security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[Rule Tuning] Add Supplemental Mitre Mappings (#5876)

Browse Source 
---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: eric-forte-elastic <eric.forte@elastic.co>
This commit is contained in:
Mika Ayenson, PhD
2026-04-01 09:12:42 -05:00
committed by GitHub
parent 116f48ccda
commit 8993d1450b
1131 changed files with 20130 additions and 4101 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/cross-platform/command_and_control_common_llm_endpoint.toml
+6 -4
View File
@@ -2,7 +2,7 @@
creation_date = "2025/09/01"
integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2026/02/10"
updated_date = "2026/03/24"
[rule]
@@ -150,16 +150,18 @@ network where host.os.type in ("macos", "windows") and dns.question.name != null
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1102"
name = "Web Service"
reference = "https://attack.mitre.org/techniques/T1102/"
[[rule.threat.technique.subtechnique]]
id = "T1102.002"
name = "Bidirectional Communication"
reference = "https://attack.mitre.org/techniques/T1102/002/"
[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"
rules/cross-platform/command_and_control_curl_wget_spawn_via_nodejs_parent.toml
+18 -13
View File
@@ -2,7 +2,7 @@
creation_date = "2025/09/18"
integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "crowdstrike", "auditd_manager"]
maturity = "production"
updated_date = "2026/03/31"
updated_date = "2026/04/01"
[rule]
author = ["Elastic"]
@@ -123,17 +123,22 @@ process.parent.name in ("node", "bun", "node.exe", "bun.exe") and (
[[rule.threat]]
framework = "MITRE ATT&CK"
[rule.threat.tactic]
name = "Command and Control"
id = "TA0011"
reference = "https://attack.mitre.org/tactics/TA0011/"
[[rule.threat.technique]]
id = "T1071"
name = "Application Layer Protocol"
reference = "https://attack.mitre.org/techniques/T1071/"
[[rule.threat.technique]]
name = "Application Layer Protocol"
id = "T1071"
reference = "https://attack.mitre.org/techniques/T1071/"
[[rule.threat.technique.subtechnique]]
id = "T1071.001"
name = "Web Protocols"
reference = "https://attack.mitre.org/techniques/T1071/001/"
[[rule.threat.technique.subtechnique]]
name = "Web Protocols"
id = "T1071.001"
reference = "https://attack.mitre.org/techniques/T1071/001/"
[[rule.threat.technique]]
id = "T1105"
name = "Ingress Tool Transfer"
reference = "https://attack.mitre.org/techniques/T1105/"
[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"
rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml
+12 -3
View File
@@ -2,7 +2,7 @@
creation_date = "2023/06/19"
integration = ["endpoint", "system"]
maturity = "production"
updated_date = "2025/02/21"
updated_date = "2026/03/24"
[rule]
author = ["Elastic"]
@@ -89,14 +89,23 @@ Google Drive is a widely-used cloud storage service that allows users to store a
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1102"
name = "Web Service"
reference = "https://attack.mitre.org/techniques/T1102/"
[[rule.threat.technique.subtechnique]]
id = "T1102.003"
name = "One-Way Communication"
reference = "https://attack.mitre.org/techniques/T1102/003/"
[[rule.threat.technique]]
id = "T1105"
name = "Ingress Tool Transfer"
reference = "https://attack.mitre.org/techniques/T1105/"
[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"
rules/cross-platform/command_and_control_kubectl_networking_modification.toml
+6 -6
View File
@@ -4,7 +4,7 @@ integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel", "cloud_de
maturity = "production"
min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
min_stack_version = "9.3.0"
updated_date = "2026/03/26"
updated_date = "2026/03/30"
[rule]
author = ["Elastic"]
@@ -125,16 +125,16 @@ process.name == "kubectl" and (
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1572"
name = "Protocol Tunneling"
reference = "https://attack.mitre.org/techniques/T1572/"
[[rule.threat.technique]]
id = "T1090"
name = "Proxy"
reference = "https://attack.mitre.org/techniques/T1090/"
[[rule.threat.technique]]
id = "T1572"
name = "Protocol Tunneling"
reference = "https://attack.mitre.org/techniques/T1572/"
[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
rules/cross-platform/command_and_control_pan_elastic_defend_c2.toml
+6 -1
View File
@@ -2,7 +2,7 @@
creation_date = "2025/11/18"
integration = ["endpoint", "panw"]
maturity = "production"
updated_date = "2025/11/18"
updated_date = "2026/03/24"
[rule]
author = ["Elastic"]
@@ -70,6 +70,11 @@ note = """## Triage and analysis
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1071"
name = "Application Layer Protocol"
reference = "https://attack.mitre.org/techniques/T1071/"
[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
rules/cross-platform/command_and_control_suricata_elastic_defend_c2.toml
+24 -1
View File
@@ -2,7 +2,7 @@
creation_date = "2025/12/10"
integration = ["endpoint", "suricata"]
maturity = "production"
updated_date = "2026/01/20"
updated_date = "2026/03/24"
[rule]
author = ["Elastic"]
@@ -76,7 +76,30 @@ note = """## Triage and analysis
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1071"
name = "Application Layer Protocol"
reference = "https://attack.mitre.org/techniques/T1071/"
[[rule.threat.technique]]
id = "T1571"
name = "Non-Standard Port"
reference = "https://attack.mitre.org/techniques/T1571/"
[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1046"
name = "Network Service Discovery"
reference = "https://attack.mitre.org/techniques/T1046/"
[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"
rules/cross-platform/command_and_control_tunnel_qemu.toml
+11 -2
View File
@@ -2,7 +2,7 @@
creation_date = "2026/02/09"
integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "system", "crowdstrike"]
maturity = "production"
updated_date = "2026/02/09"
updated_date = "2026/03/24"
[rule]
author = ["Elastic"]
@@ -95,14 +95,23 @@ process where event.type == "start" and
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1090"
name = "Proxy"
reference = "https://attack.mitre.org/techniques/T1090/"
[[rule.threat.technique]]
id = "T1219"
name = "Remote Access Tools"
reference = "https://attack.mitre.org/techniques/T1219/"
[[rule.threat.technique]]
id = "T1572"
name = "Protocol Tunneling"
reference = "https://attack.mitre.org/techniques/T1572/"
[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"
rules/cross-platform/credential_access_genai_process_sensitive_file_access.toml
+31 -3
View File
@@ -2,7 +2,7 @@
creation_date = "2025/12/04"
integration = ["endpoint"]
maturity = "production"
updated_date = "2026/03/10"
updated_date = "2026/03/24"
[rule]
author = ["Elastic"]
@@ -139,26 +139,54 @@ file where event.action in ("open", "creation", "modification") and event.outcom
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1552"
name = "Unsecured Credentials"
reference = "https://attack.mitre.org/techniques/T1552/"
[[rule.threat.technique.subtechnique]]
id = "T1552.001"
name = "Credentials In Files"
reference = "https://attack.mitre.org/techniques/T1552/001/"
[[rule.threat.technique]]
id = "T1555"
name = "Credentials from Password Stores"
reference = "https://attack.mitre.org/techniques/T1555/"
[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1005"
name = "Data from Local System"
reference = "https://attack.mitre.org/techniques/T1005/"
[rule.threat.tactic]
id = "TA0009"
name = "Collection"
reference = "https://attack.mitre.org/tactics/TA0009/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1037"
name = "Boot or Logon Initialization Scripts"
reference = "https://attack.mitre.org/techniques/T1037/"
[[rule.threat.technique.subtechnique]]
id = "T1037.004"
name = "RC Scripts"
reference = "https://attack.mitre.org/techniques/T1037/004/"
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
rules/cross-platform/credential_access_gitleaks_execution.toml
+29 -1
View File
@@ -2,7 +2,7 @@
creation_date = "2025/11/28"
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike", "auditd_manager"]
maturity = "production"
updated_date = "2025/11/28"
updated_date = "2026/03/24"
[rule]
author = ["Elastic"]
@@ -103,6 +103,16 @@ id = "T1003"
name = "OS Credential Dumping"
reference = "https://attack.mitre.org/techniques/T1003/"
[[rule.threat.technique]]
id = "T1552"
name = "Unsecured Credentials"
reference = "https://attack.mitre.org/techniques/T1552/"
[[rule.threat.technique.subtechnique]]
id = "T1552.001"
name = "Credentials In Files"
reference = "https://attack.mitre.org/techniques/T1552/001/"
[[rule.threat.technique]]
id = "T1555"
name = "Credentials from Password Stores"
@@ -112,3 +122,21 @@ reference = "https://attack.mitre.org/techniques/T1555/"
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1213"
name = "Data from Information Repositories"
reference = "https://attack.mitre.org/techniques/T1213/"
[[rule.threat.technique.subtechnique]]
id = "T1213.003"
name = "Code Repositories"
reference = "https://attack.mitre.org/techniques/T1213/003/"
[rule.threat.tactic]
id = "TA0009"
name = "Collection"
reference = "https://attack.mitre.org/tactics/TA0009/"
rules/cross-platform/credential_access_trufflehog_execution.toml
+24 -1
View File
@@ -2,7 +2,7 @@
creation_date = "2025/09/18"
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike", "auditd_manager"]
maturity = "production"
updated_date = "2025/11/26"
updated_date = "2026/03/24"
[rule]
author = ["Elastic"]
@@ -105,6 +105,16 @@ id = "T1003"
name = "OS Credential Dumping"
reference = "https://attack.mitre.org/techniques/T1003/"
[[rule.threat.technique]]
id = "T1552"
name = "Unsecured Credentials"
reference = "https://attack.mitre.org/techniques/T1552/"
[[rule.threat.technique.subtechnique]]
id = "T1552.001"
name = "Credentials In Files"
reference = "https://attack.mitre.org/techniques/T1552/001/"
[[rule.threat.technique]]
id = "T1555"
name = "Credentials from Password Stores"
@@ -114,3 +124,16 @@ reference = "https://attack.mitre.org/techniques/T1555/"
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1005"
name = "Data from Local System"
reference = "https://attack.mitre.org/techniques/T1005/"
[rule.threat.tactic]
id = "TA0009"
name = "Collection"
reference = "https://attack.mitre.org/tactics/TA0009/"
rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml
+18 -2
View File
@@ -2,7 +2,7 @@
creation_date = "2021/07/14"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/12/10"
updated_date = "2026/03/24"
[rule]
author = ["Elastic"]
@@ -73,15 +73,31 @@ In network environments, agents are deployed on hosts to monitor and report acti
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1036"
name = "Masquerading"
reference = "https://attack.mitre.org/techniques/T1036/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1565"
name = "Data Manipulation"
reference = "https://attack.mitre.org/techniques/T1565/"
[[rule.threat.technique.subtechnique]]
id = "T1565.002"
name = "Transmitted Data Manipulation"
reference = "https://attack.mitre.org/techniques/T1565/002/"
[rule.threat.tactic]
id = "TA0040"
name = "Impact"
reference = "https://attack.mitre.org/tactics/TA0040/"
rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml
+6 -2
View File
@@ -2,7 +2,7 @@
creation_date = "2020/11/03"
integration = ["endpoint", "windows"]
maturity = "production"
updated_date = "2025/03/20"
updated_date = "2026/03/24"
[rule]
author = ["Elastic"]
@@ -86,14 +86,18 @@ file where event.type == "deletion" and
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1070"
name = "Indicator Removal"
reference = "https://attack.mitre.org/techniques/T1070/"
[[rule.threat.technique.subtechnique]]
id = "T1070.004"
name = "File Deletion"
reference = "https://attack.mitre.org/techniques/T1070/004/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
rules/cross-platform/defense_evasion_elastic_agent_service_terminated.toml
+14 -1
View File
@@ -2,7 +2,7 @@
creation_date = "2022/05/23"
integration = ["endpoint"]
maturity = "production"
updated_date = "2026/03/19"
updated_date = "2026/03/24"
[rule]
author = ["Elastic"]
@@ -122,3 +122,16 @@ reference = "https://attack.mitre.org/techniques/T1562/001/"
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1489"
name = "Service Stop"
reference = "https://attack.mitre.org/techniques/T1489/"
[rule.threat.tactic]
id = "TA0040"
name = "Impact"
reference = "https://attack.mitre.org/tactics/TA0040/"
rules/cross-platform/defense_evasion_encoding_rot13_python_script.toml
+24 -5
View File
@@ -2,7 +2,7 @@
creation_date = "2024/09/17"
integration = ["endpoint"]
maturity = "production"
updated_date = "2026/03/19"
updated_date = "2026/03/24"
[rule]
author = ["Elastic"]
@@ -81,22 +81,41 @@ ROT encoding, a simple letter substitution cipher, is often used to obfuscate Py
