security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
dev-v1.5.42
sigma-rules/rules/integrations/aws
T
History
Isai 793d79b063 [New Rule] AWS EC2 Serial Console Access Enabled (#5687) 
* [New Rule] AWS EC2 Serial Console Access Enabled

Detects when an adversary enables the EC2 Serial Console feature at the AWS account level. This technique was documented by Permiso in their LUCR-3 Scattered Spider research as a defense evasion method that provides out-of-band access to EC2 instances, completely bypassing network-based security monitoring, VPCs, and security groups. Enabling serial console access is extremely rare in production environments, making this a high-signal detection with minimal false positive risk. I've tested this query against alert and prod telemetry and found rare instances.

Existing Related Coverage: We already detect `SendSerialConsoleSSHPublicKey` via lateral_movement_ec2_instance_connect_ssh_public_key_uploaded.toml, which catches the usage of serial console. This new rule closes the gap by detecting the enablement of serial console access, the prerequisite step that must occur before an attacker can leverage this out-of-band channel.

* raising severity and risk score
2026-02-06 17:34:55 -05:00
..
collection_cloudtrail_logging_created.toml
[Rule Tunings] AWS Removing Disclaimer from IGs (#5567)
2026-01-20 15:52:48 -05:00
collection_s3_unauthenticated_bucket_access_by_rare_source.toml
[Rule Tunings] AWS Removing Disclaimer from IGs (#5567)
2026-01-20 15:52:48 -05:00
credential_access_aws_getpassword_for_ec2_instance.toml
[Rule Tuning] AWS EC2 Unauthorized Admin Credential Fetch via Assumed Role (#4774)
2025-06-06 15:08:48 -04:00
credential_access_iam_compromisedkeyquarantine_policy_attached_to_user.toml
[Rule Tuning] AWS IAM CompromisedKeyQuarantine Policy Attached to User (#5281)
2025-11-17 16:25:38 -05:00
credential_access_iam_user_addition_to_group.toml
[Rule Tunings] AWS Removing Disclaimer from IGs (#5567)
2026-01-20 15:52:48 -05:00
credential_access_new_terms_secretsmanager_getsecretvalue.toml
[Rule Tunings] AWS remove target.entity.id and actor.entity.id fields (#5603)
2026-01-22 15:01:49 -05:00
credential_access_rapid_secret_retrieval_attempts_from_secretsmanager.toml
[Rule Tuning] Rapid Secret Retrieval Attempts from AWS SecretsManager (#5291)
2025-11-24 10:37:07 -05:00
credential_access_retrieve_secure_string_parameters_via_ssm.toml
[Rule Tunings] AWS remove target.entity.id and actor.entity.id fields (#5603)
2026-01-22 15:01:49 -05:00
credential_access_root_console_failure_brute_force.toml
[Rule Tunings] AWS Removing Disclaimer from IGs (#5567)
2026-01-20 15:52:48 -05:00
defense_evasion_cloudtrail_logging_deleted.toml
[Rule Tunings] AWS remove target.entity.id and actor.entity.id fields (#5603)
2026-01-22 15:01:49 -05:00
defense_evasion_cloudtrail_logging_evasion.toml
[Rule Tunings] AWS remove target.entity.id and actor.entity.id fields (#5603)
2026-01-22 15:01:49 -05:00
defense_evasion_cloudtrail_logging_suspended.toml
[Rule Tunings] AWS remove target.entity.id and actor.entity.id fields (#5603)
2026-01-22 15:01:49 -05:00
defense_evasion_cloudwatch_alarm_deletion.toml
[Rule Tunings] AWS remove target.entity.id and actor.entity.id fields (#5603)
2026-01-22 15:01:49 -05:00
defense_evasion_config_service_rule_deletion.toml
[Rule Tunings] AWS Removing Disclaimer from IGs (#5567)
2026-01-20 15:52:48 -05:00
defense_evasion_configuration_recorder_stopped.toml
[Rule Tunings] AWS remove target.entity.id and actor.entity.id fields (#5603)
2026-01-22 15:01:49 -05:00
defense_evasion_ec2_flow_log_deletion.toml
