Monitors for the hiding possible malicious files in the C:\Windows\Fonts\ location. This folder doesn't require admin privillege to be written and executed from.

Read More

Detects creation/modification of Assistive Technology applications and persistence with usage of 'at'

Read More

Detects BGP failures which may be indicative of brute force attacks to manipulate routing

Read More

Detects LDP failures which may be indicative of brute force attacks to manipulate MPLS labels

Read More

Detects when a user disables a critical security feature for an organization.

Read More

Detects when a user creates action secret for the organization, environment, codespaces or repository.

Read More

Detects when an organization member or an outside collaborator is added to or removed from a project board or has their permission level changed or when an owner removes an outside collaborator from an organization or when two-factor authentication is required in an organization and an outside collaborator does not use 2FA or disables 2FA.

Read More

A self-hosted runner is a system that you deploy and manage to execute jobs from GitHub Actions on GitHub.com. This rule detects changes to self-hosted runners configurations in the environment. The self-hosted runner configuration changes once detected, it should be validated from GitHub UI because the log entry may not provide full context.

Read More

Detects the execution of the hacktool SharPersist - used to deploy various different kinds of persistence mechanisms

Read More

Detects BGP failures which may be indicative of brute force attacks to manipulate routing.

Read More

Detects juniper BGP missing MD5 digest. Which may be indicative of brute force attacks to manipulate routing.

Read More

Detects when a new member is added or invited to a github organization.

Read More

Detects when a new admin role assignment is created. Which could be a sign of privilege escalation or persistence

Read More

Detects DLL sideloading of system dlls that are not present on the system by default. Usually to achieve techniques such as UAC bypass and privilege escalation

Read More

Detects suspicious powershell execution via a schedule task where the command ends with an suspicious flags to hide the powershell instance instead of executeing scripts or commands. This could be a sign of persistence via PowerShell "Get-Variable" technique as seen being used in Colibri Loader

Read More

Detects the presence of "bpf_probe_write_user" BPF helper-generated warning messages. Which could be a sign of suspicious eBPF activity on the system.

Read More

Detects suspicious child processes spawning from microsoft office suite applications such as word or excel. This could indicates malicious macro execution

Read More

Detects suspicious shell spawn from Java utility keytool process (e.g. adselfservice plus exploitation)

Read More

Detects when a file with a suspicious extension is created in the startup folder

Read More

Detects scheduled task creation events that include suspicious actions, and is run once at 00:00

Read More

Detects usage of the "Add-AppxPackage" or it's alias "Add-AppPackage" to install unsigned AppX packages

Read More

Detects usage of the "Add-AppxPackage" or it's alias "Add-AppPackage" to install unsigned AppX packages

Read More

Detects the creation or modification of a vscode related powershell profile which could indicate suspicious activity as the profile can be used as a mean of persistence

Read More

Detects changes to the Netsh registry key to add a new DLL value that is located on a suspicious location. This change might be an indication of a potential persistence attempt by adding a malicious Netsh helper

Read More

Detects the execution of netsh with "add helper" flag in order to add a custom helper DLL. This technique can be abused to add a malicious helper DLL that can be used as a persistence proxy that gets called when netsh.exe is executed.

Read More

Detects changes to the Netsh registry key to add a new DLL value. This change might be an indication of a potential persistence attempt by adding a malicious Netsh helper

Read More

Detects a Chromium based browser process with the 'load-extension' flag to start a instance with a custom extension

Read More

Detects a suspicious process spawning a Chromium based browser process with the 'load-extension' flag to start an instance with a custom extension

Read More

Detects activity observed by different researchers to be HAFNIUM group activity (or related) on Exchange servers

Read More

Detects the creation of scheduled tasks in user session

Read More

Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for registry to redirect from the originally specified executable to one that they control, in order to launch their own code at Service start. Windows stores local service configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services

Read More

Detects .NET Framework CLR and .NET Core CLR "cor_enable_profiling" and "cor_profiler" variables being set and configured.

Read More

Detects installation of a potentially suspicious new shim with an uncommon extension using sdbinst.exe. Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims

Read More

Detects uncommon "userinit.exe" child processes, which could be a sign of uncommon shells or login scripts used for persistence.

