security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
0a69c19c836e9fd08ee8d310ac3f9e4e3912f177
sigma-rules/rules/integrations/aws
T
History
Terrance DeJesus 62eea772d0 [New Rule] AWS S3 Bucket Ransom Note Uploaded (#3604) 
* new rule 'AWS S3 Bucket Object Retrieval, Deletion, and Potential Ransom Note Replacement'

* fixed technique mapping

* added investigation guide; added more ransom note extensions

* adjusted lookback and maxspan

* added  API call to second sequence

* updating date

* Update rules/integrations/aws/impact_s3_bucket_object_deletion_and_ransomware_note_added.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update rules/integrations/aws/impact_s3_bucket_object_deletion_and_ransomware_note_added.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* changed rule to ESQL; updated investigation guide

* changed file name

* removed txt, ecc, and note

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
2024-06-10 10:47:20 -04:00
..
collection_cloudtrail_logging_created.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
credential_access_aws_getpassword_for_ec2_instance.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
credential_access_aws_iam_assume_role_brute_force.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
credential_access_iam_user_addition_to_group.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
credential_access_new_terms_secretsmanager_getsecretvalue.toml
[New Rule] Rapid Secret Retrieval Attempts from AWS SecretsManager (#3589)
2024-06-04 09:20:04 -04:00
credential_access_rapid_secret_retrieval_attempts_from_secretsmanager.toml
[New Rule] Rapid Secret Retrieval Attempts from AWS SecretsManager (#3589)
2024-06-04 09:20:04 -04:00
credential_access_retrieve_secure_string_parameters_via_ssm.toml
[New Rule] AWS Systems Manager SecureString Parameter Request with Decryption Flag (#3590)
2024-06-05 10:22:38 -04:00
credential_access_root_console_failure_brute_force.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
defense_evasion_cloudtrail_logging_deleted.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
defense_evasion_cloudtrail_logging_suspended.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
defense_evasion_cloudwatch_alarm_deletion.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
defense_evasion_config_service_rule_deletion.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
defense_evasion_configuration_recorder_stopped.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
defense_evasion_ec2_flow_log_deletion.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
defense_evasion_ec2_network_acl_deletion.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
defense_evasion_elasticache_security_group_creation.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
defense_evasion_elasticache_security_group_modified_or_deleted.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
defense_evasion_escalation_aws_suspicious_saml_activity.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
defense_evasion_guardduty_detector_deletion.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
defense_evasion_route53_dns_query_resolver_config_deletion.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
defense_evasion_s3_bucket_configuration_deletion.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
defense_evasion_s3_bucket_lifecycle_expiration_added.toml
[New Rule] AWS S3 Bucket Expiration Lifecycle Configuration Added (#3700)
2024-05-21 16:33:17 -05:00
defense_evasion_vpc_security_group_ingress_rule_added_for_remote_connections.toml
[New Rule] AWS EC2 VPC Security Group Rule Added for Any Address or Remote Access Ports (#3599)
2024-05-28 10:49:20 -04:00
defense_evasion_waf_acl_deletion.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
defense_evasion_waf_rule_or_rule_group_deletion.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
discovery_new_terms_sts_getcalleridentity.toml
[New Rule] AWS GetCallerIdentity API Called for the First Time (#3711)
2024-05-31 17:55:06 -04:00
execution_lambda_external_layer_added_to_function.toml
[New Rule] AWS Lambda Layer Added to Existing Function (#3631)
2024-06-02 08:41:04 -04:00
exfiltration_ec2_ami_shared_with_separate_account.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
exfiltration_ec2_ebs_snapshot_shared_with_another_account.toml
[New Rule] AWS EC2 EBS Snapshot Shared with Another Account (#3601)
2024-06-02 10:30:08 -04:00
exfiltration_ec2_full_network_packet_capture_detected.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
exfiltration_ec2_snapshot_change_activity.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
exfiltration_ec2_vm_export_failure.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
exfiltration_rds_snapshot_export.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
exfiltration_rds_snapshot_restored.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
exfiltration_s3_bucket_policy_added_for_external_account_access.toml
[New Rule] AWS S3 Bucket Policy Added to Share with External Account (#3603)
2024-06-01 10:31:41 -04:00
impact_aws_eventbridge_rule_disabled_or_deleted.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
