Phoenix
Sigma IntelligenceBeta
Rule Library

Sigma Rules

1,701 rules found

3,707Total
3,116Detection
451Emerging
137Hunting
Detectionhightest

Remote Server Service Abuse for Lateral Movement

Detects remote RPC calls to possibly abuse remote encryption service via MS-EFSR

rpc_firewallapplication
TA0008 · Lateral MovementTA0002 · ExecutionT1569.002 · Service Execution
Sagie Dulce+1Sat Jan 01application
Detectionhightest

Remote Schedule Task Lateral Movement via SASec

Detects remote RPC calls to create or execute a scheduled task via SASec

rpc_firewallapplication
TA0004 · Privilege EscalationTA0008 · Lateral MovementTA0002 · ExecutionTA0003 · Persistence+2
Sagie Dulce+1Sat Jan 01application
Detectionhightest

Recon Activity via SASec

Detects remote RPC calls to read information about scheduled tasks via SASec

rpc_firewallapplication
TA0007 · Discovery
Sagie Dulce+1Sat Jan 01application
Detectionhightest

SharpHound Recon Account Discovery

Detects remote RPC calls useb by SharpHound to map remote connections and local group membership.

rpc_firewallapplication
T1087 · Account DiscoveryTA0007 · Discovery
Sagie Dulce+1Sat Jan 01application
Detectionhightest

SharpHound Recon Sessions

Detects remote RPC calls useb by SharpHound to map remote connections and local group membership.

rpc_firewallapplication
TA0007 · DiscoveryT1033 · System Owner/User Discovery
Sagie Dulce+1Sat Jan 01application
Detectionhightest

Potential SpEL Injection In Spring Framework

Detects potential SpEL Injection exploitation, which may lead to RCE.

springapplication
TA0001 · Initial AccessT1190 · Exploit Public-Facing Application
Moti HarmatsSat Feb 11application
Detectionhightest

Suspicious SQL Error Messages

Detects SQL error messages that indicate probing for an injection attack

sqlapplication
TA0001 · Initial AccessT1190 · Exploit Public-Facing Application
Bjoern KimminichMon Nov 27application
Detectionhightest

Potential Server Side Template Injection In Velocity

Detects exceptions in velocity template renderer, this most likely happens due to dynamic rendering of user input and may lead to RCE.

velocityapplication
TA0001 · Initial AccessT1190 · Exploit Public-Facing Application
Moti HarmatsSat Feb 11application
Detectionhighstable

Antivirus Hacktool Detection

Detects a highly relevant Antivirus alert that reports a hack tool or other attack tool. This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.

Antivirus Alert
TA0002 · ExecutionT1204 · User Execution
Florian Roth (Nextron Systems)+1Mon Aug 16category
Detectionhightest

Antivirus Relevant File Paths Alerts

Detects an Antivirus alert in a highly relevant file path or with a relevant file name. This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.

Antivirus Alert
TA0042 · Resource DevelopmentT1588 · Obtain Capabilities
Florian Roth (Nextron Systems)+1Sun Sep 09category
Detectionhightest

Antivirus Web Shell Detection

Detects a highly relevant Antivirus alert that reports a web shell. It's highly recommended to tune this rule to the specific strings used by your anti virus solution by downloading a big WebShell repository from e.g. github and checking the matches. This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.

Antivirus Alert
TA0003 · PersistenceT1505.003 · Web Shell
Florian Roth (Nextron Systems)+1Sun Sep 09category
Detectionhighexperimental

AWS GuardDuty Detector Deleted Or Updated

Detects successful deletion or disabling of an AWS GuardDuty detector, possibly by an attacker trying to avoid detection of its malicious activities. Upon deletion, GuardDuty stops monitoring the environment and all existing findings are lost. Verify with the user identity that this activity is legitimate.

AWScloudtrail
TA0005 · Defense EvasionT1562.001 · Disable or Modify ToolsT1562.008 · Disable or Modify Cloud Logs
suktech24Thu Nov 27cloud
Detectionhightest

Malicious Usage Of IMDS Credentials Outside Of AWS Infrastructure

Detects when an instance identity has taken an action that isn't inside SSM. This can indicate that a compromised EC2 instance is being used as a pivot point.

