LoFP
/
t1078
t1078
Title
Tags
a legitimate new admin account being created
t1078
t1078.004
azure
sigma
a non malicious user is unaware of the proper process
t1078
t1078.004
azure
sigma
a self-hosted runner is automatically removed from github if it has not connected to github actions for more than 14 days.
t1078
t1078.004
t1213
t1213.003
t1526
github
sigma
a team has configured an ec2 instance to use instance profiles that grant the option for the ec2 instance to talk to other aws services
t1078
t1078.002
aws
sigma
a user may report suspicious activity on their okta account in error.
t1078
okta
elastic
a user sending emails using personal distribution folders may trigger the event.
t1078
o365
elastic
account disabled or blocked in error
t1078
t1078.004
azure
sigma
accounts with high risk roles should be reduced to the minimum number needed, however specific tasks and setups may be simply expected behavior within organization
t1078
gcp account
splunk
actual admin using pim.
t1078
t1078.004
azure
sigma
administrator adding a legitimate temporary access pass
t1078
t1078.004
azure
sigma
administrator disabling pim alerts as an active choice.
t1078
azure
sigma
administrator powershell scripts
t1078
t1197
windows
sigma
administrators may add external users to groups to share files and communication with them via the intended recipient be the group they are added to. it is unlikely an external user account would be added to an organization's group where administrators should create a new user account.
t1078
google_workspace
elastic
administrators may use ec2 instances to interact with iam services as part of an automation workflow, ensure validity of the triggered event and include exceptions where necessary.
t1078
t1098
rules_building_block
elastic
administrators that use the runas command or scheduled tasks
t1078
windows
sigma
allowed administrative activities.
t1020
t1078
t1078.004
t1537
t1562
t1562.001
github
sigma
allowed self-hosted runners changes in the environment.
t1078
t1078.004
t1213
t1213.003
t1526
github
sigma
an ephemeral self-hosted runner is automatically removed from github if it has not connected to github actions for more than 1 day.
t1078
t1078.004
t1213
t1213.003
t1526
github
sigma
an single endpoint authenticating to a large number of hosts is not common behavior. possible false positive scenarios include but are not limited to vulnerability scanners, jump servers and missconfigured systems.
t1078
endpoint
splunk
an single endpoint requesting a large number of computer service tickets is not common behavior. possible false positive scenarios include but are not limited to vulnerability scanners, administration systeams and missconfigured systems.
t1078
endpoint
splunk
an single endpoint requesting a large number of kerberos service tickets is not common behavior. possible false positive scenarios include but are not limited to vulnerability scanners, administration systems and missconfigured systems.
t1078
t1135
t1558.003
endpoint
splunk
anonymous access to the api server is a dangerous setting enabled by default. common anonymous connections (e.g., health checks) have been excluded from this rule. all other instances of authorized anonymous requests should be investigated.
t1078
kubernetes
elastic
applications that are being used as part of automated testing or a legacy application that cannot use any other modern authentication flow
t1078
azure
sigma
applications that are input constrained will need to use device code flow and are valid authentications.
t1078
azure
sigma
attach to policy can create a lot of noise. this search can be adjusted to provide specific values to identify cases of abuse (i.e status=failure). the search can provide context for common users attaching themselves to higher privilege policies or even newly created policies.
t1078
aws account
splunk
attacks using a golden saml or saml assertion hijacks or forgeries are very difficult to detect as accessing cloud providers with these assertions looks exactly like normal access, however things such as source ip sourceipaddress user, and principal targeted at receiving cloud provider along with endpoint credential access and abuse detection searches can provide the necessary context to detect these attacks.
t1078
aws federated account
splunk
automated processes for infrastructure setup may trigger this alert.
t1078
aws
sigma
automated processes may need to take these actions and may need to be filtered.
t1078
t1552
t1552.007
kubernetes
sigma
automated processes that uses terraform may lead to false positives.
t1078
t1548
t1550
t1550.001
aws
sigma
automated processes using tools like terraform may trigger this alert.
