Home/Sigma rules
Sigma

Sigma detection rules

102 rules indexed · SIEM-agnostic detection content
Sigma is the open generic signature format for SIEM systems. Each rule below converts to native syntax for Splunk, Elastic, Sentinel, and other SIEMs. Expand any rule to see its raw YAML.
Severity critical high medium low all severities

Detection rules

50 shown of 102
critical
Win Susp Computer Name Containing Samtheadmin
Detects suspicious computer name samtheadmin-{1..100}$ generated by hacktool
status test author elhoim id 39698b3f-da92-4bc6-bfb5-645a98386e45
view Sigma YAML 
title: Win Susp Computer Name Containing Samtheadmin
id: 39698b3f-da92-4bc6-bfb5-645a98386e45
status: test
description: Detects suspicious computer name samtheadmin-{1..100}$ generated by hacktool
references:
    - https://twitter.com/malmoeb/status/1511760068743766026
    - https://github.com/helloexp/0day/blob/614227a7b9beb0e91e7e2c6a5e532e6f7a8e883c/00-CVE_EXP/CVE-2021-42287/sam-the-admin/sam_the_admin.py
author: elhoim
date: 2022-09-09
modified: 2023-01-04
tags:
    - attack.initial-access
    - cve.2021-42278
    - cve.2021-42287
    - attack.persistence
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1078
logsource:
    service: security
    product: windows
detection:
    # Not adding an EventID on purpose to try to match on any event in security (including use of account), not just 4741 (computer account created)
    selection1:
        SamAccountName|startswith: 'SAMTHEADMIN-'
        SamAccountName|endswith: '$'
    selection2:
        TargetUserName|startswith: 'SAMTHEADMIN-'
        TargetUserName|endswith: '$'
    condition: 1 of selection*
falsepositives:
    - Unknown
level: critical
high
AWS IAM S3Browser LoginProfile Creation
Detects S3 Browser utility performing reconnaissance looking for existing IAM Users without a LoginProfile defined then (when found) creating a LoginProfile.
status test author daniel.bohannon@permiso.io (@danielhbohannon) id db014773-b1d3-46bd-ba26-133337c0ffee
view Sigma YAML 
title: AWS IAM S3Browser LoginProfile Creation
id: db014773-b1d3-46bd-ba26-133337c0ffee
status: test
description: Detects S3 Browser utility performing reconnaissance looking for existing IAM Users without a LoginProfile defined then (when found) creating a LoginProfile.
references:
    - https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor
author: daniel.bohannon@permiso.io (@danielhbohannon)
date: 2023-05-17
tags:
    - attack.execution
    - attack.persistence
    - attack.initial-access
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1059.009
    - attack.t1078.004
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        eventSource: 'iam.amazonaws.com'
        eventName:
            - 'GetLoginProfile'
            - 'CreateLoginProfile'
        userAgent|contains: 'S3 Browser'
    condition: selection
falsepositives:
    - Valid usage of S3 Browser for IAM LoginProfile listing and/or creation
level: high
high
AWS IAM S3Browser Templated S3 Bucket Policy Creation
Detects S3 browser utility creating Inline IAM policy containing default S3 bucket name placeholder value of "<YOUR-BUCKET-NAME>".
status test author daniel.bohannon@permiso.io (@danielhbohannon) id db014773-7375-4f4e-b83b-133337c0ffee
view Sigma YAML 
title: AWS IAM S3Browser Templated S3 Bucket Policy Creation
id: db014773-7375-4f4e-b83b-133337c0ffee
status: test
description: Detects S3 browser utility creating Inline IAM policy containing default S3 bucket name placeholder value of "<YOUR-BUCKET-NAME>".
references:
    - https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor
author: daniel.bohannon@permiso.io (@danielhbohannon)
date: 2023-05-17
tags:
    - attack.execution
    - attack.stealth
    - attack.t1059.009
    - attack.persistence
    - attack.initial-access
    - attack.privilege-escalation
    - attack.t1078.004
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        eventSource: iam.amazonaws.com
        eventName: PutUserPolicy
        userAgent|contains: 'S3 Browser'
        requestParameters|contains|all:
            - '"arn:aws:s3:::<YOUR-BUCKET-NAME>/*"'
            - '"s3:GetObject"'
            - '"Allow"'
    condition: selection
falsepositives:
    - Valid usage of S3 browser with accidental creation of default Inline IAM policy without changing default S3 bucket name placeholder value
level: high
high
AWS IAM S3Browser User or AccessKey Creation
Detects S3 Browser utility creating IAM User or AccessKey.
status test author daniel.bohannon@permiso.io (@danielhbohannon) id db014773-d9d9-4792-91e5-133337c0ffee
view Sigma YAML 
title: AWS IAM S3Browser User or AccessKey Creation
id: db014773-d9d9-4792-91e5-133337c0ffee
status: test
description: Detects S3 Browser utility creating IAM User or AccessKey.
references:
    - https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor
author: daniel.bohannon@permiso.io (@danielhbohannon)
date: 2023-05-17
tags:
    - attack.privilege-escalation
    - attack.execution
    - attack.persistence
    - attack.initial-access
    - attack.stealth
    - attack.t1059.009
    - attack.t1078.004
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        eventSource: 'iam.amazonaws.com'
        eventName:
            - 'CreateUser'
            - 'CreateAccessKey'
        userAgent|contains: 'S3 Browser'
    condition: selection
falsepositives:
    - Valid usage of S3 Browser for IAM User and/or AccessKey creation
level: high
high
Account Created And Deleted Within A Close Time Frame
Detects when an account was created and deleted in a short period of time.
status test author Mark Morowczynski '@markmorow', MikeDuddington, '@dudders1', Tim Shelton id 6f583da0-3a90-4566-a4ed-83c09fe18bbf
view Sigma YAML 
title: Account Created And Deleted Within A Close Time Frame
id: 6f583da0-3a90-4566-a4ed-83c09fe18bbf
status: test
description: Detects when an account was created and deleted in a short period of time.
references:
    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#short-lived-accounts
author: Mark Morowczynski '@markmorow', MikeDuddington, '@dudders1', Tim Shelton
date: 2022-08-11
modified: 2022-08-18
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.initial-access
    - attack.stealth
    - attack.t1078
logsource:
    product: azure
    service: auditlogs
detection:
    selection:
        properties.message:
            - Add user
            - Delete user
        Status: Success
    condition: selection
falsepositives:
    - Legit administrative action
level: high
high
Activity From Anonymous IP Address
Identifies that users were active from an IP address that has been identified as an anonymous proxy IP address.
status test author Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo' id be4d9c86-d702-4030-b52e-c7859110e5e8
view Sigma YAML 
title: Activity From Anonymous IP Address
id: be4d9c86-d702-4030-b52e-c7859110e5e8
status: test
description: Identifies that users were active from an IP address that has been identified as an anonymous proxy IP address.