[Rule Tunings] AWS EC2 Flow Log Deletion and Network ACL Activity (#4778)
2025-06-06 14:11:54 -04:00
defense_evasion_ec2_network_acl_deletion.toml
[Rule Tunings] AWS Removing Disclaimer from IGs (#5567)
2026-01-20 15:52:48 -05:00
defense_evasion_ec2_serial_console_access_enabled.toml
[New Rule] AWS EC2 Serial Console Access Enabled (#5687)
2026-02-06 17:34:55 -05:00
defense_evasion_guardduty_detector_deletion.toml
[Rule Tunings] AWS remove target.entity.id and actor.entity.id fields (#5603)
2026-01-22 15:01:49 -05:00
defense_evasion_rds_instance_restored.toml
[Rule Tunings] AWS remove target.entity.id and actor.entity.id fields (#5603)
2026-01-22 15:01:49 -05:00
defense_evasion_route53_dns_query_resolver_config_deletion.toml
[Rule Tunings] AWS remove target.entity.id and actor.entity.id fields (#5603)
2026-01-22 15:01:49 -05:00
defense_evasion_s3_bucket_configuration_deletion.toml
[Rule Tunings] AWS Removing Disclaimer from IGs (#5567)
2026-01-20 15:52:48 -05:00
defense_evasion_s3_bucket_lifecycle_expiration_added.toml
[Rule Tunings] AWS Removing Disclaimer from IGs (#5567)
2026-01-20 15:52:48 -05:00
defense_evasion_s3_bucket_server_access_logging_disabled.toml
[Rule Tunings] AWS Removing Disclaimer from IGs (#5567)
2026-01-20 15:52:48 -05:00
defense_evasion_sqs_purge_queue.toml
[Rule Tunings] AWS Removing Disclaimer from IGs (#5567)
2026-01-20 15:52:48 -05:00
defense_evasion_sts_get_federation_token.toml
[Rule Tunings] AWS Removing Disclaimer from IGs (#5567)
2026-01-20 15:52:48 -05:00
defense_evasion_vpc_security_group_ingress_rule_added_for_remote_connections.toml
[Rule Tunings] Reduce Usage of Flattened Fields in AWS Rules (#4892)
2025-07-18 19:15:36 -04:00
defense_evasion_waf_acl_deletion.toml
[Rule Tunings] AWS remove target.entity.id and actor.entity.id fields (#5603)
2026-01-22 15:01:49 -05:00
defense_evasion_waf_rule_or_rule_group_deletion.toml
[Rule Tunings] AWS remove target.entity.id and actor.entity.id fields (#5603)
2026-01-22 15:01:49 -05:00
discovery_ec2_deprecated_ami_discovery.toml
[Rule Tunings] AWS Removing Disclaimer from IGs (#5567)
2026-01-20 15:52:48 -05:00
discovery_ec2_userdata_request_for_ec2_instance.toml
[Rule Tunings] AWS New Terms History Window Reduction (#5479)
2025-12-18 11:47:59 -05:00
discovery_iam_principal_enumeration_via_update_assume_role_policy.toml
[Rule Tunings] AWS Removing Disclaimer from IGs (#5567)
2026-01-20 15:52:48 -05:00
discovery_multiple_discovery_api_calls_via_cli.toml
[Rule Tunings] AWS Removing Disclaimer from IGs (#5567)
2026-01-20 15:52:48 -05:00
discovery_new_terms_sts_getcalleridentity.toml
[Rule Tuning] AWS STS GetCallerIdentity API Called for the First Time (#4995)
2025-08-25 11:44:58 -04:00
discovery_servicequotas_multi_region_service_quota_requests.toml
[Rule Tunings] AWS Removing Disclaimer from IGs (#5567)
2026-01-20 15:52:48 -05:00
execution_lambda_external_layer_added_to_function.toml
[Rule Tunings] AWS Removing Disclaimer from IGs (#5567)
2026-01-20 15:52:48 -05:00
execution_new_terms_cloudformation_createstack.toml
[Rule Tunings] AWS Removing Disclaimer from IGs (#5567)
2026-01-20 15:52:48 -05:00
execution_ssm_command_document_created_by_rare_user.toml
[Rule Tunings] AWS SSM Command Document Created by Rare User (#4848)
2025-06-27 13:24:27 -04:00
execution_ssm_sendcommand_by_rare_user.toml
[Rule Tunings] Reduce Usage of Flattened Fields in AWS Rules (#4892)
2025-07-18 19:15:36 -04:00
exfiltration_dynamodb_scan_by_unusual_user.toml
[Rule Tunings] AWS DynamoDB new terms Rules (#5074)
2025-09-11 16:59:39 -04:00
exfiltration_dynamodb_table_exported_to_s3.toml
