Detects modifications to an RDS cluster or its deletion, which may indicate potential data exfiltration attempts, unauthorized access, or exposure of sensitive information.

AWScloudtrail

TA0010 · ExfiltrationT1020 · Automated Exfiltration

Ivan SaakovFri Dec 06cloud

Detectionhightest

Restore Public AWS RDS Instance

Detects the recovery of a new public database instance from a snapshot. It may be a part of data exfiltration.

AWScloudtrail

TA0010 · ExfiltrationT1020 · Automated Exfiltration

falokerWed Feb 12cloud

Detectionmediumtest

AWS Root Credentials

Detects AWS root account usage

AWScloudtrail

TA0004 · Privilege EscalationTA0005 · Defense EvasionTA0001 · Initial AccessTA0003 · Persistence+1

vitaliy0x1Tue Jan 21cloud

Detectionlowtest

AWS Route 53 Domain Transfer Lock Disabled

Detects when a transfer lock was removed from a Route 53 domain. It is recommended to refrain from performing this action unless intending to transfer the domain to a different registrar.

AWScloudtrail

TA0003 · PersistenceTA0004 · Privilege EscalationTA0006 · Credential AccessT1098 · Account Manipulation

Elastic Security+1Thu Jul 22cloud

Detectionlowtest

AWS Route 53 Domain Transferred to Another Account

Detects when a request has been made to transfer a Route 53 domain to another AWS account.

AWScloudtrail

TA0003 · PersistenceTA0006 · Credential AccessTA0004 · Privilege EscalationT1098 · Account Manipulation

Elastic Security+1Thu Jul 22cloud

Detectionlowtest

AWS S3 Data Management Tampering

Detects when a user tampers with S3 data management in Amazon Web Services.

AWScloudtrail

TA0010 · ExfiltrationT1537 · Transfer Data to Cloud Account

Austin SongerSat Jul 24cloud

Detectionhighstable

AWS SecurityHub Findings Evasion

Detects the modification of the findings on SecurityHub.

AWScloudtrail

TA0005 · Defense EvasionT1562 · Impair Defenses

Sittikorn SMon Jun 28cloud

Detectionmediumtest

AWS Snapshot Backup Exfiltration

Detects the modification of an EC2 snapshot's permissions to enable access from another account

AWScloudtrail

TA0010 · ExfiltrationT1537 · Transfer Data to Cloud Account

Darin SmithMon May 17cloud

Detectionhightest

AWS Identity Center Identity Provider Change

Detects a change in the AWS Identity Center (FKA AWS SSO) identity provider. A change in identity provider allows an attacker to establish persistent access or escalate privileges via user impersonation.

AWScloudtrail

TA0003 · PersistenceTA0006 · Credential AccessTA0005 · Defense EvasionT1556 · Modify Authentication Process

Michael McIntyreWed Sep 27cloud

Detectionlowtest

AWS STS AssumeRole Misuse

Identifies the suspicious use of AssumeRole. Attackers could move laterally and escalate privileges.

AWScloudtrail

TA0008 · Lateral MovementTA0004 · Privilege EscalationTA0005 · Defense EvasionT1548 · Abuse Elevation Control Mechanism+2

Austin SongerSat Jul 24cloud

Detectionmediumexperimental

AWS STS GetCallerIdentity Enumeration Via TruffleHog

Detects the use of TruffleHog for AWS credential validation by identifying GetCallerIdentity API calls where the userAgent indicates TruffleHog. Threat actors leverage TruffleHog to enumerate and validate exposed AWS keys. Successful exploitation allows threat actors to confirm the validity of compromised AWS credentials, facilitating further unauthorized access and actions within the AWS environment.

AWScloudtrail

TA0007 · DiscoveryT1087.004 · Cloud Account

Adan AlvarezSun Oct 12cloud

Detectionlowtest

AWS STS GetSessionToken Misuse

Identifies the suspicious use of GetSessionToken. Tokens could be created and used by attackers to move laterally and escalate privileges.

