security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
61ee9caf8a47d1557fa504df0150965ec36e60aa
sigma-rules/rules/cross-platform
T
History
Samirbous 244cdda427 [New] Multi-Cloud CLI Token and Credential Access Commands (#6012) 
* [New] Multi-Cloud CLI Token and Credential Access Commands

Correlates process telemetry for shells and major cloud/Kubernetes CLIs when command lines match token or credential material access patterns (GCP, Azure, AWS, GitHub, kubectl, DigitalOcean, OCI). Flags hosts where multiple cloud targets appear occurs within five-minute window.

* Update credential_access_multi_cloud_cli_token_harvesting.toml

* Update credential_access_multi_cloud_cli_token_harvesting.toml

* Update credential_access_multi_cloud_cli_token_harvesting.toml

* Update credential_access_multi_cloud_cli_token_harvesting.toml

* Apply suggestion from @eric-forte-elastic

Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>

* Update credential_access_multi_cloud_cli_token_harvesting.toml

* Update credential_access_multi_cloud_cli_token_harvesting.toml

* Update credential_access_multi_cloud_cli_token_harvesting.toml

---------

Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>
2026-05-01 17:35:19 +01:00
..
command_and_control_common_llm_endpoint.toml
[Rule Tuning] Additional GenAI context for Domains & Cred File Access (#5958)
2026-04-22 11:34:10 -05:00
command_and_control_curl_wget_spawn_via_nodejs_parent.toml
[Rule Tuning] Misc GenAI Rules (#5929)
2026-04-08 07:05:35 -05:00
command_and_control_genai_process_suspicious_tld_connection.toml
[New Rules] Add MITRE ATLAS framework support and GenAI threat detection rules (#5352)
2025-12-05 12:26:56 -06:00
command_and_control_genai_process_unusual_domain.toml
[Rule Tuning] Misc GenAI Tuning (#5825)
2026-03-11 11:46:33 -05:00
command_and_control_google_drive_malicious_file_download.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
command_and_control_kubectl_networking_modification.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
command_and_control_pan_elastic_defend_c2.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
command_and_control_socks_fortigate_endpoint.toml
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
2026-04-10 12:27:52 -04:00
command_and_control_suricata_elastic_defend_c2.toml
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
2026-04-10 12:27:52 -04:00
command_and_control_tunnel_qemu.toml
[Rule Tuning] Update MDE tags to "Microsoft Defender XDR" (#5927)
2026-04-20 18:38:09 -03:00
credential_access_cookies_chromium_browsers_debugging.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
credential_access_forced_authentication_pipes.toml
[Rule Tuning] Tighten Up Windows EventLog Indexes, Improve tags (#4464)
2025-02-19 12:54:31 -03:00
credential_access_genai_process_sensitive_file_access.toml
[Rule Tuning] Additional GenAI context for Domains & Cred File Access (#5958)
2026-04-22 11:34:10 -05:00
credential_access_gitleaks_execution.toml
[Rule Tuning] Update MDE tags to "Microsoft Defender XDR" (#5927)
2026-04-20 18:38:09 -03:00
credential_access_grep_recursive_credential_discovery.toml
[New] Potential Credential Discovery via Recursive Grep (#5882)
2026-03-26 11:27:33 +00:00
credential_access_multi_cloud_cli_token_harvesting.toml
[New] Multi-Cloud CLI Token and Credential Access Commands (#6012)
2026-05-01 17:35:19 +01:00
credential_access_multi_could_secrets_via_api.toml
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
2026-04-10 12:27:52 -04:00
credential_access_trufflehog_execution.toml
[Rule Tuning] Update MDE tags to "Microsoft Defender XDR" (#5927)
2026-04-20 18:38:09 -03:00
defense_evasion_agent_spoofing_multiple_hosts.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
defense_evasion_data_encrypted_via_openssl.toml
Monthly Manifest and Schema Updation (#5920)
2026-04-06 17:35:33 +05:30
defense_evasion_deleting_websvr_access_logs.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
defense_evasion_deletion_of_bash_command_line_history.toml
[Rule Tuning] Linux DR CP Tuning (#5512)
2026-01-07 16:40:37 +01:00
defense_evasion_elastic_agent_service_terminated.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
defense_evasion_encoding_rot13_python_script.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
defense_evasion_genai_config_modification.toml
[Rule Tuning] Misc GenAI Rules (#5929)
2026-04-08 07:05:35 -05:00
defense_evasion_genai_process_compiling_executables.toml
[Rule Tuning] Update MDE tags to "Microsoft Defender XDR" (#5927)
2026-04-20 18:38:09 -03:00
defense_evasion_genai_process_encoding_prior_to_network_activity.toml
[Rule Tuning] Update MDE tags to "Microsoft Defender XDR" (#5927)
2026-04-20 18:38:09 -03:00
defense_evasion_long_base64_encoded_interpreter_command_line.toml
[New] Long Base64 Encoded Command via Scripting Interpreter (#5891)
2026-04-22 18:05:49 +01:00
defense_evasion_masquerading_space_after_filename.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
defense_evasion_missing_events_after_alert.toml
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
2026-04-10 12:27:52 -04:00
defense_evasion_potential_http_downgrade_attack.toml