AWScloudtrail
TA0004 · Privilege EscalationTA0005 · Defense EvasionTA0001 · Initial AccessTA0003 · Persistence+2
jamesc-grafanaThu Jul 11cloud
Detectionhightest

Potential Malicious Usage of CloudTrail System Manager

Detect when System Manager successfully executes commands against an instance.

AWScloudtrail
TA0004 · Privilege EscalationTA0001 · Initial AccessT1566 · PhishingT1566.002 · Spearphishing Link
jamesc-grafanaThu Jul 11cloud
Detectionhighexperimental

AWS VPC Flow Logs Deleted

Detects the deletion of one or more VPC Flow Logs in AWS Elastic Compute Cloud (EC2) through the DeleteFlowLogs API call. Adversaries may delete flow logs to evade detection or remove evidence of network activity, hindering forensic investigations and visibility into malicious operations.

AWScloudtrail
TA0005 · Defense Evasion
Ivan SaakovSun Oct 19cloud
Detectionhightest

AWS Config Disabling Channel/Recorder

Detects AWS Config Service disabling

AWScloudtrail
TA0005 · Defense EvasionT1562.008 · Disable or Modify Cloud Logs
vitaliy0x1Tue Jan 21cloud
Detectionhightest

AWS EC2 Startup Shell Script Change

Detects changes to the EC2 instance startup script. The shell script will be executed as root/SYSTEM every time the specific instances are booted up.

AWScloudtrail
TA0002 · ExecutionT1059.001 · PowerShellT1059.003 · Windows Command ShellT1059.004 · Unix Shell
falokerWed Feb 12cloud
Detectionhightest

AWS GuardDuty Important Change

Detects updates of the GuardDuty list of trusted IPs, perhaps to disable security alerts against malicious IPs.

AWScloudtrail
TA0005 · Defense EvasionT1562.001 · Disable or Modify Tools
falokerTue Feb 11cloud
Detectionhightest

AWS IAM S3Browser LoginProfile Creation

Detects S3 Browser utility performing reconnaissance looking for existing IAM Users without a LoginProfile defined then (when found) creating a LoginProfile.

AWScloudtrail
TA0002 · ExecutionTA0003 · PersistenceTA0005 · Defense EvasionTA0001 · Initial Access+3
daniel.bohannonWed May 17cloud
Detectionhightest

AWS IAM S3Browser Templated S3 Bucket Policy Creation

Detects S3 browser utility creating Inline IAM policy containing default S3 bucket name placeholder value of "<YOUR-BUCKET-NAME>".

AWScloudtrail
TA0002 · ExecutionT1059.009 · Cloud APITA0003 · PersistenceTA0005 · Defense Evasion+3
daniel.bohannonWed May 17cloud
Detectionhightest

AWS IAM S3Browser User or AccessKey Creation

Detects S3 Browser utility creating IAM User or AccessKey.

AWScloudtrail
TA0004 · Privilege EscalationTA0002 · ExecutionTA0003 · PersistenceTA0005 · Defense Evasion+3
daniel.bohannonWed May 17cloud
Detectionhighexperimental

AWS KMS Imported Key Material Usage

Detects the import or deletion of key material in AWS KMS, which can be used as part of ransomware attacks. This activity is uncommon and provides a high certainty signal.

AWScloudtrail
TA0040 · ImpactT1486 · Data Encrypted for ImpactTA0042 · Resource DevelopmentT1608.003 · Install Digital Certificate
toopriceySat Oct 18cloud
Detectionhighexperimental

Modification or Deletion of an AWS RDS Cluster

Detects modifications to an RDS cluster or its deletion, which may indicate potential data exfiltration attempts, unauthorized access, or exposure of sensitive information.

AWScloudtrail
TA0010 · ExfiltrationT1020 · Automated Exfiltration
Ivan SaakovFri Dec 06cloud
Detectionhightest

Restore Public AWS RDS Instance

Detects the recovery of a new public database instance from a snapshot. It may be a part of data exfiltration.