references:
    - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#activity-from-anonymous-ip-address
    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
date: 2023-09-03
tags:
    - attack.stealth
    - attack.t1078
    - attack.persistence
    - attack.privilege-escalation
    - attack.initial-access
logsource:
    product: azure
    service: riskdetection
detection:
    selection:
        riskEventType: 'riskyIPAddress'
    condition: selection
falsepositives:
    - We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user.
level: high
high
Application AppID Uri Configuration Changes
Detects when a configuration change is made to an applications AppID URI.
status test author Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik' id 1b45b0d1-773f-4f23-aedc-814b759563b1
view Sigma YAML 
title: Application AppID Uri Configuration Changes
id: 1b45b0d1-773f-4f23-aedc-814b759563b1
status: test
description: Detects when a configuration change is made to an applications AppID URI.
references:
    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#appid-uri-added-modified-or-removed
author: Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'
date: 2022-06-02
tags:
    - attack.initial-access
    - attack.persistence
    - attack.credential-access
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1552
    - attack.t1078.004
logsource:
    product: azure
    service: auditlogs
detection:
    selection:
        properties.message:
            - Update Application
            - Update Service principal
    condition: selection
falsepositives:
    - When and administrator is making legitimate AppID URI configuration changes to an application. This should be a planned event.
level: high
high
Application URI Configuration Changes
Detects when a configuration change is made to an applications URI. URIs for domain names that no longer exist (dangling URIs), not using HTTPS, wildcards at the end of the domain, URIs that are no unique to that app, or URIs that point to domains you do not control should be investigated.
status test author Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik' id 0055ad1f-be85-4798-83cf-a6da17c993b3
view Sigma YAML 
title: Application URI Configuration Changes
id: 0055ad1f-be85-4798-83cf-a6da17c993b3
status: test
description: |
    Detects when a configuration change is made to an applications URI.
    URIs for domain names that no longer exist (dangling URIs), not using HTTPS, wildcards at the end of the domain, URIs that are no unique to that app, or URIs that point to domains you do not control should be investigated.
references:
    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-configuration-changes
author: Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'
date: 2022-06-02
tags:
    - attack.initial-access
    - attack.stealth
    - attack.t1528
    - attack.t1078.004
    - attack.persistence
    - attack.credential-access
    - attack.privilege-escalation
logsource:
    product: azure
    service: auditlogs
detection:
    selection:
        properties.message: Update Application Sucess- Property Name AppAddress
    condition: selection
falsepositives:
    - When and administrator is making legitimate URI configuration changes to an application. This should be a planned event.
level: high
high
Atypical Travel
Identifies two sign-ins originating from geographically distant locations, where at least one of the locations may also be atypical for the user, given past behavior.
status test author Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo' id 1a41023f-1e70-4026-921a-4d9341a9038e
view Sigma YAML 
title: Atypical Travel
id: 1a41023f-1e70-4026-921a-4d9341a9038e
status: test
description: Identifies two sign-ins originating from geographically distant locations, where at least one of the locations may also be atypical for the user, given past behavior.
references:
    - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#atypical-travel
    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
date: 2023-09-03
tags:
    - attack.stealth
    - attack.t1078
    - attack.persistence
    - attack.privilege-escalation
    - attack.initial-access
logsource:
    product: azure
    service: riskdetection
detection:
    selection:
        riskEventType: 'unlikelyTravel'
    condition: selection
falsepositives:
    - We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user.
level: high
high
Azure AD Threat Intelligence
Indicates user activity that is unusual for the user or consistent with known attack patterns.
status test author Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo' id a2cb56ff-4f46-437a-a0fa-ffa4d1303cba
view Sigma YAML 
title: Azure AD Threat Intelligence
id: a2cb56ff-4f46-437a-a0fa-ffa4d1303cba
status: test
description: Indicates user activity that is unusual for the user or consistent with known attack patterns.
references:
    - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#azure-ad-threat-intelligence-sign-in
    - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#azure-ad-threat-intelligence-user
    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
date: 2023-09-07
tags:
    - attack.stealth
    - attack.t1078
    - attack.persistence
    - attack.privilege-escalation
    - attack.initial-access
logsource:
    product: azure
    service: riskdetection
detection:
    selection:
        riskEventType: 'investigationsThreatIntelligence'
    condition: selection
falsepositives:
    - We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user.
level: high
high
Azure Login Bypassing Conditional Access Policies
Detects a successful login to the Microsoft Intune Company Portal which could allow bypassing Conditional Access Policies and InTune device trust using a tool like TokenSmith.
status experimental author Josh Nickels, Marius Rothenbücher id 13f2d3f5-6497-44a7-bf5f-dc13ffafe5dc
view Sigma YAML 
title: Azure Login Bypassing Conditional Access Policies
id: 13f2d3f5-6497-44a7-bf5f-dc13ffafe5dc
status: experimental
description: |
    Detects a successful login to the Microsoft Intune Company Portal which could allow bypassing Conditional Access Policies and InTune device trust using a tool like TokenSmith.
author: Josh Nickels, Marius Rothenbücher
references:
    - https://labs.jumpsec.com/tokensmith-bypassing-intune-compliant-device-conditional-access/
    - https://github.com/JumpsecLabs/TokenSmith
date: 2025-01-08
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.initial-access
    - attack.stealth
    - attack.t1078
logsource:
    service: audit
    product: m365
detection:
    selection:
        Operation: 'UserLoggedIn'
        ApplicationId: '9ba1a5c7-f17a-4de9-a1f1-6178c8d51223'
        ResultStatus: 'Success'
        RequestType: 'Cmsi:Cmsi'
    filter_main_bjectid:
        ObjectId: '0000000a-0000-0000-c000-000000000000' # Microsoft Intune seen when mobile devices are enrolled
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high
high
Azure Subscription Permission Elevation Via ActivityLogs
Detects when a user has been elevated to manage all Azure Subscriptions. This change should be investigated immediately if it isn't planned. This setting could allow an attacker access to Azure subscriptions in your environment.
status test author Austin Songer @austinsonger id 09438caa-07b1-4870-8405-1dbafe3dad95
view Sigma YAML 
title: Azure Subscription Permission Elevation Via ActivityLogs
id: 09438caa-07b1-4870-8405-1dbafe3dad95
status: test
description: |
    Detects when a user has been elevated to manage all Azure Subscriptions.
    This change should be investigated immediately if it isn't planned.
