Sigma Rules
801 rules found for "privilege-escalation"
Bitbucket Global Permission Changed
Detects global permissions change activity.
Bitbucket User Login Failure
Detects user authentication failure events. Please note that this rule can be noisy and it is recommended to use with correlation based on "author.name" field.
Github New Secret Created
Detects when a user creates action secret for the organization, environment, codespaces or repository.
Github Outside Collaborator Detected
Detects when an organization member or an outside collaborator is added to or removed from a project board or has their permission level changed or when an owner removes an outside collaborator from an organization or when two-factor authentication is required in an organization and an outside collaborator does not use 2FA or disables 2FA.
Github Self Hosted Runner Changes Detected
A self-hosted runner is a system that you deploy and manage to execute jobs from GitHub Actions on GitHub.com. This rule detects changes to self-hosted runners configurations in the environment. The self-hosted runner configuration changes once detected, it should be validated from GitHub UI because the log entry may not provide full context.
Github SSH Certificate Configuration Changed
Detects when changes are made to the SSH certificate configuration of the organization.
Kubernetes Admission Controller Modification
Detects when a modification (create, update or replace) action is taken that affects mutating or validating webhook configurations, as they can be used by an adversary to achieve persistence or exfiltrate access credentials.
Kubernetes CronJob/Job Modification
Detects when a Kubernetes CronJob or Job is created or modified. A Kubernetes Job creates one or more pods to accomplish a specific task, and a CronJob creates Jobs on a recurring schedule. An adversary can take advantage of this Kubernetes object to schedule Jobs to run containers that execute malicious code within a cluster, allowing them to achieve persistence.
Container With A hostPath Mount Created
Detects creation of a container with a hostPath mount. A hostPath volume mounts a directory or a file from the node to the container. Attackers who have permissions to create a new pod in the cluster may create one with a writable hostPath volume and chroot to escape to the underlying node.
Privileged Container Deployed
Detects the creation of a "privileged" container, an action which could be indicative of a threat actor mounting a container breakout attacks. A privileged container is a container that can access the host with all of the root capabilities of the host machine. This allows it to view, interact and modify processes, network operations, IPC calls, the file system, mount points, SELinux configurations etc. as the root user on the host. Various versions of "privileged" containers can be specified, e.g. by setting the securityContext.privileged flag in the resource specification, setting non-standard Linux capabilities, or configuring the hostNetwork/hostPID fields
Kubernetes Rolebinding Modification
Detects when a Kubernetes Rolebinding is created or modified.
Kubernetes Unauthorized or Unauthenticated Access
Detects when a request to the Kubernetes API is rejected due to lack of authorization or due to an expired authentication token being used. This may indicate an attacker attempting to leverage credentials they have obtained.
OpenCanary - SSH Login Attempt
Detects instances where an SSH service on an OpenCanary node has had a login attempt.
OpenCanary - SSH New Connection Attempt
Detects instances where an SSH service on an OpenCanary node has had a connection attempt.
OpenCanary - Telnet Login Attempt
Detects instances where a Telnet service on an OpenCanary node has had a login attempt.
Remote Schedule Task Lateral Movement via ATSvc
Detects remote RPC calls to create or execute a scheduled task via ATSvc
Remote Schedule Task Lateral Movement via ITaskSchedulerService
Detects remote RPC calls to create or execute a scheduled task
Remote Schedule Task Lateral Movement via SASec
Detects remote RPC calls to create or execute a scheduled task via SASec
Suspicious SQL Query
Detects suspicious SQL query keywrods that are often used during recon, exfiltration or destructive activities. Such as dropping tables and selecting wildcard fields
AWS Successful Console Login Without MFA
Detects successful AWS console logins that were performed without Multi-Factor Authentication (MFA). This alert can be used to identify potential unauthorized access attempts, as logging in without MFA can indicate compromised credentials or misconfigured security settings.
Malicious Usage Of IMDS Credentials Outside Of AWS Infrastructure
Detects when an instance identity has taken an action that isn't inside SSM. This can indicate that a compromised EC2 instance is being used as a pivot point.
Potential Malicious Usage of CloudTrail System Manager
Detect when System Manager successfully executes commands against an instance.
AWS SAML Provider Deletion Activity
Detects the deletion of an AWS SAML provider, potentially indicating malicious intent to disrupt administrative or security team access. An attacker can remove the SAML provider for the information security team or a team of system administrators, to make it difficult for them to work and investigate at the time of the attack and after it.
AWS Key Pair Import Activity
Detects the import of SSH key pairs into AWS EC2, which may indicate an attacker attempting to gain unauthorized access to instances. This activity could lead to initial access, persistence, or privilege escalation, potentially compromising sensitive data and operations.
