Home/Sigma rules
Sigma

Sigma detection rules

1,345 rules indexed · SIEM-agnostic detection content
Sigma is the open generic signature format for SIEM systems. Each rule below converts to native syntax for Splunk, Elastic, Sentinel, and other SIEMs. Expand any rule to see its raw YAML.
Severity critical high medium low all severities

Detection rules

50 shown of 1,345
medium
Files With System DLL Name In Unsuspected Locations
Detects the creation of a file with the ".dll" extension that has the name of a System DLL in uncommon or unsuspected locations. (Outisde of "System32", "SysWOW64", etc.). It is highly recommended to perform an initial baseline before using this rule in production.
status test author Nasreddine Bencherchali (Nextron Systems) id 13c02350-4177-4e45-ac17-cf7ca628ff5e
view Sigma YAML 
title: Files With System DLL Name In Unsuspected Locations
id: 13c02350-4177-4e45-ac17-cf7ca628ff5e
status: test
description: |
    Detects the creation of a file with the ".dll" extension that has the name of a System DLL in uncommon or unsuspected locations. (Outisde of "System32", "SysWOW64", etc.).
    It is highly recommended to perform an initial baseline before using this rule in production.
references:
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-06-24
tags:
    - attack.stealth
    - attack.t1036.005
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|endswith:
            # Note: Add more System DLL that can be abused for DLL sideloading to increase coverage
            - '\secur32.dll'
            - '\tdh.dll'
    filter_main_generic:
        # Note: It is recommended to use a more robust filter instead of this generic one, to avoid false negatives.
        TargetFilename|contains:
            # - '\SystemRoot\System32\'
            - 'C:\$WINDOWS.~BT\'
            - 'C:\$WinREAgent\'
            - 'C:\Windows\SoftwareDistribution\'
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
            - 'C:\Windows\WinSxS\'
            - 'C:\Windows\uus\'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Third party software might bundle specific versions of system DLLs.
# Note: Upgrade to high after an initial baseline to your environement.
level: medium
regression_tests_path: regression_data/rules/windows/file/file_event/file_event_win_creation_system_dll_files/info.yml
medium
Files With System Process Name In Unsuspected Locations
Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64, etc.). It is highly recommended to perform an initial baseline before using this rule in production.
status test author Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems) id d5866ddf-ce8f-4aea-b28e-d96485a20d3d
view Sigma YAML 
title: Files With System Process Name In Unsuspected Locations
id: d5866ddf-ce8f-4aea-b28e-d96485a20d3d
status: test
description: |
    Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64, etc.).
    It is highly recommended to perform an initial baseline before using this rule in production.
references:
    - Internal Research
author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems)
date: 2020-05-26
modified: 2026-02-04
tags:
    - attack.stealth
    - attack.t1036.005
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|endswith:
            - '\AtBroker.exe'
            - '\audiodg.exe'
            - '\backgroundTaskHost.exe'
            - '\bcdedit.exe'
            - '\bitsadmin.exe'
            - '\cmdl32.exe'
            - '\cmstp.exe'
            - '\conhost.exe'
            - '\csrss.exe'
            - '\dasHost.exe'
            - '\dfrgui.exe'
            - '\dllhost.exe'
            - '\dwm.exe'
            - '\eventcreate.exe'
            - '\eventvwr.exe'
            - '\explorer.exe'
            - '\extrac32.exe'
            - '\fontdrvhost.exe'
            - '\fsquirt.exe' # was seen used by sidewinder APT - https://securelist.com/sidewinder-apt/114089/
            - '\ipconfig.exe'
            - '\iscsicli.exe'
            - '\iscsicpl.exe'
            - '\logman.exe'
            - '\LogonUI.exe'
            - '\LsaIso.exe'
            - '\lsass.exe'
            - '\lsm.exe'
            - '\msiexec.exe'
            - '\msinfo32.exe'
            - '\mstsc.exe'
            - '\nbtstat.exe'
            - '\odbcconf.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\regini.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
            - '\RuntimeBroker.exe'
            - '\schtasks.exe'
            - '\SearchFilterHost.exe'
            - '\SearchIndexer.exe'
            - '\SearchProtocolHost.exe'
            - '\SecurityHealthService.exe'
            - '\SecurityHealthSystray.exe'
            - '\services.exe'
            - '\ShellAppRuntime.exe'
            - '\sihost.exe'
            - '\smartscreen.exe'
            - '\smss.exe'
            - '\spoolsv.exe'
            - '\svchost.exe'
            - '\SystemSettingsBroker.exe'
            - '\taskhost.exe'
            - '\taskhostw.exe'
            - '\Taskmgr.exe'
            - '\TiWorker.exe'
            - '\vssadmin.exe'
            - '\w32tm.exe'
            - '\WerFault.exe'
            - '\WerFaultSecure.exe'
            - '\wermgr.exe'
            - '\wevtutil.exe'
            - '\wininit.exe'
            - '\winlogon.exe'
            - '\winrshost.exe'
            - '\WinRTNetMUAHostServer.exe'
            - '\wlanext.exe'
            - '\wlrmdr.exe'
            - '\WmiPrvSE.exe'
            - '\wslhost.exe'
            - '\WSReset.exe'
            - '\WUDFHost.exe'
            - '\WWAHost.exe'
    filter_main_generic:
        # Note: It is recommended to use a more robust filter instead of this generic one, to avoid false negatives.
        TargetFilename|contains:
            # - '\SystemRoot\System32\'
            - 'C:\$WINDOWS.~BT\'
            - 'C:\$WinREAgent\'
            - 'C:\Windows\SoftwareDistribution\'
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
            - 'C:\Windows\WinSxS\'
            - 'C:\Windows\uus\'
    filter_main_tiworker:
        Image|endswith:
            - '\TiWorker.exe'
            - '\wuaucltcore.exe'
        TargetFilename|startswith: 'C:\Windows\Temp\'
    filter_main_svchost:
        Image|endswith:
            - 'C:\Windows\system32\svchost.exe'
            - 'C:\Windows\SysWOW64\svchost.exe'
        TargetFilename|contains:
            - 'C:\Program Files\WindowsApps\'
            - 'C:\Program Files (x86)\WindowsApps\'
            - '\AppData\Local\Microsoft\WindowsApps\'
    filter_main_wuauclt:
        Image:
            - 'C:\Windows\System32\wuauclt.exe'
            - 'C:\Windows\SysWOW64\wuauclt.exe'
            - 'C:\Windows\UUS\arm64\wuaucltcore.exe'
    filter_main_explorer:
        TargetFilename|endswith: 'C:\Windows\explorer.exe'
    filter_main_msiexec:
        # This filter handles system processes who are updated/installed using misexec.
        Image|endswith:
            - 'C:\WINDOWS\system32\msiexec.exe'
            - 'C:\WINDOWS\SysWOW64\msiexec.exe'
        # Add more processes if you find them or simply filter msiexec on its own. If the list grows big
        TargetFilename|startswith:
            - 'C:\Program Files\PowerShell\7\pwsh.exe'
            - 'C:\Program Files\PowerShell\7-preview\pwsh.exe'
            - 'C:\Program Files\WindowsApps\Microsoft.PowerShellPreview\'
    filter_main_healtray:
        TargetFilename|contains: 'C:\Windows\System32\SecurityHealth\'
        TargetFilename|endswith: '\SecurityHealthSystray.exe'
        Image|endswith: '\SecurityHealthSetup.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - System processes copied outside their default folders for testing purposes
    - Third party software naming their software with the same names as the processes mentioned here
