Sigma is the open generic signature format for SIEM systems. Each rule below converts to native syntax for Splunk, Elastic, Sentinel, and other SIEMs. Expand any rule to see its raw YAML.
AWS Identity Center Identity Provider Change
Level: high | Status: test | Author: Michael McIntyre @wtfender | ID: d3adb3ef-b7e7-4003-9092-1924c797db35
Detects a change in the AWS Identity Center (FKA AWS SSO) identity provider.
A change in identity provider allows an attacker to establish persistent access or escalate privileges via user impersonation.
Sigma YAML:
title: AWS Identity Center Identity Provider Change
id: d3adb3ef-b7e7-4003-9092-1924c797db35
status: test
description: |
    Detects a change in the AWS Identity Center (FKA AWS SSO) identity provider.
    A change in identity provider allows an attacker to establish persistent access or escalate privileges via user impersonation.
references:
    - https://docs.aws.amazon.com/singlesignon/latest/userguide/app-enablement.html
    - https://docs.aws.amazon.com/singlesignon/latest/userguide/sso-info-in-cloudtrail.html
    - https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiamidentitycentersuccessortoawssinglesign-on.html
author: Michael McIntyre @wtfender
date: 2023-09-27
tags:
    - attack.persistence
    - attack.credential-access
    - attack.defense-impairment
    - attack.t1556
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        eventSource:
            - 'sso-directory.amazonaws.com'
            - 'sso.amazonaws.com'
        eventName:
            - 'AssociateDirectory'
            - 'DisableExternalIdPConfigurationForDirectory'
            - 'DisassociateDirectory'
            - 'EnableExternalIdPConfigurationForDirectory'
    condition: selection
falsepositives:
    - Authorized changes to the AWS account's identity provider
level: high

Directory Service Restore Mode (DSRM) Registry Value Tampering
Level: high | Status: test | Author: Nischal Khadgi | ID: b61e87c0-50db-4b2e-8986-6a2be94b33b0
Detects changes to the "DsrmAdminLogonBehavior" registry value.
During a Domain Controller (DC) promotion, administrators create a Directory Services Restore Mode (DSRM) local administrator account with a password that rarely changes. The DSRM account is an “Administrator” account that logs in with the DSRM mode when the server is booting up to restore AD backups or recover the server from a failure.
Attackers could abuse the DSRM account to maintain their persistence and access to the organization's Active Directory.
If the "DsrmAdminLogonBehavior" value is set to "0", the administrator account can only be used if the DC starts in DSRM.
If the "DsrmAdminLogonBehavior" value is set to "1", the administrator account can only be used if the local AD DS service is stopped.
If the "DsrmAdminLogonBehavior" value is set to "2", the administrator account can always be used.
Sigma YAML:
title: Directory Service Restore Mode (DSRM) Registry Value Tampering
id: b61e87c0-50db-4b2e-8986-6a2be94b33b0
related:
    - id: 53ad8e36-f573-46bf-97e4-15ba5bf4bb51
      type: similar
status: test
description: |
    Detects changes to the "DsrmAdminLogonBehavior" registry value.
    During a Domain Controller (DC) promotion, administrators create a Directory Services Restore Mode (DSRM) local administrator account with a password that rarely changes. The DSRM account is an “Administrator” account that logs in with the DSRM mode when the server is booting up to restore AD backups or recover the server from a failure.
    Attackers could abuse the DSRM account to maintain their persistence and access to the organization's Active Directory.
    If the "DsrmAdminLogonBehavior" value is set to "0", the administrator account can only be used if the DC starts in DSRM.
    If the "DsrmAdminLogonBehavior" value is set to "1", the administrator account can only be used if the local AD DS service is stopped.
    If the "DsrmAdminLogonBehavior" value is set to "2", the administrator account can always be used.
references:
    - https://adsecurity.org/?p=1785
    - https://www.sentinelone.com/blog/detecting-dsrm-account-misconfigurations/
    - https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/dsrm-credentials
author: Nischal Khadgi
date: 2024-07-11
tags:
    - attack.credential-access
    - attack.persistence
    - attack.defense-impairment
    - attack.t1556
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith: '\Control\Lsa\DsrmAdminLogonBehavior'
    filter_main_default_value:
        Details: 'DWORD (0x00000000)' # Default value
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high
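The following is an added example, not part of the Sigma rule set: it applies the DSRM rule's selection and default-value filter to constructed registry_set events and maps the written DWORD back to the account behaviour described above. Event shapes, image paths and the sample values are assumptions made for the demonstration.

```python
# Added example (not from the Sigma project): evaluates the
# "Directory Service Restore Mode (DSRM) Registry Value Tampering" rule logic
# over constructed registry_set events, including the default-value filter.

# Constructed events using Sigma's registry_set field names (as a Sysmon
# Event ID 13 record is normalised to); paths and images are illustrative.
LSA_KEY = "HKLM\\System\\CurrentControlSet\\Control\\Lsa"
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\regedit.exe",
     "TargetObject": LSA_KEY + "\\DsrmAdminLogonBehavior",
     "Details": "DWORD (0x00000002)"},      # always usable -> alert
    {"Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": LSA_KEY + "\\DsrmAdminLogonBehavior",
     "Details": "DWORD (0x00000000)"},      # back to default -> filtered out
    {"Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": LSA_KEY + "\\DsrmAdminLogonBehavior",
     "Details": "DWORD (0x00000001)"},      # usable when AD DS stopped -> alert
    {"Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetObject": LSA_KEY + "\\LmCompatibilityLevel",
     "Details": "DWORD (0x00000005)"},      # different value name -> no match
]

DSRM_SUFFIX = "\\Control\\Lsa\\DsrmAdminLogonBehavior"
DEFAULT_DETAILS = "DWORD (0x00000000)"

# Meaning of each value, taken from the rule description.
DSRM_BEHAVIOUR = {
    0: "DSRM administrator usable only when the DC boots into DSRM",
    1: "DSRM administrator usable when the local AD DS service is stopped",
    2: "DSRM administrator always usable",
}


def selection(event):
    # TargetObject|endswith '\Control\Lsa\DsrmAdminLogonBehavior';
    # Sigma string matching is case-insensitive, hence the lower().
    return event.get("TargetObject", "").lower().endswith(DSRM_SUFFIX.lower())


def filter_main_default_value(event):
    # Details: 'DWORD (0x00000000)' (the default value)
    return event.get("Details") == DEFAULT_DETAILS


def rule_matches(event):
    # condition: selection and not 1 of filter_main_*
    return selection(event) and not filter_main_default_value(event)


def dword_value(details):
    """Parse a Sysmon-style 'DWORD (0x00000002)' string into an int, or None."""
    if not details.startswith("DWORD (0x") or not details.endswith(")"):
        return None
    return int(details[len("DWORD ("):-1], 16)


def evaluate(events):
    """Return (Image, value, meaning) for every event the rule would alert on."""
    hits = []
    for ev in events:
        if rule_matches(ev):
            val = dword_value(ev["Details"])
            hits.append((ev["Image"], val, DSRM_BEHAVIOUR.get(val, "unrecognised value")))
    return hits


if __name__ == "__main__":
    for image, val, meaning in evaluate(SAMPLE_EVENTS):
        print(f"{image}: DsrmAdminLogonBehavior={val} ({meaning})")
```

Note that a write of the default value is filtered out as well, so a reset from "2" back to "0" is only visible through the earlier event that set it to "2".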

Disabling Multi Factor Authentication
Level: high | Status: test | Author: Splunk Threat Research Team (original rule), Harjot Singh @cyb3rjy0t (sigma rule) | ID: 60de9b57-dc4d-48b9-a6a0-b39e0469f876
Detects disabling of Multi Factor Authentication.
Sigma YAML:
title: Disabling Multi Factor Authentication
id: 60de9b57-dc4d-48b9-a6a0-b39e0469f876
status: test
description: Detects disabling of Multi Factor Authentication.
references:
    - https://research.splunk.com/cloud/c783dd98-c703-4252-9e8a-f19d9f5c949e/
author: Splunk Threat Research Team (original rule), Harjot Singh @cyb3rjy0t (sigma rule)
date: 2023-09-18
tags:
    - attack.persistence
    - attack.credential-access
    - attack.defense-impairment
    - attack.t1556.006
logsource:
    service: audit
    product: m365
detection:
    selection:
        Operation|contains: 'Disable Strong Authentication.'
    condition: selection
falsepositives:
    - Unlikely
level: high

Github High Risk Configuration Disabled
Level: high | Status: test | Author: Muhammad Faisal (@faisalusuf) | ID: 8622c92d-c00e-463c-b09d-fd06166f6794
Detects when a user disables a critical security feature for an organization.
Sigma YAML:
title: Github High Risk Configuration Disabled
id: 8622c92d-c00e-463c-b09d-fd06166f6794
status: test
description: Detects when a user disables a critical security feature for an organization.
references:
    - https://docs.github.com/en/organizations/managing-oauth-access-to-your-organizations-data/disabling-oauth-app-access-restrictions-for-your-organization
    - https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#dependabot_alerts-category-actions
    - https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository
    - https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise
author: Muhammad Faisal (@faisalusuf)
date: 2023-01-29
modified: 2024-07-22
tags:
    - attack.credential-access
    - attack.persistence
    - attack.defense-impairment
    - attack.t1556
logsource:
    product: github
    service: audit
    definition: 'Requirements: The audit log streaming feature must be enabled to be able to receive such logs. You can enable following the documentation here: https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-audit-log-streaming'
detection:
    selection:
        action:
            - 'business_advanced_security.disabled_for_new_repos'
            - 'business_advanced_security.disabled_for_new_user_namespace_repos'
            - 'business_advanced_security.disabled'
            - 'business_advanced_security.user_namespace_repos_disabled'
            - 'org.advanced_security_disabled_for_new_repos'
            - 'org.advanced_security_disabled_on_all_repos'
            - 'org.advanced_security_policy_selected_member_disabled'
            - 'org.disable_oauth_app_restrictions'
            - 'org.disable_two_factor_requirement'
            - 'repo.advanced_security_disabled'
    condition: selection
falsepositives:
    - Approved administrator/owner activities.
level: high

Possible Shadow Credentials Added
Level: high | Status: test | Author: Nasreddine Bencherchali (Nextron Systems), Elastic (idea) | ID: f598ea0c-c25a-4f72-a219-50c44411c791
Detects possible addition of shadow credentials to an Active Directory object.
Sigma YAML:
title: Possible Shadow Credentials Added
id: f598ea0c-c25a-4f72-a219-50c44411c791
status: test
description: Detects possible addition of shadow credentials to an Active Directory object.
references:
    - https://www.elastic.co/guide/en/security/8.4/potential-shadow-credentials-added-to-ad-object.html
    - https://cyberstoph.org/posts/2022/03/detecting-shadow-credentials/
    - https://twitter.com/SBousseaden/status/1581300963650187264?
author: Nasreddine Bencherchali (Nextron Systems), Elastic (idea)
date: 2022-10-17
tags:
    - attack.persistence
    - attack.credential-access
    - attack.defense-impairment
    - attack.t1556
logsource:
    product: windows
    service: security
    definition: The "Audit Directory Service Changes" logging policy must be configured in order to receive events. Audit events are generated only for objects with configured system access control lists (SACLs) and only when accessed in a manner that matches their SACL settings. This policy covers the following event IDs - 5136, 5137, 5138, 5139, 5141. Note that the default policy does not cover User objects. For that a custom AuditRule needs to be set up (See https://github.com/OTRF/Set-AuditRule)
detection:
    selection:
        EventID: 5136
        AttributeLDAPDisplayName: 'msDS-KeyCredentialLink'
        # If you experience a lot of FP you could uncomment the selection below
        # There could be other cases for other tooling, add them accordingly
        # AttributeValue|contains: 'B:828'
        # OperationType: '%%14674' # Value Added
    # As stated in the FP section it's better to filter out the expected accounts that perform this operation to tighten the logic
    # Uncomment the filter below and add the account name (or any other specific field) accordingly
    # Don't forget to add it to the condition section below
    # filter:
    #     SubjectUserName: "%name%"
    condition: selection
falsepositives:
    - Modifications in the msDS-KeyCredentialLink attribute can be done legitimately by the Azure AD Connect synchronization account or the ADFS service account. These accounts can be added as Exceptions. (From elastic FP section)
level: high

Powershell Install a DLL in System Directory
Level: high | Status: test | Author: frack113, Nasreddine Bencherchali (Nextron Systems) | ID: 63bf8794-9917-45bc-88dd-e1b5abc0ecfd
Detects the use of PowerShell to install/copy a file into a system directory such as "System32" or "SysWOW64".
Sigma YAML:
title: Powershell Install a DLL in System Directory
id: 63bf8794-9917-45bc-88dd-e1b5abc0ecfd
status: test
description: Detects the use of PowerShell to install/copy a file into a system directory such as "System32" or "SysWOW64"
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1556.002/T1556.002.md#atomic-test-1---install-and-register-password-filter-dll
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2021-12-27
modified: 2024-01-22
tags:
    - attack.persistence
    - attack.credential-access
    - attack.defense-impairment
    - attack.t1556.002
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|re: '(Copy-Item|cpi) .{2,128} -Destination .{1,32}\\Windows\\(System32|SysWOW64)'
    condition: selection
falsepositives:
    - Unknown
level: high

CA Policy Removed by Non Approved Actor
Level: medium | Status: test | Author: Corissa Koopmans, '@corissalea' | ID: 26e7c5e2-6545-481e-b7e6-050143459635
Monitor and alert on conditional access changes where a non-approved actor removed a CA policy.
Sigma YAML:
title: CA Policy Removed by Non Approved Actor
id: 26e7c5e2-6545-481e-b7e6-050143459635
status: test
description: Monitor and alert on conditional access changes where a non-approved actor removed a CA policy.
references:
    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-infrastructure#conditional-access
author: Corissa Koopmans, '@corissalea'
date: 2022-07-19
tags:
    - attack.privilege-escalation
    - attack.credential-access
    - attack.persistence
    - attack.defense-impairment
    - attack.t1548
    - attack.t1556
logsource:
    product: azure
    service: auditlogs
detection:
    selection:
        properties.message: Delete conditional access policy
    condition: selection
falsepositives:
    - Misconfigured role permissions
    - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
level: medium

CA Policy Updated by Non Approved Actor
Level: medium | Status: test | Author: Corissa Koopmans, '@corissalea' | ID: 50a3c7aa-ec29-44a4-92c1-fce229eef6fc
Monitor and alert on conditional access changes. Is the "Initiated by (actor)" approved to make changes? Review the Modified Properties and compare the "old" and "new" values.
Sigma YAML:
title: CA Policy Updated by Non Approved Actor
id: 50a3c7aa-ec29-44a4-92c1-fce229eef6fc
status: test
description: Monitor and alert on conditional access changes. Is the "Initiated by (actor)" approved to make changes? Review the Modified Properties and compare the "old" and "new" values.
references:
    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-infrastructure#conditional-access
author: Corissa Koopmans, '@corissalea'
date: 2022-07-19
modified: 2024-05-28
tags:
    - attack.privilege-escalation
    - attack.credential-access
    - attack.persistence
    - attack.defense-impairment
    - attack.t1548
    - attack.t1556
logsource:
    product: azure
    service: auditlogs
detection:
    selection:
        properties.message: Update conditional access policy
    condition: selection
falsepositives:
    - Misconfigured role permissions
    - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
level: medium

Certificate-Based Authentication Enabled
Level: medium | Status: test | Author: Harjot Shah Singh, '@cyb3rjy0t' | ID: c2496b41-16a9-4016-a776-b23f8910dc58
Detects when certificate-based authentication has been enabled in an Azure Active Directory tenant.
Sigma YAML:
title: Certificate-Based Authentication Enabled
id: c2496b41-16a9-4016-a776-b23f8910dc58
status: test
description: Detects when certificate-based authentication has been enabled in an Azure Active Directory tenant.
references:
    - https://posts.specterops.io/passwordless-persistence-and-privilege-escalation-in-azure-98a01310be3f
    - https://goodworkaround.com/2022/02/15/digging-into-azure-ad-certificate-based-authentication/
author: Harjot Shah Singh, '@cyb3rjy0t'
date: 2024-03-26
tags:
    - attack.credential-access
    - attack.persistence
    - attack.privilege-escalation
    - attack.defense-impairment
    - attack.t1556
logsource:
    product: azure
    service: auditlogs
detection:
    selection:
        OperationName: 'Authentication Methods Policy Update'
        TargetResources.modifiedProperties|contains: 'AuthenticationMethodsPolicy'
    condition: selection
falsepositives:
    - Unknown
level: medium

Change to Authentication Method
Level: medium | Status: test | Author: AlertIQ | ID: 4d78a000-ab52-4564-88a5-7ab5242b20c7
A change to an authentication method could be an indicator of an attacker adding an auth method to the account so they can have continued access.
Sigma YAML:
title: Change to Authentication Method
id: 4d78a000-ab52-4564-88a5-7ab5242b20c7
status: test
description: A change to an authentication method could be an indicator of an attacker adding an auth method to the account so they can have continued access.
references:
    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts
author: AlertIQ
date: 2021-10-10
modified: 2022-12-25
tags:
    - attack.privilege-escalation
    - attack.credential-access
    - attack.defense-impairment
    - attack.t1556
    - attack.persistence
    - attack.t1098
logsource:
    product: azure
    service: auditlogs
detection:
    selection:
        LoggedByService: 'Authentication Methods'
        Category: 'UserManagement'
        OperationName: 'User registered security info'
    condition: selection
falsepositives:
    - Unknown
level: medium

Cisco Dot1x Disabled
Level: medium | Status: experimental | Author: Luc Génaux | ID: ef0ff092-a24a-4fbc-beea-06c08d53e085
Detects the manual disablement of IEEE 802.1X (dot1x) on a Cisco network device interface.
Disabling dot1x bypasses Network Access Control (NAC) mechanisms, potentially allowing unauthorized devices to gain access to the internal network.
This activity is a common technique used by attackers or malicious insiders to establish persistence or perform lateral movement via rogue devices.
Sigma YAML:
title: Cisco Dot1x Disabled
id: ef0ff092-a24a-4fbc-beea-06c08d53e085
status: experimental
description: |
    Detects the manual disablement of IEEE 802.1X (dot1x) on a Cisco network device interface.
    Disabling dot1x bypasses Network Access Control (NAC) mechanisms, potentially allowing unauthorized devices to gain access to the internal network.
    This activity is a common technique used by attackers or malicious insiders to establish persistence or perform lateral movement via rogue devices.
references:
    - https://www.cisco.com/en/US/docs/ios-xml/ios/san/command/san-xe-3se-3850-cr-book_chapter_00.html#wp3394428680 # Modern IOS-XE
    - https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/a1/sec-a1-xe-3se-3850-cr-book/sec-a1-xe-3se-3850-cr-book_chapter_010.html#wp3502072400 # Older IOS
    - https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960/software/release/12-2_53_se/command/reference/2960ComRef/cli1.html#47220 # Legacy
author: Luc Génaux
date: 2026-04-28
tags:
    - attack.persistence
    - attack.credential-access
    - attack.defense-impairment
    - attack.t1685
    - attack.t1556.004
logsource:
    product: cisco
    service: aaa
detection:
    keywords:
        # xxx port-control force-authorized : disables 802.1X authentication and causes the port to change to the authorized state without any authentication exchange required
        # no xxx port-control : causes the port to fall back to the default setting which is "force-authorized", thereby disabling 802.1X
        - 'access-session port-control force-authorized' # Modern IOS-XE
        - 'authentication port-control force-authorized' # Older IOS
        - 'dot1x port-control force-authorized' # Legacy
        - 'no access-session port-control' # Modern IOS-XE
        - 'no authentication port-control' # Older IOS
        - 'no dot1x port-control' # Legacy
        - 'no dot1x system-auth-control' # disables 802.1X globally
    condition: keywords
falsepositives:
    - Administrator troubleshooting connectivity issues
level: medium
# regression_tests_path: regression_data/rules/cisco/aaa/cisco_cli_dot1x_disabled/info.yml
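The following is an added example, not part of the Sigma rule set: it applies the rule's keyword list to constructed command-accounting lines and, going a step beyond the rule, tracks which interface each disabling command was issued under. The log line format, device names and commands are assumptions made for the demonstration.

```python
import re

# Added example (not from the Sigma project): applies the keyword list of the
# "Cisco Dot1x Disabled" rule to constructed command-accounting lines and
# attaches the interface context the command was issued under.

# Keyword list copied from the rule; Sigma 'keywords' match as
# case-insensitive substrings anywhere in the record.
KEYWORDS = [
    "access-session port-control force-authorized",   # Modern IOS-XE
    "authentication port-control force-authorized",   # Older IOS
    "dot1x port-control force-authorized",            # Legacy
    "no access-session port-control",                 # Modern IOS-XE
    "no authentication port-control",                 # Older IOS
    "no dot1x port-control",                          # Legacy
    "no dot1x system-auth-control",                   # disables 802.1X globally
]

# Constructed sample lines loosely modelled on AAA command accounting output;
# the real format depends on the platform and on how the collector normalises it.
SAMPLE_LOG = """\
Oct 3 10:14:02 sw01 AAA: user=netops cmd=interface GigabitEthernet1/0/7
Oct 3 10:14:05 sw01 AAA: user=netops cmd=no authentication port-control
Oct 3 10:14:09 sw01 AAA: user=netops cmd=authentication port-control auto
Oct 3 11:02:30 sw02 AAA: user=contractor cmd=interface GigabitEthernet1/0/24
Oct 3 11:02:41 sw02 AAA: user=contractor cmd=access-session port-control force-authorized
Oct 3 11:02:55 sw02 AAA: user=contractor cmd=exit
Oct 3 11:03:10 sw02 AAA: user=contractor cmd=no dot1x system-auth-control
Oct 3 12:20:00 sw03 AAA: user=netops cmd=show dot1x all
"""

LINE_RE = re.compile(r"\s(\S+) AAA: user=(\S+) cmd=(.*)$")


def keywords_match(cmd):
    """Return the rule keywords found in the command (empty list = no alert)."""
    lower = cmd.lower()
    return [k for k in KEYWORDS if k in lower]


def scan(log):
    """Evaluate the rule over accounting lines, tracking interface context per device."""
    current_iface = {}  # device -> interface currently being configured
    hits = []
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        device, user, cmd = m.groups()
        lowered = cmd.lower()
        if lowered.startswith("interface "):
            current_iface[device] = cmd.split(None, 1)[1]
            continue
        if lowered in ("exit", "end"):
            current_iface.pop(device, None)
            continue
        matched = keywords_match(cmd)
        if matched:
            hits.append({
                "device": device,
                "user": user,
                "interface": current_iface.get(device, "global"),
                "cmd": cmd,
                "keyword": matched[0],
            })
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The re-enable on sw01 ("authentication port-control auto") is correctly not flagged, which shows why the rule lists full command strings rather than bare "port-control".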

Disabled MFA to Bypass Authentication Mechanisms
Level: medium | Status: test | Author: @ionsor | ID: 7ea78478-a4f9-42a6-9dcd-f861816122bf
Detects when multi-factor authentication has been disabled, which might indicate malicious activity to bypass authentication mechanisms.
Sigma YAML:
title: Disabled MFA to Bypass Authentication Mechanisms
id: 7ea78478-a4f9-42a6-9dcd-f861816122bf
status: test
description: Detects when multi-factor authentication has been disabled, which might indicate malicious activity to bypass authentication mechanisms.
references:
    - https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates
author: '@ionsor'
date: 2022-02-08
tags:
    - attack.credential-access
    - attack.persistence
    - attack.defense-impairment
    - attack.t1556
logsource:
    product: azure
    service: activitylogs
detection:
    selection:
        eventSource: AzureActiveDirectory
        eventName: 'Disable Strong Authentication.'
        status: success
    condition: selection
falsepositives:
    - Authorized modification by administrators
level: medium

Dropping Of Password Filter DLL
Level: medium | Status: test | Author: Sreeman | ID: b7966f4a-b333-455b-8370-8ca53c229762
Detects dropping of DLL files in System32 that may be used to retrieve user credentials from LSASS.
Sigma YAML:
title: Dropping Of Password Filter DLL
id: b7966f4a-b333-455b-8370-8ca53c229762
status: test
description: Detects dropping of DLL files in System32 that may be used to retrieve user credentials from LSASS
references:
    - https://pentestlab.blog/2020/02/10/credential-access-password-filter-dll/
    - https://github.com/3gstudent/PasswordFilter/tree/master/PasswordFilter
author: Sreeman
date: 2020-10-29
modified: 2022-10-09
tags:
    - attack.persistence
    - attack.credential-access
    - attack.defense-impairment
    - attack.t1556.002
logsource:
    category: process_creation
    product: windows
detection:
    selection_cmdline:
        CommandLine|contains|all:
            - 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa'
            - 'scecli\0*'
            - 'reg add'
    condition: selection_cmdline
falsepositives:
    - Unknown
level: medium

New Root Certificate Authority Added
Level: medium | Status: test | Author: Harjot Shah Singh, '@cyb3rjy0t' | ID: 4bb80281-3756-4ec8-a88e-523c5a6fda9e
Detects a newly added root certificate authority in an AzureAD tenant to support certificate-based authentication.
Sigma YAML:
title: New Root Certificate Authority Added
id: 4bb80281-3756-4ec8-a88e-523c5a6fda9e
status: test
description: Detects a newly added root certificate authority in an AzureAD tenant to support certificate-based authentication.
references:
    - https://posts.specterops.io/passwordless-persistence-and-privilege-escalation-in-azure-98a01310be3f
    - https://goodworkaround.com/2022/02/15/digging-into-azure-ad-certificate-based-authentication/
author: Harjot Shah Singh, '@cyb3rjy0t'
date: 2024-03-26
tags:
    - attack.credential-access
    - attack.persistence
    - attack.privilege-escalation
    - attack.defense-impairment
    - attack.t1556
logsource:
    product: azure
    service: auditlogs
detection:
    selection:
        OperationName: 'Set Company Information'
        TargetResources.modifiedProperties.newValue|contains: 'TrustedCAsForPasswordlessAuth'
    condition: selection
falsepositives:
    - Unknown
level: medium

Okta MFA Reset or Deactivated
Level: medium | Status: test | Author: Austin Songer @austinsonger | ID: 50e068d7-1e6b-4054-87e5-0a592c40c7e0
Detects an attempt at deactivating or resetting MFA.
Sigma YAML:
title: Okta MFA Reset or Deactivated
id: 50e068d7-1e6b-4054-87e5-0a592c40c7e0
status: test
description: Detects an attempt at deactivating or resetting MFA.
references:
    - https://developer.okta.com/docs/reference/api/system-log/
    - https://developer.okta.com/docs/reference/api/event-types/
author: Austin Songer @austinsonger
date: 2021-09-21
modified: 2026-04-27
tags:
    - attack.persistence
    - attack.credential-access
    - attack.defense-impairment
    - attack.t1556.006
logsource:
    product: okta
    service: okta
detection:
    selection:
        eventType:
            - user.mfa.factor.deactivate
            - user.mfa.factor.reset_all
    condition: selection
falsepositives:
    - If an MFA reset or deactivation was performed by a system administrator.
level: medium

Potential Suspicious Activity Using SeCEdit
Level: medium | Status: test | Author: Janantha Marasinghe | ID: c2c76b77-32be-4d1f-82c9-7e544bdfe0eb
Detects potentially suspicious behaviour using secedit.exe, such as exporting or modifying the security policy.
Sigma YAML:
title: Potential Suspicious Activity Using SeCEdit
id: c2c76b77-32be-4d1f-82c9-7e544bdfe0eb
status: test
description: Detects potentially suspicious behaviour using secedit.exe, such as exporting or modifying the security policy
references:
    - https://blueteamops.medium.com/secedit-and-i-know-it-595056dee53d
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/secedit
author: Janantha Marasinghe
date: 2022-11-18
modified: 2022-12-30
tags:
    - attack.collection
    - attack.discovery
    - attack.persistence
    - attack.credential-access
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.defense-impairment
    - attack.t1685.001
    - attack.t1547.001
    - attack.t1505.005
    - attack.t1556.002
    - attack.t1685
    - attack.t1574.007
    - attack.t1564.002
    - attack.t1546.008
    - attack.t1546.007
    - attack.t1547.014
    - attack.t1547.010
    - attack.t1547.002
    - attack.t1557
    - attack.t1082
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\secedit.exe'
        - OriginalFileName: 'SeCEdit'
    selection_flags_discovery:
        CommandLine|contains|all:
            - '/export'
            - '/cfg'
    selection_flags_configure:
        CommandLine|contains|all:
            - '/configure'
            - '/db'
    # filter:
    #     SubjectUserName|endswith: '$' # SubjectUserName is from event ID 4719 in the Windows Security log
    condition: selection_img and (1 of selection_flags_*)
falsepositives:
    - Legitimate administrative use
level: medium

User Added To Group With CA Policy Modification Access
Level: medium | Status: test | Author: Mark Morowczynski '@markmorow', Thomas Detzner '@tdetzner' | ID: 91c95675-1f27-46d0-bead-d1ae96b97cd3
Monitor and alert on group membership additions to groups that have CA policy modification access.
Sigma YAML:
title: User Added To Group With CA Policy Modification Access
id: 91c95675-1f27-46d0-bead-d1ae96b97cd3
status: test
description: Monitor and alert on group membership additions to groups that have CA policy modification access
references:
    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-infrastructure#conditional-access
author: Mark Morowczynski '@markmorow', Thomas Detzner '@tdetzner'
date: 2022-08-04
tags:
    - attack.privilege-escalation
    - attack.credential-access
    - attack.persistence
    - attack.defense-impairment
    - attack.t1548
    - attack.t1556
logsource:
    product: azure
    service: auditlogs
detection:
    selection:
        properties.message: Add member from group
    condition: selection
falsepositives:
    - User added to the group is approved
level: medium

User Removed From Group With CA Policy Modification Access
Level: medium | Status: test | Author: Mark Morowczynski '@markmorow', Thomas Detzner '@tdetzner' | ID: 665e2d43-70dc-4ccc-9d27-026c9dd7ed9c
Monitor and alert on group membership removals from groups that have CA policy modification access.
Sigma YAML:
title: User Removed From Group With CA Policy Modification Access
id: 665e2d43-70dc-4ccc-9d27-026c9dd7ed9c
status: test
description: Monitor and alert on group membership removals from groups that have CA policy modification access
references:
    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-infrastructure#conditional-access
author: Mark Morowczynski '@markmorow', Thomas Detzner '@tdetzner'
date: 2022-08-04
tags:
    - attack.privilege-escalation
    - attack.credential-access
    - attack.persistence
    - attack.defense-impairment
    - attack.t1548
    - attack.t1556
logsource:
    product: azure
    service: auditlogs
detection:
    selection:
        properties.message: Remove member from group
    condition: selection
falsepositives:
    - User removed from the group is approved
level: medium

Azure AD Only Single Factor Authentication Required
Level: low | Status: test | Author: MikeDuddington, '@dudders1' | ID: 28eea407-28d7-4e42-b0be-575d5ba60b2c
Detect when users are authenticating without MFA being required.
Sigma YAML:
title: Azure AD Only Single Factor Authentication Required
id: 28eea407-28d7-4e42-b0be-575d5ba60b2c
status: test
description: Detect when users are authenticating without MFA being required.
references:
    - https://learn.microsoft.com/en-gb/entra/architecture/security-operations-user-accounts
author: MikeDuddington, '@dudders1'
date: 2022-07-27
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.initial-access
    - attack.credential-access
    - attack.stealth
    - attack.defense-impairment
    - attack.t1078.004
    - attack.t1556.006
logsource:
    product: azure
    service: signinlogs
detection:
    selection:
        Status: 'Success'
        AuthenticationRequirement: 'singleFactorAuthentication'
    condition: selection
falsepositives:
    - If this was approved by System Administrator.
level: low