Sigma Rules
55 rules found
AWS Snapshot Backup Exfiltration
Detects the modification of an EC2 snapshot's permissions to enable access from another account
AWS Identity Center Identity Provider Change
Detects a change in the AWS Identity Center (FKA AWS SSO) identity provider. A change in identity provider allows an attacker to establish persistent access or escalate privileges via user impersonation.
AWS STS AssumeRole Misuse
Identifies the suspicious use of AssumeRole. Attackers could move laterally and escalate privileges.
AWS STS GetCallerIdentity Enumeration Via TruffleHog
Detects the use of TruffleHog for AWS credential validation by identifying GetCallerIdentity API calls where the userAgent indicates TruffleHog. Threat actors leverage TruffleHog to enumerate and validate exposed AWS keys. Successful exploitation allows threat actors to confirm the validity of compromised AWS credentials, facilitating further unauthorized access and actions within the AWS environment.
AWS STS GetSessionToken Misuse
Identifies the suspicious use of GetSessionToken. Tokens could be created and used by attackers to move laterally and escalate privileges.
AWS Suspicious SAML Activity
Identifies when suspicious SAML activity has occurred in AWS. An adversary could gain backdoor access via SAML.
AWS User Login Profile Was Modified
Detects activity when someone is changing passwords on behalf of other users. An attacker with the "iam:UpdateLoginProfile" permission on other users can change the password used to login to the AWS console on any user that already has a login profile setup.