Sigma rules for CVE-2019-19781
201 rules · scoped to cve · back to CVE-2019-19781
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.
title: Possible DCSync Attack
id: 56fda488-113e-4ce9-8076-afc2457922c3
status: test
description: Detects remote RPC calls to MS-DRSR from non DC hosts, which could indicate DCSync / DCShadow attacks.
references:
- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-drsr/f977faaa-673e-4f66-b9bf-48c640241d47?redirectedfrom=MSDN
- https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-DRSR.md
- https://github.com/zeronetworks/rpcfirewall
- https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/
author: Sagie Dulce, Dekel Paz
date: 2022-01-01
tags:
- attack.t1033
- attack.discovery
logsource:
product: rpc_firewall
category: application
definition: 'Requirements: install and apply the RPC Firewall to all processes, enable DRSR UUID (e3514235-4b06-11d1-ab04-00c04fc2dcd2) for "dangerous" opcodes (not 0,1 or 12) only from trusted IPs (DCs)'
detection:
selection:
EventLog: RPCFW
EventID: 3
InterfaceUuid: e3514235-4b06-11d1-ab04-00c04fc2dcd2
filter:
OpNum:
- 0
- 1
- 12
condition: selection and not filter
falsepositives:
- Unknown
level: high
title: Remote Server Service Abuse for Lateral Movement
id: 10018e73-06ec-46ec-8107-9172f1e04ff2
status: test
description: Detects remote RPC calls to possibly abuse remote encryption service via MS-EFSR
references:
- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9
- https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SCMR.md
- https://github.com/zeronetworks/rpcfirewall
- https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/
author: Sagie Dulce, Dekel Paz
date: 2022-01-01
tags:
- attack.lateral-movement
- attack.execution
- attack.t1569.002
logsource:
product: rpc_firewall
category: application
definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:367abb81-9844-35f1-ad32-98f038001003'
detection:
selection:
EventLog: RPCFW
EventID: 3
InterfaceUuid: 367abb81-9844-35f1-ad32-98f038001003
condition: selection
falsepositives:
- Administrative tasks on remote services
level: high
title: SharpHound Recon Account Discovery
id: 65f77b1e-8e79-45bf-bb67-5988a8ce45a5
status: test
description: Detects remote RPC calls useb by SharpHound to map remote connections and local group membership.
references:
- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-wkst/55118c55-2122-4ef9-8664-0c1ff9e168f3
- https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-WKST.md
- https://github.com/zeronetworks/rpcfirewall
- https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/
author: Sagie Dulce, Dekel Paz
date: 2022-01-01
tags:
- attack.t1087
- attack.discovery
logsource:
product: rpc_firewall
category: application
definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:6bffd098-a112-3610-9833-46c3f87e345a opnum:2'
detection:
selection:
EventLog: RPCFW
EventID: 3
InterfaceUuid: 6bffd098-a112-3610-9833-46c3f87e345a
OpNum: 2
condition: selection
falsepositives:
- Unknown
level: high
title: Remote Registry Lateral Movement
id: 35c55673-84ca-4e99-8d09-e334f3c29539
status: test
description: Detects remote RPC calls to modify the registry and possible execute code
references:
- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78
- https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RRP.md
- https://github.com/zeronetworks/rpcfirewall
- https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/
author: Sagie Dulce, Dekel Paz
date: 2022-01-01
tags:
- attack.lateral-movement
- attack.defense-impairment
- attack.t1112
- attack.persistence
logsource:
product: rpc_firewall
category: application
definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:338cd001-2244-31f1-aaaa-900038001003"'
detection:
selection:
EventLog: RPCFW
EventID: 3
InterfaceUuid: 338cd001-2244-31f1-aaaa-900038001003
OpNum:
- 6
- 7
- 8
- 13
- 18
- 19
- 21
- 22
- 23
- 35
condition: selection
falsepositives:
- Remote administration of registry values
level: high
title: Remote Schedule Task Lateral Movement via ITaskSchedulerService
id: ace3ff54-e7fd-46bd-8ea0-74b49a0aca1d
status: test
description: Detects remote RPC calls to create or execute a scheduled task
references:
- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931
- https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md
- https://github.com/zeronetworks/rpcfirewall
- https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/
author: Sagie Dulce, Dekel Paz
date: 2022-01-01
tags:
- attack.privilege-escalation
- attack.persistence
- attack.execution
- attack.lateral-movement
- attack.t1053
- attack.t1053.002
logsource:
product: rpc_firewall
category: application
definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:86d35949-83c9-4044-b424-db363231fd0c"'
detection:
selection:
EventLog: RPCFW
EventID: 3
InterfaceUuid: 86d35949-83c9-4044-b424-db363231fd0c
OpNum:
- 1
- 3
- 4
- 10
- 11
- 12
- 13
- 14
- 15
condition: selection
falsepositives:
- Unknown
level: high
title: Remote DCOM/WMI Lateral Movement
id: 68050b10-e477-4377-a99b-3721b422d6ef
status: test
description: Detects remote RPC calls that performs remote DCOM operations. These could be abused for lateral movement via DCOM or WMI.
