Microsoft Sentinel Analytic Rules

Privilege Escalation

Overview

| Rule Name | id | Required data connectors |
|---|---|---|
| 1Password - Potential insider privilege escalation via group | 398a1cf1-f56f-4700-912c-9bf4c8409ebc | 1Password |
| 1Password - Potential insider privilege escalation via vault | a00ffbd8-1d1c-47a3-b0a6-7d70bd8017ed | 1Password |
| Changes to Amazon VPC settings | 65360bb0-8986-4ade-a89d-af3cf44d28aa | AWS, AWSS3 |
| Login to AWS Management Console without MFA | d25b1998-a592-4bc5-8a3a-92b39eedb1bc | AWS, AWSS3 |
| CloudFormation policy created then used for privilege escalation | efdc3cff-f006-426f-97fd-4657862f7b9a | AWS |
| Creation of CRUD DynamoDB policy and then privilege escalation. | 6f675c17-7a61-440c-abd1-c73ef4d748ec | AWS |
| Creation of new CRUD IAM policy and then privilege escalation. | 8a607285-d95c-473d-8aab-59920de63af6 | AWS |
| Creation of CRUD KMS policy and then privilege escalation | 8e15998e-1e32-4b6d-abd1-e8482e8f3def | AWS |
| Created CRUD S3 policy and then privilege escalation | 467cbe7e-e6d4-4f4e-8e44-84dd01932c32 | AWS |
| Creation of CRUD Lambda policy and then privilege escalation | 22115d3c-e87c-485a-9130-33797d619124 | AWS |
| Creation of DataPipeline policy and then privilege escalation. | 6009c632-94e9-4ffb-a11a-b4b99f457f88 | AWS |
| Creation of EC2 policy and then privilege escalation | a694e977-740c-4578-9f8f-5e39029f1d23 | AWS |
| Creation of Glue policy and then privilege escalation | 56626956-304f-4408-8ea6-7ba5746ce09e | AWS |
| Creation of Lambda policy and then privilege escalation | 796a45ee-220b-42be-8415-c8c933cf3b6d | AWS |
| Creation of SSM policy and then privilege escalation | aaa2c05e-fdd4-4fa0-9072-6cffe3641b34 | AWS |
| Full Admin policy created and then attached to Roles, Users or Groups | 826bb2f8-7894-4785-9a6b-a8a855d8366f | AWS, AWSS3 |
| Privilege escalation with AdministratorAccess managed policy | 139e7116-3884-4246-9978-c8f740770bdf | AWS |
| Privilege escalation with admin managed policy | 49ce5322-60d7-4b02-ad79-99f650aa5790 | AWS |
| Privilege escalation with FullAccess managed policy | afb4191b-a142-4065-a0da-f721ee3d006c | AWS |
| Privilege escalation via CloudFormation policy | 719d5204-10ab-4b1f-aee1-da7326750260 | AWS |
| Privilege escalation via CRUD DynamoDB policy | b9be2aa6-911d-4131-8658-d2a537ed49f4 | AWS |
| Privilege escalation via CRUD IAM policy | e20d35a3-4fec-4c8b-81b1-fc33b41990b0 | AWS |
| Privilege escalation via CRUD KMS policy | d7c39e15-997f-49e5-a782-73bf07db8aa5 | AWS |
| Privilege escalation via CRUD Lambda policy | d0953d50-3dc1-4fa3-80fa-4d3e973a0959 | AWS |
| Privilege escalation via CRUD S3 policy | fc3061bb-319c-4fe9-abe2-f59899a6d907 | AWS |
| Privilege escalation via DataPipeline policy | 48896551-1c28-4a09-8388-e51e5a927d23 | AWS |
| Privilege escalation via EC2 policy | a2b2a984-c820-4d93-830e-139bffd81fa3 | AWS |
| Privilege escalation via Glue policy | 370f0e5e-da1d-4a14-8ced-d1d7ab66a8d7 | AWS |
| Privilege escalation via Lambda policy | 8e01c41d-bd4c-4bbe-aed5-18592735052d | AWS |
