Tool: Splunk
12,786 vendor-native detections · ready to paste into your SIEM · cross-linked to ATT&CK
Detections
50 shown of 12,786
AWS IAM S3Browser LoginProfile Creation
Detects the S3 Browser utility performing reconnaissance for existing IAM users without a LoginProfile defined and then, when one is found, creating a LoginProfile.
Show query
from * metadata _id, _index, _version | where eventSource=="iam.amazonaws.com" and (eventName in ("GetLoginProfile", "CreateLoginProfile")) and userAgent like "*S3 Browser*"
AWS IAM S3Browser LoginProfile Creation
Detects the S3 Browser utility performing reconnaissance for existing IAM users without a LoginProfile defined and then, when one is found, creating a LoginProfile.
Show query
eventSource:iam.amazonaws.com AND (eventName:(GetLoginProfile OR CreateLoginProfile)) AND userAgent:*S3\ Browser*
AWS IAM S3Browser Templated S3 Bucket Policy Creation
Detects the S3 Browser utility creating an inline IAM policy that still contains the default S3 bucket name placeholder value "<YOUR-BUCKET-NAME>".
Show query
any where eventSource:"iam.amazonaws.com" and eventName:"PutUserPolicy" and userAgent:"*S3 Browser*" and (requestParameters:"*\"arn:aws:s3:::<YOUR-BUCKET-NAME>/*\"*" and requestParameters:"*\"s3:GetObject\"*" and requestParameters:"*\"Allow\"*")
AWS IAM S3Browser Templated S3 Bucket Policy Creation
Detects the S3 Browser utility creating an inline IAM policy that still contains the default S3 bucket name placeholder value "<YOUR-BUCKET-NAME>".
Show query
from * metadata _id, _index, _version | where eventSource=="iam.amazonaws.com" and eventName=="PutUserPolicy" and userAgent like "*S3 Browser*" and requestParameters like "*\"arn:aws:s3:::<YOUR-BUCKET-NAME>/*\"*" and requestParameters like "*\"s3:GetObject\"*" and requestParameters like "*\"Allow\"*"
AWS IAM S3Browser Templated S3 Bucket Policy Creation
Detects the S3 Browser utility creating an inline IAM policy that still contains the default S3 bucket name placeholder value "<YOUR-BUCKET-NAME>".
Show query
eventSource:iam.amazonaws.com AND eventName:PutUserPolicy AND userAgent:*S3\ Browser* AND (requestParameters:*\"arn\:aws\:s3\:\:\:\<YOUR\-BUCKET\-NAME\>\/*\"* AND requestParameters:*\"s3\:GetObject\"* AND requestParameters:*\"Allow\"*)
AWS IAM S3Browser User or AccessKey Creation
Detects the S3 Browser utility creating an IAM user or access key.
Show query
any where eventSource:"iam.amazonaws.com" and (eventName like~ ("CreateUser", "CreateAccessKey")) and userAgent:"*S3 Browser*"
AWS IAM S3Browser User or AccessKey Creation
Detects the S3 Browser utility creating an IAM user or access key.
Show query
from * metadata _id, _index, _version | where eventSource=="iam.amazonaws.com" and (eventName in ("CreateUser", "CreateAccessKey")) and userAgent like "*S3 Browser*"
AWS IAM S3Browser User or AccessKey Creation
Detects the S3 Browser utility creating an IAM user or access key.
Show query
eventSource:iam.amazonaws.com AND (eventName:(CreateUser OR CreateAccessKey)) AND userAgent:*S3\ Browser*
AWS IAM Sensitive Operations via Lambda Execution Role
Detects successful IAM API calls that create or empower IAM users and roles, attach or embed policies, or wire roles to instance profiles when the caller is an assumed role session associated with AWS Lambda. Serverless execution roles are often over-permissioned; an adversary who can run or compromise function code can abuse these APIs for privilege escalation and persistence, for example creating users or roles, issuing keys, attaching managed or inline policies, or preparing EC2 instance profiles for lateral movement.
