Privilege Escalation
| Rule Name | id | Required data connectors |
|---|---|---|
| 1Password - Potential insider privilege escalation via group | 398a1cf1-f56f-4700-912c-9bf4c8409ebc | 1Password |
| 1Password - Potential insider privilege escalation via vault | a00ffbd8-1d1c-47a3-b0a6-7d70bd8017ed | 1Password |
| Changes to Amazon VPC settings | 65360bb0-8986-4ade-a89d-af3cf44d28aa | AWS AWSS3 |
| Login to AWS Management Console without MFA | d25b1998-a592-4bc5-8a3a-92b39eedb1bc | AWS AWSS3 |
| CloudFormation policy created then used for privilege escalation | efdc3cff-f006-426f-97fd-4657862f7b9a | AWS |
| Creation of CRUD DynamoDB policy and then privilege escalation. | 6f675c17-7a61-440c-abd1-c73ef4d748ec | AWS |
| Creation of new CRUD IAM policy and then privilege escalation. | 8a607285-d95c-473d-8aab-59920de63af6 | AWS |
| Creation of CRUD KMS policy and then privilege escalation | 8e15998e-1e32-4b6d-abd1-e8482e8f3def | AWS |
| Created CRUD S3 policy and then privilege escalation | 467cbe7e-e6d4-4f4e-8e44-84dd01932c32 | AWS |
| Creation of CRUD Lambda policy and then privilege escalation | 22115d3c-e87c-485a-9130-33797d619124 | AWS |
| Creation of DataPipeline policy and then privilege escalation. | 6009c632-94e9-4ffb-a11a-b4b99f457f88 | AWS |
| Creation of EC2 policy and then privilege escalation | a694e977-740c-4578-9f8f-5e39029f1d23 | AWS |
| Creation of Glue policy and then privilege escalation | 56626956-304f-4408-8ea6-7ba5746ce09e | AWS |
| Creation of Lambda policy and then privilege escalation | 796a45ee-220b-42be-8415-c8c933cf3b6d | AWS |
| Creation of SSM policy and then privilege escalation | aaa2c05e-fdd4-4fa0-9072-6cffe3641b34 | AWS |
| Full Admin policy created and then attached to Roles, Users or Groups | 826bb2f8-7894-4785-9a6b-a8a855d8366f | AWS AWSS3 |
| Privilege escalation with AdministratorAccess managed policy | 139e7116-3884-4246-9978-c8f740770bdf | AWS |
| Privilege escalation with admin managed policy | 49ce5322-60d7-4b02-ad79-99f650aa5790 | AWS |
| Privilege escalation with FullAccess managed policy | afb4191b-a142-4065-a0da-f721ee3d006c | AWS |
| Privilege escalation via CloudFormation policy | 719d5204-10ab-4b1f-aee1-da7326750260 | AWS |
| Privilege escalation via CRUD DynamoDB policy | b9be2aa6-911d-4131-8658-d2a537ed49f4 | AWS |
| Privilege escalation via CRUD IAM policy | e20d35a3-4fec-4c8b-81b1-fc33b41990b0 | AWS |
| Privilege escalation via CRUD KMS policy | d7c39e15-997f-49e5-a782-73bf07db8aa5 | AWS |
| Privilege escalation via CRUD Lambda policy | d0953d50-3dc1-4fa3-80fa-4d3e973a0959 | AWS |
| Privilege escalation via CRUD S3 policy | fc3061bb-319c-4fe9-abe2-f59899a6d907 | AWS |
| Privilege escalation via DataPipeline policy | 48896551-1c28-4a09-8388-e51e5a927d23 | AWS |
| Privilege escalation via EC2 policy | a2b2a984-c820-4d93-830e-139bffd81fa3 | AWS |
| Privilege escalation via Glue policy | 370f0e5e-da1d-4a14-8ced-d1d7ab66a8d7 | AWS |
| Privilege escalation via Lambda policy | 8e01c41d-bd4c-4bbe-aed5-18592735052d | AWS |