AWS IAM Backdoor Users Keys
Detects AWS API key creation for a user by another user. Backdoored users can be used to obtain persistence in the AWS environment. Also with this alert, you can detect a flow of AWS keys in your org.
AWS IAM S3Browser LoginProfile Creation
Detects S3 Browser utility performing reconnaissance looking for existing IAM Users without a LoginProfile defined then (when found) creating a LoginProfile.
AWS IAM S3Browser Templated S3 Bucket Policy Creation
Detects S3 browser utility creating Inline IAM policy containing default S3 bucket name placeholder value of "<YOUR-BUCKET-NAME>".
AWS IAM S3Browser User or AccessKey Creation
Detects S3 Browser utility creating IAM User or AccessKey.
New AWS Lambda Function URL Configuration Created
Detects when a user creates a Lambda function URL configuration, which could be used to expose the function to the internet and potentially allow unauthorized access to the function's IAM role for AWS API calls. This could give an adversary access to the privileges associated with the Lambda service role that is attached to that function.
AWS New Lambda Layer Attached
Detects when a user attached a Lambda layer to an existing Lambda function. A malicious Lambda layer could execute arbitrary code in the context of the function's IAM role. This would give an adversary access to resources that the function has access to.
AWS Glue Development Endpoint Activity
Detects possible suspicious glue development endpoint activity.
Modification or Deletion of an AWS RDS Cluster
Detects modifications to an RDS cluster or its deletion, which may indicate potential data exfiltration attempts, unauthorized access, or exposure of sensitive information.
AWS Root Credentials
Detects AWS root account usage
AWS Route 53 Domain Transfer Lock Disabled
Detects when a transfer lock was removed from a Route 53 domain. It is recommended to refrain from performing this action unless intending to transfer the domain to a different registrar.
AWS Route 53 Domain Transferred to Another Account
Detects when a request has been made to transfer a Route 53 domain to another AWS account.
AWS STS AssumeRole Misuse
Identifies the suspicious use of AssumeRole. Attackers could move laterally and escalate privileges.
AWS STS GetSessionToken Misuse
Identifies the suspicious use of GetSessionToken. Tokens could be created and used by attackers to move laterally and escalate privileges.
AWS Suspicious SAML Activity
Identifies when suspicious SAML activity has occurred in AWS. An adversary could gain backdoor access via SAML.
AWS User Login Profile Was Modified
Detects activity when someone is changing passwords on behalf of other users. An attacker with the "iam:UpdateLoginProfile" permission on other users can change the password used to login to the AWS console on any user that already has a login profile setup.
User Added to an Administrator's Azure AD Role
User Added to an Administrator's Azure AD Role
Number Of Resource Creation Or Deployment Activities
Number of VM creations or deployment activities occur in Azure via the azureactivity log.
Granting Of Permissions To An Account
Identifies IPs from which users grant access to other users on azure resources and alerts when a previously unseen source IP address is used.
Azure Kubernetes Admission Controller
Identifies when an admission controller is executed in Azure Kubernetes. A Kubernetes Admission controller intercepts, and possibly modifies, requests to the Kubernetes API server. The behavior of this admission controller is determined by an admission webhook (MutatingAdmissionWebhook or ValidatingAdmissionWebhook) that the user deploys in the cluster. An adversary can use such webhooks as the MutatingAdmissionWebhook for obtaining persistence in the cluster. For example, attackers can intercept and modify the pod creation operations in the cluster and add their malicious container to every created pod. An adversary can use the webhook ValidatingAdmissionWebhook, which could be used to obtain access credentials. An adversary could use the webhook to intercept the requests to the API server, record secrets, and other sensitive information.
Azure Kubernetes CronJob
Identifies when a Azure Kubernetes CronJob runs in Azure Cloud. Kubernetes Job is a controller that creates one or more pods and ensures that a specified number of them successfully terminate. Kubernetes Job can be used to run containers that perform finite tasks for batch jobs. Kubernetes CronJob is used to schedule Jobs. An Adversary may use Kubernetes CronJob for scheduling execution of malicious code that would run as a container in the cluster.
Azure Subscription Permission Elevation Via ActivityLogs
Detects when a user has been elevated to manage all Azure Subscriptions. This change should be investigated immediately if it isn't planned. This setting could allow an attacker access to Azure subscriptions in your environment.
CA Policy Removed by Non Approved Actor
Monitor and alert on conditional access changes where non approved actor removed CA Policy.
CA Policy Updated by Non Approved Actor
Monitor and alert on conditional access changes. Is Initiated by (actor) approved to make changes? Review Modified Properties and compare "old" vs "new" value.
New CA Policy by Non-approved Actor
Monitor and alert on conditional access changes.