security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
362c459094ab9eaba574cf63fcc175fb8b322604
sigma-rules/rules/integrations/cloud_defend
T
History
Ruben Groenewoud 7c03840737 [New Rules] Misc. D4C Rules re: (un)Authenticated API Access (#5661) 
* Updated kubernetes.audit.requestObject.spec.containers.image type of text to Keyword

* [New Rules] Misc. D4C Rules related to (un)authenticated API Access

* Apply suggestion from @Aegrah

* [New Rule] Kubelet Certificate File Access Detected via Defend for Containers

* [New Rule] Kubeletctl Execution Detected via Defend for Containers

* [New Rule] Potential Kubeletctl Execution Detected via Defend for Containers

* [New Rule] Kubernetes Potential Endpoint Permission Enumeration Attempt Detected

* [New Rule] Kubernetes Potential Endpoint Permission Enumeration Attempt by Anonymous User Detected

* [New Rule] Kubernetes Anonymous User Create/Update/Patch Pods Request

* [New Rule] Potential Cluster Enumeration via jq Detected via Defend for Containers

* Apply suggestion from @Aegrah

* Update execution_kubeletctl_execution.toml
2026-02-04 09:58:42 +01:00
..
command_and_control_curl_socks_proxy_detected_inside_container.toml
Add investigation guides (#5630)
2026-01-27 14:28:06 +05:30
container_workload_protection.toml
[New Rules] Reintroduction of Defend for Containers (D4C) Ruleset (#5561)
2026-01-26 16:37:34 +01:00
credential_access_cloud_creds_search_inside_a_container.toml
[New Rules] Reintroduction of Defend for Containers (D4C) Ruleset (#5561)
2026-01-26 16:37:34 +01:00
credential_access_collection_sensitive_files_compression_inside_a_container.toml
[New Rules] Reintroduction of Defend for Containers (D4C) Ruleset (#5561)
2026-01-26 16:37:34 +01:00
credential_access_sensitive_keys_or_passwords_search_inside_a_container.toml
[New Rules] Reintroduction of Defend for Containers (D4C) Ruleset (#5561)
2026-01-26 16:37:34 +01:00
credential_access_service_account_token_or_cert_read.toml
Add investigation guides (#5630)
2026-01-27 14:28:06 +05:30
defense_evasion_ld_preload_shared_object_modified_inside_a_container.toml
[New Rules] Reintroduction of Defend for Containers (D4C) Ruleset (#5561)
2026-01-26 16:37:34 +01:00
discovery_dns_enumeration.toml
Add investigation guides (#5630)
2026-01-27 14:28:06 +05:30
discovery_environment_enumeration.toml
Add investigation guides (#5630)
2026-01-27 14:28:06 +05:30
discovery_kubelet_certificate_file_access.toml
[New Rules] Misc. D4C Rules re: (un)Authenticated API Access (#5661)
2026-02-04 09:58:42 +01:00
discovery_potential_cluster_enumeration_via_jq.toml
[New Rules] Misc. D4C Rules re: (un)Authenticated API Access (#5661)
2026-02-04 09:58:42 +01:00
discovery_service_account_namespace_read.toml
Add investigation guides (#5630)
2026-01-27 14:28:06 +05:30
discovery_suspicious_network_tool_launched_inside_a_container.toml
[New Rules] Reintroduction of Defend for Containers (D4C) Ruleset (#5561)
2026-01-26 16:37:34 +01:00
discovery_tool_enumeration.toml
Add investigation guides (#5630)
2026-01-27 14:28:06 +05:30
execution_container_management_binary_launched_inside_a_container.toml
[New Rules] Reintroduction of Defend for Containers (D4C) Ruleset (#5561)
2026-01-26 16:37:34 +01:00
execution_direct_interactive_kubernetes_api_request.toml
Add investigation guides (#5630)
2026-01-27 14:28:06 +05:30
execution_interactive_exec_to_container.toml
[New Rules] Reintroduction of Defend for Containers (D4C) Ruleset (#5561)
2026-01-26 16:37:34 +01:00
execution_interactive_shell_spawned_from_inside_a_container.toml
[New Rules] Reintroduction of Defend for Containers (D4C) Ruleset (#5561)
2026-01-26 16:37:34 +01:00
execution_kubeletctl_execution.toml
[New Rules] Misc. D4C Rules re: (un)Authenticated API Access (#5661)
2026-02-04 09:58:42 +01:00
execution_netcat_listener_established_inside_a_container.toml
[New Rules] Reintroduction of Defend for Containers (D4C) Ruleset (#5561)
2026-01-26 16:37:34 +01:00
execution_potential_direct_kubelet_access_via_process_args.toml
[New Rules] Misc. D4C Rules re: (un)Authenticated API Access (#5661)
2026-02-04 09:58:42 +01:00
execution_suspicious_file_made_executable_via_chmod_inside_a_container.toml
[New Rules] Reintroduction of Defend for Containers (D4C) Ruleset (#5561)
2026-01-26 16:37:34 +01:00
execution_tool_installation.toml
Add investigation guides (#5630)
2026-01-27 14:28:06 +05:30
persistence_ssh_authorized_keys_modification_inside_a_container.toml
[New Rules] Reintroduction of Defend for Containers (D4C) Ruleset (#5561)
2026-01-26 16:37:34 +01:00
privilege_escalation_debugfs_launched_inside_a_privileged_container.toml
[New Rules] Reintroduction of Defend for Containers (D4C) Ruleset (#5561)
2026-01-26 16:37:34 +01:00
privilege_escalation_mount_launched_inside_a_privileged_container.toml
[New Rules] Reintroduction of Defend for Containers (D4C) Ruleset (#5561)
2026-01-26 16:37:34 +01:00
privilege_escalation_potential_container_escape_via_modified_notify_on_release_file.toml
[New Rules] Reintroduction of Defend for Containers (D4C) Ruleset (#5561)
2026-01-26 16:37:34 +01:00
privilege_escalation_potential_container_escape_via_modified_release_agent_file.toml
[New Rules] Reintroduction of Defend for Containers (D4C) Ruleset (#5561)
2026-01-26 16:37:34 +01:00