security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
581ef73bc0b69e5fb32da401684f313424e77b47
sigma-rules/rules/integrations/aws
T
History
Isai b6847c7a48 [New Rule] AWS STS Role Chaining (#4209) 
* [New Rule] AWS STS Role Chaining

Identifies role chaining activity. Role chaining is when you use one assumed role to assume a second role through the AWS CLI or API.
While this a recognized functionality in AWS, role chaining can be abused for privilege escalation if the subsequent assumed role provides additional privileges.
Role chaining can also be used as a persistence mechanism as each AssumeRole action results in a refreshed session token with a 1 hour maximum duration.
This rule looks for role chaining activity happening within a single account, to eliminate false positives produced by common cross-account behavior.

* adding metadata query fields

* removing index field
2024-10-30 12:18:04 -04:00
..
collection_cloudtrail_logging_created.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
credential_access_aws_getpassword_for_ec2_instance.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
credential_access_aws_iam_assume_role_brute_force.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
credential_access_iam_compromisedkeyquarantine_policy_attached_to_user.toml
[New Rule] AWS IAM CompromisedKeyQuarantine Policy Attached to User (#3910)
2024-08-01 00:30:02 -04:00
credential_access_iam_user_addition_to_group.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
credential_access_new_terms_secretsmanager_getsecretvalue.toml
Prep for next release 8.16 (#3919)
2024-07-24 11:19:56 -04:00
credential_access_rapid_secret_retrieval_attempts_from_secretsmanager.toml
Prep for next release 8.16 (#3919)
2024-07-24 11:19:56 -04:00
credential_access_retrieve_secure_string_parameters_via_ssm.toml
Prep for next release 8.16 (#3919)
2024-07-24 11:19:56 -04:00
credential_access_root_console_failure_brute_force.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
defense_evasion_cloudtrail_logging_deleted.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
defense_evasion_cloudtrail_logging_suspended.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
defense_evasion_cloudwatch_alarm_deletion.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
defense_evasion_config_service_rule_deletion.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
defense_evasion_configuration_recorder_stopped.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
defense_evasion_ec2_flow_log_deletion.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
defense_evasion_ec2_network_acl_deletion.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
defense_evasion_elasticache_security_group_creation.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
defense_evasion_elasticache_security_group_modified_or_deleted.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
defense_evasion_guardduty_detector_deletion.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
defense_evasion_rds_instance_restored.toml
[Rule Tuning] AWS RDS Snapshot Restored (#3809)
2024-06-28 20:42:36 -04:00
defense_evasion_route53_dns_query_resolver_config_deletion.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
defense_evasion_s3_bucket_configuration_deletion.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
defense_evasion_s3_bucket_lifecycle_expiration_added.toml
Prep for next release 8.16 (#3919)
2024-07-24 11:19:56 -04:00
defense_evasion_s3_bucket_server_access_logging_disabled.toml
[New Rule] AWS S3 Bucket Server Access Logging Disabled (#3892)
2024-07-18 18:28:19 -04:00
defense_evasion_sts_get_federation_token.toml
[New Rule] First Occurrence AWS STS Temporary Credential Request by User (#3991)
2024-08-21 20:17:10 -04:00
defense_evasion_vpc_security_group_ingress_rule_added_for_remote_connections.toml
Prep for next release 8.16 (#3919)
2024-07-24 11:19:56 -04:00
defense_evasion_waf_acl_deletion.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
defense_evasion_waf_rule_or_rule_group_deletion.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
discovery_ec2_multi_region_describe_instances.toml
[Rule Tuning] Add KEEP Command to all ES|QL Rules (#4146)