Read More

Detects potentially suspicious processes being spawned by a web server process which could be the result of a successfully placed web shell or exploitation

Read More

Detects patterns found in process executions cause by China Chopper like tiny (ASPX) webshells

Read More

Detects shell spawned from Java host process, which could be a sign of exploitation (e.g. log4j exploitation)

Read More

Detects suspicious processes spawned from a Java host process which could indicate a sign of exploitation (e.g. log4j)

Read More

Detects certain command line parameters often used during reconnaissance activity via web shells

Read More

Detects certain parent child patterns found in cases in which a web shell is used to perform certain credential dumping or exfiltration activities on a compromised system

Read More

Detects processes spawned from web servers (PHP, Tomcat, IIS, etc.) that perform reconnaissance looking for the existence of popular scripting tools (perl, python, wget) on the system via the help commands

Read More

Detects the addition of office test registry that allows a user to specify an arbitrary DLL that will be executed every time an Office application is started

Read More

Detects file write event from/to a fake recycle bin folder that is often used as a staging directory for malware

Read More

Detects process execution from a fake recycle bin folder, often used to avoid security solution.

Read More

Detects suspicious sub processes of web server processes

Read More

Detects creation of sudoers file or files in "sudoers.d" directory which can be used a potential method to persiste privileges for a specific user.

Read More

Detects creation of new ".dll" files inside the plugins directory of a notepad++ installation by a process other than "gup.exe". Which could indicates possible persistence

Read More

Detects usage of certain functions and keywords that are used to manipulate security descriptors in order to potentially set a backdoor. As seen used in the DAMP project.

Read More

Detects a phishing attack which expands a ZIP file containing a malicious shortcut. If the victim expands the ZIP file via the explorer process, then the explorer process expands the malicious ZIP file and drops a malicious shortcut redirected to a backdoor into the Startup folder. Additionally, the file name of the malicious shortcut in Startup folder contains {0AFACED1-E828-11D1-9187-B532F1E9575D} meaning the folder shortcut operation.

Read More

Detects potential suspicious behaviour using secedit.exe. Such as exporting or modifying the security policy

Read More

Detects when the macOS Script Editor utility spawns an unusual child process.

Read More

Detects suspicious Windows strings in URI which could indicate possible exfiltration or webshell communication

Read More

Detects the creation of "ebpfbackdoor" files in both "cron.d" and "sudoers.d" directories. Which both are related to the TripleCross persistence method

Read More

Detects suspicious computer name samtheadmin-{1..100}$ generated by hacktool

Read More

Detects when an app is assigned Azure AD roles, such as global administrator, or Azure RBAC roles, such as subscription owner.

Read More

Identifies user activities originating from geographically distant locations within a time period shorter than the time it takes to travel from the first location to the second.

Read More

Detects potential Amazon SSM agent hijack attempts as outlined in the Mitiga research report.

Read More

Detects PowerShell creating a binary executable or a script file.

Read More

Detects potential Amazon SSM agent hijack attempts as outlined in the Mitiga research report.

Read More

Detects changes to the "Default" property for keys located in the \Software\Microsoft\Windows\CurrentVersion\App Paths\ registry. Which might be used as a method of persistence The entries found under App Paths are used primarily for the following purposes. First, to map an application's executable file name to that file's fully qualified path. Second, to prepend information to the PATH environment variable on a per-application, per-process basis.

Read More

Detects potential COM object hijacking where the "Server" (In/Out) is pointing to a suspicious or unsuale location

Read More

Detects PowerShell creating a PowerShell file (.ps1). While often times this behavior is benign, sometimes it can be a sign of a dropper script trying to achieve persistence.

Read More

Detects tampering of RDP Terminal Service/Server sensitive settings. Such as allowing unauthorized users access to a system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections'...etc

Read More

Detects signs of the WMI script host process "scrcons.exe" loading scripting DLLs which could indicates WMI ActiveScriptEventConsumers EventConsumers activity.

Read More

Detects the creation or modification of a powershell profile which could indicate suspicious activity as the profile can be used as a mean of persistence

Read More

Detects registry event related to the creation of a scheduled task used by Diamond Sleet APT during exploitation of Team City CVE-2023-42793 vulnerability

Read More

Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64, etc.)

Read More

Detects creation of local users via the net.exe command with the name of "DarkGate"

Read More

This rule detects the execution of the extended storage procedure backdoor named Maggie in the context of Microsoft SQL server

Read More

Detects suspicious ".hta" file creation in the startup folder by Foxit Reader. This can be an indication of CVE-2023-27363 exploitation.