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1140"
name = "Deobfuscate/Decode Files or Information"
reference = "https://attack.mitre.org/techniques/T1140/"
[[rule.threat.technique]]
id = "T1027"
name = "Obfuscated Files or Information"
reference = "https://attack.mitre.org/techniques/T1027/"
[[rule.threat.technique.subtechnique]]
id = "T1027.013"
name = "Encrypted/Encoded File"
reference = "https://attack.mitre.org/techniques/T1027/013/"
[[rule.threat.technique]]
id = "T1140"
name = "Deobfuscate/Decode Files or Information"
reference = "https://attack.mitre.org/techniques/T1140/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
id = "T1059.006"
name = "Python"
reference = "https://attack.mitre.org/techniques/T1059/006/"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
rules/cross-platform/defense_evasion_genai_config_modification.toml
+13 -3
View File
@@ -2,7 +2,7 @@
creation_date = "2025/12/04"
integration = ["endpoint"]
maturity = "production"
updated_date = "2026/03/10"
updated_date = "2026/03/24"
[rule]
author = ["Elastic"]
@@ -104,29 +104,39 @@ file.path : (
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1556"
name = "Modify Authentication Process"
reference = "https://attack.mitre.org/techniques/T1556/"
[[rule.threat.technique]]
id = "T1574"
name = "Hijack Execution Flow"
reference = "https://attack.mitre.org/techniques/T1574/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1546"
name = "Event Triggered Execution"
reference = "https://attack.mitre.org/techniques/T1546/"
[[rule.threat.technique]]
id = "T1554"
name = "Compromise Host Software Binary"
reference = "https://attack.mitre.org/techniques/T1554/"
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
[rule.new_terms]
field = "new_terms_fields"
value = ["process.executable"]
rules/cross-platform/defense_evasion_genai_process_compiling_executables.toml
+20 -3
View File
@@ -2,7 +2,7 @@
creation_date = "2025/12/04"
integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "auditd_manager"]
maturity = "production"
updated_date = "2025/12/04"
updated_date = "2026/03/24"
[rule]
author = ["Elastic"]
@@ -140,19 +140,36 @@ process where event.type == "start" and
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1027"
name = "Obfuscated Files or Information"
reference = "https://attack.mitre.org/techniques/T1027/"
[[rule.threat.technique.subtechnique]]
id = "T1027.004"
name = "Compile After Delivery"
reference = "https://attack.mitre.org/techniques/T1027/004/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1587"
name = "Develop Capabilities"
reference = "https://attack.mitre.org/techniques/T1587/"
[[rule.threat.technique.subtechnique]]
id = "T1587.001"
name = "Malware"
reference = "https://attack.mitre.org/techniques/T1587/001/"
[rule.threat.tactic]
id = "TA0042"
name = "Resource Development"
reference = "https://attack.mitre.org/tactics/TA0042/"
rules/cross-platform/defense_evasion_genai_process_encoding_prior_to_network_activity.toml
+37 -2
View File
@@ -2,7 +2,7 @@
creation_date = "2025/12/04"
integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender"]
maturity = "production"
updated_date = "2025/12/04"
updated_date = "2026/03/24"
[rule]
author = ["Elastic"]
@@ -159,14 +159,49 @@ sequence by process.entity_id with maxspan=30s
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1027"
name = "Obfuscated Files or Information"
reference = "https://attack.mitre.org/techniques/T1027/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1560"
name = "Archive Collected Data"
reference = "https://attack.mitre.org/techniques/T1560/"
[[rule.threat.technique.subtechnique]]
id = "T1560.001"
name = "Archive via Utility"
reference = "https://attack.mitre.org/techniques/T1560/001/"
[[rule.threat.technique.subtechnique]]
id = "T1560.002"
name = "Archive via Library"
reference = "https://attack.mitre.org/techniques/T1560/002/"
[rule.threat.tactic]
id = "TA0009"
name = "Collection"
reference = "https://attack.mitre.org/tactics/TA0009/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1030"
name = "Data Transfer Size Limits"
reference = "https://attack.mitre.org/techniques/T1030/"
[rule.threat.tactic]
id = "TA0010"
name = "Exfiltration"
reference = "https://attack.mitre.org/tactics/TA0010/"
rules/cross-platform/defense_evasion_masquerading_space_after_filename.toml
+19 -1
View File
@@ -2,7 +2,7 @@
creation_date = "2022/10/18"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/12/23"
updated_date = "2026/03/24"
[rule]
author = ["Elastic"]
@@ -106,3 +106,21 @@ reference = "https://attack.mitre.org/techniques/T1036/006/"
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1204"
name = "User Execution"
reference = "https://attack.mitre.org/techniques/T1204/"
[[rule.threat.technique.subtechnique]]
id = "T1204.002"
name = "Malicious File"
reference = "https://attack.mitre.org/techniques/T1204/002/"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
rules/cross-platform/defense_evasion_potential_kubectl_impersonation.toml
+24 -11
View File
@@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager", "sentinel_one_cloud_funnel", "cloud
maturity = "production"
min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
min_stack_version = "9.3.0"
updated_date = "2026/03/26"
updated_date = "2026/03/30"
[rule]
author = ["Elastic"]
@@ -127,6 +127,11 @@ not process.parent.args like ("/snap/microk8s/*/apiservice-kicker", "/snap/micro
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"
[[rule.threat.technique]]
id = "T1550"
name = "Use Alternate Authentication Material"
@@ -137,11 +142,6 @@ id = "T1550.001"
name = "Application Access Token"
reference = "https://attack.mitre.org/techniques/T1550/001/"
[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
@@ -150,17 +150,30 @@ reference = "https://attack.mitre.org/tactics/TA0005/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1552"
name = "Unsecured Credentials"
reference = "https://attack.mitre.org/techniques/T1552/"
[[rule.threat.technique]]
id = "T1528"
name = "Steal Application Access Token"
reference = "https://attack.mitre.org/techniques/T1528/"
[[rule.threat.technique]]
id = "T1552"
name = "Unsecured Credentials"
reference = "https://attack.mitre.org/techniques/T1552/"
[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"
[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
rules/cross-platform/defense_evasion_potential_kubectl_masquerading.toml
+37 -1
View File
@@ -4,7 +4,7 @@ integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel", "cloud_de
maturity = "production"
min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
min_stack_version = "9.3.0"
updated_date = "2026/03/26"
updated_date = "2026/03/30"
[rule]
author = ["Elastic"]
@@ -156,7 +156,43 @@ id = "T1564"
name = "Hide Artifacts"
reference = "https://attack.mitre.org/techniques/T1564/"
[[rule.threat.technique.subtechnique]]
id = "T1564.001"
name = "Hidden Files and Directories"
reference = "https://attack.mitre.org/techniques/T1564/001/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1613"
name = "Container and Resource Discovery"
reference = "https://attack.mitre.org/techniques/T1613/"
[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1609"
name = "Container Administration Command"
reference = "https://attack.mitre.org/techniques/T1609/"
[[rule.threat.technique]]
id = "T1610"
name = "Deploy Container"
reference = "https://attack.mitre.org/techniques/T1610/"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
rules/cross-platform/defense_evasion_whitespace_padding_command_line.toml
+10 -4
View File
@@ -2,7 +2,7 @@
creation_date = "2025/06/30"
integration = ["endpoint", "system", "windows", "auditd_manager", "m365_defender", "crowdstrike", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2025/12/09"
updated_date = "2026/03/24"
[rule]
author = ["Elastic"]
@@ -96,34 +96,40 @@ FROM logs-* metadata _id, _version, _index
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1027"
name = "Obfuscated Files or Information"
reference = "https://attack.mitre.org/techniques/T1027/"
[[rule.threat.technique.subtechnique]]
id = "T1027.010"
name = "Command Obfuscation"
reference = "https://attack.mitre.org/techniques/T1027/010/"
[[rule.threat.technique]]
id = "T1140"
name = "Deobfuscate/Decode Files or Information"
reference = "https://attack.mitre.org/techniques/T1140/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
id = "T1059.001"
name = "PowerShell"
reference = "https://attack.mitre.org/techniques/T1059/001/"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
rules/cross-platform/discovery_kubectl_permission_discovery.toml
+6 -1
View File
@@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_
maturity = "production"
min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
min_stack_version = "9.3.0"
updated_date = "2026/03/26"
updated_date = "2026/03/30"
[rule]
author = ["Elastic"]
@@ -119,6 +119,11 @@ process.name == "kubectl" and process.args == "auth" and process.args == "can-i"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1069"
name = "Permission Groups Discovery"
reference = "https://attack.mitre.org/techniques/T1069/"
[[rule.threat.technique]]
id = "T1613"
name = "Container and Resource Discovery"
rules/cross-platform/discovery_virtual_machine_fingerprinting_grep.toml
+19 -2
View File
@@ -2,7 +2,7 @@
creation_date = "2021/09/29"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/01/15"
updated_date = "2026/03/24"
[rule]
author = ["Elastic"]
@@ -89,14 +89,31 @@ Virtual machine fingerprinting involves identifying virtualized environments by
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1082"
name = "System Information Discovery"
reference = "https://attack.mitre.org/techniques/T1082/"
[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1497"
name = "Virtualization/Sandbox Evasion"
reference = "https://attack.mitre.org/techniques/T1497/"
[[rule.threat.technique.subtechnique]]
id = "T1497.001"
name = "System Checks"
reference = "https://attack.mitre.org/techniques/T1497/001/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
rules/cross-platform/discovery_web_server_local_file_inclusion_activity.toml
+45 -1
View File
@@ -4,7 +4,7 @@ integration = ["nginx", "apache", "apache_tomcat", "iis", "traefik"]
maturity = "production"
min_stack_version = "9.2.0"
min_stack_comments = "The esql url_decode() operator was introduced in version 9.2.0"
updated_date = "2026/03/19"
updated_date = "2026/03/24"
[rule]
author = ["Elastic"]
@@ -172,3 +172,47 @@ reference = "https://attack.mitre.org/techniques/T1083/"
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1005"
name = "Data from Local System"
reference = "https://attack.mitre.org/techniques/T1005/"
[rule.threat.tactic]
id = "TA0009"
name = "Collection"
reference = "https://attack.mitre.org/tactics/TA0009/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1552"
name = "Unsecured Credentials"
reference = "https://attack.mitre.org/techniques/T1552/"
[[rule.threat.technique.subtechnique]]
id = "T1552.001"
name = "Credentials In Files"
reference = "https://attack.mitre.org/techniques/T1552/001/"
[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1190"
name = "Exploit Public-Facing Application"
reference = "https://attack.mitre.org/techniques/T1190/"
[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"
rules/cross-platform/discovery_web_server_remote_file_inclusion_activity.toml
+14 -1
View File
@@ -4,7 +4,7 @@ integration = ["nginx", "apache", "apache_tomcat", "iis", "traefik"]
maturity = "production"
min_stack_version = "9.2.0"
min_stack_comments = "The esql url_decode() operator was introduced in version 9.2.0"
updated_date = "2026/03/19"
updated_date = "2026/03/24"
[rule]
author = ["Elastic"]
@@ -133,3 +133,16 @@ framework = "MITRE ATT&CK"
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1190"
name = "Exploit Public-Facing Application"
reference = "https://attack.mitre.org/techniques/T1190/"
[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"
rules/cross-platform/execution_aws_ec2_lolbin_via_ssm.toml
+14 -4
View File
@@ -2,7 +2,7 @@
creation_date = "2025/11/23"
integration = ["aws", "endpoint"]
maturity = "production"
updated_date = "2025/11/23"
updated_date = "2026/03/24"
[rule]
author = ["Elastic"]
@@ -225,26 +225,36 @@ FROM logs-aws.cloudtrail*, logs-endpoint.events.process-* METADATA _id, _version
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
id = "T1059.004"
name = "Unix Shell"
reference = "https://attack.mitre.org/techniques/T1059/004/"
[[rule.threat.technique]]
id = "T1651"
name = "Cloud Administration Command"
reference = "https://attack.mitre.org/techniques/T1651/"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1105"
name = "Ingress Tool Transfer"
