Sigma Rules
1,585 rules found for "defense-evasion"
Bitbucket Global Secret Scanning Rule Deleted
Detects Bitbucket global secret scanning rule deletion activity.
Bitbucket Global SSH Settings Changed
Detects Bitbucket global SSH access configuration changes.
Bitbucket Audit Log Configuration Updated
Detects changes to the bitbucket audit log configuration.
Bitbucket Project Secret Scanning Allowlist Added
Detects when a secret scanning allowlist rule is added for projects.
Bitbucket Secret Scanning Exempt Repository Added
Detects when a repository is exempted from secret scanning feature.
Bitbucket Secret Scanning Rule Deleted
Detects when secret scanning rule is deleted for the project or repository.
Bitbucket User Login Failure
Detects user authentication failure events. Please note that this rule can be noisy and it is recommended to use with correlation based on "author.name" field.
Github High Risk Configuration Disabled
Detects when a user disables a critical security feature for an organization.
Github New Secret Created
Detects when a user creates action secret for the organization, environment, codespaces or repository.
Github Push Protection Bypass Detected
Detects when a user bypasses the push protection on a secret detected by secret scanning.
Github Push Protection Disabled
Detects if the push protection feature is disabled for an organization, enterprise, repositories or custom pattern rules.
GitHub Repository Archive Status Changed
Detects when a GitHub repository is archived or unarchived, which may indicate unauthorized changes to repository status.
Github Secret Scanning Feature Disabled
Detects if the secret scanning feature is disabled for an enterprise or repository.
Github Self Hosted Runner Changes Detected
A self-hosted runner is a system that you deploy and manage to execute jobs from GitHub Actions on GitHub.com. This rule detects changes to self-hosted runners configurations in the environment. The self-hosted runner configuration changes once detected, it should be validated from GitHub UI because the log entry may not provide full context.
Github SSH Certificate Configuration Changed
Detects when changes are made to the SSH certificate configuration of the organization.
Kubernetes Admission Controller Modification
Detects when a modification (create, update or replace) action is taken that affects mutating or validating webhook configurations, as they can be used by an adversary to achieve persistence or exfiltrate access credentials.
Kubernetes Events Deleted
Detects when events are deleted in Kubernetes. An adversary may delete Kubernetes events in an attempt to evade detection.
Creation Of Pod In System Namespace
Detects deployments of pods within the kube-system namespace, which could be intended to imitate system pods. System pods, created by controllers such as Deployments or DaemonSets have random suffixes in their names. Attackers can use this fact and name their backdoor pods as if they were created by these controllers to avoid detection. Deployment of such a backdoor container e.g. named kube-proxy-bv61v, could be attempted in the kube-system namespace alongside the other administrative containers.
OpenCanary - HTTPPROXY Login Attempt
Detects instances where an HTTPPROXY service on an OpenCanary node has had an attempt to proxy another page.
OpenCanary - SSH Login Attempt
Detects instances where an SSH service on an OpenCanary node has had a login attempt.
OpenCanary - SSH New Connection Attempt
Detects instances where an SSH service on an OpenCanary node has had a connection attempt.
OpenCanary - Telnet Login Attempt
Detects instances where a Telnet service on an OpenCanary node has had a login attempt.
Remote Registry Lateral Movement
Detects remote RPC calls to modify the registry and possible execute code
AWS Bucket Deleted
Detects the deletion of S3 buckets in AWS CloudTrail logs. Monitoring the deletion of S3 buckets is critical for security and data integrity, as it may indicate potential data loss or unauthorized access attempts.
AWS Successful Console Login Without MFA
Detects successful AWS console logins that were performed without Multi-Factor Authentication (MFA). This alert can be used to identify potential unauthorized access attempts, as logging in without MFA can indicate compromised credentials or misconfigured security settings.
AWS CloudTrail Important Change
Detects disabling, deleting and updating of a Trail
AWS GuardDuty Detector Deleted Or Updated
Detects successful deletion or disabling of an AWS GuardDuty detector, possibly by an attacker trying to avoid detection of its malicious activities. Upon deletion, GuardDuty stops monitoring the environment and all existing findings are lost. Verify with the user identity that this activity is legitimate.