AWScloudtrail
TA0010 · ExfiltrationT1020 · Automated Exfiltration
falokerWed Feb 12cloud
Detectionhighstable

AWS SecurityHub Findings Evasion

Detects the modification of the findings on SecurityHub.

AWScloudtrail
TA0005 · Defense EvasionT1562 · Impair Defenses
Sittikorn SMon Jun 28cloud
Detectionhightest

AWS Identity Center Identity Provider Change

Detects a change in the AWS Identity Center (FKA AWS SSO) identity provider. A change in identity provider allows an attacker to establish persistent access or escalate privileges via user impersonation.

AWScloudtrail
TA0003 · PersistenceTA0006 · Credential AccessTA0005 · Defense EvasionT1556 · Modify Authentication Process
Michael McIntyreWed Sep 27cloud
Detectionhightest

AWS User Login Profile Was Modified

Detects activity when someone is changing passwords on behalf of other users. An attacker with the "iam:UpdateLoginProfile" permission on other users can change the password used to login to the AWS console on any user that already has a login profile setup.

AWScloudtrail
TA0003 · PersistenceTA0004 · Privilege EscalationT1098 · Account Manipulation
toffeebr33kMon Aug 09cloud
Detectionhightest

Azure Subscription Permission Elevation Via ActivityLogs

Detects when a user has been elevated to manage all Azure Subscriptions. This change should be investigated immediately if it isn't planned. This setting could allow an attacker access to Azure subscriptions in your environment.

Azureactivitylogs
TA0004 · Privilege EscalationTA0003 · PersistenceTA0005 · Defense EvasionTA0001 · Initial Access+1
Austin SongerFri Nov 26cloud
Detectionhightest

Account Created And Deleted Within A Close Time Frame

Detects when an account was created and deleted in a short period of time.

Azureauditlogs
TA0004 · Privilege EscalationTA0003 · PersistenceTA0001 · Initial AccessTA0005 · Defense Evasion+1
Mark Morowczynski+2Thu Aug 11cloud
Detectionhightest

Changes to Device Registration Policy

Monitor and alert for changes to the device registration policy.

Azureauditlogs
TA0005 · Defense EvasionTA0004 · Privilege EscalationT1484 · Domain or Tenant Policy Modification
Michael EppingTue Jun 28cloud
Detectionhightest

Users Added to Global or Device Admin Roles

Monitor and alert for users added to device admin roles.

Azureauditlogs
TA0003 · PersistenceTA0001 · Initial AccessTA0005 · Defense EvasionTA0004 · Privilege Escalation+1
Michael EppingTue Jun 28cloud
Detectionhightest

Application AppID Uri Configuration Changes

Detects when a configuration change is made to an applications AppID URI.

Azureauditlogs
TA0001 · Initial AccessTA0005 · Defense EvasionTA0003 · PersistenceTA0006 · Credential Access+3
Mark Morowczynski+1Thu Jun 02cloud
Detectionhightest

Added Credentials to Existing Application

Detects when a new credential is added to an existing application. Any additional credentials added outside of expected processes could be a malicious actor using those credentials.

Azureauditlogs
TA0004 · Privilege EscalationT1098.001 · Additional Cloud CredentialsTA0003 · Persistence
Mark Morowczynski+1Thu May 26cloud
Detectionhightest

Delegated Permissions Granted For All Users

Detects when highly privileged delegated permissions are granted on behalf of all users

Azureauditlogs
TA0006 · Credential AccessT1528 · Steal Application Access Token
Bailey Bercik+1Thu Jul 28cloud
Detectionhightest

App Granted Microsoft Permissions

Detects when an application is granted delegated or app role permissions for Microsoft Graph, Exchange, Sharepoint, or Azure AD

Azureauditlogs
TA0006 · Credential AccessT1528 · Steal Application Access Token
Bailey Bercik+1Sun Jul 10cloud
Detectionhightest

App Granted Privileged Delegated Or App Permissions

Detects when administrator grants either application permissions (app roles) or highly privileged delegated permissions

Azureauditlogs
TA0003 · PersistenceTA0004 · Privilege EscalationT1098.003 · Additional Cloud Roles
Bailey Bercik+1Thu Jul 28cloud
Detectionhightest

Application URI Configuration Changes

Detects when a configuration change is made to an applications URI. URIs for domain names that no longer exist (dangling URIs), not using HTTPS, wildcards at the end of the domain, URIs that are no unique to that app, or URIs that point to domains you do not control should be investigated.

