Sigma rules for CVE-2021-34473
200 rules · scoped to cve · back to CVE-2021-34473
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.
title: Potential SpEL Injection In Spring Framework
id: e9edd087-89d8-48c9-b0b4-5b9bb10896b8
status: test
description: Detects potential SpEL Injection exploitation, which may lead to RCE.
references:
- https://owasp.org/www-community/vulnerabilities/Expression_Language_Injection
- https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs
author: Moti Harmats
date: 2023-02-11
tags:
- attack.initial-access
- attack.t1190
logsource:
category: application
product: spring
definition: 'Requirements: application error logs must be collected (with LOG_LEVEL=ERROR and above)'
detection:
keywords:
- 'org.springframework.expression.ExpressionException'
condition: keywords
falsepositives:
- Application bugs
level: high
title: Suspicious Microsoft Office Child Process - MacOS
id: 69483748-1525-4a6c-95ca-90dc8d431b68
status: test
description: Detects suspicious child processes spawning from microsoft office suite applications such as word or excel. This could indicates malicious macro execution
references:
- https://redcanary.com/blog/applescript/
- https://objective-see.org/blog/blog_0x4B.html
author: Sohan G (D4rkCiph3r)
date: 2023-01-31
modified: 2023-02-04
tags:
- attack.execution
- attack.persistence
- attack.t1059.002
- attack.t1137.002
- attack.t1204.002
logsource:
product: macos
category: process_creation
detection:
selection:
ParentImage|contains:
- 'Microsoft Word'
- 'Microsoft Excel'
- 'Microsoft PowerPoint'
- 'Microsoft OneNote'
Image|endswith:
- '/bash'
- '/curl'
- '/dash'
- '/fish'
- '/osacompile'
- '/osascript'
- '/sh'
- '/zsh'
- '/python'
- '/python3'
- '/wget'
condition: selection
falsepositives:
- Unknown
level: high
title: Binary Padding - MacOS
id: 95361ce5-c891-4b0a-87ca-e24607884a96
status: test
description: Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This rule detect using dd and truncate to add a junk data to file.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027.001/T1027.001.md
- https://linux.die.net/man/1/truncate
- https://linux.die.net/man/1/dd
author: 'Igor Fits, Mikhail Larin, oscd.community'
date: 2020-10-19
modified: 2023-02-17
tags:
- attack.stealth
- attack.t1027.001
logsource:
product: macos
category: process_creation
detection:
selection_truncate:
Image|endswith: '/truncate'
CommandLine|contains: '-s +'
selection_dd:
Image|endswith: '/dd'
CommandLine|contains:
- 'if=/dev/zero' # if input is not /dev/zero, then there is no null padding
- 'if=/dev/random' # high-quality random data
- 'if=/dev/urandom' # low-quality random data
condition: 1 of selection_*
falsepositives:
- Legitimate script work
level: high
title: JXA In-memory Execution Via OSAScript
id: f1408a58-0e94-4165-b80a-da9f96cf6fc3
related:
- id: 1bc2e6c5-0885-472b-bed6-be5ea8eace55
type: derived
status: test
description: Detects possible malicious execution of JXA in-memory via OSAScript
references:
- https://redcanary.com/blog/applescript/
author: Sohan G (D4rkCiph3r)
date: 2023-01-31
tags:
- attack.t1059.002
- attack.t1059.007
- attack.execution
logsource:
product: macos
category: process_creation
detection:
selection_main:
CommandLine|contains|all:
- 'osascript'
- ' -e '
- 'eval'
- 'NSData.dataWithContentsOfURL'
selection_js:
- CommandLine|contains|all:
- ' -l '
- 'JavaScript'
- CommandLine|contains: '.js'
condition: all of selection_*
falsepositives:
- Unknown
level: high
title: Credentials In Files
id: 53b1b378-9b06-4992-b972-dde6e423d2b4
status: test
description: Detecting attempts to extract passwords with grep and laZagne
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md
author: 'Igor Fits, Mikhail Larin, oscd.community'
date: 2020-10-19
modified: 2021-11-27
tags:
- attack.credential-access
- attack.t1552.001
logsource:
product: macos
category: process_creation
detection:
selection1:
Image|endswith: '/grep'
CommandLine|contains: 'password'
selection2:
CommandLine|contains: 'laZagne'
condition: 1 of selection*
falsepositives:
- Unknown
level: high
title: Clipboard Data Collection Via OSAScript
id: 7794fa3c-edea-4cff-bec7-267dd4770fd7
related:
- id: 1bc2e6c5-0885-472b-bed6-be5ea8eace55
type: derived
status: test
description: Detects possible collection of data from the clipboard via execution of the osascript binary
references:
- https://www.sentinelone.com/blog/how-offensive-actors-use-applescript-for-attacking-macos/
author: Sohan G (D4rkCiph3r)
date: 2023-01-31
tags:
- attack.collection
- attack.execution
- attack.t1115
- attack.t1059.002
logsource:
product: macos
category: process_creation
detection:
selection:
CommandLine|contains|all:
- 'osascript'
- ' -e '
- 'clipboard'
condition: selection
falsepositives:
- Unlikely
level: high
title: Potential Base64 Decoded From Images
id: 09a910bf-f71f-4737-9c40-88880ba5913d
status: test
description: |
Detects the use of tail to extract bytes at an offset from an image and then decode the base64 value to create a new file with the decoded content. The detected execution is a bash one-liner.
