Skip to content

Hide Navigation Hide TOC

AWS SAML Provider Deletion Activity (ccd6a6c8-bb4e-4a91-9d2a-07e632819374)

Detects the deletion of an AWS SAML provider, potentially indicating malicious intent to disrupt administrative or security team access. An attacker can remove the SAML provider for the information security team or a team of system administrators, to make it difficult for them to work and investigate at the time of the attack and after it.

Cluster A Galaxy A Cluster B Galaxy B Level
Account Access Removal - T1531 (b24e2a20-3b3d-4bf0-823b-1ed765398fb0) Attack Pattern AWS SAML Provider Deletion Activity (ccd6a6c8-bb4e-4a91-9d2a-07e632819374) Sigma-Rules 1
Cloud Accounts - T1078.004 (f232fa7a-025c-4d43-abc7-318e81a73d65) Attack Pattern AWS SAML Provider Deletion Activity (ccd6a6c8-bb4e-4a91-9d2a-07e632819374) Sigma-Rules 1
Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81) Attack Pattern Cloud Accounts - T1078.004 (f232fa7a-025c-4d43-abc7-318e81a73d65) Attack Pattern 2