AWS Identity Center Identity Provider Change
Detects a change in the AWS Identity Center (FKA AWS SSO) identity provider.
A change in identity provider allows an attacker to establish persistent access or escalate privileges via user impersonation.
Show query
any where (eventSource like~ ("sso-directory.amazonaws.com", "sso.amazonaws.com")) and (eventName like~ ("AssociateDirectory", "DisableExternalIdPConfigurationForDirectory", "DisassociateDirectory", "EnableExternalIdPConfigurationForDirectory"))
AWS Identity Center Identity Provider Change
Detects a change in the AWS Identity Center (FKA AWS SSO) identity provider.
A change in identity provider allows an attacker to establish persistent access or escalate privileges via user impersonation.
Show query
from * metadata _id, _index, _version | where (eventSource in ("sso-directory.amazonaws.com", "sso.amazonaws.com")) and (eventName in ("AssociateDirectory", "DisableExternalIdPConfigurationForDirectory", "DisassociateDirectory", "EnableExternalIdPConfigurationForDirectory"))
AWS Identity Center Identity Provider Change
Detects a change in the AWS Identity Center (FKA AWS SSO) identity provider.
A change in identity provider allows an attacker to establish persistent access or escalate privileges via user impersonation.
Show query
(eventSource:(sso\-directory.amazonaws.com OR sso.amazonaws.com)) AND (eventName:(AssociateDirectory OR DisableExternalIdPConfigurationForDirectory OR DisassociateDirectory OR EnableExternalIdPConfigurationForDirectory))
AWS KMS Imported Key Material Usage
Detects the import or deletion of key material in AWS KMS, which can be used as part of ransomware attacks. This activity is uncommon and provides a high certainty signal.
Show query
any where eventSource:"kms.amazonaws.com" and (eventName like~ ("ImportKeyMaterial", "DeleteImportedKeyMaterial"))
AWS KMS Imported Key Material Usage
Detects the import or deletion of key material in AWS KMS, which can be used as part of ransomware attacks. This activity is uncommon and provides a high certainty signal.
Show query
from * metadata _id, _index, _version | where eventSource=="kms.amazonaws.com" and (eventName in ("ImportKeyMaterial", "DeleteImportedKeyMaterial"))
AWS KMS Imported Key Material Usage
Detects the import or deletion of key material in AWS KMS, which can be used as part of ransomware attacks. This activity is uncommon and provides a high certainty signal.
Show query
eventSource:kms.amazonaws.com AND (eventName:(ImportKeyMaterial OR DeleteImportedKeyMaterial))
AWS Lateral Movement from Kubernetes SA via AssumeRoleWithWebIdentity
Detects when credentials issued through `AssumeRoleWithWebIdentity` for a Kubernetes service account identity are later used for several distinct AWS control-plane actions on the same session access key. Workloads that use EKS IAM Roles for Service Accounts routinely exchange a projected service-account token for short-lived IAM credentials; this rule highlights sessions where that exchange is followed by a spread of sensitive APIs (reconnaissance, secrets and parameter access, IAM changes, or compute creation) beyond what routine pod traffic usually shows. High-volume S3 object reads and writes are excluded from the correlation set to reduce noise from normal data-plane work.
AWS Management Console Brute Force of Root User Identity
Identifies a high number of failed authentication attempts to the AWS management console for the Root user identity. An adversary may attempt to brute force the password for the Root user identity, as it has complete access to all services and resources for the AWS account.
AWS Rare Source AS Organization Activity
Surfaces an AWS identity whose successful API traffic is dominated by a small set of large cloud-provider source AS organization labels, yet also shows a very small share of traffic from other AS organization names, including at least one recent sensitive control-plane, credential, storage, or model-invocation action on that uncommon network path. The intent is to highlight disproportionate “baseline” cloud egress versus sparse use from rarer networks on the same principal, a shape that can appear when automation or CI credentials are reused or pivoted outside their usual hosted-cloud footprint.