reference = "https://attack.mitre.org/techniques/T1105/"
[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"
rules/cross-platform/execution_aws_ssm_sendcommand_with_command_parameters.toml
+17 -3
View File
@@ -2,7 +2,7 @@
creation_date = "2022/09/03"
integration = ["endpoint", "auditd_manager"]
maturity = "production"
updated_date = "2025/01/15"
updated_date = "2026/03/24"
[rule]
author = ["Elastic"]
@@ -145,17 +145,31 @@ field_names = [
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
id = "T1059.001"
name = "PowerShell"
reference = "https://attack.mitre.org/techniques/T1059/001/"
[[rule.threat.technique.subtechnique]]
id = "T1059.004"
name = "Unix Shell"
reference = "https://attack.mitre.org/techniques/T1059/004/"
[[rule.threat.technique]]
id = "T1651"
name = "Cloud Administration Command"
reference = "https://attack.mitre.org/techniques/T1651/"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
[rule.new_terms]
field = "new_terms_fields"
value = ["host.id"]
rules/cross-platform/execution_d4c_k8s_mda_direct_interactive_kubernetes_api_request_by_usual_utilities.toml
+6 -1
View File
@@ -4,7 +4,7 @@ integration = ["cloud_defend", "kubernetes"]
maturity = "production"
min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
min_stack_version = "9.3.0"
updated_date = "2026/01/27"
updated_date = "2026/03/24"
[rule]
author = ["Elastic"]
@@ -121,6 +121,11 @@ id = "T1059.004"
name = "Unix Shell"
reference = "https://attack.mitre.org/techniques/T1059/004/"
[[rule.threat.technique]]
id = "T1609"
name = "Container Administration Command"
reference = "https://attack.mitre.org/techniques/T1609/"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
rules/cross-platform/execution_d4c_k8s_mda_forbidden_direct_interactive_kubernetes_api_request.toml
+6 -1
View File
@@ -4,7 +4,7 @@ integration = ["cloud_defend", "kubernetes"]
maturity = "production"
min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
min_stack_version = "9.3.0"
updated_date = "2026/01/27"
updated_date = "2026/03/24"
[rule]
author = ["Elastic"]
@@ -125,6 +125,11 @@ id = "T1059.004"
name = "Unix Shell"
reference = "https://attack.mitre.org/techniques/T1059/004/"
[[rule.threat.technique]]
id = "T1609"
name = "Container Administration Command"
reference = "https://attack.mitre.org/techniques/T1609/"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
rules/cross-platform/execution_d4c_k8s_mda_kubernetes_api_activity_by_unusual_utilities.toml
+21 -1
View File
@@ -4,7 +4,7 @@ integration = ["cloud_defend", "kubernetes"]
maturity = "production"
min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
min_stack_version = "9.3.0"
updated_date = "2026/03/05"
updated_date = "2026/03/24"
[rule]
author = ["Elastic"]
@@ -145,6 +145,16 @@ id = "T1059.004"
name = "Unix Shell"
reference = "https://attack.mitre.org/techniques/T1059/004/"
[[rule.threat.technique]]
id = "T1609"
name = "Container Administration Command"
reference = "https://attack.mitre.org/techniques/T1609/"
[[rule.threat.technique]]
id = "T1610"
name = "Deploy Container"
reference = "https://attack.mitre.org/techniques/T1610/"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
@@ -153,6 +163,16 @@ reference = "https://attack.mitre.org/tactics/TA0002/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1069"
name = "Permission Groups Discovery"
reference = "https://attack.mitre.org/techniques/T1069/"
[[rule.threat.technique]]
id = "T1087"
name = "Account Discovery"
reference = "https://attack.mitre.org/techniques/T1087/"
[[rule.threat.technique]]
id = "T1613"
name = "Container and Resource Discovery"
rules/cross-platform/execution_d4c_k8s_mda_service_account_token_access_followed_by_kubernetes_api_request.toml
+24 -1
View File
@@ -4,7 +4,7 @@ integration = ["cloud_defend", "kubernetes"]
maturity = "production"
min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
min_stack_version = "9.3.0"
updated_date = "2026/01/27"
updated_date = "2026/03/24"
[rule]
author = ["Elastic"]
@@ -108,6 +108,11 @@ reference = "https://attack.mitre.org/tactics/TA0002/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1528"
name = "Steal Application Access Token"
reference = "https://attack.mitre.org/techniques/T1528/"
[[rule.threat.technique]]
id = "T1552"
name = "Unsecured Credentials"
@@ -135,3 +140,21 @@ reference = "https://attack.mitre.org/techniques/T1613/"
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1550"
name = "Use Alternate Authentication Material"
reference = "https://attack.mitre.org/techniques/T1550/"
[[rule.threat.technique.subtechnique]]
id = "T1550.001"
name = "Application Access Token"
reference = "https://attack.mitre.org/techniques/T1550/001/"
[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"
rules/cross-platform/execution_git_exploit_cve_2025_48384.toml
+32 -9
View File
@@ -2,7 +2,7 @@
creation_date = "2025/11/12"
integration = ["endpoint", "auditd_manager", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
updated_date = "2025/11/12"
updated_date = "2026/03/24"
[rule]
author = ["Elastic"]
@@ -88,12 +88,35 @@ sequence by host.id with maxspan=1m
[[rule.threat]]
framework = "MITRE ATT&CK"
[rule.threat.tactic]
name = "Execution"
id = "TA0002"
reference = "https://attack.mitre.org/tactics/TA0002/"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique]]
name = "Exploitation for Client Execution"
id = "T1203"
reference = "https://attack.mitre.org/techniques/T1203/"
[[rule.threat.technique.subtechnique]]
id = "T1059.004"
name = "Unix Shell"
reference = "https://attack.mitre.org/techniques/T1059/004/"
[[rule.threat.technique]]
id = "T1203"
name = "Exploitation for Client Execution"
reference = "https://attack.mitre.org/techniques/T1203/"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1105"
name = "Ingress Tool Transfer"
reference = "https://attack.mitre.org/techniques/T1105/"
[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"
rules/cross-platform/execution_kubernetes_direct_api_request_via_curl_or_wget.toml
+24 -1
View File
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows", "system", "crowdstrike", "sentinel_one_clo
maturity = "production"
min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
min_stack_version = "9.3.0"
updated_date = "2026/03/26"
updated_date = "2026/03/30"
[rule]
author = ["Elastic"]
@@ -152,6 +152,11 @@ reference = "https://attack.mitre.org/tactics/TA0002/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1069"
name = "Permission Groups Discovery"
reference = "https://attack.mitre.org/techniques/T1069/"
[[rule.threat.technique]]
id = "T1613"
name = "Container and Resource Discovery"
@@ -161,3 +166,21 @@ reference = "https://attack.mitre.org/techniques/T1613/"
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1552"
name = "Unsecured Credentials"
reference = "https://attack.mitre.org/techniques/T1552/"
[[rule.threat.technique.subtechnique]]
id = "T1552.007"
name = "Container API"
reference = "https://attack.mitre.org/techniques/T1552/007/"
[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
rules/cross-platform/execution_nodejs_pre_or_post_install_script_execution.toml
+24 -1
View File
@@ -2,7 +2,7 @@
creation_date = "2025/09/18"
integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2025/12/03"
updated_date = "2026/03/24"
[rule]
author = ["Elastic"]
@@ -83,6 +83,11 @@ id = "T1059.004"
name = "Unix Shell"
reference = "https://attack.mitre.org/techniques/T1059/004/"
[[rule.threat.technique.subtechnique]]
id = "T1059.007"
name = "JavaScript"
reference = "https://attack.mitre.org/techniques/T1059/007/"
[[rule.threat.technique]]
id = "T1204"
name = "User Execution"
@@ -123,3 +128,21 @@ framework = "MITRE ATT&CK"
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1195"
name = "Supply Chain Compromise"
reference = "https://attack.mitre.org/techniques/T1195/"
[[rule.threat.technique.subtechnique]]
id = "T1195.001"
name = "Compromise Software Dependencies and Development Tools"
reference = "https://attack.mitre.org/techniques/T1195/001/"
[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"
rules/cross-platform/execution_openclaw_agent_child_process.toml
+57 -4
View File
@@ -2,7 +2,7 @@
creation_date = "2026/02/02"
integration = ["endpoint"]
maturity = "production"
updated_date = "2026/03/10"
updated_date = "2026/03/24"
[rule]
author = ["Elastic"]
@@ -83,36 +83,89 @@ process where event.type == "start" and
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
id = "T1059.001"
name = "PowerShell"
reference = "https://attack.mitre.org/techniques/T1059/001/"
[[rule.threat.technique.subtechnique]]
id = "T1059.002"
name = "AppleScript"
reference = "https://attack.mitre.org/techniques/T1059/002/"
[[rule.threat.technique.subtechnique]]
id = "T1059.003"
name = "Windows Command Shell"
reference = "https://attack.mitre.org/techniques/T1059/003/"
[[rule.threat.technique.subtechnique]]
id = "T1059.004"
name = "Unix Shell"
reference = "https://attack.mitre.org/techniques/T1059/004/"
[[rule.threat.technique.subtechnique]]
id = "T1059.006"
name = "Python"
reference = "https://attack.mitre.org/techniques/T1059/006/"
[[rule.threat.technique.subtechnique]]
id = "T1059.007"
name = "JavaScript"
reference = "https://attack.mitre.org/techniques/T1059/007/"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1071"
name = "Application Layer Protocol"
reference = "https://attack.mitre.org/techniques/T1071/"
[[rule.threat.technique.subtechnique]]
id = "T1071.001"
name = "Web Protocols"
reference = "https://attack.mitre.org/techniques/T1071/001/"
[[rule.threat.technique]]
id = "T1105"
name = "Ingress Tool Transfer"
reference = "https://attack.mitre.org/techniques/T1105/"
[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1140"
name = "Deobfuscate/Decode Files or Information"
reference = "https://attack.mitre.org/techniques/T1140/"
[[rule.threat.technique]]
id = "T1218"
name = "System Binary Proxy Execution"
reference = "https://attack.mitre.org/techniques/T1218/"
[[rule.threat.technique.subtechnique]]
id = "T1218.011"
name = "Rundll32"
reference = "https://attack.mitre.org/techniques/T1218/011/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
rules/cross-platform/execution_privileged_container_creation_with_host_reference.toml
+6 -1
View File
@@ -2,7 +2,7 @@
creation_date = "2025/11/27"
integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2025/11/27"
updated_date = "2026/03/24"
[rule]
author = ["Elastic"]
@@ -127,6 +127,11 @@ id = "T1609"
name = "Container Administration Command"
reference = "https://attack.mitre.org/techniques/T1609/"
[[rule.threat.technique]]
id = "T1610"
name = "Deploy Container"
reference = "https://attack.mitre.org/techniques/T1610/"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
rules/cross-platform/execution_register_github_actions_runner.toml
+17 -5
View File
@@ -2,7 +2,7 @@
creation_date = "2025/11/26"
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike", "auditd_manager"]
maturity = "production"
updated_date = "2025/11/26"
updated_date = "2026/03/24"
[rule]
author = ["Elastic"]
@@ -95,32 +95,44 @@ process where event.type == "start" and event.action in ("exec", "exec_event", "
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1195"
name = "Supply Chain Compromise"
reference = "https://attack.mitre.org/techniques/T1195/"
[[rule.threat.technique.subtechnique]]
id = "T1195.002"
name = "Compromise Software Supply Chain"
reference = "https://attack.mitre.org/techniques/T1195/002/"
[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1219"
name = "Remote Access Tools"
reference = "https://attack.mitre.org/techniques/T1219/"
[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"
rules/cross-platform/execution_revershell_via_shell_cmd.toml
+14 -2
View File
@@ -2,7 +2,7 @@
creation_date = "2020/01/07"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/09/23"
updated_date = "2026/03/24"
[rule]
author = ["Elastic"]
@@ -89,14 +89,26 @@ process where event.type in ("start", "process_started") and
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1095"
name = "Non-Application Layer Protocol"
reference = "https://attack.mitre.org/techniques/T1095/"
[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"
rules/cross-platform/execution_sap_netweaver_jsp_webshell.toml
+20 -3
View File
@@ -2,7 +2,7 @@
creation_date = "2025/04/26"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/04/26"
updated_date = "2026/03/24"
[rule]
author = ["Elastic"]
@@ -67,24 +67,41 @@ note = """## Triage and analysis
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
id = "T1059.007"
name = "JavaScript"
reference = "https://attack.mitre.org/techniques/T1059/007/"
[[rule.threat.technique]]
id = "T1203"
name = "Exploitation for Client Execution"