# Note: Upgrade to high after an initial baseline to your environement.
level: medium
regression_tests_path: regression_data/rules/windows/file/file_event/file_event_win_creation_system_file/info.yml
medium
Filter Driver Unloaded Via Fltmc.EXE
Detect filter driver unloading activity via fltmc.exe
status test author Nasreddine Bencherchali (Nextron Systems) id 4931188c-178e-4ee7-a348-39e8a7a56821
view Sigma YAML 
title: Filter Driver Unloaded Via Fltmc.EXE
id: 4931188c-178e-4ee7-a348-39e8a7a56821
related:
    - id: 4d7cda18-1b12-4e52-b45c-d28653210df8 # Sysmon specific
      type: derived
status: test
description: Detect filter driver unloading activity via fltmc.exe
references:
    - https://www.darkoperator.com/blog/2018/10/5/operating-offensively-against-sysmon
    - https://www.cybereason.com/blog/threat-analysis-report-lockbit-2.0-all-paths-lead-to-ransom
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-13
modified: 2025-10-07
tags:
    - attack.stealth
    - attack.defense-impairment
    - attack.t1070
    - attack.t1685
    - attack.t1685.001
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        - Image|endswith: '\fltMC.exe'
        - OriginalFileName: 'fltMC.exe'
    selection_cli:
        CommandLine|contains: 'unload'
    filter_optional_avira:
        ParentImage|contains:
            - '\AppData\Local\Temp\'
            - ':\Windows\Temp\'
        ParentImage|endswith: '\endpoint-protection-installer-x64.tmp'
        CommandLine|endswith:
            - 'unload rtp_filesystem_filter'
            - 'unload rtp_filter'
    filter_optional_manageengine:
        ParentImage: 'C:\Program Files (x86)\ManageEngine\uems_agent\bin\dcfaservice64.exe'
        CommandLine|endswith: 'unload DFMFilter'
    condition: all of selection_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: medium
medium
Findstr Launching .lnk File
Detects usage of findstr to identify and execute a lnk file as seen within the HHS redirect attack
status test author Trent Liffick id 33339be3-148b-4e16-af56-ad16ec6c7e7b
view Sigma YAML 
title: Findstr Launching .lnk File
id: 33339be3-148b-4e16-af56-ad16ec6c7e7b
status: test
description: Detects usage of findstr to identify and execute a lnk file as seen within the HHS redirect attack
references:
    - https://www.bleepingcomputer.com/news/security/hhsgov-open-redirect-used-by-coronavirus-phishing-to-spread-malware/
author: Trent Liffick
date: 2020-05-01
modified: 2024-01-15
tags:
    - attack.stealth
    - attack.t1036
    - attack.t1202
    - attack.t1027.003
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\find.exe'
              - '\findstr.exe'
        - OriginalFileName:
              - 'FIND.EXE'
              - 'FINDSTR.EXE'
    selection_cli:
        CommandLine|endswith:
            - '.lnk'
            - '.lnk"'
            - ".lnk'"
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
medium
Firewall Disabled via Netsh.EXE
Detects netsh commands that turns off the Windows firewall
status test author Fatih Sirin id 57c4bf16-227f-4394-8ec7-1b745ee061c3
view Sigma YAML 
title: Firewall Disabled via Netsh.EXE
id: 57c4bf16-227f-4394-8ec7-1b745ee061c3
status: test
description: Detects netsh commands that turns off the Windows firewall
references:
    - https://www.winhelponline.com/blog/enable-and-disable-windows-firewall-quickly-using-command-line/
    - https://app.any.run/tasks/210244b9-0b6b-4a2c-83a3-04bd3175d017/
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md#atomic-test-1---disable-microsoft-defender-firewall
author: Fatih Sirin
date: 2019-11-01
modified: 2023-02-13
tags:
    - attack.defense-impairment
    - attack.t1686.003
    - attack.s0108
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\netsh.exe'
        - OriginalFileName: 'netsh.exe'
    selection_cli_1:
        # Example: netsh firewall set opmode disable
        CommandLine|contains|all:
            - 'firewall'
            - 'set'
            - 'opmode'
            - 'disable'
    selection_cli_2:
        # Example: netsh advfirewall set currentprofile state off
        CommandLine|contains|all:
            - 'advfirewall'
            - 'set'
            - 'state'
            - 'off'
    condition: selection_img and 1 of selection_cli_*
falsepositives:
    - Legitimate administration activity
level: medium
medium
Firewall Rule Deleted Via Netsh.EXE
Detects the removal of a port or application rule in the Windows Firewall configuration using netsh
status test author frack113 id 1a5fefe6-734f-452e-a07d-fc1c35bce4b2
view Sigma YAML 
title: Firewall Rule Deleted Via Netsh.EXE
id: 1a5fefe6-734f-452e-a07d-fc1c35bce4b2
status: test
description: Detects the removal of a port or application rule in the Windows Firewall configuration using netsh
references:
    - https://app.any.run/tasks/8bbd5b4c-b82d-4e6d-a3ea-d454594a37cc/
author: frack113
date: 2022-08-14
modified: 2025-10-07
tags:
    - attack.defense-impairment
    - attack.t1686.003
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\netsh.exe'
        - OriginalFileName: 'netsh.exe'
    selection_cli:
        CommandLine|contains|all:
            - 'firewall'
            - 'delete '
    filter_optional_dropbox:
        ParentImage|endswith: '\Dropbox.exe'
        CommandLine|contains: 'name=Dropbox'
    filter_optional_avast:
        ParentImage|endswith: '\instup.exe'
        CommandLine|contains: 'advfirewall firewall delete rule name="Avast Antivirus Admin Client"'
    condition: all of selection_* and not 1 of filter_optional_*
falsepositives:
    - Legitimate administration activity
    - Software installations and removal
level: medium
medium
Firewall Rule Update Via Netsh.EXE
Detects execution of netsh with the "advfirewall" and the "set" option in order to set new values for properties of a existing rule
status test author X__Junior (Nextron Systems) id a70dcb37-3bee-453a-99df-d0c683151be6
view Sigma YAML 
title: Firewall Rule Update Via Netsh.EXE
id: a70dcb37-3bee-453a-99df-d0c683151be6
status: test
description: Detects execution of netsh with the "advfirewall" and the "set" option in order to set new values for properties of a existing rule
references:
    - https://ss64.com/nt/netsh.html
author: X__Junior (Nextron Systems)
date: 2023-07-18
tags:
    - attack.defense-impairment
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\netsh.exe'
        - OriginalFileName: 'netsh.exe'
    selection_cli:
        CommandLine|contains|all:
            # Example 1: netsh advfirewall firewall set rule "group=\"Network Discovery\" " new enable=Yes"
            # Example 2: netsh advfirewall firewall set rule "group=\"File and Printer Sharing\" " new enable=Yes"
            - ' firewall '
            - ' set '
    condition: all of selection_*
falsepositives:
    - Legitimate administration activity
    - Software installations and removal
level: medium
medium
Flush Iptables Ufw Chain
Detect use of iptables to flush all firewall rules, tables and chains and allow all network traffic
status test author Joseliyo Sanchez, @Joseliyo_Jstnk id 3be619f4-d9ec-4ea8-a173-18fdd01996ab
view Sigma YAML 
title: Flush Iptables Ufw Chain
id: 3be619f4-d9ec-4ea8-a173-18fdd01996ab
status: test
description: Detect use of iptables to flush all firewall rules, tables and chains and allow all network traffic
references:
    - https://blogs.blackberry.com/
    - https://www.cyberciti.biz/tips/linux-iptables-how-to-flush-all-rules.html
    - https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2023-01-18
tags:
    - attack.defense-impairment
    - attack.t1686
logsource:
    product: linux
    category: process_creation
detection:
    selection_img:
        Image|endswith:
            - '/iptables'
            - '/xtables-legacy-multi'
            - '/iptables-legacy-multi'
            - '/ip6tables'
            - '/ip6tables-legacy-multi'
    selection_params:
        CommandLine|contains:
            - '-F'
            - '-Z'
            - '-X'
    selection_ufw:
        CommandLine|contains:
            - 'ufw-logging-deny'
            - 'ufw-logging-allow'
            - 'ufw6-logging-deny'
            - 'ufw6-logging-allow'
            # - 'ufw-reject-output'
            # - 'ufw-track-inputt'
    condition: all of selection_*
falsepositives:
    - Network administrators
level: medium
medium
Folder Compress To Potentially Suspicious Output Via Compress-Archive Cmdlet
Detects PowerShell scripts that make use of the "Compress-Archive" Cmdlet in order to compress folders and files where the output is stored in a potentially suspicious location that is used often by malware for exfiltration. An adversary might compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
status test author Nasreddine Bencherchali (Nextron Systems), frack113 id 85a8e5ba-bd03-4bfb-bbfa-a4409a8f8b98
view Sigma YAML 
title: Folder Compress To Potentially Suspicious Output Via Compress-Archive Cmdlet
id: 85a8e5ba-bd03-4bfb-bbfa-a4409a8f8b98 # Process Creation
related:
    - id: 71ff406e-b633-4989-96ec-bc49d825a412 # PowerShell Classic
      type: similar
    - id: daf7eb81-35fd-410d-9d7a-657837e602bb # PowerShell Module
      type: similar
    - id: b7a3c9a3-09ea-4934-8864-6a32cacd98d9 # PowerShell Script
      type: similar
status: test
description: |
    Detects PowerShell scripts that make use of the "Compress-Archive" Cmdlet in order to compress folders and files where the output is stored in a potentially suspicious location that is used often by malware for exfiltration.
