security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
166da4556112041f8ab69b0b127494da054713c8
sigma-rules/rules/cross-platform
T
History
Samirbous 166da45561 [New] Multiple Cloud Secrets Accessed by Source Address (#5388) 
* [New] Multiple Cloud Secrets Accessed by Source Address

This rule detects authenticated sessions accessing secret stores across multiple cloud providers from the same source
address within a short period of time. Adversaries with access to compromised credentials or session tokens may attempt
to retrieve secrets from services such as AWS Secrets Manager, Google Secret Manager, or Azure Key Vault in rapid
succession to expand their access or exfiltrate sensitive information.

* Update credential_access_multi_could_secrets_via_api.toml

* Update credential_access_multi_could_secrets_via_api.toml

* Update credential_access_multi_could_secrets_via_api.toml

* Update credential_access_multi_could_secrets_via_api.toml

* Update credential_access_multi_could_secrets_via_api.toml

* Update rules/cross-platform/credential_access_multi_could_secrets_via_api.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update rules/cross-platform/credential_access_multi_could_secrets_via_api.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update rules/cross-platform/credential_access_multi_could_secrets_via_api.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update credential_access_multi_could_secrets_via_api.toml

* Update credential_access_multi_could_secrets_via_api.toml

* Update credential_access_multi_could_secrets_via_api.toml

* Update credential_access_multi_could_secrets_via_api.toml

* Update credential_access_multi_could_secrets_via_api.toml

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
2025-12-04 18:04:25 +00:00
..
command_and_control_curl_wget_spawn_via_nodejs_parent.toml
[New/Tuning] NPM Shai-Hulud coverage (#5368)
2025-12-02 10:57:12 +00:00
command_and_control_google_drive_malicious_file_download.toml
[Rule Tuning] Tighten Up Windows EventLog Indexes, Improve tags (#4464)
2025-02-19 12:54:31 -03:00
command_and_control_non_standard_ssh_port.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
command_and_control_pan_elastic_defend_c2.toml
[New] PANW Command and Control Correlation (#5331)
2025-11-24 14:01:52 +00:00
command_and_control_socks_fortigate_endpoint.toml
[New] SOCKS Traffic from an Unusual Process (#5324)
2025-11-24 13:18:30 +00:00
credential_access_cookies_chromium_browsers_debugging.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
credential_access_forced_authentication_pipes.toml
[Rule Tuning] Tighten Up Windows EventLog Indexes, Improve tags (#4464)
2025-02-19 12:54:31 -03:00
credential_access_gitleaks_execution.toml
[New Rule] Potential Secret Scanning via Gitleaks (#5377)
2025-12-02 09:42:19 +01:00
credential_access_multi_could_secrets_via_api.toml
[New] Multiple Cloud Secrets Accessed by Source Address (#5388)
2025-12-04 18:04:25 +00:00
credential_access_trufflehog_execution.toml
[New/Tuning] NPM Shai-Hulud coverage (#5368)
2025-12-02 10:57:12 +00:00
defense_evasion_agent_spoofing_mismatched_id.toml
Update defense_evasion_agent_spoofing_mismatched_id.toml (#5312)
2025-11-13 17:26:29 +00:00
defense_evasion_agent_spoofing_multiple_hosts.toml
[Tuning] Agent Spoofing - Multiple Hosts Using Same Agent (#5313)
2025-11-24 12:59:49 +00:00
defense_evasion_deleting_websvr_access_logs.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
defense_evasion_deletion_of_bash_command_line_history.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
defense_evasion_elastic_agent_service_terminated.toml
[Rule Tuning] Elastic Agent Service Terminated (#5272)
2025-11-12 08:34:34 -03:00
defense_evasion_encoding_rot13_python_script.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
defense_evasion_masquerading_space_after_filename.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
defense_evasion_potential_http_downgrade_attack.toml
[New Rule] Potential HTTP Downgrade Attack (#5372)
2025-12-04 16:23:38 +01:00
defense_evasion_timestomp_touch.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
defense_evasion_whitespace_padding_command_line.toml
[New] Command Line Obfuscation via Whitespace Padding (#4860)
2025-08-18 15:26:52 +01:00
discovery_security_software_grep.toml
[Rule Tuning] Q2 Linux DR Tuning - CP (#4170)
2024-10-18 16:38:14 +02:00
