Sigma
Sigma rules for CVE-2021-25351
42 rules · scoped to cve · back to CVE-2021-25351
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.
◈
Detection rules
42 of 42
direct
critical
Active Directory Replication from Non Machine Account
Detects potential abuse of Active Directory Replication Service (ADRS) from a non machine account to request credentials.
view Sigma YAML
title: Active Directory Replication from Non Machine Account
id: 17d619c1-e020-4347-957e-1d1207455c93
status: test
description: Detects potential abuse of Active Directory Replication Service (ADRS) from a non machine account to request credentials.
references:
- https://threathunterplaybook.com/hunts/windows/180815-ADObjectAccessReplication/notebook.html
- https://threathunterplaybook.com/library/windows/active_directory_replication.html
- https://threathunterplaybook.com/hunts/windows/190101-ADModDirectoryReplication/notebook.html
author: Roberto Rodriguez @Cyb3rWard0g
date: 2019-07-26
modified: 2021-11-27
tags:
- attack.credential-access
- attack.t1003.006
logsource:
product: windows
service: security
detection:
selection:
EventID: 4662
AccessMask: '0x100'
Properties|contains:
- '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
- '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'
- '89e95b76-444d-4c62-991a-0facbeda640c'
filter:
- SubjectUserName|endswith: '$'
- SubjectUserName|startswith: 'MSOL_' # https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/reference-connect-accounts-permissions#ad-ds-connector-account
condition: selection and not filter
falsepositives:
- Unknown
level: critical
direct
high
SharpHound Recon Account Discovery
Detects remote RPC calls useb by SharpHound to map remote connections and local group membership.
view Sigma YAML
title: SharpHound Recon Account Discovery
id: 65f77b1e-8e79-45bf-bb67-5988a8ce45a5
status: test
description: Detects remote RPC calls useb by SharpHound to map remote connections and local group membership.
references:
- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-wkst/55118c55-2122-4ef9-8664-0c1ff9e168f3
- https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-WKST.md
- https://github.com/zeronetworks/rpcfirewall
- https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/
author: Sagie Dulce, Dekel Paz
date: 2022-01-01
tags:
- attack.t1087
- attack.discovery
logsource:
product: rpc_firewall
category: application
definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:6bffd098-a112-3610-9833-46c3f87e345a opnum:2'
detection:
selection:
EventLog: RPCFW
EventID: 3
InterfaceUuid: 6bffd098-a112-3610-9833-46c3f87e345a
OpNum: 2
condition: selection
falsepositives:
- Unknown
level: high
direct
high
Azure AD Account Credential Leaked
Indicates that the user's valid credentials have been leaked.
view Sigma YAML
title: Azure AD Account Credential Leaked
id: 19128e5e-4743-48dc-bd97-52e5775af817
status: test
description: Indicates that the user's valid credentials have been leaked.
references:
- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#leaked-credentials
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
date: 2023-09-03
tags:
- attack.t1589
- attack.reconnaissance
logsource:
product: azure
service: riskdetection
detection:
selection:
riskEventType: 'leakedCredentials'
condition: selection
falsepositives:
- A rare hash collision.
level: high
direct
high
Bulk Deletion Changes To Privileged Account Permissions
Detects when a user is removed from a privileged role. Bulk changes should be investigated.
view Sigma YAML
title: Bulk Deletion Changes To Privileged Account Permissions
id: 102e11e3-2db5-4c9e-bc26-357d42585d21
status: test
description: Detects when a user is removed from a privileged role. Bulk changes should be investigated.
references:
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-identity-management#azure-ad-roles-assignment
author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'
date: 2022-08-05
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1098
logsource:
product: azure
service: auditlogs
detection:
selection:
properties.message:
- Remove eligible member (permanent)
- Remove eligible member (eligible)
condition: selection
falsepositives:
- Legtimate administrator actions of removing members from a role
level: high
direct
high
Temporary Access Pass Added To An Account
Detects when a temporary access pass (TAP) is added to an account. TAPs added to priv accounts should be investigated
view Sigma YAML
title: Temporary Access Pass Added To An Account
id: fa84aaf5-8142-43cd-9ec2-78cfebf878ce
status: test
description: Detects when a temporary access pass (TAP) is added to an account. TAPs added to priv accounts should be investigated
references:
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts#changes-to-privileged-accounts
author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'
date: 2022-08-10
tags:
- attack.privilege-escalation
- attack.initial-access
- attack.persistence
- attack.stealth
- attack.t1078.004
logsource:
product: azure
service: auditlogs
detection:
selection:
properties.message: Admin registered security info
Status: Admin registered temporary access pass method for user
condition: selection
falsepositives:
- Administrator adding a legitimate temporary access pass
level: high
direct
high
Account Created And Deleted Within A Close Time Frame
Detects when an account was created and deleted in a short period of time.
view Sigma YAML
title: Account Created And Deleted Within A Close Time Frame
id: 6f583da0-3a90-4566-a4ed-83c09fe18bbf
status: test
description: Detects when an account was created and deleted in a short period of time.
references:
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#short-lived-accounts
author: Mark Morowczynski '@markmorow', MikeDuddington, '@dudders1', Tim Shelton
date: 2022-08-11
modified: 2022-08-18
tags:
- attack.privilege-escalation
- attack.persistence
- attack.initial-access
- attack.stealth
- attack.t1078
logsource:
product: azure
service: auditlogs
detection:
selection:
properties.message:
- Add user
- Delete user
Status: Success
condition: selection
falsepositives:
- Legit administrative action
level: high
direct
high
ESXi Admin Permission Assigned To Account Via ESXCLI
Detects execution of the "esxcli" command with the "system" and "permission" flags in order to assign admin permissions to an account.
view Sigma YAML
title: ESXi Admin Permission Assigned To Account Via ESXCLI
id: 9691f58d-92c1-4416-8bf3-2edd753ec9cf
status: test
description: Detects execution of the "esxcli" command with the "system" and "permission" flags in order to assign admin permissions to an account.
