Sigma Rules
115 rules found for "Austin Songer"
AWS EFS Fileshare Modified or Deleted
Detects when a EFS Fileshare is modified or deleted. You can't delete a file system that is in use. If the file system has any mount targets, the adversary must first delete them, so deletion of a mount will occur before deletion of a fileshare.
AWS EFS Fileshare Mount Modified or Deleted
Detects when a EFS Fileshare Mount is modified or deleted. An adversary breaking any file system using the mount target that is being deleted, which might disrupt instances or applications using those mounts.
AWS EKS Cluster Created or Deleted
Identifies when an EKS cluster is created or deleted.
AWS ElastiCache Security Group Created
Detects when an ElastiCache security group has been created.
AWS ElastiCache Security Group Modified or Deleted
Identifies when an ElastiCache security group has been modified or deleted.
AWS New Lambda Layer Attached
Detects when a user attached a Lambda layer to an existing Lambda function. A malicious Lambda layer could execute arbitrary code in the context of the function's IAM role. This would give an adversary access to resources that the function has access to.
AWS Glue Development Endpoint Activity
Detects possible suspicious glue development endpoint activity.
AWS Route 53 Domain Transfer Lock Disabled
Detects when a transfer lock was removed from a Route 53 domain. It is recommended to refrain from performing this action unless intending to transfer the domain to a different registrar.
AWS Route 53 Domain Transferred to Another Account
Detects when a request has been made to transfer a Route 53 domain to another AWS account.
AWS S3 Data Management Tampering
Detects when a user tampers with S3 data management in Amazon Web Services.
AWS STS AssumeRole Misuse
Identifies the suspicious use of AssumeRole. Attackers could move laterally and escalate privileges.
AWS STS GetSessionToken Misuse
Identifies the suspicious use of GetSessionToken. Tokens could be created and used by attackers to move laterally and escalate privileges.
AWS Suspicious SAML Activity
Identifies when suspicious SAML activity has occurred in AWS. An adversary could gain backdoor access via SAML.
Azure Application Deleted
Identifies when a application is deleted in Azure.
Azure Application Gateway Modified or Deleted
Identifies when a application gateway is modified or deleted.
Azure Application Security Group Modified or Deleted
Identifies when a application security group is modified or deleted.
Azure Container Registry Created or Deleted
Detects when a Container Registry is created or deleted.
Azure Device No Longer Managed or Compliant
Identifies when a device in azure is no longer managed or compliant
Azure Device or Configuration Modified or Deleted
Identifies when a device or device configuration in azure is modified or deleted.
Azure DNS Zone Modified or Deleted
Identifies when DNS zone is modified or deleted.
Azure Firewall Modified or Deleted
Identifies when a firewall is created, modified, or deleted.
Azure Firewall Rule Collection Modified or Deleted
Identifies when Rule Collections (Application, NAT, and Network) is being modified or deleted.
Azure Keyvault Key Modified or Deleted
Identifies when a Keyvault Key is modified or deleted in Azure.
Azure Key Vault Modified or Deleted
Identifies when a key vault is modified or deleted.
Azure Keyvault Secrets Modified or Deleted
Identifies when secrets are modified or deleted in Azure.
Azure Kubernetes Admission Controller
Identifies when an admission controller is executed in Azure Kubernetes. A Kubernetes Admission controller intercepts, and possibly modifies, requests to the Kubernetes API server. The behavior of this admission controller is determined by an admission webhook (MutatingAdmissionWebhook or ValidatingAdmissionWebhook) that the user deploys in the cluster. An adversary can use such webhooks as the MutatingAdmissionWebhook for obtaining persistence in the cluster. For example, attackers can intercept and modify the pod creation operations in the cluster and add their malicious container to every created pod. An adversary can use the webhook ValidatingAdmissionWebhook, which could be used to obtain access credentials. An adversary could use the webhook to intercept the requests to the API server, record secrets, and other sensitive information.
Azure Kubernetes Cluster Created or Deleted
Detects when a Azure Kubernetes Cluster is created or deleted.
Azure Kubernetes CronJob
Identifies when a Azure Kubernetes CronJob runs in Azure Cloud. Kubernetes Job is a controller that creates one or more pods and ensures that a specified number of them successfully terminate. Kubernetes Job can be used to run containers that perform finite tasks for batch jobs. Kubernetes CronJob is used to schedule Jobs. An Adversary may use Kubernetes CronJob for scheduling execution of malicious code that would run as a container in the cluster.
Azure Kubernetes Events Deleted
Detects when Events are deleted in Azure Kubernetes. An adversary may delete events in Azure Kubernetes in an attempt to evade detection.
Azure Kubernetes Network Policy Change
Identifies when a Azure Kubernetes network policy is modified or deleted.
Azure Kubernetes Pods Deleted
Identifies the deletion of Azure Kubernetes Pods.
Azure Kubernetes RoleBinding/ClusterRoleBinding Modified and Deleted
Detects the creation or patching of potential malicious RoleBinding/ClusterRoleBinding.
Azure Kubernetes Sensitive Role Access
Identifies when ClusterRoles/Roles are being modified or deleted.
Azure Kubernetes Secret or Config Object Access
Identifies when a Kubernetes account access a sensitive objects such as configmaps or secrets.
Azure Kubernetes Service Account Modified or Deleted
Identifies when a service account is modified or deleted.
Azure Network Firewall Policy Modified or Deleted
Identifies when a Firewall Policy is Modified or Deleted.
Azure Firewall Rule Configuration Modified or Deleted
Identifies when a Firewall Rule Configuration is Modified or Deleted.
Azure Point-to-site VPN Modified or Deleted
Identifies when a Point-to-site VPN is Modified or Deleted.
Azure Network Security Configuration Modified or Deleted
Identifies when a network security configuration is modified or deleted.
Azure Virtual Network Device Modified or Deleted
Identifies when a virtual network device is being modified or deleted. This can be a network interface, network virtual appliance, virtual hub, or virtual router.
Azure New CloudShell Created
Identifies when a new cloudshell is created inside of Azure portal.
Azure Owner Removed From Application or Service Principal
Identifies when a owner is was removed from a application or service principal in Azure.
Azure Service Principal Created
Identifies when a service principal is created in Azure.
Azure Service Principal Removed
Identifies when a service principal was removed in Azure.
Azure Subscription Permission Elevation Via ActivityLogs
Detects when a user has been elevated to manage all Azure Subscriptions. This change should be investigated immediately if it isn't planned. This setting could allow an attacker access to Azure subscriptions in your environment.
Azure Suppression Rule Created
Identifies when a suppression rule is created in Azure. Adversary's could attempt this to evade detection.
Azure Virtual Network Modified or Deleted
Identifies when a Virtual Network is modified or deleted in Azure.
Azure VPN Connection Modified or Deleted
Identifies when a VPN connection is modified or deleted.