security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
1ed322f8d99157efdc7d2cd487c28f70cff001ee
sigma-rules/rules/integrations/aws
T
History
Isai 1ed322f8d9 [Rule Tuning] AWS SSM SendCommand Execution by Rare User (#4828) 
Rule is triggering as expected, very low instances of alerts in telemetry
- adjusted execution window
- slight edits to IG for accuracy
- removed exclusion `and not aws.cloudtrail.user_identity.arn: *AWSServiceRoleForAmazonSSM/StateManagerService*` from the query. This is a service-linked role meant to be used by AWS internal services. Therefore, the existing exclusion `and not source.address: "ssm.amazonaws.com"` already excludes the use of this role by the SSM service. I show this in the screenshot below. This will remove the use of wildcards in the query and improve performance.
- changed the new terms fields to use combination of `cloud.account.id` and `user.name` so that only roles (and not individual role sessions) are being evaluated. adding `cloud.account.id` accounts for duplicate user.names across multiple accounts.
2025-06-24 17:22:20 -04:00
..
collection_cloudtrail_logging_created.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
collection_s3_unauthenticated_bucket_access_by_rare_source.toml
[FR] Add Remaining Guides (#4412)
2025-01-22 14:43:30 -06:00
credential_access_aws_getpassword_for_ec2_instance.toml
[Rule Tuning] AWS EC2 Unauthorized Admin Credential Fetch via Assumed Role (#4774)
2025-06-06 15:08:48 -04:00
credential_access_aws_iam_assume_role_brute_force.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
credential_access_iam_compromisedkeyquarantine_policy_attached_to_user.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
credential_access_iam_user_addition_to_group.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
credential_access_new_terms_secretsmanager_getsecretvalue.toml
Replace master doc URLs with current (#4439)
2025-02-03 21:27:50 +05:30
credential_access_rapid_secret_retrieval_attempts_from_secretsmanager.toml
Replace master doc URLs with current (#4439)
2025-02-03 21:27:50 +05:30
credential_access_retrieve_secure_string_parameters_via_ssm.toml
[Rule Tuning] December-January AWS Rule Tuning (#4425)
2025-01-31 10:35:18 -05:00
credential_access_root_console_failure_brute_force.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
defense_evasion_cloudtrail_logging_deleted.toml
[Rule Tuning] Add Investigation Fields to Specific AWS Rules (#4261)
2024-11-08 23:11:18 -05:00
defense_evasion_cloudtrail_logging_evasion.toml
[New Rule] AWS CloudTrail Log Evasion (#4788)
2025-06-17 13:58:26 -04:00
defense_evasion_cloudtrail_logging_suspended.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
defense_evasion_cloudwatch_alarm_deletion.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
defense_evasion_config_service_rule_deletion.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
defense_evasion_configuration_recorder_stopped.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
defense_evasion_ec2_flow_log_deletion.toml
[Rule Tunings] AWS EC2 Flow Log Deletion and Network ACL Activity (#4778)
2025-06-06 14:11:54 -04:00
defense_evasion_ec2_network_acl_deletion.toml
[Rule Tunings] AWS EC2 Flow Log Deletion and Network ACL Activity (#4778)
2025-06-06 14:11:54 -04:00
defense_evasion_elasticache_security_group_creation.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
defense_evasion_elasticache_security_group_modified_or_deleted.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
defense_evasion_guardduty_detector_deletion.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
defense_evasion_rds_instance_restored.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
defense_evasion_route53_dns_query_resolver_config_deletion.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
defense_evasion_s3_bucket_configuration_deletion.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
defense_evasion_s3_bucket_lifecycle_expiration_added.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
defense_evasion_s3_bucket_server_access_logging_disabled.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
defense_evasion_sqs_purge_queue.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
defense_evasion_sts_get_federation_token.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
defense_evasion_vpc_security_group_ingress_rule_added_for_remote_connections.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
defense_evasion_waf_acl_deletion.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
defense_evasion_waf_rule_or_rule_group_deletion.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
discovery_ec2_deprecated_ami_discovery.toml
[Rule Tuning] AWS EC2 Deprecated AMI Discovery (#4784)
2025-06-17 13:19:22 -04:00
discovery_ec2_multi_region_describe_instances.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
discovery_ec2_multiple_discovery_api_calls_via_cli.toml
Prep for Release 9.0 (#4550)
2025-03-20 20:32:07 +05:30
discovery_ec2_userdata_request_for_ec2_instance.toml
[Rule Tuning] AWS EC2 User Data Retrieval for EC2 Instance (#4808)
2025-06-17 14:51:18 -04:00
discovery_new_terms_sts_getcalleridentity.toml
Replace master doc URLs with current (#4439)