Malicious Usage Of IMDS Credentials Outside Of AWS Infrastructure
Detects when an instance identity has taken an action that isn't inside SSM. This can indicate that a compromised EC2 instance is being used as a pivot point.
New Network ACL Entry Added
Detects that network ACL entries have been added to a route table which could indicate that new attack vectors have been opened up in the AWS account.
New Network Route Added
Detects the addition of a new network route to a route table in AWS.
AWS VPC Flow Logs Deleted
Detects the deletion of one or more VPC Flow Logs in AWS Elastic Compute Cloud (EC2) through the DeleteFlowLogs API call. Adversaries may delete flow logs to evade detection or remove evidence of network activity, hindering forensic investigations and visibility into malicious operations.
AWS Config Disabling Channel/Recorder
Detects AWS Config Service disabling
AWS Console GetSigninToken Potential Abuse
Detects potentially suspicious events involving "GetSigninToken". An adversary using the "aws_consoler" tool can leverage this console API to create temporary federated credential that help obfuscate which AWS credential is compromised (the original access key) and enables the adversary to pivot from the AWS CLI to console sessions without the need for MFA using the new access key issued in this request.
SES Identity Has Been Deleted
Detects an instance of an SES identity being deleted via the "DeleteIdentity" event. This may be an indicator of an adversary removing the account that carried out suspicious or malicious activities
AWS SAML Provider Deletion Activity
Detects the deletion of an AWS SAML provider, potentially indicating malicious intent to disrupt administrative or security team access. An attacker can remove the SAML provider for the information security team or a team of system administrators, to make it difficult for them to work and investigate at the time of the attack and after it.
AWS Key Pair Import Activity
Detects the import of SSH key pairs into AWS EC2, which may indicate an attacker attempting to gain unauthorized access to instances. This activity could lead to initial access, persistence, or privilege escalation, potentially compromising sensitive data and operations.
AWS GuardDuty Important Change
Detects updates of the GuardDuty list of trusted IPs, perhaps to disable security alerts against malicious IPs.
AWS IAM S3Browser LoginProfile Creation
Detects S3 Browser utility performing reconnaissance looking for existing IAM Users without a LoginProfile defined then (when found) creating a LoginProfile.
AWS IAM S3Browser Templated S3 Bucket Policy Creation
Detects S3 browser utility creating Inline IAM policy containing default S3 bucket name placeholder value of "<YOUR-BUCKET-NAME>".
AWS IAM S3Browser User or AccessKey Creation
Detects S3 Browser utility creating IAM User or AccessKey.
AWS Root Credentials
Detects AWS root account usage
AWS SecurityHub Findings Evasion
Detects the modification of the findings on SecurityHub.
AWS Identity Center Identity Provider Change
Detects a change in the AWS Identity Center (FKA AWS SSO) identity provider. A change in identity provider allows an attacker to establish persistent access or escalate privileges via user impersonation.
AWS STS AssumeRole Misuse
Identifies the suspicious use of AssumeRole. Attackers could move laterally and escalate privileges.
AWS STS GetSessionToken Misuse
Identifies the suspicious use of GetSessionToken. Tokens could be created and used by attackers to move laterally and escalate privileges.
AWS Suspicious SAML Activity
Identifies when suspicious SAML activity has occurred in AWS. An adversary could gain backdoor access via SAML.
Azure Active Directory Hybrid Health AD FS New Server
This detection uses azureactivity logs (Administrative category) to identify the creation or update of a server instance in an Azure AD Hybrid health AD FS service. A threat actor can create a new AD Health ADFS service and create a fake server instance to spoof AD FS signing logs. There is no need to compromise an on-prem AD FS server. This can be done programmatically via HTTP requests to Azure.
Azure Active Directory Hybrid Health AD FS Service Delete
This detection uses azureactivity logs (Administrative category) to identify the deletion of an Azure AD Hybrid health AD FS service instance in a tenant. A threat actor can create a new AD Health ADFS service and create a fake server to spoof AD FS signing logs. The health AD FS service can then be deleted after it is not longer needed via HTTP requests to Azure.