sigma-rules/hunting/index.md

# List of Available Queries

Here are the queries currently available:


## aws
- [AWS IAM Customer-Managed Policy Attachment to Existing Roles](./aws/docs/iam_customer_managed_policies_attached_to_existing_roles.md) (ES|QL)
- [AWS IAM Unusual AWS Access Key Usage for User](./aws/docs/iam_unusual_access_key_usage_for_user.md) (ES|QL)
- [EC2 Modify Instance Attribute User Data](./aws/docs/ec2_modify_instance_attribute_user_data.md) (ES|QL)
- [EC2 Suspicious Get User Password Request](./aws/docs/ec2_suspicious_get_user_password_request.md) (ES|QL)
- [High EC2 Instance Deployment Count Attempts by Single User or Role](./aws/docs/ec2_high_instance_deployment_count_attempts.md) (ES|QL)
- [High Frequency of EC2 Multi-Region `DescribeInstances` API Calls](./aws/docs/ec2_discovery_multi_region_describe_instance_calls.md) (ES|QL)
- [High Frequency of Service Quotas Multi-Region `GetServiceQuota` API Calls](./aws/docs/servicequotas_discovery_multi_region_get_service_quota_calls.md) (ES|QL)
- [IAM Assume Role Creation with Attached Policy](./aws/docs/iam_assume_role_creation_with_attached_policy.md) (ES|QL)
- [IAM Unusual Default Aviatrix Role Activity](./aws/docs/iam_unusual_default_aviatrix_role_activity.md) (ES|QL)
- [IAM User Activity with No MFA Session](./aws/docs/iam_user_activity_with_no_mfa_session.md) (ES|QL)
- [Lambda Add Permissions for Write Actions to Function](./aws/docs/lambda_add_permissions_for_write_actions_to_function.md) (ES|QL)
- [Multiple Service Logging Deleted or Stopped](./aws/docs/multiple_service_logging_deleted_or_stopped.md) (ES|QL)
- [S3 Public Bucket Rapid Object Access Attempts](./aws/docs/s3_public_bucket_rapid_object_access_attempts.md) (ES|QL)
- [SNS Direct-to-Phone Messaging Spike](./aws/docs/sns_direct_to_phone_messaging_spike.md) (ES|QL)
- [SNS Topic Created by Rare User](./aws/docs/sns_topic_created_by_rare_user.md) (ES|QL)
- [SNS Topic Message Published by Rare User](./aws/docs/sns_topic_message_published_by_rare_user.md) (ES|QL)
- [SNS Topic Subscription with Email by Rare User](./aws/docs/sns_email_subscription_by_rare_user.md) (ES|QL)
- [SSM Rare SendCommand Code Execution by EC2 Instance](./aws/docs/ssm_rare_sendcommand_code_execution.md) (ES|QL)
- [SSM SendCommand API Used by EC2 Instance](./aws/docs/ssm_sendcommand_api_used_by_ec2_instance.md) (ES|QL)
- [SSM Start Remote Session to EC2 Instance](./aws/docs/ssm_start_remote_session_to_ec2_instance.md) (ES|QL)
- [STS Suspicious Federated Temporary Credential Request](./aws/docs/sts_suspicious_federated_temporary_credential_request.md) (ES|QL)
- [Secrets Manager High Frequency of Programmatic GetSecretValue API Calls](./aws/docs/secretsmanager_high_frequency_get_secret_value.md) (ES|QL)
- [Signin Single Factor Console Login via Federated Session](./aws/docs/signin_single_factor_console_login_via_federated_session.md) (ES|QL)
- [User Creation with Administrator Policy Assigned](./aws/docs/iam_user_creation_with_administrator_policy_assigned.md) (ES|QL)