2025-02-03 21:27:50 +05:30
discovery_servicequotas_multi_region_service_quota_requests.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
execution_lambda_external_layer_added_to_function.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
execution_new_terms_cloudformation_createstack.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
execution_ssm_command_document_created_by_rare_user.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
execution_ssm_sendcommand_by_rare_user.toml
[Rule Tuning] AWS SSM SendCommand Execution by Rare User (#4828)
2025-06-24 17:22:20 -04:00
exfiltration_dynamodb_scan_by_unusual_user.toml
[New Rule] Adding Coverage for DynamoDB Exfiltration Behaviors (#4535)
2025-03-21 10:05:24 -04:00
exfiltration_dynamodb_table_exported_to_s3.toml
[New Rule] Adding Coverage for DynamoDB Exfiltration Behaviors (#4535)
2025-03-21 10:05:24 -04:00
exfiltration_ec2_ami_shared_with_separate_account.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
exfiltration_ec2_ebs_snapshot_shared_with_another_account.toml
[Rule Tuning][New Rule][Deprecation] AWS EC2 EBS Snapshot Activity Rules (#4763)
2025-06-04 10:49:52 -04:00
exfiltration_ec2_full_network_packet_capture_detected.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
exfiltration_ec2_snapshot_change_activity.toml
[Rule Tuning][New Rule][Deprecation] AWS EC2 EBS Snapshot Activity Rules (#4763)
2025-06-04 10:49:52 -04:00
exfiltration_ec2_vm_export_failure.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
exfiltration_rds_snapshot_export.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
exfiltration_rds_snapshot_shared_with_another_account.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
exfiltration_s3_bucket_policy_added_for_external_account_access.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
exfiltration_s3_bucket_replicated_to_external_account.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
exfiltration_sns_email_subscription_by_rare_user.toml
[New Hunt] Adding Hunting Queries for AWS SNS exfiltration and data collection (#4458)
2025-02-20 10:53:36 -05:00
impact_aws_eventbridge_rule_disabled_or_deleted.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
impact_aws_s3_bucket_enumeration_or_brute_force.toml
Prep for Release 9.0 (#4550)
2025-03-20 20:32:07 +05:30
impact_cloudtrail_logging_updated.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
impact_cloudwatch_log_group_deletion.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
impact_cloudwatch_log_stream_deletion.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
impact_ec2_disable_ebs_encryption.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
impact_ec2_ebs_snapshot_access_removed.toml
[Rule Tuning][New Rule][Deprecation] AWS EC2 EBS Snapshot Activity Rules (#4763)
2025-06-04 10:49:52 -04:00
impact_efs_filesystem_or_mount_deleted.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
impact_iam_deactivate_mfa_device.toml
[New Rule] AWS STS AssumeRole with New MFA Device [Rule Tuning] AWS IAM Deactivation of MFA Device (#4210)
2024-11-05 02:09:05 -05:00
impact_iam_group_deletion.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
impact_kms_cmk_disabled_or_scheduled_for_deletion.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
impact_rds_group_deletion.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
impact_rds_instance_cluster_deletion_protection_disabled.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
impact_rds_instance_cluster_deletion.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
impact_rds_instance_cluster_stoppage.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
impact_rds_snapshot_deleted.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
impact_s3_bucket_object_uploaded_with_ransom_extension.toml
Prep for Release 9.0 (#4550)
2025-03-20 20:32:07 +05:30
impact_s3_excessive_object_encryption_with_sse_c.toml
[New Rule] Adding Coverage for Unusual AWS S3 Object Encryption with SSE-C (#4377)
2025-01-15 14:11:58 -05:00
impact_s3_object_encryption_with_external_key.toml
Prep for Release 9.0 (#4550)
2025-03-20 20:32:07 +05:30
impact_s3_object_versioning_disabled.toml
Replace master doc URLs with current (#4439)
2025-02-03 21:27:50 +05:30
impact_s3_static_site_js_file_uploaded.toml
[New Rule] Adding Coverage for AWS S3 Static Site JavaScript File Uploaded (#4617)
2025-04-30 16:25:03 -04:00
impact_s3_unusual_object_encryption_with_sse_c.toml
[New Rule] Adding Coverage for Unusual AWS S3 Object Encryption with SSE-C (#4377)
2025-01-15 14:11:58 -05:00
initial_access_console_login_root.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
initial_access_iam_session_token_used_from_multiple_addresses.toml
[Tuning] AWS Access Token Used from Multiple Addresses (#4753)
2025-06-02 11:32:05 -04:00
initial_access_kali_user_agent_detected_with_aws_cli.toml
[New Rule] Adding Coverage for AWS CLI with Kali Linux Fingerprint Identified (#4625)
2025-04-21 12:06:57 -04:00
initial_access_password_recovery.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
initial_access_signin_console_login_no_mfa.toml
Prep for Release 9.0 (#4550)
2025-03-20 20:32:07 +05:30
lateral_movement_aws_ssm_start_session_to_ec2_instance.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
