├── CloudTrail ├── 218007301253_CloudTrail_us-east-1_20230710T1145Z_7xgocspSowgK0Gto.json ├── 218007301253_CloudTrail_us-east-1_20230710T1145Z_s7dpHbl38neqZbm2.json ├── 218007301253_CloudTrail_us-east-1_20230710T1150Z_1vnLavRRp0ek1mP4.json ├── 218007301253_CloudTrail_us-east-1_20230710T1200Z_iLj9fb7yyUG9X4Bf.json ├── 218007301253_CloudTrail_us-east-1_20230710T1200Z_x9kHmzMa7cx6l9wM.json ├── 218007301253_CloudTrail_us-east-1_20230710T1205Z_1dM7GQM67kudSyGD.json ├── 218007301253_CloudTrail_us-east-1_20230710T1205Z_86g9Vok9HiUCgSI7.json ├── 218007301253_CloudTrail_us-east-1_20230710T1205Z_SjF3IkuNXJkoHyar.json ├── 218007301253_CloudTrail_us-east-1_20230710T1205Z_UljXNp9xLp8nsAGc.json ├── 218007301253_CloudTrail_us-east-1_20230710T1205Z_dOIWyEekdNWhkpqY.json ├── 218007301253_CloudTrail_us-east-1_20230710T1205Z_lKy08gyrqqRJyzsn.json ├── 218007301253_CloudTrail_us-east-1_20230710T1205Z_nx9Yx1FyJdBaTqKj.json ├── 218007301253_CloudTrail_us-east-1_20230710T1205Z_zs3JGxETHr59VpkX.json ├── 218007301253_CloudTrail_us-east-1_20230710T1210Z_2ru8PrDKZmsO3yWC.json ├── 218007301253_CloudTrail_us-east-1_20230710T1210Z_6CICdbJQM3beT7n3.json ├── 218007301253_CloudTrail_us-east-1_20230710T1210Z_QY5iPRtGUt0EpVaH.json ├── 218007301253_CloudTrail_us-east-1_20230710T1210Z_RBxlxVrF890sGHGg.json ├── 218007301253_CloudTrail_us-east-1_20230710T1210Z_ZgEBhdXGdLTXGoIe.json ├── 218007301253_CloudTrail_us-east-1_20230710T1210Z_bXGZYqBeCCsqWq1U.json ├── 218007301253_CloudTrail_us-east-1_20230710T1210Z_vj0QE0Tf5ZmzMsCo.json ├── 218007301253_CloudTrail_us-east-1_20230710T1215Z_5f9a6SYejzdNeREZ.json ├── 218007301253_CloudTrail_us-east-1_20230710T1215Z_MifI13MOmOjRfXzJ.json ├── 218007301253_CloudTrail_us-east-1_20230710T1215Z_P0WZuP2zvLW2RcUo.json ├── 218007301253_CloudTrail_us-east-1_20230710T1215Z_YMDRJwtmC82bUwAo.json ├── 218007301253_CloudTrail_us-east-1_20230710T1215Z_YxpR6PTmNBivhnJJ.json ├── 218007301253_CloudTrail_us-east-1_20230710T1215Z_Z8x5aqgtcXn5NEG9.json ├── 218007301253_CloudTrail_us-east-1_20230710T1215Z_dTTFsx4I2m3om5Oy.json ├── 218007301253_CloudTrail_us-east-1_20230710T1215Z_nBsuPO1qSTEVerMD.json ├── 218007301253_CloudTrail_us-east-1_20230710T1220Z_8sBQhbu5YO94UV8p.json ├── 218007301253_CloudTrail_us-east-1_20230710T1220Z_AkYyuTYmKtOUB1Lx.json ├── 218007301253_CloudTrail_us-east-1_20230710T1220Z_WMiHxZgr5Hdd6UDc.json ├── 218007301253_CloudTrail_us-east-1_20230710T1220Z_ovtmbuX3ENJ119uH.json ├── 218007301253_CloudTrail_us-east-1_20230710T1220Z_r7NFD65BgeDMqD23.json ├── 218007301253_CloudTrail_us-east-1_20230710T1220Z_sM25jC0Ku0QcGkDa.json ├── 218007301253_CloudTrail_us-east-1_20230710T1225Z_4iD2boYSOwmb6sWd.json ├── 218007301253_CloudTrail_us-east-1_20230710T1225Z_QqgbBkK0L13H8Wbv.json ├── 218007301253_CloudTrail_us-east-1_20230710T1225Z_RL8g7SsRoNFvvVBW.json ├── 218007301253_CloudTrail_us-east-1_20230710T1225Z_qWyTCPHzELqDMshA.json ├── 218007301253_CloudTrail_us-east-1_20230710T1225Z_vMAR90Iiaqr6M5sR.json ├── 218007301253_CloudTrail_us-east-1_20230710T1230Z_04rtp9DpvIpSZzMr.json ├── 218007301253_CloudTrail_us-east-1_20230710T1230Z_9JM8uKEITHqwJKXr.json ├── 218007301253_CloudTrail_us-east-1_20230710T1230Z_9SJSsrxJ0ChF5VFb.json ├── 218007301253_CloudTrail_us-east-1_20230710T1230Z_9dKPuRzdLzqZRjqm.json ├── 218007301253_CloudTrail_us-east-1_20230710T1230Z_AvIajGd5rkz6vTy4.json ├── 218007301253_CloudTrail_us-east-1_20230710T1230Z_GyyPwrInk2rgv8V0.json ├── 218007301253_CloudTrail_us-east-1_20230710T1230Z_KV9LZlfXqBel7nqf.json ├── 218007301253_CloudTrail_us-east-1_20230710T1230Z_OU6Ha25B4GGhUIMr.json ├── 218007301253_CloudTrail_us-east-1_20230710T1230Z_ZtUNbBkwAu98FPZb.json ├── 218007301253_CloudTrail_us-east-1_20230710T1230Z_lHgkh3VeI3XnjZSL.json ├── 218007301253_CloudTrail_us-east-1_20230710T1230Z_s2m4APJ8BhmXSIE6.json ├── 218007301253_CloudTrail_us-east-1_20230710T1230Z_soULWstxp7lqsODg.json ├── 218007301253_CloudTrail_us-east-1_20230710T1235Z_Vp7r3boWJKtPb3wM.json ├── 218007301253_CloudTrail_us-east-1_20230710T1235Z_YbVFCP9AYzJDhHV9.json ├── 218007301253_CloudTrail_us-east-1_20230710T1235Z_kboLbHJlz2H6cLyo.json └── 218007301253_CloudTrail_us-east-1_20230710T1240Z_C1qUFaqvZS64BcIN.json ├── Images ├── AttackEnvironment.png └── AutomatedResearch.png ├── LICENSE ├── README.md ├── Sigma Athena SQL ├── aws_attached_malicious_lambda_layer.sql ├── aws_cloudtrail_disable_logging.sql ├── aws_config_disable_recording.sql ├── aws_delete_identity.sql ├── aws_ec2_disable_encryption.sql ├── aws_ec2_startup_script_change.sql ├── aws_ec2_vm_export_failure.sql ├── aws_ecs_task_definition_cred_endpoint_query.sql ├── aws_efs_fileshare_modified_or_deleted.sql ├── aws_efs_fileshare_mount_modified_or_deleted.sql ├── aws_eks_cluster_created_or_deleted.sql ├── aws_elasticache_security_group_created.sql ├── aws_elasticache_security_group_modified_or_deleted.sql ├── aws_enum_buckets.sql ├── aws_guardduty_disruption.sql ├── aws_iam_backdoor_users_keys.sql ├── aws_passed_role_to_glue_development_endpoint.sql ├── aws_rds_change_master_password.sql ├── aws_rds_public_db_restore.sql ├── aws_root_account_usage.sql ├── aws_route_53_domain_transferred_lock_disabled.sql ├── aws_route_53_domain_transferred_to_another_account.sql ├── aws_s3_data_management_tampering.sql ├── aws_securityhub_finding_evasion.sql ├── aws_snapshot_backup_exfiltration.sql ├── aws_sts_assumerole_misuse.sql ├── aws_sts_getsessiontoken_misuse.sql ├── aws_susp_saml_activity.sql ├── aws_update_login_profile.sql └── unsuported-aws │ ├── aws_ec2_download_userdata.txt │ ├── aws_enum_backup.txt │ ├── aws_enum_listing.txt │ ├── aws_enum_network.txt │ └── aws_enum_storage.txt ├── SigmaHQ AWS ├── README.MD ├── aws_attached_malicious_lambda_layer.yml ├── aws_cloudtrail_disable_logging.yml ├── aws_config_disable_recording.yml ├── aws_delete_identity.yml ├── aws_ec2_disable_encryption.yml ├── aws_ec2_startup_script_change.yml ├── aws_ec2_vm_export_failure.yml ├── aws_ecs_task_definition_cred_endpoint_query.yml ├── aws_efs_fileshare_modified_or_deleted.yml ├── aws_efs_fileshare_mount_modified_or_deleted.yml ├── aws_eks_cluster_created_or_deleted.yml ├── aws_elasticache_security_group_created.yml ├── aws_elasticache_security_group_modified_or_deleted.yml ├── aws_enum_buckets.yml ├── aws_guardduty_disruption.yml ├── aws_iam_backdoor_users_keys.yml ├── aws_passed_role_to_glue_development_endpoint.yml ├── aws_rds_change_master_password.yml ├── aws_rds_public_db_restore.yml ├── aws_root_account_usage.yml ├── aws_route_53_domain_transferred_lock_disabled.yml ├── aws_route_53_domain_transferred_to_another_account.yml ├── aws_s3_data_management_tampering.yml ├── aws_securityhub_finding_evasion.yml ├── aws_snapshot_backup_exfiltration.yml ├── aws_sts_assumerole_misuse.yml ├── aws_sts_getsessiontoken_misuse.yml ├── aws_susp_saml_activity.yml ├── aws_update_login_profile.yml └── unsupported │ ├── aws_ec2_download_userdata.yml │ ├── aws_enum_backup.yml │ ├── aws_enum_listing.yml │ ├── aws_enum_network.yml │ ├── aws_enum_storage.yml │ ├── aws_lambda_function_created_or_invoked.yml │ ├── aws_macic_evasion.yml │ └── aws_ses_messaging_enabled.yml ├── Splunk queries ├── aws_attached_malicious_lambda_layer.spl ├── aws_cloudtrail_disable_logging.spl ├── aws_config_disable_recording.spl ├── aws_delete_identity.spl ├── aws_ec2_disable_encryption.spl ├── aws_ec2_startup_script_change.spl ├── aws_ec2_vm_export_failure.spl ├── aws_ecs_task_definition_cred_endpoint_query.spl ├── aws_efs_fileshare_modified_or_deleted.spl ├── aws_efs_fileshare_mount_modified_or_deleted.spl ├── aws_eks_cluster_created_or_deleted.spl ├── aws_elasticache_security_group_created.spl ├── aws_elasticache_security_group_modified_or_deleted.spl ├── aws_enum_buckets.spl ├── aws_guardduty_disruption.spl ├── aws_iam_backdoor_users_keys.spl ├── aws_passed_role_to_glue_development_endpoint.spl ├── aws_rds_change_master_password.spl ├── aws_rds_public_db_restore.spl ├── aws_root_account_usage.spl ├── aws_route_53_domain_transferred_lock_disabled.spl ├── aws_route_53_domain_transferred_to_another_account.spl ├── aws_s3_data_management_tampering.spl ├── aws_securityhub_finding_evasion.spl ├── aws_snapshot_backup_exfiltration.spl ├── aws_sts_assumerole_misuse.spl ├── aws_sts_getsessiontoken_misuse.spl ├── aws_susp_saml_activity.spl └── aws_update_login_profile.spl └── translator └── FixSigmaToAthena.py /CloudTrail/218007301253_CloudTrail_us-east-1_20230710T1145Z_7xgocspSowgK0Gto.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/CloudTrail/218007301253_CloudTrail_us-east-1_20230710T1145Z_7xgocspSowgK0Gto.json -------------------------------------------------------------------------------- /CloudTrail/218007301253_CloudTrail_us-east-1_20230710T1145Z_s7dpHbl38neqZbm2.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/CloudTrail/218007301253_CloudTrail_us-east-1_20230710T1145Z_s7dpHbl38neqZbm2.json -------------------------------------------------------------------------------- /CloudTrail/218007301253_CloudTrail_us-east-1_20230710T1150Z_1vnLavRRp0ek1mP4.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/CloudTrail/218007301253_CloudTrail_us-east-1_20230710T1150Z_1vnLavRRp0ek1mP4.json -------------------------------------------------------------------------------- /CloudTrail/218007301253_CloudTrail_us-east-1_20230710T1200Z_iLj9fb7yyUG9X4Bf.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/CloudTrail/218007301253_CloudTrail_us-east-1_20230710T1200Z_iLj9fb7yyUG9X4Bf.json -------------------------------------------------------------------------------- /CloudTrail/218007301253_CloudTrail_us-east-1_20230710T1200Z_x9kHmzMa7cx6l9wM.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/CloudTrail/218007301253_CloudTrail_us-east-1_20230710T1200Z_x9kHmzMa7cx6l9wM.json -------------------------------------------------------------------------------- /CloudTrail/218007301253_CloudTrail_us-east-1_20230710T1205Z_1dM7GQM67kudSyGD.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/CloudTrail/218007301253_CloudTrail_us-east-1_20230710T1205Z_1dM7GQM67kudSyGD.json -------------------------------------------------------------------------------- /CloudTrail/218007301253_CloudTrail_us-east-1_20230710T1205Z_86g9Vok9HiUCgSI7.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/CloudTrail/218007301253_CloudTrail_us-east-1_20230710T1205Z_86g9Vok9HiUCgSI7.json -------------------------------------------------------------------------------- /CloudTrail/218007301253_CloudTrail_us-east-1_20230710T1205Z_SjF3IkuNXJkoHyar.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/CloudTrail/218007301253_CloudTrail_us-east-1_20230710T1205Z_SjF3IkuNXJkoHyar.json -------------------------------------------------------------------------------- /CloudTrail/218007301253_CloudTrail_us-east-1_20230710T1205Z_UljXNp9xLp8nsAGc.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/CloudTrail/218007301253_CloudTrail_us-east-1_20230710T1205Z_UljXNp9xLp8nsAGc.json -------------------------------------------------------------------------------- /CloudTrail/218007301253_CloudTrail_us-east-1_20230710T1205Z_dOIWyEekdNWhkpqY.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/CloudTrail/218007301253_CloudTrail_us-east-1_20230710T1205Z_dOIWyEekdNWhkpqY.json -------------------------------------------------------------------------------- /CloudTrail/218007301253_CloudTrail_us-east-1_20230710T1205Z_lKy08gyrqqRJyzsn.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/CloudTrail/218007301253_CloudTrail_us-east-1_20230710T1205Z_lKy08gyrqqRJyzsn.json -------------------------------------------------------------------------------- /CloudTrail/218007301253_CloudTrail_us-east-1_20230710T1205Z_nx9Yx1FyJdBaTqKj.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/CloudTrail/218007301253_CloudTrail_us-east-1_20230710T1205Z_nx9Yx1FyJdBaTqKj.json -------------------------------------------------------------------------------- /CloudTrail/218007301253_CloudTrail_us-east-1_20230710T1205Z_zs3JGxETHr59VpkX.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/CloudTrail/218007301253_CloudTrail_us-east-1_20230710T1205Z_zs3JGxETHr59VpkX.json -------------------------------------------------------------------------------- /CloudTrail/218007301253_CloudTrail_us-east-1_20230710T1210Z_2ru8PrDKZmsO3yWC.