references:
- https://www.virustotal.com/gui/file/16bafdf741e7a13137c489f3c8db1334f171c7cb13b62617d691b0a64783cc48/behavior
- https://www.virustotal.com/gui/file/483fafc64a2b84197e1ef6a3f51e443f84dc5742602e08b9e8ec6ad690b34ed0/behavior
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2023-12-20
tags:
- attack.stealth
- attack.t1140
logsource:
product: macos
category: process_creation
detection:
# Example: /bin/bash sh -c tail -c +21453 '/Volumes/Installer/Installer.app/Contents/Resources/workout-logo.jpeg' | base64 --decode > /tmp/54A0A2CD-FAD1-4D4D-AAF5-5266F6344ABE.zip
# VT Query: 'behavior_processes:"tail" (behavior_processes:"jpeg" or behavior_processes:"jpg" or behavior_processes:"png" or behavior_processes:"gif") behavior_processes:"base64" behavior_processes:"--decode >" and tag:dmg'
selection_image:
Image|endswith: '/bash'
selection_view:
CommandLine|contains|all:
- 'tail'
- '-c'
selection_b64:
CommandLine|contains|all:
- 'base64'
- '-d' # Also covers "--decode"
- '>'
selection_files:
CommandLine|contains:
- '.avif'
- '.gif'
- '.jfif'
- '.jpeg'
- '.jpg'
- '.pjp'
- '.pjpeg'
- '.png'
- '.svg'
- '.webp'
condition: all of selection_*
falsepositives:
- Unknown
level: high
title: AWS IAM S3Browser User or AccessKey Creation
id: db014773-d9d9-4792-91e5-133337c0ffee
status: test
description: Detects S3 Browser utility creating IAM User or AccessKey.
references:
- https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor
author: daniel.bohannon@permiso.io (@danielhbohannon)
date: 2023-05-17
tags:
- attack.privilege-escalation
- attack.execution
- attack.persistence
- attack.initial-access
- attack.stealth
- attack.t1059.009
- attack.t1078.004
logsource:
product: aws
service: cloudtrail
detection:
selection:
eventSource: 'iam.amazonaws.com'
eventName:
- 'CreateUser'
- 'CreateAccessKey'
userAgent|contains: 'S3 Browser'
condition: selection
falsepositives:
- Valid usage of S3 Browser for IAM User and/or AccessKey creation
level: high
title: AWS Identity Center Identity Provider Change
id: d3adb3ef-b7e7-4003-9092-1924c797db35
status: test
description: |
Detects a change in the AWS Identity Center (FKA AWS SSO) identity provider.
A change in identity provider allows an attacker to establish persistent access or escalate privileges via user impersonation.
references:
- https://docs.aws.amazon.com/singlesignon/latest/userguide/app-enablement.html
- https://docs.aws.amazon.com/singlesignon/latest/userguide/sso-info-in-cloudtrail.html
- https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiamidentitycentersuccessortoawssinglesign-on.html
author: Michael McIntyre @wtfender
date: 2023-09-27
tags:
- attack.persistence
- attack.credential-access
- attack.defense-impairment
- attack.t1556
logsource:
product: aws
service: cloudtrail
detection:
selection:
eventSource:
- 'sso-directory.amazonaws.com'
- 'sso.amazonaws.com'
eventName:
- 'AssociateDirectory'
- 'DisableExternalIdPConfigurationForDirectory'
- 'DisassociateDirectory'
- 'EnableExternalIdPConfigurationForDirectory'
condition: selection
falsepositives:
- Authorized changes to the AWS account's identity provider
level: high
title: AWS EC2 Startup Shell Script Change
id: 1ab3c5ed-5baf-417b-bb6b-78ca33f6c3df
status: test
description: Detects changes to the EC2 instance startup script. The shell script will be executed as root/SYSTEM every time the specific instances are booted up.