discovery_virtual_machine_fingerprinting_grep.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
execution_aws_ssm_sendcommand_with_command_parameters.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
execution_git_exploit_cve_2025_48384.toml
[New Rule] Potential Git CVE-2025-48384 Exploitation (#5301)
2025-11-12 15:45:52 +01:00
execution_nodejs_pre_or_post_install_script_execution.toml
[Rule Tuning] Node.js Pre or Post-Install Script Execution to Cross-Platform (#5403)
2025-12-04 09:07:12 -05:00
execution_pentest_eggshell_remote_admin_tool.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
execution_potential_widespread_malware_infection.toml
[Rule Tuning] ESQL Query Field Dynamic Field Standardization (#4912)
2025-08-05 19:35:41 -04:00
execution_privileged_container_creation_with_host_reference.toml
[New Rule] Privileged Container Creation with Host Directory Mount (#5373)
2025-12-02 09:33:16 +01:00
execution_register_github_actions_runner.toml
[New/Tuning] NPM Shai-Hulud coverage (#5368)
2025-12-02 10:57:12 +00:00
execution_revershell_via_shell_cmd.toml
[Docs | Rule Tuning] Add blog references to rules (#4097)
2024-09-25 15:19:20 -05:00
execution_suspicious_java_netcon_childproc.toml
[Rule Tuning] Linux DR Tuning - Part 6 (#4423)
2025-02-03 14:05:26 +01:00
execution_via_github_actions_runner.toml
[New/Tuning] NPM Shai-Hulud coverage (#5368)
2025-12-02 10:57:12 +00:00
execution_via_github_runner_with_runner_tracking_id_tampering_via_env_vars.toml
[New Rule] Tampering with RUNNER_TRACKING_ID in GitHub Actions Runners (#5370)
2025-12-02 10:22:24 +01:00
guided_onboarding_sample_rule.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
impact_hosts_file_modified.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
initial_access_azure_o365_with_network_alert.toml
[Rule Tuning] Microsoft Azure or Mail Sign-in from a Suspicious Source (#4946)
2025-07-31 09:57:02 -04:00
initial_access_exfiltration_new_usb_device_mounted.toml
[New] New USB Storage Device Mounted (#5299)
2025-11-11 09:28:54 +00:00
initial_access_file_upload_followed_by_get_request.toml
[New Rule] Initial Access via File Upload Followed by GET Request (#5371)
2025-12-04 16:10:13 +01:00
initial_access_zoom_meeting_with_no_passcode.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
multiple_alerts_different_tactics_host.toml
Update multiple_alerts_different_tactics_host.toml (#4854)
2025-06-27 09:53:42 -03:00
multiple_alerts_edr_elastic_defend_by_host.toml
[New] Alerts in Different ATT&CK Tactics by Host (#5343)
2025-11-24 22:46:09 +05:30
multiple_alerts_elastic_defend_netsecurity_by_host.toml
Update multiple_alerts_elastic_defend_netsecurity_by_host.toml (#5375)
2025-12-01 07:18:19 -08:00
multiple_alerts_email_elastic_defend_correlation.toml
[New] Elastic Defend and Email Alerts Correlation (#5336)
2025-11-24 22:26:00 +05:30
multiple_alerts_involving_user.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
multiple_alerts_risky_host_esql.toml
[New] Alerts in Different ATT&CK Tactics by Host (#5343)
2025-11-24 22:46:09 +05:30
persistence_credential_access_modify_auth_module_or_config.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
persistence_shell_profile_modification.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
persistence_ssh_authorized_keys_modification.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
persistence_web_server_potential_command_injection.toml
[Rule Tunings] Misc. Web Server Rules (#5384)
2025-12-02 09:21:16 +01:00
privilege_escalation_echo_nopasswd_sudoers.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
privilege_escalation_setuid_setgid_bit_set_via_chmod.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
privilege_escalation_sudo_buffer_overflow.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
privilege_escalation_sudoers_file_mod.toml
[Rule Tuning] Sudoers File Modification (#4904)
2025-07-16 10:17:51 +02:00
reconnaissance_web_server_discovery_or_fuzzing_activity.toml
[Rule Tunings] Misc. Web Server Rules (#5384)
2025-12-02 09:21:16 +01:00
reconnaissance_web_server_unusual_spike_in_error_logs.toml
[Rule Tunings] Misc. Web Server Rules (#5384)
2025-12-02 09:21:16 +01:00
reconnaissance_web_server_unusual_spike_in_error_response_codes.toml
[Rule Tunings] Misc. Web Server Rules (#5384)
2025-12-02 09:21:16 +01:00
reconnaissance_web_server_unusual_user_agents.toml
[Rule Tunings] Misc. Web Server Rules (#5384)
2025-12-02 09:21:16 +01:00