    This setting could allow an attacker access to Azure subscriptions in your environment.
references:
    - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftauthorization
author: Austin Songer @austinsonger
date: 2021-11-26
modified: 2022-08-23
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.initial-access
    - attack.stealth
    - attack.t1078.004
logsource:
    product: azure
    service: activitylogs
detection:
    selection:
        operationName: MICROSOFT.AUTHORIZATION/ELEVATEACCESS/ACTION
    condition: selection
falsepositives:
    - If this was approved by System Administrator.
level: high
high
Azure Subscription Permission Elevation Via AuditLogs
Detects when a user has been elevated to manage all Azure Subscriptions. This change should be investigated immediately if it isn't planned. This setting could allow an attacker access to Azure subscriptions in your environment.
status test author Austin Songer @austinsonger id ca9bf243-465e-494a-9e54-bf9fc239057d
view Sigma YAML 
title: Azure Subscription Permission Elevation Via AuditLogs
id: ca9bf243-465e-494a-9e54-bf9fc239057d
status: test
description: |
    Detects when a user has been elevated to manage all Azure Subscriptions.
    This change should be investigated immediately if it isn't planned.
    This setting could allow an attacker access to Azure subscriptions in your environment.
references:
    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts#assignment-and-elevation
author: Austin Songer @austinsonger
date: 2021-11-26
modified: 2022-12-25
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.initial-access
    - attack.stealth
    - attack.t1078
logsource:
    product: azure
    service: auditlogs
detection:
    selection:
        Category: 'Administrative'
        OperationName: 'Assigns the caller to user access admin'
    condition: selection
falsepositives:
    - If this was approved by System Administrator.
level: high
high
Changes To PIM Settings
Detects when changes are made to PIM roles
status test author Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H' id db6c06c4-bf3b-421c-aa88-15672b88c743
view Sigma YAML 
title: Changes To PIM Settings
id: db6c06c4-bf3b-421c-aa88-15672b88c743
status: test
description: Detects when changes are made to PIM roles
references:
    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-identity-management#azure-ad-roles-assignment
author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'
date: 2022-08-09
tags:
    - attack.initial-access
    - attack.privilege-escalation
    - attack.persistence
    - attack.stealth
    - attack.t1078.004
logsource:
    product: azure
    service: auditlogs
detection:
    selection:
        properties.message: Update role setting in PIM
    condition: selection
falsepositives:
    - Legit administrative PIM setting configuration changes
level: high
high
External Remote SMB Logon from Public IP
Detects successful logon from public IP address via SMB. This can indicate a publicly-exposed SMB port.
status test author Micah Babinski (@micahbabinski), Zach Mathis (@yamatosecurity) id 78d5cab4-557e-454f-9fb9-a222bd0d5edc
view Sigma YAML 
title: External Remote SMB Logon from Public IP
id: 78d5cab4-557e-454f-9fb9-a222bd0d5edc
related:
    - id: 259a9cdf-c4dd-4fa2-b243-2269e5ab18a2
      type: derived
status: test
description: Detects successful logon from public IP address via SMB. This can indicate a publicly-exposed SMB port.
references:
    - https://www.inversecos.com/2020/04/successful-4624-anonymous-logons-to.html
    - https://twitter.com/Purp1eW0lf/status/1616144561965002752
author: Micah Babinski (@micahbabinski), Zach Mathis (@yamatosecurity)
date: 2023-01-19
modified: 2024-03-11
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.initial-access
    - attack.credential-access
    - attack.stealth
    - attack.t1133
    - attack.t1078
    - attack.t1110
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4624
        LogonType: 3
    filter_main_local_ranges:
        IpAddress|cidr:
            - '::1/128'  # IPv6 loopback
            - '10.0.0.0/8'
            - '127.0.0.0/8'
            - '172.16.0.0/12'
            - '192.168.0.0/16'
            - '169.254.0.0/16'
            - 'fc00::/7'  # IPv6 private addresses
            - 'fe80::/10'  # IPv6 link-local addresses
    filter_main_empty:
        IpAddress: '-'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Legitimate or intentional inbound connections from public IP addresses on the SMB port.
level: high
high
Impossible Travel
Identifies user activities originating from geographically distant locations within a time period shorter than the time it takes to travel from the first location to the second.
status test author Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo' id b2572bf9-e20a-4594-b528-40bde666525a
view Sigma YAML 
title: Impossible Travel
id: b2572bf9-e20a-4594-b528-40bde666525a
status: test
description: Identifies user activities originating from geographically distant locations within a time period shorter than the time it takes to travel from the first location to the second.
references:
    - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#impossible-travel
    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
date: 2023-09-03
tags:
    - attack.stealth
    - attack.t1078
    - attack.persistence
    - attack.privilege-escalation
    - attack.initial-access
logsource:
    product: azure
    service: riskdetection
detection:
    selection:
        riskEventType: 'impossibleTravel'
    condition: selection
falsepositives:
    - Connecting to a VPN, performing activity and then dropping and performing additional activity.
level: high
high
Invalid PIM License
Identifies when an organization doesn't have the proper license for PIM and is out of compliance.
status test author Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo' id 58af08eb-f9e1-43c8-9805-3ad9b0482bd8
view Sigma YAML 
title: Invalid PIM License
id: 58af08eb-f9e1-43c8-9805-3ad9b0482bd8
status: test
description: Identifies when an organization doesn't have the proper license for PIM and is out of compliance.
references:
    - https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#the-organization-doesnt-have-microsoft-entra-premium-p2-or-microsoft-entra-id-governance
author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
date: 2023-09-14
tags:
    - attack.initial-access
    - attack.stealth
    - attack.t1078
    - attack.persistence
    - attack.privilege-escalation
logsource:
    product: azure
    service: pim
detection:
    selection:
        riskEventType: 'invalidLicenseAlertIncident'
    condition: selection
falsepositives:
    - Investigate if licenses have expired.
level: high
high
Malicious Usage Of IMDS Credentials Outside Of AWS Infrastructure
Detects when an instance identity has taken an action that isn't inside SSM. This can indicate that a compromised EC2 instance is being used as a pivot point.
status test author jamesc-grafana id 352a918a-34d8-4882-8470-44830c507aa3
view Sigma YAML 
title: Malicious Usage Of IMDS Credentials Outside Of AWS Infrastructure
id: 352a918a-34d8-4882-8470-44830c507aa3
status: test
description: |
    Detects when an instance identity has taken an action that isn't inside SSM.