    An adversary might compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1074.001/T1074.001.md
    - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a
author: Nasreddine Bencherchali (Nextron Systems), frack113
date: 2021-07-20
modified: 2022-10-09
tags:
    - attack.collection
    - attack.t1074.001
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        CommandLine|contains:
            - 'Compress-Archive -Path*-DestinationPath $env:TEMP'
            - 'Compress-Archive -Path*-DestinationPath*\AppData\Local\Temp\'
            - 'Compress-Archive -Path*-DestinationPath*:\Windows\Temp\'
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
Forfiles Command Execution
Detects the execution of "forfiles" with the "/c" flag. While this is an expected behavior of the tool, it can be abused in order to proxy execution through it with any binary. Can be used to bypass application whitelisting.
status test author Tim Rauch, Elastic, E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community id 9aa5106d-bce3-4b13-86df-3a20f1d5cf0b
view Sigma YAML 
title: Forfiles Command Execution
id: 9aa5106d-bce3-4b13-86df-3a20f1d5cf0b
related:
    - id: a85cf4e3-56ee-4e79-adeb-789f8fb209a8
      type: obsolete
    - id: fa47597e-90e9-41cd-ab72-c3b74cfb0d02
      type: obsolete
status: test
description: |
    Detects the execution of "forfiles" with the "/c" flag.
    While this is an expected behavior of the tool, it can be abused in order to proxy execution through it with any binary.
    Can be used to bypass application whitelisting.
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Forfiles/
    - https://pentestlab.blog/2020/07/06/indirect-command-execution/
author: Tim Rauch, Elastic, E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
date: 2022-06-14
modified: 2024-03-05
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\forfiles.exe'
        - OriginalFileName: 'forfiles.exe'
    selection_cli:
        CommandLine|contains|windash: ' -c '
    condition: all of selection_*
falsepositives:
    - Legitimate use via a batch script or by an administrator.
level: medium
medium
FortiGate - Firewall Address Object Added
Detects the addition of firewall address objects on a Fortinet FortiGate Firewall.
status experimental author Marco Pedrinazzi @pedrinazziM (InTheCyber) id 5c8d7b41-3812-432f-a0bb-4cfb7c31827e
view Sigma YAML 
title: FortiGate - Firewall Address Object Added
id: 5c8d7b41-3812-432f-a0bb-4cfb7c31827e
status: experimental
description: Detects the addition of firewall address objects on a Fortinet FortiGate Firewall.
references:
    - https://www.fortiguard.com/psirt/FG-IR-24-535
    - https://docs.fortinet.com/document/fortigate/7.6.4/fortios-log-message-reference/398/event
    - https://docs.fortinet.com/document/fortigate/7.6.4/cli-reference/306021697/config-firewall-address
    - https://docs.fortinet.com/document/fortigate/7.6.4/fortios-log-message-reference/44547/44547-logid-event-config-objattr
author: Marco Pedrinazzi @pedrinazziM (InTheCyber)
date: 2025-11-01
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    product: fortigate
    service: event
detection:
    selection:
        action: 'Add'
        cfgpath: 'firewall.address'
    condition: selection
falsepositives:
    - An address could be added or deleted for legitimate purposes.
level: medium
medium
FortiGate - New Administrator Account Created
Detects the creation of an administrator account on a Fortinet FortiGate Firewall.
status experimental author Marco Pedrinazzi @pedrinazziM (InTheCyber) id cd0a4943-0edd-42cf-b50c-06f77a10d4c1
view Sigma YAML 
title: FortiGate - New Administrator Account Created
id: cd0a4943-0edd-42cf-b50c-06f77a10d4c1
status: experimental
description: Detects the creation of an administrator account on a Fortinet FortiGate Firewall.
references:
    - https://www.fortiguard.com/psirt/FG-IR-24-535
    - https://docs.fortinet.com/document/fortigate/7.6.4/fortios-log-message-reference/398/event
    - https://docs.fortinet.com/document/fortigate/7.6.4/cli-reference/390485493/config-system-admin
    - https://docs.fortinet.com/document/fortigate/7.6.4/fortios-log-message-reference/44547/44547-logid-event-config-objattr
author: Marco Pedrinazzi @pedrinazziM (InTheCyber)
date: 2025-11-01
tags:
    - attack.persistence
    - attack.t1136.001
logsource:
    product: fortigate
    service: event
detection:
    selection:
        action: 'Add'
        cfgpath: 'system.admin'
    condition: selection
falsepositives:
    - An administrator account can be created for legitimate purposes. Investigate the account details to determine if it is authorized.
level: medium
medium
FortiGate - New Firewall Policy Added
Detects the addition of a new firewall policy on a Fortinet FortiGate Firewall.
status experimental author Marco Pedrinazzi @pedrinazziM (InTheCyber) id f24ab7a8-f09a-4319-82c1-915586aa642b
view Sigma YAML 
title: FortiGate - New Firewall Policy Added
id: f24ab7a8-f09a-4319-82c1-915586aa642b
status: experimental
description: Detects the addition of a new firewall policy on a Fortinet FortiGate Firewall.
references:
    - https://www.fortiguard.com/psirt/FG-IR-24-535
    - https://docs.fortinet.com/document/fortigate/7.6.4/fortios-log-message-reference/398/event
    - https://docs.fortinet.com/document/fortigate/7.6.4/cli-reference/333889629/config-firewall-policy
    - https://docs.fortinet.com/document/fortigate/7.6.4/fortios-log-message-reference/44547/44547-logid-event-config-objattr
author: Marco Pedrinazzi @pedrinazziM (InTheCyber)
date: 2025-11-01
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    product: fortigate
    service: event
detection:
    selection:
        action: 'Add'
        cfgpath: 'firewall.policy'
    condition: selection
falsepositives:
    - A firewall policy can be added for legitimate purposes.
level: medium
medium
FortiGate - New Local User Created
Detects the creation of a new local user on a Fortinet FortiGate Firewall. The new local user could be used for VPN connections.
status experimental author Marco Pedrinazzi @pedrinazziM (InTheCyber) id ddbbe845-1d74-43a8-8231-2156d180234d
view Sigma YAML 
title: FortiGate - New Local User Created
id: ddbbe845-1d74-43a8-8231-2156d180234d
status: experimental
description: |
    Detects the creation of a new local user on a Fortinet FortiGate Firewall.
    The new local user could be used for VPN connections.
references:
    - https://www.fortiguard.com/psirt/FG-IR-24-535
    - https://docs.fortinet.com/document/fortigate/7.6.4/fortios-log-message-reference/398/event
    - https://docs.fortinet.com/document/fortigate/7.6.4/cli-reference/109120963/config-user-local
    - https://docs.fortinet.com/document/fortigate/7.6.4/fortios-log-message-reference/44547/44547-logid-event-config-objattr
author: Marco Pedrinazzi @pedrinazziM (InTheCyber)
date: 2025-11-01
tags:
    - attack.persistence
    - attack.t1136.001
logsource:
    product: fortigate
    service: event
detection:
    selection:
        action: 'Add'
        cfgpath: 'user.local'
    condition: selection
falsepositives:
    - A local user can be created for legitimate purposes. Investigate the user details to determine if it is authorized.
level: medium
medium
FortiGate - New VPN SSL Web Portal Added
Detects the addition of a VPN SSL Web Portal on a Fortinet FortiGate Firewall. This behavior was observed in pair with modification of VPN SSL settings.
status experimental author Marco Pedrinazzi @pedrinazziM (InTheCyber) id 2bfb6216-0c31-4d20-8501-2629b29a3fa2
view Sigma YAML 
title: FortiGate - New VPN SSL Web Portal Added
id: 2bfb6216-0c31-4d20-8501-2629b29a3fa2
status: experimental
description: |
    Detects the addition of a VPN SSL Web Portal on a Fortinet FortiGate Firewall.
    This behavior was observed in pair with modification of VPN SSL settings.
references:
    - https://www.fortiguard.com/psirt/FG-IR-24-535
    - https://docs.fortinet.com/document/fortigate/7.6.4/fortios-log-message-reference/398/event
    - https://docs.fortinet.com/document/fortigate/7.6.4/cli-reference/113121765/config-vpn-ssl-web-portal
    - https://docs.fortinet.com/document/fortigate/7.6.4/fortios-log-message-reference/44547/44547-logid-event-config-objattr
author: Marco Pedrinazzi @pedrinazziM (InTheCyber)
date: 2025-11-01
tags:
    - attack.persistence
    - attack.initial-access
    - attack.t1133
logsource:
    product: fortigate
    service: event
detection:
    selection:
        action: 'Add'
        cfgpath: 'vpn.ssl.web.portal'
    condition: selection
falsepositives:
    - A VPN SSL Web Portal can be added for legitimate purposes.
level: medium
medium
FortiGate - User Group Modified
Detects the modification of a user group on a Fortinet FortiGate Firewall. The group could be used to grant VPN access to a network.
status experimental author Marco Pedrinazzi @pedrinazziM (InTheCyber) id 69ffc84e-8b1a-4024-8351-e018f66b8275
view Sigma YAML 
title: FortiGate - User Group Modified
id: 69ffc84e-8b1a-4024-8351-e018f66b8275
status: experimental
description: |
    Detects the modification of a user group on a Fortinet FortiGate Firewall.
