Sigma Detection Pack (16 rules)
- Entity ID: ent-20260419-de467130e9cb
- Type: dataset
- Scope: shared
- Status: active
- Aliases: community Sigma rules, Claude Code SIEM detection pack
Description
Community-built 16-rule Sigma detection pack with a 100% pySigma pass rate, covering Claude Code attack vectors: KAIROS daemon spawn, autoDream misuse, extractMemories calls, MCP anomalous hosts, hook script privilege, TERMINAL injection (CVE-35020 precursor), auth helper child process (CVE-35022 precursor), cc:// deep link handler registration, settings.json mid-session modification, and Undercover Mode signals. Includes SPL/Elastic/YARA variants and test events; SC-008 was validated with Sysmon on a domain controller.
Key claims
- none yet
Relations
- Sigma Detection Pack (16 rules) --[informed_by]--> Execa Command Injection (VULN-01/02/03)