| Privilege escalation via SSM policy | c668c09f-5a49-43f9-b249-6b89a31ec8fb | AWS |
| NRT Login to AWS Management Console without MFA | 0ee2aafb-4500-4e36-bcb1-e90eec2f0b9b | AWS, AWSS3 |
| Jira - Global permission added | 5b0cec45-4a91-4f08-bb1b-392427e8f440 | JiraAuditAPI |
| Jira - New site admin user | b894593a-2b4c-4573-bc47-78715224a6f5 | JiraAuditAPI |
| Powershell Empire Cmdlets Executed in Command Line | ef88eb96-861c-43a0-ab16-f3835a97c928 | SecurityEvents, WindowsSecurityEvents, WindowsForwardedEvents |
| Admin SaaS account detected | 87419138-d75f-450d-aca4-1dc802e32540 | Authomize |
| Lateral Movement Risk - Role Chain Length | 25bef734-4399-4c55-9579-4ebabd9cccf6 | Authomize |
| Detect AWS IAM Users | 077eb06a-c011-47f7-8d92-dfc2b1e1d71b | Authomize |
| Empty group with entitlements | c4d442a8-8227-4735-ac13-d84704e1b371 | Authomize |
| IaaS policy not attached to any identity | 57bae0c4-50b7-4552-9de9-19dfecddbace | Authomize |
| New direct access policy was granted against organizational policy | d7ee7bb5-d712-4d44-b201-b13379924934 | Authomize |
| Refactor AWS policy based on activities in the last 60 days | 642de064-c67b-4eb7-98bd-3f8cd51f282c | Authomize |
| Stale IAAS policy attachment to role | ccdf3f87-7890-4549-9d0f-8f43c1d2751d | Authomize |
| Unused IaaS Policy | e0ae5f9e-865b-41f5-98bb-c04113888e85 | Authomize |
| Suspicious granting of permissions to an account | b2c15736-b9eb-4dae-8b02-3016b6a45a32 | AzureActivity, BehaviorAnalytics |
| Front Door Premium WAF - SQLi Detection | 16da3a2a-af29-48a0-8606-d467c180fe18 | WAF |
| AFD WAF - Code Injection | ded8168e-c806-4772-af30-10576e0a7529 | WAF |
| AFD WAF - Path Traversal Attack | a4d99328-e4e6-493d-b0d5-57e6f9ddae77 | WAF |
| App GW WAF - Code Injection | 912a18fc-6165-446b-8740-81ae6c3f75ee | WAF |
| App GW WAF - Path Traversal Attack | b6c3a8a6-d22c-4882-9c57-abc01690938b | WAF |
| App Gateway WAF - SQLi Detection | bdb2cd63-99f2-472e-b1b9-acba473b6744 | WAF |
| Bitglass - New admin user | 8c8602e6-315d-400f-9d1e-23bbdee1dbfe | Bitglass |
| Box - User logged in as admin | b2197d7f-4731-483c-89de-d48606b872da | BoxDataConnector |
| Box - User role changed to owner | 174c31c9-22ec-42e5-8226-814391c08200 | BoxDataConnector |
| Privileged Account Permissions Changed | 0433c8a3-9aa6-4577-beef-2ea23be41137 | AzureActiveDirectory, BehaviorAnalytics |
| User Added to Admin Role | 2a09f8cb-deb7-4c40-b08b-9137667f1c0b | AzureActiveDirectory |
| CiscoISE - ISE administrator password has been reset | e63b4d90-d0a8-4609-b187-babfcc7f86d7 | CiscoISE, SyslogAma |
| CiscoISE - Command executed with the highest privileges from new IP | 1fa0da3e-ec99-484f-aadb-93f59764e158 | CiscoISE, SyslogAma |
| CiscoISE - Command executed with the highest privileges by new user | e71890a2-5f61-4790-b1ed-cf1d92d3e398 | CiscoISE, SyslogAma |
| CiscoISE - Device PostureStatus changed to non-compliant | 548a2eda-d3eb-46cc-8d4b-1601551629e4 | CiscoISE, SyslogAma |
| Cisco Duo - Admin user created | 0724cb01-4866-483d-a149-eb400fe1daa8 | CiscoDuoSecurity |