    This can indicate that a compromised EC2 instance is being used as a pivot point.
references:
    - https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-identity-roles.html
    - https://ermetic.com/blog/aws/aws-ec2-imds-what-you-need-to-know/
    - https://www.packetmischief.ca/2023/07/31/amazon-ec2-credential-exfiltration-how-it-happens-and-how-to-mitigate-it/#lifting-credentials-from-imds-this-is-why-we-cant-have-nice-things
author: jamesc-grafana
date: 2024-07-11
tags:
    - attack.privilege-escalation
    - attack.initial-access
    - attack.persistence
    - attack.stealth
    - attack.t1078
    - attack.t1078.002
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        userIdentity.arn|re: '.+:assumed-role/aws:.+'
    filter_main_generic:
        - eventSource: 'ssm.amazonaws.com'
        - eventName: 'RegisterManagedInstance'
        - sourceIPAddress: 'AWS Internal'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - A team has configured an EC2 instance to use instance profiles that grant the option for the EC2 instance to talk to other AWS Services
level: high
high
New Country
Detects sign-ins from new countries. The detection considers past activity locations to determine new and infrequent locations.
status test author Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo' id adf9f4d2-559e-4f5c-95be-c28dff0b1476
view Sigma YAML 
title: New Country
id: adf9f4d2-559e-4f5c-95be-c28dff0b1476
status: test
description: Detects sign-ins from new countries. The detection considers past activity locations to determine new and infrequent locations.
references:
    - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#new-country
    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
date: 2023-09-03
tags:
    - attack.stealth
    - attack.t1078
    - attack.persistence
    - attack.privilege-escalation
    - attack.initial-access
logsource:
    product: azure
    service: riskdetection
detection:
    selection:
        riskEventType: 'newCountry'
    condition: selection
falsepositives:
    - We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user.
level: high
high
Okta New Admin Console Behaviours
Detects when Okta identifies new activity in the Admin Console.
status test author kelnage id a0b38b70-3cb5-484b-a4eb-c4d8e7bcc0a9
view Sigma YAML 
title: Okta New Admin Console Behaviours
id: a0b38b70-3cb5-484b-a4eb-c4d8e7bcc0a9
status: test
description: Detects when Okta identifies new activity in the Admin Console.
references:
    - https://developer.okta.com/docs/reference/api/system-log/
    - https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection
author: kelnage
date: 2023-09-07
modified: 2026-04-27
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.initial-access
    - attack.stealth
    - attack.t1078.004
logsource:
    product: okta
    service: okta
detection:
    selection_event:
        eventType: 'policy.evaluate_sign_on'
        target.displayName: 'Okta Admin Console'
    selection_positive:
        - debugContext.debugData.behaviors|contains: 'POSITIVE'
        - debugContext.debugData.logOnlySecurityData|contains: 'POSITIVE'
    condition: all of selection_*
falsepositives:
    - When an admin begins using the Admin Console and one of Okta's heuristics incorrectly identifies the behavior as being unusual.
level: high
high
OpenCanary - SSH Login Attempt
Detects instances where an SSH service on an OpenCanary node has had a login attempt.
status test author Security Onion Solutions id ff7139bc-fdb1-4437-92f2-6afefe8884cb
view Sigma YAML 
title: OpenCanary - SSH Login Attempt
id: ff7139bc-fdb1-4437-92f2-6afefe8884cb
status: test
description: Detects instances where an SSH service on an OpenCanary node has had a login attempt.
references:
    - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
    - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
author: Security Onion Solutions
date: 2024-03-08
tags:
    - attack.privilege-escalation
    - attack.initial-access
    - attack.lateral-movement
    - attack.persistence
    - attack.stealth
    - attack.t1133
    - attack.t1021
    - attack.t1078
logsource:
    category: application
    product: opencanary
detection:
    selection:
        logtype: 4002
    condition: selection
falsepositives:
    - Unlikely
level: high
high
OpenCanary - SSH New Connection Attempt
Detects instances where an SSH service on an OpenCanary node has had a connection attempt.
status test author Security Onion Solutions id cd55f721-5623-4663-bd9b-5229cab5237d
view Sigma YAML 
title: OpenCanary - SSH New Connection Attempt
id: cd55f721-5623-4663-bd9b-5229cab5237d
status: test
description: Detects instances where an SSH service on an OpenCanary node has had a connection attempt.
references:
    - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
    - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
author: Security Onion Solutions
date: 2024-03-08
tags:
    - attack.privilege-escalation
    - attack.initial-access
    - attack.lateral-movement
    - attack.persistence
    - attack.stealth
    - attack.t1133
    - attack.t1021
    - attack.t1078
logsource:
    category: application
    product: opencanary
detection:
    selection:
        logtype: 4000
    condition: selection
falsepositives:
    - Unlikely
level: high
high
OpenCanary - Telnet Login Attempt
Detects instances where a Telnet service on an OpenCanary node has had a login attempt.
status test author Security Onion Solutions id 512cff7a-683a-43ad-afe0-dd398e872f36
view Sigma YAML 
title: OpenCanary - Telnet Login Attempt
id: 512cff7a-683a-43ad-afe0-dd398e872f36
status: test
description: Detects instances where a Telnet service on an OpenCanary node has had a login attempt.
references:
    - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
    - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
author: Security Onion Solutions
date: 2024-03-08
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.initial-access
    - attack.command-and-control
    - attack.stealth
    - attack.t1133
    - attack.t1078
logsource:
    category: application
    product: opencanary
detection:
    selection:
        logtype: 6001
    condition: selection
falsepositives:
    - Unlikely
level: high
high
PIM Alert Setting Changes To Disabled
Detects when PIM alerts are set to disabled.
status test author Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H' id aeaef14c-e5bf-4690-a9c8-835caad458bd
view Sigma YAML 
title: PIM Alert Setting Changes To Disabled
id: aeaef14c-e5bf-4690-a9c8-835caad458bd
status: test
description: Detects when PIM alerts are set to disabled.
references:
    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-identity-management#azure-ad-roles-assignment
author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'
date: 2022-08-09
tags:
    - attack.initial-access
    - attack.persistence
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1078
logsource:
    product: azure
    service: auditlogs
detection:
    selection:
        properties.message: Disable PIM Alert
    condition: selection
falsepositives:
    - Administrator disabling PIM alerts as an active choice.
level: high
high
PIM Approvals And Deny Elevation
Detects when a PIM elevation is approved or denied. Outside of normal operations should be investigated.
status test author Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H' id 039a7469-0296-4450-84c0-f6966b16dc6d
view Sigma YAML 
title: PIM Approvals And Deny Elevation
id: 039a7469-0296-4450-84c0-f6966b16dc6d
status: test
description: Detects when a PIM elevation is approved or denied. Outside of normal operations should be investigated.
references:
    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-identity-management#azure-ad-roles-assignment
author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'
date: 2022-08-09
tags:
    - attack.persistence
    - attack.initial-access
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1078.004
logsource:
    product: azure
    service: auditlogs
detection:
    selection:
        properties.message: Request Approved/Denied
    condition: selection
falsepositives:
    - Actual admin using PIM.
level: high
high
Potential MFA Bypass Using Legacy Client Authentication
Detects successful authentication from potential clients using legacy authentication via user agent strings. This could be a sign of MFA bypass using a password spray attack.