Azureauditlogs
TA0001 · Initial AccessTA0005 · Defense EvasionT1528 · Steal Application Access TokenT1078.004 · Cloud Accounts+3
Mark Morowczynski+1Thu Jun 02cloud
Detectionhightest

Windows LAPS Credential Dump From Entra ID

Detects when an account dumps the LAPS password from Entra ID.

Azureauditlogs
TA0004 · Privilege EscalationTA0003 · PersistenceT1098.005 · Device Registration
andrewdanisWed Jun 26cloud
Detectionhightest

PIM Approvals And Deny Elevation

Detects when a PIM elevation is approved or denied. Outside of normal operations should be investigated.

Azureauditlogs
TA0003 · PersistenceTA0001 · Initial AccessTA0005 · Defense EvasionTA0004 · Privilege Escalation+1
Mark Morowczynski+1Tue Aug 09cloud
Detectionhightest

PIM Alert Setting Changes To Disabled

Detects when PIM alerts are set to disabled.

Azureauditlogs
TA0001 · Initial AccessTA0005 · Defense EvasionTA0003 · PersistenceTA0004 · Privilege Escalation+1
Mark Morowczynski+1Tue Aug 09cloud
Detectionhightest

Changes To PIM Settings

Detects when changes are made to PIM roles

Azureauditlogs
TA0001 · Initial AccessTA0005 · Defense EvasionTA0004 · Privilege EscalationTA0003 · Persistence+1
Mark Morowczynski+1Tue Aug 09cloud
Detectionhightest

User Added To Privilege Role

Detects when a user is added to a privileged role.

Azureauditlogs
TA0003 · PersistenceTA0001 · Initial AccessTA0004 · Privilege EscalationTA0005 · Defense Evasion+1
Mark Morowczynski+1Sat Aug 06cloud
Detectionhightest

Bulk Deletion Changes To Privileged Account Permissions

Detects when a user is removed from a privileged role. Bulk changes should be investigated.

Azureauditlogs
TA0004 · Privilege EscalationTA0003 · PersistenceT1098 · Account Manipulation
Mark Morowczynski+1Fri Aug 05cloud
Detectionhightest

Azure Subscription Permission Elevation Via AuditLogs

Detects when a user has been elevated to manage all Azure Subscriptions. This change should be investigated immediately if it isn't planned. This setting could allow an attacker access to Azure subscriptions in your environment.

Azureauditlogs
TA0004 · Privilege EscalationTA0003 · PersistenceTA0005 · Defense EvasionTA0001 · Initial Access+1
Austin SongerFri Nov 26cloud
Detectionhightest

Temporary Access Pass Added To An Account

Detects when a temporary access pass (TAP) is added to an account. TAPs added to priv accounts should be investigated

Azureauditlogs
TA0004 · Privilege EscalationTA0001 · Initial AccessTA0005 · Defense EvasionTA0003 · Persistence+1
Mark Morowczynski+1Wed Aug 10cloud
Detectionhightest

User Risk and MFA Registration Policy Updated

Detects changes and updates to the user risk and MFA registration policy. Attackers can modified the policies to Bypass MFA, weaken security thresholds, facilitate further attacks, maintain persistence.

Azureauditlogs
TA0003 · Persistence
Harjot SinghTue Aug 13cloud
Detectionhightest

Anomalous Token

Indicates that there are abnormal characteristics in the token such as an unusual token lifetime or a token that is played from an unfamiliar location.

Azureriskdetection
T1528 · Steal Application Access TokenTA0006 · Credential Access
Mark MorowczynskiMon Aug 07cloud
Detectionhightest

Anomalous User Activity

Indicates that there are anomalous patterns of behavior like suspicious changes to the directory.

Azureriskdetection
TA0004 · Privilege EscalationT1098 · Account ManipulationTA0003 · Persistence
Mark Morowczynski+1Sun Sep 03cloud
12336