| Dynatrace - Problem detection | 415978ff-074e-4203-824a-b06153d77bf7 | DynatraceProblems |
| Dynatrace Application Security - Attack detection | 1b0b2065-8bac-5a00-83c4-1b58f69ac212 | DynatraceAttacks |
| Dynatrace Application Security - Code-Level runtime vulnerability detection | 305093b4-0fa2-57bc-bced-caea782a6e9c | DynatraceRuntimeVulnerabilities |
| Dynatrace Application Security - Non-critical runtime vulnerability detection | ff0af873-a2f2-4233-8412-0ef4e00b0156 | DynatraceRuntimeVulnerabilities |
| Dynatrace Application Security - Third-Party runtime vulnerability detection | af99b078-124b-543a-9a50-66ef87c09f6a | DynatraceRuntimeVulnerabilities |
| Egress Defend - Dangerous Attachment Detected | a0e55dd4-8454-4396-91e6-f28fec3d2cab | EgressDefend |
| Threats detected by Eset | 2d8a60aa-c15e-442e-9ce3-ee924889d2a6 | EsetSMC |
| Component Object Model Hijacking - Vault7 trick | 1aaff41f-4e18-45b1-bb34-de6eb4943cf2 | MicrosoftThreatProtection |
| Access Token Manipulation - Create Process with Token | 8df80270-b4fa-4a7a-931e-8d17c0b321ae | MicrosoftThreatProtection |
| Hijack Execution Flow - DLL Side-Loading | 3084b487-fad6-4000-9544-6085b9657290 | MicrosoftThreatProtection |
| Oracle suspicious command execution | e6c5ff42-0f42-4cec-994a-dabb92fe36e1 | MicrosoftThreatProtection |
| GitHub Security Vulnerability in Repository | 5436f471-b03d-41cb-b333-65891f887c43 | |
| GSA Enriched Office 365 - User made Owner of multiple teams | 558f15dd-3171-4b11-bf24-31c0610a20e0 | AzureActiveDirectory |
| Google DNS - CVE-2021-40444 exploitation | 6758c671-e9ee-495d-b6b0-92ffd08a8c3b | GCPDNSDataConnector |
| Google DNS - CVE-2021-34527 (PrintNightmare) external exploit | e632e73a-06c4-47f6-8bed-b2498aa6e30f | GCPDNSDataConnector |
| Google DNS - CVE-2020-1350 (SIGRED) exploitation pattern | 1267d53d-f5fd-418b-b8da-34453a5994c2 | GCPDNSDataConnector |
| GCP IAM - High privileged role added to service account | 86112c4b-2535-4178-aa0e-ed9e32e3f054 | GCPIAMDataConnector |
| Illusive Incidents Analytic Rule | 1a7dbcf6-21a2-4255-84b2-c8dbbdca4630 | Illusive, illusiveAttackManagementSystemAma, CefAma |
| Detect Print Processors Registry Driver Key Creation/Modification | 7edde3d4-9859-4a00-b93c-b19ddda55320 | CrowdStrikeFalconEndpointProtection, MicrosoftThreatProtection, SentinelOne, VMwareCarbonBlack, CiscoSecureEndpoint, TrendMicroApexOne, TrendMicroApexOneAma |
| Detect Registry Run Key Creation/Modification | dd041e4e-1ee2-41ec-ba4e-82a71d628260 | CrowdStrikeFalconEndpointProtection, MicrosoftThreatProtection, SentinelOne, VMwareCarbonBlack, CiscoSecureEndpoint, TrendMicroApexOne, TrendMicroApexOneAma |
| McAfee ePO - Multiple threats on same host | f53e5168-afdb-4fad-b29a-bb9cb71ec460 | McAfeeePO, SyslogAma |
| McAfee ePO - Threat was not blocked | 6d70a26a-c119-45b7-b4c6-44ac4fd1bcb7 | McAfeeePO, SyslogAma |
| Modified domain federation trust settings | 95dc4ae3-e0f2-48bd-b996-cdd22b90f9af | AzureActiveDirectory |
| Admin promotion after Role Management Application Permission Grant | f80d951a-eddc-4171-b9d0-d616bb83efdc | AzureActiveDirectory |