| Privilege escalation via SSM policy | c668c09f-5a49-43f9-b249-6b89a31ec8fb | AWS |
| NRT Login to AWS Management Console without MFA | 0ee2aafb-4500-4e36-bcb1-e90eec2f0b9b | AWS AWSS3 |
| Jira - Global permission added | 5b0cec45-4a91-4f08-bb1b-392427e8f440 | JiraAuditAPI |
| Jira - New site admin user | b894593a-2b4c-4573-bc47-78715224a6f5 | JiraAuditAPI |
| Powershell Empire Cmdlets Executed in Command Line | ef88eb96-861c-43a0-ab16-f3835a97c928 | SecurityEvents WindowsSecurityEvents WindowsForwardedEvents |
| Admin SaaS account detected | 87419138-d75f-450d-aca4-1dc802e32540 | Authomize |
| Lateral Movement Risk - Role Chain Length | 25bef734-4399-4c55-9579-4ebabd9cccf6 | Authomize |
| Detect AWS IAM Users | 077eb06a-c011-47f7-8d92-dfc2b1e1d71b | Authomize |
| Empty group with entitlements | c4d442a8-8227-4735-ac13-d84704e1b371 | Authomize |
| IaaS policy not attached to any identity | 57bae0c4-50b7-4552-9de9-19dfecddbace | Authomize |
| New direct access policy was granted against organizational policy | d7ee7bb5-d712-4d44-b201-b13379924934 | Authomize |
| Refactor AWS policy based on activities in the last 60 days | 642de064-c67b-4eb7-98bd-3f8cd51f282c | Authomize |
| Stale IAAS policy attachment to role | ccdf3f87-7890-4549-9d0f-8f43c1d2751d | Authomize |
| Unused IaaS Policy | e0ae5f9e-865b-41f5-98bb-c04113888e85 | Authomize |
| Suspicious granting of permissions to an account | b2c15736-b9eb-4dae-8b02-3016b6a45a32 | AzureActivity BehaviorAnalytics |
| Front Door Premium WAF - SQLi Detection | 16da3a2a-af29-48a0-8606-d467c180fe18 | WAF |
| AFD WAF - Code Injection | ded8168e-c806-4772-af30-10576e0a7529 | WAF |
| AFD WAF - Path Traversal Attack | a4d99328-e4e6-493d-b0d5-57e6f9ddae77 | WAF |
| App GW WAF - Code Injection | 912a18fc-6165-446b-8740-81ae6c3f75ee | WAF |
| App GW WAF - Path Traversal Attack | b6c3a8a6-d22c-4882-9c57-abc01690938b | WAF |
| App Gateway WAF - SQLi Detection | bdb2cd63-99f2-472e-b1b9-acba473b6744 | WAF |
| Bitglass - New admin user | 8c8602e6-315d-400f-9d1e-23bbdee1dbfe | Bitglass |
| Box - User logged in as admin | b2197d7f-4731-483c-89de-d48606b872da | BoxDataConnector |
| Box - User role changed to owner | 174c31c9-22ec-42e5-8226-814391c08200 | BoxDataConnector |
| Privileged Account Permissions Changed | 0433c8a3-9aa6-4577-beef-2ea23be41137 | AzureActiveDirectory BehaviorAnalytics |
| User Added to Admin Role | 2a09f8cb-deb7-4c40-b08b-9137667f1c0b | AzureActiveDirectory |
| CiscoISE - ISE administrator password has been reset | e63b4d90-d0a8-4609-b187-babfcc7f86d7 | CiscoISE SyslogAma |
| CiscoISE - Command executed with the highest privileges from new IP | 1fa0da3e-ec99-484f-aadb-93f59764e158 | CiscoISE SyslogAma |
| CiscoISE - Command executed with the highest privileges by new user | e71890a2-5f61-4790-b1ed-cf1d92d3e398 | CiscoISE SyslogAma |
| CiscoISE - Device PostureStatus changed to non-compliant | 548a2eda-d3eb-46cc-8d4b-1601551629e4 | CiscoISE SyslogAma |
| Cisco Duo - Admin user created | 0724cb01-4866-483d-a149-eb400fe1daa8 | CiscoDuoSecurity |