status test author Harjot Singh, '@cyb3rjy0t' id 53bb4f7f-48a8-4475-ac30-5a82ddfdf6fc
view Sigma YAML 
title: Potential MFA Bypass Using Legacy Client Authentication
id: 53bb4f7f-48a8-4475-ac30-5a82ddfdf6fc
status: test
description: Detects successful authentication from potential clients using legacy authentication via user agent strings. This could be a sign of MFA bypass using a password spray attack.
references:
    - https://web.archive.org/web/20230217071802/https://blooteem.com/march-2022
    - https://www.microsoft.com/en-us/security/blog/2021/10/26/protect-your-business-from-password-sprays-with-microsoft-dart-recommendations/
author: Harjot Singh, '@cyb3rjy0t'
date: 2023-03-20
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.initial-access
    - attack.credential-access
    - attack.stealth
    - attack.t1078.004
    - attack.t1110
logsource:
    product: azure
    service: signinlogs
detection:
    selection:
        Status: 'Success'
        userAgent|contains:
            - 'BAV2ROPC'
            - 'CBAinPROD'
            - 'CBAinTAR'
    condition: selection
falsepositives:
    - Known Legacy Accounts
level: high
high
Roles Activated Too Frequently
Identifies when the same privilege role has multiple activations by the same user.
status test author Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo' id 645fd80d-6c07-435b-9e06-7bc1b5656cba
view Sigma YAML 
title: Roles Activated Too Frequently
id: 645fd80d-6c07-435b-9e06-7bc1b5656cba
status: test
description: Identifies when the same privilege role has multiple activations by the same user.
references:
    - https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#roles-are-being-activated-too-frequently
author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
date: 2023-09-14
tags:
    - attack.initial-access
    - attack.stealth
    - attack.t1078
    - attack.persistence
    - attack.privilege-escalation
logsource:
    product: azure
    service: pim
detection:
    selection:
        riskEventType: 'sequentialActivationRenewalsAlertIncident'
    condition: selection
falsepositives:
    - Investigate where if active time period for a role is set too short.
level: high
high
Roles Activation Doesn't Require MFA
Identifies when a privilege role can be activated without performing mfa.
status test author Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo' id 94a66f46-5b64-46ce-80b2-75dcbe627cc0
view Sigma YAML 
title: Roles Activation Doesn't Require MFA
id: 94a66f46-5b64-46ce-80b2-75dcbe627cc0
status: test
description: Identifies when a privilege role can be activated without performing mfa.
references:
    - https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#roles-dont-require-multi-factor-authentication-for-activation
author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
date: 2023-09-14
tags:
    - attack.initial-access
    - attack.stealth
    - attack.t1078
    - attack.persistence
    - attack.privilege-escalation
logsource:
    product: azure
    service: pim
detection:
    selection:
        riskEventType: 'noMfaOnRoleActivationAlertIncident'
    condition: selection
falsepositives:
    - Investigate if user is performing MFA at sign-in.
level: high
high
Roles Are Not Being Used
Identifies when a user has been assigned a privilege role and are not using that role.
status test author Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo' id 8c6ec464-4ae4-43ac-936a-291da66ed13d
view Sigma YAML 
title: Roles Are Not Being Used
id: 8c6ec464-4ae4-43ac-936a-291da66ed13d
status: test
description: Identifies when a user has been assigned a privilege role and are not using that role.
references:
    - https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#administrators-arent-using-their-privileged-roles
author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
date: 2023-09-14
tags:
    - attack.initial-access
    - attack.stealth
    - attack.t1078
    - attack.persistence
    - attack.privilege-escalation
logsource:
    product: azure
    service: pim
detection:
    selection:
        riskEventType: 'redundantAssignmentAlertIncident'
    condition: selection
falsepositives:
    - Investigate if potential generic account that cannot be removed.
level: high
high
Roles Assigned Outside PIM
Identifies when a privilege role assignment has taken place outside of PIM and may indicate an attack.
status test author Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo' id b1bc08d1-8224-4758-a0e6-fbcfc98c73bb
view Sigma YAML 
title: Roles Assigned Outside PIM
id: b1bc08d1-8224-4758-a0e6-fbcfc98c73bb
status: test
description: Identifies when a privilege role assignment has taken place outside of PIM and may indicate an attack.
references:
    - https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#roles-are-being-assigned-outside-of-privileged-identity-management
author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
date: 2023-09-14
tags:
    - attack.initial-access
    - attack.stealth
    - attack.t1078
    - attack.persistence
    - attack.privilege-escalation
logsource:
    product: azure
    service: pim
detection:
    selection:
        riskEventType: 'rolesAssignedOutsidePrivilegedIdentityManagementAlertConfiguration'
    condition: selection
falsepositives:
    - Investigate where users are being assigned privileged roles outside of Privileged Identity Management and prohibit future assignments from there.
level: high
high
Sign-in Failure Due to Conditional Access Requirements Not Met
Define a baseline threshold for failed sign-ins due to Conditional Access failures
status test author Yochana Henderson, '@Yochana-H' id b4a6d707-9430-4f5f-af68-0337f52d5c42
view Sigma YAML 
title: Sign-in Failure Due to Conditional Access Requirements Not Met
id: b4a6d707-9430-4f5f-af68-0337f52d5c42
status: test
description: Define a baseline threshold for failed sign-ins due to Conditional Access failures
references:
    - https://learn.microsoft.com/en-gb/entra/architecture/security-operations-privileged-accounts
author: Yochana Henderson, '@Yochana-H'
date: 2022-06-01
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.initial-access
    - attack.credential-access
    - attack.stealth
    - attack.t1110
    - attack.t1078.004
logsource:
    product: azure
    service: signinlogs
detection:
    selection:
        ResultType: 53003
        Resultdescription: Blocked by Conditional Access
    condition: selection
falsepositives:
    - Service Account misconfigured
    - Misconfigured Systems
    - Vulnerability Scanners
level: high
high
Sign-ins from Non-Compliant Devices
Monitor and alert for sign-ins where the device was non-compliant.
status test author Michael Epping, '@mepples21' id 4f77e1d7-3982-4ee0-8489-abf2d6b75284
view Sigma YAML 
title: Sign-ins from Non-Compliant Devices
id: 4f77e1d7-3982-4ee0-8489-abf2d6b75284
status: test
description: Monitor and alert for sign-ins where the device was non-compliant.
references:
    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#non-compliant-device-sign-in
author: Michael Epping, '@mepples21'
date: 2022-06-28
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.initial-access
    - attack.stealth
    - attack.t1078.004
logsource:
    product: azure
    service: signinlogs
detection:
    selection:
        DeviceDetail.isCompliant: 'false'
    condition: selection
falsepositives:
    - Unknown
level: high
high
Stale Accounts In A Privileged Role
Identifies when an account hasn't signed in during the past n number of days.
