Sigma Rules
1,585 rules found for "defense-evasion"
User Added to an Administrator's Azure AD Role
Azure Application Deleted
Identifies when an application is deleted in Azure.
Azure Firewall Modified or Deleted
Identifies when a firewall is created, modified, or deleted.
Azure Firewall Rule Collection Modified or Deleted
Identifies when Rule Collections (Application, NAT, and Network) are modified or deleted.
Azure Kubernetes Admission Controller
Identifies when an admission controller is executed in Azure Kubernetes. A Kubernetes admission controller intercepts, and possibly modifies, requests to the Kubernetes API server. The behavior of this admission controller is determined by an admission webhook (MutatingAdmissionWebhook or ValidatingAdmissionWebhook) that the user deploys in the cluster. An adversary can use a webhook such as the MutatingAdmissionWebhook to obtain persistence in the cluster; for example, attackers can intercept and modify pod creation operations in the cluster and add their malicious container to every created pod. An adversary can also use a ValidatingAdmissionWebhook to obtain access credentials by intercepting requests to the API server and recording secrets and other sensitive information.
Azure Kubernetes Events Deleted
Detects when Events are deleted in Azure Kubernetes. An adversary may delete events in Azure Kubernetes in an attempt to evade detection.
Disabled MFA to Bypass Authentication Mechanisms
Detects when multi-factor authentication has been disabled, which might indicate malicious activity to bypass authentication mechanisms.
Azure Network Firewall Policy Modified or Deleted
Identifies when a Firewall Policy is modified or deleted.
Azure Owner Removed From Application or Service Principal
Identifies when an owner was removed from an application or service principal in Azure.
Azure Service Principal Created
Identifies when a service principal is created in Azure.
Azure Service Principal Removed
Identifies when a service principal was removed in Azure.
Azure Subscription Permission Elevation Via ActivityLogs
Detects when a user has been elevated to manage all Azure Subscriptions. This change should be investigated immediately if it isn't planned. This setting could allow an attacker access to Azure subscriptions in your environment.
CA Policy Removed by Non Approved Actor
Monitor and alert on conditional access changes where a non-approved actor removed a CA policy.
CA Policy Updated by Non Approved Actor
Monitor and alert on conditional access changes. Is the initiating actor (Initiated by) approved to make changes? Review the Modified Properties and compare the "old" vs "new" values.
New CA Policy by Non-approved Actor
Monitor and alert on conditional access changes.
Account Created And Deleted Within A Close Time Frame
Detects when an account was created and deleted in a short period of time.
Bitlocker Key Retrieval
Monitor and alert for Bitlocker key retrieval.
Certificate-Based Authentication Enabled
Detects when certificate-based authentication has been enabled in an Azure Active Directory tenant.
Changes to Device Registration Policy
Monitor and alert for changes to the device registration policy.
Guest Users Invited To Tenant By Non Approved Inviters
Detects guest users being invited to the tenant by non-approved inviters.
New Root Certificate Authority Added
Detects a root certificate authority newly added to an AzureAD tenant to support certificate-based authentication.
Users Added to Global or Device Admin Roles
Monitor and alert for users added to device admin roles.
Application AppID Uri Configuration Changes
Detects when a configuration change is made to an application's AppID URI.
Application URI Configuration Changes
Detects when a configuration change is made to an application's URI. URIs for domain names that no longer exist (dangling URIs), URIs not using HTTPS, wildcards at the end of the domain, URIs that are not unique to that app, or URIs that point to domains you do not control should be investigated.
Change to Authentication Method
A change to the authentication method could indicate an attacker adding an auth method to the account so they can retain access.
Azure Domain Federation Settings Modified
Identifies when a user or application modified the federation settings on the domain.
User Added To Group With CA Policy Modification Access
Monitor and alert on membership additions to groups that have CA policy modification access.
User Removed From Group With CA Policy Modification Access
Monitor and alert on membership removals from groups that have CA policy modification access.
Guest User Invited By Non Approved Inviters
Detects when a user that doesn't have permissions to invite a guest user attempts to invite one.
User State Changed From Guest To Member
Detects the change of user type from "Guest" to "Member" for potential elevation of privilege.
PIM Approvals And Deny Elevation
Detects when a PIM elevation is approved or denied. Approvals or denials outside of normal operations should be investigated.
PIM Alert Setting Changes To Disabled
Detects when PIM alerts are set to disabled.
Changes To PIM Settings
Detects when changes are made to PIM roles.
User Added To Privilege Role
Detects when a user is added to a privileged role.
Privileged Account Creation
Detects when a new admin is created.
Azure Subscription Permission Elevation Via AuditLogs
Detects when a user has been elevated to manage all Azure Subscriptions. This change should be investigated immediately if it isn't planned. This setting could allow an attacker access to Azure subscriptions in your environment.
Temporary Access Pass Added To An Account
Detects when a temporary access pass (TAP) is added to an account. TAPs added to privileged accounts should be investigated.
Password Reset By User Account
Detects when a user has reset their password in Azure AD.
Activity From Anonymous IP Address
Identifies that users were active from an IP address that has been identified as an anonymous proxy IP address.
Atypical Travel
Identifies two sign-ins originating from geographically distant locations, where at least one of the locations may also be atypical for the user, given past behavior.
Impossible Travel
Identifies user activities originating from geographically distant locations within a time period shorter than the time it takes to travel from the first location to the second.
Suspicious Inbox Manipulation Rules
Detects when suspicious rules that delete or move messages or folders are set on a user's inbox.
New Country
Detects sign-ins from new countries. The detection considers past activity locations to determine new and infrequent locations.
Suspicious Browser Activity
Indicates anomalous behavior based on suspicious sign-in activity across multiple tenants from different countries in the same browser.
Azure AD Threat Intelligence
Indicates user activity that is unusual for the user or consistent with known attack patterns.
Unfamiliar Sign-In Properties
Detects sign-in with properties that are unfamiliar to the user. The detection considers past sign-in history to look for anomalous sign-ins.
Stale Accounts In A Privileged Role
Identifies when an account in a privileged role hasn't signed in during the past n days.
Invalid PIM License
Identifies when an organization doesn't have the proper license for PIM and is out of compliance.