AWScloudtrail

TA0008 · Lateral MovementTA0004 · Privilege EscalationTA0005 · Defense EvasionT1548 · Abuse Elevation Control Mechanism+2

Austin SongerSat Jul 24cloud

Detectionmediumtest

AWS Suspicious SAML Activity

Identifies when suspicious SAML activity has occurred in AWS. An adversary could gain backdoor access via SAML.

AWScloudtrail

TA0005 · Defense EvasionTA0001 · Initial AccessTA0008 · Lateral MovementTA0003 · Persistence+5

Austin SongerWed Sep 22cloud

Detectionhightest

AWS User Login Profile Was Modified

Detects activity when someone is changing passwords on behalf of other users. An attacker with the "iam:UpdateLoginProfile" permission on other users can change the password used to login to the AWS console on any user that already has a login profile setup.

AWScloudtrail

TA0003 · PersistenceTA0004 · Privilege EscalationT1098 · Account Manipulation

toffeebr33kMon Aug 09cloud

Detectionmediumtest

Azure Active Directory Hybrid Health AD FS New Server

This detection uses azureactivity logs (Administrative category) to identify the creation or update of a server instance in an Azure AD Hybrid health AD FS service. A threat actor can create a new AD Health ADFS service and create a fake server instance to spoof AD FS signing logs. There is no need to compromise an on-prem AD FS server. This can be done programmatically via HTTP requests to Azure.

Azureactivitylogs

TA0005 · Defense EvasionT1578 · Modify Cloud Compute Infrastructure

Roberto Rodriguez (Cyb3rWard0g)+2Thu Aug 26cloud

Detectionmediumtest

Azure Active Directory Hybrid Health AD FS Service Delete

This detection uses azureactivity logs (Administrative category) to identify the deletion of an Azure AD Hybrid health AD FS service instance in a tenant. A threat actor can create a new AD Health ADFS service and create a fake server to spoof AD FS signing logs. The health AD FS service can then be deleted after it is not longer needed via HTTP requests to Azure.

Azureactivitylogs

TA0005 · Defense EvasionT1578.003 · Delete Cloud Instance

Roberto Rodriguez (Cyb3rWard0g)+2Thu Aug 26cloud

Detectionmediumtest

User Added to an Administrator's Azure AD Role

Azureactivitylogs

TA0001 · Initial AccessTA0005 · Defense EvasionTA0003 · PersistenceTA0004 · Privilege Escalation+2

Raphaël CALVETMon Oct 04cloud

Detectionmediumtest

Azure Application Deleted

Identifies when a application is deleted in Azure.

Azureactivitylogs

TA0005 · Defense EvasionTA0040 · ImpactT1489 · Service Stop

Austin SongerFri Sep 03cloud

Detectionmediumtest

Azure Application Gateway Modified or Deleted

Identifies when a application gateway is modified or deleted.

Azureactivitylogs

TA0040 · Impact

Austin SongerMon Aug 16cloud

Detectionmediumtest

Azure Application Security Group Modified or Deleted

Identifies when a application security group is modified or deleted.

Azureactivitylogs

TA0040 · Impact

Austin SongerMon Aug 16cloud

Detectionlowtest

Azure Container Registry Created or Deleted

Detects when a Container Registry is created or deleted.

Azureactivitylogs

TA0040 · ImpactT1485 · Data DestructionT1496 · Resource HijackingT1489 · Service Stop

Austin SongerSat Aug 07cloud

Detectionmediumtest

Number Of Resource Creation Or Deployment Activities

Number of VM creations or deployment activities occur in Azure via the azureactivity log.

Azureactivitylogs

TA0004 · Privilege EscalationTA0003 · PersistenceT1098 · Account Manipulation

sawwinnnaungThu May 07cloud

Detectionmediumtest

Azure Device No Longer Managed or Compliant

Identifies when a device in azure is no longer managed or compliant

Azureactivitylogs

TA0040 · Impact

Austin SongerFri Sep 03cloud

Detectionmediumtest

Azure Device or Configuration Modified or Deleted

Identifies when a device or device configuration in azure is modified or deleted.

Azureactivitylogs

TA0040 · ImpactT1485 · Data DestructionT1565.001 · Stored Data Manipulation

Austin SongerFri Sep 03cloud

Detectionmediumtest

Azure DNS Zone Modified or Deleted

Identifies when DNS zone is modified or deleted.