reference = "https://attack.mitre.org/techniques/T1203/"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1505"
name = "Server Software Component"
reference = "https://attack.mitre.org/techniques/T1505/"
[[rule.threat.technique.subtechnique]]
id = "T1505.003"
name = "Web Shell"
reference = "https://attack.mitre.org/techniques/T1505/003/"
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
rules/cross-platform/execution_sap_netweaver_webshell_exec.toml
+53 -3
View File
@@ -2,7 +2,7 @@
creation_date = "2025/04/26"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/04/26"
updated_date = "2026/03/24"
[rule]
author = ["Elastic"]
@@ -84,24 +84,74 @@ note = """## Triage and analysis
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
id = "T1059.001"
name = "PowerShell"
reference = "https://attack.mitre.org/techniques/T1059/001/"
[[rule.threat.technique.subtechnique]]
id = "T1059.003"
name = "Windows Command Shell"
reference = "https://attack.mitre.org/techniques/T1059/003/"
[[rule.threat.technique.subtechnique]]
id = "T1059.004"
name = "Unix Shell"
reference = "https://attack.mitre.org/techniques/T1059/004/"
[[rule.threat.technique.subtechnique]]
id = "T1059.006"
name = "Python"
reference = "https://attack.mitre.org/techniques/T1059/006/"
[[rule.threat.technique.subtechnique]]
id = "T1059.007"
name = "JavaScript"
reference = "https://attack.mitre.org/techniques/T1059/007/"
[[rule.threat.technique]]
id = "T1203"
name = "Exploitation for Client Execution"
reference = "https://attack.mitre.org/techniques/T1203/"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1190"
name = "Exploit Public-Facing Application"
reference = "https://attack.mitre.org/techniques/T1190/"
[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1505"
name = "Server Software Component"
reference = "https://attack.mitre.org/techniques/T1505/"
[[rule.threat.technique.subtechnique]]
id = "T1505.003"
name = "Web Shell"
reference = "https://attack.mitre.org/techniques/T1505/003/"
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
rules/cross-platform/execution_suspicious_java_netcon_childproc.toml
+25 -3
View File
@@ -2,7 +2,7 @@
creation_date = "2021/12/10"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/01/27"
updated_date = "2026/03/24"
[rule]
author = ["Elastic"]
@@ -109,24 +109,46 @@ Java Naming and Directory Interface (JNDI) is a Java API that provides naming an
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
id = "T1059.004"
name = "Unix Shell"
reference = "https://attack.mitre.org/techniques/T1059/004/"
[[rule.threat.technique.subtechnique]]
id = "T1059.006"
name = "Python"
reference = "https://attack.mitre.org/techniques/T1059/006/"
[[rule.threat.technique.subtechnique]]
id = "T1059.007"
name = "JavaScript"
reference = "https://attack.mitre.org/techniques/T1059/007/"
[[rule.threat.technique]]
id = "T1203"
name = "Exploitation for Client Execution"
reference = "https://attack.mitre.org/techniques/T1203/"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1190"
name = "Exploit Public-Facing Application"
reference = "https://attack.mitre.org/techniques/T1190/"
[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"
rules/cross-platform/execution_via_github_actions_runner.toml
+50 -3
View File
@@ -2,7 +2,7 @@
creation_date = "2025/11/26"
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike", "auditd_manager"]
maturity = "production"
updated_date = "2025/11/26"
updated_date = "2026/03/24"
[rule]
author = ["Elastic"]
@@ -99,32 +99,79 @@ process where event.type == "start" and event.action in ("exec", "exec_event", "
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
id = "T1059.001"
name = "PowerShell"
reference = "https://attack.mitre.org/techniques/T1059/001/"
[[rule.threat.technique.subtechnique]]
id = "T1059.002"
name = "AppleScript"
reference = "https://attack.mitre.org/techniques/T1059/002/"
[[rule.threat.technique.subtechnique]]
id = "T1059.003"
name = "Windows Command Shell"
reference = "https://attack.mitre.org/techniques/T1059/003/"
[[rule.threat.technique.subtechnique]]
id = "T1059.004"
name = "Unix Shell"
reference = "https://attack.mitre.org/techniques/T1059/004/"
[[rule.threat.technique.subtechnique]]
id = "T1059.006"
name = "Python"
reference = "https://attack.mitre.org/techniques/T1059/006/"
[[rule.threat.technique.subtechnique]]
id = "T1059.007"
name = "JavaScript"
reference = "https://attack.mitre.org/techniques/T1059/007/"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1195"
name = "Supply Chain Compromise"
reference = "https://attack.mitre.org/techniques/T1195/"
[[rule.threat.technique.subtechnique]]
id = "T1195.002"
name = "Compromise Software Supply Chain"
reference = "https://attack.mitre.org/techniques/T1195/002/"
[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1218"
name = "System Binary Proxy Execution"
reference = "https://attack.mitre.org/techniques/T1218/"
[[rule.threat.technique.subtechnique]]
id = "T1218.011"
name = "Rundll32"
reference = "https://attack.mitre.org/techniques/T1218/011/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
rules/cross-platform/execution_via_github_runner_with_runner_tracking_id_tampering_via_env_vars.toml
+43 -34
View File
@@ -2,7 +2,7 @@
creation_date = "2025/11/27"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/11/27"
updated_date = "2026/03/24"
[rule]
author = ["Elastic"]
@@ -115,49 +115,58 @@ not process.env_vars like~ "RUNNER_TRACKING_ID=github_*"
[[rule.threat]]
framework = "MITRE ATT&CK"
[rule.threat.tactic]
name = "Execution"
id = "TA0002"
reference = "https://attack.mitre.org/tactics/TA0002/"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[rule.threat.tactic]
name = "Initial Access"
id = "TA0001"
reference = "https://attack.mitre.org/tactics/TA0001/"
[[rule.threat.technique]]
id = "T1195"
name = "Supply Chain Compromise"
reference = "https://attack.mitre.org/techniques/T1195/"
[[rule.threat.technique]]
name = "Supply Chain Compromise"
id = "T1195"
reference = "https://attack.mitre.org/techniques/T1195/"
[[rule.threat.technique.subtechnique]]
name = "Compromise Software Dependencies and Development Tools"
id = "T1195.001"
reference = "https://attack.mitre.org/techniques/T1195/001/"
[[rule.threat.technique.subtechnique]]
id = "T1195.001"
name = "Compromise Software Dependencies and Development Tools"
reference = "https://attack.mitre.org/techniques/T1195/001/"
[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[rule.threat.tactic]
name = "Defense Evasion"
id = "TA0005"
reference = "https://attack.mitre.org/tactics/TA0005/"
[[rule.threat.technique]]
id = "T1036"
name = "Masquerading"
reference = "https://attack.mitre.org/techniques/T1036/"
[[rule.threat.technique]]
name = "Impair Defenses"
id = "T1562"
reference = "https://attack.mitre.org/techniques/T1562/"
[[rule.threat.technique.subtechnique]]
id = "T1036.009"
name = "Break Process Trees"
reference = "https://attack.mitre.org/techniques/T1036/009/"
[[rule.threat.technique.subtechnique]]
name = "Disable or Modify Tools"
id = "T1562.001"
reference = "https://attack.mitre.org/techniques/T1562/001/"
[[rule.threat.technique]]
id = "T1562"
name = "Impair Defenses"
reference = "https://attack.mitre.org/techniques/T1562/"
[[rule.threat.technique.subtechnique]]
id = "T1562.001"
name = "Disable or Modify Tools"
reference = "https://attack.mitre.org/techniques/T1562/001/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
rules/cross-platform/exfiltration_potential_curl_data_exfiltration.toml
+19 -9
View File
@@ -2,7 +2,7 @@
creation_date = "2025/04/29"
integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "crowdstrike", "auditd_manager"]
maturity = "production"
updated_date = "2026/03/25"
updated_date = "2026/03/30"
[rule]
author = ["Elastic"]
@@ -130,12 +130,22 @@ not process.args : ("https://*/ap/fleet/*", "https://*/api/saved_objects/*", "ht
[[rule.threat]]
framework = "MITRE ATT&CK"
[rule.threat.tactic]
name = "Exfiltration"
id = "TA0010"
reference = "https://attack.mitre.org/tactics/TA0010/"
[[rule.threat.technique]]
id = "T1048"
name = "Exfiltration Over Alternative Protocol"
reference = "https://attack.mitre.org/techniques/T1048/"
[[rule.threat.technique]]
name = "Exfiltration Over Alternative Protocol"
id = "T1048"
reference = "https://attack.mitre.org/techniques/T1048/"
[[rule.threat.technique.subtechnique]]
id = "T1048.001"
name = "Exfiltration Over Symmetric Encrypted Non-C2 Protocol"
reference = "https://attack.mitre.org/techniques/T1048/001/"
[[rule.threat.technique.subtechnique]]
id = "T1048.003"
name = "Exfiltration Over Unencrypted Non-C2 Protocol"
reference = "https://attack.mitre.org/techniques/T1048/003/"
[rule.threat.tactic]
id = "TA0010"
name = "Exfiltration"
reference = "https://attack.mitre.org/tactics/TA0010/"
rules/cross-platform/initial_access_execution_susp_react_serv_child.toml
+75 -1
View File
@@ -2,7 +2,7 @@
creation_date = "2025/12/04"
integration = ["endpoint", "windows", "auditd_manager", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2025/12/19"
updated_date = "2026/03/24"
[rule]
author = ["Elastic"]
@@ -127,3 +127,77 @@ reference = "https://attack.mitre.org/techniques/T1190/"
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1095"
name = "Non-Application Layer Protocol"
reference = "https://attack.mitre.org/techniques/T1095/"
[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1033"
name = "System Owner/User Discovery"
reference = "https://attack.mitre.org/techniques/T1033/"
[[rule.threat.technique]]
id = "T1082"
name = "System Information Discovery"
reference = "https://attack.mitre.org/techniques/T1082/"
[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
id = "T1059.001"
name = "PowerShell"
reference = "https://attack.mitre.org/techniques/T1059/001/"
[[rule.threat.technique.subtechnique]]
id = "T1059.003"
name = "Windows Command Shell"
reference = "https://attack.mitre.org/techniques/T1059/003/"
[[rule.threat.technique.subtechnique]]
id = "T1059.004"
name = "Unix Shell"
reference = "https://attack.mitre.org/techniques/T1059/004/"
[[rule.threat.technique.subtechnique]]
id = "T1059.006"
name = "Python"
reference = "https://attack.mitre.org/techniques/T1059/006/"
[[rule.threat.technique.subtechnique]]
id = "T1059.007"
name = "JavaScript"
reference = "https://attack.mitre.org/techniques/T1059/007/"
[[rule.threat.technique.subtechnique]]
id = "T1059.011"
name = "Lua"
reference = "https://attack.mitre.org/techniques/T1059/011/"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
rules/cross-platform/initial_access_exfiltration_new_usb_device_mounted.toml
+17 -4
View File
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "Device mount events were added as part of the Elastic Defend Device Control feature."
min_stack_version = "9.2.0"
updated_date = "2025/11/11"
updated_date = "2026/03/24"
[rule]
author = ["Elastic"]
@@ -81,34 +81,47 @@ host.os.type:(macos or windows) and event.type:device and event.action:mount and
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1091"
name = "Replication Through Removable Media"
reference = "https://attack.mitre.org/techniques/T1091/"
[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1052"
name = "Exfiltration Over Physical Medium"
reference = "https://attack.mitre.org/techniques/T1052/"
[[rule.threat.technique.subtechnique]]
id = "T1052.001"
name = "Exfiltration over USB"
reference = "https://attack.mitre.org/techniques/T1052/001/"
[rule.threat.tactic]
id = "TA0010"
name = "Exfiltration"
reference = "https://attack.mitre.org/tactics/TA0010/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1091"
name = "Replication Through Removable Media"
reference = "https://attack.mitre.org/techniques/T1091/"
[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"
[rule.new_terms]
field = "new_terms_fields"
value = ["device.serial_number", "host.id"]
rules/cross-platform/initial_access_file_upload_followed_by_get_request.toml
+14 -1
View File
@@ -2,7 +2,7 @@
creation_date = "2025/11/27"
integration = ["endpoint", "network_traffic"]
maturity = "production"
updated_date = "2025/12/08"
updated_date = "2026/03/24"
[rule]
author = ["Elastic"]
@@ -143,3 +143,16 @@ reference = "https://attack.mitre.org/techniques/T1505/003/"
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1105"
name = "Ingress Tool Transfer"
reference = "https://attack.mitre.org/techniques/T1105/"
[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"
rules/cross-platform/initial_access_ollama_api_external_access.toml
+7 -3
View File
@@ -2,7 +2,7 @@
creation_date = "2026/01/09"
integration = ["endpoint"]
maturity = "production"
updated_date = "2026/01/09"
updated_date = "2026/03/24"
[rule]
author = ["Elastic"]