status test author Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo' id e402c26a-267a-45bd-9615-bd9ceda6da85
view Sigma YAML 
title: Stale Accounts In A Privileged Role
id: e402c26a-267a-45bd-9615-bd9ceda6da85
status: test
description: Identifies when an account hasn't signed in during the past n number of days.
references:
    - https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#potential-stale-accounts-in-a-privileged-role
author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
date: 2023-09-14
tags:
    - attack.initial-access
    - attack.stealth
    - attack.t1078
    - attack.persistence
    - attack.privilege-escalation
logsource:
    product: azure
    service: pim
detection:
    selection:
        riskEventType: 'staleSignInAlertIncident'
    condition: selection
falsepositives:
    - Investigate if potential generic account that cannot be removed.
level: high
high
Suspicious Browser Activity
Indicates anomalous behavior based on suspicious sign-in activity across multiple tenants from different countries in the same browser
status test author Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo' id 944f6adb-7a99-4c69-80c1-b712579e93e6
view Sigma YAML 
title: Suspicious Browser Activity
id: 944f6adb-7a99-4c69-80c1-b712579e93e6
status: test
description: Indicates anomalous behavior based on suspicious sign-in activity across multiple tenants from different countries in the same browser
references:
    - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#suspicious-browser
    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
date: 2023-09-03
tags:
    - attack.stealth
    - attack.t1078
    - attack.persistence
    - attack.privilege-escalation
    - attack.initial-access
logsource:
    product: azure
    service: riskdetection
detection:
    selection:
        riskEventType: 'suspiciousBrowser'
    condition: selection
falsepositives:
    - We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user.
level: high
high
Suspicious SignIns From A Non Registered Device
Detects risky authentication from a non AD registered device without MFA being required.
status test author Harjot Singh, '@cyb3rjy0t' id 572b12d4-9062-11ed-a1eb-0242ac120002
view Sigma YAML 
title: Suspicious SignIns From A Non Registered Device
id: 572b12d4-9062-11ed-a1eb-0242ac120002
status: test
description: Detects risky authentication from a non AD registered device without MFA being required.
references:
    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#non-compliant-device-sign-in
author: Harjot Singh, '@cyb3rjy0t'
date: 2023-01-10
modified: 2025-07-02
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.initial-access
    - attack.stealth
    - attack.t1078
logsource:
    product: azure
    service: signinlogs
detection:
    selection_main:
        Status: 'Success'
        AuthenticationRequirement: 'singleFactorAuthentication'
        RiskState: 'atRisk'
    selection_empty1:
        DeviceDetail.trusttype: ''
    selection_empty2:
        DeviceDetail.trusttype: null
    condition: selection_main and 1 of selection_empty*
falsepositives:
    - Unknown
level: high
high
Temporary Access Pass Added To An Account
Detects when a temporary access pass (TAP) is added to an account. TAPs added to priv accounts should be investigated
status test author Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H' id fa84aaf5-8142-43cd-9ec2-78cfebf878ce
view Sigma YAML 
title: Temporary Access Pass Added To An Account
id: fa84aaf5-8142-43cd-9ec2-78cfebf878ce
status: test
description: Detects when a temporary access pass (TAP) is added to an account. TAPs added to priv accounts should be investigated
references:
    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts#changes-to-privileged-accounts
author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'
date: 2022-08-10
tags:
    - attack.privilege-escalation
    - attack.initial-access
    - attack.persistence
    - attack.stealth
    - attack.t1078.004
logsource:
    product: azure
    service: auditlogs
detection:
    selection:
        properties.message: Admin registered security info
        Status: Admin registered temporary access pass method for user
    condition: selection
falsepositives:
    - Administrator adding a legitimate temporary access pass
level: high
high
Too Many Global Admins
Identifies an event where there are there are too many accounts assigned the Global Administrator role.
status test author Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo' id 7bbc309f-e2b1-4eb1-8369-131a367d67d3
view Sigma YAML 
title: Too Many Global Admins
id: 7bbc309f-e2b1-4eb1-8369-131a367d67d3
status: test
description: Identifies an event where there are there are too many accounts assigned the Global Administrator role.
references:
    - https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#there-are-too-many-global-administrators
author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
date: 2023-09-14
tags:
    - attack.initial-access
    - attack.stealth
    - attack.t1078
    - attack.persistence
    - attack.privilege-escalation
logsource:
    product: azure
    service: pim
detection:
    selection:
        riskEventType: 'tooManyGlobalAdminsAssignedToTenantAlertIncident'
    condition: selection
falsepositives:
    - Investigate if threshold setting in PIM is too low.
level: high
high
Unfamiliar Sign-In Properties
Detects sign-in with properties that are unfamiliar to the user. The detection considers past sign-in history to look for anomalous sign-ins.
status test author Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo' id 128faeef-79dd-44ca-b43c-a9e236a60f49
view Sigma YAML 
title: Unfamiliar Sign-In Properties
id: 128faeef-79dd-44ca-b43c-a9e236a60f49
status: test
description: Detects sign-in with properties that are unfamiliar to the user. The detection considers past sign-in history to look for anomalous sign-ins.
references:
    - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#unfamiliar-sign-in-properties
    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
date: 2023-09-03
tags:
    - attack.stealth
    - attack.t1078
    - attack.persistence
    - attack.privilege-escalation
    - attack.initial-access
logsource:
    product: azure
    service: riskdetection
detection:
    selection:
        riskEventType: 'unfamiliarFeatures'
    condition: selection
falsepositives:
    - User changing to a new device, location, browser, etc.
level: high
high
Use of Legacy Authentication Protocols
Alert on when legacy authentication has been used on an account
status test author Yochana Henderson, '@Yochana-H' id 60f6535a-760f-42a9-be3f-c9a0a025906e
view Sigma YAML 
title: Use of Legacy Authentication Protocols
id: 60f6535a-760f-42a9-be3f-c9a0a025906e
status: test
description: Alert on when legacy authentication has been used on an account
references:
    - https://learn.microsoft.com/en-gb/entra/architecture/security-operations-privileged-accounts
author: Yochana Henderson, '@Yochana-H'
date: 2022-06-17
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.initial-access
    - attack.credential-access
    - attack.stealth
    - attack.t1078.004
    - attack.t1110
logsource:
    product: azure
    service: signinlogs
detection:
    selection:
        ActivityDetails: Sign-ins
        ClientApp:
            - Other client
            - IMAP
            - POP3
            - MAPI
            - SMTP
            - Exchange ActiveSync
            - Exchange Web Services
        Username: 'UPN'
    condition: selection
falsepositives:
    - User has been put in acception group so they can use legacy authentication
level: high
high
User Added To Privilege Role
Detects when a user is added to a privileged role.