AWS Route 53 Domain Transfer Lock Disabled
Identifies when the transfer lock on an AWS Route 53 domain is disabled. The transfer lock protects domains from being moved to another registrar or AWS account without authorization. Disabling this lock removes an important safeguard against domain hijacking. Adversaries who gain access to domain-management permissions may disable the lock as a precursor to unauthorized domain transfer, takeover, or service disruption.
AWS Route 53 Domain Transferred to Another Account
Identifies when an AWS Route 53 domain is transferred to another AWS account. Transferring a domain changes administrative control of the DNS namespace, enabling the receiving account to modify DNS records, route traffic, request certificates, and potentially hijack operational workloads. Adversaries who gain access to privileged IAM users or long-lived credentials may leverage domain transfers to establish persistence, redirect traffic, conduct phishing, or stage infrastructure for broader attacks. This rule detects successful domain transfer requests.
AWS STS GetFederationToken with AdministratorAccess in Request
Identifies successful calls to AWS STS GetFederationToken where request parameters reference AdministratorAccess. This API returns temporary security credentials for a federated user with permissions bounded by the calling IAM user and any inline session policy passed in the request. Supplying or referencing the AWS managed AdministratorAccess policy (or an equivalent string in the policy payload) can grant broadly privileged temporary credentials and may indicate privilege abuse or dangerous automation.
AWS SecurityHub Findings Evasion
Detects modification or deletion of findings and insights in AWS Security Hub.
Show query
any where eventSource:"securityhub.amazonaws.com" and (eventName like~ ("BatchUpdateFindings", "DeleteInsight", "UpdateFindings", "UpdateInsight"))
AWS SecurityHub Findings Evasion
Detects modification or deletion of findings and insights in AWS Security Hub.
Show query
from * metadata _id, _index, _version | where eventSource=="securityhub.amazonaws.com" and (eventName in ("BatchUpdateFindings", "DeleteInsight", "UpdateFindings", "UpdateInsight"))
AWS SecurityHub Findings Evasion
Detects modification or deletion of findings and insights in AWS Security Hub.
Show query
eventSource:securityhub.amazonaws.com AND (eventName:(BatchUpdateFindings OR DeleteInsight OR UpdateFindings OR UpdateInsight))
AWS Sign-In Root Password Recovery Requested
Identifies a password recovery request for the AWS account root user.
In AWS, the PasswordRecoveryRequested event from signin.amazonaws.com applies to the root user’s “Forgot your password?” flow. Other identity types, like IAM and federated users, do not generate this event.
This alert indicates that someone initiated the root password reset workflow for this account. Verify whether this was an expected action and review identity provider notifications/email to confirm legitimacy.
AWS User Login Profile Was Modified
Detects a principal changing the console password of a different IAM user.
An attacker with the "iam:UpdateLoginProfile" permission on other users can change the password used to log in to the AWS console for any user that already has a login profile set up.
Show query
from * metadata _id, _index, _version | where eventSource=="iam.amazonaws.com" and eventName=="UpdateLoginProfile" and not userIdentity.arn==requestParameters.userName
Elastic · Converted · EQL · high
AWS VPC Flow Logs Deleted
Detects the deletion of one or more VPC Flow Logs in AWS Elastic Compute Cloud (EC2) through the DeleteFlowLogs API call.
Adversaries may delete flow logs to evade detection or remove evidence of network activity, hindering forensic investigations and visibility into malicious operations.
Show query
any where eventName:"DeleteFlowLogs" and (errorCode:"Success" or (?errorCode == null))
Elastic · Converted · ES|QL · high
AWS VPC Flow Logs Deleted
Detects the deletion of one or more VPC Flow Logs in AWS Elastic Compute Cloud (EC2) through the DeleteFlowLogs API call.
Adversaries may delete flow logs to evade detection or remove evidence of network activity, hindering forensic investigations and visibility into malicious operations.
Show query
from * metadata _id, _index, _version | where eventName=="DeleteFlowLogs" and (errorCode=="Success" or errorCode is null)
Elastic · Converted · Lucene · high
AWS VPC Flow Logs Deleted
Detects the deletion of one or more VPC Flow Logs in AWS Elastic Compute Cloud (EC2) through the DeleteFlowLogs API call.