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/CloudTrail/218007301253_CloudTrail_us-east-1_20230710T1210Z_2ru8PrDKZmsO3yWC.json -------------------------------------------------------------------------------- /CloudTrail/218007301253_CloudTrail_us-east-1_20230710T1210Z_6CICdbJQM3beT7n3.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/CloudTrail/218007301253_CloudTrail_us-east-1_20230710T1210Z_6CICdbJQM3beT7n3.json -------------------------------------------------------------------------------- /CloudTrail/218007301253_CloudTrail_us-east-1_20230710T1210Z_QY5iPRtGUt0EpVaH.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/CloudTrail/218007301253_CloudTrail_us-east-1_20230710T1210Z_QY5iPRtGUt0EpVaH.json -------------------------------------------------------------------------------- /CloudTrail/218007301253_CloudTrail_us-east-1_20230710T1210Z_RBxlxVrF890sGHGg.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/CloudTrail/218007301253_CloudTrail_us-east-1_20230710T1210Z_RBxlxVrF890sGHGg.json -------------------------------------------------------------------------------- /CloudTrail/218007301253_CloudTrail_us-east-1_20230710T1210Z_ZgEBhdXGdLTXGoIe.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/CloudTrail/218007301253_CloudTrail_us-east-1_20230710T1210Z_ZgEBhdXGdLTXGoIe.json -------------------------------------------------------------------------------- /CloudTrail/218007301253_CloudTrail_us-east-1_20230710T1210Z_bXGZYqBeCCsqWq1U.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/CloudTrail/218007301253_CloudTrail_us-east-1_20230710T1210Z_bXGZYqBeCCsqWq1U.json -------------------------------------------------------------------------------- /CloudTrail/218007301253_CloudTrail_us-east-1_20230710T1210Z_vj0QE0Tf5ZmzMsCo.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/CloudTrail/218007301253_CloudTrail_us-east-1_20230710T1210Z_vj0QE0Tf5ZmzMsCo.json -------------------------------------------------------------------------------- /CloudTrail/218007301253_CloudTrail_us-east-1_20230710T1215Z_5f9a6SYejzdNeREZ.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/CloudTrail/218007301253_CloudTrail_us-east-1_20230710T1215Z_5f9a6SYejzdNeREZ.json -------------------------------------------------------------------------------- /CloudTrail/218007301253_CloudTrail_us-east-1_20230710T1215Z_MifI13MOmOjRfXzJ.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/CloudTrail/218007301253_CloudTrail_us-east-1_20230710T1215Z_MifI13MOmOjRfXzJ.json -------------------------------------------------------------------------------- /CloudTrail/218007301253_CloudTrail_us-east-1_20230710T1215Z_P0WZuP2zvLW2RcUo.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/CloudTrail/218007301253_CloudTrail_us-east-1_20230710T1215Z_P0WZuP2zvLW2RcUo.json -------------------------------------------------------------------------------- /CloudTrail/218007301253_CloudTrail_us-east-1_20230710T1215Z_YMDRJwtmC82bUwAo.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/CloudTrail/218007301253_CloudTrail_us-east-1_20230710T1215Z_YMDRJwtmC82bUwAo.json -------------------------------------------------------------------------------- /CloudTrail/218007301253_CloudTrail_us-east-1_20230710T1215Z_YxpR6PTmNBivhnJJ.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/CloudTrail/218007301253_CloudTrail_us-east-1_20230710T1215Z_YxpR6PTmNBivhnJJ.json -------------------------------------------------------------------------------- /CloudTrail/218007301253_CloudTrail_us-east-1_20230710T1215Z_Z8x5aqgtcXn5NEG9.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/CloudTrail/218007301253_CloudTrail_us-east-1_20230710T1215Z_Z8x5aqgtcXn5NEG9.json -------------------------------------------------------------------------------- /CloudTrail/218007301253_CloudTrail_us-east-1_20230710T1215Z_dTTFsx4I2m3om5Oy.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/CloudTrail/218007301253_CloudTrail_us-east-1_20230710T1215Z_dTTFsx4I2m3om5Oy.json -------------------------------------------------------------------------------- /CloudTrail/218007301253_CloudTrail_us-east-1_20230710T1215Z_nBsuPO1qSTEVerMD.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/CloudTrail/218007301253_CloudTrail_us-east-1_20230710T1215Z_nBsuPO1qSTEVerMD.json -------------------------------------------------------------------------------- /CloudTrail/218007301253_CloudTrail_us-east-1_20230710T1220Z_8sBQhbu5YO94UV8p.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/CloudTrail/218007301253_CloudTrail_us-east-1_20230710T1220Z_8sBQhbu5YO94UV8p.json -------------------------------------------------------------------------------- /CloudTrail/218007301253_CloudTrail_us-east-1_20230710T1220Z_AkYyuTYmKtOUB1Lx.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/CloudTrail/218007301253_CloudTrail_us-east-1_20230710T1220Z_AkYyuTYmKtOUB1Lx.json -------------------------------------------------------------------------------- /CloudTrail/218007301253_CloudTrail_us-east-1_20230710T1220Z_WMiHxZgr5Hdd6UDc.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/CloudTrail/218007301253_CloudTrail_us-east-1_20230710T1220Z_WMiHxZgr5Hdd6UDc.json -------------------------------------------------------------------------------- /CloudTrail/218007301253_CloudTrail_us-east-1_20230710T1220Z_ovtmbuX3ENJ119uH.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/CloudTrail/218007301253_CloudTrail_us-east-1_20230710T1220Z_ovtmbuX3ENJ119uH.json -------------------------------------------------------------------------------- /CloudTrail/218007301253_CloudTrail_us-east-1_20230710T1220Z_r7NFD65BgeDMqD23.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/CloudTrail/218007301253_CloudTrail_us-east-1_20230710T1220Z_r7NFD65BgeDMqD23.json -------------------------------------------------------------------------------- /CloudTrail/218007301253_CloudTrail_us-east-1_20230710T1220Z_sM25jC0Ku0QcGkDa.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/CloudTrail/218007301253_CloudTrail_us-east-1_20230710T1220Z_sM25jC0Ku0QcGkDa.json -------------------------------------------------------------------------------- /CloudTrail/218007301253_CloudTrail_us-east-1_20230710T1225Z_4iD2boYSOwmb6sWd.