Rule Library
Sigma Rules
5 rules found for "faloker"
3,707Total
3,116Detection
451Emerging
137Hunting
Detectionhightest
AWS EC2 Startup Shell Script Change
Detects changes to the EC2 instance startup script. The shell script will be executed as root/SYSTEM every time the specific instances are booted up.
AWScloudtrail
TA0002 · ExecutionT1059.001 · PowerShellT1059.003 · Windows Command ShellT1059.004 · Unix Shell
falokerWed Feb 12cloud
Detectionhightest
AWS GuardDuty Important Change
Detects updates of the GuardDuty list of trusted IPs, perhaps to disable security alerts against malicious IPs.
AWScloudtrail
TA0005 · Defense EvasionT1562.001 · Disable or Modify Tools
falokerTue Feb 11cloud
Detectionmediumtest
AWS IAM Backdoor Users Keys
Detects AWS API key creation for a user by another user. Backdoored users can be used to obtain persistence in the AWS environment. Also with this alert, you can detect a flow of AWS keys in your org.
AWScloudtrail
TA0003 · PersistenceTA0004 · Privilege EscalationT1098 · Account Manipulation
falokerWed Feb 12cloud
Detectionmediumtest
AWS RDS Master Password Change
Detects the change of database master password. It may be a part of data exfiltration.
AWScloudtrail
TA0010 · ExfiltrationT1020 · Automated Exfiltration
falokerWed Feb 12cloud
Detectionhightest
Restore Public AWS RDS Instance
Detects the recovery of a new public database instance from a snapshot. It may be a part of data exfiltration.
AWScloudtrail
TA0010 · ExfiltrationT1020 · Automated Exfiltration
falokerWed Feb 12cloud