references:
- https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/ec2__startup_shell_script/main.py#L9
author: faloker
date: 2020-02-12
modified: 2022-06-07
tags:
- attack.execution
- attack.t1059.001
- attack.t1059.003
- attack.t1059.004
logsource:
product: aws
service: cloudtrail
detection:
selection_source:
eventSource: ec2.amazonaws.com
requestParameters.attribute: 'userData'
eventName: ModifyInstanceAttribute
condition: selection_source
falsepositives:
- Valid changes to the startup script
level: high
title: Modification or Deletion of an AWS RDS Cluster
id: 457cc9ac-d8e6-4d1d-8c0e-251d0f11a74c
status: experimental
description: Detects modifications to an RDS cluster or its deletion, which may indicate potential data exfiltration attempts, unauthorized access, or exposure of sensitive information.
references:
- https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_ModifyDBCluster.html
- https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DeleteDBCluster.html
- https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-privilege-escalation/aws-rds-privesc#rds-modifydbinstance
author: Ivan Saakov
date: 2024-12-06
tags:
- attack.exfiltration
- attack.t1020
logsource:
product: aws
service: cloudtrail
detection:
selection:
eventSource: rds.amazonaws.com
eventName:
- ModifyDBCluster
- DeleteDBCluster
condition: selection
falsepositives:
- Verify if the modification or deletion was performed by an authorized administrator.
- Confirm if the modification or deletion was part of a planned change or maintenance activity.
level: high
title: Malicious Usage Of IMDS Credentials Outside Of AWS Infrastructure
id: 352a918a-34d8-4882-8470-44830c507aa3
status: test
description: |
Detects when an instance identity has taken an action that isn't inside SSM.
This can indicate that a compromised EC2 instance is being used as a pivot point.
references:
- https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-identity-roles.html
- https://ermetic.com/blog/aws/aws-ec2-imds-what-you-need-to-know/
- https://www.packetmischief.ca/2023/07/31/amazon-ec2-credential-exfiltration-how-it-happens-and-how-to-mitigate-it/#lifting-credentials-from-imds-this-is-why-we-cant-have-nice-things
author: jamesc-grafana
date: 2024-07-11
tags:
- attack.privilege-escalation
- attack.initial-access
- attack.persistence
- attack.stealth
- attack.t1078
- attack.t1078.002
logsource:
product: aws
service: cloudtrail
detection:
selection:
userIdentity.arn|re: '.+:assumed-role/aws:.+'
filter_main_generic:
- eventSource: 'ssm.amazonaws.com'
- eventName: 'RegisterManagedInstance'
- sourceIPAddress: 'AWS Internal'
condition: selection and not 1 of filter_main_*
falsepositives:
- A team has configured an EC2 instance to use instance profiles that grant the option for the EC2 instance to talk to other AWS Services
level: high
title: AWS User Login Profile Was Modified
id: 055fb148-60f8-462d-ad16-26926ce050f1
status: test
description: |
Detects activity when someone is changing passwords on behalf of other users.
An attacker with the "iam:UpdateLoginProfile" permission on other users can change the password used to login to the AWS console on any user that already has a login profile setup.
references:
- https://github.com/RhinoSecurityLabs/AWS-IAM-Privilege-Escalation
author: toffeebr33k
date: 2021-08-09
modified: 2024-04-26
tags:
- attack.persistence
- attack.privilege-escalation
- attack.t1098
logsource:
product: aws
service: cloudtrail
detection:
selection:
eventSource: 'iam.amazonaws.com'
eventName: 'UpdateLoginProfile'
filter_main_user_identity:
userIdentity.arn|fieldref: requestParameters.userName
condition: selection and not 1 of filter_main_*
falsepositives:
- Legitimate user account administration
level: high
title: Restore Public AWS RDS Instance
id: c3f265c7-ff03-4056-8ab2-d486227b4599
status: test
description: Detects the recovery of a new public database instance from a snapshot. It may be a part of data exfiltration.
references:
- https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/rds__explore_snapshots/main.py
author: faloker
date: 2020-02-12
modified: 2022-10-09
tags:
- attack.exfiltration
- attack.t1020
logsource:
product: aws
service: cloudtrail
detection:
selection_source:
eventSource: rds.amazonaws.com
responseElements.publiclyAccessible: 'true'
eventName: RestoreDBInstanceFromDBSnapshot
condition: selection_source
falsepositives:
- Unknown
level: high
title: AWS IAM S3Browser LoginProfile Creation
id: db014773-b1d3-46bd-ba26-133337c0ffee
status: test
description: Detects S3 Browser utility performing reconnaissance looking for existing IAM Users without a LoginProfile defined then (when found) creating a LoginProfile.
