Sigma Rules
3,116 rules found
Okta API Token Revoked
Detects when an API Token is revoked.
Okta Application Modified or Deleted
Detects when an application is modified or deleted.
Okta Application Sign-On Policy Modified or Deleted
Detects when an application Sign-on Policy is modified or deleted.
Okta FastPass Phishing Detection
Detects when Okta FastPass blocks a known phishing site.
Okta Identity Provider Created
Detects when a new identity provider is created for Okta.
Okta MFA Reset or Deactivated
Detects an attempt to deactivate or reset MFA.
Okta Network Zone Deactivated or Deleted
Detects when a Network Zone is deactivated or deleted.
Okta New Admin Console Behaviours
Detects when Okta identifies new activity in the Admin Console.
Potential Okta Password in AlternateID Field
Detects when a user has potentially entered their password into the username field, which will cause the password to be retained in log files.
Okta Policy Modified or Deleted
Detects when an Okta policy is modified or deleted.
Okta Policy Rule Modified or Deleted
Detects when a Policy Rule is modified or deleted.
Okta Security Threat Detected
Detects when a security threat is detected in Okta.
Okta Suspicious Activity Reported by End-user
Detects when an Okta end-user reports activity by their account as being potentially suspicious.
Okta Unauthorized Access to App
Detects when unauthorized access to an app occurs.
Okta User Account Locked Out
Detects when a user account is locked out.
New Okta User Created
Detects new user account creation.
Okta User Session Start Via An Anonymising Proxy Service
Detects when an Okta user session starts where the user is behind an anonymising proxy service.
OneLogin User Assumed Another User
Detects when a user assumes another user's account.
OneLogin User Account Locked
Detects when a user account is locked or suspended.
Binary Padding - Linux
Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This rule detects the use of dd and truncate to append junk data to a file.
Bpfdoor TCP Ports Redirect
All TCP traffic on a particular port from the attacker's host is redirected to a different port, e.g. '/sbin/iptables -t nat -D PREROUTING -p tcp -s 192.168.1.1 --dport 22 -j REDIRECT --to-ports 42392'. The traffic looks like encrypted SSH communication going to TCP port 22, but in reality it is directed to the shell port once it hits the iptables rule, for the attacker's host only.
Linux Capabilities Discovery
Detects attempts to discover files with the setuid/setgid capability on them, which would allow an adversary to escalate their privileges.
File Time Attribute Change - Linux
Detects file time attribute changes used to hide new files or changes to existing files.
Remove Immutable File Attribute - Auditd
Detects removal of the immutable file attribute.
Clipboard Collection with Xclip Tool - Auditd
Detects attempts to collect data stored in users' clipboards using the xclip tool. Xclip has to be installed. It is highly recommended to use this rule on servers, due to the high usage of clipboard utilities on user workstations.
Clipboard Collection of Image Data with Xclip Tool
Detects attempts to collect image data stored in users' clipboards using the xclip tool. Xclip has to be installed. It is highly recommended to use this rule on servers, due to the high usage of clipboard utilities on user workstations.
Possible Coin Miner CPU Priority Param
Detects a command line parameter very often used with coin miners.
Data Compressed
An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
Data Exfiltration with Wget
Detects attempts to post a file using the wget utility. An adversary can bypass permission restrictions via a misconfigured sudo permission for the wget utility, which could allow them to read files like /etc/shadow.
Overwriting the File with Dev Zero or Null
Detects overwriting (effectively wiping/deleting) of a file.
File or Folder Permissions Change
Detects file and folder permission changes.
Credentials In Files - Linux
Detects attempts to extract passwords with grep.
Hidden Files and Directories
Detects an adversary creating a hidden file or directory, by matching directories or files whose name starts with a '.' character.
Steganography Hide Zip Information in Picture File
Detects appending of a zip file to an image.
Masquerading as Linux Crond Process
Masquerading occurs when the name or location of an executable, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. Several different variations of this technique have been observed.
Modify System Firewall
Detects the removal of system firewall rules. Adversaries may only delete or modify a specific system firewall rule to bypass controls limiting network usage or access. Detection rules that match only on the disabling of firewalls will miss this.
Network Sniffing - Linux
Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
Screen Capture with Import Tool
Detects an adversary creating a screen capture of a desktop with the ImageMagick import tool. It is highly recommended to use this rule on servers, due to the high usage of screenshot utilities on user workstations. ImageMagick must be installed.
Screen Capture with Xwd
Detects an adversary creating a full-screen capture with xwd. It is highly recommended to use this rule on servers, due to the high usage of screenshot utilities on user workstations.
Steganography Hide Files with Steghide
Detects embedding of files using the steghide binary; adversaries may use this technique to prevent the detection of hidden information.
Steganography Extract Files with Steghide
Detects extraction of files using the steghide binary; adversaries may use this technique to prevent the detection of hidden information.
Suspicious Commands Linux
Detects relevant commands often related to malware or hacking activity.
Suspicious History File Operations - Linux
Detects command-line operations on shell history files.
Service Reload or Start - Linux
Detects the start, reload or restart of a service.
System Shutdown/Reboot - Linux
Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems.
Steganography Unzip Hidden Information From Picture File
Detects extraction of a zip file from an image file.
System Owner or User Discovery - Linux
Detects the execution of host or user discovery utilities such as "whoami", "hostname", "id", etc. Adversaries may use the information from System Owner/User Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Audio Capture
Detects attempts to record audio using the arecord and ecasound utilities.