Phoenix
Sigma IntelligenceBeta
Rule Library

Sigma Rules

10 rules found for "Harjot Singh"

3,707Total
3,116Detection
451Emerging
137Hunting
Detectionhightest

User Risk and MFA Registration Policy Updated

Detects changes and updates to the user risk and MFA registration policy. Attackers can modified the policies to Bypass MFA, weaken security thresholds, facilitate further attacks, maintain persistence.

Azureauditlogs
TA0003 · Persistence
Harjot SinghTue Aug 13cloud
Detectionmediumtest

Multi Factor Authentication Disabled For User Account

Detects changes to the "StrongAuthenticationRequirement" value, where the state is set to "0" or "Disabled". Threat actors were seen disabling multi factor authentication for users in order to maintain or achieve access to the account. Also see in SIM Swap attacks.

Azureauditlogs
TA0006 · Credential AccessTA0003 · Persistence
Harjot SinghWed Aug 21cloud
Detectionhightest

Suspicious SignIns From A Non Registered Device

Detects risky authentication from a non AD registered device without MFA being required.

Azuresigninlogs
TA0004 · Privilege EscalationTA0003 · PersistenceTA0001 · Initial AccessTA0005 · Defense Evasion+1
Harjot SinghTue Jan 10cloud
Detectionhightest

Potential MFA Bypass Using Legacy Client Authentication

Detects successful authentication from potential clients using legacy authentication via user agent strings. This could be a sign of MFA bypass using a password spray attack.

Azuresigninlogs
TA0004 · Privilege EscalationTA0003 · PersistenceTA0005 · Defense EvasionTA0001 · Initial Access+3
Harjot SinghMon Mar 20cloud
Detectionhightest

Disabling Multi Factor Authentication

Detects disabling of Multi Factor Authentication.

Microsoft 365audit
TA0003 · PersistenceTA0005 · Defense EvasionTA0006 · Credential AccessT1556.006 · Multi-Factor Authentication
Splunk Threat Research Team (original rule)+1Mon Sep 18cloud
Detectionmediumtest

New Federated Domain Added

Detects the addition of a new Federated Domain.

Microsoft 365audit
TA0005 · Defense EvasionTA0004 · Privilege EscalationT1484.002 · Trust Modification
Splunk Threat Research Team (original rule)+1Mon Sep 18cloud
Detectionhightest

Java Payload Strings

Detects possible Java payloads in web access logs

Web Server Log
cve.2022-26134cve.2021-26084TA0001 · Initial AccessT1190 · Exploit Public-Facing Application
François Hubaut+2Sat Jun 04web
Detectionmediumtest

Uncommon Child Process Spawned By Odbcconf.EXE

Detects an uncommon child process of "odbcconf.exe" binary which normally shouldn't have any child processes.

WindowsProcess Creation
TA0005 · Defense EvasionT1218.008 · Odbcconf
Harjot SinghMon May 22windows
Detectionhightest

PowerShell Base64 Encoded Invoke Keyword

Detects UTF-8 and UTF-16 Base64 encoded powershell 'Invoke-' calls

WindowsProcess Creation
TA0002 · ExecutionT1059.001 · PowerShellTA0005 · Defense EvasionT1027 · Obfuscated Files or Information
Martin Mueller+1Fri May 20windows
Detectionhightest

Potential Rundll32 Execution With DLL Stored In ADS

Detects execution of rundll32 where the DLL being called is stored in an Alternate Data Stream (ADS).

WindowsProcess Creation
TA0005 · Defense EvasionT1564.004 · NTFS File Attributes
Harjot SinghSat Jan 21windows