[Rule Tuning] Added Traefik Compatibility to Web Server Access Rules (#5837)
2026-03-17 17:28:47 +01:00
defense_evasion_potential_kubectl_impersonation.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
defense_evasion_potential_kubectl_masquerading.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
defense_evasion_processes_with_trailing_spaces.toml
Prep for Release 9.3 (#5548)
2026-01-12 21:07:07 +05:30
defense_evasion_timestomp_touch.toml
[Rule Tuning] Linux DR CP Tuning (#5512)
2026-01-07 16:40:37 +01:00
defense_evasion_whitespace_padding_command_line.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
discovery_kubectl_permission_discovery.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
discovery_kubectl_secrets_all_namespaces.toml
[Tuning] Expand compatibility to extra OS (#5883)
2026-03-26 12:10:17 +00:00
discovery_security_software_grep.toml
[New] Endpoint Rule Conversion PR (#5658)
2026-02-06 10:53:44 -06:00
discovery_virtual_machine_fingerprinting_grep.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
discovery_web_server_local_file_inclusion_activity.toml
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
2026-04-10 12:27:52 -04:00
discovery_web_server_remote_file_inclusion_activity.toml
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
2026-04-10 12:27:52 -04:00
execution_aws_ec2_lolbin_via_ssm.toml
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
2026-04-10 12:27:52 -04:00
execution_aws_ssm_sendcommand_with_command_parameters.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_d4c_k8s_mda_direct_interactive_kubernetes_api_request_by_usual_utilities.toml
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
2026-04-10 12:27:52 -04:00
execution_d4c_k8s_mda_forbidden_direct_interactive_kubernetes_api_request.toml
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
2026-04-10 12:27:52 -04:00
execution_d4c_k8s_mda_kubernetes_api_activity_by_unusual_utilities.toml
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
2026-04-10 12:27:52 -04:00
execution_d4c_k8s_mda_service_account_token_access_followed_by_kubernetes_api_request.toml
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
2026-04-10 12:27:52 -04:00
execution_git_exploit_cve_2025_48384.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_kubernetes_direct_api_request_via_curl_or_wget.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_nodejs_pre_or_post_install_script_execution.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_openclaw_agent_child_process.toml
[Rule Tuning] Misc GenAI Rules (#5929)
2026-04-08 07:05:35 -05:00
execution_pentest_eggshell_remote_admin_tool.toml
[Rule Tuning] Dormant & Deprecated Rule Clean-Up (#5672)
2026-02-05 13:24:21 +01:00
execution_potential_widespread_malware_infection.toml
[Rule Tuning] ESQL Query Field Dynamic Field Standardization (#4912)
2025-08-05 19:35:41 -04:00
execution_privileged_container_creation_with_host_reference.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_register_github_actions_runner.toml
[Rule Tuning] Update MDE tags to "Microsoft Defender XDR" (#5927)
2026-04-20 18:38:09 -03:00
execution_revershell_via_shell_cmd.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_sap_netweaver_jsp_webshell.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_sap_netweaver_webshell_exec.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_suspicious_java_netcon_childproc.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_suspicious_python_command_execution.toml
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
2026-04-10 12:27:52 -04:00
execution_via_github_actions_runner.toml
[Tuning] Execution via GitHub Actions Runner (#5892)
2026-04-22 22:46:22 +05:30
execution_via_github_runner_with_runner_tracking_id_tampering_via_env_vars.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
exfiltration_potential_curl_data_exfiltration.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
guided_onboarding_sample_rule.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
impact_alert_from_a_process_with_cpu_spike.toml
[Tuning] Mis Rules Tuning (#5817)
2026-03-23 10:49:23 +00:00
impact_alerts_on_host_with_cpu_spike.toml
Update impact_alerts_on_host_with_cpu_spike.toml (#5789)
2026-02-27 08:56:27 +00:00
impact_hosts_file_modified.toml
MacOS detection rules tuning (#5667)
2026-02-05 11:20:16 -06:00
impact_newly_observed_process_with_high_cpu.toml
[New] Newly Observed Process Exhibiting CPU Spike (#5635)
2026-01-28 17:38:22 +00:00
initial_access_azure_o365_with_network_alert.toml
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
2026-04-10 12:27:52 -04:00
initial_access_elastic_defend_alert_genai_utility_descendant.toml
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
2026-04-10 12:27:52 -04:00
initial_access_elastic_defend_alert_package_manager_ancestor.toml
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
2026-04-10 12:27:52 -04:00
initial_access_execution_susp_react_serv_child.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
initial_access_exfiltration_new_usb_device_mounted.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
initial_access_file_upload_followed_by_get_request.toml