references:
- https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_system.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-09-04
tags:
- attack.persistence
- attack.execution
- attack.privilege-escalation
- attack.t1059.012
- attack.t1098
logsource:
category: process_creation
product: linux
detection:
selection:
Image|endswith: '/esxcli'
CommandLine|contains: 'system'
CommandLine|contains|all:
- ' permission '
- ' set'
- 'Admin'
condition: selection
falsepositives:
- Legitimate administration activities
level: high
direct
high
Microsoft IIS Service Account Password Dumped
Detects the Internet Information Services (IIS) command-line tool, AppCmd, being used to list passwords
view Sigma YAML
title: Microsoft IIS Service Account Password Dumped
id: 2d3cdeec-c0db-45b4-aa86-082f7eb75701
status: test
description: Detects the Internet Information Services (IIS) command-line tool, AppCmd, being used to list passwords
references:
- https://www.elastic.co/guide/en/security/current/microsoft-iis-service-account-password-dumped.html
- https://twitter.com/0gtweet/status/1588815661085917186?cxt=HHwWhIDUyaDbzYwsAAAA
- https://www.netspi.com/blog/technical/network-penetration-testing/decrypting-iis-passwords-to-break-out-of-the-dmz-part-2/
author: Tim Rauch, Janantha Marasinghe, Elastic (original idea)
date: 2022-11-08
modified: 2023-01-22
tags:
- attack.credential-access
- attack.t1003
logsource:
category: process_creation
product: windows
detection:
selection_base_name:
- Image|endswith: '\appcmd.exe'
- OriginalFileName: 'appcmd.exe'
selection_base_list:
CommandLine|contains: 'list '
selection_standalone:
CommandLine|contains:
- ' /config' # https://pbs.twimg.com/media/FgydDAJWIAEio34?format=png&name=900x900
- ' /xml'
# We cover the "-" version just in case :)
- ' -config'
- ' -xml'
selection_cmd_flags:
CommandLine|contains:
- ' /@t' # Covers both "/@text:*" and "/@t:*"
- ' /text'
- ' /show'
# We cover the "-" version just in case :)
- ' -@t'
- ' -text'
- ' -show'
selection_cmd_grep:
CommandLine|contains:
- ':\*'
- 'password'
condition: all of selection_base_* and (selection_standalone or all of selection_cmd_*)
falsepositives:
- Unknown
level: high
direct
high
MSSQL Add Account To Sysadmin Role
Detects when an attacker tries to backdoor the MSSQL server by adding a backdoor account to the sysadmin fixed server role
view Sigma YAML
title: MSSQL Add Account To Sysadmin Role
id: 08200f85-2678-463e-9c32-88dce2f073d1
status: test
description: Detects when an attacker tries to backdoor the MSSQL server by adding a backdoor account to the sysadmin fixed server role
references:
- https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-13
modified: 2024-06-26
tags:
- attack.persistence
logsource:
product: windows
service: application
definition: 'Requirements: MSSQL audit policy must be enabled in order to receive this event in the application log'
# warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
detection:
selection:
Provider_Name|contains: 'MSSQL' # Note: We use contains to account for other third party providers - See https://github.com/SigmaHQ/sigma/issues/4876
EventID: 33205
Data|contains|all:
- 'object_name:sysadmin'
- 'statement:alter server role [sysadmin] add member '
condition: selection
falsepositives:
- Rare legitimate administrative activity
level: high
direct
high
Suspicious Windows ANONYMOUS LOGON Local Account Created
Detects the creation of suspicious accounts similar to ANONYMOUS LOGON, such as using additional spaces. Created as an covering detection for exclusion of Logon Type 3 from ANONYMOUS LOGON accounts.
view Sigma YAML
title: Suspicious Windows ANONYMOUS LOGON Local Account Created
id: 1bbf25b9-8038-4154-a50b-118f2a32be27
status: test
description: Detects the creation of suspicious accounts similar to ANONYMOUS LOGON, such as using additional spaces. Created as an covering detection for exclusion of Logon Type 3 from ANONYMOUS LOGON accounts.
references:
- https://twitter.com/SBousseaden/status/1189469425482829824
author: James Pemberton / @4A616D6573
date: 2019-10-31
modified: 2022-10-09
tags:
- attack.persistence
- attack.t1136.001
- attack.t1136.002
logsource:
product: windows
service: security
detection:
selection:
EventID: 4720
SamAccountName|contains|all:
- 'ANONYMOUS'
- 'LOGON'
condition: selection
falsepositives:
- Unknown
level: high
direct
high
Password Change on Directory Service Restore Mode (DSRM) Account
Detects potential attempts made to set the Directory Services Restore Mode administrator password.
The Directory Service Restore Mode (DSRM) account is a local administrator account on Domain Controllers.
Attackers may change the password in order to obtain persistence.
view Sigma YAML
title: Password Change on Directory Service Restore Mode (DSRM) Account
id: 53ad8e36-f573-46bf-97e4-15ba5bf4bb51
related:
- id: b61e87c0-50db-4b2e-8986-6a2be94b33b0
type: similar
status: stable
description: |
Detects potential attempts made to set the Directory Services Restore Mode administrator password.
The Directory Service Restore Mode (DSRM) account is a local administrator account on Domain Controllers.