Adversaries may delete flow logs to evade detection or remove evidence of network activity, hindering forensic investigations and visibility into malicious operations.
Show query
eventName:DeleteFlowLogs AND (errorCode:Success OR (NOT _exists_:errorCode))
AWS VPC Flow Logs Deletion
Identifies the deletion of one or more flow logs in AWS Elastic Compute Cloud (EC2). An adversary may delete flow logs in an attempt to evade defenses.
Abusable DLL Potential Sideloading From Suspicious Location
Detects potential sideloading of DLLs known to be abused when they are loaded from suspicious locations.
Show query
any where (ImageLoaded like~ ("*\\coreclr.dll", "*\\facesdk.dll", "*\\HPCustPartUI.dll", "*\\libcef.dll", "*\\ZIPDLL.dll")) and ((ImageLoaded like~ ("*:\\Perflogs\\*", "*:\\Users\\Public\\*", "*\\Temporary Internet*", "*\\Windows\\Temp\\*")) or ((ImageLoaded:"*:\\Users\\*" and ImageLoaded:"*\\Favorites\\*") or (ImageLoaded:"*:\\Users\\*" and ImageLoaded:"*\\Favourites\\*") or (ImageLoaded:"*:\\Users\\*" and ImageLoaded:"*\\Contacts\\*") or (ImageLoaded:"*:\\Users\\*" and ImageLoaded:"*\\Pictures\\*")))
Abusable DLL Potential Sideloading From Suspicious Location
Detects potential sideloading of DLLs known to be abused when they are loaded from suspicious locations.
Show query
from * metadata _id, _index, _version | where (ends_with(ImageLoaded, "\\coreclr.dll") or ends_with(ImageLoaded, "\\facesdk.dll") or ends_with(ImageLoaded, "\\HPCustPartUI.dll") or ends_with(ImageLoaded, "\\libcef.dll") or ends_with(ImageLoaded, "\\ZIPDLL.dll")) and (ImageLoaded like "*:\\Perflogs\\*" or ImageLoaded like "*:\\Users\\Public\\*" or ImageLoaded like "*\\Temporary Internet*" or ImageLoaded like "*\\Windows\\Temp\\*" or ImageLoaded like "*:\\Users\\*" and ImageLoaded like "*\\Favorites\\*" or ImageLoaded like "*:\\Users\\*" and ImageLoaded like "*\\Favourites\\*" or ImageLoaded like "*:\\Users\\*" and ImageLoaded like "*\\Contacts\\*" or ImageLoaded like "*:\\Users\\*" and ImageLoaded like "*\\Pictures\\*")
Abusable DLL Potential Sideloading From Suspicious Location
Detects potential sideloading of DLLs known to be abused when they are loaded from suspicious locations.
Show query
(ImageLoaded:(*\\coreclr.dll OR *\\facesdk.dll OR *\\HPCustPartUI.dll OR *\\libcef.dll OR *\\ZIPDLL.dll)) AND ((ImageLoaded:(*\:\\Perflogs\\* OR *\:\\Users\\Public\\* OR *\\Temporary\ Internet* OR *\\Windows\\Temp\\*)) OR ((ImageLoaded:*\:\\Users\\* AND ImageLoaded:*\\Favorites\\*) OR (ImageLoaded:*\:\\Users\\* AND ImageLoaded:*\\Favourites\\*) OR (ImageLoaded:*\:\\Users\\* AND ImageLoaded:*\\Contacts\\*) OR (ImageLoaded:*\:\\Users\\* AND ImageLoaded:*\\Pictures\\*)))
Abuse of Service Permissions to Hide Services Via Set-Service
Detects usage of the "Set-Service" PowerShell cmdlet to configure a new security descriptor that hides a service from other utilities such as "sc.exe" and "Get-Service" (works only in PowerShell 7).
