Needed (The PR requires review), Windows (Pull request add/update windows related rules), Linux (Pull request add/update linux related rules), MacOS (Pull request add/update macos related rules), Threat-Hunting on Feb 14, 2026
@norbert791 norbert791 marked this pull request as draft February 14, 2026 12:29
@norbert791 norbert791 marked this pull request as ready for review February 14, 2026 12:31
@norbert791 norbert791 force-pushed the norbert791/single-letter branch from b356ca6 to 8f1b65d on February 14, 2026 12:38

category: process_creation
detection:
  selection:
    Image|endswith: '/?'


Feels like this would generate a lot of noise for single-char executables and compilers as described by the developer.

IMO, since this tackles the tunneling actions done by the attackers in the Polish incident, I would recommend editing or fine-tuning the existing SSH Tunneling or general tunneling rules with "-R" and a port being present in the command line.

Contributor Author


The rule might be noisy in some environments, but I suppose it's not too much of a problem if it's a threat-hunting rule. To be frank, I think that 'one-char' software might appear less often than it may seem. I don't believe there's much legitimate software with 'one-char' binaries and if someone builds their own images, then they will probably give it a more descriptive name.
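To make the matching semantics of the `Image|endswith: '/?'` selection concrete, here is an added example (not code from the PR or the SigmaHQ repository) that emulates Sigma's `endswith` modifier with its `?` single-character wildcard and runs it over a few constructed process_creation events; the event values and the path strings are made up for illustration.

```python
import re

# Constructed process_creation events for illustration; not taken from the PR or any real log.
SAMPLE_EVENTS = [
    {"Image": "/usr/bin/r", "CommandLine": "/usr/bin/r -R 0.0.0.0:8443"},
    {"Image": "/opt/tools/A", "CommandLine": "/opt/tools/A"},
    {"Image": "/home/dev/build/a", "CommandLine": "./a"},  # freshly compiled test program
    {"Image": "/usr/bin/rsync", "CommandLine": "rsync -a src dst"},
    {"Image": "/usr/bin/ls", "CommandLine": "ls -la"},
    {"Image": "/tmp/", "CommandLine": ""},  # malformed value: no basename at all
]


def sigma_pattern_to_regex(pattern: str) -> str:
    """Translate a Sigma string value into a regex fragment.

    Sigma treats '*' as any run of characters and '?' as exactly one
    character; every other character is matched literally.
    """
    out = []
    for ch in pattern:
        if ch == "*":
            out.append(".*")
        elif ch == "?":
            out.append(".")
        else:
            out.append(re.escape(ch))
    return "".join(out)


def endswith_match(value: str, pattern: str) -> bool:
    """Emulate the '|endswith' modifier: the pattern must match at the very
    end of the field value, case-insensitively (Sigma's default for strings)."""
    regex = sigma_pattern_to_regex(pattern) + r"\Z"
    return re.search(regex, value, re.IGNORECASE) is not None


def hunt_single_char_images(events, pattern="/?"):
    """Return the Image values that the rule's selection would flag."""
    return [e["Image"] for e in events if endswith_match(e.get("Image", ""), pattern)]


if __name__ == "__main__":
    for image in hunt_single_char_images(SAMPLE_EVENTS):
        print("match:", image)
```

Three of the six constructed events match, and the third hit (`/home/dev/build/a`) is exactly the developer-compiled binary the reviewer expects to cause noise, which is why such a rule is better suited to threat hunting than alerting.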