@@ -89,14 +89,18 @@ network where event.action == "connection_accepted" and
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1133"
name = "External Remote Services"
reference = "https://attack.mitre.org/techniques/T1133/"
[[rule.threat.technique]]
id = "T1190"
name = "Exploit Public-Facing Application"
reference = "https://attack.mitre.org/techniques/T1190/"
[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"
rules/cross-platform/initial_access_zoom_meeting_with_no_passcode.toml
+7 -3
View File
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/09/14"
maturity = "production"
updated_date = "2025/01/15"
updated_date = "2026/03/24"
[rule]
author = ["Elastic"]
@@ -72,14 +72,18 @@ Zoom meetings without passcodes are vulnerable to unauthorized access, known as
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1133"
name = "External Remote Services"
reference = "https://attack.mitre.org/techniques/T1133/"
[[rule.threat.technique]]
id = "T1190"
name = "Exploit Public-Facing Application"
reference = "https://attack.mitre.org/techniques/T1190/"
[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"
rules/cross-platform/persistence_web_server_potential_command_injection.toml
+70 -1
View File
@@ -2,7 +2,7 @@
creation_date = "2025/11/19"
integration = ["nginx", "apache", "apache_tomcat", "iis", "traefik"]
maturity = "production"
updated_date = "2026/03/19"
updated_date = "2026/03/24"
[rule]
author = ["Elastic"]
@@ -185,6 +185,16 @@ id = "T1059.004"
name = "Unix Shell"
reference = "https://attack.mitre.org/techniques/T1059/004/"
[[rule.threat.technique.subtechnique]]
id = "T1059.006"
name = "Python"
reference = "https://attack.mitre.org/techniques/T1059/006/"
[[rule.threat.technique.subtechnique]]
id = "T1059.011"
name = "Lua"
reference = "https://attack.mitre.org/techniques/T1059/011/"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
@@ -198,6 +208,11 @@ id = "T1071"
name = "Application Layer Protocol"
reference = "https://attack.mitre.org/techniques/T1071/"
[[rule.threat.technique]]
id = "T1105"
name = "Ingress Tool Transfer"
reference = "https://attack.mitre.org/techniques/T1105/"
[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
@@ -225,3 +240,57 @@ reference = "https://attack.mitre.org/techniques/T1595/003/"
id = "TA0043"
name = "Reconnaissance"
reference = "https://attack.mitre.org/tactics/TA0043/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1003"
name = "OS Credential Dumping"
reference = "https://attack.mitre.org/techniques/T1003/"
[[rule.threat.technique.subtechnique]]
id = "T1003.008"
name = "/etc/passwd and /etc/shadow"
reference = "https://attack.mitre.org/techniques/T1003/008/"
[[rule.threat.technique]]
id = "T1552"
name = "Unsecured Credentials"
reference = "https://attack.mitre.org/techniques/T1552/"
[[rule.threat.technique.subtechnique]]
id = "T1552.001"
name = "Credentials In Files"
reference = "https://attack.mitre.org/techniques/T1552/001/"
[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1140"
name = "Deobfuscate/Decode Files or Information"
reference = "https://attack.mitre.org/techniques/T1140/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1190"
name = "Exploit Public-Facing Application"
reference = "https://attack.mitre.org/techniques/T1190/"
[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"
rules/cross-platform/privilege_escalation_echo_nopasswd_sudoers.toml
+20 -3
View File
@@ -2,7 +2,7 @@
creation_date = "2021/01/26"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/01/15"
updated_date = "2026/03/24"
[rule]
author = ["Elastic"]
@@ -72,19 +72,36 @@ The sudoers file is crucial in Unix-like systems, defining user permissions for
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1548"
name = "Abuse Elevation Control Mechanism"
reference = "https://attack.mitre.org/techniques/T1548/"
[[rule.threat.technique.subtechnique]]
id = "T1548.003"
name = "Sudo and Sudo Caching"
reference = "https://attack.mitre.org/techniques/T1548/003/"
[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1548"
name = "Abuse Elevation Control Mechanism"
reference = "https://attack.mitre.org/techniques/T1548/"
[[rule.threat.technique.subtechnique]]
id = "T1548.003"
name = "Sudo and Sudo Caching"
reference = "https://attack.mitre.org/techniques/T1548/003/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml
+19 -1
View File
@@ -2,7 +2,7 @@
creation_date = "2020/04/23"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/12/23"
updated_date = "2026/03/24"
[rule]
author = ["Elastic"]
@@ -111,3 +111,21 @@ framework = "MITRE ATT&CK"
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1548"
name = "Abuse Elevation Control Mechanism"
reference = "https://attack.mitre.org/techniques/T1548/"
[[rule.threat.technique.subtechnique]]
id = "T1548.001"
name = "Setuid and Setgid"
reference = "https://attack.mitre.org/techniques/T1548/001/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
rules/cross-platform/privilege_escalation_sudo_buffer_overflow.toml
+11 -2
View File
@@ -2,7 +2,7 @@
creation_date = "2021/02/03"
integration = ["endpoint"]
maturity = "production"
updated_date = "2026/02/04"
updated_date = "2026/03/24"
[rule]
author = ["Elastic"]
@@ -88,17 +88,26 @@ Sudo is a critical utility in Unix-like systems, allowing users to execute comma
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1068"
name = "Exploitation for Privilege Escalation"
reference = "https://attack.mitre.org/techniques/T1068/"
[[rule.threat.technique]]
id = "T1548"
name = "Abuse Elevation Control Mechanism"
reference = "https://attack.mitre.org/techniques/T1548/"
[[rule.threat.technique.subtechnique]]
id = "T1548.003"
name = "Sudo and Sudo Caching"
reference = "https://attack.mitre.org/techniques/T1548/003/"
[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
[rule.threshold]
field = ["host.hostname"]
value = 100
rules/cross-platform/privilege_escalation_sudoers_file_mod.toml
+19 -1
View File
@@ -2,7 +2,7 @@
creation_date = "2020/04/13"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/12/23"
updated_date = "2026/03/24"
[rule]
author = ["Elastic"]
@@ -96,3 +96,21 @@ reference = "https://attack.mitre.org/techniques/T1548/003/"
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1548"
name = "Abuse Elevation Control Mechanism"
reference = "https://attack.mitre.org/techniques/T1548/"
[[rule.threat.technique.subtechnique]]
id = "T1548.003"
name = "Sudo and Sudo Caching"
reference = "https://attack.mitre.org/techniques/T1548/003/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
rules/cross-platform/privilege_escalation_trap_execution.toml
+19 -1
View File
@@ -2,7 +2,7 @@
creation_date = "2023/08/24"
integration = ["endpoint", "auditd_manager"]
maturity = "production"
updated_date = "2026/01/12"
updated_date = "2026/03/24"
[rule]
author = ["Elastic"]
@@ -84,3 +84,21 @@ reference = "https://attack.mitre.org/techniques/T1546/005/"
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1546"
name = "Event Triggered Execution"
reference = "https://attack.mitre.org/techniques/T1546/"
[[rule.threat.technique.subtechnique]]
id = "T1546.005"
name = "Trap"
reference = "https://attack.mitre.org/techniques/T1546/005/"
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
rules/integrations/aws/collection_cloudtrail_logging_created.toml
+19 -2
View File
@@ -2,7 +2,7 @@
creation_date = "2020/06/10"
integration = ["aws"]
maturity = "production"
updated_date = "2026/01/16"
updated_date = "2026/03/24"
[rule]
author = ["Elastic"]
@@ -91,17 +91,34 @@ event.dataset: "aws.cloudtrail"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1530"
name = "Data from Cloud Storage"
reference = "https://attack.mitre.org/techniques/T1530/"
[rule.threat.tactic]
id = "TA0009"
name = "Collection"
reference = "https://attack.mitre.org/tactics/TA0009/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1562"
name = "Impair Defenses"
reference = "https://attack.mitre.org/techniques/T1562/"
[[rule.threat.technique.subtechnique]]
id = "T1562.008"
name = "Disable or Modify Cloud Logs"
reference = "https://attack.mitre.org/techniques/T1562/008/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
[rule.investigation_fields]
field_names = [
"@timestamp",
rules/integrations/aws/collection_s3_unauthenticated_bucket_access_by_rare_source.toml
+15 -5
View File
@@ -2,7 +2,7 @@
creation_date = "2024/12/17"
integration = ["aws"]
maturity = "production"
updated_date = "2026/01/16"
updated_date = "2026/03/24"
[rule]
author = ["Elastic"]
@@ -121,42 +121,52 @@ event.dataset: "aws.cloudtrail"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1530"
name = "Data from Cloud Storage"
reference = "https://attack.mitre.org/techniques/T1530/"
[rule.threat.tactic]
id = "TA0009"
name = "Collection"
reference = "https://attack.mitre.org/tactics/TA0009/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1619"
name = "Cloud Storage Object Discovery"
reference = "https://attack.mitre.org/techniques/T1619/"
[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1485"
name = "Data Destruction"
reference = "https://attack.mitre.org/techniques/T1485/"
[[rule.threat.technique]]
id = "T1565"
name = "Data Manipulation"
reference = "https://attack.mitre.org/techniques/T1565/"
[[rule.threat.technique.subtechnique]]
id = "T1565.001"
name = "Stored Data Manipulation"
reference = "https://attack.mitre.org/techniques/T1565/001/"
[rule.threat.tactic]
id = "TA0040"
name = "Impact"
reference = "https://attack.mitre.org/tactics/TA0040/"
[rule.investigation_fields]
field_names = [
"@timestamp",
rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml
+20 -3
View File
@@ -2,7 +2,7 @@
creation_date = "2024/04/10"
integration = ["aws"]
maturity = "production"
updated_date = "2025/06/04"
updated_date = "2026/03/24"
[rule]
author = ["Elastic"]
@@ -95,22 +95,39 @@ field_names = [
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1552"
name = "Unsecured Credentials"
reference = "https://attack.mitre.org/techniques/T1552/"
[[rule.threat.technique.subtechnique]]
id = "T1552.005"
name = "Cloud Instance Metadata API"
reference = "https://attack.mitre.org/techniques/T1552/005/"
[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"
[[rule.threat.technique.subtechnique]]
id = "T1078.004"
name = "Cloud Accounts"
reference = "https://attack.mitre.org/techniques/T1078/004/"
[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
[rule.new_terms]
field = "new_terms_fields"
value = ["aws.cloudtrail.user_identity.session_context.session_issuer.arn"]
rules/integrations/aws/credential_access_iam_compromisedkeyquarantine_policy_attached_to_user.toml
+19 -2
View File
@@ -2,7 +2,7 @@
creation_date = "2024/07/20"
integration = ["aws"]
maturity = "production"
updated_date = "2025/11/04"
updated_date = "2026/03/24"
[rule]
author = ["Elastic"]
@@ -78,17 +78,34 @@ iam where event.dataset == "aws.cloudtrail"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1552"
name = "Unsecured Credentials"
reference = "https://attack.mitre.org/techniques/T1552/"
[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"
[[rule.threat.technique.subtechnique]]
id = "T1078.004"
name = "Cloud Accounts"
reference = "https://attack.mitre.org/techniques/T1078/004/"
[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"
[rule.investigation_fields]
field_names = [
"@timestamp",
rules/integrations/aws/credential_access_iam_user_addition_to_group.toml
+24 -1
View File
@@ -2,7 +2,7 @@
creation_date = "2020/06/04"
integration = ["aws"]
maturity = "production"
updated_date = "2026/01/16"
updated_date = "2026/03/24"
[rule]
author = ["Elastic"]
@@ -101,19 +101,42 @@ framework = "MITRE ATT&CK"
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1098"
name = "Account Manipulation"
reference = "https://attack.mitre.org/techniques/T1098/"
[[rule.threat.technique.subtechnique]]
id = "T1098.003"
name = "Additional Cloud Roles"
reference = "https://attack.mitre.org/techniques/T1098/003/"
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1098"
name = "Account Manipulation"
reference = "https://attack.mitre.org/techniques/T1098/"
[[rule.threat.technique.subtechnique]]
id = "T1098.003"
name = "Additional Cloud Roles"
reference = "https://attack.mitre.org/techniques/T1098/003/"
[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
[rule.investigation_fields]
field_names = [
"@timestamp",
rules/integrations/aws/credential_access_rapid_secret_retrieval_attempts_from_secretsmanager.toml
+20 -3
View File
@@ -2,7 +2,7 @@
creation_date = "2024/04/11"
integration = ["aws"]
maturity = "production"
updated_date = "2025/11/07"
updated_date = "2026/03/24"
[rule]
author = ["Elastic"]
@@ -130,22 +130,39 @@ event.dataset: "aws.cloudtrail"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1555"