Attackers may change the password in order to obtain persistence.
references:
- https://adsecurity.org/?p=1714
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4794
author: Thomas Patzke
date: 2017-02-19
modified: 2020-08-23
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1098
logsource:
product: windows
service: security
detection:
selection:
EventID: 4794
condition: selection
falsepositives:
- Initial installation of a domain controller.
level: high
direct
high
Change User Account Associated with the FAX Service
Detect change of the user account associated with the FAX service to avoid the escalation problem.
view Sigma YAML
title: Change User Account Associated with the FAX Service
id: e3fdf743-f05b-4051-990a-b66919be1743
status: test
description: Detect change of the user account associated with the FAX service to avoid the escalation problem.
references:
- https://twitter.com/dottor_morte/status/1544652325570191361
- https://raw.githubusercontent.com/RiccardoAncarani/talks/master/F-Secure/unorthodox-lateral-movement.pdf
author: frack113
date: 2022-07-17
modified: 2022-12-30
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1112
logsource:
product: windows
category: registry_set
detection:
selection:
TargetObject: HKLM\System\CurrentControlSet\Services\Fax\ObjectName
filter:
Details|contains: NetworkService
condition: selection and not filter
falsepositives:
- Unknown
level: high
direct
high
Hiding User Account Via SpecialAccounts Registry Key
Detects modifications to the registry key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist" where the value is set to "0" in order to hide user account from being listed on the logon screen.
view Sigma YAML
title: Hiding User Account Via SpecialAccounts Registry Key
id: f8aebc67-a56d-4ec9-9fbe-7b0e8b7b4efd
related:
- id: 8a58209c-7ae6-4027-afb0-307a78e4589a
type: obsolete
- id: 9ec9fb1b-e059-4489-9642-f270c207923d
type: similar
status: test
description: Detects modifications to the registry key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist" where the value is set to "0" in order to hide user account from being listed on the logon screen.
references:
- https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/
- https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1564.002/T1564.002.md#atomic-test-3---create-hidden-user-in-registry
author: Nasreddine Bencherchali (Nextron Systems), frack113
date: 2022-07-12
modified: 2023-01-26
tags:
- attack.stealth
- attack.t1564.002
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains: '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'
Details: 'DWORD (0x00000000)'
condition: selection
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_special_accounts/info.yml
simulation:
- type: atomic-red-team
name: Create Hidden User in Registry
technique: T1564.002
atomic_guid: 173126b7-afe4-45eb-8680-fa9f6400431c
direct
high
Creation of a Local Hidden User Account by Registry
Sysmon registry detection of a local hidden user account.
view Sigma YAML
title: Creation of a Local Hidden User Account by Registry
id: 460479f3-80b7-42da-9c43-2cc1d54dbccd
status: test
description: Sysmon registry detection of a local hidden user account.
references:
- https://twitter.com/SBousseaden/status/1387530414185664538
author: Christian Burkard (Nextron Systems)
date: 2021-05-03
modified: 2025-10-31
tags:
- attack.persistence
- attack.t1136.001
logsource:
product: windows
category: registry_event
detection:
selection:
TargetObject|contains: '\SAM\SAM\Domains\Account\Users\Names\'
TargetObject|endswith: '$\(Default)'
Image|endswith: '\lsass.exe'
condition: selection
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules/windows/registry/registry_event/registry_event_add_local_hidden_user/info.yml
simulation:
- type: atomic-red-team
name: Create Hidden User in Registry
technique: T1564.002
atomic_guid: 173126b7-afe4-45eb-8680-fa9f6400431c
direct
medium
Okta User Account Locked Out
Detects when an user account is locked out.
view Sigma YAML
title: Okta User Account Locked Out
id: 14701da0-4b0f-4ee6-9c95-2ffb4e73bb9a
status: test
description: Detects when an user account is locked out.
references:
- https://developer.okta.com/docs/reference/api/system-log/
- https://developer.okta.com/docs/reference/api/event-types/
author: Austin Songer @austinsonger
date: 2021-09-12
modified: 2026-04-27
tags:
- attack.impact
- attack.t1531
logsource:
product: okta
service: okta
detection:
selection:
displayMessage: Max sign in attempts exceeded
condition: selection
falsepositives:
- Unknown
level: medium
direct
medium
Root Account Enable Via Dsenableroot
Detects attempts to enable the root account via "dsenableroot"
view Sigma YAML
title: Root Account Enable Via Dsenableroot
id: 821bcf4d-46c7-4b87-bc57-9509d3ba7c11
status: test
description: Detects attempts to enable the root account via "dsenableroot"
references:
- https://github.com/redcanaryco/atomic-red-team/blob/b27a3cb25025161d49ac861cb216db68c46a3537/atomics/T1078.003/T1078.003.md
- https://github.com/elastic/detection-rules/blob/4312d8c9583be524578a14fe6295c3370b9a9307/rules/macos/persistence_enable_root_account.toml
- https://ss64.com/osx/dsenableroot.html
author: Sohan G (D4rkCiph3r)
date: 2023-08-22
tags:
- attack.privilege-escalation
- attack.stealth
- attack.t1078
- attack.t1078.001
- attack.t1078.003
- attack.initial-access
- attack.persistence
logsource:
category: process_creation
product: macos
detection:
selection:
Image|endswith: '/dsenableroot'
filter_main_disable:
CommandLine|contains: ' -d '
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: medium
direct
medium
Account Disabled or Blocked for Sign in Attempts
Detects when an account is disabled or blocked for sign in but tried to log in
view Sigma YAML
title: Account Disabled or Blocked for Sign in Attempts
id: 4afac85c-224a-4dd7-b1af-8da40e1c60bd
status: test
description: Detects when an account is disabled or blocked for sign in but tried to log in
references:
- https://learn.microsoft.com/en-gb/entra/architecture/security-operations-privileged-accounts
author: Yochana Henderson, '@Yochana-H'
date: 2022-06-17
tags:
- attack.privilege-escalation
- attack.persistence
- attack.initial-access
- attack.stealth
- attack.t1078.004
logsource:
product: azure
service: signinlogs
detection:
selection:
ResultType: 50057
ResultDescription: Failure
condition: selection
falsepositives:
- Account disabled or blocked in error
- Automation account has been blocked or disabled
level: medium
direct
medium
Login to Disabled Account
Detect failed attempts to sign in to disabled accounts.
view Sigma YAML
title: Login to Disabled Account
id: 908655e0-25cf-4ae1-b775-1c8ce9cf43d8
status: test
description: Detect failed attempts to sign in to disabled accounts.