| Dynatrace - Problem detection | 415978ff-074e-4203-824a-b06153d77bf7 | DynatraceProblems |
| Dynatrace Application Security - Attack detection | 1b0b2065-8bac-5a00-83c4-1b58f69ac212 | DynatraceAttacks |
| Dynatrace Application Security - Code-Level runtime vulnerability detection | 305093b4-0fa2-57bc-bced-caea782a6e9c | DynatraceRuntimeVulnerabilities |
| Dynatrace Application Security - Non-critical runtime vulnerability detection | ff0af873-a2f2-4233-8412-0ef4e00b0156 | DynatraceRuntimeVulnerabilities |
| Dynatrace Application Security - Third-Party runtime vulnerability detection | af99b078-124b-543a-9a50-66ef87c09f6a | DynatraceRuntimeVulnerabilities |
| Egress Defend - Dangerous Attachment Detected | a0e55dd4-8454-4396-91e6-f28fec3d2cab | EgressDefend |
| Threats detected by Eset | 2d8a60aa-c15e-442e-9ce3-ee924889d2a6 | EsetSMC |
| Component Object Model Hijacking - Vault7 trick | 1aaff41f-4e18-45b1-bb34-de6eb4943cf2 | MicrosoftThreatProtection |
| Access Token Manipulation - Create Process with Token | 8df80270-b4fa-4a7a-931e-8d17c0b321ae | MicrosoftThreatProtection |
| Hijack Execution Flow - DLL Side-Loading | 3084b487-fad6-4000-9544-6085b9657290 | MicrosoftThreatProtection |
| Oracle suspicious command execution | e6c5ff42-0f42-4cec-994a-dabb92fe36e1 | MicrosoftThreatProtection |
| GitHub Security Vulnerability in Repository | 5436f471-b03d-41cb-b333-65891f887c43 | |
| GSA Enriched Office 365 - User made Owner of multiple teams | 558f15dd-3171-4b11-bf24-31c0610a20e0 | AzureActiveDirectory |
| Google DNS - CVE-2021-40444 exploitation | 6758c671-e9ee-495d-b6b0-92ffd08a8c3b | GCPDNSDataConnector |
| Google DNS - CVE-2021-34527 (PrintNightmare) external exploit | e632e73a-06c4-47f6-8bed-b2498aa6e30f | GCPDNSDataConnector |
| Google DNS - CVE-2020-1350 (SIGRED) exploitation pattern | 1267d53d-f5fd-418b-b8da-34453a5994c2 | GCPDNSDataConnector |
| GCP IAM - High privileged role added to service account | 86112c4b-2535-4178-aa0e-ed9e32e3f054 | GCPIAMDataConnector |
| Illusive Incidents Analytic Rule | 1a7dbcf6-21a2-4255-84b2-c8dbbdca4630 | Illusive illusiveAttackManagementSystemAma CefAma |
| Detect Print Processors Registry Driver Key Creation/Modification | 7edde3d4-9859-4a00-b93c-b19ddda55320 | CrowdStrikeFalconEndpointProtection MicrosoftThreatProtection SentinelOne VMwareCarbonBlack CiscoSecureEndpoint TrendMicroApexOne TrendMicroApexOneAma |
| Detect Registry Run Key Creation/Modification | dd041e4e-1ee2-41ec-ba4e-82a71d628260 | CrowdStrikeFalconEndpointProtection MicrosoftThreatProtection SentinelOne VMwareCarbonBlack CiscoSecureEndpoint TrendMicroApexOne TrendMicroApexOneAma |
| McAfee ePO - Multiple threats on same host | f53e5168-afdb-4fad-b29a-bb9cb71ec460 | McAfeeePO SyslogAma |
| McAfee ePO - Threat was not blocked | 6d70a26a-c119-45b7-b4c6-44ac4fd1bcb7 | McAfeeePO SyslogAma |
| Modified domain federation trust settings | 95dc4ae3-e0f2-48bd-b996-cdd22b90f9af | AzureActiveDirectory |
| Admin promotion after Role Management Application Permission Grant | f80d951a-eddc-4171-b9d0-d616bb83efdc | AzureActiveDirectory |
