Sigma rules for CVE-2021-36786
3 rules · scoped to cve · back to CVE-2021-36786
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.
title: SAML Token Issuer Anomaly
id: e3393cba-31f0-4207-831e-aef90ab17a8c
status: test
description: Indicates the SAML token issuer for the associated SAML token is potentially compromised. The claims included in the token are unusual or match known attacker patterns
references:
- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#token-issuer-anomaly
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
date: 2023-09-03
tags:
- attack.t1606
- attack.credential-access
logsource:
product: azure
service: riskdetection
detection:
selection:
riskEventType: 'tokenIssuerAnomaly'
condition: selection
falsepositives:
- We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user.
level: high
title: AWS SAML Provider Deletion Activity
id: ccd6a6c8-bb4e-4a91-9d2a-07e632819374
status: experimental
description: |
Detects the deletion of an AWS SAML provider, potentially indicating malicious intent to disrupt administrative or security team access.
An attacker can remove the SAML provider for the information security team or a team of system administrators, to make it difficult for them to work and investigate at the time of the attack and after it.
references:
- https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteSAMLProvider.html
author: Ivan Saakov
date: 2024-12-19
tags:
- attack.stealth
- attack.t1078.004
- attack.privilege-escalation
- attack.initial-access
- attack.persistence
- attack.t1531
- attack.impact
logsource:
product: aws
service: cloudtrail
detection:
selection:
eventSource: 'iam.amazonaws.com'
eventName: 'DeleteSAMLProvider'
status: 'success'
condition: selection
falsepositives:
- Automated processes using tools like Terraform may trigger this alert.
- Legitimate administrative actions by authorized system administrators could cause this alert. Verify the user identity, user agent, and hostname to ensure they are expected.
- Deletions by unfamiliar users should be investigated. If the behavior is known and expected, it can be exempted from the rule.
level: medium
title: AWS Suspicious SAML Activity
id: f43f5d2f-3f2a-4cc8-b1af-81fde7dbaf0e
status: test
description: Identifies when suspicious SAML activity has occurred in AWS. An adversary could gain backdoor access via SAML.
references:
- https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateSAMLProvider.html
- https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithSAML.html
author: Austin Songer
date: 2021-09-22
modified: 2022-12-18
tags:
- attack.initial-access
- attack.lateral-movement
- attack.persistence
- attack.privilege-escalation
- attack.stealth
- attack.t1078
- attack.t1548
- attack.t1550
- attack.t1550.001
logsource:
product: aws
service: cloudtrail
detection:
selection_sts:
eventSource: 'sts.amazonaws.com'
eventName: 'AssumeRoleWithSAML'
selection_iam:
eventSource: 'iam.amazonaws.com'
eventName: 'UpdateSAMLProvider'
condition: 1 of selection_*
falsepositives:
- Automated processes that uses Terraform may lead to false positives.
- SAML Provider could be updated by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- SAML Provider being updated from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: medium