name = "Credentials from Password Stores"
reference = "https://attack.mitre.org/techniques/T1555/"
[[rule.threat.technique.subtechnique]]
id = "T1555.006"
name = "Cloud Secrets Management Stores"
reference = "https://attack.mitre.org/techniques/T1555/006/"
[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1213"
name = "Data from Information Repositories"
reference = "https://attack.mitre.org/techniques/T1213/"
[[rule.threat.technique.subtechnique]]
id = "T1213.006"
name = "Databases"
reference = "https://attack.mitre.org/techniques/T1213/006/"
[rule.threat.tactic]
id = "TA0009"
name = "Collection"
reference = "https://attack.mitre.org/tactics/TA0009/"
[rule.threshold]
field = ["user.id"]
value = 1
rules/integrations/aws/credential_access_root_console_failure_brute_force.toml
+6 -2
View File
@@ -2,7 +2,7 @@
creation_date = "2020/07/21"
integration = ["aws"]
maturity = "production"
updated_date = "2026/01/16"
updated_date = "2026/03/24"
[rule]
author = ["Elastic"]
@@ -132,17 +132,21 @@ field_names = [
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1110"
name = "Brute Force"
reference = "https://attack.mitre.org/techniques/T1110/"
[[rule.threat.technique.subtechnique]]
id = "T1110.001"
name = "Password Guessing"
reference = "https://attack.mitre.org/techniques/T1110/001/"
[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
[rule.threshold]
field = ["cloud.account.id"]
value = 10
rules/integrations/aws/defense_evasion_cloudtrail_logging_deleted.toml
+7 -3
View File
@@ -2,7 +2,7 @@
creation_date = "2020/05/26"
integration = ["aws"]
maturity = "production"
updated_date = "2026/01/21"
updated_date = "2026/03/24"
[rule]
author = ["Elastic"]
@@ -82,22 +82,26 @@ event.dataset: "aws.cloudtrail"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1562"
name = "Impair Defenses"
reference = "https://attack.mitre.org/techniques/T1562/"
[[rule.threat.technique.subtechnique]]
id = "T1562.001"
name = "Disable or Modify Tools"
reference = "https://attack.mitre.org/techniques/T1562/001/"
[[rule.threat.technique.subtechnique]]
id = "T1562.008"
name = "Disable or Modify Cloud Logs"
reference = "https://attack.mitre.org/techniques/T1562/008/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
[rule.investigation_fields]
field_names = [
"@timestamp",
rules/integrations/aws/defense_evasion_cloudtrail_logging_suspended.toml
+7 -3
View File
@@ -2,7 +2,7 @@
creation_date = "2020/06/10"
integration = ["aws"]
maturity = "production"
updated_date = "2026/01/21"
updated_date = "2026/03/24"
[rule]
author = ["Elastic"]
@@ -83,22 +83,26 @@ event.dataset: "aws.cloudtrail"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1562"
name = "Impair Defenses"
reference = "https://attack.mitre.org/techniques/T1562/"
[[rule.threat.technique.subtechnique]]
id = "T1562.001"
name = "Disable or Modify Tools"
reference = "https://attack.mitre.org/techniques/T1562/001/"
[[rule.threat.technique.subtechnique]]
id = "T1562.008"
name = "Disable or Modify Cloud Logs"
reference = "https://attack.mitre.org/techniques/T1562/008/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
[rule.investigation_fields]
field_names = [
"@timestamp",
rules/integrations/aws/defense_evasion_ec2_serial_console_access_enabled.toml
+11 -2
View File
@@ -2,7 +2,7 @@
creation_date = "2026/02/05"
integration = ["aws"]
maturity = "production"
updated_date = "2026/02/05"
updated_date = "2026/03/24"
[rule]
author = ["Elastic"]
@@ -116,22 +116,31 @@ event.dataset: "aws.cloudtrail"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1562"
name = "Impair Defenses"
reference = "https://attack.mitre.org/techniques/T1562/"
[[rule.threat.technique.subtechnique]]
id = "T1562.001"
name = "Disable or Modify Tools"
reference = "https://attack.mitre.org/techniques/T1562/001/"
[[rule.threat.technique]]
id = "T1578"
name = "Modify Cloud Compute Infrastructure"
reference = "https://attack.mitre.org/techniques/T1578/"
[[rule.threat.technique.subtechnique]]
id = "T1578.005"
name = "Modify Cloud Compute Configurations"
reference = "https://attack.mitre.org/techniques/T1578/005/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
[rule.investigation_fields]
field_names = [
"@timestamp",
rules/integrations/aws/defense_evasion_rds_instance_restored.toml
+20 -3
View File
@@ -2,7 +2,7 @@
creation_date = "2021/06/29"
integration = ["aws"]
maturity = "production"
updated_date = "2026/01/21"
updated_date = "2026/03/24"
[rule]
author = ["Austin Songer", "Elastic"]
@@ -153,10 +153,12 @@ event.dataset: "aws.cloudtrail"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1578"
name = "Modify Cloud Compute Infrastructure"
reference = "https://attack.mitre.org/techniques/T1578/"
[[rule.threat.technique.subtechnique]]
id = "T1578.002"
name = "Create Cloud Instance"
@@ -167,13 +169,28 @@ id = "T1578.004"
name = "Revert Cloud Instance"
reference = "https://attack.mitre.org/techniques/T1578/004/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1074"
name = "Data Staged"
reference = "https://attack.mitre.org/techniques/T1074/"
[[rule.threat.technique.subtechnique]]
id = "T1074.002"
name = "Remote Data Staging"
reference = "https://attack.mitre.org/techniques/T1074/002/"
[rule.threat.tactic]
id = "TA0009"
name = "Collection"
reference = "https://attack.mitre.org/tactics/TA0009/"
[rule.investigation_fields]
field_names = [
"@timestamp",
rules/integrations/aws/defense_evasion_s3_bucket_configuration_deletion.toml
+10 -5
View File
@@ -2,7 +2,7 @@
creation_date = "2020/05/27"
integration = ["aws"]
maturity = "production"
updated_date = "2026/01/16"
updated_date = "2026/03/24"
[rule]
author = ["Elastic"]
@@ -122,6 +122,7 @@ event.dataset:aws.cloudtrail and
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1070"
name = "Indicator Removal"
@@ -131,30 +132,34 @@ reference = "https://attack.mitre.org/techniques/T1070/"
id = "T1562"
name = "Impair Defenses"
reference = "https://attack.mitre.org/techniques/T1562/"
[[rule.threat.technique.subtechnique]]
id = "T1562.001"
name = "Disable or Modify Tools"
reference = "https://attack.mitre.org/techniques/T1562/001/"
[[rule.threat.technique.subtechnique]]
id = "T1562.008"
name = "Disable or Modify Cloud Logs"
reference = "https://attack.mitre.org/techniques/T1562/008/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1490"
name = "Inhibit System Recovery"
reference = "https://attack.mitre.org/techniques/T1490/"
[rule.threat.tactic]
id = "TA0040"
name = "Impact"
reference = "https://attack.mitre.org/tactics/TA0040/"
[rule.investigation_fields]
field_names = [
"@timestamp",
rules/integrations/aws/defense_evasion_sqs_purge_queue.toml
+15 -3
View File
@@ -2,7 +2,7 @@
creation_date = "2025/01/08"
integration = ["aws"]
maturity = "production"
updated_date = "2026/01/16"
updated_date = "2026/03/24"
[rule]
author = ["Elastic"]
@@ -99,22 +99,34 @@ event.dataset: "aws.cloudtrail"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1562"
name = "Impair Defenses"
reference = "https://attack.mitre.org/techniques/T1562/"
[[rule.threat.technique.subtechnique]]
id = "T1562.008"
name = "Disable or Modify Cloud Logs"
reference = "https://attack.mitre.org/techniques/T1562/008/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1485"
name = "Data Destruction"
reference = "https://attack.mitre.org/techniques/T1485/"
[rule.threat.tactic]
id = "TA0040"
name = "Impact"
reference = "https://attack.mitre.org/tactics/TA0040/"
[rule.investigation_fields]
field_names = [
"@timestamp",
rules/integrations/aws/defense_evasion_vpc_security_group_ingress_rule_added_for_remote_connections.toml
+15 -3
View File
@@ -2,7 +2,7 @@
creation_date = "2024/04/16"
integration = ["aws"]
maturity = "production"
updated_date = "2025/07/10"
updated_date = "2026/03/24"
[rule]
author = ["Elastic"]
@@ -100,19 +100,31 @@ field_names = [
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1562"
name = "Impair Defenses"
reference = "https://attack.mitre.org/techniques/T1562/"
[[rule.threat.technique.subtechnique]]
id = "T1562.007"
name = "Disable or Modify Cloud Firewall"
reference = "https://attack.mitre.org/techniques/T1562/007/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1133"
name = "External Remote Services"
reference = "https://attack.mitre.org/techniques/T1133/"
[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"
rules/integrations/aws/discovery_iam_principal_enumeration_via_update_assume_role_policy.toml
+15 -5
View File
@@ -2,7 +2,7 @@
creation_date = "2020/07/16"
integration = ["aws"]
maturity = "production"
updated_date = "2026/01/16"
updated_date = "2026/03/24"
[rule]
author = ["Elastic"]
@@ -115,34 +115,44 @@ event.dataset: "aws.cloudtrail"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1069"
name = "Permission Groups Discovery"
reference = "https://attack.mitre.org/techniques/T1069/"
[[rule.threat.technique.subtechnique]]
id = "T1069.003"
name = "Cloud Groups"
reference = "https://attack.mitre.org/techniques/T1069/003/"
[[rule.threat.technique]]
id = "T1087"
name = "Account Discovery"
reference = "https://attack.mitre.org/techniques/T1087/"
[[rule.threat.technique.subtechnique]]
id = "T1087.004"
name = "Cloud Account"
reference = "https://attack.mitre.org/techniques/T1087/004/"
[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1110"
name = "Brute Force"
reference = "https://attack.mitre.org/techniques/T1110/"
[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
[rule.threshold]
field = ["cloud.account.id", "user.name", "source.ip"]
value = 25
rules/integrations/aws/discovery_multiple_discovery_api_calls_via_cli.toml
+7 -3
View File
@@ -2,7 +2,7 @@
creation_date = "2024/11/04"
integration = ["aws"]
maturity = "production"
updated_date = "2026/01/16"
updated_date = "2026/03/24"
[rule]
author = ["Elastic"]
@@ -210,17 +210,21 @@ from logs-aws.cloudtrail-* metadata _id, _version, _index
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1526"
name = "Cloud Service Discovery"
reference = "https://attack.mitre.org/techniques/T1526/"
[[rule.threat.technique]]
id = "T1580"
name = "Cloud Infrastructure Discovery"
reference = "https://attack.mitre.org/techniques/T1580/"
[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"
[rule.investigation_fields]
field_names = [
"Esql.event_action_count_distinct",
rules/integrations/aws/discovery_new_terms_sts_getcalleridentity.toml
+8 -2
View File
@@ -2,7 +2,7 @@
creation_date = "2024/05/24"
integration = ["aws"]
maturity = "production"
updated_date = "2025/08/19"
updated_date = "2026/03/24"
[rule]
author = ["Elastic"]
@@ -116,10 +116,17 @@ field_names = [
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1033"
name = "System Owner/User Discovery"
reference = "https://attack.mitre.org/techniques/T1033/"
[[rule.threat.technique]]
id = "T1087"
name = "Account Discovery"
reference = "https://attack.mitre.org/techniques/T1087/"
[[rule.threat.technique.subtechnique]]
id = "T1087.004"
name = "Cloud Account"
@@ -129,7 +136,6 @@ reference = "https://attack.mitre.org/techniques/T1087/004/"
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"
[rule.new_terms]
field = "new_terms_fields"
value = ["aws.cloudtrail.user_identity.arn"]
rules/integrations/aws/discovery_servicequotas_multi_region_service_quota_requests.toml
+7 -3
View File
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2024/08/26"
maturity = "production"
updated_date = "2026/01/16"
updated_date = "2026/03/24"
[rule]
author = ["Elastic"]
@@ -146,17 +146,21 @@ from logs-aws.cloudtrail-* METADATA _id, _version, _index
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1526"
name = "Cloud Service Discovery"
reference = "https://attack.mitre.org/techniques/T1526/"
[[rule.threat.technique]]
id = "T1580"
name = "Cloud Infrastructure Discovery"
reference = "https://attack.mitre.org/techniques/T1580/"
[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"
[rule.investigation_fields]
field_names = [
"Esql.cloud_region_count_distinct",
rules/integrations/aws/discovery_ssm_inventory_reconnaissance.toml
+7 -2
View File
@@ -2,7 +2,7 @@
creation_date = "2026/02/11"
integration = ["aws"]
maturity = "production"
updated_date = "2026/02/18"
updated_date = "2026/03/24"
[rule]
author = ["Elastic"]
@@ -124,6 +124,12 @@ field_names = [
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1518"
name = "Software Discovery"
reference = "https://attack.mitre.org/techniques/T1518/"
[[rule.threat.technique]]
id = "T1538"
name = "Cloud Service Dashboard"
@@ -138,7 +144,6 @@ reference = "https://attack.mitre.org/techniques/T1580/"
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"
[rule.new_terms]
field = "new_terms_fields"
value = ["cloud.account.id", "user.name"]
rules/integrations/aws/execution_cloudshell_environment_created.toml