| Bulk Changes to Privileged Account Permissions | 218f60de-c269-457a-b882-9966632b9dc6 | AzureActiveDirectory |
| Credential added after admin consented to Application | 707494a5-8e44-486b-90f8-155d1797a8eb | AzureActiveDirectory |
| NRT Modified domain federation trust settings | 8540c842-5bbc-4a24-9fb2-a836c0e55a51 | AzureActiveDirectory |
| NRT Privileged Role Assigned Outside PIM | 14f6da04-2f96-44ee-9210-9ccc1be6401e | AzureActiveDirectory |
| NRT User added to Microsoft Entra ID Privileged Groups | 70fc7201-f28e-4ba7-b9ea-c04b96701f13 | AzureActiveDirectory |
| Privileged Role Assigned Outside PIM | 269435e3-1db8-4423-9dfc-9bf59997da1c | AzureActiveDirectory |
| Rare application consent | 83ba3057-9ea3-4759-bf6a-933f2e5bc7ee | AzureActiveDirectory |
| Suspicious Service Principal creation activity | 6852d9da-8015-4b95-8ecf-d9572ee0395d | AzureActiveDirectory |
| User added to Microsoft Entra ID Privileged Groups | 4d94d4a9-dc96-410a-8dea-4d4d4584188b | AzureActiveDirectory |
| Cross-Cloud Suspicious Compute resource creation in GCP | 5c847e47-0a07-4c01-ab99-5817ad6cb11e | GCPAuditLogsDefinition AWSS3 |
| Cross-Cloud Suspicious user activity observed in GCP Envourment | 58e306fe-1c49-4b8f-9b0e-15f25e8f0cd7 | GCPAuditLogsDefinition AzureActiveDirectoryIdentityProtection MicrosoftThreatProtection MicrosoftDefenderAdvancedThreatProtection MicrosoftCloudAppSecurity |
| User impersonation by Identity Protection alerts | 11c3d541-5fa5-49df-8218-d1c98584473b | AWS AzureActiveDirectoryIdentityProtection |
| High-Risk Cross-Cloud User Impersonation | f4a28082-2808-4783-9736-33c1ae117475 | AWS AzureActiveDirectory |
| User Session Impersonation(Okta) | 35846296-4052-4de2-8098-beb6bb5f2203 | OktaSSO OktaSSOv2 |
| Ping Federate - Abnormal password resets for user | 6145efdc-4724-42a6-9756-5bd1ba33982e | PingFederate PingFederateAma CefAma |
| Radiflow - Exploit Detected | 6c028ebd-03ca-41cb-bce7-5727ddb43731 | RadiflowIsid |
| Radiflow - Platform Alert | ff0c781a-b30f-4acf-9cf1-75d7383d66d1 | RadiflowIsid |
| RecordedFuture Threat Hunting Url All Actors | 3f6f0d1a-f2f9-4e01-881a-c55a4a71905b | ThreatIntelligenceUploadIndicatorsAPI |
| Red Canary Threat Detection | 6d263abb-6445-45cc-93e9-c593d3d77b89 | RedCanaryDataConnector |
| Critical Risks | 1eebfaf3-40e1-4bc2-9f42-049b7b8ceb60 | RidgeBotDataConnector CefAma |
| Vulerabilities | d096643d-6789-4c74-8893-dd3fc8a94069 | RidgeBotDataConnector CefAma |
| Threat Essentials - NRT User added to Microsoft Entra ID Privileged Groups | 0a627f29-f0dd-4924-be92-c3d6dac84367 | AzureActiveDirectory |
| Semperis DSP RBAC Changes | e5edf3f3-de53-45e6-b0d7-1ce1c048df4a | SemperisDSP |
| Semperis DSP Recent sIDHistory changes on AD objects | 64796da3-6383-4de2-9c97-866c83c459ae | SemperisDSP |
| Semperis DSP Well-known privileged SIDs in sIDHistory | ddd75d93-5b8b-4349-babe-c4e15343c5a3 | SemperisDSP |
| Semperis DSP Zerologon vulnerability | 85c1f9e4-6f14-46bf-82d5-dbe495b92aab | SemperisDSP |
| Sentinel One - Admin login from new location | 382f37b3-b49a-492f-b436-a4717c8c5c3e | SentinelOne |