    The group could be used to grant VPN access to a network.
references:
    - https://www.fortiguard.com/psirt/FG-IR-24-535
    - https://docs.fortinet.com/document/fortigate/7.6.4/fortios-log-message-reference/398/event
    - https://docs.fortinet.com/document/fortigate/7.6.4/cli-reference/328136827/config-user-group
    - https://docs.fortinet.com/document/fortigate/7.6.4/fortios-log-message-reference/44547/44547-logid-event-config-objattr
author: Marco Pedrinazzi @pedrinazziM (InTheCyber)
date: 2025-11-01
tags:
    - attack.persistence
    - attack.privilege-escalation
    # - attack.t1098.007
logsource:
    product: fortigate
    service: event
detection:
    selection:
        action: 'Edit'
        cfgpath: 'user.group'
    condition: selection
falsepositives:
    - A group can be modified for legitimate purposes.
level: medium
medium
FortiGate - VPN SSL Settings Modified
Detects the modification of VPN SSL Settings (for example, the modification of authentication rules). This behavior was observed in pair with the addition of a VPN SSL Web Portal.
status experimental author Marco Pedrinazzi @pedrinazziM (InTheCyber) id 8b5dacf2-aeb7-459d-b133-678eb696d410
view Sigma YAML 
title: FortiGate - VPN SSL Settings Modified
id: 8b5dacf2-aeb7-459d-b133-678eb696d410
status: experimental
description: |
    Detects the modification of VPN SSL Settings (for example, the modification of authentication rules).
    This behavior was observed in pair with the addition of a VPN SSL Web Portal.
references:
    - https://www.fortiguard.com/psirt/FG-IR-24-535
    - https://docs.fortinet.com/document/fortigate/7.6.4/fortios-log-message-reference/398/event
    - https://docs.fortinet.com/document/fortigate/7.6.4/cli-reference/114404382/config-vpn-ssl-settings
    - https://docs.fortinet.com/document/fortigate/7.6.4/fortios-log-message-reference/44546/44546-logid-event-config-attr
author: Marco Pedrinazzi @pedrinazziM (InTheCyber)
date: 2025-11-01
tags:
    - attack.persistence
    - attack.initial-access
    - attack.t1133
logsource:
    product: fortigate
    service: event
detection:
    selection:
        action: 'Edit'
        cfgpath: 'vpn.ssl.settings'
    condition: selection
falsepositives:
    - VPN SSL settings can be changed for legitimate purposes.
level: medium
medium
Function Call From Undocumented COM Interface EditionUpgradeManager
Detects function calls from the EditionUpgradeManager COM interface. Which is an interface that is not used by standard executables.
status test author oscd.community, Dmitry Uchakin id fb3722e4-1a06-46b6-b772-253e2e7db933
view Sigma YAML 
title: Function Call From Undocumented COM Interface EditionUpgradeManager
id: fb3722e4-1a06-46b6-b772-253e2e7db933
status: test
description: Detects function calls from the EditionUpgradeManager COM interface. Which is an interface that is not used by standard executables.
references:
    - https://www.snip2code.com/Snippet/4397378/UAC-bypass-using-EditionUpgradeManager-C/
    - https://gist.github.com/hfiref0x/de9c83966623236f5ebf8d9ae2407611
author: oscd.community, Dmitry Uchakin
date: 2020-10-07
modified: 2023-11-30
tags:
    - attack.privilege-escalation
    - attack.t1548.002
logsource:
    category: process_access
    product: windows
detection:
    selection:
        CallTrace|contains: 'editionupgrademanagerobj.dll'
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
GCP Access Policy Deleted
Detects when an access policy that is applied to a GCP cloud resource is deleted. An adversary would be able to remove access policies to gain access to a GCP cloud resource.
status test author Bryan Lim id 32438676-1dba-4ac7-bf69-b86cba995e05
view Sigma YAML 
title: GCP Access Policy Deleted
id: 32438676-1dba-4ac7-bf69-b86cba995e05
status: test
description: |
    Detects when an access policy that is applied to a GCP cloud resource is deleted.
    An adversary would be able to remove access policies to gain access to a GCP cloud resource.
references:
    - https://cloud.google.com/access-context-manager/docs/audit-logging
    - https://cloud.google.com/logging/docs/audit/understanding-audit-logs
    - https://cloud.google.com/logging/docs/reference/audit/auditlog/rest/Shared.Types/AuditLog
author: Bryan Lim
date: 2024-01-12
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1098
logsource:
    product: gcp
    service: gcp.audit
detection:
    selection:
        data.protoPayload.authorizationInfo.permission:
            - 'accesscontextmanager.accessPolicies.delete'
            - 'accesscontextmanager.accessPolicies.accessLevels.delete'
            - 'accesscontextmanager.accessPolicies.accessZones.delete'
            - 'accesscontextmanager.accessPolicies.authorizedOrgsDescs.delete'
        data.protoPayload.authorizationInfo.granted: 'true'
        data.protoPayload.serviceName: 'accesscontextmanager.googleapis.com'
    condition: selection
falsepositives:
    - Legitimate administrative activities
level: medium
medium
GCP Break-glass Container Workload Deployed
Detects the deployment of workloads that are deployed by using the break-glass flag to override Binary Authorization controls.
status test author Bryan Lim id 76737c19-66ee-4c07-b65a-a03301d1573d
view Sigma YAML 
title: GCP Break-glass Container Workload Deployed
id: 76737c19-66ee-4c07-b65a-a03301d1573d
status: test
description: |
    Detects the deployment of workloads that are deployed by using the break-glass flag to override Binary Authorization controls.
references:
    - https://cloud.google.com/binary-authorization
author: Bryan Lim
date: 2024-01-12
tags:
    - attack.privilege-escalation
    - attack.t1548
logsource:
    product: gcp
    service: gcp.audit
detection:
    selection:
        data.protoPayload.resource.type: 'k8s_cluster'
        data.protoPayload.logName:
            - 'cloudaudit.googleapis.com/activity'
            - 'cloudaudit.googleapis.com%2Factivity'
        data.protoPayload.methodName: 'io.k8s.core.v1.pods.create'
    keywords:
        - 'image-policy.k8s.io/break-glass'
    condition: selection and keywords
falsepositives:
    - Unknown
level: medium
medium
GatherNetworkInfo.VBS Reconnaissance Script Output
Detects creation of files which are the results of executing the built-in reconnaissance script "C:\Windows\System32\gatherNetworkInfo.vbs".
status test author Nasreddine Bencherchali (Nextron Systems) id f92a6f1e-a512-4a15-9735-da09e78d7273
view Sigma YAML 
title: GatherNetworkInfo.VBS Reconnaissance Script Output
id: f92a6f1e-a512-4a15-9735-da09e78d7273
related:
    - id: 575dce0c-8139-4e30-9295-1ee75969f7fe # ProcCreation LOLBIN
      type: similar
    - id: 07aa184a-870d-413d-893a-157f317f6f58 # ProcCreation Susp
      type: similar
status: test
description: Detects creation of files which are the results of executing the built-in reconnaissance script "C:\Windows\System32\gatherNetworkInfo.vbs".
references:
    - https://posts.slayerlabs.com/living-off-the-land/#gathernetworkinfovbs
    - https://www.mandiant.com/resources/blog/trojanized-windows-installers-ukrainian-government
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-08
tags:
    - attack.discovery
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|startswith: 'C:\Windows\System32\config'
        TargetFilename|endswith:
            - '\Hotfixinfo.txt'
            - '\netiostate.txt'
            - '\sysportslog.txt'
            - '\VmSwitchLog.evtx'
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
Get-ADUser Enumeration Using UserAccountControl Flags
Detects AS-REP roasting is an attack that is often-overlooked. It is not very common as you have to explicitly set accounts that do not require pre-authentication.
status test author frack113 id 96c982fe-3d08-4df4-bed2-eb14e02f21c8
view Sigma YAML 
title: Get-ADUser Enumeration Using UserAccountControl Flags
id: 96c982fe-3d08-4df4-bed2-eb14e02f21c8
status: test
description: Detects AS-REP roasting is an attack that is often-overlooked. It is not very common as you have to explicitly set accounts that do not require pre-authentication.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.002/T1069.002.md#atomic-test-11---get-aduser-enumeration-using-useraccountcontrol-flags-as-rep-roasting
    - https://shellgeek.com/useraccountcontrol-flags-to-manipulate-properties/
author: frack113
date: 2022-03-17
tags:
    - attack.discovery
    - attack.t1033
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        # 4194304 DONT_REQ_PREAUTH
        ScriptBlockText|contains|all:
            - 'Get-ADUser'
            - '-Filter'
            - 'useraccountcontrol'
            - '-band'
            - '4194304'
    condition: selection
falsepositives:
    - Legitimate PowerShell scripts
level: medium
medium
Github Delete Action Invoked
Detects delete action in the Github audit logs for codespaces, environment, project and repo.
