security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
09a3c0c813c4820a803a23bd502ed5c6561366e1
sigma-rules/rules/cross-platform
T
History
Samirbous 09a3c0c813 [New] Potential Credential Discovery via Recursive Grep (#5882) 
* [New] Potential Credential Discovery via Recursive Grep

Identifies recursive grep activity on Linux or macOS where the command line suggests hunting for secrets, credentials,
keys, tokens, or sensitive paths (for example .env, .git, .aws). Events are aggregated per host, user, parent process, and one-minute window, the rule surfaces activity only when at least three distinct grep command lines match in the same bucket, to reduce noise from one-off searches.

* Update credential_access_grep_recursive_credential_discovery.toml

* Update rules/cross-platform/credential_access_grep_recursive_credential_discovery.toml

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>

* Update rules/cross-platform/credential_access_grep_recursive_credential_discovery.toml

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>

* Update credential_access_grep_recursive_credential_discovery.toml

* Update credential_access_grep_recursive_credential_discovery.toml

---------

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
2026-03-26 11:27:33 +00:00
..
command_and_control_common_llm_endpoint.toml
[tuning] LLM DNS queries (#5709)
2026-02-13 13:54:52 +00:00
command_and_control_curl_wget_spawn_via_nodejs_parent.toml
[Rule Tuning] Linux DR CP Tuning (#5512)
2026-01-07 16:40:37 +01:00
command_and_control_genai_process_suspicious_tld_connection.toml
[New Rules] Add MITRE ATLAS framework support and GenAI threat detection rules (#5352)
2025-12-05 12:26:56 -06:00
command_and_control_genai_process_unusual_domain.toml
[Rule Tuning] Misc GenAI Tuning (#5825)
2026-03-11 11:46:33 -05:00
command_and_control_google_drive_malicious_file_download.toml
[Rule Tuning] Tighten Up Windows EventLog Indexes, Improve tags (#4464)
2025-02-19 12:54:31 -03:00
command_and_control_pan_elastic_defend_c2.toml
[New] PANW Command and Control Correlation (#5331)
2025-11-24 14:01:52 +00:00
command_and_control_socks_fortigate_endpoint.toml
[Tuning] High Order Rules fine tuning (#5728)
2026-02-18 23:31:56 +00:00
command_and_control_suricata_elastic_defend_c2.toml
[Tuning] Suricata and Elastic Defend Network Correlation (#5583)
2026-01-23 12:02:25 +00:00
command_and_control_tunnel_qemu.toml
[Tuning/New] Solarwinds Post Exploit (#5696)
2026-02-09 13:57:52 +00:00
credential_access_cookies_chromium_browsers_debugging.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
credential_access_forced_authentication_pipes.toml
[Rule Tuning] Tighten Up Windows EventLog Indexes, Improve tags (#4464)
2025-02-19 12:54:31 -03:00
credential_access_genai_process_sensitive_file_access.toml
[Rule Tuning] Misc GenAI Tuning (#5825)
2026-03-11 11:46:33 -05:00
credential_access_gitleaks_execution.toml
[New Rule] Potential Secret Scanning via Gitleaks (#5377)
2025-12-02 09:42:19 +01:00
credential_access_grep_recursive_credential_discovery.toml
[New] Potential Credential Discovery via Recursive Grep (#5882)
2026-03-26 11:27:33 +00:00
credential_access_multi_could_secrets_via_api.toml
Update credential_access_multi_could_secrets_via_api.toml (#5618)
2026-01-26 15:21:18 +00:00
credential_access_trufflehog_execution.toml
[New/Tuning] NPM Shai-Hulud coverage (#5368)
2025-12-02 10:57:12 +00:00
defense_evasion_agent_spoofing_multiple_hosts.toml
Update defense_evasion_agent_spoofing_multiple_hosts.toml (#5446)
2025-12-12 17:47:11 +00:00
defense_evasion_deleting_websvr_access_logs.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
