Home/CVE-2020-27978/Sigma rules
Sigma

Sigma rules for CVE-2020-27978

2 rules · scoped to cve · back to CVE-2020-27978
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.

Detection rules

2 of 2
direct high
AWS Identity Center Identity Provider Change
Detects a change in the AWS Identity Center (FKA AWS SSO) identity provider. A change in identity provider allows an attacker to establish persistent access or escalate privileges via user impersonation.
status test author Michael McIntyre @wtfender id d3adb3ef-b7e7-4003-9092-1924c797db35 license Sigma · DRL-1.1
view Sigma YAML 
title: AWS Identity Center Identity Provider Change
id: d3adb3ef-b7e7-4003-9092-1924c797db35
status: test
description: |
    Detects a change in the AWS Identity Center (FKA AWS SSO) identity provider.
    A change in identity provider allows an attacker to establish persistent access or escalate privileges via user impersonation.
references:
    - https://docs.aws.amazon.com/singlesignon/latest/userguide/app-enablement.html
    - https://docs.aws.amazon.com/singlesignon/latest/userguide/sso-info-in-cloudtrail.html
    - https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiamidentitycentersuccessortoawssinglesign-on.html
author: Michael McIntyre @wtfender
date: 2023-09-27
tags:
    - attack.persistence
    - attack.credential-access
    - attack.defense-impairment
    - attack.t1556
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        eventSource:
            - 'sso-directory.amazonaws.com'
            - 'sso.amazonaws.com'
        eventName:
            - 'AssociateDirectory'
            - 'DisableExternalIdPConfigurationForDirectory'
            - 'DisassociateDirectory'
            - 'EnableExternalIdPConfigurationForDirectory'
    condition: selection
falsepositives:
    - Authorized changes to the AWS account's identity provider
level: high
direct medium
Okta Identity Provider Created
Detects when a new identity provider is created for Okta.
status test author kelnage id 969c7590-8c19-4797-8c1b-23155de6e7ac license Sigma · DRL-1.1
view Sigma YAML 
title: Okta Identity Provider Created
id: 969c7590-8c19-4797-8c1b-23155de6e7ac
status: test
description: Detects when a new identity provider is created for Okta.
references:
    - https://developer.okta.com/docs/reference/api/system-log/
    - https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection
author: kelnage
date: 2023-09-07
modified: 2026-04-27
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1098.001
logsource:
    product: okta
    service: okta
detection:
    selection:
        eventType: 'system.idp.lifecycle.create'
    condition: selection
falsepositives:
    - When an admin creates a new, authorised identity provider.
level: medium
Showing 1-2 of 2
Prev 1 Next
SOC and Response
CVE triage
Stack monitoring
Am I affected
IOC triage
KEV catalog
Recently exploited
Daily brief
Change tracking
Detection Engineering
Coverage workspace
Detection coverage
Coverage check
Telemetry ceiling
SIEM query builder
Sigma rules
SIEM rules
YARA rules
Network rules
D3FEND
Threat Hunting
Threat actors
ATT&CK techniques
Attack paths
Indicators
Atomic tests
Red Team and Pentest
Exploitability triage
Recon pack
Attack paths
CAPEC patterns
Adversary emulation
Compliance and GRC
Framework mapping
Control assessment
Audit view
Atlas Search Threat actors Techniques Tools & malware CWE CAPEC KEV catalog Package vulns
About All capabilities Pricing API docs Privacy policy Terms of service
threatengine.sh