status test author Muhammad Faisal (@faisalusuf) id 16a71777-0b2e-4db7-9888-9d59cb75200b
view Sigma YAML 
title: Github Delete Action Invoked
id: 16a71777-0b2e-4db7-9888-9d59cb75200b
status: test
description: Detects delete action in the Github audit logs for codespaces, environment, project and repo.
author: Muhammad Faisal (@faisalusuf)
date: 2023-01-19
modified: 2026-03-09
references:
    - https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#audit-log-actions
    - https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/security-log-events#codespaces
tags:
    - attack.impact
    - attack.collection
    - attack.t1213.003
logsource:
    product: github
    service: audit
    definition: 'Requirements: The audit log streaming feature must be enabled to be able to receive such logs. You can enable following the documentation here: https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-audit-log-streaming'
detection:
    selection:
        action:
            - 'codespaces.destroy'
            - 'environment.delete'
            - 'project.delete'
            - 'repo.destroy'
    condition: selection
falsepositives:
    - Validate the deletion activity is permitted. The "actor" field need to be validated.
level: medium
medium
Github Fork Private Repositories Setting Enabled/Cleared
Detects when the policy allowing forks of private and internal repositories is changed (enabled or cleared).
status test author Romain Gaillard (@romain-gaillard) id 69b3bd1e-b38a-462f-9a23-fbdbf63d2294
view Sigma YAML 
title: Github Fork Private Repositories Setting Enabled/Cleared
id: 69b3bd1e-b38a-462f-9a23-fbdbf63d2294
status: test
description: |
    Detects when the policy allowing forks of private and internal repositories is changed (enabled or cleared).
references:
    - https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#private_repository_forking
author: Romain Gaillard (@romain-gaillard)
date: 2024-07-29
tags:
    - attack.persistence
    - attack.exfiltration
    - attack.t1020
    - attack.t1537
logsource:
    product: github
    service: audit
    definition: 'Requirements: The audit log streaming feature must be enabled to be able to receive such logs. You can enable following the documentation here: https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-audit-log-streaming'
detection:
    selection:
        action:
            - 'private_repository_forking.clear' # An enterprise owner cleared the policy setting for allowing forks of private and internal repositories, for a repository, organization or enterprise.
            - 'private_repository_forking.enable' # An enterprise owner enabled the policy setting for allowing forks of private and internal repositories, for a repository, organization or enterprise. Private and internal repositories are always allowed to be forked.
    condition: selection
falsepositives:
    - Allowed administrative activities.
level: medium
medium
Github Outside Collaborator Detected
Detects when an organization member or an outside collaborator is added to or removed from a project board or has their permission level changed or when an owner removes an outside collaborator from an organization or when two-factor authentication is required in an organization and an outside collaborator does not use 2FA or disables 2FA.
status test author Muhammad Faisal (@faisalusuf) id eaa9ac35-1730-441f-9587-25767bde99d7
view Sigma YAML 
title: Github Outside Collaborator Detected
id: eaa9ac35-1730-441f-9587-25767bde99d7
status: test
description: |
    Detects when an organization member or an outside collaborator is added to or removed from a project board or has their permission level changed or when an owner removes an outside collaborator from an organization or when two-factor authentication is required in an organization and an outside collaborator does not use 2FA or disables 2FA.
author: Muhammad Faisal (@faisalusuf)
date: 2023-01-20
references:
    - https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#audit-log-actions
    - https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.collection
    - attack.t1098.001
    - attack.t1098.003
    - attack.t1213.003
logsource:
    product: github
    service: audit
    definition: 'Requirements: The audit log streaming feature must be enabled to be able to receive such logs. You can enable following the documentation here: https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-audit-log-streaming'
detection:
    selection:
        action:
            - 'org.remove_outside_collaborator'
            - 'project.update_user_permission'
    condition: selection
falsepositives:
    - Validate the actor if permitted to access the repo.
    - Validate the Multifactor Authentication changes.
level: medium
medium
Github Repository/Organization Transferred
Detects when a repository or an organization is being transferred to another location.
status test author Romain Gaillard (@romain-gaillard) id 04ad83ef-1a37-4c10-b57a-81092164bf33
view Sigma YAML 
title: Github Repository/Organization Transferred
id: 04ad83ef-1a37-4c10-b57a-81092164bf33
status: test
description: Detects when a repository or an organization is being transferred to another location.
references:
    - https://docs.github.com/en/repositories/creating-and-managing-repositories/transferring-a-repository
    - https://docs.github.com/en/organizations/managing-organization-settings/transferring-organization-ownership
    - https://docs.github.com/en/migrations
    - https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#migration
author: Romain Gaillard (@romain-gaillard)
date: 2024-07-29
tags:
    - attack.persistence
    - attack.exfiltration
    - attack.t1020
    - attack.t1537
logsource:
    product: github
    service: audit
    definition: 'Requirements: The audit log streaming feature must be enabled to be able to receive such logs. You can enable following the documentation here: https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-audit-log-streaming'
detection:
    selection:
        action:
            - 'migration.create' # A migration file was created for transferring data from a source location (such as a GitHub.com organization or a GitHub Enterprise Server instance) to a target GitHub Enterprise Server instance.
            - 'org.transfer_outgoing' # An organization was transferred between enterprise accounts.
            - 'org.transfer' # An organization was transferred between enterprise accounts.
            - 'repo.transfer_outgoing' # A repository was transferred to another repository network.
    condition: selection
falsepositives:
    - Allowed administrative activities.
level: medium
medium
Github SSH Certificate Configuration Changed
Detects when changes are made to the SSH certificate configuration of the organization.
status test author Romain Gaillard (@romain-gaillard) id 2f575940-d85e-4ddc-af13-17dad6f1a0ef
view Sigma YAML 
title: Github SSH Certificate Configuration Changed
id: 2f575940-d85e-4ddc-af13-17dad6f1a0ef
status: test
description: Detects when changes are made to the SSH certificate configuration of the organization.
references:
    - https://docs.github.com/en/enterprise-cloud@latest/organizations/managing-git-access-to-your-organizations-repositories/about-ssh-certificate-authorities
    - https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#ssh_certificate_authority
author: Romain Gaillard (@romain-gaillard)
date: 2024-07-29
tags:
    - attack.initial-access
    - attack.persistence
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1078.004
logsource:
    product: github
    service: audit
    definition: 'Requirements: The audit log streaming feature must be enabled to be able to receive such logs. You can enable following the documentation here: https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-audit-log-streaming'
detection:
    selection:
        action:
            - 'ssh_certificate_authority.create' # An SSH certificate authority for an organization or enterprise was created.
            - 'ssh_certificate_requirement.disable' # The requirement for members to use SSH certificates to access an organization resources was disabled.
    condition: selection
falsepositives:
    - Allowed administrative activities.
level: medium
medium
Github Self-Hosted Runner Execution
Detects GitHub self-hosted runners executing workflows on local infrastructure that could be abused for persistence and code execution. Shai-Hulud is an npm supply chain worm targeting CI/CD environments. It installs runners on compromised systems to maintain access after credential theft, leveraging their access to secrets and internal networks.
status test author Daniel Koifman (KoifSec) id 5bac7a56-da88-4c27-922e-c81e113b20cb
view Sigma YAML 
title: Github Self-Hosted Runner Execution
id: 5bac7a56-da88-4c27-922e-c81e113b20cb
status: test
description: |
    Detects GitHub self-hosted runners executing workflows on local infrastructure that could be abused for persistence and code execution.
    Shai-Hulud is an npm supply chain worm targeting CI/CD environments.