Read More

Detects a specific file being created in the recent folder of Office. These files have been seen being dropped during potential exploitations of CVE-2023-36884

Read More

This method detects a service install of the malicious Microsoft Network Realtime Inspection Service service described in StoneDrill report by Kaspersky

Read More

This method detects malicious services mentioned in Turla PNG dropper report by NCC Group in November 2018

Read More

This method detects a service install of malicious services mentioned in Carbon Paper - Turla report by ESET

Read More

Detects the creation of a new PowerShell module ".psm1", ".psd1", ".dll", ".ps1", etc. by a non-PowerShell process

Read More

Detects suspicious command line that adds an account to the local administrators/administrateurs group

Read More

Detects a highly relevant Antivirus alert that reports a web shell. It's highly recommended to tune this rule to the specific strings used by your anti virus solution by downloading a big webshell repo from e.g. github and checking the matches.

Read More

Identifies when a Azure Kubernetes CronJob runs in Azure Cloud. Kubernetes Job is a controller that creates one or more pods and ensures that a specified number of them successfully terminate. Kubernetes Job can be used to run containers that perform finite tasks for batch jobs. Kubernetes CronJob is used to schedule Jobs. An Adversary may use Kubernetes CronJob for scheduling execution of malicious code that would run as a container in the cluster.

Read More

Detects a BITS transfer job downloading file(s) from a direct IP address.

Read More

Detects modification of autostart extensibility point (ASEP) in registry.

Read More

Detects the creation of system dlls that are not present on the system. Usually to achieve dll hijacking

Read More

Detects modification of autostart extensibility point (ASEP) in registry.

Read More

Detects modification of autostart extensibility point (ASEP) in registry.

Read More

A login from a public IP can indicate a misconfigured firewall or network boundary.

Read More

Detects FlowCloud malware from threat group TA410.

Read More

Detects abusing Windows 10 Narrator's Feedback-Hub

Read More

DLLs that are specified in the AppInit_DLLs value in the Registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows are loaded by user32.dll into every process that loads user32.dll

Read More

Detects suspicious new RUN key element pointing to an executable in a suspicious folder

Read More

Identifies the creation of local users via the net.exe command.

Read More

Detects creation of local users via the net.exe command with the option "never expire"

Read More

Detects modification of autostart extensibility point (ASEP) in registry.

Read More

Detects a when net.exe is called with a password in the command line

Read More

Detects the modification of an existing service in order to execute an arbitrary payload when the service is started or killed as a potential method for persistence.

Read More

Detects potential COM object hijacking leveraging the COM Search Order

Read More

Detects creation of Microsoft Office files inside of one of the default startup folders in order to achieve persistence.

Read More

Detects the creation of files with certain extensions on a static web site. This can be indicative of potential uploads of a web shell.

Read More

Detects the execution of Process Hacker based on binary metadata information (Image, Hash, Imphash, etc). Process Hacker is a tool to view and manipulate processes, kernel options and other low level options. Threat actors regularly abuse it to manipulate system processes.

Read More

Detects the execution of System Informer, a task manager tool to view and manipulate processes, kernel options and other low level operations

Read More

Detects when an attacker register a new IFilter for an extension. Microsoft Windows Search uses filters to extract the content of items for inclusion in a full-text index. You can extend Windows Search to index new or proprietary file types by writing filters to extract the content, and property handlers to extract the properties of files

Read More

Detects a possible persistence mechanism using RUN key for Windows Explorer and pointing to a suspicious folder

Read More

Detects remote task creation via at.exe or API interacting with ATSVC namedpipe

Read More

Detects Remote Utilities Host service installation on the target system.

Read More

Detects the execution of Scheduled Tasks where the Program being run is located in a suspicious location or it's an unusale program to be run from a Scheduled Task

Read More

Detects the execution of Scheduled Tasks where the program being run is located in a suspicious location or where it is an unusual program to be run from a Scheduled Task

Read More

Detects suspicious command line in which a user gets added to the local Remote Desktop Users group

Read More

Detects the creation of user-specific or system-wide environment variables via the registry. Which contains suspicious commands and strings

Read More

Detects suspicious children spawned via the Windows Terminal application which could be a sign of persistence via WindowsTerminal (see references section)

Read More

Detects usage of Sysinternals PsService which can be abused for service reconnaissance and tampering

Read More

Detects usage of Sysinternals PsSuspend which can be abused to suspend critical processes

Read More

The Tasks folder in system32 and syswow64 are globally writable paths. Adversaries can take advantage of this and load or influence any script hosts or ANY .NET Application in Tasks to load and execute a custom assembly into cscript, wscript, regsvr32, mshta, eventvwr

Read More

Detects DLL sideloading of DLLs that are part of third party software (zoom, discord....etc)

Read More

Detects suspicious child process creations of VMware Tools process which may indicate persistence setup

Read More

Detects suspicious WMI event filter and command line event consumer based on WMI and Security Logs.