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/CloudTrail/218007301253_CloudTrail_us-east-1_20230710T1225Z_4iD2boYSOwmb6sWd.json -------------------------------------------------------------------------------- /CloudTrail/218007301253_CloudTrail_us-east-1_20230710T1225Z_QqgbBkK0L13H8Wbv.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/CloudTrail/218007301253_CloudTrail_us-east-1_20230710T1225Z_QqgbBkK0L13H8Wbv.json -------------------------------------------------------------------------------- /CloudTrail/218007301253_CloudTrail_us-east-1_20230710T1225Z_RL8g7SsRoNFvvVBW.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/CloudTrail/218007301253_CloudTrail_us-east-1_20230710T1225Z_RL8g7SsRoNFvvVBW.json -------------------------------------------------------------------------------- /CloudTrail/218007301253_CloudTrail_us-east-1_20230710T1225Z_qWyTCPHzELqDMshA.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/CloudTrail/218007301253_CloudTrail_us-east-1_20230710T1225Z_qWyTCPHzELqDMshA.json -------------------------------------------------------------------------------- /CloudTrail/218007301253_CloudTrail_us-east-1_20230710T1225Z_vMAR90Iiaqr6M5sR.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/CloudTrail/218007301253_CloudTrail_us-east-1_20230710T1225Z_vMAR90Iiaqr6M5sR.json -------------------------------------------------------------------------------- /CloudTrail/218007301253_CloudTrail_us-east-1_20230710T1230Z_04rtp9DpvIpSZzMr.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/CloudTrail/218007301253_CloudTrail_us-east-1_20230710T1230Z_04rtp9DpvIpSZzMr.json -------------------------------------------------------------------------------- /CloudTrail/218007301253_CloudTrail_us-east-1_20230710T1230Z_9JM8uKEITHqwJKXr.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/CloudTrail/218007301253_CloudTrail_us-east-1_20230710T1230Z_9JM8uKEITHqwJKXr.json -------------------------------------------------------------------------------- /CloudTrail/218007301253_CloudTrail_us-east-1_20230710T1230Z_9SJSsrxJ0ChF5VFb.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/CloudTrail/218007301253_CloudTrail_us-east-1_20230710T1230Z_9SJSsrxJ0ChF5VFb.json -------------------------------------------------------------------------------- /CloudTrail/218007301253_CloudTrail_us-east-1_20230710T1230Z_9dKPuRzdLzqZRjqm.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/CloudTrail/218007301253_CloudTrail_us-east-1_20230710T1230Z_9dKPuRzdLzqZRjqm.json -------------------------------------------------------------------------------- /CloudTrail/218007301253_CloudTrail_us-east-1_20230710T1230Z_AvIajGd5rkz6vTy4.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/CloudTrail/218007301253_CloudTrail_us-east-1_20230710T1230Z_AvIajGd5rkz6vTy4.json -------------------------------------------------------------------------------- /CloudTrail/218007301253_CloudTrail_us-east-1_20230710T1230Z_GyyPwrInk2rgv8V0.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/CloudTrail/218007301253_CloudTrail_us-east-1_20230710T1230Z_GyyPwrInk2rgv8V0.json -------------------------------------------------------------------------------- /CloudTrail/218007301253_CloudTrail_us-east-1_20230710T1230Z_KV9LZlfXqBel7nqf.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/CloudTrail/218007301253_CloudTrail_us-east-1_20230710T1230Z_KV9LZlfXqBel7nqf.json -------------------------------------------------------------------------------- /CloudTrail/218007301253_CloudTrail_us-east-1_20230710T1230Z_OU6Ha25B4GGhUIMr.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/CloudTrail/218007301253_CloudTrail_us-east-1_20230710T1230Z_OU6Ha25B4GGhUIMr.json -------------------------------------------------------------------------------- /CloudTrail/218007301253_CloudTrail_us-east-1_20230710T1230Z_ZtUNbBkwAu98FPZb.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/CloudTrail/218007301253_CloudTrail_us-east-1_20230710T1230Z_ZtUNbBkwAu98FPZb.json -------------------------------------------------------------------------------- /CloudTrail/218007301253_CloudTrail_us-east-1_20230710T1230Z_lHgkh3VeI3XnjZSL.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/CloudTrail/218007301253_CloudTrail_us-east-1_20230710T1230Z_lHgkh3VeI3XnjZSL.json -------------------------------------------------------------------------------- /CloudTrail/218007301253_CloudTrail_us-east-1_20230710T1230Z_s2m4APJ8BhmXSIE6.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/CloudTrail/218007301253_CloudTrail_us-east-1_20230710T1230Z_s2m4APJ8BhmXSIE6.json -------------------------------------------------------------------------------- /CloudTrail/218007301253_CloudTrail_us-east-1_20230710T1230Z_soULWstxp7lqsODg.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/CloudTrail/218007301253_CloudTrail_us-east-1_20230710T1230Z_soULWstxp7lqsODg.json -------------------------------------------------------------------------------- /CloudTrail/218007301253_CloudTrail_us-east-1_20230710T1235Z_Vp7r3boWJKtPb3wM.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/CloudTrail/218007301253_CloudTrail_us-east-1_20230710T1235Z_Vp7r3boWJKtPb3wM.json -------------------------------------------------------------------------------- /CloudTrail/218007301253_CloudTrail_us-east-1_20230710T1235Z_YbVFCP9AYzJDhHV9.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/CloudTrail/218007301253_CloudTrail_us-east-1_20230710T1235Z_YbVFCP9AYzJDhHV9.json -------------------------------------------------------------------------------- /CloudTrail/218007301253_CloudTrail_us-east-1_20230710T1235Z_kboLbHJlz2H6cLyo.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/CloudTrail/218007301253_CloudTrail_us-east-1_20230710T1235Z_kboLbHJlz2H6cLyo.json -------------------------------------------------------------------------------- /CloudTrail/218007301253_CloudTrail_us-east-1_20230710T1240Z_C1qUFaqvZS64BcIN.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/CloudTrail/218007301253_CloudTrail_us-east-1_20230710T1240Z_C1qUFaqvZS64BcIN.json -------------------------------------------------------------------------------- /Images/AttackEnvironment.