## azure
- [Azure Entra Authentication Attempts from Abused Hosting Service Providers](./azure/docs/entra_authentication_attempts_from_abused_hosting_service_providers.md) (ES|QL)
- [Azure Entra Device Code Authentication from Unusual Principal](./azure/docs/entra_device_code_authentication_from_unusual_principal.md) (ES|QL)
- [Azure Entra Excessive Single-Factor Non-Interactive Sign-Ins](./azure/docs/entra_excessive_non_interactive_sfa_sign_ins_across_users.md) (ES|QL)
- [Azure Entra Unusual Client App Authentication Requests on Behalf of Principal Users](./azure/docs/entra_unusual_client_app_auth_request_on_behalf_of_user.md) (ES|QL)
- [Azure Entra Unusual Failed Authentication Attempts Behind Rare User Agents](./azure/docs/entra_authentication_attempts_behind_rare_user_agents.md) (ES|QL)
- [Microsoft Entra ID Rare Service Principal Activity from Multiple IPs](./azure/docs/entra_rare_actions_by_service_principal.md) (ES|QL)
- [Microsoft Entra ID Uncommon IP Adding Credentials to Service Principal](./azure/docs/entra_service_principal_credentials_added_to_rare_app.md) (ES|QL)
- [Microsoft Entra Infrequent Suspicious OData Client Requests](./azure/docs/entra_suspicious_odata_client_requests.md) (ES|QL)


## cross-platform
- [Potential Spoofed `microsoftonline.com` via Fuzzy Match](./cross-platform/docs/potentially_spoofed_microsoft_authentication_domain.md) (ES|QL)


## linux
- [Defense Evasion via Capitalized Process Execution](./linux/docs/defense_evasion_via_capitalized_process_execution.md) (ES|QL)
- [Drivers Load with Low Occurrence Frequency](./linux/docs/persistence_via_driver_load_with_low_occurrence_frequency.md) (ES|QL)
- [Excessive SSH Network Activity to Unique Destinations](./linux/docs/excessive_ssh_network_activity_unique_destinations.md) (ES|QL)
- [General Kernel Manipulation](./linux/docs/persistence_general_kernel_manipulation.md) (ES|QL)
- [Git Hook/Pager Persistence](./linux/docs/persistence_via_git_hook_pager.md) (ES|QL)
- [Hidden Process Execution](./linux/docs/defense_evasion_via_hidden_process_execution.md) (ES|QL)
- [Logon Activity by Source IP](./linux/docs/login_activity_by_source_address.md) (ES|QL)
- [Low Volume External Network Connections from Process by Unique Agent](./linux/docs/low_volume_external_network_connections_from_process.md) (ES|QL)
- [Low Volume GTFOBins External Network Connections](./linux/docs/low_volume_gtfobins_external_network_connections.md) (ES|QL)
- [Low Volume Modifications to Critical System Binaries by Unique Host](./linux/docs/low_volume_modifications_to_critical_system_binaries.md) (ES|QL)
- [Low Volume Process Injection-Related Syscalls by Process Executable](./linux/docs/low_volume_process_injection_syscalls_by_executable.md) (ES|QL)
- [Network Connections with Low Occurrence Frequency for Unique Agent ID](./linux/docs/command_and_control_via_network_connections_with_low_occurrence_frequency_for_unique_agents.md) (ES|QL)
- [OSQuery SUID Hunting](./linux/docs/privilege_escalation_via_suid_binaries.md) (ES|QL)
- [Persistence Through Reverse/Bind Shells](./linux/docs/persistence_reverse_bind_shells.md) (ES|QL)