status test author Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H' id 49a268a4-72f4-4e38-8a7b-885be690c5b5
view Sigma YAML 
title: User Added To Privilege Role
id: 49a268a4-72f4-4e38-8a7b-885be690c5b5
status: test
description: Detects when a user is added to a privileged role.
references:
    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-identity-management#azure-ad-roles-assignment
author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'
date: 2022-08-06
tags:
    - attack.persistence
    - attack.initial-access
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1078.004
logsource:
    product: azure
    service: auditlogs
detection:
    selection:
        properties.message:
            - Add eligible member (permanent)
            - Add eligible member (eligible)
    condition: selection
falsepositives:
    - Legtimate administrator actions of adding members from a role
level: high
high
Users Added to Global or Device Admin Roles
Monitor and alert for users added to device admin roles.
status test author Michael Epping, '@mepples21' id 11c767ae-500b-423b-bae3-b234450736ed
view Sigma YAML 
title: Users Added to Global or Device Admin Roles
id: 11c767ae-500b-423b-bae3-b234450736ed
status: test
description: Monitor and alert for users added to device admin roles.
references:
    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#device-administrator-roles
author: Michael Epping, '@mepples21'
date: 2022-06-28
tags:
    - attack.persistence
    - attack.initial-access
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1078.004
logsource:
    product: azure
    service: auditlogs
detection:
    selection:
        Category: RoleManagement
        OperationName|contains|all:
            - 'Add'
            - 'member to role'
        TargetResources|contains:
            - '7698a772-787b-4ac8-901f-60d6b08affd2'
            - '62e90394-69f5-4237-9190-012177145e10'
    condition: selection
falsepositives:
    - Unknown
level: high
medium
AWS Key Pair Import Activity
Detects the import of SSH key pairs into AWS EC2, which may indicate an attacker attempting to gain unauthorized access to instances. This activity could lead to initial access, persistence, or privilege escalation, potentially compromising sensitive data and operations.
status experimental author Ivan Saakov id 92f84194-8d9a-4ee0-8699-c30bfac59780
view Sigma YAML 
title: AWS Key Pair Import Activity
id: 92f84194-8d9a-4ee0-8699-c30bfac59780
status: experimental
description: |
    Detects the import of SSH key pairs into AWS EC2, which may indicate an attacker attempting to gain unauthorized access to instances. This activity could lead to initial access, persistence, or privilege escalation, potentially compromising sensitive data and operations.
references:
    - https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ImportKeyPair.html
author: Ivan Saakov
date: 2024-12-19
tags:
    - attack.initial-access
    - attack.stealth
    - attack.t1078
    - attack.persistence
    - attack.privilege-escalation
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        eventSource: 'ec2.amazonaws.com'
        eventName: 'ImportKeyPair'
    condition: selection
falsepositives:
    - Legitimate administrative actions by authorized users importing keys for valid purposes.
    - Automated processes for infrastructure setup may trigger this alert.
    - Verify the user identity, user agent, and source IP address to ensure they are expected.
level: medium
medium
AWS Root Credentials
Detects AWS root account usage
status test author vitaliy0x1 id 8ad1600d-e9dc-4251-b0ee-a65268f29add
view Sigma YAML 
title: AWS Root Credentials
id: 8ad1600d-e9dc-4251-b0ee-a65268f29add
status: test
description: Detects AWS root account usage
references:
    - https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html
author: vitaliy0x1
date: 2020-01-21
modified: 2022-10-09
tags:
    - attack.privilege-escalation
    - attack.initial-access
    - attack.persistence
    - attack.stealth
    - attack.t1078.004
logsource:
    product: aws
    service: cloudtrail
detection:
    selection_usertype:
        userIdentity.type: Root
    selection_eventtype:
        eventType: AwsServiceEvent
    condition: selection_usertype and not selection_eventtype
falsepositives:
    - AWS Tasks That Require AWS Account Root User Credentials https://docs.aws.amazon.com/general/latest/gr/aws_tasks-that-require-root.html
level: medium
medium
AWS SAML Provider Deletion Activity
Detects the deletion of an AWS SAML provider, potentially indicating malicious intent to disrupt administrative or security team access. An attacker can remove the SAML provider for the information security team or a team of system administrators, to make it difficult for them to work and investigate at the time of the attack and after it.
status experimental author Ivan Saakov id ccd6a6c8-bb4e-4a91-9d2a-07e632819374
view Sigma YAML 
title: AWS SAML Provider Deletion Activity
id: ccd6a6c8-bb4e-4a91-9d2a-07e632819374
status: experimental
description: |
    Detects the deletion of an AWS SAML provider, potentially indicating malicious intent to disrupt administrative or security team access.
    An attacker can remove the SAML provider for the information security team or a team of system administrators, to make it difficult for them to work and investigate at the time of the attack and after it.
references:
    - https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteSAMLProvider.html
author: Ivan Saakov
date: 2024-12-19
tags:
    - attack.stealth
    - attack.t1078.004
    - attack.privilege-escalation
    - attack.initial-access
    - attack.persistence
    - attack.t1531
    - attack.impact
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        eventSource: 'iam.amazonaws.com'
        eventName: 'DeleteSAMLProvider'
        status: 'success'
    condition: selection
falsepositives:
    - Automated processes using tools like Terraform may trigger this alert.
    - Legitimate administrative actions by authorized system administrators could cause this alert. Verify the user identity, user agent, and hostname to ensure they are expected.
    - Deletions by unfamiliar users should be investigated. If the behavior is known and expected, it can be exempted from the rule.
level: medium
medium
AWS Successful Console Login Without MFA
Detects successful AWS console logins that were performed without Multi-Factor Authentication (MFA). This alert can be used to identify potential unauthorized access attempts, as logging in without MFA can indicate compromised credentials or misconfigured security settings.
status experimental author Thuya@Hacktilizer, Ivan Saakov id 77caf516-34e5-4df9-b4db-20744fea0a60
view Sigma YAML 
title: AWS Successful Console Login Without MFA
id: 77caf516-34e5-4df9-b4db-20744fea0a60
status: experimental
description: |
    Detects successful AWS console logins that were performed without Multi-Factor Authentication (MFA).