references:
- https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor
author: daniel.bohannon@permiso.io (@danielhbohannon)
date: 2023-05-17
tags:
- attack.execution
- attack.persistence
- attack.initial-access
- attack.privilege-escalation
- attack.stealth
- attack.t1059.009
- attack.t1078.004
logsource:
product: aws
service: cloudtrail
detection:
selection:
eventSource: 'iam.amazonaws.com'
eventName:
- 'GetLoginProfile'
- 'CreateLoginProfile'
userAgent|contains: 'S3 Browser'
condition: selection
falsepositives:
- Valid usage of S3 Browser for IAM LoginProfile listing and/or creation
level: high
title: Potential Malicious Usage of CloudTrail System Manager
id: 38e7f511-3f74-41d4-836e-f57dfa18eead
status: test
description: |
Detect when System Manager successfully executes commands against an instance.
references:
- https://github.com/elastic/detection-rules/blob/v8.6.0/rules/integrations/aws/initial_access_via_system_manager.toml
author: jamesc-grafana
date: 2024-07-11
modified: 2025-12-08
tags:
- attack.privilege-escalation
- attack.initial-access
- attack.t1566
- attack.t1566.002
logsource:
product: aws
service: cloudtrail
detection:
selection_event:
eventName: 'SendCommand'
eventSource: 'ssm.amazonaws.com'
selection_status_success:
errorCode: 'Success'
selection_status_null:
errorCode: null
condition: selection_event and 1 of selection_status_*
falsepositives:
- There are legitimate uses of SSM to send commands to EC2 instances
- Legitimate users may have to use SSM to perform actions against machines in the Cloud to update or maintain them
level: high
title: AWS IAM S3Browser Templated S3 Bucket Policy Creation
id: db014773-7375-4f4e-b83b-133337c0ffee
status: test
description: Detects S3 browser utility creating Inline IAM policy containing default S3 bucket name placeholder value of "<YOUR-BUCKET-NAME>".
references:
- https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor
author: daniel.bohannon@permiso.io (@danielhbohannon)
date: 2023-05-17
tags:
- attack.execution
- attack.stealth
- attack.t1059.009
- attack.persistence
- attack.initial-access
- attack.privilege-escalation
- attack.t1078.004
logsource:
product: aws
service: cloudtrail
detection:
selection:
eventSource: iam.amazonaws.com
eventName: PutUserPolicy
userAgent|contains: 'S3 Browser'
requestParameters|contains|all:
- '"arn:aws:s3:::<YOUR-BUCKET-NAME>/*"'
- '"s3:GetObject"'
- '"Allow"'
condition: selection
falsepositives:
- Valid usage of S3 browser with accidental creation of default Inline IAM policy without changing default S3 bucket name placeholder value
level: high
title: AWS KMS Imported Key Material Usage
id: 1279262f-1464-422f-ac0d-5b545320c526
status: experimental
description: |
Detects the import or deletion of key material in AWS KMS, which can be used as part of ransomware attacks. This activity is uncommon and provides a high certainty signal.
references:
- https://www.chrisfarris.com/post/effective-aws-ransomware/
- https://docs.aws.amazon.com/kms/latest/developerguide/ct-importkeymaterial.html
- https://docs.aws.amazon.com/kms/latest/developerguide/ct-deleteimportedkeymaterial.html
author: toopricey
date: 2025-10-18
tags:
- attack.impact
- attack.t1486
- attack.resource-development
- attack.t1608.003
logsource:
product: aws
service: cloudtrail
detection:
selection:
eventSource: 'kms.amazonaws.com'
eventName:
- 'ImportKeyMaterial'
- 'DeleteImportedKeyMaterial'
condition: selection
falsepositives:
- Legitimate use cases for imported key material are rare, but may include, Organizations with hybrid cloud architectures that import external key material for compliance requirements.
- Development or testing environments that simulate external key management scenarios. Even in these cases, such activity is typically infrequent and should not add significant noise.
level: high
title: Suspicious Inbox Forwarding Identity Protection
id: 27e4f1d6-ae72-4ea0-8a67-77a73a289c3d
status: test
description: Indicates suspicious rules such as an inbox rule that forwards a copy of all emails to an external address
references:
- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#suspicious-inbox-forwarding
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
date: 2023-09-03
tags:
- attack.t1114.003
- attack.collection
logsource:
product: azure
service: riskdetection
detection:
selection:
riskEventType: 'suspiciousInboxForwarding'
condition: selection
falsepositives:
- A legitimate forwarding rule.
level: high
title: Anomalous Token
id: 6555754e-5e7f-4a67-ad1c-4041c413a007
status: test
description: Indicates that there are abnormal characteristics in the token such as an unusual token lifetime or a token that is played from an unfamiliar location.
references:
- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#anomalous-token
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
author: Mark Morowczynski '@markmorow'
date: 2023-08-07
tags:
- attack.t1528
- attack.credential-access
logsource:
product: azure
service: riskdetection
detection:
selection:
riskEventType: 'anomalousToken'
condition: selection
falsepositives:
- We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user.
level: high
title: Password Spray Activity
id: 28ecba0a-c743-4690-ad29-9a8f6f25a6f9
status: test
description: Indicates that a password spray attack has been successfully performed.
references:
- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#password-spray
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
date: 2023-09-03
tags:
- attack.t1110
- attack.credential-access
logsource:
product: azure
service: riskdetection
detection:
selection:
riskEventType: 'passwordSpray'
condition: selection
falsepositives:
- We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user.
level: high
title: Azure AD Account Credential Leaked
id: 19128e5e-4743-48dc-bd97-52e5775af817
status: test
description: Indicates that the user's valid credentials have been leaked.
references:
- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#leaked-credentials
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
date: 2023-09-03
tags:
- attack.t1589
- attack.reconnaissance
logsource:
product: azure
service: riskdetection
detection:
selection:
riskEventType: 'leakedCredentials'
condition: selection
falsepositives:
- A rare hash collision.
level: high
title: Activity From Anonymous IP Address
id: be4d9c86-d702-4030-b52e-c7859110e5e8
status: test
description: Identifies that users were active from an IP address that has been identified as an anonymous proxy IP address.
references:
- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#activity-from-anonymous-ip-address
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
date: 2023-09-03
tags:
- attack.stealth
- attack.t1078
- attack.persistence
- attack.privilege-escalation
- attack.initial-access
logsource:
product: azure
service: riskdetection
detection:
selection:
riskEventType: 'riskyIPAddress'
condition: selection
falsepositives:
- We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user.
level: high
title: Suspicious Browser Activity
id: 944f6adb-7a99-4c69-80c1-b712579e93e6
status: test
description: Indicates anomalous behavior based on suspicious sign-in activity across multiple tenants from different countries in the same browser
references:
- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#suspicious-browser
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
date: 2023-09-03
tags:
- attack.stealth
- attack.t1078
- attack.persistence
- attack.privilege-escalation
- attack.initial-access
logsource:
product: azure
service: riskdetection
detection:
selection:
riskEventType: 'suspiciousBrowser'
condition: selection
falsepositives:
- We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user.
level: high
title: Primary Refresh Token Access Attempt
id: a84fc3b1-c9ce-4125-8e74-bdcdb24021f1
status: test
description: Indicates access attempt to the PRT resource which can be used to move laterally into an organization or perform credential theft
references:
- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#possible-attempt-to-access-primary-refresh-token-prt
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
date: 2023-09-07
tags:
- attack.t1528
- attack.credential-access
logsource:
product: azure
service: riskdetection
detection:
selection:
riskEventType: 'attemptedPrtAccess'
condition: selection
falsepositives:
- This detection is low-volume and is seen infrequently in most organizations. When this detection appears it's high risk, and users should be remediated.
level: high
title: New Country
id: adf9f4d2-559e-4f5c-95be-c28dff0b1476
status: test
description: Detects sign-ins from new countries. The detection considers past activity locations to determine new and infrequent locations.
references:
- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#new-country
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
date: 2023-09-03
tags:
- attack.stealth
- attack.t1078
- attack.persistence
- attack.privilege-escalation
- attack.initial-access
logsource:
product: azure
service: riskdetection
detection:
selection:
riskEventType: 'newCountry'
condition: selection
falsepositives:
- We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user.
level: high
title: Malicious IP Address Sign-In Failure Rate
id: a3f55ebd-0c01-4ed6-adc0-8fb76d8cd3cd
status: test
description: Indicates sign-in from a malicious IP address based on high failure rates.
references:
- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#malicious-ip-address
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
date: 2023-09-07
tags:
- attack.t1090
- attack.command-and-control
logsource:
product: azure
service: riskdetection
detection:
selection:
riskEventType: 'maliciousIPAddress'
condition: selection
falsepositives:
- We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user.
level: high
title: SAML Token Issuer Anomaly
id: e3393cba-31f0-4207-831e-aef90ab17a8c
status: test
description: Indicates the SAML token issuer for the associated SAML token is potentially compromised. The claims included in the token are unusual or match known attacker patterns
references:
- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#token-issuer-anomaly
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
date: 2023-09-03
tags:
- attack.t1606
- attack.credential-access
logsource:
product: azure
service: riskdetection
detection:
selection:
riskEventType: 'tokenIssuerAnomaly'
condition: selection
falsepositives:
- We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user.
level: high
title: Malicious IP Address Sign-In Suspicious
id: 36440e1c-5c22-467a-889b-593e66498472
status: test
description: Indicates sign-in from a malicious IP address known to be malicious at time of sign-in.
references:
- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#malicious-ip-address
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
date: 2023-09-07
tags:
- attack.t1090
- attack.command-and-control
logsource:
product: azure
service: riskdetection
detection:
selection:
riskEventType: 'suspiciousIPAddress'
condition: selection
falsepositives:
- We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user.
