Sigma rules for route
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.
title: New Network Route Added
id: c803b2ce-c4a2-4836-beae-b112010390b1
status: test
description: |
    Detects the addition of a new network route to a route table in AWS.
references:
    - https://www.gorillastack.com/blog/real-time-events/important-aws-cloudtrail-security-events-tracking/
author: jamesc-grafana
date: 2024-07-11
tags:
    - attack.defense-impairment
    - attack.t1686.001
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        eventSource: 'ec2.amazonaws.com'
        eventName: 'CreateRoute'
    condition: selection
falsepositives:
    - New VPC creation requiring setup of a new route table
    - New subnets added requiring routing setup
level: medium

title: Azure Virtual Network Device Modified or Deleted
id: 15ef3fac-f0f0-4dc4-ada0-660aa72980b3
status: test
description: |
    Identifies when a virtual network device is being modified or deleted.
    This can be a network interface, network virtual appliance, virtual hub, or virtual router.
references:
    - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
author: Austin Songer @austinsonger
date: 2021-08-08
modified: 2022-08-23
tags:
    - attack.impact
logsource:
    product: azure
    service: activitylogs
detection:
    selection:
        operationName:
            - MICROSOFT.NETWORK/NETWORKINTERFACES/TAPCONFIGURATIONS/WRITE
            - MICROSOFT.NETWORK/NETWORKINTERFACES/TAPCONFIGURATIONS/DELETE
            - MICROSOFT.NETWORK/NETWORKINTERFACES/WRITE
            - MICROSOFT.NETWORK/NETWORKINTERFACES/JOIN/ACTION
            - MICROSOFT.NETWORK/NETWORKINTERFACES/DELETE
            - MICROSOFT.NETWORK/NETWORKVIRTUALAPPLIANCES/DELETE
            - MICROSOFT.NETWORK/NETWORKVIRTUALAPPLIANCES/WRITE
            - MICROSOFT.NETWORK/VIRTUALHUBS/DELETE
            - MICROSOFT.NETWORK/VIRTUALHUBS/WRITE
            - MICROSOFT.NETWORK/VIRTUALROUTERS/WRITE
            - MICROSOFT.NETWORK/VIRTUALROUTERS/DELETE
    condition: selection
falsepositives:
    - A virtual network device being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
    - A virtual network device modified or deleted by unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: medium

title: Bpfdoor TCP Ports Redirect
id: 70b4156e-50fc-4523-aa50-c9dddf1993fc
status: test
description: |
    All TCP traffic on a particular port from the attacker is routed to a different port, e.g. '/sbin/iptables -t nat -D PREROUTING -p tcp -s 192.168.1.1 --dport 22 -j REDIRECT --to-ports 42392'.
    The traffic looks like encrypted SSH communications going to TCP port 22, but in reality it is being directed to the shell port once it hits the iptables rule, for the attacker host only.
references:
    - https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/
    - https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor
author: Rafal Piasecki
date: 2022-08-10
tags:
    - attack.defense-impairment
    - attack.t1686
logsource:
    product: linux
    service: auditd
detection:
    cmd:
        type: 'EXECVE'
        a0|endswith: 'iptables'
        a1: '-t'
        a2: 'nat'
    keywords:
        - '--to-ports 42'
        - '--to-ports 43'
    condition: cmd and keywords
falsepositives:
    - Legitimate port redirects
level: medium

title: ISATAP Router Address Was Set
id: d22df9cd-2aee-4089-93c7-9dc4eae77f2c
status: experimental
description: |
    Detects the configuration of a new ISATAP router on a Windows host. While ISATAP is a legitimate Microsoft technology for IPv6 transition, unexpected or unauthorized ISATAP router configurations could indicate a potential IPv6 DNS takeover attack using tools like mitm6.
    In such attacks, adversaries advertise themselves as DHCPv6 servers and set malicious ISATAP routers to intercept traffic.
    This detection should be correlated with network baselines and known legitimate ISATAP deployments in your environment.
references:
    - https://www.blackhillsinfosec.com/mitm6-strikes-again-the-dark-side-of-ipv6/
    - https://redfoxsec.com/blog/ipv6-dns-takeover/
    - https://www.securityhq.com/blog/malicious-isatap-tunneling-unearthed-on-windows-server/
    - https://medium.com/@ninnesoturan/detecting-ipv6-dns-takeover-a54a6a88be1f
author: hamid
date: 2025-10-19
tags:
    - attack.impact
    - attack.credential-access
    - attack.collection
    - attack.initial-access
    - attack.privilege-escalation
    - attack.execution
    - attack.t1557
    - attack.t1565.002
logsource:
    product: windows
    service: system
detection:
    selection:
        EventID: 4100
        Provider_Name: 'Microsoft-Windows-Iphlpsvc'
    filter_main_localhost:
        IsatapRouter:
            - '127.0.0.1'
            - '::1'
    filter_optional_null:
        IsatapRouter: null
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Legitimate ISATAP router configuration in enterprise environments
    - IPv6 transition projects and network infrastructure changes
    - Network administrators configuring dual-stack networking
    - Automatic ISATAP configuration in some Windows deployments
level: medium

title: AWS Route 53 Domain Transfer Lock Disabled
id: 3940b5f1-3f46-44aa-b746-ebe615b879e0
status: test
description: Detects when a transfer lock was removed from a Route 53 domain. It is recommended to refrain from performing this action unless intending to transfer the domain to a different registrar.
references:
    - https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml
    - https://docs.aws.amazon.com/Route53/latest/APIReference/API_Operations_Amazon_Route_53.html
    - https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_DisableDomainTransferLock.html
author: Elastic, Austin Songer @austinsonger
date: 2021-07-22
modified: 2022-10-09
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.credential-access
    - attack.t1098
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        eventSource: route53.amazonaws.com
        eventName: DisableDomainTransferLock
    condition: selection
falsepositives:
    - A domain transfer lock may be disabled by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Activity from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: low

title: New Network ACL Entry Added
id: e1f7febb-7b94-4234-b5c6-00fb8500f5dd
status: test
description: |
    Detects that network ACL entries have been added to a route table, which could indicate that new attack vectors have been opened up in the AWS account.
references:
    - https://www.gorillastack.com/blog/real-time-events/important-aws-cloudtrail-security-events-tracking/
author: jamesc-grafana
date: 2024-07-11
tags:
    - attack.defense-impairment
    - attack.t1686.001
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        eventSource: 'ec2.amazonaws.com'
        eventName: 'CreateNetworkAclEntry'
    condition: selection
falsepositives:
    - Legitimate use of ACLs to enable customer and staff access from the public internet into a public VPC
level: low

title: AWS Route 53 Domain Transferred to Another Account
id: b056de1a-6e6e-4e40-a67e-97c9808cf41b
status: test
description: Detects when a request has been made to transfer a Route 53 domain to another AWS account.
references:
    - https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml
author: Elastic, Austin Songer @austinsonger
date: 2021-07-22
modified: 2022-10-09
tags:
    - attack.persistence
    - attack.credential-access
    - attack.privilege-escalation
    - attack.t1098
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        eventSource: route53.amazonaws.com
        eventName: TransferDomainToAnotherAwsAccount
    condition: selection
falsepositives:
    - A domain may be transferred to another AWS account by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Domain transfers from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: low