| Bulk Changes to Privileged Account Permissions | 218f60de-c269-457a-b882-9966632b9dc6 | AzureActiveDirectory |
| Credential added after admin consented to Application | 707494a5-8e44-486b-90f8-155d1797a8eb | AzureActiveDirectory |
| NRT Modified domain federation trust settings | 8540c842-5bbc-4a24-9fb2-a836c0e55a51 | AzureActiveDirectory |
| NRT Privileged Role Assigned Outside PIM | 14f6da04-2f96-44ee-9210-9ccc1be6401e | AzureActiveDirectory |
| NRT User added to Microsoft Entra ID Privileged Groups | 70fc7201-f28e-4ba7-b9ea-c04b96701f13 | AzureActiveDirectory |
| Privileged Role Assigned Outside PIM | 269435e3-1db8-4423-9dfc-9bf59997da1c | AzureActiveDirectory |
| Rare application consent | 83ba3057-9ea3-4759-bf6a-933f2e5bc7ee | AzureActiveDirectory |
| Suspicious Service Principal creation activity | 6852d9da-8015-4b95-8ecf-d9572ee0395d | AzureActiveDirectory |
| User added to Microsoft Entra ID Privileged Groups | 4d94d4a9-dc96-410a-8dea-4d4d4584188b | AzureActiveDirectory |
| Cross-Cloud Suspicious Compute resource creation in GCP | 5c847e47-0a07-4c01-ab99-5817ad6cb11e | GCPAuditLogsDefinition, AWSS3 |
| Cross-Cloud Suspicious user activity observed in GCP Envourment | 58e306fe-1c49-4b8f-9b0e-15f25e8f0cd7 | GCPAuditLogsDefinition, AzureActiveDirectoryIdentityProtection, MicrosoftThreatProtection, MicrosoftDefenderAdvancedThreatProtection, MicrosoftCloudAppSecurity |
| User impersonation by Identity Protection alerts | 11c3d541-5fa5-49df-8218-d1c98584473b | AWS, AzureActiveDirectoryIdentityProtection |
| High-Risk Cross-Cloud User Impersonation | f4a28082-2808-4783-9736-33c1ae117475 | AWS, AzureActiveDirectory |
| User Session Impersonation(Okta) | 35846296-4052-4de2-8098-beb6bb5f2203 | OktaSSO, OktaSSOv2 |
| Ping Federate - Abnormal password resets for user | 6145efdc-4724-42a6-9756-5bd1ba33982e | PingFederate, PingFederateAma, CefAma |
| Radiflow - Exploit Detected | 6c028ebd-03ca-41cb-bce7-5727ddb43731 | RadiflowIsid |
| Radiflow - Platform Alert | ff0c781a-b30f-4acf-9cf1-75d7383d66d1 | RadiflowIsid |
| RecordedFuture Threat Hunting Url All Actors | 3f6f0d1a-f2f9-4e01-881a-c55a4a71905b | ThreatIntelligenceUploadIndicatorsAPI |
| Red Canary Threat Detection | 6d263abb-6445-45cc-93e9-c593d3d77b89 | RedCanaryDataConnector |
| Critical Risks | 1eebfaf3-40e1-4bc2-9f42-049b7b8ceb60 | RidgeBotDataConnector, CefAma |
| Vulerabilities | d096643d-6789-4c74-8893-dd3fc8a94069 | RidgeBotDataConnector, CefAma |
| Threat Essentials - NRT User added to Microsoft Entra ID Privileged Groups | 0a627f29-f0dd-4924-be92-c3d6dac84367 | AzureActiveDirectory |
| Semperis DSP RBAC Changes | e5edf3f3-de53-45e6-b0d7-1ce1c048df4a | SemperisDSP |
| Semperis DSP Recent sIDHistory changes on AD objects | 64796da3-6383-4de2-9c97-866c83c459ae | SemperisDSP |
| Semperis DSP Well-known privileged SIDs in sIDHistory | ddd75d93-5b8b-4349-babe-c4e15343c5a3 | SemperisDSP |
| Semperis DSP Zerologon vulnerability | 85c1f9e4-6f14-46bf-82d5-dbe495b92aab | SemperisDSP |
| Sentinel One - Admin login from new location | 382f37b3-b49a-492f-b436-a4717c8c5c3e | SentinelOne |