- [Persistence via Cron](./linux/docs/persistence_via_cron.md) (ES|QL)
- [Persistence via DPKG/RPM Package](./linux/docs/persistence_via_rpm_dpkg_installer_packages.md) (ES|QL)
- [Persistence via Desktop Bus (D-Bus)](./linux/docs/persistence_via_desktop_bus.md) (ES|QL)
- [Persistence via Docker Container](./linux/docs/persistence_via_malicious_docker_container.md) (ES|QL)
- [Persistence via Dynamic Linker Hijacking](./linux/docs/persistence_via_dynamic_linker_hijacking.md) (ES|QL)
- [Persistence via GRUB Bootloader](./linux/docs/persistence_via_grub_bootloader.md) (ES|QL)
- [Persistence via Initramfs](./linux/docs/persistence_via_initramfs.md) (ES|QL)
- [Persistence via Loadable Kernel Modules](./linux/docs/persistence_via_loadable_kernel_modules.md) (ES|QL)
- [Persistence via Message-of-the-Day](./linux/docs/persistence_via_message_of_the_day.md) (ES|QL)
- [Persistence via NetworkManager Dispatcher Script](./linux/docs/persistence_via_network_manager_dispatcher_script.md) (ES|QL)
- [Persistence via Package Manager](./linux/docs/persistence_via_package_manager.md) (ES|QL)
- [Persistence via Pluggable Authentication Modules (PAM)](./linux/docs/persistence_via_pluggable_authentication_module.md) (ES|QL)
- [Persistence via PolicyKit](./linux/docs/persistence_via_policykit.md) (ES|QL)
- [Persistence via SSH Configurations and/or Keys](./linux/docs/persistence_via_ssh_configurations_and_keys.md) (ES|QL)
- [Persistence via System V Init](./linux/docs/persistence_via_sysv_init.md) (ES|QL)
- [Persistence via Systemd (Timers)](./linux/docs/persistence_via_systemd_timers.md) (ES|QL)
- [Persistence via Udev](./linux/docs/persistence_via_udev.md) (ES|QL)
- [Persistence via Web Shell](./linux/docs/persistence_via_web_shell.md) (ES|QL)
- [Persistence via rc.local/rc.common](./linux/docs/persistence_via_rc_local.md) (ES|QL)
- [Potential Defense Evasion via Multi-Dot Process Execution](./linux/docs/defense_evasion_via_multi_dot_process_execution.md) (ES|QL)
- [Privilege Escalation Identification via Existing Sudoers File](./linux/docs/privilege_escalation_via_existing_sudoers.md) (ES|QL)
- [Privilege Escalation/Persistence via User/Group Creation and/or Modification](./linux/docs/persistence_via_user_group_creation_modification.md) (ES|QL)
- [Process Capability Hunting](./linux/docs/privilege_escalation_via_process_capabilities.md) (ES|QL)
- [Segmentation Fault & Potential Buffer Overflow Hunting](./linux/docs/privilege_escalation_via_segmentation_fault_and_buffer_overflow.md) (ES|QL)
- [Shell Modification Persistence](./linux/docs/persistence_via_shell_modification_persistence.md) (ES|QL)
- [Uncommon Process Execution from Suspicious Directory](./linux/docs/execution_uncommon_process_execution_from_suspicious_directory.md) (ES|QL)
- [Unusual File Downloads from Source Addresses](./linux/docs/command_and_control_via_unusual_file_downloads_from_source_addresses.md) (ES|QL)
- [Unusual System Binary Parent (Potential System Binary Hijacking Attempt)](./linux/docs/persistence_via_unusual_system_binary_parent.md) (ES|QL)
- [XDG Persistence](./linux/docs/persistence_via_xdg_autostart_modifications.md) (ES|QL)


