Skip to content

Hide Navigation Hide TOC

AWS SAML Provider Deletion Activity (ccd6a6c8-bb4e-4a91-9d2a-07e632819374)

Detects the deletion of an AWS SAML provider, potentially indicating malicious intent to disrupt administrative or security team access. An attacker can remove the SAML provider for the information security team or a team of system administrators, to make it difficult for them to work and investigate at the time of the attack and after it.

Cluster A Galaxy A Cluster B Galaxy B Level
AWS SAML Provider Deletion Activity (ccd6a6c8-bb4e-4a91-9d2a-07e632819374) Sigma-Rules Account Access Removal - T1531 (b24e2a20-3b3d-4bf0-823b-1ed765398fb0) Attack Pattern 1
AWS SAML Provider Deletion Activity (ccd6a6c8-bb4e-4a91-9d2a-07e632819374) Sigma-Rules Cloud Accounts - T1078.004 (f232fa7a-025c-4d43-abc7-318e81a73d65) Attack Pattern 1
Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81) Attack Pattern Cloud Accounts - T1078.004 (f232fa7a-025c-4d43-abc7-318e81a73d65) Attack Pattern 2