defense_evasion_deletion_of_bash_command_line_history.toml
[Rule Tuning] Linux DR CP Tuning (#5512)
2026-01-07 16:40:37 +01:00
defense_evasion_elastic_agent_service_terminated.toml
[Rule Tuning] Misc Rule Tuning (#5858)
2026-03-23 13:01:06 -03:00
defense_evasion_encoding_rot13_python_script.toml
[Rule Tuning] Misc Rule Tuning (#5858)
2026-03-23 13:01:06 -03:00
defense_evasion_genai_config_modification.toml
[Rule Tuning] Misc GenAI Tuning (#5825)
2026-03-11 11:46:33 -05:00
defense_evasion_genai_process_compiling_executables.toml
[New Rules] Add MITRE ATLAS framework support and GenAI threat detection rules (#5352)
2025-12-05 12:26:56 -06:00
defense_evasion_genai_process_encoding_prior_to_network_activity.toml
[New Rules] Add MITRE ATLAS framework support and GenAI threat detection rules (#5352)
2025-12-05 12:26:56 -06:00
defense_evasion_masquerading_space_after_filename.toml
[Rule Tuning] Linux DR CP Tuning (#5512)
2026-01-07 16:40:37 +01:00
defense_evasion_missing_events_after_alert.toml
[Tuning] Mis Rules Tuning (#5817)
2026-03-23 10:49:23 +00:00
defense_evasion_potential_http_downgrade_attack.toml
[Rule Tuning] Added Traefik Compatibility to Web Server Access Rules (#5837)
2026-03-17 17:28:47 +01:00
defense_evasion_processes_with_trailing_spaces.toml
Prep for Release 9.3 (#5548)
2026-01-12 21:07:07 +05:30
defense_evasion_timestomp_touch.toml
[Rule Tuning] Linux DR CP Tuning (#5512)
2026-01-07 16:40:37 +01:00
defense_evasion_whitespace_padding_command_line.toml
[Rule Tuning] Add Missing Metadata to KEEP conditions (#5442)
2025-12-09 17:05:20 -08:00
discovery_security_software_grep.toml
[New] Endpoint Rule Conversion PR (#5658)
2026-02-06 10:53:44 -06:00
discovery_virtual_machine_fingerprinting_grep.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
discovery_web_server_local_file_inclusion_activity.toml
[Rule Tuning] Tuning Host Name to Agent Name for Compatibility (#5849)
2026-03-19 14:43:34 +01:00
discovery_web_server_remote_file_inclusion_activity.toml
[Rule Tuning] Tuning Host Name to Agent Name for Compatibility (#5849)
2026-03-19 14:43:34 +01:00
execution_aws_ec2_lolbin_via_ssm.toml
[New Rule] AWS EC2 LOLBin Execution via SSM (#5354)
2025-12-05 16:14:33 -05:00
execution_aws_ssm_sendcommand_with_command_parameters.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
execution_d4c_k8s_mda_direct_interactive_kubernetes_api_request_by_usual_utilities.toml
Add investigation guides (#5630)
2026-01-27 14:28:06 +05:30
execution_d4c_k8s_mda_forbidden_direct_interactive_kubernetes_api_request.toml
Add investigation guides (#5630)
2026-01-27 14:28:06 +05:30
execution_d4c_k8s_mda_kubernetes_api_activity_by_unusual_utilities.toml
[New/Tuning] TeamPCP Simulation - New & Tuned Rules (#5812)
2026-03-09 17:03:39 +01:00
execution_d4c_k8s_mda_service_account_token_access_followed_by_kubernetes_api_request.toml
Add investigation guides (#5630)
2026-01-27 14:28:06 +05:30
execution_git_exploit_cve_2025_48384.toml
[New Rule] Potential Git CVE-2025-48384 Exploitation (#5301)
2025-11-12 15:45:52 +01:00
execution_nodejs_pre_or_post_install_script_execution.toml
[Rule Tuning] Node.js Pre or Post-Install Script Execution to Cross-Platform (#5403)
2025-12-04 09:07:12 -05:00
execution_openclaw_agent_child_process.toml
[Rule Tuning] Misc GenAI Tuning (#5825)
2026-03-11 11:46:33 -05:00
execution_pentest_eggshell_remote_admin_tool.toml
[Rule Tuning] Dormant & Deprecated Rule Clean-Up (#5672)
2026-02-05 13:24:21 +01:00
execution_potential_widespread_malware_infection.toml
[Rule Tuning] ESQL Query Field Dynamic Field Standardization (#4912)
2025-08-05 19:35:41 -04:00
execution_privileged_container_creation_with_host_reference.toml