references:
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts
author: AlertIQ
date: 2021-10-10
modified: 2022-12-25
tags:
- attack.privilege-escalation
- attack.persistence
- attack.initial-access
- attack.stealth
- attack.t1078.004
logsource:
product: azure
service: signinlogs
detection:
selection:
ResultType: 50057
ResultDescription: 'User account is disabled. The account has been disabled by an administrator.'
condition: selection
falsepositives:
- Unknown
level: medium
direct
medium
Account Lockout
Identifies user account which has been locked because the user tried to sign in too many times with an incorrect user ID or password.
view Sigma YAML
title: Account Lockout
id: 2b7d6fc0-71ac-4cf7-8ed1-b5788ee5257a
status: test
description: Identifies user account which has been locked because the user tried to sign in too many times with an incorrect user ID or password.
references:
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts
author: AlertIQ
date: 2021-10-10
modified: 2022-12-25
tags:
- attack.credential-access
- attack.t1110
logsource:
product: azure
service: signinlogs
detection:
selection:
ResultType: 50053
condition: selection
falsepositives:
- Unknown
level: medium
direct
medium
Password Reset By User Account
Detect when a user has reset their password in Azure AD
view Sigma YAML
title: Password Reset By User Account
id: 340ee172-4b67-4fb4-832f-f961bdc1f3aa
status: test
description: Detect when a user has reset their password in Azure AD
references:
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts
author: YochanaHenderson, '@Yochana-H'
date: 2022-08-03
tags:
- attack.privilege-escalation
- attack.initial-access
- attack.persistence
- attack.credential-access
- attack.stealth
- attack.t1078.004
logsource:
product: azure
service: auditlogs
detection:
selection:
Category: 'UserManagement'
Status: 'Success'
Initiatedby: 'UPN'
filter:
Target|contains: 'UPN'
ActivityType|contains: 'Password reset'
condition: selection and filter
falsepositives:
- If this was approved by System Administrator or confirmed user action.
level: medium
direct
medium
Multi Factor Authentication Disabled For User Account
Detects changes to the "StrongAuthenticationRequirement" value, where the state is set to "0" or "Disabled".
Threat actors were seen disabling multi factor authentication for users in order to maintain or achieve access to the account. Also see in SIM Swap attacks.
view Sigma YAML
title: Multi Factor Authentication Disabled For User Account
id: b18454c8-0be3-41f7-86bc-9c614611b839
status: test
description: |
Detects changes to the "StrongAuthenticationRequirement" value, where the state is set to "0" or "Disabled".
Threat actors were seen disabling multi factor authentication for users in order to maintain or achieve access to the account. Also see in SIM Swap attacks.
references:
- https://www.sans.org/blog/defending-against-scattered-spider-and-the-com-with-cybercrime-intelligence/
author: Harjot Singh (@cyb3rjy0t)
date: 2024-08-21
tags:
- attack.credential-access
- attack.persistence
logsource:
product: azure
service: auditlogs
definition: 'Requirements: The TargetResources array needs to be mapped accurately in order for this rule to work'
detection:
selection:
LoggedByService: 'Core Directory'
Category: 'UserManagement'
OperationName: 'Update user'
TargetResources.ModifiedProperties.DisplayName: 'StrongAuthenticationRequirement'
TargetResources.ModifiedProperties.NewValue|contains: "State\":0"
condition: selection
falsepositives:
- Legitimate authorized activity.
level: medium
direct
medium
Privileged Account Creation
Detects when a new admin is created.
view Sigma YAML
title: Privileged Account Creation
id: f7b5b004-dece-46e4-a4a5-f6fd0e1c6947
status: test
description: Detects when a new admin is created.
references:
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts#changes-to-privileged-accounts
author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H', Tim Shelton
date: 2022-08-11
modified: 2022-08-16
tags:
- attack.initial-access
- attack.persistence
- attack.privilege-escalation
- attack.stealth
- attack.t1078.004
logsource:
product: azure
service: auditlogs
detection:
selection:
properties.message|contains|all:
- Add user
- Add member to role
Status: Success
condition: selection
falsepositives:
- A legitimate new admin account being created
level: medium
direct
medium
Azure Kubernetes Service Account Modified or Deleted
Identifies when a service account is modified or deleted.
view Sigma YAML
title: Azure Kubernetes Service Account Modified or Deleted
id: 12d027c3-b48c-4d9d-8bb6-a732200034b2
status: test
description: Identifies when a service account is modified or deleted.
references:
- https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
- https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/
- https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
- https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1
author: Austin Songer @austinsonger
date: 2021-08-07
modified: 2022-08-23
tags:
- attack.impact
- attack.t1531
- attack.t1485
- attack.t1496
- attack.t1489
logsource:
product: azure
service: activitylogs
detection:
selection:
operationName:
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SERVICEACCOUNTS/WRITE
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SERVICEACCOUNTS/DELETE
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SERVICEACCOUNTS/IMPERSONATE/ACTION
condition: selection
falsepositives:
- Service account being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- Service account modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: medium
direct
medium
Granting Of Permissions To An Account
Identifies IPs from which users grant access to other users on azure resources and alerts when a previously unseen source IP address is used.
view Sigma YAML
title: Granting Of Permissions To An Account
id: a622fcd2-4b5a-436a-b8a2-a4171161833c
status: test
description: Identifies IPs from which users grant access to other users on azure resources and alerts when a previously unseen source IP address is used.
references:
- https://github.com/Azure/Azure-Sentinel/blob/e534407884b1ec5371efc9f76ead282176c9e8bb/Detections/AzureActivity/Granting_Permissions_To_Account_detection.yaml
author: sawwinnnaung
date: 2020-05-07
modified: 2023-10-11
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1098.003
logsource:
product: azure
service: activitylogs
detection:
keywords:
- Microsoft.Authorization/roleAssignments/write
condition: keywords
falsepositives:
- Valid change
level: medium
direct
medium
Google Cloud Service Account Modified
Identifies when a service account is modified in Google Cloud.
