
Add detection rule for importing KMS key material, usable for AWS ran… #5193

Status: Open. Wants to merge 1 commit into base branch master.
Conversation

@toopricey toopricey commented Feb 12, 2025

Summary of the Pull Request

This detection rule aims to detect AWS ransomware via imported key material, see https://www.chrisfarris.com/post/effective-aws-ransomware/. This is an AWS KMS feature that very few organizations will use, so this rule should be very high signal.

Changelog

new: AWS KMS Key Material Importing rule created

Example Log Event

Fixed Issues

SigmaHQ Rule Creation Conventions

  • If your PR adds new rules, please consider following and applying these conventions
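The rule this PR describes fires on AWS KMS key-material import, which CloudTrail records as an `ImportKeyMaterial` call from `kms.amazonaws.com`. Below is an added example written for this review, not the PR's rule file (which is not shown on this page) and not SigmaHQ code: a small Python checker that applies that logic to constructed CloudTrail-style records, so a reviewer can see what the rule's match condition corresponds to in practice. It assumes the standard CloudTrail fields `eventSource`, `eventName`, `errorCode`, `userIdentity.arn` and `requestParameters.keyId`. Matching the `GetParametersForImport` precursor call, and reporting denied attempts as `succeeded: False` rather than dropping them, are my additions; the PR text does not state whether its rule does either. All account ids, key ids and IP addresses in the sample are placeholders.

```python
import json
from typing import Iterable, Iterator

# Constructed CloudTrail-style records for illustration only; not real log data.
# Account id, key ids, ARNs and IPs are placeholders.
SAMPLE_LINES = [
    # Routine KMS use: must not fire.
    '{"eventVersion":"1.08","eventSource":"kms.amazonaws.com","eventName":"Decrypt",'
    '"userIdentity":{"arn":"arn:aws:iam::111122223333:role/app-role"},'
    '"awsRegion":"us-east-1","sourceIPAddress":"10.0.0.5"}',
    # Precursor: fetch the wrapping key and import token for an EXTERNAL-origin key.
    '{"eventVersion":"1.08","eventSource":"kms.amazonaws.com","eventName":"GetParametersForImport",'
    '"userIdentity":{"arn":"arn:aws:iam::111122223333:user/alice"},'
    '"awsRegion":"us-east-1","sourceIPAddress":"203.0.113.10",'
    '"requestParameters":{"keyId":"arn:aws:kms:us-east-1:111122223333:key/PLACEHOLDER-KEY-ID"}}',
    # The call the PR's rule is about.
    '{"eventVersion":"1.08","eventSource":"kms.amazonaws.com","eventName":"ImportKeyMaterial",'
    '"userIdentity":{"arn":"arn:aws:iam::111122223333:user/alice"},'
    '"awsRegion":"us-east-1","sourceIPAddress":"203.0.113.10",'
    '"requestParameters":{"keyId":"arn:aws:kms:us-east-1:111122223333:key/PLACEHOLDER-KEY-ID"}}',
    # Same call denied by IAM: CloudTrail adds errorCode. Still worth an alert.
    '{"eventVersion":"1.08","eventSource":"kms.amazonaws.com","eventName":"ImportKeyMaterial",'
    '"userIdentity":{"arn":"arn:aws:iam::111122223333:user/bob"},'
    '"awsRegion":"us-east-1","sourceIPAddress":"198.51.100.7","errorCode":"AccessDenied",'
    '"requestParameters":{"keyId":"arn:aws:kms:us-east-1:111122223333:key/PLACEHOLDER-KEY-ID"}}',
    # A delivered CloudTrail file wraps events in {"Records": [...]}; handle that shape too.
    '{"Records":[{"eventSource":"kms.amazonaws.com","eventName":"ImportKeyMaterial",'
    '"userIdentity":{"arn":"arn:aws:iam::111122223333:user/carol"},'
    '"awsRegion":"eu-west-1","sourceIPAddress":"198.51.100.9",'
    '"requestParameters":{"keyId":"arn:aws:kms:eu-west-1:111122223333:key/PLACEHOLDER-KEY-ID-2"}}]}',
    # Not JSON: skipped instead of crashing the pipeline.
    "garbage line",
]

KMS_SOURCE = "kms.amazonaws.com"
IMPORT_EVENT = "ImportKeyMaterial"
PRECURSOR_EVENT = "GetParametersForImport"


def iter_records(lines: Iterable[str]) -> Iterator[dict]:
    """Yield individual CloudTrail events from either one-event-per-line input
    or a CloudTrail log file object of the form {"Records": [...]}."""
    for line in lines:
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            continue
        if not isinstance(obj, dict):
            continue
        records = obj.get("Records")
        if isinstance(records, list):
            yield from (r for r in records if isinstance(r, dict))
        else:
            yield obj


def matches_kms_import(event: dict, include_precursor: bool = False) -> bool:
    """Equivalent of the rule's selection: KMS source plus the import call.
    include_precursor (my addition) also matches GetParametersForImport."""
    if event.get("eventSource") != KMS_SOURCE:
        return False
    wanted = {IMPORT_EVENT}
    if include_precursor:
        wanted.add(PRECURSOR_EVENT)
    return event.get("eventName") in wanted


def detect(lines: Iterable[str], include_precursor: bool = False) -> list:
    """Run the check over raw lines and return alert-ready summaries."""
    hits = []
    for ev in iter_records(lines):
        if not matches_kms_import(ev, include_precursor):
            continue
        hits.append({
            "eventName": ev.get("eventName"),
            "actor": (ev.get("userIdentity") or {}).get("arn"),
            "keyId": (ev.get("requestParameters") or {}).get("keyId"),
            "region": ev.get("awsRegion"),
            "sourceIP": ev.get("sourceIPAddress"),
            # Failed attempts are kept and flagged rather than dropped.
            "succeeded": "errorCode" not in ev,
        })
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_LINES, include_precursor=True):
        print(hit)
```

Because legitimate use of imported key material is rare, as the PR notes, a hit is normally actionable on its own; keeping denied attempts visible (`succeeded: False`) surfaces permission probing, and the optional precursor match gives an earlier signal for the same sequence of API calls.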

@github-actions github-actions bot added the Rules label Feb 12, 2025
Contributor

@github-actions github-actions bot left a comment


Welcome @toopricey 👋

It looks like this is your first pull request on the Sigma rules repository!

Please make sure to read the SigmaHQ conventions document to make sure your contribution is adhering to best practices and has all the necessary elements in place for a successful approval.

Thanks again, and welcome to the Sigma community! 😃

@nasbench
Member

Hey @toopricey, thanks for this PR. Could you perhaps provide a log example so that we could easily review your submission?

@nasbench nasbench added the Author Input Required changes the require information from original author of the rules label Feb 17, 2025