references:
- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9
- https://github.com/zeronetworks/rpcfirewall
- https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/
author: Sagie Dulce, Dekel Paz
date: 2022-01-01
tags:
- attack.lateral-movement
- attack.execution
- attack.t1021.003
- attack.t1047
logsource:
product: rpc_firewall
category: application
definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:367abb81-9844-35f1-ad32-98f038001003'
detection:
selection:
EventLog: RPCFW
EventID: 3
InterfaceUuid:
- 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57
- 99fcfec4-5260-101b-bbcb-00aa0021347a
- 000001a0-0000-0000-c000-000000000046
- 00000131-0000-0000-c000-000000000046
- 00000143-0000-0000-c000-000000000046
- 00000000-0000-0000-c000-000000000046
condition: selection
falsepositives:
- Some administrative tasks on remote host
level: high
title: Potential RCE Exploitation Attempt In NodeJS
id: 97661d9d-2beb-4630-b423-68985291a8af
status: test
description: Detects process execution related errors in NodeJS. If the exceptions are caused due to user input then they may suggest an RCE vulnerability.
references:
- https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs
author: Moti Harmats
date: 2023-02-11
tags:
- attack.initial-access
- attack.t1190
logsource:
category: application
product: nodejs
definition: 'Requirements: application error logs must be collected (with LOG_LEVEL=ERROR and above)'
detection:
keywords:
- 'node:child_process'
condition: keywords
falsepositives:
- Puppeteer invocation exceptions often contain child_process related errors, that doesn't necessarily mean that the app is vulnerable.
level: high
title: Github High Risk Configuration Disabled
id: 8622c92d-c00e-463c-b09d-fd06166f6794
status: test
description: Detects when a user disables a critical security feature for an organization.
references:
- https://docs.github.com/en/organizations/managing-oauth-access-to-your-organizations-data/disabling-oauth-app-access-restrictions-for-your-organization
- https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#dependabot_alerts-category-actions
- https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository
- https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise
author: Muhammad Faisal (@faisalusuf)
date: 2023-01-29
modified: 2024-07-22
tags:
- attack.credential-access
- attack.persistence
- attack.defense-impairment
- attack.t1556
logsource:
product: github
service: audit
definition: 'Requirements: The audit log streaming feature must be enabled to be able to receive such logs. You can enable following the documentation here: https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-audit-log-streaming'
detection:
selection:
action:
- 'business_advanced_security.disabled_for_new_repos'
- 'business_advanced_security.disabled_for_new_user_namespace_repos'
- 'business_advanced_security.disabled'
- 'business_advanced_security.user_namespace_repos_disabled'
- 'org.advanced_security_disabled_for_new_repos'
- 'org.advanced_security_disabled_on_all_repos'
- 'org.advanced_security_policy_selected_member_disabled'
- 'org.disable_oauth_app_restrictions'
- 'org.disable_two_factor_requirement'
- 'repo.advanced_security_disabled'
condition: selection
falsepositives:
- Approved administrator/owner activities.
level: high
title: Outdated Dependency Or Vulnerability Alert Disabled
id: 34e1c7d4-0cd5-419d-9f1b-1dad3f61018d
status: test
description: |
Dependabot performs a scan to detect insecure dependencies, and sends Dependabot alerts.
This rule detects when an organization owner disables Dependabot alerts private repositories or Dependabot security updates for all repositories.
author: Muhammad Faisal (@faisalusuf)
date: 2023-01-27
references:
- https://docs.github.com/en/code-security/dependabot/dependabot-alerts/about-dependabot-alerts
- https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization
tags:
- attack.initial-access
- attack.t1195.001
logsource:
product: github
service: audit
definition: 'Requirements: The audit log streaming feature must be enabled to be able to receive such logs. You can enable following the documentation here: https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-audit-log-streaming'
detection:
selection:
action:
- 'dependabot_alerts_new_repos.disable'
- 'dependabot_alerts.disable'
- 'dependabot_security_updates_new_repos.disable'
- 'dependabot_security_updates.disable'
- 'repository_vulnerability_alerts.disable'
condition: selection
falsepositives:
- Approved changes by the Organization owner. Please validate the 'actor' if authorized to make the changes.
level: high
title: Potential SpEL Injection In Spring Framework
id: e9edd087-89d8-48c9-b0b4-5b9bb10896b8
status: test
description: Detects potential SpEL Injection exploitation, which may lead to RCE.