view Sigma YAML
title: Google Cloud Service Account Modified
id: 6b67c12e-5e40-47c6-b3b0-1e6b571184cc
status: test
description: Identifies when a service account is modified in Google Cloud.
references:
- https://cloud.google.com/iam/docs/reference/rest/v1/projects.serviceAccounts
author: Austin Songer @austinsonger
date: 2021-08-14
modified: 2022-10-09
tags:
- attack.impact
logsource:
product: gcp
service: gcp.audit
detection:
selection:
gcp.audit.method_name|endswith:
- .serviceAccounts.patch
- .serviceAccounts.create
- .serviceAccounts.update
- .serviceAccounts.enable
- .serviceAccounts.undelete
condition: selection
falsepositives:
- Service Account being modified may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- Service Account modified from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: medium
direct
medium
Google Cloud Service Account Disabled or Deleted
Identifies when a service account is disabled or deleted in Google Cloud.
view Sigma YAML
title: Google Cloud Service Account Disabled or Deleted
id: 13f81a90-a69c-4fab-8f07-b5bb55416a9f
status: test
description: Identifies when a service account is disabled or deleted in Google Cloud.
references:
- https://cloud.google.com/iam/docs/reference/rest/v1/projects.serviceAccounts
author: Austin Songer @austinsonger
date: 2021-08-14
modified: 2022-10-09
tags:
- attack.impact
- attack.t1531
logsource:
product: gcp
service: gcp.audit
detection:
selection:
gcp.audit.method_name|endswith:
- .serviceAccounts.disable
- .serviceAccounts.delete
condition: selection
falsepositives:
- Service Account being disabled or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- Service Account disabled or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: medium
direct
medium
ESXi Account Creation Via ESXCLI
Detects user account creation on ESXi system via esxcli
view Sigma YAML
title: ESXi Account Creation Via ESXCLI
id: b28e4eb3-8bbc-4f0c-819f-edfe8e2f25db
status: test
description: Detects user account creation on ESXi system via esxcli
references:
- https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_system.html
author: Cedric Maurugeon
date: 2023-08-22
tags:
- attack.persistence
- attack.execution
- attack.t1136
- attack.t1059.012
logsource:
category: process_creation
product: linux
detection:
selection:
Image|endswith: '/esxcli'
CommandLine|contains|all:
- 'system '
- 'account '
- 'add '
condition: selection
falsepositives:
- Legitimate administration activities
level: medium
direct
medium
Creation Of An User Account
Detects the creation of a new user account. Such accounts may be used for persistence that do not require persistent remote access tools to be deployed on the system.
view Sigma YAML
title: Creation Of An User Account
id: 759d0d51-bc99-4b5e-9add-8f5b2c8e7512
status: test
description: Detects the creation of a new user account. Such accounts may be used for persistence that do not require persistent remote access tools to be deployed on the system.
references:
- https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-understanding_audit_log_files
- https://access.redhat.com/articles/4409591#audit-record-types-2
- https://www.youtube.com/watch?v=VmvY5SQm5-Y&ab_channel=M45C07
author: Marie Euler, Pawel Mazur
date: 2020-05-18
modified: 2022-12-20
tags:
- attack.t1136.001
- attack.persistence
logsource:
product: linux
service: auditd
detection:
selection_syscall_record_type:
type: 'SYSCALL'
exe|endswith: '/useradd'
selection_add_user_record_type:
type: 'ADD_USER' # This is logged without having to configure audit rules on both Ubuntu and Centos
condition: 1 of selection_*
falsepositives:
- Admin activity
level: medium
direct
medium
FortiGate - New Administrator Account Created
Detects the creation of an administrator account on a Fortinet FortiGate Firewall.
view Sigma YAML
title: FortiGate - New Administrator Account Created
id: cd0a4943-0edd-42cf-b50c-06f77a10d4c1
status: experimental
description: Detects the creation of an administrator account on a Fortinet FortiGate Firewall.
references:
- https://www.fortiguard.com/psirt/FG-IR-24-535
- https://docs.fortinet.com/document/fortigate/7.6.4/fortios-log-message-reference/398/event
- https://docs.fortinet.com/document/fortigate/7.6.4/cli-reference/390485493/config-system-admin
- https://docs.fortinet.com/document/fortigate/7.6.4/fortios-log-message-reference/44547/44547-logid-event-config-objattr
author: Marco Pedrinazzi @pedrinazziM (InTheCyber)
date: 2025-11-01
tags:
- attack.persistence
- attack.t1136.001
logsource:
product: fortigate
service: event
detection:
selection:
action: 'Add'
cfgpath: 'system.admin'
condition: selection
falsepositives:
- An administrator account can be created for legitimate purposes. Investigate the account details to determine if it is authorized.
level: medium
direct
medium
DMSA Service Account Created in Specific OUs - PowerShell
Detects the creation of a dMSA service account using the New-ADServiceAccount cmdlet in certain OUs.
The fact that the cmdlet is used to create a dMSASvc account in a specific OU is highly suspicious.
It is a pattern trying to exploit the BadSuccessor privilege escalation vulnerability in Windows Server 2025.
On top of that, if the user that is creating the dMSASvc account is not a legitimate administrator or does not have the necessary permissions,
it is a strong signal of an attempted or successful abuse of the BaDSuccessor vulnerability for privilege escalation within the Windows Server 2025 Active Directory environment.
view Sigma YAML
title: DMSA Service Account Created in Specific OUs - PowerShell
id: 02122374-b74e-495c-b285-9e4da973f3d6
related:
- id: e15bc294-ae2a-45ad-b7d6-637b33868bde # Windows Security Creation of New MsDS-DelegatedManagedServiceAccount (DMSA) Object
type: similar
- id: 0ea8db81-2ff6-4525-9448-33bbe7effc13 # Process Creation Detection
type: similar
status: experimental
description: |
Detects the creation of a dMSA service account using the New-ADServiceAccount cmdlet in certain OUs.