[New Rule] Privileged Container Creation with Host Directory Mount (#5373)
2025-12-02 09:33:16 +01:00
execution_register_github_actions_runner.toml
[New/Tuning] NPM Shai-Hulud coverage (#5368)
2025-12-02 10:57:12 +00:00
execution_revershell_via_shell_cmd.toml
[Docs | Rule Tuning] Add blog references to rules (#4097)
2024-09-25 15:19:20 -05:00
execution_sap_netweaver_jsp_webshell.toml
[New] Potential SAP NetWeaver Exploitation rules (#4666)
2026-01-22 12:58:02 -06:00
execution_sap_netweaver_webshell_exec.toml
[New] Potential SAP NetWeaver Exploitation rules (#4666)
2026-01-22 12:58:02 -06:00
execution_suspicious_java_netcon_childproc.toml
[Rule Tuning] Linux DR Tuning - Part 6 (#4423)
2025-02-03 14:05:26 +01:00
execution_via_github_actions_runner.toml
[New/Tuning] NPM Shai-Hulud coverage (#5368)
2025-12-02 10:57:12 +00:00
execution_via_github_runner_with_runner_tracking_id_tampering_via_env_vars.toml
[New Rule] Tampering with RUNNER_TRACKING_ID in GitHub Actions Runners (#5370)
2025-12-02 10:22:24 +01:00
guided_onboarding_sample_rule.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
impact_alert_from_a_process_with_cpu_spike.toml
[Tuning] Mis Rules Tuning (#5817)
2026-03-23 10:49:23 +00:00
impact_alerts_on_host_with_cpu_spike.toml
Update impact_alerts_on_host_with_cpu_spike.toml (#5789)
2026-02-27 08:56:27 +00:00
impact_hosts_file_modified.toml
MacOS detection rules tuning (#5667)
2026-02-05 11:20:16 -06:00
impact_newly_observed_process_with_high_cpu.toml
[New] Newly Observed Process Exhibiting CPU Spike (#5635)
2026-01-28 17:38:22 +00:00
initial_access_azure_o365_with_network_alert.toml
[Rule Tuning] Update Azure / M365 Rule Names and File Paths (#5172)
2025-12-10 12:59:50 -05:00
initial_access_elastic_defend_alert_genai_utility_descendant.toml
[New] Elastic Defend Alert from GenAI Utility or Descendant (#5793)
2026-03-09 15:53:25 +00:00
initial_access_execution_susp_react_serv_child.toml
Update initial_access_execution_susp_react_serv_child.toml (#5503)
2026-01-01 15:27:33 -03:00
initial_access_exfiltration_new_usb_device_mounted.toml
[New] New USB Storage Device Mounted (#5299)
2025-11-11 09:28:54 +00:00
initial_access_file_upload_followed_by_get_request.toml
December Schema Refresh (#5420)
2025-12-08 22:07:46 +05:30
initial_access_fortigate_ssl_vpn_login_followed_by_siem_alert.toml
[Tuning] Mis Rules Tuning (#5817)
2026-03-23 10:49:23 +00:00
initial_access_ollama_api_external_access.toml
[New Rules] Ollama Detections (#5546)
2026-01-12 11:05:15 -06:00
initial_access_zoom_meeting_with_no_passcode.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
lateral_movement_multi_alerts_new_srcip.toml
[Tuning] High Order Rules fine tuning (#5728)
2026-02-18 23:31:56 +00:00
lateral_movement_multi_alerts_new_userid.toml
[Tuning] High Order Rules fine tuning (#5728)
2026-02-18 23:31:56 +00:00
multiple_alerts_by_host_ip_and_source_ip.toml
[Tuning] High Order Rules fine tuning (#5728)
2026-02-18 23:31:56 +00:00
multiple_alerts_different_tactics_host.toml
Update multiple_alerts_different_tactics_host.toml (#4854)
2025-06-27 09:53:42 -03:00
multiple_alerts_edr_elastic_defend_by_host.toml
[New] Alerts in Different ATT&CK Tactics by Host (#5343)
2025-11-24 22:46:09 +05:30
multiple_alerts_edr_elastic_same_process_tree.toml
[New] Multiple Elastic Defend Alerts from Single Process Tree (#5522)
2026-01-02 15:13:25 +00:00
multiple_alerts_elastic_defend_netsecurity_by_host.toml
[Tuning] Adds host metadata to the setup requirements (#5719)
2026-02-18 17:04:40 +00:00
multiple_alerts_email_elastic_defend_correlation.toml
[Tuning] Elastic Defend and Email Alerts Correlation (#5459)
2025-12-15 15:33:10 +00:00
multiple_alerts_from_different_modules_by_dstip.toml