## llm
- [AWS Bedrock LLM Denial-of-Service or Resource Exhaustion](./llm/docs/aws_bedrock_dos_resource_exhaustion_detection.md) (ES|QL)
- [AWS Bedrock LLM Ignore Previous Prompt Detection](./llm/docs/aws_bedrock_ignore_previous_prompt_detection.md) (ES|QL)
- [AWS Bedrock LLM Latency Anomalies](./llm/docs/aws_bedrock_latency_anomalies_detection.md) (ES|QL)
- [AWS Bedrock LLM Sensitive Content Refusals](./llm/docs/aws_bedrock_sensitive_content_refusal_detection.md) (ES|QL)


## macos
- [Low Occurrence of Suspicious Launch Agent or Launch Daemon](./macos/docs/persistence_via_suspicious_launch_agent_or_launch_daemon_with_low_occurrence.md) (ES|QL)
- [Potential Python Stealer Activity](./macos/docs/credential_access_potential_python_stealer.md) (ES|QL)
- [Python Library Load and Delete](./macos/docs/defense_evasion_python_library_load_and_delete.md) (ES|QL)
- [Python Script Drop and Execute](./macos/docs/execution_python_script_drop_and_execute.md) (ES|QL)
- [Self-Deleted Python Script Accessing Sensitive Files](./macos/docs/defense_evasion_self_deleted_python_script_accessing_sensitive_files.md) (ES|QL)
- [Self-Deleting Python Script](./macos/docs/defense_evasion_self_deleting_python_script.md) (ES|QL)
- [Sensitive File Access via Docker](./macos/docs/execution_suspicious_file_access_via_docker.md) (ES|QL)
- [Suspicious Executable File Modification via Docker](./macos/docs/execution_suspicious_executable_file_modification_via_docker.md) (ES|QL)
- [Suspicious Network Connections by Unsigned Mach-O](./macos/docs/suspicious_network_connections_by_unsigned_macho.md) (ES|QL)
- [Suspicious Python App Execution via Streamlit](./macos/docs/execution_suspicious_python_app_execution_via_streamlit.md) (ES|QL)
- [Unsigned or Untrusted Binary Execution via Python](./macos/docs/execution_unsigned_or_untrusted_binary_execution_via_python.md) (ES|QL)
- [Unsigned or Untrusted Binary Forked by Python](./macos/docs/execution_unsigned_or_untrusted_binary_fork_via_python.md) (ES|QL)
- [Unusual Library Load via Python](./macos/docs/execution_unusual_library_load_via_python.md) (ES|QL)


## okta
- [Failed OAuth Access Token Retrieval via Public Client App](./okta/docs/defense_evasion_failed_oauth_access_token_retrieval_via_public_client_app.md) (ES|QL)
- [Identify High Average of Failed Daily Authentication Attempts](./okta/docs/initial_access_higher_than_average_failed_authentication.md) (ES|QL)
- [Multi-Factor Authentication (MFA) Push Notification Bombing](./okta/docs/persistence_multi_factor_push_notification_bombing.md) (ES|QL)
- [Multiple Application SSO Authentication from the Same Source](./okta/docs/defense_evasion_multiple_application_sso_authentication_repeat_source.md) (ES|QL)
- [OAuth Access Token Granted for Public Client App from Multiple Client Addresses](./okta/docs/defense_evasion_multiple_client_sources_reported_for_oauth_access_tokens_granted.md) (ES|QL)
- [Password Spraying from Repeat Source](./okta/docs/initial_access_password_spraying_from_repeat_source.md) (ES|QL)
- [Rapid MFA Deny Push Notifications (MFA Bombing)](./okta/docs/credential_access_mfa_bombing_push_notications.md) (ES|QL)
- [Rapid Reset Password Requests for Different Users](./okta/docs/credential_access_rapid_reset_password_requests_for_different_users.md) (ES|QL)
- [Rare Occurrence of Domain with User Authentication Events](./okta/docs/persistence_rare_domain_with_user_authentication.md) (ES|QL)
- [Rare Occurrence of OAuth Access Token Granted to Public Client App](./okta/docs/defense_evasion_rare_oauth_access_token_granted_by_application.md) (ES|QL)
- [Successful Impossible Travel Sign-On Events](./okta/docs/initial_access_impossible_travel_sign_on.md) (ES|QL)