t1078
t1078.004
t1531
aws
sigma
automation account has been blocked or disabled
t1078
t1078.004
azure
sigma
aws tasks that require aws account root user credentials https://docs.aws.amazon.com/general/latest/gr/aws_tasks-that-require-root.html
t1078
t1078.004
aws
sigma
azure kubernetes admissions controller may be done by a system administrator.
t1078
t1552
t1552.007
azure
sigma
build servers and ci systems can sometimes trigger this alert. security test cycles that include brute force or password spraying activities may trigger this alert.
t1078
t1110
ml
elastic
business travelers who roam to new locations may trigger this alert.
t1078
ml
elastic
connecting to a vpn, performing activity and then dropping and performing additional activity.
t1078
azure
sigma
controller service accounts aren't normally assigned to running pods, this is abnormal behavior with very few legitimate use-cases and should result in very few false positives.
t1078
kubernetes
elastic
createrole is not very common in common users. this search can be adjusted to provide specific values to identify cases of abuse. in general aws provides plenty of trust policies that fit most use cases.
t1078
aws account
splunk
custom role creations may be done by a system or network administrator. verify whether the user email, resource name, and/or hostname should be making changes in your environment. role creations by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
t1078
gcp
elastic
deletions by unfamiliar users should be investigated. if the behavior is known and expected, it can be exempted from the rule.
t1078
t1078.004
t1531
aws
sigma
developers may leverage third-party applications for legitimate purposes in google workspace such as for administrative tasks.
t1078
t1550
google_workspace
elastic
false positives may be generated by normal provisioning workflows for user device registration.
t1078
t1098.005
t1110
t1556.006
t1621
identity
splunk
false positives may occur when users are using a vpn or when users are traveling to different locations.
t1078
o365
elastic
false positives will be limited to the number of events generated by the analytics tied to the stories. analytics will need to be tested and tuned, and the risk score reduced as needed based on the organization.
t1078
t1110
okta tenant
splunk
federation settings being modified or deleted may be performed by a system administrator.
t1078
azure
sigma
federation settings modified from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
t1078
azure
sigma
gcp oauth token abuse detection will only work if there are access policies in place along with audit logs.
t1078
gcp account
splunk
google cloud kubernetes admission controller may be done by a system administrator.
t1078
t1552
t1552.007
gcp
sigma
google workspace administrators may renew a suspended user account if the user is expected to continue employment at the organization after temporary leave. suspended user accounts are typically used by administrators to remove access to the user while actions is taken to transfer important documents and roles to other users, prior to deleting the user account and removing the license.
t1078
google_workspace
elastic
guest user invitations may be sent out by a system or network administrator. verify whether the username, hostname, and/or resource name should be making changes in your environment. guest user invitations from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
t1078
azure
elastic
high risk permissions are part of any gcp environment, however it is important to track resource and accounts usage, this search may produce false positives.
t1078
gcp account
splunk
if known behavior is causing false positives, it can be exempted from the rule.
t1053
t1053.003
t1074
t1078
t1552
t1552.007
azure
aws
gcp
sigma
if this was approved by system administrator or confirmed user action.
t1078
t1078.004
azure
sigma
if this was approved by system administrator.
t1078
t1078.004
t1110
t1556
t1556.006
azure
sigma
increase of users in the environment
t1078
azure
sigma
investigate if licenses have expired.
t1078
azure
sigma
investigate if potential generic account that cannot be removed.
t1078
azure
sigma
investigate if threshold setting in pim is too low.
t1078
azure
sigma
investigate if user is performing mfa at sign-in.
t1078
azure
sigma
investigate where if active time period for a role is set too short.
t1078
azure
sigma
investigate where users are being assigned privileged roles outside of privileged identity management and prohibit future assignments from there.
t1078
azure
sigma
ipv4-to-ipv6 mapped ips
t1078
t1133
t1190
windows
sigma
it's strongly recommended that the root user is not used for everyday tasks, including the administrative ones. verify whether the ip address, location, and/or hostname should be logging in as root in your environment. unfamiliar root logins should be investigated immediately. if known behavior is causing false positives, it can be exempted from the rule.