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
2026-04-10 12:27:52 -04:00
initial_access_fortigate_ssl_vpn_login_followed_by_siem_alert.toml
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
2026-04-10 12:27:52 -04:00
initial_access_ollama_api_external_access.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
initial_access_zoom_meeting_with_no_passcode.toml
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
2026-04-10 12:27:52 -04:00
lateral_movement_multi_alerts_new_srcip.toml
[Tuning] High Order Rules fine tuning (#5728)
2026-02-18 23:31:56 +00:00
lateral_movement_multi_alerts_new_userid.toml
[Tuning] High Order Rules fine tuning (#5728)
2026-02-18 23:31:56 +00:00
multiple_alerts_by_host_ip_and_source_ip.toml
[Tuning] High Order Rules fine tuning (#5728)
2026-02-18 23:31:56 +00:00
multiple_alerts_different_tactics_host.toml
Update multiple_alerts_different_tactics_host.toml (#4854)
2025-06-27 09:53:42 -03:00
multiple_alerts_edr_elastic_defend_by_host.toml
[New] Alerts in Different ATT&CK Tactics by Host (#5343)
2025-11-24 22:46:09 +05:30
multiple_alerts_edr_elastic_same_process_tree.toml
[New] Multiple Elastic Defend Alerts from Single Process Tree (#5522)
2026-01-02 15:13:25 +00:00
multiple_alerts_elastic_defend_netsecurity_by_host.toml
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
2026-04-10 12:27:52 -04:00
multiple_alerts_email_elastic_defend_correlation.toml
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
2026-04-10 12:27:52 -04:00
multiple_alerts_from_different_modules_by_dstip.toml
[Tuning] High Order Rules fine tuning (#5728)
2026-02-18 23:31:56 +00:00
multiple_alerts_from_different_modules_by_srcip.toml
[Tuning] High Order Rules fine tuning (#5728)
2026-02-18 23:31:56 +00:00
multiple_alerts_from_different_modules_by_user.toml
[Tuning] High Order Rules fine tuning (#5728)
2026-02-18 23:31:56 +00:00
multiple_alerts_involving_user.toml
[Rule Tuning] Revert Event Dataset for Security Alert Index (#5994)
2026-04-28 13:17:03 -04:00
multiple_alerts_llm_attack_chain_triage_by_host.toml
[Rule Tuning] Misc GenAI Rules (#5929)
2026-04-08 07:05:35 -05:00
multiple_alerts_llm_by_user_entity.toml
[Rule Tuning] Misc GenAI Rules (#5929)
2026-04-08 07:05:35 -05:00
multiple_alerts_llm_compromised_user_triage.toml
[Rule Tuning] Revert Event Dataset for Security Alert Index (#5994)
2026-04-28 13:17:03 -04:00
multiple_alerts_risky_host_esql.toml
[Rule Tuning] Revert Event Dataset for Security Alert Index (#5994)
2026-04-28 13:17:03 -04:00
multiple_alerts_same_tactic_by_host.toml
[Rule Tuning] Revert Event Dataset for Security Alert Index (#5994)
2026-04-28 13:17:03 -04:00
multiple_elastic_defend_behavior_rules_same_host_prevalence.toml
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
2026-04-10 12:27:52 -04:00
multiple_external_edr_alerts_by_host.toml
[Rule Tuning] Revert Event Dataset for Security Alert Index (#5994)
2026-04-28 13:17:03 -04:00
multiple_machine_learning_jobs_by_entity.toml
[Tuning] High Order Rules fine tuning (#5728)
2026-02-18 23:31:56 +00:00
multiple_vulnerabilities_wiz_by_container.toml
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
2026-04-10 12:27:52 -04:00
newly_observed_elastic_defend_alert.toml
[Tuning] ESQL Dynamic unique value fields (#5569)
2026-01-26 16:34:16 +00:00
newly_observed_elastic_detection_rule.toml
[Rule Tuning] Revert Event Dataset for Security Alert Index (#5994)
2026-04-28 13:17:03 -04:00
newly_observed_fortigate_alert.toml
[Tuning] Newly Seen FG or Suricata alert (#5734)
2026-02-23 08:35:38 +00:00
newly_observed_panos_alert.toml
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
2026-04-10 12:27:52 -04:00
newly_observed_suricata_alert.toml
[Tuning] Newly Seen FG or Suricata alert (#5734)
2026-02-23 08:35:38 +00:00
persistence_shell_profile_modification.toml
[Tuning] Diverse Rules Tuning (#5482)
2025-12-18 15:30:12 +00:00
persistence_ssh_authorized_keys_modification.toml
[Rule Tuning] Linux DR CP Tuning (#5512)
2026-01-07 16:40:37 +01:00
persistence_web_server_potential_command_injection.toml
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
2026-04-10 12:27:52 -04:00
privilege_escalation_echo_nopasswd_sudoers.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
privilege_escalation_setuid_setgid_bit_set_via_chmod.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
privilege_escalation_sudo_buffer_overflow.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
privilege_escalation_sudoers_file_mod.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
privilege_escalation_trap_execution.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
reconnaissance_web_server_discovery_or_fuzzing_activity.toml
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
2026-04-10 12:27:52 -04:00
reconnaissance_web_server_unusual_spike_in_error_logs.toml
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
2026-04-10 12:27:52 -04:00
reconnaissance_web_server_unusual_spike_in_error_response_codes.toml
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
2026-04-10 12:27:52 -04:00
reconnaissance_web_server_unusual_user_agents.toml
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
2026-04-10 12:27:52 -04:00