[Rule Tunings] AWS DynamoDB new terms Rules (#5074)
2025-09-11 16:59:39 -04:00
exfiltration_ec2_ami_shared_with_separate_account.toml
[Rule Tuning] AWS EC2 AMI Shared with Another Account (#4914)
2025-07-21 10:12:13 +05:30
exfiltration_ec2_ebs_snapshot_shared_with_another_account.toml
[Rule Tunings] AWS remove target.entity.id and actor.entity.id fields (#5603)
2026-01-22 15:01:49 -05:00
exfiltration_ec2_export_task.toml
[Rule Tunings] AWS Removing Disclaimer from IGs (#5567)
2026-01-20 15:52:48 -05:00
exfiltration_ec2_full_network_packet_capture_detected.toml
[Rule Tunings] AWS remove target.entity.id and actor.entity.id fields (#5603)
2026-01-22 15:01:49 -05:00
exfiltration_rds_snapshot_export.toml
[Rule Tunings] AWS Removing Disclaimer from IGs (#5567)
2026-01-20 15:52:48 -05:00
exfiltration_rds_snapshot_shared_with_another_account.toml
[Rule Tunings] AWS remove target.entity.id and actor.entity.id fields (#5603)
2026-01-22 15:01:49 -05:00
exfiltration_s3_bucket_policy_added_for_external_account_access.toml
[Rule Tunings] AWS Removing Disclaimer from IGs (#5567)
2026-01-20 15:52:48 -05:00
exfiltration_s3_bucket_policy_added_for_public_access.toml
[Rule Tunings] AWS Removing Disclaimer from IGs (#5567)
2026-01-20 15:52:48 -05:00
exfiltration_s3_bucket_replicated_to_external_account.toml
[Rule Tunings] AWS remove target.entity.id and actor.entity.id fields (#5603)
2026-01-22 15:01:49 -05:00
exfiltration_sns_rare_protocol_subscription_by_user.toml
[Rule Tunings] AWS remove target.entity.id and actor.entity.id fields (#5603)
2026-01-22 15:01:49 -05:00
impact_aws_eventbridge_rule_disabled_or_deleted.toml
[Rule Tunings] AWS Removing Disclaimer from IGs (#5567)
2026-01-20 15:52:48 -05:00
impact_aws_s3_bucket_enumeration_or_brute_force.toml
[Rule Tunings] AWS Removing Disclaimer from IGs (#5567)
2026-01-20 15:52:48 -05:00
impact_cloudtrail_logging_updated.toml
[Rule Tunings] AWS Removing Disclaimer from IGs (#5567)
2026-01-20 15:52:48 -05:00
impact_cloudwatch_log_group_deletion.toml
[Rule Tunings] AWS remove target.entity.id and actor.entity.id fields (#5603)
2026-01-22 15:01:49 -05:00
impact_cloudwatch_log_stream_deletion.toml
[Rule Tunings] AWS remove target.entity.id and actor.entity.id fields (#5603)
2026-01-22 15:01:49 -05:00
impact_ec2_disable_ebs_encryption.toml
[Rule Tunings] AWS Removing Disclaimer from IGs (#5567)
2026-01-20 15:52:48 -05:00
impact_ec2_ebs_snapshot_access_removed.toml
[Rule Tunings] AWS remove target.entity.id and actor.entity.id fields (#5603)
2026-01-22 15:01:49 -05:00
impact_efs_filesystem_deleted.toml
[Rule Tunings] AWS remove target.entity.id and actor.entity.id fields (#5603)
2026-01-22 15:01:49 -05:00
impact_iam_deactivate_mfa_device.toml
[Rule Tunings] AWS remove target.entity.id and actor.entity.id fields (#5603)
2026-01-22 15:01:49 -05:00
impact_iam_group_deletion.toml
[Rule Tunings] AWS Removing Disclaimer from IGs (#5567)
2026-01-20 15:52:48 -05:00
impact_kms_cmk_disabled_or_scheduled_for_deletion.toml
[Rule Tunings] AWS Removing Disclaimer from IGs (#5567)
2026-01-20 15:52:48 -05:00
impact_rds_instance_cluster_deletion_protection_disabled.toml
[Rule Tunings] AWS remove target.entity.id and actor.entity.id fields (#5603)
2026-01-22 15:01:49 -05:00
impact_rds_instance_cluster_deletion.toml
[Rule Tunings] AWS remove target.entity.id and actor.entity.id fields (#5603)
2026-01-22 15:01:49 -05:00
impact_rds_snapshot_deleted.toml
[Rule Tunings] AWS Removing Disclaimer from IGs (#5567)
2026-01-20 15:52:48 -05:00
impact_s3_bucket_object_uploaded_with_ransom_keyword.toml