references:
- https://owasp.org/www-community/vulnerabilities/Expression_Language_Injection
- https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs
author: Moti Harmats
date: 2023-02-11
tags:
- attack.initial-access
- attack.t1190
logsource:
category: application
product: spring
definition: 'Requirements: application error logs must be collected (with LOG_LEVEL=ERROR and above)'
detection:
keywords:
- 'org.springframework.expression.ExpressionException'
condition: keywords
falsepositives:
- Application bugs
level: high
title: Suspicious Microsoft Office Child Process - MacOS
id: 69483748-1525-4a6c-95ca-90dc8d431b68
status: test
description: Detects suspicious child processes spawning from microsoft office suite applications such as word or excel. This could indicates malicious macro execution
references:
- https://redcanary.com/blog/applescript/
- https://objective-see.org/blog/blog_0x4B.html
author: Sohan G (D4rkCiph3r)
date: 2023-01-31
modified: 2023-02-04
tags:
- attack.execution
- attack.persistence
- attack.t1059.002
- attack.t1137.002
- attack.t1204.002
logsource:
product: macos
category: process_creation
detection:
selection:
ParentImage|contains:
- 'Microsoft Word'
- 'Microsoft Excel'
- 'Microsoft PowerPoint'
- 'Microsoft OneNote'
Image|endswith:
- '/bash'
- '/curl'
- '/dash'
- '/fish'
- '/osacompile'
- '/osascript'
- '/sh'
- '/zsh'
- '/python'
- '/python3'
- '/wget'
condition: selection
falsepositives:
- Unknown
level: high
title: Binary Padding - MacOS
id: 95361ce5-c891-4b0a-87ca-e24607884a96
status: test
description: Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This rule detect using dd and truncate to add a junk data to file.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027.001/T1027.001.md
- https://linux.die.net/man/1/truncate
- https://linux.die.net/man/1/dd
author: 'Igor Fits, Mikhail Larin, oscd.community'
date: 2020-10-19
modified: 2023-02-17
tags:
- attack.stealth
- attack.t1027.001
logsource:
product: macos
category: process_creation
detection:
selection_truncate:
Image|endswith: '/truncate'
CommandLine|contains: '-s +'
selection_dd:
Image|endswith: '/dd'
CommandLine|contains:
- 'if=/dev/zero' # if input is not /dev/zero, then there is no null padding
- 'if=/dev/random' # high-quality random data
- 'if=/dev/urandom' # low-quality random data
condition: 1 of selection_*
falsepositives:
- Legitimate script work
level: high
title: JXA In-memory Execution Via OSAScript
id: f1408a58-0e94-4165-b80a-da9f96cf6fc3
related:
- id: 1bc2e6c5-0885-472b-bed6-be5ea8eace55
type: derived
status: test
description: Detects possible malicious execution of JXA in-memory via OSAScript
references:
- https://redcanary.com/blog/applescript/
author: Sohan G (D4rkCiph3r)
date: 2023-01-31
tags:
- attack.t1059.002
- attack.t1059.007
- attack.execution
logsource:
product: macos
category: process_creation
detection:
selection_main:
CommandLine|contains|all:
- 'osascript'
- ' -e '
- 'eval'
- 'NSData.dataWithContentsOfURL'
selection_js:
- CommandLine|contains|all:
- ' -l '
- 'JavaScript'
- CommandLine|contains: '.js'
condition: all of selection_*
falsepositives:
- Unknown
level: high
title: Credentials In Files
id: 53b1b378-9b06-4992-b972-dde6e423d2b4
status: test
description: Detecting attempts to extract passwords with grep and laZagne
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md
author: 'Igor Fits, Mikhail Larin, oscd.community'
date: 2020-10-19
modified: 2021-11-27
tags:
- attack.credential-access
- attack.t1552.001
logsource:
product: macos
category: process_creation
detection:
selection1:
Image|endswith: '/grep'
CommandLine|contains: 'password'
selection2:
CommandLine|contains: 'laZagne'
condition: 1 of selection*
falsepositives:
- Unknown
level: high
title: Clipboard Data Collection Via OSAScript
id: 7794fa3c-edea-4cff-bec7-267dd4770fd7
related:
- id: 1bc2e6c5-0885-472b-bed6-be5ea8eace55
type: derived
status: test
description: Detects possible collection of data from the clipboard via execution of the osascript binary
references:
- https://www.sentinelone.com/blog/how-offensive-actors-use-applescript-for-attacking-macos/
author: Sohan G (D4rkCiph3r)
date: 2023-01-31
tags:
- attack.collection
- attack.execution
- attack.t1115
- attack.t1059.002
logsource:
product: macos
category: process_creation
detection:
selection:
CommandLine|contains|all:
- 'osascript'
- ' -e '
- 'clipboard'
condition: selection
falsepositives:
- Unlikely
level: high
title: Potential Base64 Decoded From Images
id: 09a910bf-f71f-4737-9c40-88880ba5913d
status: test
description: |
Detects the use of tail to extract bytes at an offset from an image and then decode the base64 value to create a new file with the decoded content. The detected execution is a bash one-liner.