+20 -3
View File
@@ -2,7 +2,7 @@
creation_date = "2026/03/12"
integration = ["aws"]
maturity = "production"
updated_date = "2026/03/12"
updated_date = "2026/03/24"
[rule]
author = ["Elastic"]
@@ -104,22 +104,39 @@ event.dataset: "aws.cloudtrail"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
id = "T1059.009"
name = "Cloud API"
reference = "https://attack.mitre.org/techniques/T1059/009/"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"
[[rule.threat.technique.subtechnique]]
id = "T1078.004"
name = "Cloud Accounts"
reference = "https://attack.mitre.org/techniques/T1078/004/"
[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"
[rule.investigation_fields]
field_names = [
"@timestamp",
rules/integrations/aws/execution_lambda_external_layer_added_to_function.toml
+19 -2
View File
@@ -2,7 +2,7 @@
creation_date = "2024/04/30"
integration = ["aws"]
maturity = "production"
updated_date = "2026/01/16"
updated_date = "2026/03/24"
[rule]
author = ["Elastic"]
@@ -107,17 +107,34 @@ event.dataset: aws.cloudtrail
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1648"
name = "Serverless Execution"
reference = "https://attack.mitre.org/techniques/T1648/"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1578"
name = "Modify Cloud Compute Infrastructure"
reference = "https://attack.mitre.org/techniques/T1578/"
[[rule.threat.technique.subtechnique]]
id = "T1578.005"
name = "Modify Cloud Compute Configurations"
reference = "https://attack.mitre.org/techniques/T1578/005/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
[rule.investigation_fields]
field_names = [
"@timestamp",
rules/integrations/aws/execution_new_terms_cloudformation_createstack.toml
+7 -2
View File
@@ -2,7 +2,7 @@
creation_date = "2024/07/25"
integration = ["aws"]
maturity = "production"
updated_date = "2026/01/16"
updated_date = "2026/03/24"
[rule]
author = ["Elastic"]
@@ -101,11 +101,16 @@ framework = "MITRE ATT&CK"
id = "T1648"
name = "Serverless Execution"
reference = "https://attack.mitre.org/techniques/T1648/"
[[rule.threat.technique]]
id = "T1651"
name = "Cloud Administration Command"
reference = "https://attack.mitre.org/techniques/T1651/"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
[rule.new_terms]
field = "new_terms_fields"
value = ["cloud.account.id", "user.name"]
rules/integrations/aws/exfiltration_dynamodb_scan_by_unusual_user.toml
+9 -4
View File
@@ -2,7 +2,7 @@
creation_date = "2025/03/13"
integration = ["aws"]
maturity = "production"
updated_date = "2025/09/08"
updated_date = "2026/03/24"
[rule]
author = ["Elastic"]
@@ -82,29 +82,34 @@ event.dataset: "aws.cloudtrail"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1567"
name = "Exfiltration Over Web Service"
reference = "https://attack.mitre.org/techniques/T1567/"
[rule.threat.tactic]
id = "TA0010"
name = "Exfiltration"
reference = "https://attack.mitre.org/tactics/TA0010/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1213"
name = "Data from Information Repositories"
reference = "https://attack.mitre.org/techniques/T1213/"
[[rule.threat.technique]]
id = "T1530"
name = "Data from Cloud Storage"
reference = "https://attack.mitre.org/techniques/T1530/"
[rule.threat.tactic]
id = "TA0009"
name = "Collection"
reference = "https://attack.mitre.org/tactics/TA0009/"
[rule.investigation_fields]
field_names = [
"@timestamp",
rules/integrations/aws/exfiltration_dynamodb_table_exported_to_s3.toml
+15 -3
View File
@@ -2,7 +2,7 @@
creation_date = "2025/03/13"
integration = ["aws"]
maturity = "production"
updated_date = "2025/09/08"
updated_date = "2026/03/24"
[rule]
author = ["Elastic"]
@@ -73,22 +73,34 @@ event.dataset: "aws.cloudtrail"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1567"
name = "Exfiltration Over Web Service"
reference = "https://attack.mitre.org/techniques/T1567/"
[[rule.threat.technique.subtechnique]]
id = "T1567.002"
name = "Exfiltration to Cloud Storage"
reference = "https://attack.mitre.org/techniques/T1567/002/"
[rule.threat.tactic]
id = "TA0010"
name = "Exfiltration"
reference = "https://attack.mitre.org/tactics/TA0010/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1213"
name = "Data from Information Repositories"
reference = "https://attack.mitre.org/techniques/T1213/"
[rule.threat.tactic]
id = "TA0009"
name = "Collection"
reference = "https://attack.mitre.org/tactics/TA0009/"
[rule.investigation_fields]
field_names = [
"@timestamp",
rules/integrations/aws/exfiltration_ec2_export_task.toml
+13 -3
View File
@@ -2,7 +2,7 @@
creation_date = "2025/10/23"
integration = ["aws"]
maturity = "production"
updated_date = "2026/01/16"
updated_date = "2026/03/24"
[rule]
author = ["Elastic"]
@@ -100,18 +100,30 @@ event.dataset: "aws.cloudtrail" and
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1537"
name = "Transfer Data to Cloud Account"
reference = "https://attack.mitre.org/techniques/T1537/"
[[rule.threat.technique]]
id = "T1567"
name = "Exfiltration Over Web Service"
reference = "https://attack.mitre.org/techniques/T1567/"
[[rule.threat.technique.subtechnique]]
id = "T1567.002"
name = "Exfiltration to Cloud Storage"
reference = "https://attack.mitre.org/techniques/T1567/002/"
[rule.threat.tactic]
id = "TA0010"
name = "Exfiltration"
reference = "https://attack.mitre.org/tactics/TA0010/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1005"
name = "Data from Local System"
@@ -127,12 +139,10 @@ id = "T1530"
name = "Data from Cloud Storage"
reference = "https://attack.mitre.org/techniques/T1530/"
[rule.threat.tactic]
id = "TA0009"
name = "Collection"
reference = "https://attack.mitre.org/tactics/TA0009/"
[rule.investigation_fields]
field_names = [
"@timestamp",
rules/integrations/aws/exfiltration_ec2_full_network_packet_capture_detected.toml
+18 -4
View File
@@ -2,7 +2,7 @@
creation_date = "2021/05/05"
integration = ["aws"]
maturity = "production"
updated_date = "2026/01/21"
updated_date = "2026/03/24"
[rule]
author = ["Elastic", "Austin Songer"]
@@ -122,6 +122,7 @@ event.dataset: "aws.cloudtrail" and
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1020"
name = "Automated Exfiltration"
@@ -132,36 +133,49 @@ id = "T1537"
name = "Transfer Data to Cloud Account"
reference = "https://attack.mitre.org/techniques/T1537/"
[rule.threat.tactic]
id = "TA0010"
name = "Exfiltration"
reference = "https://attack.mitre.org/tactics/TA0010/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1074"
name = "Data Staged"
reference = "https://attack.mitre.org/techniques/T1074/"
[rule.threat.tactic]
id = "TA0009"
name = "Collection"
reference = "https://attack.mitre.org/tactics/TA0009/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1040"
name = "Network Sniffing"
reference = "https://attack.mitre.org/techniques/T1040/"
[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1040"
name = "Network Sniffing"
reference = "https://attack.mitre.org/techniques/T1040/"
[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
[rule.investigation_fields]
field_names = [
"@timestamp",
rules/integrations/aws/exfiltration_rds_snapshot_export.toml
+14 -4
View File
@@ -2,7 +2,7 @@
creation_date = "2021/06/06"
integration = ["aws"]
maturity = "production"
updated_date = "2026/01/16"
updated_date = "2026/03/24"
[rule]
author = ["Elastic", "Austin Songer"]
@@ -151,28 +151,38 @@ event.dataset: aws.cloudtrail
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1567"
name = "Exfiltration Over Web Service"
reference = "https://attack.mitre.org/techniques/T1567/"
[[rule.threat.technique.subtechnique]]
id = "T1567.002"
name = "Exfiltration to Cloud Storage"
reference = "https://attack.mitre.org/techniques/T1567/002/"
[rule.threat.tactic]
id = "TA0010"
name = "Exfiltration"
reference = "https://attack.mitre.org/tactics/TA0010/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1213"
name = "Data from Information Repositories"
reference = "https://attack.mitre.org/techniques/T1213/"
[[rule.threat.technique.subtechnique]]
id = "T1213.006"
name = "Databases"
reference = "https://attack.mitre.org/techniques/T1213/006/"
[rule.threat.tactic]
id = "TA0009"
name = "Collection"
reference = "https://attack.mitre.org/tactics/TA0009/"
[rule.investigation_fields]
field_names = [
"@timestamp",
rules/integrations/aws/exfiltration_s3_bucket_policy_added_for_external_account_access.toml
+16 -3
View File
@@ -2,7 +2,7 @@
creation_date = "2024/04/17"
integration = ["aws"]
maturity = "production"
updated_date = "2026/01/16"
updated_date = "2026/03/24"
[rule]
author = ["Elastic"]
@@ -148,29 +148,42 @@ and not stringContains(aws.cloudtrail.request_parameters, aws.cloudtrail.recipie
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1537"
name = "Transfer Data to Cloud Account"
reference = "https://attack.mitre.org/techniques/T1537/"
[rule.threat.tactic]
id = "TA0010"
name = "Exfiltration"
reference = "https://attack.mitre.org/tactics/TA0010/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1530"
name = "Data from Cloud Storage"
reference = "https://attack.mitre.org/techniques/T1530/"
[rule.threat.tactic]
id = "TA0009"
name = "Collection"
reference = "https://attack.mitre.org/tactics/TA0009/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1098"
name = "Account Manipulation"
reference = "https://attack.mitre.org/techniques/T1098/"
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
[rule.investigation_fields]
field_names = [
"@timestamp",
rules/integrations/aws/exfiltration_s3_bucket_replicated_to_external_account.toml
+11 -2
View File
@@ -2,7 +2,7 @@
creation_date = "2024/07/12"
integration = ["aws"]
maturity = "production"
updated_date = "2026/01/21"
updated_date = "2026/03/24"
[rule]
author = ["Elastic"]
@@ -148,17 +148,26 @@ info where event.dataset == "aws.cloudtrail"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1537"
name = "Transfer Data to Cloud Account"
reference = "https://attack.mitre.org/techniques/T1537/"
[[rule.threat.technique]]
id = "T1567"
name = "Exfiltration Over Web Service"
reference = "https://attack.mitre.org/techniques/T1567/"
[[rule.threat.technique.subtechnique]]
id = "T1567.002"
name = "Exfiltration to Cloud Storage"
reference = "https://attack.mitre.org/techniques/T1567/002/"
[rule.threat.tactic]
id = "TA0010"
name = "Exfiltration"
reference = "https://attack.mitre.org/tactics/TA0010/"
[rule.investigation_fields]
field_names = [
"@timestamp",
rules/integrations/aws/exfiltration_s3_uncommon_client_user_agent.toml
+15 -3
View File
@@ -2,7 +2,7 @@
creation_date = "2026/02/09"
integration = ["aws"]
maturity = "production"
updated_date = "2026/02/09"
updated_date = "2026/03/24"
[rule]
author = ["Elastic"]
@@ -109,22 +109,34 @@ event.dataset: "aws.cloudtrail"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1567"
name = "Exfiltration Over Web Service"
reference = "https://attack.mitre.org/techniques/T1567/"
[[rule.threat.technique.subtechnique]]
id = "T1567.002"
name = "Exfiltration to Cloud Storage"
reference = "https://attack.mitre.org/techniques/T1567/002/"
[rule.threat.tactic]
id = "TA0010"
name = "Exfiltration"
reference = "https://attack.mitre.org/tactics/TA0010/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1530"
name = "Data from Cloud Storage"
reference = "https://attack.mitre.org/techniques/T1530/"
[rule.threat.tactic]
id = "TA0009"
name = "Collection"
reference = "https://attack.mitre.org/tactics/TA0009/"
[rule.investigation_fields]
field_names = [
"@timestamp",
rules/integrations/aws/exfiltration_sns_rare_protocol_subscription_by_user.toml
+25 -6
View File
@@ -2,12 +2,12 @@
creation_date = "2024/11/01"
integration = ["aws"]
maturity = "production"
updated_date = "2026/01/21"
updated_date = "2026/03/24"
[rule]
author = ["Elastic"]
description = """
Identifies when a use subscribes to an SNS topic using a new protocol type (ie. email, http, lambda, etc.). SNS allows users to subscribe to recieve topic messages across a broad range of protocols like email, sms, lambda functions, http endpoints, and applications. Adversaries may subscribe to an SNS topic to collect sensitive information or exfiltrate data via an external email address, cross-account AWS service or other means. This rule identifies a new protocol subscription method for a particular user.
Identifies when a user subscribes to an SNS topic using a new protocol type (ie. email, http, lambda, etc.). SNS allows users to subscribe to recieve topic messages across a broad range of protocols like email, sms, lambda functions, http endpoints, and applications. Adversaries may subscribe to an SNS topic to collect sensitive information or exfiltrate data via an external email address, cross-account AWS service or other means. This rule identifies a new protocol subscription method for a particular user.
