title: AWS SAML Provider Deletion Activity
id: ccd6a6c8-bb4e-4a91-9d2a-07e632819374
status: experimental
description: |
    Detects the deletion of an AWS SAML provider, potentially indicating malicious intent to disrupt administrative or security team access.
    An attacker can remove the SAML provider for the information security team or a team of system administrators, to make it difficult for them to work and investigate at the time of the attack and after it.
references:
    - https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteSAMLProvider.html
author: Ivan Saakov
date: 2024-12-19
tags:
    - attack.stealth
    - attack.t1078.004
    - attack.privilege-escalation
    - attack.initial-access
    - attack.persistence
    - attack.t1531
    - attack.impact
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        eventSource: 'iam.amazonaws.com'
        eventName: 'DeleteSAMLProvider'
        status: 'success'
    condition: selection
falsepositives:
    - Automated processes using tools like Terraform may trigger this alert.
    - Legitimate administrative actions by authorized system administrators could cause this alert. Verify the user identity, user agent, and hostname to ensure they are expected.
    - Deletions by unfamiliar users should be investigated. If the behavior is known and expected, it can be exempted from the rule.
level: medium

title: Azure Kubernetes Service Account Modified or Deleted
id: 12d027c3-b48c-4d9d-8bb6-a732200034b2
status: test
description: Identifies when a service account is modified or deleted.
references:
    - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
    - https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/
    - https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
    - https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1
author: Austin Songer @austinsonger
date: 2021-08-07
modified: 2022-08-23
tags:
    - attack.impact
    - attack.t1531
    - attack.t1485
    - attack.t1496
    - attack.t1489
logsource:
    product: azure
    service: activitylogs
detection:
    selection:
        operationName:
            - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SERVICEACCOUNTS/WRITE
            - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SERVICEACCOUNTS/DELETE
            - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SERVICEACCOUNTS/IMPERSONATE/ACTION
    condition: selection
falsepositives:
    - Service account being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
    - Service account modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: medium

title: Google Cloud Service Account Disabled or Deleted
id: 13f81a90-a69c-4fab-8f07-b5bb55416a9f
status: test
description: Identifies when a service account is disabled or deleted in Google Cloud.
references:
    - https://cloud.google.com/iam/docs/reference/rest/v1/projects.serviceAccounts
author: Austin Songer @austinsonger
date: 2021-08-14
modified: 2022-10-09
tags:
    - attack.impact
    - attack.t1531
logsource:
    product: gcp
    service: gcp.audit
detection:
    selection:
        gcp.audit.method_name|endswith:
            - .serviceAccounts.disable
            - .serviceAccounts.delete
    condition: selection
falsepositives:
    - Service Account being disabled or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
    - Service Account disabled or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: medium

title: Group Has Been Deleted Via Groupdel
id: 8a46f16c-8c4c-82d1-b121-0fdd3ba70a84
status: test
description: Detects execution of the "groupdel" binary. Which is used to delete a group. This is sometimes abused by threat actors in order to cover their tracks
references:
    - https://linuxize.com/post/how-to-delete-group-in-linux/
    - https://www.cyberciti.biz/faq/linux-remove-user-command/
    - https://www.cybrary.it/blog/0p3n/linux-commands-used-attackers/
    - https://linux.die.net/man/8/groupdel
author: Tuan Le (NCSGroup)
date: 2022-12-26
tags:
    - attack.impact
    - attack.t1531
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        Image|endswith: '/groupdel'
    condition: selection
falsepositives:
    - Legitimate administrator activities
level: medium

title: Okta User Account Locked Out
id: 14701da0-4b0f-4ee6-9c95-2ffb4e73bb9a
status: test
description: Detects when an user account is locked out.
references:
    - https://developer.okta.com/docs/reference/api/system-log/
    - https://developer.okta.com/docs/reference/api/event-types/
author: Austin Songer @austinsonger
date: 2021-09-12
modified: 2026-04-27
tags:
    - attack.impact
    - attack.t1531
logsource:
    product: okta
    service: okta
detection:
    selection:
        displayMessage: Max sign in attempts exceeded
    condition: selection
falsepositives:
    - Unknown
level: medium

title: Remove Account From Domain Admin Group
id: 48a45d45-8112-416b-8a67-46e03a4b2107
status: test
description: |
    Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users.
    Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1531/T1531.md#atomic-test-3---remove-account-from-domain-admin-group
author: frack113
date: 2021-12-26
tags:
    - attack.impact
    - attack.t1531
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains|all:
            - 'Remove-ADGroupMember'
            - '-Identity '
            - '-Members '
    condition: selection
falsepositives:
    - Unknown
level: medium

title: User Has Been Deleted Via Userdel
id: 08f26069-6f80-474b-8d1f-d971c6fedea0
status: test
description: Detects execution of the "userdel" binary. Which is used to delete a user account and related files. This is sometimes abused by threat actors in order to cover their tracks
references:
    - https://linuxize.com/post/how-to-delete-group-in-linux/
    - https://www.cyberciti.biz/faq/linux-remove-user-command/
    - https://www.cybrary.it/blog/0p3n/linux-commands-used-attackers/
    - https://linux.die.net/man/8/userdel
author: Tuan Le (NCSGroup)
date: 2022-12-26
tags:
    - attack.impact
    - attack.t1531
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        Image|endswith: '/userdel'
    condition: selection
falsepositives:
    - Legitimate administrator activities
level: medium

title: AWS ElastiCache Security Group Modified or Deleted
id: 7c797da2-9cf2-4523-ba64-33b06339f0cc
status: test
description: Identifies when an ElastiCache security group has been modified or deleted.
references:
    - https://github.com/elastic/detection-rules/blob/7d5efd68603f42be5e125b5a6a503b2ef3ac0f4e/rules/integrations/aws/impact_elasticache_security_group_modified_or_deleted.toml
author: Austin Songer @austinsonger
date: 2021-07-24
modified: 2022-10-09
tags:
    - attack.impact
    - attack.t1531
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        eventSource: elasticache.amazonaws.com
        eventName:
            - 'DeleteCacheSecurityGroup'
            - 'AuthorizeCacheSecurityGroupIngress'
            - 'RevokeCacheSecurityGroupIngress'
            - 'AuthorizeCacheSecurityGroupEgress'
            - 'RevokeCacheSecurityGroupEgress'
    condition: selection
falsepositives:
    - A ElastiCache security group deletion may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Security Group deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.


level: low

title: User Logoff Event
id: 0badd08f-c6a3-4630-90d3-6875cca440be
status: test
description: Detects a user log-off activity. Could be used for example to correlate information during forensic investigations
references:
    - https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md
    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4634
    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4647
author: frack113
date: 2022-10-14
tags:
    - attack.impact
    - attack.t1531
logsource:
    service: security
    product: windows
detection:
    selection:
        EventID:
            - 4634
            - 4647
    condition: selection
falsepositives:
    - Unknown
level: informational