impact_aws_s3_bucket_enumeration_or_brute_force.toml
[New Rule] AWS S3 Bucket Enumeration or Brute Force (#3635)
2024-05-01 15:00:33 -06:00
impact_cloudtrail_logging_updated.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
impact_cloudwatch_log_group_deletion.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
impact_cloudwatch_log_stream_deletion.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
impact_ec2_disable_ebs_encryption.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
impact_efs_filesystem_or_mount_deleted.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
impact_iam_deactivate_mfa_device.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
impact_iam_group_deletion.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
impact_kms_cmk_disabled_or_scheduled_for_deletion.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
impact_rds_group_deletion.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
impact_rds_instance_cluster_deletion.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
impact_rds_instance_cluster_stoppage.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
impact_s3_bucket_object_uploaded_with_ransom_extension.toml
[New Rule] AWS S3 Bucket Ransom Note Uploaded (#3604)
2024-06-10 10:47:20 -04:00
initial_access_console_login_root.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
initial_access_password_recovery.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
initial_access_via_system_manager.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
lateral_movement_aws_ssm_start_session_to_ec2_instance.toml
[New Rule] First Occurrence of AWS Resource Starting SSM Session to EC2 Instance (#3598)
2024-05-28 11:23:17 -04:00
ml_cloudtrail_error_message_spike.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
ml_cloudtrail_rare_error_code.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
ml_cloudtrail_rare_method_by_city.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
ml_cloudtrail_rare_method_by_country.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
ml_cloudtrail_rare_method_by_user.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
NOTICE.txt
[Fleet] Track integrations in folder and metadata (#1372)
2021-07-21 15:24:56 -06:00
persistence_ec2_network_acl_creation.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
persistence_ec2_security_group_configuration_change_detection.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
persistence_iam_group_creation.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
persistence_iam_roles_anywhere_profile_created.toml
[New Rule] AWS IAM Roles Anywhere Profile Creation and Trusted Anchor with External CA Created (#3609)
2024-06-05 10:10:53 -04:00
persistence_iam_roles_anywhere_trusted_anchor_created_with_external_ca.toml
[New Rule] AWS IAM Roles Anywhere Profile Creation and Trusted Anchor with External CA Created (#3609)
2024-06-05 10:10:53 -04:00
persistence_lambda_backdoor_invoke_function_for_any_principal.toml
[New Rule] AWS Lambda Function Policy Updated To Allow Public Invocation (#3632)
2024-06-03 11:42:38 -04:00
persistence_rds_cluster_creation.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
persistence_rds_group_creation.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
persistence_rds_instance_creation.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
persistence_redshift_instance_creation.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
persistence_route_53_domain_transfer_lock_disabled.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
persistence_route_53_domain_transferred_to_another_account.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
persistence_route_53_hosted_zone_associated_with_a_vpc.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
persistence_route_table_created.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
persistence_route_table_modified_or_deleted.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
privilege_escalation_aws_iam_administratoraccess_policy_attached_to_group.toml
[New rules] AWS IAM AdministratorAccess Policy Attached to : User, Group, Role(es|ql) (#3735)
2024-06-07 18:31:06 -04:00
privilege_escalation_aws_iam_administratoraccess_policy_attached_to_role.toml
[New rules] AWS IAM AdministratorAccess Policy Attached to : User, Group, Role(es|ql) (#3735)
2024-06-07 18:31:06 -04:00
privilege_escalation_aws_iam_administratoraccess_policy_attached_to_user.toml
[New rules] AWS IAM AdministratorAccess Policy Attached to : User, Group, Role(es|ql) (#3735)
2024-06-07 18:31:06 -04:00
privilege_escalation_ec2_instance_connect_ssh_public_key_uploaded.toml
[New Rule] AWS EC2 Instance Connect SSH Public Key Uploaded (#3634)
2024-06-05 10:33:42 -04:00
privilege_escalation_root_login_without_mfa.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
privilege_escalation_sts_assumerole_usage.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
privilege_escalation_sts_getsessiontoken_abuse.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
privilege_escalation_updateassumerolepolicy.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30