2024-10-09 21:08:38 -04:00
discovery_new_terms_sts_getcalleridentity.toml
[Rule Tuning] AWS STS GetCallerIdentity API Called for the First Time (#4094)
2024-09-24 09:32:12 -04:00
discovery_servicequotas_multi_region_service_quota_requests.toml
[Rule Tuning] Add KEEP Command to all ES|QL Rules (#4146)
2024-10-09 21:08:38 -04:00
execution_lambda_external_layer_added_to_function.toml
Prep for next release 8.16 (#3919)
2024-07-24 11:19:56 -04:00
execution_new_terms_cloudformation_createstack.toml
[New Rule] AWS IAM User or Role Created Cloudformation Stack for First Time (#3923)
2024-07-31 16:55:49 -04:00
exfiltration_ec2_ami_shared_with_separate_account.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
exfiltration_ec2_ebs_snapshot_shared_with_another_account.toml
[Rule Tuning] Add METADATA checks for non-aggregate ES|QL queries and fix existing (#4126)
2024-10-09 15:25:36 -04:00
exfiltration_ec2_full_network_packet_capture_detected.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
exfiltration_ec2_snapshot_change_activity.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
exfiltration_ec2_vm_export_failure.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
exfiltration_rds_snapshot_export.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
exfiltration_rds_snapshot_shared_with_another_account.toml
[Rule Tunings] Change from to prevent double alerts (#3868)
2024-07-11 13:02:10 -04:00
exfiltration_s3_bucket_policy_added_for_external_account_access.toml
Prep for next release 8.16 (#3919)
2024-07-24 11:19:56 -04:00
exfiltration_s3_bucket_replicated_to_external_account.toml
[New Rule] AWS S3 Bucket Replicated to Another Account (#3895)
2024-07-18 22:52:39 -04:00
impact_aws_eventbridge_rule_disabled_or_deleted.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
impact_aws_s3_bucket_enumeration_or_brute_force.toml
[Rule Tuning] Add KEEP Command to all ES|QL Rules (#4146)
2024-10-09 21:08:38 -04:00
impact_cloudtrail_logging_updated.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
impact_cloudwatch_log_group_deletion.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
impact_cloudwatch_log_stream_deletion.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
impact_ec2_disable_ebs_encryption.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
impact_efs_filesystem_or_mount_deleted.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
impact_iam_deactivate_mfa_device.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
impact_iam_group_deletion.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
impact_kms_cmk_disabled_or_scheduled_for_deletion.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
impact_rds_group_deletion.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
impact_rds_instance_cluster_deletion_protection_disabled.toml
[Rule Tunings] Change from to prevent double alerts (#3868)
2024-07-11 13:02:10 -04:00
impact_rds_instance_cluster_deletion.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
impact_rds_instance_cluster_stoppage.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
impact_rds_snapshot_deleted.toml
[Rule Tunings] Change from to prevent double alerts (#3868)
2024-07-11 13:02:10 -04:00
impact_s3_bucket_object_uploaded_with_ransom_extension.toml
[Rule Tuning] Add KEEP Command to all ES|QL Rules (#4146)
2024-10-09 21:08:38 -04:00
impact_s3_object_encryption_with_external_key.toml
[Rule Tuning] Add KEEP Command to all ES|QL Rules (#4146)
2024-10-09 21:08:38 -04:00
impact_s3_object_versioning_disabled.toml
[Rule Tuning] AWS S3 Object Versioning Suspended (#3953)
2024-08-02 13:36:11 -03:00
initial_access_console_login_root.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
initial_access_password_recovery.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
initial_access_signin_console_login_no_mfa.toml
[Rule Tuning] Add KEEP Command to all ES|QL Rules (#4146)
2024-10-09 21:08:38 -04:00
initial_access_via_system_manager.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
lateral_movement_aws_ssm_start_session_to_ec2_instance.toml
Prep for next release 8.16 (#3919)
2024-07-24 11:19:56 -04:00
lateral_movement_ec2_instance_console_login.toml
