Sigma Rules
1,585 rules found for "defense-evasion"
Roles Assigned Outside PIM
Identifies when a privilege role assignment has taken place outside of PIM and may indicate an attack.
Roles Activated Too Frequently
Identifies when the same privilege role has multiple activations by the same user.
Roles Are Not Being Used
Identifies when a user has been assigned a privilege role and are not using that role.
Roles Activation Doesn't Require MFA
Identifies when a privilege role can be activated without performing mfa.
Too Many Global Admins
Identifies an event where there are there are too many accounts assigned the Global Administrator role.
Successful Authentications From Countries You Do Not Operate Out Of
Detect successful authentications from countries you do not operate out of.
Increased Failed Authentications Of Any Type
Detects when sign-ins increased by 10% or greater.
Measurable Increase Of Successful Authentications
Detects when successful sign-ins increased by 10% or greater.
Authentications To Important Apps Using Single Factor Authentication
Detect when authentications to important application(s) only required single-factor authentication
Device Registration or Join Without MFA
Monitor and alert for device registration or join events where MFA was not performed.
Failed Authentications From Countries You Do Not Operate Out Of
Detect failed authentications from countries you do not operate out of.
Azure AD Only Single Factor Authentication Required
Detect when users are authenticating without MFA being required.
Suspicious SignIns From A Non Registered Device
Detects risky authentication from a non AD registered device without MFA being required.
Sign-ins from Non-Compliant Devices
Monitor and alert for sign-ins where the device was non-compliant.
Sign-ins by Unknown Devices
Monitor and alert for Sign-ins by unknown devices from non-Trusted locations.
Potential MFA Bypass Using Legacy Client Authentication
Detects successful authentication from potential clients using legacy authentication via user agent strings. This could be a sign of MFA bypass using a password spray attack.
Application Using Device Code Authentication Flow
Device code flow is an OAuth 2.0 protocol flow specifically for input constrained devices and is not used in all environments. If this type of flow is seen in the environment and not being used in an input constrained device scenario, further investigation is warranted. This can be a misconfigured application or potentially something malicious.
Applications That Are Using ROPC Authentication Flow
Resource owner password credentials (ROPC) should be avoided if at all possible as this requires the user to expose their current password credentials to the application directly. The application then uses those credentials to authenticate the user against the identity provider.
Account Disabled or Blocked for Sign in Attempts
Detects when an account is disabled or blocked for sign in but tried to log in
Sign-in Failure Due to Conditional Access Requirements Not Met
Define a baseline threshold for failed sign-ins due to Conditional Access failures
Use of Legacy Authentication Protocols
Alert on when legacy authentication has been used on an account
Login to Disabled Account
Detect failed attempts to sign in to disabled accounts.
Multifactor Authentication Denied
User has indicated they haven't instigated the MFA prompt and could indicate an attacker has the password for the account.
Multifactor Authentication Interrupted
Identifies user login with multifactor authentication failures, which might be an indication an attacker has the password for the account but can't pass the MFA challenge.
Azure Unusual Authentication Interruption
Detects when there is a interruption in the authentication process.
Users Authenticating To Other Azure AD Tenants
Detect when users in your Azure AD tenant are authenticating to other Azure AD Tenants.
User Access Blocked by Azure Conditional Access
Detect access has been blocked by Conditional Access policies. The access policy does not allow token issuance which might be sights≈ of unauthorizeed login to valid accounts.
GCP Break-glass Container Workload Deployed
Detects the deployment of workloads that are deployed by using the break-glass flag to override Binary Authorization controls.
Google Cloud Firewall Modified or Deleted
Detects when a firewall rule is modified or deleted in Google Cloud Platform (GCP).
Google Cloud Kubernetes Admission Controller
Identifies when an admission controller is executed in GCP Kubernetes. A Kubernetes Admission controller intercepts, and possibly modifies, requests to the Kubernetes API server. The behavior of this admission controller is determined by an admission webhook (MutatingAdmissionWebhook or ValidatingAdmissionWebhook) that the user deploys in the cluster. An adversary can use such webhooks as the MutatingAdmissionWebhook for obtaining persistence in the cluster. For example, attackers can intercept and modify the pod creation operations in the cluster and add their malicious container to every created pod. An adversary can use the webhook ValidatingAdmissionWebhook, which could be used to obtain access credentials. An adversary could use the webhook to intercept the requests to the API server, record secrets, and other sensitive information.
Azure Login Bypassing Conditional Access Policies
Detects a successful login to the Microsoft Intune Company Portal which could allow bypassing Conditional Access Policies and InTune device trust using a tool like TokenSmith.
Disabling Multi Factor Authentication
Detects disabling of Multi Factor Authentication.
New Federated Domain Added
Detects the addition of a new Federated Domain.
Microsoft 365 - Impossible Travel Activity
Detects when a Microsoft Cloud App Security reported a risky sign-in attempt due to a login associated with an impossible travel.
Logon from a Risky IP Address
Detects when a Microsoft Cloud App Security reported when a user signs into your sanctioned apps from a risky IP address.
Cisco Duo Successful MFA Authentication Via Bypass Code
Detects when a successful MFA authentication occurs due to the use of a bypass code. A bypass code is a temporary passcode created by an administrator for a specific user to access a Duo-protected application. These are generally used as "backup codes," so that enrolled users who are having problems with their mobile devices (e.g., mobile service is disrupted, the device is lost or stolen, etc.) or who temporarily can't use their enrolled devices (on a plane without mobile data services) can still access their Duo-protected systems.
Okta MFA Reset or Deactivated
Detects when an attempt at deactivating or resetting MFA.
Okta New Admin Console Behaviours
Detects when Okta identifies new activity in the Admin Console.
Okta User Session Start Via An Anonymising Proxy Service
Detects when an Okta user session starts where the user is behind an anonymising proxy service.
Binary Padding - Linux
Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This rule detect using dd and truncate to add a junk data to file.
Bpfdoor TCP Ports Redirect
All TCP traffic on particular port from attacker is routed to different port. ex. '/sbin/iptables -t nat -D PREROUTING -p tcp -s 192.168.1.1 --dport 22 -j REDIRECT --to-ports 42392' The traffic looks like encrypted SSH communications going to TCP port 22, but in reality is being directed to the shell port once it hits the iptables rule for the attacker host only.
Linux Capabilities Discovery
Detects attempts to discover the files with setuid/setgid capability on them. That would allow adversary to escalate their privileges.
File Time Attribute Change - Linux
Detect file time attribute change to hide new or changes to existing files.
Remove Immutable File Attribute - Auditd
Detects removing immutable file attribute.
File or Folder Permissions Change
Detects file and folder permission changes.
Hidden Files and Directories
Detects adversary creating hidden file or directory, by detecting directories or files with . as the first character
Steganography Hide Zip Information in Picture File
Detects appending of zip file to image
Masquerading as Linux Crond Process
Masquerading occurs when the name or location of an executable, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. Several different variations of this technique have been observed.