Azureactivitylogs

TA0040 · ImpactT1565.001 · Stored Data Manipulation

Austin SongerSun Aug 08cloud

Detectionmediumtest

Azure Firewall Modified or Deleted

Identifies when a firewall is created, modified, or deleted.

Azureactivitylogs

TA0040 · ImpactTA0005 · Defense EvasionT1562.004 · Disable or Modify System Firewall

Austin SongerSun Aug 08cloud

Detectionmediumtest

Azure Firewall Rule Collection Modified or Deleted

Identifies when Rule Collections (Application, NAT, and Network) is being modified or deleted.

Azureactivitylogs

TA0040 · ImpactTA0005 · Defense EvasionT1562.004 · Disable or Modify System Firewall

Austin SongerSun Aug 08cloud

Detectionmediumtest

Granting Of Permissions To An Account

Identifies IPs from which users grant access to other users on azure resources and alerts when a previously unseen source IP address is used.

Azureactivitylogs

TA0004 · Privilege EscalationTA0003 · PersistenceT1098.003 · Additional Cloud Roles

sawwinnnaungThu May 07cloud

Detectionmediumtest

Azure Keyvault Key Modified or Deleted

Identifies when a Keyvault Key is modified or deleted in Azure.

Azureactivitylogs

TA0040 · ImpactTA0006 · Credential AccessT1552 · Unsecured CredentialsT1552.001 · Credentials In Files

Austin SongerMon Aug 16cloud

Detectionmediumtest

Azure Key Vault Modified or Deleted

Identifies when a key vault is modified or deleted.

Azureactivitylogs

TA0040 · ImpactTA0006 · Credential AccessT1552 · Unsecured CredentialsT1552.001 · Credentials In Files

Austin SongerMon Aug 16cloud

Detectionmediumtest

Azure Keyvault Secrets Modified or Deleted

Identifies when secrets are modified or deleted in Azure.

Azureactivitylogs

TA0040 · ImpactTA0006 · Credential AccessT1552 · Unsecured CredentialsT1552.001 · Credentials In Files

Austin SongerMon Aug 16cloud

Detectionmediumtest

Azure Kubernetes Admission Controller

Identifies when an admission controller is executed in Azure Kubernetes. A Kubernetes Admission controller intercepts, and possibly modifies, requests to the Kubernetes API server. The behavior of this admission controller is determined by an admission webhook (MutatingAdmissionWebhook or ValidatingAdmissionWebhook) that the user deploys in the cluster. An adversary can use such webhooks as the MutatingAdmissionWebhook for obtaining persistence in the cluster. For example, attackers can intercept and modify the pod creation operations in the cluster and add their malicious container to every created pod. An adversary can use the webhook ValidatingAdmissionWebhook, which could be used to obtain access credentials. An adversary could use the webhook to intercept the requests to the API server, record secrets, and other sensitive information.

Azureactivitylogs

TA0004 · Privilege EscalationTA0001 · Initial AccessTA0005 · Defense EvasionTA0003 · Persistence+4

Austin SongerThu Nov 25cloud

Detectionlowtest

Azure Kubernetes Cluster Created or Deleted

Detects when a Azure Kubernetes Cluster is created or deleted.

Azureactivitylogs

TA0040 · ImpactT1485 · Data DestructionT1496 · Resource HijackingT1489 · Service Stop

Austin SongerSat Aug 07cloud

Detectionmediumtest

Azure Kubernetes CronJob

Identifies when a Azure Kubernetes CronJob runs in Azure Cloud. Kubernetes Job is a controller that creates one or more pods and ensures that a specified number of them successfully terminate. Kubernetes Job can be used to run containers that perform finite tasks for batch jobs. Kubernetes CronJob is used to schedule Jobs. An Adversary may use Kubernetes CronJob for scheduling execution of malicious code that would run as a container in the cluster.

Azureactivitylogs

TA0003 · PersistenceT1053.003 · CronTA0004 · Privilege EscalationTA0002 · Execution

Austin SongerMon Nov 22cloud

Detectionmediumtest