The fact that the cmdlet is used to create a dMSASvc account in a specific OU is highly suspicious.
It is a pattern trying to exploit the BadSuccessor privilege escalation vulnerability in Windows Server 2025.
On top of that, if the user that is creating the dMSASvc account is not a legitimate administrator or does not have the necessary permissions,
it is a strong signal of an attempted or successful abuse of the BaDSuccessor vulnerability for privilege escalation within the Windows Server 2025 Active Directory environment.
references:
- https://www.akamai.com/blog/security-research/abusing-bad-successor-for-privilege-escalation-in-active-directory
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-05-24
tags:
- attack.privilege-escalation
- attack.initial-access
- attack.persistence
- attack.stealth
- attack.t1078.002
- attack.t1098
logsource:
category: ps_script
product: windows
detection:
selection:
ScriptBlockText|contains|all:
- 'New-ADServiceAccount'
- '-CreateDelegatedServiceAccount'
- '-path'
condition: selection
falsepositives:
- Unknown
level: medium
direct
medium
Remove Account From Domain Admin Group
Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users.
Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts.
view Sigma YAML
title: Remove Account From Domain Admin Group
id: 48a45d45-8112-416b-8a67-46e03a4b2107
status: test
description: |
Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users.
Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1531/T1531.md#atomic-test-3---remove-account-from-domain-admin-group
author: frack113
date: 2021-12-26
tags:
- attack.impact
- attack.t1531
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains|all:
- 'Remove-ADGroupMember'
- '-Identity '
- '-Members '
condition: selection
falsepositives:
- Unknown
level: medium
direct
medium
New DMSA Service Account Created in Specific OUs
Detects the creation of a dMSASvc account using the New-ADServiceAccount cmdlet in certain OUs.
The fact that the Cmdlet is used to create a dMSASvc account in a specific OU is highly suspicious.
It is a pattern trying to exploit the BadSuccessor privilege escalation vulnerability in Windows Server 2025.
On top of that, if the user that is creating the dMSASvc account is not a legitimate administrator or does not have the necessary permissions,
it is a strong signal of an attempted or successful abuse of the BaDSuccessor vulnerability for privilege escalation within the Windows Server 2025 Active Directory environment.
view Sigma YAML
title: New DMSA Service Account Created in Specific OUs
id: 0ea8db81-2ff6-4525-9448-33bbe7effc13
related:
- id: e15bc294-ae2a-45ad-b7d6-637b33868bde # Windows Security Creation of New MsDS-DelegatedManagedServiceAccount (DMSA) Object
type: similar
- id: 02122374-b74e-495c-b285-9e4da973f3d6 # ScriptBlockText Detection
type: similar
status: experimental
description: |
Detects the creation of a dMSASvc account using the New-ADServiceAccount cmdlet in certain OUs.
The fact that the Cmdlet is used to create a dMSASvc account in a specific OU is highly suspicious.
It is a pattern trying to exploit the BadSuccessor privilege escalation vulnerability in Windows Server 2025.
On top of that, if the user that is creating the dMSASvc account is not a legitimate administrator or does not have the necessary permissions,
it is a strong signal of an attempted or successful abuse of the BaDSuccessor vulnerability for privilege escalation within the Windows Server 2025 Active Directory environment.
references:
- https://www.akamai.com/blog/security-research/abusing-bad-successor-for-privilege-escalation-in-active-directory
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-05-24
tags:
- attack.privilege-escalation
- attack.initial-access
- attack.persistence
- attack.stealth
- attack.t1078.002
- attack.t1098
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
- '\powershell_ise.exe'
- OriginalFileName:
- 'powershell.exe'
- 'pwsh.dll'
- 'powershell_ise.exe'
selection_cli:
CommandLine|contains|all:
- 'New-ADServiceAccount'
- '-CreateDelegatedServiceAccount'
- '-path'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
direct
medium
Suspicious Group And Account Reconnaissance Activity Using Net.EXE
Detects suspicious reconnaissance command line activity on Windows systems using Net.EXE
Check if the user that executed the commands is suspicious (e.g. service accounts, LOCAL_SYSTEM)
view Sigma YAML
title: Suspicious Group And Account Reconnaissance Activity Using Net.EXE
id: d95de845-b83c-4a9a-8a6a-4fc802ebf6c0
status: test
description: |
Detects suspicious reconnaissance command line activity on Windows systems using Net.EXE
Check if the user that executed the commands is suspicious (e.g. service accounts, LOCAL_SYSTEM)
references:
- https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/
- https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/
- https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/
author: Florian Roth (Nextron Systems), omkar72, @svch0st, Nasreddine Bencherchali (Nextron Systems)
date: 2019-01-16
modified: 2023-03-02
tags:
- attack.discovery
- attack.t1087.001
- attack.t1087.002
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\net.exe'
- '\net1.exe'
- OriginalFileName:
- 'net.exe'
- 'net1.exe'
# Covers group and localgroup flags
selection_group_root:
CommandLine|contains:
- ' group '
- ' localgroup '
selection_group_flags:
CommandLine|contains:
# Add more groups for other languages
- 'domain admins'
- ' administrator' # Typo without an 'S' so we catch both
- ' administrateur' # Typo without an 'S' so we catch both
- 'enterprise admins'
- 'Exchange Trusted Subsystem'
- 'Remote Desktop Users'
- 'Utilisateurs du Bureau à distance' # French for "Remote Desktop Users"
- 'Usuarios de escritorio remoto' # Spanish for "Remote Desktop Users"
- ' /do' # short for domain
filter_group_add:
# This filter is added to avoid the potential case where the point is not recon but addition
CommandLine|contains: ' /add'
# Covers 'accounts' flag
selection_accounts_root:
CommandLine|contains: ' accounts '
selection_accounts_flags:
CommandLine|contains: ' /do' # short for domain
condition: selection_img and ((all of selection_group_* and not filter_group_add) or all of selection_accounts_*)
falsepositives:
- Inventory tool runs
- Administrative activity
level: medium
direct
medium
Hiding User Account Via SpecialAccounts Registry Key - CommandLine
Detects changes to the registry key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist" where the value is set to "0" in order to hide user account from being listed on the logon screen.
