Sigma Rules
171 rules found for "impact"
Google Cloud VPN Tunnel Modified or Deleted
Identifies when a VPN Tunnel Modified or Deleted in Google Cloud.
Google Workspace Application Removed
Detects when an an application is removed from Google Workspace.
Google Workspace MFA Disabled
Detects when multi-factor authentication (MFA) is disabled.
Google Workspace Role Modified or Deleted
Detects when an a role is modified or deleted in Google Workspace.
Google Workspace Role Privilege Deleted
Detects when an a role privilege is deleted in Google Workspace.
Activity Performed by Terminated User
Detects when a Microsoft Cloud App Security reported for users whose account were terminated in Azure AD, but still perform activities in other platforms such as AWS or Salesforce. This is especially relevant for users who use another account to manage resources, since these accounts are often not terminated when a user leaves the company.
Microsoft 365 - Potential Ransomware Activity
Detects when a Microsoft Cloud App Security reported when a user uploads files to the cloud that might be infected with ransomware.
Microsoft 365 - Unusual Volume of File Deletion
Detects when a Microsoft Cloud App Security reported a user has deleted a unusual a large volume of files.
Okta API Token Revoked
Detects when a API Token is revoked.
Okta Application Modified or Deleted
Detects when an application is modified or deleted.
Okta Application Sign-On Policy Modified or Deleted
Detects when an application Sign-on Policy is modified or deleted.
Okta Network Zone Deactivated or Deleted
Detects when an Network Zone is Deactivated or Deleted.
Okta Policy Modified or Deleted
Detects when an Okta policy is modified or deleted.
Okta Policy Rule Modified or Deleted
Detects when an Policy Rule is Modified or Deleted.
Okta Unauthorized Access to App
Detects when unauthorized access to app occurs.
Okta User Account Locked Out
Detects when an user account is locked out.
OneLogin User Assumed Another User
Detects when an user assumed another user account.
OneLogin User Account Locked
Detects when an user account is locked or suspended.
Overwriting the File with Dev Zero or Null
Detects overwriting (effectively wiping/deleting) of a file.
System Shutdown/Reboot - Linux
Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems.
Potential Abuse of Linux Magic System Request Key
Detects the potential abuse of the Linux Magic SysRq (System Request) key by adversaries with root or sufficient privileges to silently manipulate or destabilize a system. By writing to /proc/sysrq-trigger, they can crash the system, kill processes, or disrupt forensic analysis—all while bypassing standard logging. Though intended for recovery and debugging, SysRq can be misused as a stealthy post-exploitation tool. It is controlled via /proc/sys/kernel/sysrq or permanently through /etc/sysctl.conf.
Commands to Clear or Remove the Syslog - Builtin
Detects specific commands commonly used to remove or empty the syslog
Suspicious Log Entries
Detects suspicious log entries in Linux log files
Linux Crypto Mining Pool Connections
Detects process connections to a Monero crypto mining pool
Linux Crypto Mining Indicators
Detects command line parameters or strings often used by crypto miners
DD File Overwrite
Detects potential overwriting and deletion of a file using DD.
ESXi Storage Information Discovery Via ESXCLI
Detects execution of the "esxcli" command with the "storage" flag in order to retrieve information about the storage status and other related information. Seen used by malware such as DarkSide and LockBit.
ESXi VM Kill Via ESXCLI
Detects execution of the "esxcli" command with the "vm" and "kill" flag in order to kill/shutdown a specific VM.
ESXi VSAN Information Discovery Via ESXCLI
Detects execution of the "esxcli" command with the "vsan" flag in order to retrieve information about virtual storage. Seen used by malware such as DarkSide.
Group Has Been Deleted Via Groupdel
Detects execution of the "groupdel" binary. Which is used to delete a group. This is sometimes abused by threat actors in order to cover their tracks
History File Deletion
Detects events in which a history file gets deleted, e.g. the ~/bash_history to remove traces of malicious activity
Potential Suspicious Change To Sensitive/Critical Files
Detects changes of sensitive and critical files. Monitors files that you don't expect to change without planning on Linux system.
Mask System Power Settings Via Systemctl
Detects the use of systemctl mask to disable system power management targets such as suspend, hibernate, or hybrid sleep. Adversaries may mask these targets to prevent a system from entering sleep or shutdown states, ensuring their malicious processes remain active and uninterrupted. This behavior can be associated with persistence or defense evasion, as it impairs normal system power operations to maintain long-term access or avoid termination of malicious activity.
User Has Been Deleted Via Userdel
Detects execution of the "userdel" binary. Which is used to delete a user account and related files. This is sometimes abused by threat actors in order to cover their tracks
Suspicious MacOS Firmware Activity
Detects when a user manipulates with Firmward Password on MacOS. NOTE - this command has been disabled on silicon-based apple computers.
System Shutdown/Reboot - MacOs
Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems.
Time Machine Backup Deletion Attempt Via Tmutil - MacOS
Detects deletion attempts of MacOS Time Machine backups via the native backup utility "tmutil". An adversary may perform this action before launching a ransonware attack to prevent the victim from restoring their files.
Time Machine Backup Disabled Via Tmutil - MacOS
Detects disabling of Time Machine (Apple's automated backup utility software) via the native macOS backup utility "tmutil". An attacker can use this to prevent backups from occurring.
New File Exclusion Added To Time Machine Via Tmutil - MacOS
Detects the addition of a new file or path exclusion to MacOS Time Machine via the "tmutil" utility. An adversary could exclude a path from Time Machine backups to prevent certain files from being backed up.
Cisco Denial of Service
Detect a system being shutdown or put into different boot mode
Cisco File Deletion
See what files are being deleted from flash file systems
Cisco Modify Configuration
Modifications to a config that will serve an adversary's impacts or persistence
Monero Crypto Coin Mining Pool Lookup
Detects suspicious DNS queries to Monero mining pools
DNS Events Related To Mining Pools
Identifies clients that may be performing DNS lookups associated with common currency mining pools.
Apache Segmentation Fault
Detects a segmentation fault error message caused by a crashing apache worker process
Nginx Core Dump
Detects a core dump of a crashing Nginx worker process, which could be a signal of a serious problem or exploitation attempts.
Audit CVE Event
Detects events generated by user-mode applications when they call the CveEventWrite API when a known vulnerability is trying to be exploited. MS started using this log in Jan. 2020 with CVE-2020-0601 (a Windows CryptoAPI vulnerability. Unfortunately, that is about the only instance of CVEs being written to this log.
Application Uninstalled
An application has been removed. Check if it is critical.