Detects activity when a member is added to a security-enabled global group
Detects activity when a member is removed from a security-enabled global group
Detects activity when a security-enabled global group is deleted
Detects logon events that specify new credentials
Detects a successful logon with logon type 9 (NewCredentials), which matches the Overpass-the-Hash behaviour of e.g. Mimikatz's sekurlsa::pth module.
Detects remote logons by the Administrator account (adjust to the internal naming pattern).
Detects the default "UserName" used by the DiagTrackEoP PoC
Detects a successful logon from a public IP address via RDP. This can indicate a publicly exposed RDP port.
Detects a successful logon from a public IP address via SMB. This can indicate a publicly exposed SMB port.
A logon from a public IP address can indicate a misconfigured firewall or network boundary.
Detects logon events that have characteristics of events generated during an attack with KrbRelayUp and the like
Detects logons performed via WMI
Detects the pass-the-hash attack technique, which is used to move laterally inside the network
Detects potential token impersonation and theft, for example when "DuplicateToken(Ex)" and "ImpersonateLoggedOnUser" are used with the "LOGON32_LOGON_NEW_CREDENTIALS" flag.
Detects RDP logons with a localhost source address, which may indicate a tunnelled logon
Detects potential adversaries leveraging WMI ActiveScriptEventConsumers remotely to move laterally within a network
Detects logon events that have characteristics of events generated during an attack with RottenPotato and the like
Detects the use of a scanner by zerosum0x0 that discovers targets vulnerable to CVE-2019-0708 RDP RCE aka BlueKeep