references:
- https://www.virustotal.com/gui/file/16bafdf741e7a13137c489f3c8db1334f171c7cb13b62617d691b0a64783cc48/behavior
- https://www.virustotal.com/gui/file/483fafc64a2b84197e1ef6a3f51e443f84dc5742602e08b9e8ec6ad690b34ed0/behavior
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2023-12-20
tags:
- attack.stealth
- attack.t1140
logsource:
product: macos
category: process_creation
detection:
# Example: /bin/bash sh -c tail -c +21453 '/Volumes/Installer/Installer.app/Contents/Resources/workout-logo.jpeg' | base64 --decode > /tmp/54A0A2CD-FAD1-4D4D-AAF5-5266F6344ABE.zip
# VT Query: 'behavior_processes:"tail" (behavior_processes:"jpeg" or behavior_processes:"jpg" or behavior_processes:"png" or behavior_processes:"gif") behavior_processes:"base64" behavior_processes:"--decode >" and tag:dmg'
selection_image:
Image|endswith: '/bash'
selection_view:
CommandLine|contains|all:
- 'tail'
- '-c'
selection_b64:
CommandLine|contains|all:
- 'base64'
- '-d' # Also covers "--decode"
- '>'
selection_files:
CommandLine|contains:
- '.avif'
- '.gif'
- '.jfif'
- '.jpeg'
- '.jpg'
- '.pjp'
- '.pjpeg'
- '.png'
- '.svg'
- '.webp'
condition: all of selection_*
falsepositives:
- Unknown
level: high
title: AWS IAM S3Browser User or AccessKey Creation
id: db014773-d9d9-4792-91e5-133337c0ffee
status: test
description: Detects S3 Browser utility creating IAM User or AccessKey.
references:
- https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor
author: daniel.bohannon@permiso.io (@danielhbohannon)
date: 2023-05-17
tags:
- attack.privilege-escalation
- attack.execution
- attack.persistence
- attack.initial-access
- attack.stealth
- attack.t1059.009
- attack.t1078.004
logsource:
product: aws
service: cloudtrail
detection:
selection:
eventSource: 'iam.amazonaws.com'
eventName:
- 'CreateUser'
- 'CreateAccessKey'
userAgent|contains: 'S3 Browser'
condition: selection
falsepositives:
- Valid usage of S3 Browser for IAM User and/or AccessKey creation
level: high
title: AWS Identity Center Identity Provider Change
id: d3adb3ef-b7e7-4003-9092-1924c797db35
status: test
description: |
Detects a change in the AWS Identity Center (FKA AWS SSO) identity provider.
A change in identity provider allows an attacker to establish persistent access or escalate privileges via user impersonation.
references:
- https://docs.aws.amazon.com/singlesignon/latest/userguide/app-enablement.html
- https://docs.aws.amazon.com/singlesignon/latest/userguide/sso-info-in-cloudtrail.html
- https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiamidentitycentersuccessortoawssinglesign-on.html
author: Michael McIntyre @wtfender
date: 2023-09-27
tags:
- attack.persistence
- attack.credential-access
- attack.defense-impairment
- attack.t1556
logsource:
product: aws
service: cloudtrail
detection:
selection:
eventSource:
- 'sso-directory.amazonaws.com'
- 'sso.amazonaws.com'
eventName:
- 'AssociateDirectory'
- 'DisableExternalIdPConfigurationForDirectory'
- 'DisassociateDirectory'
- 'EnableExternalIdPConfigurationForDirectory'
condition: selection
falsepositives:
- Authorized changes to the AWS account's identity provider
level: high
title: AWS EC2 Startup Shell Script Change
id: 1ab3c5ed-5baf-417b-bb6b-78ca33f6c3df
status: test
description: Detects changes to the EC2 instance startup script. The shell script will be executed as root/SYSTEM every time the specific instances are booted up.
references:
- https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/ec2__startup_shell_script/main.py#L9
author: faloker
date: 2020-02-12
modified: 2022-06-07
tags:
- attack.execution
- attack.t1059.001
- attack.t1059.003
- attack.t1059.004
logsource:
product: aws
service: cloudtrail
detection:
selection_source:
eventSource: ec2.amazonaws.com
requestParameters.attribute: 'userData'
eventName: ModifyInstanceAttribute
condition: selection_source
falsepositives:
- Valid changes to the startup script
level: high
title: Malicious Usage Of IMDS Credentials Outside Of AWS Infrastructure
id: 352a918a-34d8-4882-8470-44830c507aa3
status: test
description: |
Detects when an instance identity has taken an action that isn't inside SSM.
This can indicate that a compromised EC2 instance is being used as a pivot point.
references:
- https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-identity-roles.html
- https://ermetic.com/blog/aws/aws-ec2-imds-what-you-need-to-know/
- https://www.packetmischief.ca/2023/07/31/amazon-ec2-credential-exfiltration-how-it-happens-and-how-to-mitigate-it/#lifting-credentials-from-imds-this-is-why-we-cant-have-nice-things
author: jamesc-grafana
date: 2024-07-11
tags:
- attack.privilege-escalation
- attack.initial-access
- attack.persistence
- attack.stealth
- attack.t1078
- attack.t1078.002
logsource:
product: aws
service: cloudtrail
detection:
selection:
userIdentity.arn|re: '.+:assumed-role/aws:.+'
filter_main_generic:
- eventSource: 'ssm.amazonaws.com'
- eventName: 'RegisterManagedInstance'
- sourceIPAddress: 'AWS Internal'
condition: selection and not 1 of filter_main_*
falsepositives:
- A team has configured an EC2 instance to use instance profiles that grant the option for the EC2 instance to talk to other AWS Services
level: high
title: AWS User Login Profile Was Modified
id: 055fb148-60f8-462d-ad16-26926ce050f1
status: test
description: |
Detects activity when someone is changing passwords on behalf of other users.