t1078
aws
elastic
known legacy accounts
t1078
t1078.004
t1110
azure
sigma
legit administrative action
t1078
azure
sigma
legit administrative pim setting configuration changes
t1078
t1078.004
azure
sigma
legitimate administration activities
t1007
t1016
t1018
t1033
t1037
t1037.005
t1040
t1046
t1053
t1053.002
t1053.003
t1069
t1069.001
t1070
t1070.002
t1070.004
t1078
t1078.003
t1082
t1087
t1087.001
t1090
t1105
t1136
t1136.001
t1140
t1201
t1518
t1518.001
t1546
t1546.014
t1548
t1548.001
t1552
t1552.001
t1553
t1553.004
t1555
t1555.001
t1562
t1562.004
t1564
t1564.002
t1565
t1565.001
t1592
t1592.004
windows
macos
linux
sigma
legitimate administrative actions by authorized system administrators could cause this alert. verify the user identity, user agent, and hostname to ensure they are expected.
t1078
t1078.004
t1531
aws
sigma
legitimate administrative actions by authorized users importing keys for valid purposes.
t1078
aws
sigma
legitimate logon attempts over the internet
t1078
t1133
t1190
windows
sigma
legitimate or intentional inbound connections from public ip addresses on the smb port.
t1078
t1110
t1133
windows
sigma
legitimate user wrong password attempts.
t1021
t1021.004
t1078
t1078.004
t1110
bitbucket
sigma
legtimate administrator actions of adding members from a role
t1078
t1078.004
azure
sigma
misconfigured systems
t1078
t1078.004
t1110
azure
sigma
modifying the kubernetes admission controller may need to be done by a system administrator.
t1078
t1552
t1552.007
kubernetes
sigma
none.
t1078
t1078.004
t1207
t1222.001
t1484
endpoint
aws instance
splunk
not all permanent key creations are malicious. if there is a policy of rotating keys this search can be adjusted to provide better context.
t1078
aws account
splunk
payload.request.function.timeout value can possibly be match with other functions or requests however the source user and target request account may indicate an attempt to move laterally accross acounts or projects
t1078
gcp account
splunk
pim (privileged identity management) generates this event each time 'eligible role' is enabled.
t1078
t1098
t1098.003
azure
sigma
rapid authentication from the same user using more than 5 different user agents and 3 application ids is highly unlikely under normal circumstances. however, there are potential scenarios that could lead to false positives.
t1078
azure tenant
o365 tenant
splunk
saml provider being updated from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
t1078
t1548
t1550
t1550.001
aws
sigma
service account misconfigured
t1078
t1078.004
t1110
azure
sigma
service accounts may be responsible for the creation, deletion or modification of accounts for legitimate purposes. filter as needed.
t1078
t1098
endpoint
splunk
sign-ins using powershell may be done by a system or network administrator. verify whether the username, hostname, and/or resource name should be signing into your environment. sign-ins from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
t1078
azure
elastic
some organizations allow login with the root user without mfa, however, this is not considered best practice by aws and increases the risk of compromised credentials.
t1078
aws
elastic
sts:assumerole can be very noisy as it is a standard mechanism to provide cross account and cross resources access. this search can be adjusted to provide specific values to identify cases of abuse.
t1078
aws account
splunk
the number of okta user password reset or account unlock attempts will likely vary between organizations. to fit this rule to their organization, users can duplicate this rule and edit the schedule and threshold values in the new rule.
t1078
okta
elastic
this detection cloud be noisy depending on the environment. it is recommended to keep a check on the new secrets when created and validate the \"actor\".
t1078
t1078.004
github
sigma
to tune this rule, add exceptions to exclude any event.code which should not trigger this rule.
t1078
cyberarkpas
elastic
uncommon user activity can be due to an administrator or help desk technician logging onto a workstation or server in order to perform manual troubleshooting or reconfiguration.
t1078
ml
elastic
uncommon user activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration.
t1078
ml
elastic
uncommon username activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration.