    It installs runners on compromised systems to maintain access after credential theft, leveraging their access to secrets and internal networks.
references:
    - https://about.gitlab.com/blog/gitlab-discovers-widespread-npm-supply-chain-attack/
    - https://securitylabs.datadoghq.com/articles/shai-hulud-2.0-npm-worm/
author: Daniel Koifman (KoifSec)
date: 2025-11-29
tags:
    - attack.command-and-control
    - attack.t1102.002
    - attack.t1071
logsource:
    category: process_creation
    product: windows
detection:
    selection_worker_img:  # Example command C:\Users\Lab\actions-runner\bin\Runner.Worker.exe spawnclient 1288 1252
        - Image|endswith: '\Runner.Worker.exe'
        - OriginalFileName: 'Runner.Worker.dll'
    selection_worker_cli:
        CommandLine|contains: 'spawnclient'
    selection_listener_img: # Example command C:\Users\Lab\actions-runner\bin\Runner.Listener.exe  configure --url https://github.com/ABC/ABC --token 123123
        - Image|endswith: '\Runner.Listener.exe'
        - OriginalFileName: 'Runner.Listener.dll'
    selection_listener_cli:
        CommandLine|contains:
            - 'run'
            - 'configure'
    condition: all of selection_worker_* or all of selection_listener_*
falsepositives:
    - Legitimate GitHub self-hosted runner installations on designated CI/CD infrastructure
    - Authorized runner deployments by DevOps/Platform teams following change management
    - Scheduled runner updates or reconfigurations on existing build agents
    - Self-hosted runners that follow expected/known naming patterns
    - Installation via expected/known configuration management tools (reflected mostly as parent process name)
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_github_self_hosted_runner/info.yml
medium
GoToAssist Temporary Installation Artefact
An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
status test author frack113 id 5d756aee-ad3e-4306-ad95-cb1abec48de2
view Sigma YAML 
title: GoToAssist Temporary Installation Artefact
id: 5d756aee-ad3e-4306-ad95-cb1abec48de2
status: test
description: |
    An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
    These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
    Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-4---gotoassist-files-detected-test-on-windows
author: frack113
date: 2022-02-13
tags:
    - attack.command-and-control
    - attack.t1219.002
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|contains: '\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Expert\'
    condition: selection
falsepositives:
    - Legitimate use
level: medium
medium
Google Cloud DNS Zone Modified or Deleted
Identifies when a DNS Zone is modified or deleted in Google Cloud.
status test author Austin Songer @austinsonger id 28268a8f-191f-4c17-85b2-f5aa4fa829c3
view Sigma YAML 
title: Google Cloud DNS Zone Modified or Deleted
id: 28268a8f-191f-4c17-85b2-f5aa4fa829c3
status: test
description: Identifies when a DNS Zone is modified or deleted in Google Cloud.
references:
    - https://cloud.google.com/dns/docs/reference/v1/managedZones
author: Austin Songer @austinsonger
date: 2021-08-15
modified: 2022-10-09
tags:
    - attack.impact
logsource:
    product: gcp
    service: gcp.audit
detection:
    selection:
        gcp.audit.method_name:
            - Dns.ManagedZones.Delete
            - Dns.ManagedZones.Update
            - Dns.ManagedZones.Patch
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
Google Cloud Firewall Modified or Deleted
Detects when a firewall rule is modified or deleted in Google Cloud Platform (GCP).
status test author Austin Songer @austinsonger id fe513c69-734c-4d4a-8548-ac5f609be82b
view Sigma YAML 
title: Google Cloud Firewall Modified or Deleted
id: fe513c69-734c-4d4a-8548-ac5f609be82b
status: test
description: Detects  when a firewall rule is modified or deleted in Google Cloud Platform (GCP).
references:
    - https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging
    - https://developers.google.com/resources/api-libraries/documentation/compute/v1/java/latest/com/google/api/services/compute/Compute.Firewalls.html
author: Austin Songer @austinsonger
date: 2021-08-13
modified: 2022-10-09
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    product: gcp
    service: gcp.audit
detection:
    selection:
        gcp.audit.method_name:
            - v*.Compute.Firewalls.Delete
            - v*.Compute.Firewalls.Patch
            - v*.Compute.Firewalls.Update
            - v*.Compute.Firewalls.Insert
    condition: selection
falsepositives:
    - Firewall rules being modified or deleted may be performed by a system administrator. Verify that the firewall configuration change was expected.
    - Exceptions can be added to this rule to filter expected behavior.
level: medium
medium
Google Cloud Kubernetes Admission Controller
Identifies when an admission controller is executed in GCP Kubernetes. A Kubernetes Admission controller intercepts, and possibly modifies, requests to the Kubernetes API server. The behavior of this admission controller is determined by an admission webhook (MutatingAdmissionWebhook or ValidatingAdmissionWebhook) that the user deploys in the cluster. An adversary can use such webhooks as the MutatingAdmissionWebhook for obtaining persistence in the cluster. For example, attackers can intercept and modify the pod creation operations in the cluster and add their malicious container to every created pod. An adversary can use the webhook ValidatingAdmissionWebhook, which could be used to obtain access credentials. An adversary could use the webhook to intercept the requests to the API server, record secrets, and other sensitive information.
status test author Austin Songer @austinsonger id 6ad91e31-53df-4826-bd27-0166171c8040
view Sigma YAML 
title: Google Cloud Kubernetes Admission Controller
id: 6ad91e31-53df-4826-bd27-0166171c8040
status: test
description: |
  Identifies when an admission controller is executed in GCP Kubernetes.
  A Kubernetes Admission controller intercepts, and possibly modifies, requests to the Kubernetes API server.
  The behavior of this admission controller is determined by an admission webhook (MutatingAdmissionWebhook or ValidatingAdmissionWebhook) that the user deploys in the cluster.
  An adversary can use such webhooks as the MutatingAdmissionWebhook for obtaining persistence in the cluster.
  For example, attackers can intercept and modify the pod creation operations in the cluster and add their malicious container to every created pod. An adversary can use the webhook ValidatingAdmissionWebhook, which could be used to obtain access credentials.
  An adversary could use the webhook to intercept the requests to the API server, record secrets, and other sensitive information.
references:
    - https://cloud.google.com/kubernetes-engine/docs
author: Austin Songer @austinsonger
date: 2021-11-25
modified: 2022-12-18
tags:
    - attack.privilege-escalation
    - attack.initial-access
    - attack.persistence
    - attack.stealth
    - attack.t1078
    - attack.credential-access
    - attack.t1552
    - attack.t1552.007
logsource:
    product: gcp
    service: gcp.audit
detection:
    selection:
        gcp.audit.method_name|startswith: 'admissionregistration.k8s.io.v'
        gcp.audit.method_name|contains:
            - '.mutatingwebhookconfigurations.'
            - '.validatingwebhookconfigurations.'
        gcp.audit.method_name|endswith:
            - 'create'
            - 'patch'
            - 'replace'
    condition: selection
falsepositives:
    - Google Cloud Kubernetes Admission Controller may be done by a system administrator.
    - If known behavior is causing false positives, it can be exempted from the rule.
level: medium
medium
Google Cloud Kubernetes CronJob
Identifies when a Google Cloud Kubernetes CronJob runs in Azure Cloud. Kubernetes Job is a controller that creates one or more pods and ensures that a specified number of them successfully terminate. Kubernetes Job can be used to run containers that perform finite tasks for batch jobs. Kubernetes CronJob is used to schedule Jobs. An Adversary may use Kubernetes CronJob for scheduling execution of malicious code that would run as a container in the cluster.
status test author Austin Songer @austinsonger id cd3a808c-c7b7-4c50-a2f3-f4cfcd436435
view Sigma YAML 
title: Google Cloud Kubernetes CronJob
id: cd3a808c-c7b7-4c50-a2f3-f4cfcd436435
status: test
description: |
    Identifies when a Google Cloud Kubernetes CronJob runs in Azure Cloud. Kubernetes Job is a controller that creates one or more pods and ensures that a specified number of them successfully terminate.
    Kubernetes Job can be used to run containers that perform finite tasks for batch jobs. Kubernetes CronJob is used to schedule Jobs.
    An Adversary may use Kubernetes CronJob for scheduling execution of malicious code that would run as a container in the cluster.
references:
    - https://cloud.google.com/kubernetes-engine/docs
    - https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/
    - https://kubernetes.io/docs/concepts/workloads/controllers/job/
author: Austin Songer @austinsonger
date: 2021-11-22
modified: 2022-12-25
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
logsource:
    product: gcp
    service: gcp.audit
detection:
    selection:
        gcp.audit.method_name:
            - io.k8s.api.batch.v*.Job
            - io.k8s.api.batch.v*.CronJob
    condition: selection
falsepositives:
    - Google Cloud Kubernetes CronJob/Job may be done by a system administrator.
