sigma-rules/rules/cross-platform at cea2f43732455b072e866e8057a3fbfc6641ff86 - sigma-rules - GreySec Git

security-tools/sigma-rules

Files

T

History

Terrance DeJesus cea2f43732 [New Rule] AWS EC2 LOLBin Execution via SSM (#5354 )

* [New Rule] AWS EC2 LOLBin Execution via SSM
Fixes #5353

* updated from command

* removed high order tag

* adjusted query logic

* updated reference

* add ESQL_priv. to keep

* Update rules/cross-platform/execution_aws_ec2_lolbin_via_ssm.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update rules/cross-platform/execution_aws_ec2_lolbin_via_ssm.toml

* cleaned up comments

* updating query logic to use coalesce

* Update rules/cross-platform/execution_aws_ec2_lolbin_via_ssm.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* Update rules/cross-platform/execution_aws_ec2_lolbin_via_ssm.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/cross-platform/execution_aws_ec2_lolbin_via_ssm.toml

* Update rules/cross-platform/execution_aws_ec2_lolbin_via_ssm.toml

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>

* added SSM tag

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>

2025-12-05 16:14:33 -05:00

..

command_and_control_curl_wget_spawn_via_nodejs_parent.toml

[New/Tuning] NPM Shai-Hulud coverage (#5368 )

2025-12-02 10:57:12 +00:00

command_and_control_genai_process_suspicious_tld_connection.toml

[New Rules] Add MITRE ATLAS framework support and GenAI threat detection rules (#5352 )

2025-12-05 12:26:56 -06:00

command_and_control_genai_process_unusual_domain.toml

[New Rules] Add MITRE ATLAS framework support and GenAI threat detection rules (#5352 )

2025-12-05 12:26:56 -06:00

command_and_control_google_drive_malicious_file_download.toml

[Rule Tuning] Tighten Up Windows EventLog Indexes, Improve tags (#4464 )

2025-02-19 12:54:31 -03:00

command_and_control_non_standard_ssh_port.toml

[FR] Generate investigation guides (#4358 )

2025-01-22 11:17:38 -06:00

command_and_control_pan_elastic_defend_c2.toml

[New] PANW Command and Control Correlation (#5331 )

2025-11-24 14:01:52 +00:00

command_and_control_socks_fortigate_endpoint.toml

[New] SOCKS Traffic from an Unusual Process (#5324 )

2025-11-24 13:18:30 +00:00

credential_access_cookies_chromium_browsers_debugging.toml

Prep main for 9.1 (#4555 )

2025-03-26 11:04:14 -04:00

credential_access_forced_authentication_pipes.toml

[Rule Tuning] Tighten Up Windows EventLog Indexes, Improve tags (#4464 )

2025-02-19 12:54:31 -03:00

credential_access_genai_process_sensitive_file_access.toml

[New Rules] Add MITRE ATLAS framework support and GenAI threat detection rules (#5352 )

2025-12-05 12:26:56 -06:00

credential_access_gitleaks_execution.toml

[New Rule] Potential Secret Scanning via Gitleaks (#5377 )

2025-12-02 09:42:19 +01:00

credential_access_multi_could_secrets_via_api.toml

[New] Multiple Cloud Secrets Accessed by Source Address (#5388 )

2025-12-04 18:04:25 +00:00

credential_access_trufflehog_execution.toml

[New/Tuning] NPM Shai-Hulud coverage (#5368 )

2025-12-02 10:57:12 +00:00

defense_evasion_agent_spoofing_mismatched_id.toml

Update defense_evasion_agent_spoofing_mismatched_id.toml (#5312 )

2025-11-13 17:26:29 +00:00

defense_evasion_agent_spoofing_multiple_hosts.toml

[Tuning] Agent Spoofing - Multiple Hosts Using Same Agent (#5313 )

2025-11-24 12:59:49 +00:00

defense_evasion_deleting_websvr_access_logs.toml

Prep main for 9.1 (#4555 )

2025-03-26 11:04:14 -04:00

defense_evasion_deletion_of_bash_command_line_history.toml

[FR] Generate investigation guides (#4358 )

2025-01-22 11:17:38 -06:00

defense_evasion_elastic_agent_service_terminated.toml

[Rule Tuning] Elastic Agent Service Terminated (#5272 )