| Sentinel One - New admin created | e73d293d-966c-47ec-b8e0-95255755f12c | SentinelOne |
| Silverfort - Certifried Incident | 9ae540c9-c926-4100-8f07-1eac22596292 | SilverfortAma |
| Silverfort - NoPacBreach Incident | bdfd2c45-10a0-44e7-a90a-ba7b6bdd9ff2 | SilverfortAma |
| SlackAudit - User role changed to admin or owner | be6c5fc9-2ac3-43e6-8fb0-cb139e04e43e | SlackAuditAPI |
| SlackAudit - User login after deactivated. | e6e99dcb-4dff-48d2-8012-206ca166b36b | SlackAuditAPI |
| Snowflake - User granted admin privileges | 5ed33eee-0ab6-4bf5-9e9b-6100db83d39a | Snowflake |
| New Sonrai Ticket | bcc3362d-b6f9-4de0-b41c-707fafd5a416 | SonraiDataConnector |
| Sonrai Ticket Assigned | 37a8d052-a3db-4dc6-9dca-9390cac6f486 | SonraiDataConnector |
| Sonrai Ticket Closed | f5d467de-b5a2-4b4f-96db-55e27c733594 | SonraiDataConnector |
| Sonrai Ticket Escalation Executed | 0d29c93e-b83f-4dfb-bbbb-76824b77eeca | SonraiDataConnector |
| Sonrai Ticket Escalation Executed | 822fff15-ea68-4d0f-94ee-b4482ddb6f3a | SonraiDataConnector |
| Sonrai Ticket Reopened | b60129ab-ce22-4b76-858d-3204932a13cc | SonraiDataConnector |
| Sonrai Ticket Risk Accepted | 080191e8-271d-4ae6-85ce-c7bcd4b06b40 | SonraiDataConnector |
| Sonrai Ticket Snoozed | 10e6c454-5cad-4f86-81ce-800235cb050a | SonraiDataConnector |
| Sonrai Ticket Updated | af9b8eb1-a8ef-40aa-92a4-1fc73a1479c7 | SonraiDataConnector |
| Theom - Overprovisioned Roles Shadow DB | fb7769d0-e622-4479-95b4-f6266a5b41e2 | Theom |
| Theom - Shadow DB with atypical accesses | 02bff937-ca52-4f52-a9cd-b826f8602694 | Theom |
| ApexOne - Device access permissions was changed | b463b952-67b8-11ec-90d6-0242ac120003 | CefAma |
| ApexOne - Possible exploit or execute operation | e289d762-6cc2-11ec-90d6-0242ac120003 | CefAma |
| vCenter - Root impersonation | f1fcb22c-b459-42f2-a7ee-7276b5f1309c | vCenter CustomLogsAma |
| VMware vCenter - Root login | 03e8a895-b5ba-49a0-aed3-f9a997d92fbe | vCenter CustomLogsAma |
| VMware ESXi - Root impersonation | 23a3cf72-9497-408e-8144-87958a60d31a | VMwareESXi SyslogAma |
| VMware ESXi - Root login | deb448a8-6a9d-4f8c-8a95-679a0a2cd62c | VMwareESXi SyslogAma |
| VMware ESXi - Shared or stolen root account | 9c496d6c-42a3-4896-9b6c-00254386928f | VMwareESXi SyslogAma |
| Potential Fodhelper UAC Bypass | 56f3f35c-3aca-4437-a1fb-b7a84dc4af00 | SecurityEvents WindowsSecurityEvents |
| Application ID URI Changed | 9fb2ee72-959f-4c2b-bc38-483affc539e4 | AzureActiveDirectory |
| Application Redirect URL Update | a1080fc1-13d1-479b-8340-255f0290d96c | AzureActiveDirectory |
| Changes to Application Logout URL | 492fbe35-cbac-4a8c-9059-826782e6915a | AzureActiveDirectory |
| Changes to Application Ownership | cc5780ce-3245-4bba-8bc1-e9048c2257ce | AzureActiveDirectory |
| Changes to PIM Settings | 0ed0fe7c-af29-4990-af7f-bb5ccb231198 | AzureActiveDirectory |
| End-user consent stopped due to risk-based consent | 009b9bae-23dd-43c4-bcb9-11c4ba7c784a | AzureActiveDirectory |