[New Rule] AWS EC2 Instance Console Login via Assumed Role (#3922)
2024-07-31 15:52:59 -04:00
ml_cloudtrail_error_message_spike.toml
Adding setup templates to the ML rules (#3798)
2024-06-19 10:04:41 -04:00
ml_cloudtrail_rare_error_code.toml
Adding setup templates to the ML rules (#3798)
2024-06-19 10:04:41 -04:00
ml_cloudtrail_rare_method_by_city.toml
Adding setup templates to the ML rules (#3798)
2024-06-19 10:04:41 -04:00
ml_cloudtrail_rare_method_by_country.toml
Adding setup templates to the ML rules (#3798)
2024-06-19 10:04:41 -04:00
ml_cloudtrail_rare_method_by_user.toml
Adding setup templates to the ML rules (#3798)
2024-06-19 10:04:41 -04:00
NOTICE.txt
[Fleet] Track integrations in folder and metadata (#1372)
2021-07-21 15:24:56 -06:00
persistence_ec2_instance_request_to_iam_service.toml
[New Rule] AWS EC2 Instance Interaction with IAM Service (#3920)
2024-07-31 15:44:02 -04:00
persistence_ec2_network_acl_creation.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
persistence_ec2_security_group_configuration_change_detection.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
persistence_iam_group_creation.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
persistence_iam_roles_anywhere_profile_created.toml
Prep for next release 8.16 (#3919)
2024-07-24 11:19:56 -04:00
persistence_iam_roles_anywhere_trusted_anchor_created_with_external_ca.toml
Prep for next release 8.16 (#3919)
2024-07-24 11:19:56 -04:00
persistence_iam_user_created_access_keys_for_another_user.toml
[Rule Tuning] Add KEEP Command to all ES|QL Rules (#4146)
2024-10-09 21:08:38 -04:00
persistence_lambda_backdoor_invoke_function_for_any_principal.toml
Prep for next release 8.16 (#3919)
2024-07-24 11:19:56 -04:00
persistence_rds_cluster_creation.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
persistence_rds_db_instance_password_modified.toml
[Rule Tunings] Change from to prevent double alerts (#3868)
2024-07-11 13:02:10 -04:00
persistence_rds_group_creation.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
persistence_rds_instance_creation.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
persistence_rds_instance_made_public.toml
[Rule Tunings] Change from to prevent double alerts (#3868)
2024-07-11 13:02:10 -04:00
persistence_redshift_instance_creation.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
persistence_route_53_domain_transfer_lock_disabled.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
persistence_route_53_domain_transferred_to_another_account.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
persistence_route_53_hosted_zone_associated_with_a_vpc.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
persistence_route_table_created.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
persistence_route_table_modified_or_deleted.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
privilege_escalation_ec2_instance_connect_ssh_public_key_uploaded.toml
Prep for next release 8.16 (#3919)
2024-07-24 11:19:56 -04:00
privilege_escalation_iam_administratoraccess_policy_attached_to_group.toml
[Rule Tuning] Add KEEP Command to all ES|QL Rules (#4146)
2024-10-09 21:08:38 -04:00
privilege_escalation_iam_administratoraccess_policy_attached_to_role.toml
[Rule Tuning] Add KEEP Command to all ES|QL Rules (#4146)
2024-10-09 21:08:38 -04:00
privilege_escalation_iam_administratoraccess_policy_attached_to_user.toml
[Rule Tuning] Add KEEP Command to all ES|QL Rules (#4146)
2024-10-09 21:08:38 -04:00
privilege_escalation_iam_saml_provider_updated.toml
[Rule Tuning] Tuning AWS Rules for SAML Provider Updates and Assumed Roles via STS (#3898)
2024-08-20 11:53:46 -04:00
privilege_escalation_root_login_without_mfa.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
privilege_escalation_sts_getsessiontoken_abuse.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
privilege_escalation_sts_role_chaining.toml
[New Rule] AWS STS Role Chaining (#4209)
2024-10-30 12:18:04 -04:00
privilege_escalation_sts_temp_creds_via_assume_role.toml
[Rule Tuning] Tuning AWS Rules for SAML Provider Updates and Assumed Roles via STS (#3898)
2024-08-20 11:53:46 -04:00
privilege_escalation_updateassumerolepolicy.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30