    - If known behavior is causing false positives, it can be exempted from the rule.
level: medium
medium
Google Cloud Kubernetes RoleBinding
Detects the creation or patching of potential malicious RoleBinding. This includes RoleBindings and ClusterRoleBinding.
status test author Austin Songer @austinsonger id 0322d9f2-289a-47c2-b5e1-b63c90901a3e
view Sigma YAML 
title: Google Cloud Kubernetes RoleBinding
id: 0322d9f2-289a-47c2-b5e1-b63c90901a3e
status: test
description: Detects the creation or patching of potential malicious RoleBinding. This includes RoleBindings and ClusterRoleBinding.
references:
    - https://github.com/elastic/detection-rules/pull/1267
    - https://kubernetes.io/docs/reference/kubernetes-api/authorization-resources/cluster-role-v1/#ClusterRole
    - https://cloud.google.com/kubernetes-engine/docs/how-to/role-based-access-control
    - https://kubernetes.io/docs/reference/access-authn-authz/rbac/
    - https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging
author: Austin Songer @austinsonger
date: 2021-08-09
modified: 2022-10-09
tags:
    - attack.credential-access
logsource:
    product: gcp
    service: gcp.audit
detection:
    selection:
        gcp.audit.method_name:
            - io.k8s.authorization.rbac.v*.clusterrolebindings.create
            - io.k8s.authorization.rbac.v*.rolebindings.create
            - io.k8s.authorization.rbac.v*.clusterrolebindings.patch
            - io.k8s.authorization.rbac.v*.rolebindings.patch
            - io.k8s.authorization.rbac.v*.clusterrolebindings.update
            - io.k8s.authorization.rbac.v*.rolebindings.update
            - io.k8s.authorization.rbac.v*.clusterrolebindings.delete
            - io.k8s.authorization.rbac.v*.rolebindings.delete
    condition: selection
falsepositives:
    - RoleBindings and ClusterRoleBinding being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
    - RoleBindings and ClusterRoleBinding modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: medium
medium
Google Cloud Kubernetes Secrets Modified or Deleted
Identifies when the Secrets are Modified or Deleted.
status test author Austin Songer @austinsonger id 2f0bae2d-bf20-4465-be86-1311addebaa3
view Sigma YAML 
title: Google Cloud Kubernetes Secrets Modified or Deleted
id: 2f0bae2d-bf20-4465-be86-1311addebaa3
status: test
description: Identifies when the Secrets are Modified or Deleted.
references:
    - https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging
author: Austin Songer @austinsonger
date: 2021-08-09
modified: 2022-10-09
tags:
    - attack.credential-access
logsource:
    product: gcp
    service: gcp.audit
detection:
    selection:
        gcp.audit.method_name:
            - io.k8s.core.v*.secrets.create
            - io.k8s.core.v*.secrets.update
            - io.k8s.core.v*.secrets.patch
            - io.k8s.core.v*.secrets.delete
    condition: selection
falsepositives:
    - Secrets being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
    - Secrets modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: medium
medium
Google Cloud Re-identifies Sensitive Information
Identifies when sensitive information is re-identified in google Cloud.
status test author Austin Songer @austinsonger id 234f9f48-904b-4736-a34c-55d23919e4b7
view Sigma YAML 
title: Google Cloud Re-identifies Sensitive Information
id: 234f9f48-904b-4736-a34c-55d23919e4b7
status: test
description: Identifies when sensitive information is re-identified in google Cloud.
references:
    - https://cloud.google.com/dlp/docs/reference/rest/v2/projects.content/reidentify
author: Austin Songer @austinsonger
date: 2021-08-15
modified: 2022-10-09
tags:
    - attack.impact
    - attack.t1565
logsource:
    product: gcp
    service: gcp.audit
detection:
    selection:
        gcp.audit.method_name: projects.content.reidentify
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
Google Cloud SQL Database Modified or Deleted
Detect when a Cloud SQL DB has been modified or deleted.
status test author Austin Songer @austinsonger id f346bbd5-2c4e-4789-a221-72de7685090d
view Sigma YAML 
title: Google Cloud SQL Database Modified or Deleted
id: f346bbd5-2c4e-4789-a221-72de7685090d
status: test
description: Detect when a Cloud SQL DB has been modified or deleted.
references:
    - https://cloud.google.com/sql/docs/mysql/admin-api/rest/v1beta4/users/update
author: Austin Songer @austinsonger
date: 2021-10-15
modified: 2022-12-25
tags:
    - attack.impact
logsource:
    product: gcp
    service: gcp.audit
detection:
    selection:
        gcp.audit.method_name:
            - cloudsql.instances.create
            - cloudsql.instances.delete
            - cloudsql.users.update
            - cloudsql.users.delete
    condition: selection
falsepositives:
    - SQL Database being modified or deleted may be performed by a system administrator.
    - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
    - SQL Database modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: medium
medium
Google Cloud Service Account Disabled or Deleted
Identifies when a service account is disabled or deleted in Google Cloud.
status test author Austin Songer @austinsonger id 13f81a90-a69c-4fab-8f07-b5bb55416a9f
view Sigma YAML 
title: Google Cloud Service Account Disabled or Deleted
id: 13f81a90-a69c-4fab-8f07-b5bb55416a9f
status: test
description: Identifies when a service account is disabled or deleted in Google Cloud.
references:
    - https://cloud.google.com/iam/docs/reference/rest/v1/projects.serviceAccounts
author: Austin Songer @austinsonger
date: 2021-08-14
modified: 2022-10-09
tags:
    - attack.impact
    - attack.t1531
logsource:
    product: gcp
    service: gcp.audit
detection:
    selection:
        gcp.audit.method_name|endswith:
            - .serviceAccounts.disable
            - .serviceAccounts.delete
    condition: selection
falsepositives:
    - Service Account being disabled or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
    - Service Account disabled or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: medium
medium
Google Cloud Service Account Modified
Identifies when a service account is modified in Google Cloud.
status test author Austin Songer @austinsonger id 6b67c12e-5e40-47c6-b3b0-1e6b571184cc
view Sigma YAML 
title: Google Cloud Service Account Modified
id: 6b67c12e-5e40-47c6-b3b0-1e6b571184cc
status: test
description: Identifies when a service account is modified in Google Cloud.
references:
    - https://cloud.google.com/iam/docs/reference/rest/v1/projects.serviceAccounts
author: Austin Songer @austinsonger
date: 2021-08-14
modified: 2022-10-09
tags:
    - attack.impact
logsource:
    product: gcp
    service: gcp.audit
detection:
    selection:
        gcp.audit.method_name|endswith:
            - .serviceAccounts.patch
            - .serviceAccounts.create
            - .serviceAccounts.update
            - .serviceAccounts.enable
            - .serviceAccounts.undelete
    condition: selection
falsepositives:
    - Service Account being modified may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
    - Service Account modified from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: medium
medium
Google Cloud Storage Buckets Modified or Deleted
Detects when storage bucket is modified or deleted in Google Cloud.
status test author Austin Songer @austinsonger id 4d9f2ee2-c903-48ab-b9c1-8c0f474913d0
view Sigma YAML 
title: Google Cloud Storage Buckets Modified or Deleted
id: 4d9f2ee2-c903-48ab-b9c1-8c0f474913d0
status: test
description: Detects when storage bucket is modified or deleted in Google Cloud.
references:
    - https://cloud.google.com/storage/docs/json_api/v1/buckets
author: Austin Songer @austinsonger
date: 2021-08-14
modified: 2022-10-09
tags:
    - attack.impact
logsource:
    product: gcp
    service: gcp.audit
detection:
    selection:
        gcp.audit.method_name:
            - storage.buckets.delete
            - storage.buckets.insert
            - storage.buckets.update
            - storage.buckets.patch
    condition: selection
falsepositives:
    - Storage Buckets being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
    - Storage Buckets modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: medium
medium
Google Cloud VPN Tunnel Modified or Deleted
Identifies when a VPN Tunnel Modified or Deleted in Google Cloud.
status test author Austin Songer @austinsonger id 99980a85-3a61-43d3-ac0f-b68d6b4797b1
view Sigma YAML 
title: Google Cloud VPN Tunnel Modified or Deleted
id: 99980a85-3a61-43d3-ac0f-b68d6b4797b1
status: test
description: Identifies when a VPN Tunnel Modified or Deleted in Google Cloud.
references:
    - https://any-api.com/googleapis_com/compute/docs/vpnTunnels
author: Austin Songer @austinsonger
date: 2021-08-16
modified: 2022-10-09
tags:
    - attack.impact
logsource:
    product: gcp
    service: gcp.audit
detection:
    selection:
        gcp.audit.method_name:
            - compute.vpnTunnels.insert
            - compute.vpnTunnels.delete
    condition: selection
falsepositives:
    - VPN Tunnel being modified or deleted may be performed by a system administrator.
    - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
    - VPN Tunnel modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: medium
medium
Google Full Network Traffic Packet Capture
Identifies potential full network packet capture in gcp. This feature can potentially be abused to read sensitive data from unencrypted internal traffic.
status test author Austin Songer @austinsonger id 980a7598-1e7f-4962-9372-2d754c930d0e
view Sigma YAML 
title: Google Full Network Traffic Packet Capture
id: 980a7598-1e7f-4962-9372-2d754c930d0e
status: test
description: Identifies potential full network packet capture in gcp. This feature can potentially be abused to read sensitive data from unencrypted internal traffic.
references:
    - https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging
    - https://developers.google.com/resources/api-libraries/documentation/compute/v1/java/latest/com/google/api/services/compute/Compute.PacketMirrorings.html
author: Austin Songer @austinsonger
date: 2021-08-13
modified: 2022-10-09
tags:
    - attack.collection
    - attack.t1074
logsource:
    product: gcp
    service: gcp.audit
detection:
    selection:
        gcp.audit.method_name:
            - v*.Compute.PacketMirrorings.Get
            - v*.Compute.PacketMirrorings.Delete
            - v*.Compute.PacketMirrorings.Insert
            - v*.Compute.PacketMirrorings.Patch
            - v*.Compute.PacketMirrorings.List
            - v*.Compute.PacketMirrorings.aggregatedList
    condition: selection
falsepositives:
    - Full Network Packet Capture may be done by a system or network administrator.