2025-11-12 08:34:34 -03:00

defense_evasion_encoding_rot13_python_script.toml

[FR] Generate investigation guides (#4358 )

2025-01-22 11:17:38 -06:00

defense_evasion_genai_config_modification.toml

[New Rules] Add MITRE ATLAS framework support and GenAI threat detection rules (#5352 )

2025-12-05 12:26:56 -06:00

defense_evasion_genai_process_compiling_executables.toml

[New Rules] Add MITRE ATLAS framework support and GenAI threat detection rules (#5352 )

2025-12-05 12:26:56 -06:00

defense_evasion_genai_process_encoding_prior_to_network_activity.toml

[New Rules] Add MITRE ATLAS framework support and GenAI threat detection rules (#5352 )

2025-12-05 12:26:56 -06:00

defense_evasion_masquerading_space_after_filename.toml

[FR] Generate investigation guides (#4358 )

2025-01-22 11:17:38 -06:00

defense_evasion_potential_http_downgrade_attack.toml

[New Rule] Potential HTTP Downgrade Attack (#5372 )

2025-12-04 16:23:38 +01:00

defense_evasion_timestomp_touch.toml

[FR] Generate investigation guides (#4358 )

2025-01-22 11:17:38 -06:00

defense_evasion_whitespace_padding_command_line.toml

[New] Command Line Obfuscation via Whitespace Padding (#4860 )

2025-08-18 15:26:52 +01:00

discovery_security_software_grep.toml

[Rule Tuning] Q2 Linux DR Tuning - CP (#4170 )

2024-10-18 16:38:14 +02:00

discovery_virtual_machine_fingerprinting_grep.toml

[FR] Generate investigation guides (#4358 )

2025-01-22 11:17:38 -06:00

discovery_web_server_local_file_inclusion_activity.toml

[New Rule] Web Server Local File Inclusion Activity (#5393 )

2025-12-05 09:47:29 +01:00

discovery_web_server_remote_file_inclusion_activity.toml

[New Rule] Web Server Potential Remote File Inclusion Activity (#5394 )

2025-12-05 09:57:56 +01:00

execution_aws_ec2_lolbin_via_ssm.toml

[New Rule] AWS EC2 LOLBin Execution via SSM (#5354 )

2025-12-05 16:14:33 -05:00

execution_aws_ssm_sendcommand_with_command_parameters.toml

[FR] Generate investigation guides (#4358 )

2025-01-22 11:17:38 -06:00

execution_git_exploit_cve_2025_48384.toml

[New Rule] Potential Git CVE-2025-48384 Exploitation (#5301 )

2025-11-12 15:45:52 +01:00

execution_nodejs_pre_or_post_install_script_execution.toml

[Rule Tuning] Node.js Pre or Post-Install Script Execution to Cross-Platform (#5403 )

2025-12-04 09:07:12 -05:00

execution_pentest_eggshell_remote_admin_tool.toml

[FR] Generate investigation guides (#4358 )

2025-01-22 11:17:38 -06:00

execution_potential_widespread_malware_infection.toml

[Rule Tuning] ESQL Query Field Dynamic Field Standardization (#4912 )

2025-08-05 19:35:41 -04:00

execution_privileged_container_creation_with_host_reference.toml

[New Rule] Privileged Container Creation with Host Directory Mount (#5373 )

2025-12-02 09:33:16 +01:00

execution_register_github_actions_runner.toml

[New/Tuning] NPM Shai-Hulud coverage (#5368 )

2025-12-02 10:57:12 +00:00

execution_revershell_via_shell_cmd.toml

[Docs | Rule Tuning] Add blog references to rules (#4097 )

2024-09-25 15:19:20 -05:00

execution_suspicious_java_netcon_childproc.toml

[Rule Tuning] Linux DR Tuning - Part 6 (#4423 )

2025-02-03 14:05:26 +01:00

execution_via_github_actions_runner.toml

[New/Tuning] NPM Shai-Hulud coverage (#5368 )

2025-12-02 10:57:12 +00:00

execution_via_github_runner_with_runner_tracking_id_tampering_via_env_vars.toml

[New Rule] Tampering with RUNNER_TRACKING_ID in GitHub Actions Runners (#5370 )