    This alert can be used to identify potential unauthorized access attempts, as logging in without MFA can indicate compromised credentials or misconfigured security settings.
references:
    - https://securitylabs.datadoghq.com/cloud-security-atlas/vulnerabilities/iam-user-without-mfa/
    - https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-aws-console-sign-in-events.html
author: Thuya@Hacktilizer, Ivan Saakov
date: 2025-10-18
modified: 2025-10-21
tags:
    - attack.initial-access
    - attack.persistence
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1078.004
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        eventName: 'ConsoleLogin'
        additionalEventData.MFAUsed: 'NO'
        responseElements.ConsoleLogin: 'Success'
    condition: selection
falsepositives:
    - Unlikely
level: medium
medium
AWS Suspicious SAML Activity
Identifies when suspicious SAML activity has occurred in AWS. An adversary could gain backdoor access via SAML.
status test author Austin Songer id f43f5d2f-3f2a-4cc8-b1af-81fde7dbaf0e
view Sigma YAML 
title: AWS Suspicious SAML Activity
id: f43f5d2f-3f2a-4cc8-b1af-81fde7dbaf0e
status: test
description: Identifies when suspicious SAML activity has occurred in AWS. An adversary could gain backdoor access via SAML.
references:
    - https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateSAMLProvider.html
    - https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithSAML.html
author: Austin Songer
date: 2021-09-22
modified: 2022-12-18
tags:
    - attack.initial-access
    - attack.lateral-movement
    - attack.persistence
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1078
    - attack.t1548
    - attack.t1550
    - attack.t1550.001
logsource:
    product: aws
    service: cloudtrail
detection:
    selection_sts:
        eventSource: 'sts.amazonaws.com'
        eventName: 'AssumeRoleWithSAML'
    selection_iam:
        eventSource: 'iam.amazonaws.com'
        eventName: 'UpdateSAMLProvider'
    condition: 1 of selection_*
falsepositives:
    - Automated processes that uses Terraform may lead to false positives.
    - SAML Provider could be updated by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
    - SAML Provider being updated from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: medium
medium
Account Disabled or Blocked for Sign in Attempts
Detects when an account is disabled or blocked for sign in but tried to log in
status test author Yochana Henderson, '@Yochana-H' id 4afac85c-224a-4dd7-b1af-8da40e1c60bd
view Sigma YAML 
title: Account Disabled or Blocked for Sign in Attempts
id: 4afac85c-224a-4dd7-b1af-8da40e1c60bd
status: test
description: Detects when an account is disabled or blocked for sign in but tried to log in
references:
    - https://learn.microsoft.com/en-gb/entra/architecture/security-operations-privileged-accounts
author: Yochana Henderson, '@Yochana-H'
date: 2022-06-17
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.initial-access
    - attack.stealth
    - attack.t1078.004
logsource:
    product: azure
    service: signinlogs
detection:
    selection:
        ResultType: 50057
        ResultDescription: Failure
    condition: selection
falsepositives:
    - Account disabled or blocked in error
    - Automation account has been blocked or disabled
level: medium
medium
Account Tampering - Suspicious Failed Logon Reasons
This method uses uncommon error codes on failed logons to determine suspicious activity and tampering with accounts that have been disabled or somehow restricted.
status test author Florian Roth (Nextron Systems) id 9eb99343-d336-4020-a3cd-67f3819e68ee
view Sigma YAML 
title: Account Tampering - Suspicious Failed Logon Reasons
id: 9eb99343-d336-4020-a3cd-67f3819e68ee
status: test
description: This method uses uncommon error codes on failed logons to determine suspicious activity and tampering with accounts that have been disabled or somehow restricted.
references:
    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4625
    - https://twitter.com/SBousseaden/status/1101431884540710913
author: Florian Roth (Nextron Systems)
date: 2017-02-19
modified: 2025-10-17
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.initial-access
    - attack.stealth
    - attack.t1078
logsource:
    product: windows
    service: security
detection:
    selection_eid:
        EventID:
            - 4625
            - 4776
    selection_status:
        - Status:
              - '0xC0000072'  # User logon to account disabled by administrator
              - '0xC000006F'  # User logon outside authorized hours
              - '0xC0000070'  # User logon from unauthorized workstation
              - '0xC0000413'  # Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine
              - '0xC000018C'  # The logon request failed because the trust relationship between the primary domain and the trusted domain failed
              - '0xC000015B'  # The user has not been granted the requested logon type (aka logon right) at this machine
        - SubStatus:
              - '0xC0000072'  # User logon to account disabled by administrator
              - '0xC000006F'  # User logon outside authorized hours
              - '0xC0000070'  # User logon from unauthorized workstation
              - '0xC0000413'  # Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine
              - '0xC000018C'  # The logon request failed because the trust relationship between the primary domain and the trusted domain failed
              - '0xC000015B'  # The user has not been granted the requested logon type (aka logon right) at this machine
    filter:
        SubjectUserSid: 'S-1-0-0'
    condition: all of selection_* and not filter
falsepositives:
    - User using a disabled account
level: medium
medium
Application Using Device Code Authentication Flow
Device code flow is an OAuth 2.0 protocol flow specifically for input constrained devices and is not used in all environments. If this type of flow is seen in the environment and not being used in an input constrained device scenario, further investigation is warranted. This can be a misconfigured application or potentially something malicious.
status test author Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik' id 248649b7-d64f-46f0-9fb2-a52774166fb5
view Sigma YAML 
title: Application Using Device Code Authentication Flow
id: 248649b7-d64f-46f0-9fb2-a52774166fb5
status: test
description: |
    Device code flow is an OAuth 2.0 protocol flow specifically for input constrained devices and is not used in all environments.
    If this type of flow is seen in the environment and not being used in an input constrained device scenario, further investigation is warranted.
    This can be a misconfigured application or potentially something malicious.
references:
    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-authentication-flows
author: Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'
date: 2022-06-01
tags:
    - attack.stealth
    - attack.t1078
    - attack.persistence
    - attack.privilege-escalation
    - attack.initial-access
logsource:
    product: azure
    service: signinlogs
detection:
    selection:
        properties.message: Device Code
    condition: selection
falsepositives:
    - Applications that are input constrained will need to use device code flow and are valid authentications.
level: medium
medium
Applications That Are Using ROPC Authentication Flow
Resource owner password credentials (ROPC) should be avoided if at all possible as this requires the user to expose their current password credentials to the application directly. The application then uses those credentials to authenticate the user against the identity provider.
status test author Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik' id 55695bc0-c8cf-461f-a379-2535f563c854
view Sigma YAML 
title: Applications That Are Using ROPC Authentication Flow
id: 55695bc0-c8cf-461f-a379-2535f563c854
status: test
description: |
    Resource owner password credentials (ROPC) should be avoided if at all possible as this requires the user to expose their current password credentials to the application directly.
    The application then uses those credentials to authenticate the user against the identity provider.
references:
    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-authentication-flows
author: Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'
date: 2022-06-01
tags:
    - attack.stealth
    - attack.t1078
    - attack.persistence
    - attack.privilege-escalation
    - attack.initial-access
logsource:
    product: azure
    service: signinlogs
detection:
    selection:
        properties.message: ROPC
    condition: selection
falsepositives:
    - Applications that are being used as part of automated testing or a legacy application that cannot use any other modern authentication flow
level: medium
Showing 1-50 of 102
Prev 1 Next
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin