Sigma Rules
12 rules found for "Harjot Singh"
User Risk and MFA Registration Policy Updated
Detects changes and updates to the user risk and MFA registration policy. Attackers can modified the policies to Bypass MFA, weaken security thresholds, facilitate further attacks, maintain persistence.
Multi Factor Authentication Disabled For User Account
Detects changes to the "StrongAuthenticationRequirement" value, where the state is set to "0" or "Disabled". Threat actors were seen disabling multi factor authentication for users in order to maintain or achieve access to the account. Also see in SIM Swap attacks.
Suspicious SignIns From A Non Registered Device
Detects risky authentication from a non AD registered device without MFA being required.
Potential MFA Bypass Using Legacy Client Authentication
Detects successful authentication from potential clients using legacy authentication via user agent strings. This could be a sign of MFA bypass using a password spray attack.
Disabling Multi Factor Authentication
Detects disabling of Multi Factor Authentication.
New Federated Domain Added
Detects the addition of a new Federated Domain.
Java Payload Strings
Detects possible Java payloads in web access logs
Uncommon Child Process Spawned By Odbcconf.EXE
Detects an uncommon child process of "odbcconf.exe" binary which normally shouldn't have any child processes.
PowerShell Base64 Encoded Invoke Keyword
Detects UTF-8 and UTF-16 Base64 encoded powershell 'Invoke-' calls
Potential Rundll32 Execution With DLL Stored In ADS
Detects execution of rundll32 where the DLL being called is stored in an Alternate Data Stream (ADS).
Mail Forwarding/Redirecting Activity In O365
Detects email forwarding or redirecting activity in O365 Audit logs.
Diskshadow Child Process Spawned
Detects any child process spawning from "Diskshadow.exe". This could be due to executing Diskshadow in interpreter mode or script mode and using the "exec" flag to launch other applications.