Show query
any where (Image:"*\\pwsh.exe" or OriginalFileName:"pwsh.dll") and (CommandLine:"*Set-Service *" and CommandLine:"*DCLCWPDTSD*") and (CommandLine like~ ("*-SecurityDescriptorSddl *", "*-sd *"))
Abuse of Service Permissions to Hide Services Via Set-Service
Detects usage of the "Set-Service" PowerShell cmdlet to configure a new security descriptor that hides a service from other utilities such as "sc.exe" and "Get-Service" (works only in PowerShell 7).
Show query
from * metadata _id, _index, _version | where (ends_with(Image, "\\pwsh.exe") or OriginalFileName=="pwsh.dll") and CommandLine like "*Set-Service *" and CommandLine like "*DCLCWPDTSD*" and (CommandLine like "*-SecurityDescriptorSddl *" or CommandLine like "*-sd *")
Abuse of Service Permissions to Hide Services Via Set-Service
Detects usage of the "Set-Service" PowerShell cmdlet to configure a new security descriptor that hides a service from other utilities such as "sc.exe" and "Get-Service" (works only in PowerShell 7).
Show query
(Image:*\\pwsh.exe OR OriginalFileName:pwsh.dll) AND (CommandLine:*Set\-Service\ * AND CommandLine:*DCLCWPDTSD*) AND (CommandLine:(*\-SecurityDescriptorSddl\ * OR *\-sd\ *))
Abuse of Service Permissions to Hide Services Via Set-Service - PS
Detects usage of the "Set-Service" PowerShell cmdlet to configure a new security descriptor that hides a service from other utilities such as "sc.exe" and "Get-Service" (works only in PowerShell 7).
Show query
any where (ScriptBlockText:"*Set-Service *" and ScriptBlockText:"*DCLCWPDTSD*") and (ScriptBlockText like~ ("*-SecurityDescriptorSddl *", "*-sd *"))
Abuse of Service Permissions to Hide Services Via Set-Service - PS
Detects usage of the "Set-Service" PowerShell cmdlet to configure a new security descriptor that hides a service from other utilities such as "sc.exe" and "Get-Service" (works only in PowerShell 7).
Show query
from * metadata _id, _index, _version | where ScriptBlockText like "*Set-Service *" and ScriptBlockText like "*DCLCWPDTSD*" and (ScriptBlockText like "*-SecurityDescriptorSddl *" or ScriptBlockText like "*-sd *")
Abuse of Service Permissions to Hide Services Via Set-Service - PS
Detects usage of the "Set-Service" PowerShell cmdlet to configure a new security descriptor that hides a service from other utilities such as "sc.exe" and "Get-Service" (works only in PowerShell 7).
Show query
(ScriptBlockText:*Set\-Service\ * AND ScriptBlockText:*DCLCWPDTSD*) AND (ScriptBlockText:(*\-SecurityDescriptorSddl\ * OR *\-sd\ *))
Abused Debug Privilege by Arbitrary Parent Processes
Detects unusual child processes (command shells) spawned by core system processes.
Show query
any where (((ParentImage like~ ("*\\winlogon.exe", "*\\services.exe", "*\\lsass.exe", "*\\csrss.exe", "*\\smss.exe", "*\\wininit.exe", "*\\spoolsv.exe", "*\\searchindexer.exe")) and (User like~ ("*AUTHORI*", "*AUTORI*"))) and ((Image like~ ("*\\powershell.exe", "*\\pwsh.exe", "*\\cmd.exe")) or (OriginalFileName like~ ("PowerShell.EXE", "pwsh.dll", "Cmd.Exe")))) and (not (CommandLine:"* route *" and CommandLine:"* ADD *"))
Abused Debug Privilege by Arbitrary Parent Processes
Detects unusual child processes (command shells) spawned by core system processes.
