LoFP
t1078.004
Title
Tags
a legitimate new admin account being created
t1078
t1078.004
azure
sigma
a non-malicious user is unaware of the proper process
t1078
t1078.004
azure
sigma
a self-hosted runner is automatically removed from github if it has not connected to github actions for more than 14 days.
t1078
t1078.004
t1213
t1213.003
t1526
github
sigma
a user may have accidentally entered the wrong credentials during the mfa challenge. if the user is new to mfa, they may have trouble authenticating. ensure that the user is aware of the mfa process and has the correct credentials.
t1078
t1078.004
t1586
t1586.003
t1621
okta tenant
splunk
account disabled or blocked in error
t1078
t1078.004
azure
sigma
actual admin using pim.
t1078
t1078.004
azure
sigma
administrative users will likely use powershell cmdlets to troubleshoot and maintain the environment. filter as needed.
t1078
t1078.004
t1586
t1586.003
azure active directory
splunk
administrator adding a legitimate temporary access pass
t1078
t1078.004
azure
sigma
administrators may legitimately create azure runbook webhooks. filter as needed.
t1078
t1078.004
azure tenant
splunk
allowed self-hosted runners changes in the environment.
t1078
t1078.004
t1213
t1213.003
t1526
github
sigma
although not recommended, certain users may be exempt from multi-factor authentication. adjust the filter as necessary.
t1078
t1078.004
t1586
t1586.003
t1621
okta tenant
splunk
although not recommended, certain users may be permitted to authenticate without multi-factor authentication. filter as needed
t1078
t1078.004
t1586
t1586.003
azure active directory
google cloud platform tenant
splunk
an ephemeral self-hosted runner is automatically removed from github if it has not connected to github actions for more than 1 day.
t1078
t1078.004
t1213
t1213.003
t1526
github
sigma
automation account has been blocked or disabled
t1078
t1078.004
azure
sigma
aws tasks that require aws account root user credentials https://docs.aws.amazon.com/general/latest/gr/aws_tasks-that-require-root.html
t1078
t1078.004
aws
sigma
based on the values of `datapointthreshold` and `deviationthreshold`, the false positive rate may vary. please modify this according to your environment.
t1078.004
t1530
s3 bucket
aws instance
splunk
false positives may occur. it is recommended to fine-tune okta settings and the analytic to ensure high fidelity. adjust the risk score as necessary.
t1078
t1078.004
infrastructure
splunk
if this was approved by system administrator or confirmed user action.
t1078
t1078.004
azure
sigma
if this was approved by system administrator.
t1078
t1078.004
t1110
t1556
t1556.006
azure
sigma
it is possible that some accounts do not have mfa enabled for the aws account; however, it is against the best practices of securing aws.
t1078
t1078.004
t1586
t1586.003
aws account
splunk
it is possible that there are legitimate user roles making new or infrequently used api calls in your infrastructure, causing the search to trigger.
t1078.004
aws instance
splunk
it's likely that you'll find activity detected by users/service accounts that are not listed in the `identity_lookup_expanded` or `aws_service_accounts.csv` file. if the user is a legitimate service account, update the `aws_service_accounts.csv` table with that entry.
t1078.004
aws instance
splunk
it's possible that a new user will start to modify ec2 instances when they haven't before for any number of reasons. verify with the user that is modifying instances that this is the intended behavior.
t1078
t1078.004
aws instance
splunk
it's possible that a user will start to create compute instances for the first time, for any number of reasons. verify with the user launching instances that this is the intended behavior.
t1078
t1078.004
cloud compute instance
splunk
it's possible that a user will start to create ec2 instances when they haven't before for any number of reasons. verify with the user that is launching instances that this is the intended behavior.
t1078.004
aws instance
splunk
known legacy accounts
t1078
t1078.004
t1110
azure
sigma
legit administrative pim setting configuration changes
t1078
t1078.004
azure
sigma
legitimate user wrong password attempts.
t1021
t1021.004
t1078
t1078.004
t1110
bitbucket
sigma
legitimate users may fail to reply to the mfa challenge within the time window or deny it by mistake.
t1078
t1078.004
t1586
t1586.003
t1621
aws account
azure active directory
google cloud platform tenant
splunk
legitimate administrator actions of adding members from a role
t1078
t1078.004
azure
sigma
many service accounts configured with your aws infrastructure are known to exhibit this behavior. please adjust the threshold values and filter out service accounts from the output. always verify whether this search alerted on a human user.
t1078.004
aws instance
splunk
many service accounts configured within a cloud infrastructure are known to exhibit this behavior. please adjust the threshold values and filter out service accounts from the output. always verify if this search alerted on a human user.
t1078
t1078.004
cloud instance
splunk
many service accounts configured within an aws infrastructure are known to exhibit this behavior. please adjust the threshold values and filter out service accounts from the output. always verify if this search alerted on a human user.
t1078
t1078.004
cloud instance
aws instance
splunk
misconfigured systems
t1078
t1078.004
t1110
azure
sigma
multiple failed mfa requests may also be a sign of authentication or application issues. filter as needed.
t1078
t1078.004
t1586
t1586.003
t1621
google cloud platform tenant
o365 tenant
azure active directory
aws account
splunk
none.
t1078
t1078.004
t1207
t1498
aws instance
endpoint
splunk
o365 security and compliance may also generate false positives or trigger on legitimate behavior, filter as needed.
t1078
t1078.004
o365 tenant
splunk
service account misconfigured
t1078
t1078.004
t1110
azure
sigma
service principals will legitimately authenticate remotely to your tenant. implementing this detection after establishing a baseline enables a more accurate identification of security threats, ensuring proactive and informed responses to safeguard the azure ad environment. source ips.
t1078.004
azure active directory
splunk
this detection could be noisy depending on the environment. it is recommended to keep a check on the new secrets when created and validate the "actor".
t1078
t1078.004
github
sigma
user has been put in an exception group so they can use legacy authentication
t1078
t1078.004
t1110
azure
sigma
users actually log in but mis-click the deny button on the mfa prompt.
t1078
t1078.004
t1110
t1621
azure
sigma
valid usage of s3 browser for iam loginprofile listing and/or creation
t1059
t1059.009
t1078
t1078.004
aws
sigma
valid usage of s3 browser for iam user and/or accesskey creation
t1059
t1059.009
t1078
t1078.004
aws
sigma
valid usage of s3 browser with accidental creation of default inline iam policy without changing default s3 bucket name placeholder value
t1059
t1059.009
t1078
t1078.004
aws
sigma
vulnerability scanners
t1078
t1078.004
t1110
t1190
t1505
t1505.001
azure
sigma
when a legitimate new user logs in for the first time, this activity will be detected. check how old the account is and verify that the user activity is legitimate.
t1078.004
t1535
t1552
t1586
t1586.003
aws instance
splunk
when an administrator is making legitimate appid uri configuration changes to an application. this should be a planned event.
t1078
t1078.004
t1552
azure
sigma
when an administrator is making legitimate uri configuration changes to an application. this should be a planned event.
t1078
t1078.004
t1528
azure
sigma
whenever an admin starts using new features of the admin console.
t1078
t1078.004
okta
sigma