Privilege Escalation
| Rule Name | id | Required data connectors |
|---|---|---|
| Changes to Amazon VPC settings | 65360bb0-8986-4ade-a89d-af3cf44d28aa | AWS AWSS3 |
| Login to AWS Management Console without MFA | d25b1998-a592-4bc5-8a3a-92b39eedb1bc | AWS AWSS3 |
| CloudFormation policy created then used for privilege escalation | efdc3cff-f006-426f-97fd-4657862f7b9a | AWS |
| Creation of CRUD DynamoDB policy and then privilege escalation. | 6f675c17-7a61-440c-abd1-c73ef4d748ec | AWS |
| Creation of new CRUD IAM policy and then privilege escalation. | 8a607285-d95c-473d-8aab-59920de63af6 | AWS |
| Creation of CRUD KMS policy and then privilege escalation | 8e15998e-1e32-4b6d-abd1-e8482e8f3def | AWS |
| Created CRUD S3 policy and then privilege escalation | 467cbe7e-e6d4-4f4e-8e44-84dd01932c32 | AWS |
| Creation of CRUD Lambda policy and then privilege escalation | 22115d3c-e87c-485a-9130-33797d619124 | AWS |
| Creation of DataPipeline policy and then privilege escalation. | 6009c632-94e9-4ffb-a11a-b4b99f457f88 | AWS |
| Creation of EC2 policy and then privilege escalation | a694e977-740c-4578-9f8f-5e39029f1d23 | AWS |
| Creation of Glue policy and then privilege escalation | 56626956-304f-4408-8ea6-7ba5746ce09e | AWS |
| Creation of Lambda policy and then privilege escalation | 796a45ee-220b-42be-8415-c8c933cf3b6d | AWS |
| Creation of SSM policy and then privilege escalation | aaa2c05e-fdd4-4fa0-9072-6cffe3641b34 | AWS |
| Full Admin policy created and then attached to Roles, Users or Groups | 826bb2f8-7894-4785-9a6b-a8a855d8366f | AWS AWSS3 |
| Privilege escalation with AdministratorAccess managed policy | 139e7116-3884-4246-9978-c8f740770bdf | AWS |
| Privilege escalation with admin managed policy | 49ce5322-60d7-4b02-ad79-99f650aa5790 | AWS |
| Privilege escalation with FullAccess managed policy | afb4191b-a142-4065-a0da-f721ee3d006c | AWS |
| Privilege escalation via CloudFormation policy | 719d5204-10ab-4b1f-aee1-da7326750260 | AWS |
| Privilege escalation via CRUD DynamoDB policy | b9be2aa6-911d-4131-8658-d2a537ed49f4 | AWS |
| Privilege escalation via CRUD IAM policy | e20d35a3-4fec-4c8b-81b1-fc33b41990b0 | AWS |
| Privilege escalation via CRUD KMS policy | d7c39e15-997f-49e5-a782-73bf07db8aa5 | AWS |
| Privilege escalation via CRUD Lambda policy | d0953d50-3dc1-4fa3-80fa-4d3e973a0959 | AWS |
| Privilege escalation via CRUD S3 policy | fc3061bb-319c-4fe9-abe2-f59899a6d907 | AWS |
| Privilege escalation via DataPipeline policy | 48896551-1c28-4a09-8388-e51e5a927d23 | AWS |
| Privilege escalation via EC2 policy | a2b2a984-c820-4d93-830e-139bffd81fa3 | AWS |
| Privilege escalation via Glue policy | 370f0e5e-da1d-4a14-8ced-d1d7ab66a8d7 | AWS |
| Privilege escalation via Lambda policy | 8e01c41d-bd4c-4bbe-aed5-18592735052d | AWS |
| Privilege escalation via SSM policy | c668c09f-5a49-43f9-b249-6b89a31ec8fb | AWS |
| NRT Login to AWS Management Console without MFA | 0ee2aafb-4500-4e36-bcb1-e90eec2f0b9b | AWS AWSS3 |
| Jira - Global permission added | 5b0cec45-4a91-4f08-bb1b-392427e8f440 | JiraAuditAPI |
| Jira - New site admin user | b894593a-2b4c-4573-bc47-78715224a6f5 | JiraAuditAPI |
| Powershell Empire Cmdlets Executed in Command Line | ef88eb96-861c-43a0-ab16-f3835a97c928 | SecurityEvents WindowsSecurityEvents WindowsForwardedEvents |
| Admin promotion after Role Management Application Permission Grant | f80d951a-eddc-4171-b9d0-d616bb83efdc | AzureActiveDirectory |
| Bulk Changes to Privileged Account Permissions | 218f60de-c269-457a-b882-9966632b9dc6 | AzureActiveDirectory |
| NRT Privileged Role Assigned Outside PIM | 14f6da04-2f96-44ee-9210-9ccc1be6401e | AzureActiveDirectory |
| NRT User added to Azure Active Directory Privileged Groups | 70fc7201-f28e-4ba7-b9ea-c04b96701f13 | AzureActiveDirectory |
| Privileged Role Assigned Outside PIM | 269435e3-1db8-4423-9dfc-9bf59997da1c | AzureActiveDirectory |
| Rare application consent | 83ba3057-9ea3-4759-bf6a-933f2e5bc7ee | AzureActiveDirectory |
| Suspicious Service Principal creation activity | 6852d9da-8015-4b95-8ecf-d9572ee0395d | AzureActiveDirectory |
| User added to Azure Active Directory Privileged Groups | 4d94d4a9-dc96-410a-8dea-4d4d4584188b | AzureActiveDirectory |
| Suspicious granting of permissions to an account | b2c15736-b9eb-4dae-8b02-3016b6a45a32 | AzureActivity BehaviorAnalytics |
| Front Door Premium WAF - SQLi Detection | 16da3a2a-af29-48a0-8606-d467c180fe18 | WAF |
| AFD WAF - Code Injection | ded8168e-c806-4772-af30-10576e0a7529 | WAF |
| AFD WAF - Path Traversal Attack | a4d99328-e4e6-493d-b0d5-57e6f9ddae77 | WAF |
| App GW WAF - Code Injection | 912a18fc-6165-446b-8740-81ae6c3f75ee | WAF |
| App GW WAF - Path Traversal Attack | b6c3a8a6-d22c-4882-9c57-abc01690938b | WAF |
| Bitglass - New admin user | 8c8602e6-315d-400f-9d1e-23bbdee1dbfe | Bitglass |
| Box - User logged in as admin | b2197d7f-4731-483c-89de-d48606b872da | BoxDataConnector |
| Box - User role changed to owner | 174c31c9-22ec-42e5-8226-814391c08200 | BoxDataConnector |
| Privileged Account Permissions Changed | 0433c8a3-9aa6-4577-beef-2ea23be41137 | AzureActiveDirectory BehaviorAnalytics |
| User Added to Admin Role | 2a09f8cb-deb7-4c40-b08b-9137667f1c0b | AzureActiveDirectory |
| CiscoISE - ISE administrator password has been reset | e63b4d90-d0a8-4609-b187-babfcc7f86d7 | CiscoISE |
| CiscoISE - Command executed with the highest privileges from new IP | 1fa0da3e-ec99-484f-aadb-93f59764e158 | CiscoISE |
| CiscoISE - Command executed with the highest privileges by new user | e71890a2-5f61-4790-b1ed-cf1d92d3e398 | CiscoISE |
| Cisco Duo - Admin user created | 0724cb01-4866-483d-a149-eb400fe1daa8 | CiscoDuoSecurity |
| Dynatrace Application Security - Attack detection | 1b0b2065-8bac-5a00-83c4-1b58f69ac212 | DynatraceAttacks |
| Dynatrace Application Security - Code-Level runtime vulnerability detection | 305093b4-0fa2-57bc-bced-caea782a6e9c | DynatraceRuntimeVulnerabilities |
| Dynatrace Application Security - Non-critical runtime vulnerability detection | ff0af873-a2f2-4233-8412-0ef4e00b0156 | DynatraceRuntimeVulnerabilities |
| Dynatrace Application Security - Third-Party runtime vulnerability detection | af99b078-124b-543a-9a50-66ef87c09f6a | DynatraceRuntimeVulnerabilities |
| Egress Defend - Dangerous Attachment Detected | a0e55dd4-8454-4396-91e6-f28fec3d2cab | EgressDefend |
| Threats detected by Eset | 2d8a60aa-c15e-442e-9ce3-ee924889d2a6 | EsetSMC |
| Component Object Model Hijacking - Vault7 trick | 1aaff41f-4e18-45b1-bb34-de6eb4943cf2 | MicrosoftThreatProtection |
| Access Token Manipulation - Create Process with Token | 8df80270-b4fa-4a7a-931e-8d17c0b321ae | MicrosoftThreatProtection |
| Hijack Execution Flow - DLL Side-Loading | 3084b487-fad6-4000-9544-6085b9657290 | MicrosoftThreatProtection |
| Oracle suspicious command execution | e6c5ff42-0f42-4cec-994a-dabb92fe36e1 | MicrosoftThreatProtection |
| Google DNS - CVE-2021-40444 exploitation | 6758c671-e9ee-495d-b6b0-92ffd08a8c3b | GCPDNSDataConnector |
| Google DNS - CVE-2021-34527 (PrintNightmare) external exploit | e632e73a-06c4-47f6-8bed-b2498aa6e30f | GCPDNSDataConnector |
| Google DNS - CVE-2020-1350 (SIGRED) exploitation pattern | 1267d53d-f5fd-418b-b8da-34453a5994c2 | GCPDNSDataConnector |
| GCP IAM - High privileged role added to service account | 86112c4b-2535-4178-aa0e-ed9e32e3f054 | GCPIAMDataConnector |
| GWorkspace - Unexpected OS update | c02b0c8e-5da6-11ec-bf63-0242ac130002 | GoogleWorkspaceReportsAPI |
| McAfee ePO - Multiple threats on same host | f53e5168-afdb-4fad-b29a-bb9cb71ec460 | McAfeeePO |
| McAfee ePO - Threat was not blocked | 6d70a26a-c119-45b7-b4c6-44ac4fd1bcb7 | McAfeeePO |
| Ping Federate - Abnormal password resets for user | 6145efdc-4724-42a6-9756-5bd1ba33982e | PingFederate PingFederateAma |
| Red Canary Threat Detection | 6d263abb-6445-45cc-93e9-c593d3d77b89 | RedCanaryDataConnector |
| Threat Essentials - NRT User added to Azure Active Directory Privileged Groups | 0a627f29-f0dd-4924-be92-c3d6dac84367 | AzureActiveDirectory |
| Semperis DSP Recent sIDHistory changes on AD objects | 64796da3-6383-4de2-9c97-866c83c459ae | SemperisDSP |
| Semperis DSP Well-known privileged SIDs in sIDHistory | ddd75d93-5b8b-4349-babe-c4e15343c5a3 | SemperisDSP |
| Semperis DSP Zerologon vulnerability | 85c1f9e4-6f14-46bf-82d5-dbe495b92aab | SemperisDSP |
| Sentinel One - Admin login from new location | 382f37b3-b49a-492f-b436-a4717c8c5c3e | SentinelOne |
| Sentinel One - New admin created | e73d293d-966c-47ec-b8e0-95255755f12c | SentinelOne |
| SlackAudit - User role changed to admin or owner | be6c5fc9-2ac3-43e6-8fb0-cb139e04e43e | SlackAuditAPI |
| SlackAudit - User login after deactivated. | e6e99dcb-4dff-48d2-8012-206ca166b36b | SlackAuditAPI |
| Snowflake - User granted admin privileges | 5ed33eee-0ab6-4bf5-9e9b-6100db83d39a | Snowflake |
| ApexOne - Device access permissions was changed | b463b952-67b8-11ec-90d6-0242ac120003 | TrendMicroApexOne TrendMicroApexOneAma |
| ApexOne - Possible exploit or execute operation | e289d762-6cc2-11ec-90d6-0242ac120003 | TrendMicroApexOne TrendMicroApexOneAma |
| vCenter - Root impersonation | f1fcb22c-b459-42f2-a7ee-7276b5f1309c | vCenter |
| VMware vCenter - Root login | 03e8a895-b5ba-49a0-aed3-f9a997d92fbe | vCenter |
| VMware ESXi - Root impersonation | 23a3cf72-9497-408e-8144-87958a60d31a | VMwareESXi |
| VMware ESXi - Root login | deb448a8-6a9d-4f8c-8a95-679a0a2cd62c | VMwareESXi |
| VMware ESXi - Shared or stolen root account | 9c496d6c-42a3-4896-9b6c-00254386928f | VMwareESXi |
| Potential Fodhelper UAC Bypass | 56f3f35c-3aca-4437-a1fb-b7a84dc4af00 | SecurityEvents WindowsSecurityEvents |
| Application ID URI Changed | 9fb2ee72-959f-4c2b-bc38-483affc539e4 | AzureActiveDirectory |
| Application Redirect URL Update | a1080fc1-13d1-479b-8340-255f0290d96c | AzureActiveDirectory |
| Changes to Application Logout URL | 492fbe35-cbac-4a8c-9059-826782e6915a | AzureActiveDirectory |
| Changes to Application Ownership | cc5780ce-3245-4bba-8bc1-e9048c2257ce | AzureActiveDirectory |
| Changes to PIM Settings | 0ed0fe7c-af29-4990-af7f-bb5ccb231198 | AzureActiveDirectory |
| End-user consent stopped due to risk-based consent | 009b9bae-23dd-43c4-bcb9-11c4ba7c784a | AzureActiveDirectory |
| Service Principal Assigned App Role With Sensitive Access | dd78a122-d377-415a-afe9-f22e08d2112c | AzureActiveDirectory |
| Service Principal Assigned Privileged Role | 84cccc86-5c11-4b3a-aca6-7c8f738ed0f7 | AzureActiveDirectory |
| Suspicious linking of existing user to external User | 22a320c2-e1e5-4c74-a35b-39fc9cdcf859 | AzureActiveDirectory |
| URL Added to Application from Unknown Domain | 017e095a-94d8-430c-a047-e51a11fb737b | AzureActiveDirectory |
| Application Gateway WAF - SQLi Detection | 68c0b6bb-6bd9-4ef4-9011-08998c8ef90f | WAF |
| Email access via active sync | 2f561e20-d97b-4b13-b02d-18b34af6e87c | SecurityEvents MicrosoftThreatProtection WindowsSecurityEvents WindowsForwardedEvents |
| Detecting Impossible travel with mailbox permission tampering & Privilege Escalation attempt | 1399664f-9434-497c-9cde-42e4d74ae20e | AzureSecurityCenter Office365 AzureActivity AzureActiveDirectory |
| Potential Fodhelper UAC Bypass (ASIM Version) | ac9e233e-44d4-45eb-b522-6e47445f6582 | |
| M365D Alerts Correlation to non-Microsoft Network device network activity involved in successful sign-in Activity | 779731f7-8ba0-4198-8524-5701b7defddc | OfficeATP PaloAltoNetworks Fortinet CheckPoint Zscaler |
| Suspicious Login from deleted guest account | defe4855-0d33-4362-9557-009237623976 | AzureActiveDirectory |
| Suspicious modification of Global Administrator user properties | 48602a24-67cf-4362-b258-3f4249e55def | AzureActiveDirectory BehaviorAnalytics |
| User impersonation by Identity Protection alerts | 11c3d541-5fa5-49df-8218-d1c98584473b | AWS AzureActiveDirectoryIdentityProtection |
| High-Risk Cross-Cloud User Impersonation | f4a28082-2808-4783-9736-33c1ae117475 | AWS AzureActiveDirectory |
| Detect PIM Alert Disabling activity | 1f3b4dfd-21ff-4ed3-8e27-afc219e05c50 | AzureActiveDirectory |
| COM Event System Loading New DLL | 02f6c2e5-219d-4426-a0bf-ad67abc63d53 | SecurityEvents |
| Group created then added to built in domain local or global group | a7564d76-ec6b-4519-a66b-fcc80c42332b | SecurityEvents WindowsSecurityEvents WindowsForwardedEvents |
| Possible Resource-Based Constrained Delegation Abuse | 2937bc6b-7cda-4fba-b452-ea43ba8e835f | SecurityEvents |
| Solorigate Named Pipe | 11b4c19d-2a79-4da3-af38-b067e1273dee | SecurityEvents WindowsSecurityEvents WindowsForwardedEvents |
| Account added and removed from privileged groups | 7efc75ce-e2a4-400f-a8b1-283d3b0f2c60 | SecurityEvents WindowsSecurityEvents WindowsForwardedEvents |
| User account added to built in domain local or global group | a35f2c18-1b97-458f-ad26-e033af18eb99 | SecurityEvents WindowsSecurityEvents WindowsForwardedEvents |
| User account created and deleted within 10 mins | 4b93c5af-d20b-4236-b696-a28b8c51407f | SecurityEvents WindowsSecurityEvents WindowsForwardedEvents |
| User account enabled and disabled within 10 mins | 3d023f64-8225-41a2-9570-2bd7c2c4535e | SecurityEvents WindowsSecurityEvents WindowsForwardedEvents |
| New user created and added to the built-in administrators group | aa1eff90-29d4-49dc-a3ea-b65199f516db | SecurityEvents WindowsSecurityEvents WindowsForwardedEvents |
| Service Principal Name (SPN) Assigned to User Account | 875d0eb1-883a-4191-bd0e-dbfdeb95a464 | SecurityEvents |
| User joining Zoom meeting from suspicious timezone | 58fc0170-0877-4ea8-a9ff-d805e361cfae |