"""
false_positives = [
"""
@@ -88,46 +88,65 @@ event.dataset: "aws.cloudtrail"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1567"
name = "Exfiltration Over Web Service"
reference = "https://attack.mitre.org/techniques/T1567/"
[rule.threat.tactic]
id = "TA0010"
name = "Exfiltration"
reference = "https://attack.mitre.org/tactics/TA0010/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1530"
name = "Data from Cloud Storage"
reference = "https://attack.mitre.org/techniques/T1530/"
[rule.threat.tactic]
id = "TA0009"
name = "Collection"
reference = "https://attack.mitre.org/tactics/TA0009/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1496"
name = "Resource Hijacking"
reference = "https://attack.mitre.org/techniques/T1496/"
[[rule.threat.technique.subtechnique]]
id = "T1496.004"
name = "Cloud Service Hijacking"
reference = "https://attack.mitre.org/techniques/T1496/004/"
[rule.threat.tactic]
id = "TA0040"
name = "Impact"
reference = "https://attack.mitre.org/tactics/TA0040/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1102"
name = "Web Service"
reference = "https://attack.mitre.org/techniques/T1102/"
[[rule.threat.technique.subtechnique]]
id = "T1102.003"
name = "One-Way Communication"
reference = "https://attack.mitre.org/techniques/T1102/003/"
[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"
[rule.investigation_fields]
field_names = [
"@timestamp",
rules/integrations/aws/impact_aws_eventbridge_rule_disabled_or_deleted.toml
+19 -2
View File
@@ -2,7 +2,7 @@
creation_date = "2021/10/17"
integration = ["aws"]
maturity = "production"
updated_date = "2026/01/16"
updated_date = "2026/03/24"
[rule]
author = ["Austin Songer", "Elastic"]
@@ -121,17 +121,34 @@ event.dataset: aws.cloudtrail
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1489"
name = "Service Stop"
reference = "https://attack.mitre.org/techniques/T1489/"
[rule.threat.tactic]
id = "TA0040"
name = "Impact"
reference = "https://attack.mitre.org/tactics/TA0040/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1562"
name = "Impair Defenses"
reference = "https://attack.mitre.org/techniques/T1562/"
[[rule.threat.technique.subtechnique]]
id = "T1562.001"
name = "Disable or Modify Tools"
reference = "https://attack.mitre.org/techniques/T1562/001/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
[rule.investigation_fields]
field_names = [
"@timestamp",
rules/integrations/aws/impact_aws_s3_bucket_enumeration_or_brute_force.toml
+11 -5
View File
@@ -2,7 +2,7 @@
creation_date = "2024/05/01"
integration = ["aws"]
maturity = "production"
updated_date = "2026/01/16"
updated_date = "2026/03/24"
[rule]
author = ["Elastic"]
@@ -111,18 +111,25 @@ field_names = [
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1657"
name = "Financial Theft"
reference = "https://attack.mitre.org/techniques/T1657/"
[rule.threat.tactic]
id = "TA0040"
name = "Impact"
reference = "https://attack.mitre.org/tactics/TA0040/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1580"
name = "Cloud Infrastructure Discovery"
reference = "https://attack.mitre.org/techniques/T1580/"
[[rule.threat.technique]]
id = "T1619"
name = "Cloud Storage Object Discovery"
@@ -132,20 +139,19 @@ reference = "https://attack.mitre.org/techniques/T1619/"
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1530"
name = "Data from Cloud Storage"
reference = "https://attack.mitre.org/techniques/T1530/"
[rule.threat.tactic]
id = "TA0009"
name = "Collection"
reference = "https://attack.mitre.org/tactics/TA0009/"
[rule.threshold]
field = ["tls.client.server_name", "source.address", "aws.cloudtrail.user_identity.type"]
value = 1
rules/integrations/aws/impact_cloudtrail_logging_updated.toml
+22 -4
View File
@@ -2,7 +2,7 @@
creation_date = "2020/06/10"
integration = ["aws"]
maturity = "production"
updated_date = "2026/01/16"
updated_date = "2026/03/24"
[rule]
author = ["Elastic"]
@@ -87,34 +87,52 @@ event.dataset: "aws.cloudtrail"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1565"
name = "Data Manipulation"
reference = "https://attack.mitre.org/techniques/T1565/"
[[rule.threat.technique.subtechnique]]
id = "T1565.001"
name = "Stored Data Manipulation"
reference = "https://attack.mitre.org/techniques/T1565/001/"
[rule.threat.tactic]
id = "TA0040"
name = "Impact"
reference = "https://attack.mitre.org/tactics/TA0040/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1530"
name = "Data from Cloud Storage"
reference = "https://attack.mitre.org/techniques/T1530/"
[rule.threat.tactic]
id = "TA0009"
name = "Collection"
reference = "https://attack.mitre.org/tactics/TA0009/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1562"
name = "Impair Defenses"
reference = "https://attack.mitre.org/techniques/T1562/"
[[rule.threat.technique.subtechnique]]
id = "T1562.008"
name = "Disable or Modify Cloud Logs"
reference = "https://attack.mitre.org/techniques/T1562/008/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
[rule.investigation_fields]
field_names = [
"@timestamp",
rules/integrations/aws/impact_cloudwatch_log_group_deletion.toml
+9 -4
View File
@@ -2,7 +2,7 @@
creation_date = "2020/05/18"
integration = ["aws"]
maturity = "production"
updated_date = "2026/01/21"
updated_date = "2026/03/24"
[rule]
author = ["Elastic"]
@@ -151,34 +151,39 @@ event.dataset: "aws.cloudtrail"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1485"
name = "Data Destruction"
reference = "https://attack.mitre.org/techniques/T1485/"
[rule.threat.tactic]
id = "TA0040"
name = "Impact"
reference = "https://attack.mitre.org/tactics/TA0040/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1562"
name = "Impair Defenses"
reference = "https://attack.mitre.org/techniques/T1562/"
[[rule.threat.technique.subtechnique]]
id = "T1562.001"
name = "Disable or Modify Tools"
reference = "https://attack.mitre.org/techniques/T1562/001/"
[[rule.threat.technique.subtechnique]]
id = "T1562.008"
name = "Disable or Modify Cloud Logs"
reference = "https://attack.mitre.org/techniques/T1562/008/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
[rule.investigation_fields]
field_names = [
"@timestamp",
rules/integrations/aws/impact_cloudwatch_log_stream_deletion.toml
+9 -4
View File
@@ -2,7 +2,7 @@
creation_date = "2020/05/20"
integration = ["aws"]
maturity = "production"
updated_date = "2026/01/21"
updated_date = "2026/03/24"
[rule]
author = ["Elastic"]
@@ -138,34 +138,39 @@ event.dataset: "aws.cloudtrail"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1485"
name = "Data Destruction"
reference = "https://attack.mitre.org/techniques/T1485/"
[rule.threat.tactic]
id = "TA0040"
name = "Impact"
reference = "https://attack.mitre.org/tactics/TA0040/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1562"
name = "Impair Defenses"
reference = "https://attack.mitre.org/techniques/T1562/"
[[rule.threat.technique.subtechnique]]
id = "T1562.001"
name = "Disable or Modify Tools"
reference = "https://attack.mitre.org/techniques/T1562/001/"
[[rule.threat.technique.subtechnique]]
id = "T1562.008"
name = "Disable or Modify Cloud Logs"
reference = "https://attack.mitre.org/techniques/T1562/008/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
[rule.investigation_fields]
field_names = [
"@timestamp",
rules/integrations/aws/impact_ec2_disable_ebs_encryption.toml
+20 -3
View File
@@ -2,7 +2,7 @@
creation_date = "2020/06/05"
integration = ["aws"]
maturity = "production"
updated_date = "2026/01/16"
updated_date = "2026/03/24"
[rule]
author = ["Elastic"]
@@ -125,22 +125,39 @@ event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.acti
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1565"
name = "Data Manipulation"
reference = "https://attack.mitre.org/techniques/T1565/"
[[rule.threat.technique.subtechnique]]
id = "T1565.001"
name = "Stored Data Manipulation"
reference = "https://attack.mitre.org/techniques/T1565/001/"
[rule.threat.tactic]
id = "TA0040"
name = "Impact"
reference = "https://attack.mitre.org/tactics/TA0040/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1578"
name = "Modify Cloud Compute Infrastructure"
reference = "https://attack.mitre.org/techniques/T1578/"
[[rule.threat.technique.subtechnique]]
id = "T1578.005"
name = "Modify Cloud Compute Configurations"
reference = "https://attack.mitre.org/techniques/T1578/005/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
[rule.investigation_fields]
field_names = [
"@timestamp",
rules/integrations/aws/impact_ec2_ebs_snapshot_access_removed.toml
+19 -2
View File
@@ -2,7 +2,7 @@
creation_date = "2025/06/02"
integration = ["aws"]
maturity = "production"
updated_date = "2026/01/21"
updated_date = "2026/03/24"
[rule]
author = ["Elastic"]
@@ -116,6 +116,7 @@ info where event.dataset == "aws.cloudtrail"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1485"
name = "Data Destruction"
@@ -126,12 +127,28 @@ id = "T1490"
name = "Inhibit System Recovery"
reference = "https://attack.mitre.org/techniques/T1490/"
[rule.threat.tactic]
id = "TA0040"
name = "Impact"
reference = "https://attack.mitre.org/tactics/TA0040/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1578"
name = "Modify Cloud Compute Infrastructure"
reference = "https://attack.mitre.org/techniques/T1578/"
[[rule.threat.technique.subtechnique]]
id = "T1578.005"
name = "Modify Cloud Compute Configurations"
reference = "https://attack.mitre.org/techniques/T1578/005/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
[rule.investigation_fields]
field_names = [
"@timestamp",
rules/integrations/aws/impact_iam_deactivate_mfa_device.toml
+22 -4
View File
@@ -2,7 +2,7 @@
creation_date = "2020/05/26"
integration = ["aws"]
maturity = "production"
updated_date = "2026/01/21"
updated_date = "2026/03/24"
[rule]
author = ["Elastic", "Austin Songer"]
@@ -116,34 +116,52 @@ event.dataset: aws.cloudtrail
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1531"
name = "Account Access Removal"
reference = "https://attack.mitre.org/techniques/T1531/"
[rule.threat.tactic]
id = "TA0040"
name = "Impact"
reference = "https://attack.mitre.org/tactics/TA0040/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1556"
name = "Modify Authentication Process"
reference = "https://attack.mitre.org/techniques/T1556/"
[[rule.threat.technique.subtechnique]]
id = "T1556.006"
name = "Multi-Factor Authentication"
reference = "https://attack.mitre.org/techniques/T1556/006/"
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1556"
name = "Modify Authentication Process"
reference = "https://attack.mitre.org/techniques/T1556/"
[[rule.threat.technique.subtechnique]]
id = "T1556.006"
name = "Multi-Factor Authentication"
reference = "https://attack.mitre.org/techniques/T1556/006/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
[rule.investigation_fields]
field_names = [
"@timestamp",
rules/integrations/aws/impact_kms_cmk_disabled_or_scheduled_for_deletion.toml
+6 -2
View File
@@ -2,7 +2,7 @@
creation_date = "2022/09/21"
integration = ["aws"]
maturity = "production"
updated_date = "2026/01/16"
updated_date = "2026/03/24"
[rule]
author = ["Xavier Pich"]
@@ -145,17 +145,21 @@ event.dataset: "aws.cloudtrail"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1485"
name = "Data Destruction"
reference = "https://attack.mitre.org/techniques/T1485/"
[[rule.threat.technique.subtechnique]]
id = "T1485.001"
name = "Lifecycle-Triggered Deletion"
reference = "https://attack.mitre.org/techniques/T1485/001/"
[rule.threat.tactic]
id = "TA0040"
name = "Impact"
reference = "https://attack.mitre.org/tactics/TA0040/"
[rule.investigation_fields]
field_names = [
"@timestamp",
rules/integrations/aws/impact_rds_instance_cluster_deletion_protection_disabled.toml
+19 -2
View File
@@ -2,7 +2,7 @@
creation_date = "2024/06/28"
integration = ["aws"]
maturity = "production"
updated_date = "2026/01/21"
updated_date = "2026/03/24"
[rule]
author = ["Elastic"]
@@ -124,17 +124,34 @@ any where event.dataset == "aws.cloudtrail"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1485"
name = "Data Destruction"
reference = "https://attack.mitre.org/techniques/T1485/"
[rule.threat.tactic]
id = "TA0040"
name = "Impact"
reference = "https://attack.mitre.org/tactics/TA0040/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1578"
name = "Modify Cloud Compute Infrastructure"
reference = "https://attack.mitre.org/techniques/T1578/"
[[rule.threat.technique.subtechnique]]
id = "T1578.005"
name = "Modify Cloud Compute Configurations"
reference = "https://attack.mitre.org/techniques/T1578/005/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
[rule.investigation_fields]
field_names = [
"@timestamp",
rules/integrations/aws/impact_rds_snapshot_deleted.toml
+6 -2
View File
@@ -2,7 +2,7 @@
creation_date = "2024/06/29"
integration = ["aws"]
maturity = "production"
updated_date = "2026/01/16"
updated_date = "2026/03/24"
[rule]
author = ["Elastic"]
@@ -154,17 +154,21 @@ any where event.dataset == "aws.cloudtrail"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1485"
name = "Data Destruction"
reference = "https://attack.mitre.org/techniques/T1485/"
[[rule.threat.technique]]
id = "T1490"
name = "Inhibit System Recovery"
reference = "https://attack.mitre.org/techniques/T1490/"
[rule.threat.tactic]
id = "TA0040"
name = "Impact"
reference = "https://attack.mitre.org/tactics/TA0040/"
[rule.investigation_fields]
field_names = [
"@timestamp",
rules/integrations/aws/impact_s3_bucket_object_uploaded_with_ransom_keyword.toml
+13 -3
View File
@@ -2,7 +2,7 @@
creation_date = "2024/04/17"
integration = ["aws"]
maturity = "production"
updated_date = "2026/02/19"
updated_date = "2026/03/24"
[rule]
author = ["Elastic"]
@@ -148,6 +148,7 @@ field_names = [
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1485"
name = "Data Destruction"
@@ -156,10 +157,19 @@ reference = "https://attack.mitre.org/techniques/T1485/"
[[rule.threat.technique]]
id = "T1486"
name = "Data Encrypted for Impact"
reference = "https://attack.mitre.org/techniques/T1486/"
reference = "https://attack.mitre.org/techniques/T1486/"
[[rule.threat.technique]]
id = "T1565"
name = "Data Manipulation"
reference = "https://attack.mitre.org/techniques/T1565/"
[[rule.threat.technique.subtechnique]]
id = "T1565.001"
name = "Stored Data Manipulation"
reference = "https://attack.mitre.org/techniques/T1565/001/"
[rule.threat.tactic]
id = "TA0040"
name = "Impact"
reference = "https://attack.mitre.org/tactics/TA0040/"
rules/integrations/aws/impact_s3_static_site_js_file_uploaded.toml
+13 -2
View File
@@ -2,7 +2,7 @@
creation_date = "2025/04/15"
integration = ["aws"]
maturity = "production"
updated_date = "2025/12/09"
updated_date = "2026/03/24"
[rule]
author = ["Elastic"]
@@ -122,10 +122,22 @@ from logs-aws.cloudtrail* metadata _id, _version, _index
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1491"
name = "Defacement"
reference = "https://attack.mitre.org/techniques/T1491/"
[[rule.threat.technique.subtechnique]]
id = "T1491.002"
name = "External Defacement"
reference = "https://attack.mitre.org/techniques/T1491/002/"
[[rule.threat.technique]]
id = "T1565"
name = "Data Manipulation"
reference = "https://attack.mitre.org/techniques/T1565/"
[[rule.threat.technique.subtechnique]]
id = "T1565.001"
name = "Stored Data Manipulation"
@@ -135,7 +147,6 @@ reference = "https://attack.mitre.org/techniques/T1565/001/"
id = "TA0040"
name = "Impact"
reference = "https://attack.mitre.org/tactics/TA0040/"
[rule.investigation_fields]
field_names = [
"@timestamp",
rules/integrations/aws/impact_s3_unusual_object_encryption_with_sse_c.toml
+19 -2
View File
@@ -2,7 +2,7 @@
creation_date = "2025/01/15"
integration = ["aws"]
maturity = "production"
updated_date = "2026/01/16"
updated_date = "2026/03/24"
[rule]
author = ["Elastic"]
@@ -105,17 +105,34 @@ event.dataset: "aws.cloudtrail"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1486"
name = "Data Encrypted for Impact"
reference = "https://attack.mitre.org/techniques/T1486/"
[rule.threat.tactic]
id = "TA0040"
name = "Impact"
reference = "https://attack.mitre.org/tactics/TA0040/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"
[[rule.threat.technique.subtechnique]]
id = "T1078.004"
name = "Cloud Accounts"
reference = "https://attack.mitre.org/techniques/T1078/004/"
[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"
[rule.investigation_fields]
field_names = [
"@timestamp",

Some files were not shown because too many files have changed in this diff Show More