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/Images/AttackEnvironment.png -------------------------------------------------------------------------------- /Images/AutomatedResearch.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/Images/AutomatedResearch.png -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/LICENSE -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/README.md -------------------------------------------------------------------------------- /Sigma Athena SQL/aws_attached_malicious_lambda_layer.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/Sigma Athena SQL/aws_attached_malicious_lambda_layer.sql -------------------------------------------------------------------------------- /Sigma Athena SQL/aws_cloudtrail_disable_logging.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/Sigma Athena SQL/aws_cloudtrail_disable_logging.sql -------------------------------------------------------------------------------- /Sigma Athena SQL/aws_config_disable_recording.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/Sigma Athena SQL/aws_config_disable_recording.sql -------------------------------------------------------------------------------- /Sigma Athena SQL/aws_delete_identity.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/Sigma Athena SQL/aws_delete_identity.sql -------------------------------------------------------------------------------- /Sigma Athena SQL/aws_ec2_disable_encryption.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/Sigma Athena SQL/aws_ec2_disable_encryption.sql -------------------------------------------------------------------------------- /Sigma Athena SQL/aws_ec2_startup_script_change.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/Sigma Athena SQL/aws_ec2_startup_script_change.sql -------------------------------------------------------------------------------- /Sigma Athena SQL/aws_ec2_vm_export_failure.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/Sigma Athena SQL/aws_ec2_vm_export_failure.sql -------------------------------------------------------------------------------- /Sigma Athena SQL/aws_ecs_task_definition_cred_endpoint_query.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/Sigma Athena SQL/aws_ecs_task_definition_cred_endpoint_query.sql -------------------------------------------------------------------------------- /Sigma Athena SQL/aws_efs_fileshare_modified_or_deleted.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/Sigma Athena SQL/aws_efs_fileshare_modified_or_deleted.sql -------------------------------------------------------------------------------- /Sigma Athena SQL/aws_efs_fileshare_mount_modified_or_deleted.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/Sigma Athena SQL/aws_efs_fileshare_mount_modified_or_deleted.sql -------------------------------------------------------------------------------- /Sigma Athena SQL/aws_eks_cluster_created_or_deleted.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/Sigma Athena SQL/aws_eks_cluster_created_or_deleted.sql -------------------------------------------------------------------------------- /Sigma Athena SQL/aws_elasticache_security_group_created.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/Sigma Athena SQL/aws_elasticache_security_group_created.sql -------------------------------------------------------------------------------- /Sigma Athena SQL/aws_elasticache_security_group_modified_or_deleted.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/Sigma Athena SQL/aws_elasticache_security_group_modified_or_deleted.sql -------------------------------------------------------------------------------- /Sigma Athena SQL/aws_enum_buckets.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/Sigma Athena SQL/aws_enum_buckets.sql -------------------------------------------------------------------------------- /Sigma Athena SQL/aws_guardduty_disruption.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/Sigma Athena SQL/aws_guardduty_disruption.sql -------------------------------------------------------------------------------- /Sigma Athena SQL/aws_iam_backdoor_users_keys.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/Sigma Athena SQL/aws_iam_backdoor_users_keys.sql -------------------------------------------------------------------------------- /Sigma Athena SQL/aws_passed_role_to_glue_development_endpoint.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/Sigma Athena SQL/aws_passed_role_to_glue_development_endpoint.sql -------------------------------------------------------------------------------- /Sigma Athena SQL/aws_rds_change_master_password.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/Sigma Athena SQL/aws_rds_change_master_password.sql -------------------------------------------------------------------------------- /Sigma Athena SQL/aws_rds_public_db_restore.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/Sigma Athena SQL/aws_rds_public_db_restore.sql -------------------------------------------------------------------------------- /Sigma Athena SQL/aws_root_account_usage.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/Sigma Athena SQL/aws_root_account_usage.sql -------------------------------------------------------------------------------- /Sigma Athena SQL/aws_route_53_domain_transferred_lock_disabled.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/Sigma Athena SQL/aws_route_53_domain_transferred_lock_disabled.sql -------------------------------------------------------------------------------- /Sigma Athena SQL/aws_route_53_domain_transferred_to_another_account.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/Sigma Athena SQL/aws_route_53_domain_transferred_to_another_account.sql -------------------------------------------------------------------------------- /Sigma Athena SQL/aws_s3_data_management_tampering.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/Sigma Athena SQL/aws_s3_data_management_tampering.sql -------------------------------------------------------------------------------- /Sigma Athena SQL/aws_securityhub_finding_evasion.