lateral_movement_ec2_instance_connect_ssh_public_key_uploaded.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
lateral_movement_ec2_instance_console_login.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
lateral_movement_sns_topic_message_publish_by_rare_user.toml
[New Rule] Adding Coverage for SNS Topic Message Publish by Rare User (#4350)
2025-01-15 13:55:45 -05:00
ml_cloudtrail_error_message_spike.toml
Adding setup templates to the ML rules (#3798)
2024-06-19 10:04:41 -04:00
ml_cloudtrail_rare_error_code.toml
Adding setup templates to the ML rules (#3798)
2024-06-19 10:04:41 -04:00
ml_cloudtrail_rare_method_by_city.toml
Adding setup templates to the ML rules (#3798)
2024-06-19 10:04:41 -04:00
ml_cloudtrail_rare_method_by_country.toml
Adding setup templates to the ML rules (#3798)
2024-06-19 10:04:41 -04:00
ml_cloudtrail_rare_method_by_user.toml
Adding setup templates to the ML rules (#3798)
2024-06-19 10:04:41 -04:00
NOTICE.txt
[Fleet] Track integrations in folder and metadata (#1372)
2021-07-21 15:24:56 -06:00
persistence_aws_attempt_to_register_virtual_mfa_device.toml
[New Rule] Adding Coverage for AWS IAM Virtual MFA Device Registration (#4626)
2025-04-21 11:02:14 -04:00
persistence_ec2_network_acl_creation.toml
[Rule Tunings] AWS EC2 Flow Log Deletion and Network ACL Activity (#4778)
2025-06-06 14:11:54 -04:00
persistence_ec2_route_table_modified_or_deleted.toml
Fix remaining Replace master doc URLs with current (#4441)
2025-02-03 23:03:20 +05:30
persistence_ec2_security_group_configuration_change_detection.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
persistence_iam_api_calls_via_user_session_token.toml
[New Rule] Adding Coverage for AWS IAM or STS API Calls via Temporary Session Tokens (#4628)
2025-04-24 15:39:51 -04:00
persistence_iam_create_login_profile_for_root.toml
Prep for Release 9.0 (#4550)
2025-03-20 20:32:07 +05:30
persistence_iam_create_user_via_assumed_role_on_ec2_instance.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
persistence_iam_group_creation.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
persistence_iam_roles_anywhere_profile_created.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
persistence_iam_roles_anywhere_trusted_anchor_created_with_external_ca.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
persistence_iam_user_created_access_keys_for_another_user.toml
Prep for Release 9.0 (#4550)
2025-03-20 20:32:07 +05:30
persistence_lambda_backdoor_invoke_function_for_any_principal.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
persistence_rds_cluster_creation.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
persistence_rds_db_instance_password_modified.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
persistence_rds_group_creation.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
persistence_rds_instance_creation.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
persistence_rds_instance_made_public.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
persistence_redshift_instance_creation.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
persistence_route_53_domain_transfer_lock_disabled.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
persistence_route_53_domain_transferred_to_another_account.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
persistence_route_53_hosted_zone_associated_with_a_vpc.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
persistence_route_table_created.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
persistence_sts_assume_role_with_new_mfa.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
privilege_escalation_iam_administratoraccess_policy_attached_to_group.toml
Prep for Release 9.0 (#4550)
2025-03-20 20:32:07 +05:30
privilege_escalation_iam_administratoraccess_policy_attached_to_role.toml
Prep for Release 9.0 (#4550)
2025-03-20 20:32:07 +05:30
privilege_escalation_iam_administratoraccess_policy_attached_to_user.toml
Prep for Release 9.0 (#4550)
2025-03-20 20:32:07 +05:30
privilege_escalation_iam_customer_managed_policy_attached_to_role.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
privilege_escalation_iam_saml_provider_updated.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
privilege_escalation_iam_update_assume_role_policy.toml
[Rule Tuning] AWS IAM Assume Role Policy Update (#4799)
2025-06-17 15:03:55 -04:00
privilege_escalation_role_assumption_by_service.toml
[Rule Tuning] December-January AWS Rule Tuning (#4425)
2025-01-31 10:35:18 -05:00
privilege_escalation_role_assumption_by_user.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
privilege_escalation_root_login_without_mfa.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
privilege_escalation_sts_assume_root_from_rare_user_and_member_account.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
privilege_escalation_sts_getsessiontoken_abuse.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
privilege_escalation_sts_role_chaining.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
resource_development_sns_topic_created_by_rare_user.toml
[New Rule] Adding Coverage for AWS SNS Topic Created by Rare User (#4455)
2025-02-20 10:05:40 -05:00