An attacker with the "iam:UpdateLoginProfile" permission on other users can change the password used to login to the AWS console on any user that already has a login profile setup.
references:
- https://github.com/RhinoSecurityLabs/AWS-IAM-Privilege-Escalation
author: toffeebr33k
date: 2021-08-09
modified: 2024-04-26
tags:
- attack.persistence
- attack.privilege-escalation
- attack.t1098
logsource:
product: aws
service: cloudtrail
detection:
selection:
eventSource: 'iam.amazonaws.com'
eventName: 'UpdateLoginProfile'
filter_main_user_identity:
userIdentity.arn|fieldref: requestParameters.userName
condition: selection and not 1 of filter_main_*
falsepositives:
- Legitimate user account administration
level: high
title: AWS IAM S3Browser LoginProfile Creation
id: db014773-b1d3-46bd-ba26-133337c0ffee
status: test
description: Detects S3 Browser utility performing reconnaissance looking for existing IAM Users without a LoginProfile defined then (when found) creating a LoginProfile.
references:
- https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor
author: daniel.bohannon@permiso.io (@danielhbohannon)
date: 2023-05-17
tags:
- attack.execution
- attack.persistence
- attack.initial-access
- attack.privilege-escalation
- attack.stealth
- attack.t1059.009
- attack.t1078.004
logsource:
product: aws
service: cloudtrail
detection:
selection:
eventSource: 'iam.amazonaws.com'
eventName:
- 'GetLoginProfile'
- 'CreateLoginProfile'
userAgent|contains: 'S3 Browser'
condition: selection
falsepositives:
- Valid usage of S3 Browser for IAM LoginProfile listing and/or creation
level: high
title: Potential Malicious Usage of CloudTrail System Manager
id: 38e7f511-3f74-41d4-836e-f57dfa18eead
status: test
description: |
Detect when System Manager successfully executes commands against an instance.
references:
- https://github.com/elastic/detection-rules/blob/v8.6.0/rules/integrations/aws/initial_access_via_system_manager.toml
author: jamesc-grafana
date: 2024-07-11
modified: 2025-12-08
tags:
- attack.privilege-escalation
- attack.initial-access
- attack.t1566
- attack.t1566.002
logsource:
product: aws
service: cloudtrail
detection:
selection_event:
eventName: 'SendCommand'
eventSource: 'ssm.amazonaws.com'
selection_status_success:
errorCode: 'Success'
selection_status_null:
errorCode: null
condition: selection_event and 1 of selection_status_*
falsepositives:
- There are legitimate uses of SSM to send commands to EC2 instances
- Legitimate users may have to use SSM to perform actions against machines in the Cloud to update or maintain them
level: high
title: AWS IAM S3Browser Templated S3 Bucket Policy Creation
id: db014773-7375-4f4e-b83b-133337c0ffee
status: test
description: Detects S3 browser utility creating Inline IAM policy containing default S3 bucket name placeholder value of "<YOUR-BUCKET-NAME>".
references:
- https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor
author: daniel.bohannon@permiso.io (@danielhbohannon)
date: 2023-05-17
tags:
- attack.execution
- attack.stealth
- attack.t1059.009
- attack.persistence
- attack.initial-access
- attack.privilege-escalation
- attack.t1078.004
logsource:
product: aws
service: cloudtrail
detection:
selection:
eventSource: iam.amazonaws.com
eventName: PutUserPolicy
userAgent|contains: 'S3 Browser'
requestParameters|contains|all:
- '"arn:aws:s3:::<YOUR-BUCKET-NAME>/*"'
- '"s3:GetObject"'
- '"Allow"'
condition: selection
falsepositives:
- Valid usage of S3 browser with accidental creation of default Inline IAM policy without changing default S3 bucket name placeholder value
level: high
title: AWS KMS Imported Key Material Usage
id: 1279262f-1464-422f-ac0d-5b545320c526
status: experimental
description: |
Detects the import or deletion of key material in AWS KMS, which can be used as part of ransomware attacks. This activity is uncommon and provides a high certainty signal.
references:
- https://www.chrisfarris.com/post/effective-aws-ransomware/
- https://docs.aws.amazon.com/kms/latest/developerguide/ct-importkeymaterial.html
- https://docs.aws.amazon.com/kms/latest/developerguide/ct-deleteimportedkeymaterial.html
author: toopricey
date: 2025-10-18
tags:
- attack.impact
- attack.t1486
- attack.resource-development
- attack.t1608.003
logsource:
product: aws
service: cloudtrail
detection:
selection:
eventSource: 'kms.amazonaws.com'
eventName:
- 'ImportKeyMaterial'
- 'DeleteImportedKeyMaterial'
condition: selection
falsepositives:
- Legitimate use cases for imported key material are rare, but may include, Organizations with hybrid cloud architectures that import external key material for compliance requirements.