[Rule Tuning] Potential AWS S3 Bucket Ransomware Note Uploaded (#5657)
2026-02-05 21:34:38 -05:00
impact_s3_excessive_object_encryption_with_sse_c.toml
[Rule Tunings] AWS Removing Disclaimer from IGs (#5567)
2026-01-20 15:52:48 -05:00
impact_s3_object_encryption_with_external_key.toml
[Rule Tunings] AWS Removing Disclaimer from IGs (#5567)
2026-01-20 15:52:48 -05:00
impact_s3_object_versioning_disabled.toml
[Rule Tunings] AWS Removing Disclaimer from IGs (#5567)
2026-01-20 15:52:48 -05:00
impact_s3_static_site_js_file_uploaded.toml
[Rule Tuning] Add Missing Metadata to KEEP conditions (#5442)
2025-12-09 17:05:20 -08:00
impact_s3_unusual_object_encryption_with_sse_c.toml
[Rule Tunings] AWS Removing Disclaimer from IGs (#5567)
2026-01-20 15:52:48 -05:00
initial_access_console_login_root.toml
[Rule Tunings] AWS Removing Disclaimer from IGs (#5567)
2026-01-20 15:52:48 -05:00
initial_access_iam_session_token_used_from_multiple_addresses.toml
[Rule Tuning] AWS Access Token Used from Multiple Addresses (#5412)
2025-12-05 11:48:22 -05:00
initial_access_kali_user_agent_detected_with_aws_cli.toml
[Rule Tuning] AWS CLI with Kali Linux Fingerprint Identified (#5467)
2025-12-18 16:13:34 -05:00
initial_access_password_recovery.toml
[Rule Tunings] AWS Removing Disclaimer from IGs (#5567)
2026-01-20 15:52:48 -05:00
initial_access_signin_console_login_federated_user.toml
[Rule Tunings] AWS Removing Disclaimer from IGs (#5567)
2026-01-20 15:52:48 -05:00
lateral_movement_aws_ssm_start_session_to_ec2_instance.toml
[Rule Tuning] SSM Session Started to EC2 Instance (#5068)
2025-09-11 15:54:31 -04:00
lateral_movement_ec2_instance_connect_ssh_public_key_uploaded.toml
[Rule Tunings] AWS remove target.entity.id and actor.entity.id fields (#5603)
2026-01-22 15:01:49 -05:00
lateral_movement_ec2_instance_console_login.toml
[Rule Tunings] AWS Removing Disclaimer from IGs (#5567)
2026-01-20 15:52:48 -05:00
lateral_movement_sns_topic_message_publish_by_rare_user.toml
[Rule Tunings] AWS SNS new Terms rules (#5082)
2025-09-11 17:25:04 -04:00
ml_cloudtrail_error_message_spike.toml
add mitre attack rules for ML job rules, bump dates (#5333)
2025-12-01 15:48:59 -06:00
ml_cloudtrail_rare_error_code.toml
add mitre attack rules for ML job rules, bump dates (#5333)
2025-12-01 15:48:59 -06:00
ml_cloudtrail_rare_method_by_city.toml
add mitre attack rules for ML job rules, bump dates (#5333)
2025-12-01 15:48:59 -06:00
ml_cloudtrail_rare_method_by_country.toml
add mitre attack rules for ML job rules, bump dates (#5333)
2025-12-01 15:48:59 -06:00
ml_cloudtrail_rare_method_by_user.toml
add mitre attack rules for ML job rules, bump dates (#5333)
2025-12-01 15:48:59 -06:00
NOTICE.txt
[Fleet] Track integrations in folder and metadata (#1372)
2021-07-21 15:24:56 -06:00
persistence_aws_attempt_to_register_virtual_mfa_device.toml
[Rule Tunings] AWS Removing Disclaimer from IGs (#5567)
2026-01-20 15:52:48 -05:00
persistence_ec2_network_acl_creation.toml
[Rule Tunings] AWS Removing Disclaimer from IGs (#5567)
2026-01-20 15:52:48 -05:00
persistence_ec2_route_table_modified_or_deleted.toml
[Rule Tunings] AWS Route Table Created / AWS EC2 Route Table Modified or Deleted (#5064)
2025-09-11 15:35:16 -04:00
persistence_ec2_security_group_configuration_change_detection.toml
[Rule Tunings] AWS Removing Disclaimer from IGs (#5567)
2026-01-20 15:52:48 -05:00
persistence_iam_api_calls_via_user_session_token.toml
[Rule Tunings] AWS Removing Disclaimer from IGs (#5567)
2026-01-20 15:52:48 -05:00
persistence_iam_create_login_profile_for_root.toml
[Rule Tunings] AWS Removing Disclaimer from IGs (#5567)