t1078
ml
elastic
unlikely
t1003
t1003.001
t1003.002
t1003.004
t1003.005
t1003.006
t1005
t1007
t1008
t1012
t1014
t1016
t1018
t1021
t1021.002
t1021.003
t1021.006
t1027
t1027.005
t1033
t1036
t1036.003
t1036.005
t1036.007
t1041
t1046
t1047
t1048
t1048.001
t1053
t1053.003
t1053.005
t1055
t1055.001
t1056
t1057
t1059
t1059.001
t1059.002
t1059.003
t1068
t1070
t1071
t1071.001
t1071.004
t1078
t1082
t1083
t1087
t1090
t1090.001
t1090.003
t1105
t1106
t1112
t1115
t1123
t1127
t1132
t1132.001
t1133
t1134
t1134.001
t1134.002
t1134.004
t1136
t1136.001
t1136.002
t1137
t1137.002
t1140
t1190
t1202
t1203
t1204
t1210
t1213
t1213.003
t1216
t1218
t1218.001
t1218.008
t1218.010
t1218.011
t1218.013
t1219
t1486
t1489
t1490
t1496
t1498
t1499
t1499.001
t1505
t1505.003
t1526
t1528
t1543
t1543.003
t1546
t1546.008
t1546.015
t1548
t1548.003
t1550
t1550.003
t1552
t1552.004
t1553
t1553.004
t1555
t1556
t1557
t1557.001
t1558
t1558.003
t1562
t1562.001
t1562.002
t1562.010
t1564
t1564.004
t1566
t1569
t1569.002
t1570
t1574
t1574.001
t1574.002
t1586
t1587
t1587.001
t1588
t1588.002
t1590
t1590.001
t1590.002
t1620
t1649
windows
macos
opencanary
azure
m365
okta
bitbucket
linux
sigma
unlikely. except due to misconfigurations
t1078
t1110
t1557
cisco
huawei
juniper
sigma
updating a saml provider or creating a new one may not necessarily be malicious however it needs to be closely monitored.
t1078
aws federated account
splunk
user accounts that are rarely active, such as a site reliability engineer (sre) or developer logging into a production server for troubleshooting, may trigger this alert. under some conditions, a newly created user account may briefly trigger this alert while the model is learning.
t1078
ml
elastic
user changing to a new device, location, browser, etc.
t1078
azure
sigma
user has been put in acception group so they can use legacy authentication
t1078
t1078.004
t1110
azure
sigma
user using a disabled account
t1078
windows
sigma
user using a new mail client.
t1078
o365
elastic
user using a vpn may lead to false positives.
t1078
o365
elastic
users actually login but miss-click into the deny button when mfa prompt.
t1078
t1078.004
t1110
t1621
azure
sigma
users working late, or logging in from unusual time zones while traveling, may trigger this rule.
t1078
ml
elastic
valid usage of s3 browser for iam loginprofile listing and/or creation
t1059
t1059.009
t1078
t1078.004
aws
sigma
valid usage of s3 browser for iam user and/or accesskey creation
t1059
t1059.009
t1078
t1078.004
aws
sigma
valid usage of s3 browser with accidental creation of default inline iam policy without changing default s3 bucket name placeholder value
t1059
t1059.009
t1078
t1078.004
aws
sigma
verify the user identity, user agent, and source ip address to ensure they are expected.
t1078
aws
sigma
verify whether the user identity, user agent, and/or hostname should be requesting changes in your environment. password reset attempts from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
t1078
aws
elastic
vulnerability scanners
t1078
t1078.004
t1110
t1190
t1505
t1505.001
azure
sigma
we recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user.
t1078
t1090
t1098
t1110
t1528
t1606
azure
sigma
when an admin begins using the admin console and one of okta's heuristics incorrectly identifies the behavior as being unusual.
t1078
t1078.004
okta
sigma
when and administrator is making legitimate appid uri configuration changes to an application. this should be a planned event.
t1078
t1078.004
t1552
azure
sigma
when and administrator is making legitimate uri configuration changes to an application. this should be a planned event.
t1078
t1078.004
t1528
azure
sigma
LoFP
/
t1078