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/Sigma Athena SQL/aws_securityhub_finding_evasion.sql -------------------------------------------------------------------------------- /Sigma Athena SQL/aws_snapshot_backup_exfiltration.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/Sigma Athena SQL/aws_snapshot_backup_exfiltration.sql -------------------------------------------------------------------------------- /Sigma Athena SQL/aws_sts_assumerole_misuse.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/Sigma Athena SQL/aws_sts_assumerole_misuse.sql -------------------------------------------------------------------------------- /Sigma Athena SQL/aws_sts_getsessiontoken_misuse.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/Sigma Athena SQL/aws_sts_getsessiontoken_misuse.sql -------------------------------------------------------------------------------- /Sigma Athena SQL/aws_susp_saml_activity.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/Sigma Athena SQL/aws_susp_saml_activity.sql -------------------------------------------------------------------------------- /Sigma Athena SQL/aws_update_login_profile.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/Sigma Athena SQL/aws_update_login_profile.sql -------------------------------------------------------------------------------- /Sigma Athena SQL/unsuported-aws/aws_ec2_download_userdata.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/Sigma Athena SQL/unsuported-aws/aws_ec2_download_userdata.txt -------------------------------------------------------------------------------- /Sigma Athena SQL/unsuported-aws/aws_enum_backup.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/Sigma Athena SQL/unsuported-aws/aws_enum_backup.txt -------------------------------------------------------------------------------- /Sigma Athena SQL/unsuported-aws/aws_enum_listing.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/Sigma Athena SQL/unsuported-aws/aws_enum_listing.txt -------------------------------------------------------------------------------- /Sigma Athena SQL/unsuported-aws/aws_enum_network.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/Sigma Athena SQL/unsuported-aws/aws_enum_network.txt -------------------------------------------------------------------------------- /Sigma Athena SQL/unsuported-aws/aws_enum_storage.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/Sigma Athena SQL/unsuported-aws/aws_enum_storage.txt -------------------------------------------------------------------------------- /SigmaHQ AWS/README.MD: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/SigmaHQ AWS/README.MD -------------------------------------------------------------------------------- /SigmaHQ AWS/aws_attached_malicious_lambda_layer.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/SigmaHQ AWS/aws_attached_malicious_lambda_layer.yml -------------------------------------------------------------------------------- /SigmaHQ AWS/aws_cloudtrail_disable_logging.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/SigmaHQ AWS/aws_cloudtrail_disable_logging.yml -------------------------------------------------------------------------------- /SigmaHQ AWS/aws_config_disable_recording.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/SigmaHQ AWS/aws_config_disable_recording.yml -------------------------------------------------------------------------------- /SigmaHQ AWS/aws_delete_identity.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/SigmaHQ AWS/aws_delete_identity.yml -------------------------------------------------------------------------------- /SigmaHQ AWS/aws_ec2_disable_encryption.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/SigmaHQ AWS/aws_ec2_disable_encryption.yml -------------------------------------------------------------------------------- /SigmaHQ AWS/aws_ec2_startup_script_change.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/SigmaHQ AWS/aws_ec2_startup_script_change.yml -------------------------------------------------------------------------------- /SigmaHQ AWS/aws_ec2_vm_export_failure.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/SigmaHQ AWS/aws_ec2_vm_export_failure.yml -------------------------------------------------------------------------------- /SigmaHQ AWS/aws_ecs_task_definition_cred_endpoint_query.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/SigmaHQ AWS/aws_ecs_task_definition_cred_endpoint_query.yml -------------------------------------------------------------------------------- /SigmaHQ AWS/aws_efs_fileshare_modified_or_deleted.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/SigmaHQ AWS/aws_efs_fileshare_modified_or_deleted.yml -------------------------------------------------------------------------------- /SigmaHQ AWS/aws_efs_fileshare_mount_modified_or_deleted.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/SigmaHQ AWS/aws_efs_fileshare_mount_modified_or_deleted.yml -------------------------------------------------------------------------------- /SigmaHQ AWS/aws_eks_cluster_created_or_deleted.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/SigmaHQ AWS/aws_eks_cluster_created_or_deleted.yml -------------------------------------------------------------------------------- /SigmaHQ AWS/aws_elasticache_security_group_created.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/SigmaHQ AWS/aws_elasticache_security_group_created.yml -------------------------------------------------------------------------------- /SigmaHQ AWS/aws_elasticache_security_group_modified_or_deleted.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/SigmaHQ AWS/aws_elasticache_security_group_modified_or_deleted.yml -------------------------------------------------------------------------------- /SigmaHQ AWS/aws_enum_buckets.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/SigmaHQ AWS/aws_enum_buckets.yml -------------------------------------------------------------------------------- /SigmaHQ AWS/aws_guardduty_disruption.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/SigmaHQ AWS/aws_guardduty_disruption.yml -------------------------------------------------------------------------------- /SigmaHQ AWS/aws_iam_backdoor_users_keys.