view Sigma YAML
title: Hiding User Account Via SpecialAccounts Registry Key - CommandLine
id: 9ec9fb1b-e059-4489-9642-f270c207923d
related:
- id: f8aebc67-a56d-4ec9-9fbe-7b0e8b7b4efd
type: similar
status: test
description: |
Detects changes to the registry key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist" where the value is set to "0" in order to hide user account from being listed on the logon screen.
references:
- https://thedfirreport.com/2024/01/29/buzzing-on-christmas-eve-trigona-ransomware-in-3-hours/
- https://thedfirreport.com/2024/04/01/from-onenote-to-ransomnote-an-ice-cold-intrusion/
- https://thedfirreport.com/2024/04/29/from-icedid-to-dagon-locker-ransomware-in-29-days/
- https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/
author: '@Kostastsale, TheDFIRReport'
date: 2022-05-14
modified: 2024-08-23
tags:
- attack.stealth
- attack.t1564.002
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\reg.exe'
CommandLine|contains|all:
- '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'
- 'add'
- '/v'
- '/d 0'
condition: selection
falsepositives:
- System administrator activities
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_registry_special_accounts_hide_user/info.yml
direct
medium
New or Renamed User Account with '$' Character
Detects the creation of a user with the "$" character. This can be used by attackers to hide a user or trick detection systems that lack the parsing mechanisms.
view Sigma YAML
title: New or Renamed User Account with '$' Character
id: cfeed607-6aa4-4bbd-9627-b637deb723c8
status: test
description: |
Detects the creation of a user with the "$" character. This can be used by attackers to hide a user or trick detection systems that lack the parsing mechanisms.
references:
- https://twitter.com/SBousseaden/status/1387743867663958021
author: Ilyas Ochkov, oscd.community
date: 2019-10-25
modified: 2024-01-16
tags:
- attack.stealth
- attack.t1036
logsource:
product: windows
service: security
detection:
selection_create:
EventID: 4720 # create user
SamAccountName|contains: '$'
selection_rename:
EventID: 4781 # rename user
NewTargetUserName|contains: '$'
filter_main_homegroup:
EventID: 4720
TargetUserName: 'HomeGroupUser$'
condition: 1 of selection_* and not 1 of filter_main_*
falsepositives:
- Unknown
level: medium
direct
medium
Potential AD User Enumeration From Non-Machine Account
Detects read access to a domain user from a non-machine account
view Sigma YAML
title: Potential AD User Enumeration From Non-Machine Account
id: ab6bffca-beff-4baa-af11-6733f296d57a
status: test
description: Detects read access to a domain user from a non-machine account
references:
- https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf
- http://www.stuffithoughtiknew.com/2019/02/detecting-bloodhound.html
- https://learn.microsoft.com/en-us/windows/win32/adschema/attributes-all # For further investigation of the accessed properties
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4662
author: Maxime Thiebaut (@0xThiebaut)
date: 2020-03-30
modified: 2022-11-08
tags:
- attack.discovery
- attack.t1087.002
logsource:
product: windows
service: security
definition: 'Requirements: The "Read all properties" permission on the user object needs to be audited for the "Everyone" principal'
detection:
selection:
EventID: 4662
# Using contains as the data commonly is structured as "%{bf967aba-0de6-11d0-a285-00aa003049e2}"
# The user class (https://learn.microsoft.com/en-us/windows/win32/adschema/c-user)
ObjectType|contains: 'bf967aba-0de6-11d0-a285-00aa003049e2'
AccessMask|endswith:
# Note: Since the Access Mask can have more than once permission we need to add all permutations that include the READ property
- '1?' # This covers all access masks that are 1 bytes or shorter and the "Read Property" itself
- '3?' # Read Property + Write Property
- '4?' # Read Property + Delete Tree
- '7?' # Read Property + Write Property + Delete Tree
- '9?' # Read Property + List Object
- 'B?' # Read Property + Write Property + List Object
- 'D?' # Read Property + Delete Tree + List Object
- 'F?' # Covers usage of all possible 2 bytes permissions with any or none of the single byte permissions
filter_main_machine_accounts:
SubjectUserName|endswith: '$' # Exclude machine accounts
filter_main_msql:
SubjectUserName|startswith: 'MSOL_' # https://learn.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-accounts-permissions#ad-ds-connector-account
condition: selection and not 1 of filter_main_*
falsepositives:
- Administrators configuring new users.
level: medium
direct
medium
LSASS Access From Non System Account
Detects potential mimikatz-like tools accessing LSASS from non system account
view Sigma YAML
title: LSASS Access From Non System Account
id: 962fe167-e48d-4fd6-9974-11e5b9a5d6d1
status: test
description: Detects potential mimikatz-like tools accessing LSASS from non system account
references:
- https://threathunterplaybook.com/hunts/windows/170105-LSASSMemoryReadAccess/notebook.html
author: Roberto Rodriguez @Cyb3rWard0g
date: 2019-06-20
modified: 2023-12-11
tags:
- attack.credential-access
- attack.t1003.001
logsource:
product: windows
service: security
detection:
selection:
EventID:
- 4663
- 4656
AccessMask:
- '0x100000'
- '0x1010' # car.2019-04-004
- '0x1400'
- '0x1410' # car.2019-04-004
- '0x1418' # car.2019-04-004
- '0x1438' # car.2019-04-004
- '0x143a' # car.2019-04-004
- '0x1f0fff'
- '0x1f1fff'
- '0x1f2fff'
- '0x1f3fff'
- '0x40'
- '143a' # car.2019-04-004
- '1f0fff'
- '1f1fff'
- '1f2fff'
- '1f3fff'
# - '0x1000' # minimum access requirements to query basic info from service
ObjectType: 'Process'
ObjectName|endswith: '\lsass.exe'
filter_main_service_account:
SubjectUserName|endswith: '$'
filter_main_generic:
ProcessName|contains:
# Legitimate AV and EDR solutions
- ':\Program Files\'
- ':\Program Files (x86)\'
filter_main_wmiprvse:
ProcessName: 'C:\Windows\System32\wbem\WmiPrvSE.exe'
AccessMask: '0x1410'
filter_optional_steam:
ProcessName|contains: '\SteamLibrary\steamapps\'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Unknown
level: medium
direct
medium
Account Tampering - Suspicious Failed Logon Reasons
This method uses uncommon error codes on failed logons to determine suspicious activity and tampering with accounts that have been disabled or somehow restricted.
