Sigma Rules
382 rules found for "credential-access"
Bitbucket User Login Failure
Detects user authentication failure events. Please note that this rule can be noisy and it is recommended to use with correlation based on "author.name" field.
Bitbucket User Login Failure Via SSH
Detects SSH user login access failures. Please note that this rule can be noisy and is recommended to use with correlation based on "author.name" field.
Github High Risk Configuration Disabled
Detects when a user disables a critical security feature for an organization.
Kubernetes Admission Controller Modification
Detects when a modification (create, update or replace) action is taken that affects mutating or validating webhook configurations, as they can be used by an adversary to achieve persistence or exfiltrate access credentials.
Kubernetes Secrets Enumeration
Detects enumeration of Kubernetes secrets.
Kubernetes Secrets Modified or Deleted
Detects when Kubernetes Secrets are Modified or Deleted.
OpenCanary - MSSQL Login Attempt Via SQLAuth
Detects instances where an MSSQL service on an OpenCanary node has had a login attempt using SQLAuth.
OpenCanary - MSSQL Login Attempt Via Windows Authentication
Detects instances where an MSSQL service on an OpenCanary node has had a login attempt using Windows Authentication.
OpenCanary - MySQL Login Attempt
Detects instances where a MySQL service on an OpenCanary node has had a login attempt.
OpenCanary - REDIS Action Command Attempt
Detects instances where a REDIS service on an OpenCanary node has had an action command attempted.
Antivirus Password Dumper Detection
Detects a highly relevant Antivirus alert that reports a password dumper. This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.
AWS ConsoleLogin Failed Authentication
Detects failed AWS console login attempts due to authentication failures. Monitoring these events is crucial for identifying potential brute-force attacks or unauthorized access attempts to AWS accounts.
PUA - AWS TruffleHog Execution
Detects the execution of TruffleHog, a popular open-source tool used for scanning repositories for secrets and sensitive information, within an AWS environment. It has been reported to be used by threat actors for credential harvesting. All detections should be investigated to determine if the usage is authorized by security teams or potentially malicious.
AWS Route 53 Domain Transfer Lock Disabled
Detects when a transfer lock was removed from a Route 53 domain. It is recommended to refrain from performing this action unless intending to transfer the domain to a different registrar.
AWS Route 53 Domain Transferred to Another Account
Detects when a request has been made to transfer a Route 53 domain to another AWS account.
AWS Identity Center Identity Provider Change
Detects a change in the AWS Identity Center (FKA AWS SSO) identity provider. A change in identity provider allows an attacker to establish persistent access or escalate privileges via user impersonation.
Azure Keyvault Key Modified or Deleted
Identifies when a Keyvault Key is modified or deleted in Azure.
Azure Key Vault Modified or Deleted
Identifies when a key vault is modified or deleted.
Azure Keyvault Secrets Modified or Deleted
Identifies when secrets are modified or deleted in Azure.
Azure Kubernetes Admission Controller
Identifies when an admission controller is executed in Azure Kubernetes. A Kubernetes Admission controller intercepts, and possibly modifies, requests to the Kubernetes API server. The behavior of this admission controller is determined by an admission webhook (MutatingAdmissionWebhook or ValidatingAdmissionWebhook) that the user deploys in the cluster. An adversary can use such webhooks as the MutatingAdmissionWebhook for obtaining persistence in the cluster. For example, attackers can intercept and modify the pod creation operations in the cluster and add their malicious container to every created pod. An adversary can use the webhook ValidatingAdmissionWebhook, which could be used to obtain access credentials. An adversary could use the webhook to intercept the requests to the API server, record secrets, and other sensitive information.
Azure Kubernetes Network Policy Change
Identifies when a Azure Kubernetes network policy is modified or deleted.
Azure Kubernetes RoleBinding/ClusterRoleBinding Modified and Deleted
Detects the creation or patching of potential malicious RoleBinding/ClusterRoleBinding.
Disabled MFA to Bypass Authentication Mechanisms
Detection for when multi factor authentication has been disabled, which might indicate a malicious activity to bypass authentication mechanisms.
Rare Subscription-level Operations In Azure
Identifies IPs from which users grant access to other users on azure resources and alerts when a previously unseen source IP address is used.
CA Policy Removed by Non Approved Actor
Monitor and alert on conditional access changes where non approved actor removed CA Policy.
CA Policy Updated by Non Approved Actor
Monitor and alert on conditional access changes. Is Initiated by (actor) approved to make changes? Review Modified Properties and compare "old" vs "new" value.
Certificate-Based Authentication Enabled
Detects when certificate based authentication has been enabled in an Azure Active Directory tenant.
New Root Certificate Authority Added
Detects newly added root certificate authority to an AzureAD tenant to support certificate based authentication.
Application AppID Uri Configuration Changes
Detects when a configuration change is made to an applications AppID URI.
Delegated Permissions Granted For All Users
Detects when highly privileged delegated permissions are granted on behalf of all users
End User Consent
Detects when an end user consents to an application
End User Consent Blocked
Detects when end user consent is blocked due to risk-based consent.
Added Owner To Application
Detects when a new owner is added to an application. This gives that account privileges to make modifications and configuration changes to the application.
App Granted Microsoft Permissions
Detects when an application is granted delegated or app role permissions for Microsoft Graph, Exchange, Sharepoint, or Azure AD
Application URI Configuration Changes
Detects when a configuration change is made to an applications URI. URIs for domain names that no longer exist (dangling URIs), not using HTTPS, wildcards at the end of the domain, URIs that are no unique to that app, or URIs that point to domains you do not control should be investigated.
Change to Authentication Method
Change to authentication method could be an indicator of an attacker adding an auth method to the account so they can have continued access.
User Added To Group With CA Policy Modification Access
Monitor and alert on group membership additions of groups that have CA policy modification access
User Removed From Group With CA Policy Modification Access
Monitor and alert on group membership removal of groups that have CA policy modification access
Multi Factor Authentication Disabled For User Account
Detects changes to the "StrongAuthenticationRequirement" value, where the state is set to "0" or "Disabled". Threat actors were seen disabling multi factor authentication for users in order to maintain or achieve access to the account. Also see in SIM Swap attacks.
Password Reset By User Account
Detect when a user has reset their password in Azure AD
Anomalous Token
Indicates that there are abnormal characteristics in the token such as an unusual token lifetime or a token that is played from an unfamiliar location.
Anonymous IP Address
Indicates sign-ins from an anonymous IP address, for example, using an anonymous browser or VPN.
Password Spray Activity
Indicates that a password spray attack has been successfully performed.
Primary Refresh Token Access Attempt
Indicates access attempt to the PRT resource which can be used to move laterally into an organization or perform credential theft
SAML Token Issuer Anomaly
Indicates the SAML token issuer for the associated SAML token is potentially compromised. The claims included in the token are unusual or match known attacker patterns
Account Lockout
Identifies user account which has been locked because the user tried to sign in too many times with an incorrect user ID or password.
Successful Authentications From Countries You Do Not Operate Out Of
Detect successful authentications from countries you do not operate out of.
Failed Authentications From Countries You Do Not Operate Out Of
Detect failed authentications from countries you do not operate out of.