2026-01-20 15:52:48 -05:00
persistence_iam_create_user_via_assumed_role_on_ec2_instance.toml
[Tuning] AWS IAM Create User via Assumed Role on EC2 Instance (#5063)
2025-09-11 15:11:40 -04:00
persistence_iam_group_creation.toml
[Rule Tunings] AWS Removing Disclaimer from IGs (#5567)
2026-01-20 15:52:48 -05:00
persistence_iam_roles_anywhere_profile_created.toml
[Rule Tunings] AWS Removing Disclaimer from IGs (#5567)
2026-01-20 15:52:48 -05:00
persistence_iam_roles_anywhere_trusted_anchor_created_with_external_ca.toml
[Rule Tunings] AWS remove target.entity.id and actor.entity.id fields (#5603)
2026-01-22 15:01:49 -05:00
persistence_iam_user_created_access_keys_for_another_user.toml
[Rule Tunings] AWS Removing Disclaimer from IGs (#5567)
2026-01-20 15:52:48 -05:00
persistence_lambda_backdoor_invoke_function_for_any_principal.toml
[Rule Tunings] AWS remove target.entity.id and actor.entity.id fields (#5603)
2026-01-22 15:01:49 -05:00
persistence_rds_db_instance_password_modified.toml
[Rule Tunings] AWS remove target.entity.id and actor.entity.id fields (#5603)
2026-01-22 15:01:49 -05:00
persistence_rds_instance_made_public.toml
[Rule Tunings] AWS remove target.entity.id and actor.entity.id fields (#5603)
2026-01-22 15:01:49 -05:00
persistence_route_53_domain_transfer_lock_disabled.toml
[Rule Tunings] AWS Removing Disclaimer from IGs (#5567)
2026-01-20 15:52:48 -05:00
persistence_route_53_domain_transferred_to_another_account.toml
[Rule Tunings] AWS remove target.entity.id and actor.entity.id fields (#5603)
2026-01-22 15:01:49 -05:00
persistence_route_53_hosted_zone_associated_with_a_vpc.toml
[Rule Tunings] AWS Removing Disclaimer from IGs (#5567)
2026-01-20 15:52:48 -05:00
persistence_route_table_created.toml
[Rule Tunings] AWS Removing Disclaimer from IGs (#5567)
2026-01-20 15:52:48 -05:00
persistence_sts_assume_role_with_new_mfa.toml
[Rule Tunings] AWS Removing Disclaimer from IGs (#5567)
2026-01-20 15:52:48 -05:00
privilege_escalation_iam_administratoraccess_policy_attached_to_group.toml
[Rule Tunings] AWS Removing Disclaimer from IGs (#5567)
2026-01-20 15:52:48 -05:00
privilege_escalation_iam_administratoraccess_policy_attached_to_role.toml
[Rule Tunings] AWS Removing Disclaimer from IGs (#5567)
2026-01-20 15:52:48 -05:00
privilege_escalation_iam_administratoraccess_policy_attached_to_user.toml
[Rule Tunings] AWS Removing Disclaimer from IGs (#5567)
2026-01-20 15:52:48 -05:00
privilege_escalation_iam_customer_managed_policy_attached_to_role.toml
[Rule Tunings] AWS remove target.entity.id and actor.entity.id fields (#5603)
2026-01-22 15:01:49 -05:00
privilege_escalation_iam_saml_provider_updated.toml
[Rule Tunings] AWS Removing Disclaimer from IGs (#5567)
2026-01-20 15:52:48 -05:00
privilege_escalation_iam_update_assume_role_policy.toml
[Rule Tunings] AWS remove target.entity.id and actor.entity.id fields (#5603)
2026-01-22 15:01:49 -05:00
privilege_escalation_role_assumption_by_service.toml
[Rule Tunings] AWS New Terms History Window Reduction (#5479)
2025-12-18 11:47:59 -05:00
privilege_escalation_role_assumption_by_user.toml
[Rule Tunings] AWS New Terms History Window Reduction (#5479)
2025-12-18 11:47:59 -05:00
privilege_escalation_sts_assume_root_from_rare_user_and_member_account.toml
[Rule Tunings] AWS Removing Disclaimer from IGs (#5567)
2026-01-20 15:52:48 -05:00
privilege_escalation_sts_role_chaining.toml
[Rule Tunings] AWS Removing Disclaimer from IGs (#5567)
2026-01-20 15:52:48 -05:00
resource_development_sns_topic_created_by_rare_user.toml
[Rule Tunings] AWS Removing Disclaimer from IGs (#5567)
2026-01-20 15:52:48 -05:00