level: high
title: Sign-In From Malware Infected IP
id: 821b4dc3-1295-41e7-b157-39ab212dd6bd
status: test
description: Indicates sign-ins from IP addresses infected with malware that is known to actively communicate with a bot server.
references:
- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#malware-linked-ip-address-deprecated
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
date: 2023-09-03
tags:
- attack.t1090
- attack.command-and-control
logsource:
product: azure
service: riskdetection
detection:
selection:
riskEventType: 'malwareInfectedIPAddress'
condition: selection
falsepositives:
- Using an IP address that is shared by many users
level: high
title: Suspicious Inbox Manipulation Rules
id: ceb55fd0-726e-4656-bf4e-b585b7f7d572
status: test
description: Detects suspicious rules that delete or move messages or folders are set on a user's inbox.
references:
- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#suspicious-inbox-manipulation-rules
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
date: 2023-09-03
tags:
- attack.stealth
- attack.t1140
logsource:
product: azure
service: riskdetection
detection:
selection:
riskEventType: 'mcasSuspiciousInboxManipulationRules'
condition: selection
falsepositives:
- Actual mailbox rules that are moving items based on their workflow.
level: high
title: Unfamiliar Sign-In Properties
id: 128faeef-79dd-44ca-b43c-a9e236a60f49
status: test
description: Detects sign-in with properties that are unfamiliar to the user. The detection considers past sign-in history to look for anomalous sign-ins.
references:
- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#unfamiliar-sign-in-properties
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
date: 2023-09-03
tags:
- attack.stealth
- attack.t1078
- attack.persistence
- attack.privilege-escalation
- attack.initial-access
logsource:
product: azure
service: riskdetection
detection:
selection:
riskEventType: 'unfamiliarFeatures'
condition: selection
falsepositives:
- User changing to a new device, location, browser, etc.
level: high
title: Atypical Travel
id: 1a41023f-1e70-4026-921a-4d9341a9038e
status: test
description: Identifies two sign-ins originating from geographically distant locations, where at least one of the locations may also be atypical for the user, given past behavior.
references:
- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#atypical-travel
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
date: 2023-09-03
tags:
- attack.stealth
- attack.t1078
- attack.persistence
- attack.privilege-escalation
- attack.initial-access
logsource:
product: azure
service: riskdetection
detection:
selection:
riskEventType: 'unlikelyTravel'
condition: selection
falsepositives:
- We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user.
level: high
title: Anonymous IP Address
id: 53acd925-2003-440d-a1f3-71a5253fe237
status: test
description: Indicates sign-ins from an anonymous IP address, for example, using an anonymous browser or VPN.
references:
- https://learn.microsoft.com/en-us/graph/api/resources/riskdetection?view=graph-rest-1.0
- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#anonymous-ip-address
author: Gloria Lee, '@gleeiamglo'
date: 2023-08-22
tags:
- attack.t1528
- attack.credential-access
logsource:
product: azure
service: riskdetection
detection:
selection:
riskEventType: 'anonymizedIPAddress'
condition: selection
falsepositives:
- We recommend investigating the sessions flagged by this detection in the context of other sign-ins
level: high
title: Anomalous User Activity
id: 258b6593-215d-4a26-a141-c8e31c1299a6
status: test
description: Indicates that there are anomalous patterns of behavior like suspicious changes to the directory.
references:
- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#anomalous-user-activity
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
date: 2023-09-03
tags:
- attack.privilege-escalation
- attack.t1098
- attack.persistence
logsource:
product: azure
service: riskdetection
detection:
selection:
riskEventType: 'anomalousUserActivity'
condition: selection
falsepositives:
- We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user.
level: high
title: Azure AD Threat Intelligence
id: a2cb56ff-4f46-437a-a0fa-ffa4d1303cba
status: test
description: Indicates user activity that is unusual for the user or consistent with known attack patterns.
references:
- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#azure-ad-threat-intelligence-sign-in
- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#azure-ad-threat-intelligence-user
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
date: 2023-09-07
tags:
- attack.stealth
- attack.t1078
- attack.persistence
- attack.privilege-escalation
- attack.initial-access
logsource:
product: azure
service: riskdetection
detection:
selection:
riskEventType: 'investigationsThreatIntelligence'
condition: selection
falsepositives:
- We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user.
level: high
title: Impossible Travel
id: b2572bf9-e20a-4594-b528-40bde666525a
status: test
description: Identifies user activities originating from geographically distant locations within a time period shorter than the time it takes to travel from the first location to the second.
references:
- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#impossible-travel
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
date: 2023-09-03
tags:
- attack.stealth
- attack.t1078
- attack.persistence
- attack.privilege-escalation
- attack.initial-access
logsource:
product: azure
service: riskdetection
detection:
selection:
riskEventType: 'impossibleTravel'
condition: selection
falsepositives:
- Connecting to a VPN, performing activity and then dropping and performing additional activity.