Show query
from * metadata _id, _index, _version | where (ends_with(ParentImage, "\\winlogon.exe") or ends_with(ParentImage, "\\services.exe") or ends_with(ParentImage, "\\lsass.exe") or ends_with(ParentImage, "\\csrss.exe") or ends_with(ParentImage, "\\smss.exe") or ends_with(ParentImage, "\\wininit.exe") or ends_with(ParentImage, "\\spoolsv.exe") or ends_with(ParentImage, "\\searchindexer.exe")) and (User like "*AUTHORI*" or User like "*AUTORI*") and (ends_with(Image, "\\powershell.exe") or ends_with(Image, "\\pwsh.exe") or ends_with(Image, "\\cmd.exe") or OriginalFileName in ("PowerShell.EXE", "pwsh.dll", "Cmd.Exe")) and not (CommandLine like "* route *" and CommandLine like "* ADD *")
Abused Debug Privilege by Arbitrary Parent Processes
Detects unusual child processes (command shells) spawned by core system processes.
Show query
(((ParentImage:(*\\winlogon.exe OR *\\services.exe OR *\\lsass.exe OR *\\csrss.exe OR *\\smss.exe OR *\\wininit.exe OR *\\spoolsv.exe OR *\\searchindexer.exe)) AND (User:(*AUTHORI* OR *AUTORI*))) AND ((Image:(*\\powershell.exe OR *\\pwsh.exe OR *\\cmd.exe)) OR (OriginalFileName:(PowerShell.EXE OR pwsh.dll OR Cmd.Exe)))) AND (NOT (CommandLine:*\ route\ * AND CommandLine:*\ ADD\ *))
Account Created And Deleted Within A Close Time Frame
Detects when an account was created and deleted in a short period of time.
Show query
any where (properties.message like~ ("Add user", "Delete user")) and Status:"Success"
Account Created And Deleted Within A Close Time Frame
Detects when an account was created and deleted in a short period of time.
Show query
from * metadata _id, _index, _version | where (properties.message in ("Add user", "Delete user")) and Status=="Success"
Account Created And Deleted Within A Close Time Frame
Detects when an account was created and deleted in a short period of time.
Show query
(properties.message:(Add\ user OR Delete\ user)) AND Status:Success
Active Directory User Backdoors
Detects scenarios where one account can control another user's or computer's account without having to use its credentials.
Show query
any where (EventID:4738 and (not ((AllowedToDelegateTo like~ ("", "-")) or (?AllowedToDelegateTo == null)))) or ((EventID:5136 and AttributeLDAPDisplayName:"msDS-AllowedToDelegateTo") or (EventID:5136 and ObjectClass:"user" and AttributeLDAPDisplayName:"servicePrincipalName") or (EventID:5136 and AttributeLDAPDisplayName:"msDS-AllowedToActOnBehalfOfOtherIdentity"))
Active Directory User Backdoors
Detects scenarios where one account can control another user's or computer's account without having to use its credentials.
Show query
from * metadata _id, _index, _version | where EventID==4738 and not (AllowedToDelegateTo in ("", "-") or AllowedToDelegateTo is null) or EventID==5136 and AttributeLDAPDisplayName=="msDS-AllowedToDelegateTo" or EventID==5136 and ObjectClass=="user" and AttributeLDAPDisplayName=="servicePrincipalName" or EventID==5136 and AttributeLDAPDisplayName=="msDS-AllowedToActOnBehalfOfOtherIdentity"
Active Directory User Backdoors
Detects scenarios where one account can control another user's or computer's account without having to use its credentials.
Show query
(EventID:4738 AND (NOT ((AllowedToDelegateTo:("" OR \-)) OR (NOT _exists_:AllowedToDelegateTo)))) OR ((EventID:5136 AND AttributeLDAPDisplayName:msDS\-AllowedToDelegateTo) OR (EventID:5136 AND ObjectClass:user AND AttributeLDAPDisplayName:servicePrincipalName) OR (EventID:5136 AND AttributeLDAPDisplayName:msDS\-AllowedToActOnBehalfOfOtherIdentity))
Activity From Anonymous IP Address
Identifies that users were active from an IP address that has been identified as an anonymous proxy IP address.
Show query
any where riskEventType:"riskyIPAddress"
Activity From Anonymous IP Address
Identifies that users were active from an IP address that has been identified as an anonymous proxy IP address.
Show query
from * metadata _id, _index, _version | where riskEventType=="riskyIPAddress"
Showing 601-650 of 12,786