## windows
- [DLL Hijack via Masquerading as Microsoft Native Libraries](./windows/docs/detect_dll_hijack_via_masquerading_as_microsoft_native_libraries.md) (ES|QL)
- [DNS Queries via LOLBins with Low Occurence Frequency](./windows/docs/domain_names_queried_via_lolbins_and_with_low_occurence_frequency.md) (ES|QL)
- [Egress Network Connections with Total Bytes Greater than Threshold](./windows/docs/potential_exfiltration_by_process_total_egress_bytes.md) (ES|QL)
- [Excessive RDP Network Activity by Host and User](./windows/docs/excessive_rdp_network_activity_by_source_host_and_user.md) (ES|QL)
- [Excessive SMB Network Activity by Process ID](./windows/docs/excessive_smb_network_activity_by_process_id.md) (ES|QL)
- [Executable File Creation by an Unusual Microsoft Binary](./windows/docs/executable_file_creation_by_an_unusual_microsoft_binary.md) (ES|QL)
- [Execution via Remote Services by Client Address](./windows/docs/execution_via_remote_services_by_client_address.md) (ES|QL)
- [Frequency of Process Execution via Network Logon by Source Address](./windows/docs/execution_via_network_logon_by_occurrence_frequency_by_top_source_ip.md) (ES|QL)
- [High Count of Network Connection Over Extended Period by Process](./windows/docs/high_count_of_network_connection_over_extended_period_by_process.md) (ES|QL)
- [Libraries Loaded by svchost with Low Occurrence Frequency](./windows/docs/libraries_loaded_by_svchost_with_low_occurrence_frequency.md) (ES|QL)
- [Low Frequency of Process Execution via WMI by Unique Agent](./windows/docs/execution_via_windows_management_instrumentation_by_occurrence_frequency_by_unique_agent.md) (ES|QL)
- [Low Frequency of Process Execution via Windows Scheduled Task by Unique Agent](./windows/docs/execution_via_windows_scheduled_task_with_low_occurrence_frequency.md) (ES|QL)
- [Low Occurence of Process Execution via Windows Services with Unique Agent](./windows/docs/execution_via_windows_services_with_low_occurrence_frequency.md) (ES|QL)
- [Low Occurrence Rate of CreateRemoteThread by Source Process](./windows/docs/createremotethread_by_source_process_with_low_occurrence.md) (ES|QL)
- [Low Occurrence of Drivers Loaded on Unique Hosts](./windows/docs/drivers_load_with_low_occurrence_frequency.md) (ES|QL)
- [Masquerading Attempts as Native Windows Binaries](./windows/docs/detect_masquerading_attempts_as_native_windows_binaries.md) (ES|QL)
- [Microsoft Office Child Processes with Low Occurrence Frequency by Unique Agent](./windows/docs/microsoft_office_child_processes_with_low_occurrence_frequency.md) (ES|QL)
- [Network Discovery via Sensitive Ports by Unusual Process](./windows/docs/network_discovery_via_sensitive_ports_by_unusual_process.md) (ES|QL)
- [PE File Transfer via SMB_Admin Shares by Agent or User](./windows/docs/pe_file_transfer_via_smb_admin_shares_by_agent.md) (ES|QL)
- [Persistence via Run Key with Low Occurrence Frequency](./windows/docs/persistence_via_run_key_with_low_occurrence_frequency.md) (ES|QL)
- [Persistence via Startup with Low Occurrence Frequency by Unique Host](./windows/docs/persistence_via_startup_with_low_occurrence_frequency.md) (ES|QL)
- [Rare DLL Side-Loading by Occurrence](./windows/docs/detect_rare_dll_sideload_by_occurrence.md) (ES|QL)
- [Rare LSASS Process Access Attempts](./windows/docs/detect_rare_lsass_process_access_attempts.md) (ES|QL)
- [Rundll32 Execution Aggregated by Command Line](./windows/docs/rundll32_execution_aggregated_by_cmdline.md) (ES|QL)
- [Scheduled Tasks Creation for Unique Hosts by Task Command](./windows/docs/scheduled_tasks_creation_for_unique_hosts_by_task_command.md) (ES|QL)
- [Scheduled tasks Creation by Action via Registry](./windows/docs/scheduled_task_creation_by_action_via_registry.md) (ES|QL)
- [Startup Execution with Low Occurrence Frequency by Unique Host](./windows/docs/execution_via_startup_with_low_occurrence_frequency.md) (ES|QL)
- [Suspicious Base64 Encoded Powershell Command](./windows/docs/suspicious_base64_encoded_powershell_commands.md) (ES|QL)
- [Suspicious DNS TXT Record Lookups by Process](./windows/docs/suspicious_dns_txt_record_lookups_by_process.md) (ES|QL)
- [Unique Windows Services Creation by Service File Name](./windows/docs/unique_windows_services_creation_by_servicefilename.md) (ES|QL)
- [Windows Command and Scripting Interpreter from Unusual Parent Process](./windows/docs/windows_command_and_scripting_interpreter_from_unusual_parent.md) (ES|QL)
- [Windows Logon Activity by Source IP](./windows/docs/windows_logon_activity_by_source_ip.md) (ES|QL)