| Sentinel One - New admin created | e73d293d-966c-47ec-b8e0-95255755f12c | SentinelOne |
| Silverfort - Certifried Incident | 9ae540c9-c926-4100-8f07-1eac22596292 | SilverfortAma |
| Silverfort - NoPacBreach Incident | bdfd2c45-10a0-44e7-a90a-ba7b6bdd9ff2 | SilverfortAma |
| SlackAudit - User role changed to admin or owner | be6c5fc9-2ac3-43e6-8fb0-cb139e04e43e | SlackAuditAPI |
| SlackAudit - User login after deactivated. | e6e99dcb-4dff-48d2-8012-206ca166b36b | SlackAuditAPI |
| Snowflake - User granted admin privileges | 5ed33eee-0ab6-4bf5-9e9b-6100db83d39a | Snowflake |
| New Sonrai Ticket | bcc3362d-b6f9-4de0-b41c-707fafd5a416 | SonraiDataConnector |
| Sonrai Ticket Assigned | 37a8d052-a3db-4dc6-9dca-9390cac6f486 | SonraiDataConnector |
| Sonrai Ticket Closed | f5d467de-b5a2-4b4f-96db-55e27c733594 | SonraiDataConnector |
| Sonrai Ticket Escalation Executed | 0d29c93e-b83f-4dfb-bbbb-76824b77eeca | SonraiDataConnector |
| Sonrai Ticket Escalation Executed | 822fff15-ea68-4d0f-94ee-b4482ddb6f3a | SonraiDataConnector |
| Sonrai Ticket Reopened | b60129ab-ce22-4b76-858d-3204932a13cc | SonraiDataConnector |
| Sonrai Ticket Risk Accepted | 080191e8-271d-4ae6-85ce-c7bcd4b06b40 | SonraiDataConnector |
| Sonrai Ticket Snoozed | 10e6c454-5cad-4f86-81ce-800235cb050a | SonraiDataConnector |
| Sonrai Ticket Updated | af9b8eb1-a8ef-40aa-92a4-1fc73a1479c7 | SonraiDataConnector |
| Theom - Overprovisioned Roles Shadow DB | fb7769d0-e622-4479-95b4-f6266a5b41e2 | Theom |
| Theom - Shadow DB with atypical accesses | 02bff937-ca52-4f52-a9cd-b826f8602694 | Theom |
| ApexOne - Device access permissions was changed | b463b952-67b8-11ec-90d6-0242ac120003 | TrendMicroApexOne, TrendMicroApexOneAma, CefAma |
| ApexOne - Possible exploit or execute operation | e289d762-6cc2-11ec-90d6-0242ac120003 | TrendMicroApexOne, TrendMicroApexOneAma, CefAma |
| vCenter - Root impersonation | f1fcb22c-b459-42f2-a7ee-7276b5f1309c | vCenter, CustomLogsAma |
| VMware vCenter - Root login | 03e8a895-b5ba-49a0-aed3-f9a997d92fbe | vCenter, CustomLogsAma |
| VMware ESXi - Root impersonation | 23a3cf72-9497-408e-8144-87958a60d31a | VMwareESXi, SyslogAma |
| VMware ESXi - Root login | deb448a8-6a9d-4f8c-8a95-679a0a2cd62c | VMwareESXi, SyslogAma |
| VMware ESXi - Shared or stolen root account | 9c496d6c-42a3-4896-9b6c-00254386928f | VMwareESXi, SyslogAma |
| Potential Fodhelper UAC Bypass | 56f3f35c-3aca-4437-a1fb-b7a84dc4af00 | SecurityEvents, WindowsSecurityEvents |
| Application ID URI Changed | 9fb2ee72-959f-4c2b-bc38-483affc539e4 | AzureActiveDirectory |
| Application Redirect URL Update | a1080fc1-13d1-479b-8340-255f0290d96c | AzureActiveDirectory |
| Changes to Application Logout URL | 492fbe35-cbac-4a8c-9059-826782e6915a | AzureActiveDirectory |
| Changes to Application Ownership | cc5780ce-3245-4bba-8bc1-e9048c2257ce | AzureActiveDirectory |
| Changes to PIM Settings | 0ed0fe7c-af29-4990-af7f-bb5ccb231198 | AzureActiveDirectory |
| End-user consent stopped due to risk-based consent | 009b9bae-23dd-43c4-bcb9-11c4ba7c784a | AzureActiveDirectory |
| Service Principal Assigned App Role With Sensitive Access | dd78a122-d377-415a-afe9-f22e08d2112c | AzureActiveDirectory |
| Service Principal Assigned Privileged Role | 84cccc86-5c11-4b3a-aca6-7c8f738ed0f7 | AzureActiveDirectory |
| Suspicious linking of existing user to external User | 22a320c2-e1e5-4c74-a35b-39fc9cdcf859 | AzureActiveDirectory |
| URL Added to Application from Unknown Domain | 017e095a-94d8-430c-a047-e51a11fb737b | AzureActiveDirectory |
| Application Gateway WAF - SQLi Detection | 68c0b6bb-6bd9-4ef4-9011-08998c8ef90f | WAF |
| Email access via active sync | 2f561e20-d97b-4b13-b02d-18b34af6e87c | SecurityEvents, MicrosoftThreatProtection, WindowsSecurityEvents, WindowsForwardedEvents |
| Detecting Impossible travel with mailbox permission tampering & Privilege Escalation attempt | 1399664f-9434-497c-9cde-42e4d74ae20e | AzureSecurityCenter, Office365, AzureActivity, AzureActiveDirectory |
| Potential Fodhelper UAC Bypass (ASIM Version) | ac9e233e-44d4-45eb-b522-6e47445f6582 | |
| M365D Alerts Correlation to non-Microsoft Network device network activity involved in successful sign-in Activity | 779731f7-8ba0-4198-8524-5701b7defddc | OfficeATP, PaloAltoNetworks, Fortinet, CheckPoint, Zscaler |
| Suspicious Login from deleted guest account | defe4855-0d33-4362-9557-009237623976 | AzureActiveDirectory |
| Suspicious modification of Global Administrator user properties | 48602a24-67cf-4362-b258-3f4249e55def | AzureActiveDirectory, BehaviorAnalytics |
| Detect PIM Alert Disabling activity | 1f3b4dfd-21ff-4ed3-8e27-afc219e05c50 | AzureActiveDirectory |
| COM Event System Loading New DLL | 02f6c2e5-219d-4426-a0bf-ad67abc63d53 | SecurityEvents |
| Group created then added to built in domain local or global group | a7564d76-ec6b-4519-a66b-fcc80c42332b | SecurityEvents, WindowsSecurityEvents, WindowsForwardedEvents |
| Possible Resource-Based Constrained Delegation Abuse | 2937bc6b-7cda-4fba-b452-ea43ba8e835f | SecurityEvents |
| Solorigate Named Pipe | 11b4c19d-2a79-4da3-af38-b067e1273dee | SecurityEvents, WindowsSecurityEvents, WindowsForwardedEvents |
| Account added and removed from privileged groups | 7efc75ce-e2a4-400f-a8b1-283d3b0f2c60 | SecurityEvents, WindowsSecurityEvents, WindowsForwardedEvents |
| User account added to built in domain local or global group | a35f2c18-1b97-458f-ad26-e033af18eb99 | SecurityEvents, WindowsSecurityEvents, WindowsForwardedEvents |
| User account created and deleted within 10 mins | 4b93c5af-d20b-4236-b696-a28b8c51407f | SecurityEvents, WindowsSecurityEvents, WindowsForwardedEvents |
| User account enabled and disabled within 10 mins | 3d023f64-8225-41a2-9570-2bd7c2c4535e | SecurityEvents, WindowsSecurityEvents, WindowsForwardedEvents |
| New user created and added to the built-in administrators group | aa1eff90-29d4-49dc-a3ea-b65199f516db | SecurityEvents, WindowsSecurityEvents, WindowsForwardedEvents |
| Service Principal Name (SPN) Assigned to User Account | 875d0eb1-883a-4191-bd0e-dbfdeb95a464 | SecurityEvents |
| User joining Zoom meeting from suspicious timezone | 58fc0170-0877-4ea8-a9ff-d805e361cfae | |