2025-12-02 10:22:24 +01:00

guided_onboarding_sample_rule.toml

[FR] Generate investigation guides (#4358 )

2025-01-22 11:17:38 -06:00

impact_hosts_file_modified.toml

Prep main for 9.1 (#4555 )

2025-03-26 11:04:14 -04:00

initial_access_azure_o365_with_network_alert.toml

[Rule Tuning] Microsoft Azure or Mail Sign-in from a Suspicious Source (#4946 )

2025-07-31 09:57:02 -04:00

initial_access_execution_susp_react_serv_child.toml

[Tuning] Suspicious React Child Process (#5414 )

2025-12-05 11:26:48 +00:00

initial_access_exfiltration_new_usb_device_mounted.toml

[New] New USB Storage Device Mounted (#5299 )

2025-11-11 09:28:54 +00:00

initial_access_file_upload_followed_by_get_request.toml

[New Rule] Initial Access via File Upload Followed by GET Request (#5371 )

2025-12-04 16:10:13 +01:00

initial_access_zoom_meeting_with_no_passcode.toml

[FR] Generate investigation guides (#4358 )

2025-01-22 11:17:38 -06:00

multiple_alerts_different_tactics_host.toml

Update multiple_alerts_different_tactics_host.toml (#4854 )

2025-06-27 09:53:42 -03:00

multiple_alerts_edr_elastic_defend_by_host.toml

[New] Alerts in Different ATT&CK Tactics by Host (#5343 )

2025-11-24 22:46:09 +05:30

multiple_alerts_elastic_defend_netsecurity_by_host.toml

Update multiple_alerts_elastic_defend_netsecurity_by_host.toml (#5375 )

2025-12-01 07:18:19 -08:00

multiple_alerts_email_elastic_defend_correlation.toml

[New] Elastic Defend and Email Alerts Correlation (#5336 )

2025-11-24 22:26:00 +05:30

multiple_alerts_involving_user.toml

[FR] Generate investigation guides (#4358 )

2025-01-22 11:17:38 -06:00

multiple_alerts_risky_host_esql.toml

[New] Alerts in Different ATT&CK Tactics by Host (#5343 )

2025-11-24 22:46:09 +05:30

persistence_credential_access_modify_auth_module_or_config.toml

[FR] Generate investigation guides (#4358 )

2025-01-22 11:17:38 -06:00

persistence_shell_profile_modification.toml

[FR] Generate investigation guides (#4358 )

2025-01-22 11:17:38 -06:00

persistence_ssh_authorized_keys_modification.toml

[FR] Generate investigation guides (#4358 )

2025-01-22 11:17:38 -06:00

persistence_web_server_potential_command_injection.toml

[Rule Tuning] Interval fix + Datastream values to ESQL Rules (#5413 )

2025-12-05 16:42:52 +01:00

privilege_escalation_echo_nopasswd_sudoers.toml

[FR] Generate investigation guides (#4358 )

2025-01-22 11:17:38 -06:00

privilege_escalation_setuid_setgid_bit_set_via_chmod.toml

[FR] Generate investigation guides (#4358 )

2025-01-22 11:17:38 -06:00

privilege_escalation_sudo_buffer_overflow.toml

[FR] Generate investigation guides (#4358 )

2025-01-22 11:17:38 -06:00

privilege_escalation_sudoers_file_mod.toml

[Rule Tuning] Sudoers File Modification (#4904 )

2025-07-16 10:17:51 +02:00

reconnaissance_web_server_discovery_or_fuzzing_activity.toml

[Rule Tuning] Interval fix + Datastream values to ESQL Rules (#5413 )

2025-12-05 16:42:52 +01:00

reconnaissance_web_server_unusual_spike_in_error_logs.toml

[Rule Tuning] Interval fix + Datastream values to ESQL Rules (#5413 )

2025-12-05 16:42:52 +01:00

reconnaissance_web_server_unusual_spike_in_error_response_codes.toml

[Rule Tuning] Interval fix + Datastream values to ESQL Rules (#5413 )

2025-12-05 16:42:52 +01:00

reconnaissance_web_server_unusual_user_agents.toml

[Rule Tuning] Interval fix + Datastream values to ESQL Rules (#5413 )

2025-12-05 16:42:52 +01:00