level: high
title: Potential MFA Bypass Using Legacy Client Authentication
id: 53bb4f7f-48a8-4475-ac30-5a82ddfdf6fc
status: test
description: Detects successful authentication from potential clients using legacy authentication via user agent strings. This could be a sign of MFA bypass using a password spray attack.
references:
- https://web.archive.org/web/20230217071802/https://blooteem.com/march-2022
- https://www.microsoft.com/en-us/security/blog/2021/10/26/protect-your-business-from-password-sprays-with-microsoft-dart-recommendations/
author: Harjot Singh, '@cyb3rjy0t'
date: 2023-03-20
tags:
- attack.privilege-escalation
- attack.persistence
- attack.initial-access
- attack.credential-access
- attack.stealth
- attack.t1078.004
- attack.t1110
logsource:
product: azure
service: signinlogs
detection:
selection:
Status: 'Success'
userAgent|contains:
- 'BAV2ROPC'
- 'CBAinPROD'
- 'CBAinTAR'
condition: selection
falsepositives:
- Known Legacy Accounts
level: high
title: Discovery Using AzureHound
id: 35b781cc-1a08-4a5a-80af-42fd7c315c6b
status: test
description: Detects AzureHound (A BloodHound data collector for Microsoft Azure) activity via the default User-Agent that is used during its operation after successful authentication.
references:
- https://github.com/BloodHoundAD/AzureHound
author: Janantha Marasinghe
date: 2022-11-27
tags:
- attack.discovery
- attack.t1087.004
- attack.t1526
logsource:
product: azure
service: signinlogs
detection:
selection:
userAgent|contains: 'azurehound'
ResultType: 0
condition: selection
falsepositives:
- Unknown
level: high
title: Suspicious SignIns From A Non Registered Device
id: 572b12d4-9062-11ed-a1eb-0242ac120002
status: test
description: Detects risky authentication from a non AD registered device without MFA being required.
references:
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#non-compliant-device-sign-in
author: Harjot Singh, '@cyb3rjy0t'
date: 2023-01-10
modified: 2025-07-02
tags:
- attack.privilege-escalation
- attack.persistence
- attack.initial-access
- attack.stealth
- attack.t1078
logsource:
product: azure
service: signinlogs
detection:
selection_main:
Status: 'Success'
AuthenticationRequirement: 'singleFactorAuthentication'
RiskState: 'atRisk'
selection_empty1:
DeviceDetail.trusttype: ''
selection_empty2:
DeviceDetail.trusttype: null
condition: selection_main and 1 of selection_empty*
falsepositives:
- Unknown
level: high
title: Sign-in Failure Due to Conditional Access Requirements Not Met
id: b4a6d707-9430-4f5f-af68-0337f52d5c42
status: test
description: Define a baseline threshold for failed sign-ins due to Conditional Access failures
references:
- https://learn.microsoft.com/en-gb/entra/architecture/security-operations-privileged-accounts
author: Yochana Henderson, '@Yochana-H'
date: 2022-06-01
tags:
- attack.privilege-escalation
- attack.persistence
- attack.initial-access
- attack.credential-access
- attack.stealth
- attack.t1110
- attack.t1078.004
logsource:
product: azure
service: signinlogs
detection:
selection:
ResultType: 53003
Resultdescription: Blocked by Conditional Access
condition: selection
falsepositives:
- Service Account misconfigured
- Misconfigured Systems
- Vulnerability Scanners
level: high
title: Sign-ins from Non-Compliant Devices
id: 4f77e1d7-3982-4ee0-8489-abf2d6b75284
status: test
description: Monitor and alert for sign-ins where the device was non-compliant.
references:
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#non-compliant-device-sign-in
author: Michael Epping, '@mepples21'
date: 2022-06-28
tags:
- attack.privilege-escalation
- attack.persistence
- attack.initial-access
- attack.stealth
- attack.t1078.004
logsource:
product: azure
service: signinlogs
detection:
selection:
DeviceDetail.isCompliant: 'false'
condition: selection
falsepositives:
- Unknown
level: high
title: Use of Legacy Authentication Protocols
id: 60f6535a-760f-42a9-be3f-c9a0a025906e
status: test
description: Alert on when legacy authentication has been used on an account
references:
- https://learn.microsoft.com/en-gb/entra/architecture/security-operations-privileged-accounts
author: Yochana Henderson, '@Yochana-H'
date: 2022-06-17
tags:
- attack.privilege-escalation
- attack.persistence
- attack.initial-access
- attack.credential-access
- attack.stealth
- attack.t1078.004
- attack.t1110
logsource:
product: azure
service: signinlogs
detection:
selection:
ActivityDetails: Sign-ins
ClientApp:
- Other client
- IMAP
- POP3
- MAPI
- SMTP
- Exchange ActiveSync
- Exchange Web Services
Username: 'UPN'
condition: selection
falsepositives:
- User has been put in acception group so they can use legacy authentication
level: high
title: Roles Assigned Outside PIM
id: b1bc08d1-8224-4758-a0e6-fbcfc98c73bb
status: test
description: Identifies when a privilege role assignment has taken place outside of PIM and may indicate an attack.