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/SigmaHQ AWS/aws_iam_backdoor_users_keys.yml -------------------------------------------------------------------------------- /SigmaHQ AWS/aws_passed_role_to_glue_development_endpoint.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/SigmaHQ AWS/aws_passed_role_to_glue_development_endpoint.yml -------------------------------------------------------------------------------- /SigmaHQ AWS/aws_rds_change_master_password.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/SigmaHQ AWS/aws_rds_change_master_password.yml -------------------------------------------------------------------------------- /SigmaHQ AWS/aws_rds_public_db_restore.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/SigmaHQ AWS/aws_rds_public_db_restore.yml -------------------------------------------------------------------------------- /SigmaHQ AWS/aws_root_account_usage.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/SigmaHQ AWS/aws_root_account_usage.yml -------------------------------------------------------------------------------- /SigmaHQ AWS/aws_route_53_domain_transferred_lock_disabled.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/SigmaHQ AWS/aws_route_53_domain_transferred_lock_disabled.yml -------------------------------------------------------------------------------- /SigmaHQ AWS/aws_route_53_domain_transferred_to_another_account.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/SigmaHQ AWS/aws_route_53_domain_transferred_to_another_account.yml -------------------------------------------------------------------------------- /SigmaHQ AWS/aws_s3_data_management_tampering.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/SigmaHQ AWS/aws_s3_data_management_tampering.yml -------------------------------------------------------------------------------- /SigmaHQ AWS/aws_securityhub_finding_evasion.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/SigmaHQ AWS/aws_securityhub_finding_evasion.yml -------------------------------------------------------------------------------- /SigmaHQ AWS/aws_snapshot_backup_exfiltration.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/SigmaHQ AWS/aws_snapshot_backup_exfiltration.yml -------------------------------------------------------------------------------- /SigmaHQ AWS/aws_sts_assumerole_misuse.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/SigmaHQ AWS/aws_sts_assumerole_misuse.yml -------------------------------------------------------------------------------- /SigmaHQ AWS/aws_sts_getsessiontoken_misuse.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/SigmaHQ AWS/aws_sts_getsessiontoken_misuse.yml -------------------------------------------------------------------------------- /SigmaHQ AWS/aws_susp_saml_activity.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/SigmaHQ AWS/aws_susp_saml_activity.yml -------------------------------------------------------------------------------- /SigmaHQ AWS/aws_update_login_profile.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/SigmaHQ AWS/aws_update_login_profile.yml -------------------------------------------------------------------------------- /SigmaHQ AWS/unsupported/aws_ec2_download_userdata.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/SigmaHQ AWS/unsupported/aws_ec2_download_userdata.yml -------------------------------------------------------------------------------- /SigmaHQ AWS/unsupported/aws_enum_backup.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/SigmaHQ AWS/unsupported/aws_enum_backup.yml -------------------------------------------------------------------------------- /SigmaHQ AWS/unsupported/aws_enum_listing.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/SigmaHQ AWS/unsupported/aws_enum_listing.yml -------------------------------------------------------------------------------- /SigmaHQ AWS/unsupported/aws_enum_network.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/SigmaHQ AWS/unsupported/aws_enum_network.yml -------------------------------------------------------------------------------- /SigmaHQ AWS/unsupported/aws_enum_storage.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/SigmaHQ AWS/unsupported/aws_enum_storage.yml -------------------------------------------------------------------------------- /SigmaHQ AWS/unsupported/aws_lambda_function_created_or_invoked.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/SigmaHQ AWS/unsupported/aws_lambda_function_created_or_invoked.yml -------------------------------------------------------------------------------- /SigmaHQ AWS/unsupported/aws_macic_evasion.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/SigmaHQ AWS/unsupported/aws_macic_evasion.yml -------------------------------------------------------------------------------- /SigmaHQ AWS/unsupported/aws_ses_messaging_enabled.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/SigmaHQ AWS/unsupported/aws_ses_messaging_enabled.yml -------------------------------------------------------------------------------- /Splunk queries/aws_attached_malicious_lambda_layer.spl: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/Splunk queries/aws_attached_malicious_lambda_layer.spl -------------------------------------------------------------------------------- /Splunk queries/aws_cloudtrail_disable_logging.spl: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/Splunk queries/aws_cloudtrail_disable_logging.spl -------------------------------------------------------------------------------- /Splunk queries/aws_config_disable_recording.spl: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/Splunk queries/aws_config_disable_recording.spl -------------------------------------------------------------------------------- /Splunk queries/aws_delete_identity.spl: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/Splunk queries/aws_delete_identity.spl -------------------------------------------------------------------------------- /Splunk queries/aws_ec2_disable_encryption.spl: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/Splunk