- Development or testing environments that simulate external key management scenarios. Even in these cases, such activity is typically infrequent and should not add significant noise.
level: high
title: Suspicious Inbox Forwarding Identity Protection
id: 27e4f1d6-ae72-4ea0-8a67-77a73a289c3d
status: test
description: Indicates suspicious rules such as an inbox rule that forwards a copy of all emails to an external address
references:
- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#suspicious-inbox-forwarding
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
date: 2023-09-03
tags:
- attack.t1114.003
- attack.collection
logsource:
product: azure
service: riskdetection
detection:
selection:
riskEventType: 'suspiciousInboxForwarding'
condition: selection
falsepositives:
- A legitimate forwarding rule.
level: high
title: Anomalous Token
id: 6555754e-5e7f-4a67-ad1c-4041c413a007
status: test
description: Indicates that there are abnormal characteristics in the token such as an unusual token lifetime or a token that is played from an unfamiliar location.
references:
- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#anomalous-token
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
author: Mark Morowczynski '@markmorow'
date: 2023-08-07
tags:
- attack.t1528
- attack.credential-access
logsource:
product: azure
service: riskdetection
detection:
selection:
riskEventType: 'anomalousToken'
condition: selection
falsepositives:
- We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user.
level: high
title: Password Spray Activity
id: 28ecba0a-c743-4690-ad29-9a8f6f25a6f9
status: test
description: Indicates that a password spray attack has been successfully performed.
references:
- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#password-spray
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
date: 2023-09-03
tags:
- attack.t1110
- attack.credential-access
logsource:
product: azure
service: riskdetection
detection:
selection:
riskEventType: 'passwordSpray'
condition: selection
falsepositives:
- We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user.
level: high
title: Azure AD Account Credential Leaked
id: 19128e5e-4743-48dc-bd97-52e5775af817
status: test
description: Indicates that the user's valid credentials have been leaked.
references:
- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#leaked-credentials
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
date: 2023-09-03
tags:
- attack.t1589
- attack.reconnaissance
logsource:
product: azure
service: riskdetection
detection:
selection:
riskEventType: 'leakedCredentials'
condition: selection
falsepositives:
- A rare hash collision.
level: high
title: Activity From Anonymous IP Address
id: be4d9c86-d702-4030-b52e-c7859110e5e8
status: test
description: Identifies that users were active from an IP address that has been identified as an anonymous proxy IP address.
references:
- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#activity-from-anonymous-ip-address
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
date: 2023-09-03
tags:
- attack.stealth
- attack.t1078
- attack.persistence
- attack.privilege-escalation
- attack.initial-access
logsource:
product: azure
service: riskdetection
detection:
selection:
riskEventType: 'riskyIPAddress'
condition: selection
falsepositives:
- We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user.
level: high
title: Suspicious Browser Activity
id: 944f6adb-7a99-4c69-80c1-b712579e93e6
status: test
description: Indicates anomalous behavior based on suspicious sign-in activity across multiple tenants from different countries in the same browser
references:
- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#suspicious-browser
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
date: 2023-09-03
tags:
- attack.stealth
- attack.t1078
- attack.persistence
- attack.privilege-escalation
- attack.initial-access
logsource:
product: azure
service: riskdetection
detection:
selection:
riskEventType: 'suspiciousBrowser'
condition: selection
falsepositives:
- We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user.
level: high
title: Primary Refresh Token Access Attempt
id: a84fc3b1-c9ce-4125-8e74-bdcdb24021f1
status: test
description: Indicates access attempt to the PRT resource which can be used to move laterally into an organization or perform credential theft
references:
- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#possible-attempt-to-access-primary-refresh-token-prt
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
date: 2023-09-07
tags:
- attack.t1528
- attack.credential-access
logsource:
product: azure
service: riskdetection
detection:
selection:
riskEventType: 'attemptedPrtAccess'
condition: selection
falsepositives:
- This detection is low-volume and is seen infrequently in most organizations. When this detection appears it's high risk, and users should be remediated.
level: high
title: New Country
id: adf9f4d2-559e-4f5c-95be-c28dff0b1476
status: test
description: Detects sign-ins from new countries. The detection considers past activity locations to determine new and infrequent locations.
references:
- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#new-country
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
date: 2023-09-03
tags:
- attack.stealth
- attack.t1078
- attack.persistence
- attack.privilege-escalation
- attack.initial-access
logsource:
product: azure
service: riskdetection
detection:
selection:
riskEventType: 'newCountry'
condition: selection
falsepositives:
- We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user.
level: high
title: Malicious IP Address Sign-In Failure Rate
id: a3f55ebd-0c01-4ed6-adc0-8fb76d8cd3cd
status: test
description: Indicates sign-in from a malicious IP address based on high failure rates.
references:
- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#malicious-ip-address
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
date: 2023-09-07
tags:
- attack.t1090
- attack.command-and-control
logsource:
product: azure
service: riskdetection
detection:
selection:
riskEventType: 'maliciousIPAddress'
condition: selection
falsepositives:
- We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user.
level: high
title: SAML Token Issuer Anomaly
id: e3393cba-31f0-4207-831e-aef90ab17a8c
status: test
description: Indicates the SAML token issuer for the associated SAML token is potentially compromised. The claims included in the token are unusual or match known attacker patterns
references:
- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#token-issuer-anomaly
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
date: 2023-09-03
tags:
- attack.t1606
- attack.credential-access
logsource:
product: azure
service: riskdetection
detection:
selection:
riskEventType: 'tokenIssuerAnomaly'
condition: selection
falsepositives:
- We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user.
