This section displays SIGMA rules belonging to category cloud. It updates itself automatically when new commits are available in quasarops.
| Title | AWS CloudTrail Important Change |
|---|---|
| rule_category | cloud |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/cloud/aws_cloudtrail_disable_logging.yml |
| author | vitaliy0x1 |
| status | experimental |
| date | 2020/01/21 |
| description | Detects disabling, deleting and updating of a Trail |
| tags | attack.t1089 |
| Title | AWS Config Disabling Channel/Recorder |
|---|---|
| rule_category | cloud |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/cloud/aws_config_disable_recording.yml |
| author | vitaliy0x1 |
| status | experimental |
| date | 2020/01/21 |
| description | Detects AWS Config Service disabling |
| tags | attack.t1089 |
| Title | AWS EC2 Download Userdata |
|---|---|
| rule_category | cloud |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/cloud/aws_ec2_download_userdata.yml |
| author | faloker |
| status | experimental |
| date | 2020/02/11 |
| description | Detects bulk downloading of User Data associated with AWS EC2 instances. Instance User Data may include installation scripts and hard-coded secrets for deployment. |
| tags | attack.t1020 |
| Title | AWS EC2 Startup Shell Script Change |
|---|---|
| rule_category | cloud |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/cloud/aws_ec2_startup_script_change.yml |
| author | faloker |
| status | experimental |
| date | 2020/02/12 |
| description | Detects changes to the EC2 instance startup script. The shell script will be executed as root/SYSTEM everytime the specific instances are booted up. |
| tags | attack.t1064 |
| Title | AWS GuardDuty Important Change |
|---|---|
| rule_category | cloud |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/cloud/aws_guardduty_disruption.yml |
| author | faloker |
| status | experimental |
| date | 2020/02/11 |
| description | Detects updates of the GuardDuty list of trusted IPs, perhaps to disable security alerts against malicious IPs. |
| tags | attack.t1089 |
| Title | AWS IAM Backdoor Users Keys |
|---|---|
| rule_category | cloud |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/cloud/aws_iam_backdoor_users_keys.yml |
| author | faloker |
| status | experimental |
| date | 2020/02/12 |
| description | Detects AWS API key creation for a user by another user. Backdoored users can be used to obtain persistence in the AWS environment. Also with this alert, you can detect a flow of AWS keys in your org. |
| tags | attack.t1098 |
| Title | AWS RDS Master Password Change |
|---|---|
| rule_category | cloud |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/cloud/aws_rds_change_master_password.yml |
| author | faloker |
| status | experimental |
| date | 2020/02/12 |
| description | Detects the change of database master password. It may be a part of data exfiltration. |
| tags | attack.t1020 |
| Title | Restore Public AWS RDS Instance |
|---|---|
| rule_category | cloud |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/cloud/aws_rds_public_db_restore.yml |
| author | faloker |
| status | experimental |
| date | 2020/02/12 |
| description | Detects the recovery of a new public database instance from a snapshot. It may be a part of data exfiltration. |
| tags | attack.t1020 |
| Title | AWS Root Credentials |
|---|---|
| rule_category | cloud |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/cloud/aws_root_account_usage.yml |
| author | vitaliy0x1 |
| status | experimental |
| date | 2020/01/21 |
| description | Detects AWS root account usage |
| tags | attack.t1078 |