EXPLORE DETECTIONS

3,115 detections found
Azure Kubernetes Service Account Modified or Deleted

Identifies when a service account is modified or deleted.

T1531, T1485, T1496, T1489
Sigma, medium

Azure Login Bypassing Conditional Access Policies

Detects a successful login to the Microsoft Intune Company Portal, which could allow bypassing Conditional Access Policies and Intune device trust using a tool like TokenSmith.

T1078
Sigma, high

Azure Network Firewall Policy Modified or Deleted

Identifies when a firewall policy is modified or deleted.

T1562.007
Sigma, medium

Azure Network Security Configuration Modified or Deleted

Identifies when a network security configuration is modified or deleted.

Sigma, medium

Azure New CloudShell Created

Identifies when a new Cloud Shell is created inside the Azure portal.

T1059
Sigma, medium

Azure Owner Removed From Application or Service Principal

Identifies when an owner was removed from an application or service principal in Azure.

Sigma, medium

Azure Point-to-site VPN Modified or Deleted

Identifies when a Point-to-site VPN is modified or deleted.

Sigma, medium

Azure Service Principal Created

Identifies when a service principal is created in Azure.

Sigma, medium

Azure Service Principal Removed

Identifies when a service principal was removed in Azure.

Sigma, medium

Azure Subscription Permission Elevation Via ActivityLogs

Detects when a user has been elevated to manage all Azure Subscriptions. This change should be investigated immediately if it isn't planned. This setting could allow an attacker access to Azure subscriptions in your environment.

T1078.004
Sigma, high

Azure Subscription Permission Elevation Via AuditLogs

Detects when a user has been elevated to manage all Azure Subscriptions. This change should be investigated immediately if it isn't planned. This setting could allow an attacker access to Azure subscriptions in your environment.

T1078
Sigma, high

Azure Suppression Rule Created

Identifies when a suppression rule is created in Azure. Adversaries could attempt this to evade detection.

Sigma, medium

Azure Unusual Authentication Interruption

Detects when there is an interruption in the authentication process.

T1078
Sigma, medium

Azure Virtual Network Device Modified or Deleted

Identifies when a virtual network device is being modified or deleted. This can be a network interface, network virtual appliance, virtual hub, or virtual router.

Sigma, medium

Azure Virtual Network Modified or Deleted

Identifies when a Virtual Network is modified or deleted in Azure.

Sigma, medium

Azure VPN Connection Modified or Deleted

Identifies when a VPN connection is modified or deleted.

Sigma, medium

BaaUpdate.exe Suspicious DLL Load

Detects the BitLocker Access Agent Update Utility (baaupdate.exe) loading DLLs from suspicious, publicly writable locations, which could indicate an attempt at lateral movement via BitLocker DCOM and COM hijacking. This technique abuses COM classes configured as INTERACTIVE USER to spawn processes in the context of the logged-on user's session. Specifically, it targets the BDEUILauncher class (CLSID ab93b6f1-be76-4185-a488-a9001b105b94), which can launch BaaUpdate.exe; that binary is vulnerable to COM hijacking when started with input parameters. This allows attackers to execute code in the user's context without needing to steal credentials or use additional techniques to compromise the account.

T1218, T1021.003
Sigma, high

Backup Catalog Deleted

Detects backup catalog deletions.

T1070.004
Sigma, medium

Backup Files Deleted

Detects deletion of files with extensions often used for backup files. Adversaries may delete or remove built-in operating system data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.

T1490
Sigma, medium

Bad Opsec Defaults Sacrificial Processes With Improper Arguments

Detects attackers using tooling with bad opsec defaults, e.g. spawning a sacrificial process to inject a capability into it without taking into account how the process is normally run. One trivial example of this is using rundll32.exe without arguments as a sacrificial process (the default in Cobalt Strike, now highlighted by c2lint); another is running WerFault without arguments (Kraken, credit am0nsec).

T1218.011
Sigma, high

Bad Opsec Powershell Code Artifacts

Focuses on trivial artifacts observed in variants of prevalent offensive ps1 payloads, including Cobalt Strike Beacon, PoshC2, PowerView, Letmein, Empire, PowerSploit, and other attack payloads that often undergo minimal changes by attackers due to bad opsec.

T1059.001
Sigma, critical

Base64 Encoded PowerShell Command Detected

Detects usage of the "FromBase64String" function in the command line, which is used to decode a base64-encoded string.

T1027, T1140, T1059.001
Sigma, high

Base64 MZ Header In CommandLine

Detects a base64-encoded MZ header in the command line.

Sigma, high

Bash Interactive Shell

Detects execution of the bash shell with the interactive flag "-i".

Sigma, low