references:
- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#roles-are-being-assigned-outside-of-privileged-identity-management
author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
date: 2023-09-14
tags:
- attack.initial-access
- attack.stealth
- attack.t1078
- attack.persistence
- attack.privilege-escalation
logsource:
product: azure
service: pim
detection:
selection:
riskEventType: 'rolesAssignedOutsidePrivilegedIdentityManagementAlertConfiguration'
condition: selection
falsepositives:
- Investigate where users are being assigned privileged roles outside of Privileged Identity Management and prohibit future assignments from there.
level: high
title: Roles Activated Too Frequently
id: 645fd80d-6c07-435b-9e06-7bc1b5656cba
status: test
description: Identifies when the same privilege role has multiple activations by the same user.
references:
- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#roles-are-being-activated-too-frequently
author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
date: 2023-09-14
tags:
- attack.initial-access
- attack.stealth
- attack.t1078
- attack.persistence
- attack.privilege-escalation
logsource:
product: azure
service: pim
detection:
selection:
riskEventType: 'sequentialActivationRenewalsAlertIncident'
condition: selection
falsepositives:
- Investigate where if active time period for a role is set too short.
level: high
title: Roles Activation Doesn't Require MFA
id: 94a66f46-5b64-46ce-80b2-75dcbe627cc0
status: test
description: Identifies when a privilege role can be activated without performing mfa.
references:
- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#roles-dont-require-multi-factor-authentication-for-activation
author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
date: 2023-09-14
tags:
- attack.initial-access
- attack.stealth
- attack.t1078
- attack.persistence
- attack.privilege-escalation
logsource:
product: azure
service: pim
detection:
selection:
riskEventType: 'noMfaOnRoleActivationAlertIncident'
condition: selection
falsepositives:
- Investigate if user is performing MFA at sign-in.
level: high
title: Too Many Global Admins
id: 7bbc309f-e2b1-4eb1-8369-131a367d67d3
status: test
description: Identifies an event where there are there are too many accounts assigned the Global Administrator role.
references:
- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#there-are-too-many-global-administrators
author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
date: 2023-09-14
tags:
- attack.initial-access
- attack.stealth
- attack.t1078
- attack.persistence
- attack.privilege-escalation
logsource:
product: azure
service: pim
detection:
selection:
riskEventType: 'tooManyGlobalAdminsAssignedToTenantAlertIncident'
condition: selection
falsepositives:
- Investigate if threshold setting in PIM is too low.
level: high
title: Stale Accounts In A Privileged Role
id: e402c26a-267a-45bd-9615-bd9ceda6da85
status: test
description: Identifies when an account hasn't signed in during the past n number of days.
references:
- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#potential-stale-accounts-in-a-privileged-role
author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
date: 2023-09-14
tags:
- attack.initial-access
- attack.stealth
- attack.t1078
- attack.persistence
- attack.privilege-escalation
logsource:
product: azure
service: pim
detection:
selection:
riskEventType: 'staleSignInAlertIncident'
condition: selection
falsepositives:
- Investigate if potential generic account that cannot be removed.
level: high
title: Roles Are Not Being Used
id: 8c6ec464-4ae4-43ac-936a-291da66ed13d
status: test
description: Identifies when a user has been assigned a privilege role and are not using that role.
references:
- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#administrators-arent-using-their-privileged-roles
author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
date: 2023-09-14
tags:
- attack.initial-access
- attack.stealth
- attack.t1078
- attack.persistence
- attack.privilege-escalation
logsource:
product: azure
service: pim
detection:
selection:
riskEventType: 'redundantAssignmentAlertIncident'
condition: selection
falsepositives:
- Investigate if potential generic account that cannot be removed.
level: high
title: Invalid PIM License
id: 58af08eb-f9e1-43c8-9805-3ad9b0482bd8
status: test
description: Identifies when an organization doesn't have the proper license for PIM and is out of compliance.
references:
- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#the-organization-doesnt-have-microsoft-entra-premium-p2-or-microsoft-entra-id-governance
author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
date: 2023-09-14
tags:
- attack.initial-access
- attack.stealth
- attack.t1078
- attack.persistence
- attack.privilege-escalation
logsource:
product: azure
service: pim
detection:
selection:
riskEventType: 'invalidLicenseAlertIncident'
condition: selection
falsepositives:
- Investigate if licenses have expired.
level: high