Sigma Rules
334 rules found
Bitbucket Project Secret Scanning Allowlist Added
Detects when a secret scanning allowlist rule is added for projects.
Bitbucket Secret Scanning Rule Deleted
Detects when secret scanning rule is deleted for the project or repository.
Github New Secret Created
Detects when a user creates action secret for the organization, environment, codespaces or repository.
GitHub Repository Pages Site Changed to Public
Detects when a GitHub Pages site of a repository is made public. This usually is part of a publishing process but could indicate or lead to potential unauthorized exposure of sensitive information or code.
Github Push Protection Bypass Detected
Detects when a user bypasses the push protection on a secret detected by secret scanning.
GitHub Repository Archive Status Changed
Detects when a GitHub repository is archived or unarchived, which may indicate unauthorized changes to repository status.
Github Self Hosted Runner Changes Detected
A self-hosted runner is a system that you deploy and manage to execute jobs from GitHub Actions on GitHub.com. This rule detects changes to self-hosted runners configurations in the environment. The self-hosted runner configuration changes once detected, it should be validated from GitHub UI because the log entry may not provide full context.
Deployment Deleted From Kubernetes Cluster
Detects the removal of a deployment from a Kubernetes cluster. This could indicate disruptive activity aiming to impact business operations.
Container With A hostPath Mount Created
Detects creation of a container with a hostPath mount. A hostPath volume mounts a directory or a file from the node to the container. Attackers who have permissions to create a new pod in the cluster may create one with a writable hostPath volume and chroot to escape to the underlying node.
Privileged Container Deployed
Detects the creation of a "privileged" container, an action which could be indicative of a threat actor mounting a container breakout attacks. A privileged container is a container that can access the host with all of the root capabilities of the host machine. This allows it to view, interact and modify processes, network operations, IPC calls, the file system, mount points, SELinux configurations etc. as the root user on the host. Various versions of "privileged" containers can be specified, e.g. by setting the securityContext.privileged flag in the resource specification, setting non-standard Linux capabilities, or configuring the hostNetwork/hostPID fields
RBAC Permission Enumeration Attempt
Detects identities attempting to enumerate their Kubernetes RBAC permissions. In the early stages of a breach, attackers will aim to list the permissions they have within the compromised environment. In a Kubernetes cluster, this can be achieved by interacting with the API server, and querying the SelfSubjectAccessReview API via e.g. a "kubectl auth can-i --list" command. This will enumerate the Role-Based Access Controls (RBAC) rules defining the compromised user's authorization.
Kubernetes Secrets Enumeration
Detects enumeration of Kubernetes secrets.
New Kubernetes Service Account Created
Detects creation of new Kubernetes service account, which could indicate an attacker's attempt to persist within a cluster.
Kubernetes Unauthorized or Unauthenticated Access
Detects when a request to the Kubernetes API is rejected due to lack of authorization or due to an expired authentication token being used. This may indicate an attacker attempting to leverage credentials they have obtained.
New Network ACL Entry Added
Detects that network ACL entries have been added to a route table which could indicate that new attack vectors have been opened up in the AWS account.
AWS EC2 VM Export Failure
An attempt to export an AWS EC2 instance has been detected. A VM Export might indicate an attempt to extract information from an instance.
AWS EKS Cluster Created or Deleted
Identifies when an EKS cluster is created or deleted.
AWS ElastiCache Security Group Created
Detects when an ElastiCache security group has been created.
AWS ElastiCache Security Group Modified or Deleted
Identifies when an ElastiCache security group has been modified or deleted.
Potential Bucket Enumeration on AWS
Looks for potential enumeration of AWS buckets via ListBuckets.
AWS New Lambda Layer Attached
Detects when a user attached a Lambda layer to an existing Lambda function. A malicious Lambda layer could execute arbitrary code in the context of the function's IAM role. This would give an adversary access to resources that the function has access to.
AWS Glue Development Endpoint Activity
Detects possible suspicious glue development endpoint activity.
AWS Route 53 Domain Transfer Lock Disabled
Detects when a transfer lock was removed from a Route 53 domain. It is recommended to refrain from performing this action unless intending to transfer the domain to a different registrar.
AWS Route 53 Domain Transferred to Another Account
Detects when a request has been made to transfer a Route 53 domain to another AWS account.
AWS S3 Data Management Tampering
Detects when a user tampers with S3 data management in Amazon Web Services.
AWS STS AssumeRole Misuse
Identifies the suspicious use of AssumeRole. Attackers could move laterally and escalate privileges.
AWS STS GetSessionToken Misuse
Identifies the suspicious use of GetSessionToken. Tokens could be created and used by attackers to move laterally and escalate privileges.
Azure Container Registry Created or Deleted
Detects when a Container Registry is created or deleted.
Azure Kubernetes Cluster Created or Deleted
Detects when a Azure Kubernetes Cluster is created or deleted.
End User Consent
Detects when an end user consents to an application
Measurable Increase Of Successful Authentications
Detects when successful sign-ins increased by 10% or greater.
Failed Authentications From Countries You Do Not Operate Out Of
Detect failed authentications from countries you do not operate out of.
Azure AD Only Single Factor Authentication Required
Detect when users are authenticating without MFA being required.
Sign-ins by Unknown Devices
Monitor and alert for Sign-ins by unknown devices from non-Trusted locations.
Google Cloud Storage Buckets Enumeration
Detects when storage bucket is enumerated in Google Cloud.
Suspicious Inbox Forwarding
Detects when a Microsoft Cloud App Security reported suspicious email forwarding rules, for example, if a user created an inbox rule that forwards a copy of all emails to an external address.
Okta Policy Modified or Deleted
Detects when an Okta policy is modified or deleted.
OneLogin User Assumed Another User
Detects when an user assumed another user account.
OneLogin User Account Locked
Detects when an user account is locked or suspended.
Linux Capabilities Discovery
Detects attempts to discover the files with setuid/setgid capability on them. That would allow adversary to escalate their privileges.
Clipboard Collection with Xclip Tool - Auditd
Detects attempts to collect data stored in the clipboard from users with the usage of xclip tool. Xclip has to be installed. Highly recommended using rule on servers, due to high usage of clipboard utilities on user workstations.
Clipboard Collection of Image Data with Xclip Tool
Detects attempts to collect image data stored in the clipboard from users with the usage of xclip tool. Xclip has to be installed. Highly recommended using rule on servers, due to high usage of clipboard utilities on user workstations.
Data Compressed
An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
Overwriting the File with Dev Zero or Null
Detects overwriting (effectively wiping/deleting) of a file.
File or Folder Permissions Change
Detects file and folder permission changes.
Hidden Files and Directories
Detects adversary creating hidden file or directory, by detecting directories or files with . as the first character
Steganography Hide Zip Information in Picture File
Detects appending of zip file to image
Network Sniffing - Linux
Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.