queries/aws_ec2_disable_encryption.spl -------------------------------------------------------------------------------- /Splunk queries/aws_ec2_startup_script_change.spl: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/Splunk queries/aws_ec2_startup_script_change.spl -------------------------------------------------------------------------------- /Splunk queries/aws_ec2_vm_export_failure.spl: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/Splunk queries/aws_ec2_vm_export_failure.spl -------------------------------------------------------------------------------- /Splunk queries/aws_ecs_task_definition_cred_endpoint_query.spl: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/Splunk queries/aws_ecs_task_definition_cred_endpoint_query.spl -------------------------------------------------------------------------------- /Splunk queries/aws_efs_fileshare_modified_or_deleted.spl: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/Splunk queries/aws_efs_fileshare_modified_or_deleted.spl -------------------------------------------------------------------------------- /Splunk queries/aws_efs_fileshare_mount_modified_or_deleted.spl: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/Splunk queries/aws_efs_fileshare_mount_modified_or_deleted.spl -------------------------------------------------------------------------------- /Splunk queries/aws_eks_cluster_created_or_deleted.spl: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/Splunk queries/aws_eks_cluster_created_or_deleted.spl -------------------------------------------------------------------------------- /Splunk queries/aws_elasticache_security_group_created.spl: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/Splunk queries/aws_elasticache_security_group_created.spl -------------------------------------------------------------------------------- /Splunk queries/aws_elasticache_security_group_modified_or_deleted.spl: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/Splunk queries/aws_elasticache_security_group_modified_or_deleted.spl -------------------------------------------------------------------------------- /Splunk queries/aws_enum_buckets.spl: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/Splunk queries/aws_enum_buckets.spl -------------------------------------------------------------------------------- /Splunk queries/aws_guardduty_disruption.spl: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/Splunk queries/aws_guardduty_disruption.spl -------------------------------------------------------------------------------- /Splunk queries/aws_iam_backdoor_users_keys.spl: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/Splunk queries/aws_iam_backdoor_users_keys.spl -------------------------------------------------------------------------------- /Splunk queries/aws_passed_role_to_glue_development_endpoint.spl: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/Splunk queries/aws_passed_role_to_glue_development_endpoint.spl -------------------------------------------------------------------------------- /Splunk queries/aws_rds_change_master_password.spl: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/Splunk queries/aws_rds_change_master_password.spl -------------------------------------------------------------------------------- /Splunk queries/aws_rds_public_db_restore.spl: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/Splunk queries/aws_rds_public_db_restore.spl -------------------------------------------------------------------------------- /Splunk queries/aws_root_account_usage.spl: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/Splunk queries/aws_root_account_usage.spl -------------------------------------------------------------------------------- /Splunk queries/aws_route_53_domain_transferred_lock_disabled.spl: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/Splunk queries/aws_route_53_domain_transferred_lock_disabled.spl -------------------------------------------------------------------------------- /Splunk queries/aws_route_53_domain_transferred_to_another_account.spl: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/Splunk queries/aws_route_53_domain_transferred_to_another_account.spl -------------------------------------------------------------------------------- /Splunk queries/aws_s3_data_management_tampering.spl: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/Splunk queries/aws_s3_data_management_tampering.spl -------------------------------------------------------------------------------- /Splunk queries/aws_securityhub_finding_evasion.spl: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/Splunk queries/aws_securityhub_finding_evasion.spl -------------------------------------------------------------------------------- /Splunk queries/aws_snapshot_backup_exfiltration.spl: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/Splunk queries/aws_snapshot_backup_exfiltration.spl -------------------------------------------------------------------------------- /Splunk queries/aws_sts_assumerole_misuse.spl: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/Splunk queries/aws_sts_assumerole_misuse.spl -------------------------------------------------------------------------------- /Splunk queries/aws_sts_getsessiontoken_misuse.spl: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/Splunk queries/aws_sts_getsessiontoken_misuse.spl -------------------------------------------------------------------------------- /Splunk queries/aws_susp_saml_activity.spl: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/Splunk queries/aws_susp_saml_activity.spl -------------------------------------------------------------------------------- /Splunk queries/aws_update_login_profile.spl: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/Splunk queries/aws_update_login_profile.spl -------------------------------------------------------------------------------- /translator/FixSigmaToAthena.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/invictus-ir/Sigma-AWS/HEAD/translator/FixSigmaToAthena.py --------------------------------------------------------------------------------