    - If known behavior is causing false positives, it can be exempted from the rule.
level: medium
medium
Google Workspace Application Access Level Modified
Detects when an access level is changed for a Google workspace application. An access level is part of BeyondCorp Enterprise which is Google Workspace's way of enforcing Zero Trust model. An adversary would be able to remove access levels to gain easier access to Google workspace resources.
status test author Bryan Lim id 22f2fb54-5312-435d-852f-7c74f81684ca
view Sigma YAML 
title: Google Workspace Application Access Level Modified
id: 22f2fb54-5312-435d-852f-7c74f81684ca
status: test
description: |
    Detects when an access level is changed for a Google workspace application.
    An access level is part of BeyondCorp Enterprise which is Google Workspace's way of enforcing Zero Trust model.
    An adversary would be able to remove access levels to gain easier access to Google workspace resources.
references:
    - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-application-settings
    - https://support.google.com/a/answer/9261439
author: Bryan Lim
date: 2024-01-12
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1098.003
logsource:
    product: gcp
    service: google_workspace.admin
detection:
    selection:
        eventService: 'admin.googleapis.com'
        eventName: 'CHANGE_APPLICATION_SETTING'
        setting_name|startswith: 'ContextAwareAccess'
    condition: selection
falsepositives:
    - Legitimate administrative activities changing the access levels for an application
level: medium
medium
Google Workspace Application Removed
Detects when an an application is removed from Google Workspace.
status test author Austin Songer id ee2803f0-71c8-4831-b48b-a1fc57601ee4
view Sigma YAML 
title: Google Workspace Application Removed
id: ee2803f0-71c8-4831-b48b-a1fc57601ee4
status: test
description: Detects when an an application is removed from Google Workspace.
references:
    - https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3
    - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings?hl=en#REMOVE_APPLICATION
    - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings?hl=en#REMOVE_APPLICATION_FROM_WHITELIST
author: Austin Songer
date: 2021-08-26
modified: 2023-10-11
tags:
    - attack.impact
logsource:
    product: gcp
    service: google_workspace.admin
detection:
    selection:
        eventService: admin.googleapis.com
        eventName:
            - REMOVE_APPLICATION
            - REMOVE_APPLICATION_FROM_WHITELIST
    condition: selection
falsepositives:
    - Application being removed may be performed by a System Administrator.
level: medium
medium
Google Workspace Government Attack Warning
Detects a login attempt in Google Workspace flagged as a potential attack by a government-backed threat actor
status experimental author Tom Kluter id eafe6f2b-cfec-4612-aec2-49563c33a087
view Sigma YAML 
title: Google Workspace Government Attack Warning
id: eafe6f2b-cfec-4612-aec2-49563c33a087
status: experimental
description: Detects a login attempt in Google Workspace flagged as a potential attack by a government-backed threat actor
references:
    - https://cloud.google.com/logging/docs/audit/gsuite-audit-logging
    - https://cloud.google.com/logging/docs/audit/understanding-audit-logs
    - https://developers.google.com/workspace/admin/reports/v1/appendix/activity/login#gov_attack_warning
author: Tom Kluter
date: 2026-04-28
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.initial-access
    - attack.impact
    - attack.stealth
    - attack.t1078
logsource:
    product: gcp
    service: google_workspace.login
detection:
    selection:
        protoPayload.serviceName: 'login.googleapis.com'
        protoPayload.metadata.event.eventName: 'gov_attack_warning'
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
Google Workspace Granted Domain API Access
Detects when an API access service account is granted domain authority.
status test author Austin Songer id 04e2a23a-9b29-4a5c-be3a-3542e3f982ba
view Sigma YAML 
title: Google Workspace Granted Domain API Access
id: 04e2a23a-9b29-4a5c-be3a-3542e3f982ba
status: test
description: Detects when an API access service account is granted domain authority.
references:
    - https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3
    - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings#AUTHORIZE_API_CLIENT_ACCESS
author: Austin Songer
date: 2021-08-23
modified: 2023-10-11
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1098
logsource:
    product: gcp
    service: google_workspace.admin
detection:
    selection:
        eventService: admin.googleapis.com
        eventName: AUTHORIZE_API_CLIENT_ACCESS
    condition: selection
falsepositives:
    - Unknown

level: medium
medium
Google Workspace MFA Disabled
Detects when multi-factor authentication (MFA) is disabled.
status test author Austin Songer id 780601d1-6376-4f2a-884e-b8d45599f78c
view Sigma YAML 
title: Google Workspace MFA Disabled
id: 780601d1-6376-4f2a-884e-b8d45599f78c
status: test
description: Detects when multi-factor authentication (MFA) is disabled.
references:
    - https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3
    - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings#ENFORCE_STRONG_AUTHENTICATION
    - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings?hl=en#ALLOW_STRONG_AUTHENTICATION
author: Austin Songer
date: 2021-08-26
modified: 2023-10-11
tags:
    - attack.impact
logsource:
    product: gcp
    service: google_workspace.admin
detection:
    selection_base:
        eventService: admin.googleapis.com
        eventName:
            - ENFORCE_STRONG_AUTHENTICATION
            - ALLOW_STRONG_AUTHENTICATION
    selection_eventValue:
        new_value: 'false'
    condition: all of selection*
falsepositives:
    - MFA may be disabled and performed by a system administrator.
level: medium
medium
Google Workspace Out Of Domain Email Forwarding
Detects automatic email forwarding to external domains in Google Workspace, which may indicate data leakage or misuse.
status experimental author Tom kluter id 2a0bb2dd-eb5f-4517-8cb9-404f8ba764a5
view Sigma YAML 
title: Google Workspace Out Of Domain Email Forwarding
id: 2a0bb2dd-eb5f-4517-8cb9-404f8ba764a5
status: experimental
description: Detects automatic email forwarding to external domains in Google Workspace, which may indicate data leakage or misuse.
references:
    - https://developers.google.com/workspace/admin/reports/v1/appendix/activity/login#email_forwarding_out_of_domain
author: Tom kluter
date: 2026-04-28
tags:
    - attack.t1114.003
    - attack.collection
logsource:
    product: gcp
    service: google_workspace.login
detection:
    selection:
        protoPayload.serviceName: 'login.googleapis.com'
        protoPayload.metadata.event.eventName: 'email_forwarding_out_of_domain'
    condition: selection
falsepositives:
    - Legitimate forwarding
level: medium
medium
Google Workspace Role Modified or Deleted
Detects when an a role is modified or deleted in Google Workspace.
status test author Austin Songer id 6aef64e3-60c6-4782-8db3-8448759c714e
view Sigma YAML 
title: Google Workspace Role Modified or Deleted
id: 6aef64e3-60c6-4782-8db3-8448759c714e
status: test
description: Detects when an a role is modified or deleted in Google Workspace.
references:
    - https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3
    - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings
author: Austin Songer
date: 2021-08-24
modified: 2023-10-11
tags:
    - attack.impact
logsource:
    product: gcp
    service: google_workspace.admin
detection:
    selection:
        eventService: admin.googleapis.com
        eventName:
            - DELETE_ROLE
            - RENAME_ROLE
            - UPDATE_ROLE
    condition: selection
falsepositives:
    - Unknown

level: medium
medium
Google Workspace Role Privilege Deleted
Detects when an a role privilege is deleted in Google Workspace.
status test author Austin Songer id bf638ef7-4d2d-44bb-a1dc-a238252e6267
view Sigma YAML 
title: Google Workspace Role Privilege Deleted
id: bf638ef7-4d2d-44bb-a1dc-a238252e6267
status: test
description: Detects when an a role privilege is deleted in Google Workspace.
references:
    - https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3
    - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings
author: Austin Songer
date: 2021-08-24
modified: 2023-10-11
tags:
    - attack.impact
logsource:
    product: gcp
    service: google_workspace.admin
detection:
    selection:
        eventService: admin.googleapis.com
        eventName: REMOVE_PRIVILEGE
    condition: selection
falsepositives:
    - Unknown

level: medium
Showing 351-400 of 1,345
Prev 8 Next
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin