Rule Info
Name
AWS SAML Provider Deletion Activity
Author
Ivan Saakov
Description
Detects the deletion of an AWS SAML provider, which may indicate malicious intent to disrupt administrative or security team access.
An attacker can remove the SAML provider used by the information security team or by a team of system administrators to hinder their work and their investigation during and after the attack.
Date
2024-12-19 00:00:00
Modified
None
Id
ccd6a6c8-bb4e-4a91-9d2a-07e632819374
Tags
attack.t1078.004 attack.privilege-escalation attack.t1531
Type
Community Rule
Link to Public Repo
Rule History
Author
Ivan S
Title
Merge PR #5015 from @saakovv - Add `AWS SAML Provider Deletion Activity`
Date
2024-12-19
Commit