view Sigma YAML
title: Account Tampering - Suspicious Failed Logon Reasons
id: 9eb99343-d336-4020-a3cd-67f3819e68ee
status: test
description: This method uses uncommon error codes on failed logons to determine suspicious activity and tampering with accounts that have been disabled or somehow restricted.
references:
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4625
- https://twitter.com/SBousseaden/status/1101431884540710913
author: Florian Roth (Nextron Systems)
date: 2017-02-19
modified: 2025-10-17
tags:
- attack.persistence
- attack.privilege-escalation
- attack.initial-access
- attack.stealth
- attack.t1078
logsource:
product: windows
service: security
detection:
selection_eid:
EventID:
- 4625
- 4776
selection_status:
- Status:
- '0xC0000072' # User logon to account disabled by administrator
- '0xC000006F' # User logon outside authorized hours
- '0xC0000070' # User logon from unauthorized workstation
- '0xC0000413' # Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine
- '0xC000018C' # The logon request failed because the trust relationship between the primary domain and the trusted domain failed
- '0xC000015B' # The user has not been granted the requested logon type (aka logon right) at this machine
- SubStatus:
- '0xC0000072' # User logon to account disabled by administrator
- '0xC000006F' # User logon outside authorized hours
- '0xC0000070' # User logon from unauthorized workstation
- '0xC0000413' # Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine
- '0xC000018C' # The logon request failed because the trust relationship between the primary domain and the trusted domain failed
- '0xC000015B' # The user has not been granted the requested logon type (aka logon right) at this machine
filter:
SubjectUserSid: 'S-1-0-0'
condition: all of selection_* and not filter
falsepositives:
- User using a disabled account
level: medium
direct
low
OneLogin User Account Locked
Detects when an user account is locked or suspended.
view Sigma YAML
title: OneLogin User Account Locked
id: a717c561-d117-437e-b2d9-0118a7035d01
status: test
description: Detects when an user account is locked or suspended.
references:
- https://developers.onelogin.com/api-docs/1/events/event-resource/
author: Austin Songer @austinsonger
date: 2021-10-12
modified: 2022-12-25
tags:
- attack.impact
logsource:
product: onelogin
service: onelogin.events
detection:
selection1: # Locked via API
event_type_id: 532
selection2: # Locked via API
event_type_id: 553
selection3: # Suspended via API
event_type_id: 551
condition: 1 of selection*
falsepositives:
- System may lock or suspend user accounts.
level: low
direct
low
New Kubernetes Service Account Created
Detects creation of new Kubernetes service account, which could indicate an attacker's attempt to persist within a cluster.
view Sigma YAML
title: New Kubernetes Service Account Created
id: e31bae15-83ed-473e-bf31-faf4f8a17d36
related:
- id: 12d027c3-b48c-4d9d-8bb6-a732200034b2
type: derived
status: test
description: |
Detects creation of new Kubernetes service account, which could indicate an attacker's attempt to persist within a cluster.
references:
- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/container%20service%20account/
author: Leo Tsaousis (@laripping)
date: 2024-03-26
tags:
- attack.persistence
- attack.t1136
logsource:
category: application
product: kubernetes
service: audit
detection:
selection:
verb: 'create'
objectRef.resource: 'serviceaccounts'
condition: selection
falsepositives:
- Unknown
level: low
direct
low
Creation Of A Local User Account
Detects the creation of a new user account. Such accounts may be used for persistence that do not require persistent remote access tools to be deployed on the system.
view Sigma YAML
title: Creation Of A Local User Account
id: 51719bf5-e4fd-4e44-8ba8-b830e7ac0731
status: test
description: Detects the creation of a new user account. Such accounts may be used for persistence that do not require persistent remote access tools to be deployed on the system.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.001/T1136.001.md
- https://ss64.com/osx/sysadminctl.html
author: Alejandro Ortuno, oscd.community
date: 2020-10-06
modified: 2023-02-18
tags:
- attack.t1136.001
- attack.persistence
logsource:
category: process_creation
product: macos
detection:
selection_dscl:
Image|endswith: '/dscl'
CommandLine|contains: 'create'
selection_sysadminctl:
Image|endswith: '/sysadminctl'
CommandLine|contains: 'addUser'
condition: 1 of selection_*
falsepositives:
- Legitimate administration activities
level: low
direct
low
Guest Account Enabled Via Sysadminctl
Detects attempts to enable the guest account using the sysadminctl utility
view Sigma YAML
title: Guest Account Enabled Via Sysadminctl
id: d7329412-13bd-44ba-a072-3387f804a106
status: test
description: Detects attempts to enable the guest account using the sysadminctl utility
references:
- https://ss64.com/osx/sysadminctl.html
author: Sohan G (D4rkCiph3r)
date: 2023-02-18
tags:
- attack.privilege-escalation
- attack.persistence
- attack.initial-access
- attack.stealth
- attack.t1078
- attack.t1078.001
logsource:
category: process_creation
product: macos
detection:
selection:
Image|endswith: '/sysadminctl'
CommandLine|contains|all:
# By default the guest account is not active
- ' -guestAccount'
- ' on'
condition: selection
falsepositives:
- Unknown
level: low
Showing 1-42 of 42