[Tuning] High Order Rules fine tuning (#5728)
2026-02-18 23:31:56 +00:00
multiple_alerts_from_different_modules_by_srcip.toml
[Tuning] High Order Rules fine tuning (#5728)
2026-02-18 23:31:56 +00:00
multiple_alerts_from_different_modules_by_user.toml
[Tuning] High Order Rules fine tuning (#5728)
2026-02-18 23:31:56 +00:00
multiple_alerts_involving_user.toml
[Tuning] High Order Rules fine tuning (#5728)
2026-02-18 23:31:56 +00:00
multiple_alerts_llm_attack_chain_triage_by_host.toml
[Rule Tuning] LLM Completion Rules (#5744)
2026-02-20 14:43:12 -06:00
multiple_alerts_llm_by_user_entity.toml
[New] Correlated Alerts on Similar User Identities (#5726)
2026-02-20 15:57:34 +00:00
multiple_alerts_llm_compromised_user_triage.toml
[Rule Tuning] LLM Completion Rules (#5744)
2026-02-20 14:43:12 -06:00
multiple_alerts_risky_host_esql.toml
[Tuning] High Order Rules fine tuning (#5728)
2026-02-18 23:31:56 +00:00
multiple_alerts_same_tactic_by_host.toml
[Tuning] High Order Rules fine tuning (#5728)
2026-02-18 23:31:56 +00:00
multiple_elastic_defend_behavior_rules_same_host_prevalence.toml
[New] Multiple Rare Elastic Defend Behavior Rules by Host (#5738)
2026-02-20 09:40:42 +00:00
multiple_external_edr_alerts_by_host.toml
[Tuning] High Order Rules fine tuning (#5728)
2026-02-18 23:31:56 +00:00
multiple_machine_learning_jobs_by_entity.toml
[Tuning] High Order Rules fine tuning (#5728)
2026-02-18 23:31:56 +00:00
multiple_vulnerabilities_wiz_by_container.toml
[New] Multiple Vulnerabilities by Asset via Wiz (#5598)
2026-01-26 17:26:17 +00:00
newly_observed_elastic_defend_alert.toml
[Tuning] ESQL Dynamic unique value fields (#5569)
2026-01-26 16:34:16 +00:00
newly_observed_elastic_detection_rule.toml
[Tuning] High Order Rules fine tuning (#5728)
2026-02-18 23:31:56 +00:00
newly_observed_fortigate_alert.toml
[Tuning] Newly Seen FG or Suricata alert (#5734)
2026-02-23 08:35:38 +00:00
newly_observed_panos_alert.toml
[New] Newly Observed Network Alert (#5585)
2026-01-23 12:22:21 +00:00
newly_observed_suricata_alert.toml
[Tuning] Newly Seen FG or Suricata alert (#5734)
2026-02-23 08:35:38 +00:00
persistence_shell_profile_modification.toml
[Tuning] Diverse Rules Tuning (#5482)
2025-12-18 15:30:12 +00:00
persistence_ssh_authorized_keys_modification.toml
[Rule Tuning] Linux DR CP Tuning (#5512)
2026-01-07 16:40:37 +01:00
persistence_web_server_potential_command_injection.toml
[Rule Tuning] Tuning Host Name to Agent Name for Compatibility (#5849)
2026-03-19 14:43:34 +01:00
privilege_escalation_echo_nopasswd_sudoers.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
privilege_escalation_setuid_setgid_bit_set_via_chmod.toml
[Rule Tuning] Linux DR CP Tuning (#5512)
2026-01-07 16:40:37 +01:00
privilege_escalation_sudo_buffer_overflow.toml
[Rule Tuning] Dormant & Deprecated Rule Clean-Up (#5672)
2026-02-05 13:24:21 +01:00
privilege_escalation_sudoers_file_mod.toml
[Rule Tuning] Linux DR CP Tuning (#5512)
2026-01-07 16:40:37 +01:00
privilege_escalation_trap_execution.toml
Prep for Release 9.3 (#5548)
2026-01-12 21:07:07 +05:30
reconnaissance_web_server_discovery_or_fuzzing_activity.toml
[Rule Tuning] Tuning Host Name to Agent Name for Compatibility (#5849)
2026-03-19 14:43:34 +01:00
reconnaissance_web_server_unusual_spike_in_error_logs.toml
[Rule Tuning] Interval fix + Datastream values to ESQL Rules (#5413)
2025-12-05 16:42:52 +01:00
reconnaissance_web_server_unusual_spike_in_error_response_codes.toml
[Rule Tuning] Tuning Host Name to Agent Name for Compatibility (#5849)
2026-03-19 14:43:34 +01:00
reconnaissance_web_server_unusual_user_agents.toml
[Rule Tuning] Tuning Host Name to Agent Name for Compatibility (#5849)
2026-03-19 14:43:34 +01:00