| Service Principal Assigned App Role With Sensitive Access | dd78a122-d377-415a-afe9-f22e08d2112c | AzureActiveDirectory |
| Service Principal Assigned Privileged Role | 84cccc86-5c11-4b3a-aca6-7c8f738ed0f7 | AzureActiveDirectory |
| Suspicious linking of existing user to external User | 22a320c2-e1e5-4c74-a35b-39fc9cdcf859 | AzureActiveDirectory |
| URL Added to Application from Unknown Domain | 017e095a-94d8-430c-a047-e51a11fb737b | AzureActiveDirectory |
| Application Gateway WAF - SQLi Detection | 68c0b6bb-6bd9-4ef4-9011-08998c8ef90f | WAF |
| Email access via active sync | 2f561e20-d97b-4b13-b02d-18b34af6e87c | SecurityEvents MicrosoftThreatProtection WindowsSecurityEvents WindowsForwardedEvents |
| Detecting Impossible travel with mailbox permission tampering & Privilege Escalation attempt | 1399664f-9434-497c-9cde-42e4d74ae20e | AzureSecurityCenter Office365 AzureActivity AzureActiveDirectory |
| Potential Fodhelper UAC Bypass (ASIM Version) | ac9e233e-44d4-45eb-b522-6e47445f6582 | |
| M365D Alerts Correlation to non-Microsoft Network device network activity involved in successful sign-in Activity | 779731f7-8ba0-4198-8524-5701b7defddc | OfficeATP PaloAltoNetworks Fortinet CheckPoint Zscaler |
| Suspicious Login from deleted guest account | defe4855-0d33-4362-9557-009237623976 | AzureActiveDirectory |
| Suspicious modification of Global Administrator user properties | 48602a24-67cf-4362-b258-3f4249e55def | AzureActiveDirectory BehaviorAnalytics |
| Detect PIM Alert Disabling activity | 1f3b4dfd-21ff-4ed3-8e27-afc219e05c50 | AzureActiveDirectory |
| COM Event System Loading New DLL | 02f6c2e5-219d-4426-a0bf-ad67abc63d53 | SecurityEvents |
| Group created then added to built in domain local or global group | a7564d76-ec6b-4519-a66b-fcc80c42332b | SecurityEvents WindowsSecurityEvents WindowsForwardedEvents |
| Possible Resource-Based Constrained Delegation Abuse | 2937bc6b-7cda-4fba-b452-ea43ba8e835f | SecurityEvents |
| Solorigate Named Pipe | 11b4c19d-2a79-4da3-af38-b067e1273dee | SecurityEvents WindowsSecurityEvents WindowsForwardedEvents |
| Account added and removed from privileged groups | 7efc75ce-e2a4-400f-a8b1-283d3b0f2c60 | SecurityEvents WindowsSecurityEvents WindowsForwardedEvents |
| User account added to built in domain local or global group | a35f2c18-1b97-458f-ad26-e033af18eb99 | SecurityEvents WindowsSecurityEvents WindowsForwardedEvents |
| User account created and deleted within 10 mins | 4b93c5af-d20b-4236-b696-a28b8c51407f | SecurityEvents WindowsSecurityEvents WindowsForwardedEvents |
| User account enabled and disabled within 10 mins | 3d023f64-8225-41a2-9570-2bd7c2c4535e | SecurityEvents WindowsSecurityEvents WindowsForwardedEvents |
| New user created and added to the built-in administrators group | aa1eff90-29d4-49dc-a3ea-b65199f516db | SecurityEvents WindowsSecurityEvents WindowsForwardedEvents |
| Service Principal Name (SPN) Assigned to User Account | 875d0eb1-883a-4191-bd0e-dbfdeb95a464 | SecurityEvents |
| User joining Zoom meeting from suspicious timezone | 58fc0170-0877-4ea8-a9ff-d805e361cfae |