level: high
title: Malicious IP Address Sign-In Suspicious
id: 36440e1c-5c22-467a-889b-593e66498472
status: test
description: Indicates sign-in from a malicious IP address known to be malicious at time of sign-in.
references:
- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#malicious-ip-address
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
date: 2023-09-07
tags:
- attack.t1090
- attack.command-and-control
logsource:
product: azure
service: riskdetection
detection:
selection:
riskEventType: 'suspiciousIPAddress'
condition: selection
falsepositives:
- We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user.
level: high
title: Sign-In From Malware Infected IP
id: 821b4dc3-1295-41e7-b157-39ab212dd6bd
status: test
description: Indicates sign-ins from IP addresses infected with malware that is known to actively communicate with a bot server.
references:
- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#malware-linked-ip-address-deprecated
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
date: 2023-09-03
tags:
- attack.t1090
- attack.command-and-control
logsource:
product: azure
service: riskdetection
detection:
selection:
riskEventType: 'malwareInfectedIPAddress'
condition: selection
falsepositives:
- Using an IP address that is shared by many users
level: high
title: Suspicious Inbox Manipulation Rules
id: ceb55fd0-726e-4656-bf4e-b585b7f7d572
status: test
description: Detects suspicious rules that delete or move messages or folders are set on a user's inbox.
references:
- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#suspicious-inbox-manipulation-rules
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
date: 2023-09-03
tags:
- attack.stealth
- attack.t1140
logsource:
product: azure
service: riskdetection
detection:
selection:
riskEventType: 'mcasSuspiciousInboxManipulationRules'
condition: selection
falsepositives:
- Actual mailbox rules that are moving items based on their workflow.
level: high
title: Unfamiliar Sign-In Properties
id: 128faeef-79dd-44ca-b43c-a9e236a60f49
status: test
description: Detects sign-in with properties that are unfamiliar to the user. The detection considers past sign-in history to look for anomalous sign-ins.
references:
- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#unfamiliar-sign-in-properties
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
date: 2023-09-03
tags:
- attack.stealth
- attack.t1078
- attack.persistence
- attack.privilege-escalation
- attack.initial-access
logsource:
product: azure
service: riskdetection
detection:
selection:
riskEventType: 'unfamiliarFeatures'
condition: selection
falsepositives:
- User changing to a new device, location, browser, etc.
level: high
title: Atypical Travel
id: 1a41023f-1e70-4026-921a-4d9341a9038e
status: test
description: Identifies two sign-ins originating from geographically distant locations, where at least one of the locations may also be atypical for the user, given past behavior.
references:
- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#atypical-travel
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
date: 2023-09-03
tags:
- attack.stealth
- attack.t1078
- attack.persistence
- attack.privilege-escalation
- attack.initial-access
logsource:
product: azure
service: riskdetection
detection:
selection:
riskEventType: 'unlikelyTravel'
condition: selection
falsepositives:
- We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user.
level: high
title: Anonymous IP Address
id: 53acd925-2003-440d-a1f3-71a5253fe237
status: test
description: Indicates sign-ins from an anonymous IP address, for example, using an anonymous browser or VPN.
references:
- https://learn.microsoft.com/en-us/graph/api/resources/riskdetection?view=graph-rest-1.0
- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#anonymous-ip-address
author: Gloria Lee, '@gleeiamglo'
date: 2023-08-22
tags:
- attack.t1528
- attack.credential-access
logsource:
product: azure
service: riskdetection
detection:
selection:
riskEventType: 'anonymizedIPAddress'
condition: selection
falsepositives:
- We recommend investigating the sessions flagged by this detection in the context of other sign-ins
level: high
title: Anomalous User Activity
id: 258b6593-215d-4a26-a141-c8e31c1299a6
status: test
description: Indicates that there are anomalous patterns of behavior like suspicious changes to the directory.
references:
- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#anomalous-user-activity
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
date: 2023-09-03
tags:
- attack.privilege-escalation
- attack.t1098
- attack.persistence
logsource:
product: azure
service: riskdetection
detection:
selection:
riskEventType: 'anomalousUserActivity'
condition: selection
falsepositives:
- We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user.
level: high
title: Azure AD Threat Intelligence
id: a2cb56ff-4f46-437a-a0fa-ffa4d1303cba
status: test
description: Indicates user activity that is unusual for the user or consistent with known attack patterns.
references:
- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#azure-ad-threat-intelligence-sign-in
- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#azure-ad-threat-intelligence-user
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
date: 2023-09-07
tags:
- attack.stealth
- attack.t1078
- attack.persistence
- attack.privilege-escalation
- attack.initial-access
logsource:
product: azure
service: riskdetection
detection:
selection:
riskEventType: 'investigationsThreatIntelligence'
condition: selection
falsepositives:
- We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user.
level: high
title: Impossible Travel
id: b2572bf9-e20a-4594-b528-40bde666525a
status: test
description: Identifies user activities originating from geographically distant locations within a time period shorter than the time it takes to travel from the first location to the second.
references:
- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#impossible-travel
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
date: 2023-09-03
tags:
- attack.stealth
- attack.t1078
- attack.persistence
- attack.privilege-escalation
- attack.initial-access
logsource:
product: azure
service: riskdetection
detection:
selection:
riskEventType: 'impossibleTravel'
condition: selection
falsepositives:
- Connecting to a VPN, performing activity and then dropping and performing additional activity.
level: high
title: Potential MFA Bypass Using Legacy Client Authentication
id: 53bb4f7f-48a8-4475-ac30-5a82ddfdf6fc
status: test
description: Detects successful authentication from potential clients using legacy authentication via user agent strings. This could be a sign of MFA bypass using a password spray attack.
references:
- https://web.archive.org/web/20230217071802/https://blooteem.com/march-2022
- https://www.microsoft.com/en-us/security/blog/2021/10/26/protect-your-business-from-password-sprays-with-microsoft-dart-recommendations/
author: Harjot Singh, '@cyb3rjy0t'
date: 2023-03-20
tags:
- attack.privilege-escalation
- attack.persistence
- attack.initial-access
- attack.credential-access
- attack.stealth
- attack.t1078.004
- attack.t1110
logsource:
product: azure
service: signinlogs
detection:
selection:
Status: 'Success'
userAgent|contains:
- 'BAV2ROPC'
- 'CBAinPROD'
- 'CBAinTAR'
condition: selection
falsepositives:
- Known Legacy Accounts
level: high
title: Discovery Using AzureHound
id: 35b781cc-1a08-4a5a-80af-42fd7c315c6b
status: test
description: Detects AzureHound (A BloodHound data collector for Microsoft Azure) activity via the default User-Agent that is used during its operation after successful authentication.
references:
- https://github.com/BloodHoundAD/AzureHound
author: Janantha Marasinghe
date: 2022-11-27
tags:
- attack.discovery
- attack.t1087.004
- attack.t1526
logsource:
product: azure
service: signinlogs
detection:
selection:
userAgent|contains: 'azurehound'
ResultType: 0
condition: selection
falsepositives:
- Unknown
level: high
title: Suspicious SignIns From A Non Registered Device
id: 572b12d4-9062-11ed-a1eb-0242ac120002
status: test
description: Detects risky authentication from a non AD registered device without MFA being required.
references:
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#non-compliant-device-sign-in
author: Harjot Singh, '@cyb3rjy0t'
date: 2023-01-10
modified: 2025-07-02
tags:
- attack.privilege-escalation
- attack.persistence
- attack.initial-access
- attack.stealth
- attack.t1078
logsource:
product: azure
service: signinlogs
detection:
selection_main:
Status: 'Success'
AuthenticationRequirement: 'singleFactorAuthentication'
RiskState: 'atRisk'
selection_empty1:
DeviceDetail.trusttype: ''
selection_empty2:
DeviceDetail.trusttype: null
condition: selection_main and 1 of selection_empty*
falsepositives:
- Unknown
level: high
title: Sign-in Failure Due to Conditional Access Requirements Not Met
id: b4a6d707-9430-4f5f-af68-0337f52d5c42
status: test
description: Define a baseline threshold for failed sign-ins due to Conditional Access failures
references:
- https://learn.microsoft.com/en-gb/entra/architecture/security-operations-privileged-accounts
author: Yochana Henderson, '@Yochana-H'
date: 2022-06-01
tags:
- attack.privilege-escalation
- attack.persistence
- attack.initial-access
- attack.credential-access
- attack.stealth
- attack.t1110
- attack.t1078.004
logsource:
product: azure
service: signinlogs
detection:
selection:
ResultType: 53003
Resultdescription: Blocked by Conditional Access
condition: selection
falsepositives:
- Service Account misconfigured
- Misconfigured Systems
- Vulnerability Scanners
level: high
title: Sign-ins from Non-Compliant Devices
id: 4f77e1d7-3982-4ee0-8489-abf2d6b75284
status: test
description: Monitor and alert for sign-ins where the device was non-compliant.
references:
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#non-compliant-device-sign-in
author: Michael Epping, '@mepples21'
date: 2022-06-28
tags:
- attack.privilege-escalation
- attack.persistence
- attack.initial-access
- attack.stealth
- attack.t1078.004
logsource:
product: azure
service: signinlogs
detection:
selection:
DeviceDetail.isCompliant: 'false'
condition: selection
falsepositives:
- Unknown
level: high
title: Use of Legacy Authentication Protocols
id: 60f6535a-760f-42a9-be3f-c9a0a025906e
status: test
description: Alert on when legacy authentication has been used on an account
references:
- https://learn.microsoft.com/en-gb/entra/architecture/security-operations-privileged-accounts
author: Yochana Henderson, '@Yochana-H'
date: 2022-06-17
tags:
- attack.privilege-escalation
- attack.persistence
- attack.initial-access
- attack.credential-access
- attack.stealth
- attack.t1078.004
- attack.t1110
logsource:
product: azure
service: signinlogs
detection:
selection:
ActivityDetails: Sign-ins
ClientApp:
- Other client
- IMAP
- POP3
- MAPI
- SMTP
- Exchange ActiveSync
- Exchange Web Services
Username: 'UPN'
condition: selection
falsepositives:
- User has been put in acception group so they can use legacy authentication
level: high