Read More

Detects modification of autostart extensibility point (ASEP) in registry.

Read More

Detects usage of the "Set-Service" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as "sc.exe", "Get-Service"...etc. (Works only in powershell 7)

Read More

Detects usage of the "Set-Service" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as "sc.exe", "Get-Service"...etc. (Works only in powershell 7)

Read More

This method uses uncommon error codes on failed logons to determine suspicious activity and tampering with accounts that have been disabled or somehow restricted.

Read More

Detects when a new credential is added to an existing application. Any additional credentials added outside of expected processes could be a malicious actor using those credentials.

Read More

Detects the installation of the anydesk software service. Which could be an indication of anydesk abuse if you the software isn't already used.

Read More

Detects when a configuration change is made to an applications AppID URI.

Read More

Detects when a configuration change is made to an applications URI. URIs for domain names that no longer exist (dangling URIs), not using HTTPS, wildcards at the end of the domain, URIs that are no unique to that app, or URIs that point to domains you do not control should be investigated.

Read More

Device code flow is an OAuth 2.0 protocol flow specifically for input constrained devices and is not used in all environments. If this type of flow is seen in the environment and not being used in an input constrained device scenario, further investigation is warranted. This can be a misconfigured application or potentially something malicious.

Read More

Resource owner password credentials (ROPC) should be avoided if at all possible as this requires the user to expose their current password credentials to the application directly. The application then uses those credentials to authenticate the user against the identity provider.

Read More

Identifies when an admission controller is executed in Azure Kubernetes. A Kubernetes Admission controller intercepts, and possibly modifies, requests to the Kubernetes API server. The behavior of this admission controller is determined by an admission webhook (MutatingAdmissionWebhook or ValidatingAdmissionWebhook) that the user deploys in the cluster. An adversary can use such webhooks as the MutatingAdmissionWebhook for obtaining persistence in the cluster. For example, attackers can intercept and modify the pod creation operations in the cluster and add their malicious container to every created pod. An adversary can use the webhook ValidatingAdmissionWebhook, which could be used to obtain access credentials. An adversary could use the webhook to intercept the requests to the API server, record secrets, and other sensitive information.

Read More

Detects Bitsadmin connections to IP addresses instead of FQDN names

Read More

Detects when a user is removed from a privileged role. Bulk changes should be investigated.

Read More

Monitor and alert on conditional access changes where non approved actor removed CA Policy.

Read More

Monitor and alert on conditional access changes. Is Initiated by (actor) approved to make changes? Review Modified Properties and compare "old" vs "new" value.

Read More

Detects when changes are made to PIM roles

Read More

Sysmon registry detection of a local hidden user account.

Read More

Detects WerFault copoed to a suspicious folder, which could be a sign of WerFault DLL hijacking

Read More

Detects when an attacker create a similar folder structure to windows system folders such as (Windows, Program Files...) but with a space in order to trick DLL load search order and perform a "DLL Search Order Hijacking" attack

Read More

Detects processes loading the non-existent DLL "ShellChromeAPI". One known example is the "DeviceEnroller" binary in combination with the "PhoneDeepLink" flag tries to load this DLL. Adversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter

Read More

Detects a failed installation of a Exchange Transport Agent

Read More

Identifies when an admission controller is executed in GCP Kubernetes. A Kubernetes Admission controller intercepts, and possibly modifies, requests to the Kubernetes API server. The behavior of this admission controller is determined by an admission webhook (MutatingAdmissionWebhook or ValidatingAdmissionWebhook) that the user deploys in the cluster. An adversary can use such webhooks as the MutatingAdmissionWebhook for obtaining persistence in the cluster. For example, attackers can intercept and modify the pod creation operations in the cluster and add their malicious container to every created pod. An adversary can use the webhook ValidatingAdmissionWebhook, which could be used to obtain access credentials. An adversary could use the webhook to intercept the requests to the API server, record secrets, and other sensitive information.

Read More

Detects when a user that doesn't have permissions to invite a guest user attempts to invite one.

Read More

Detects creation of a malicious DLL file in the location where the OneDrive or Team applications Upon execution of the Teams or OneDrive application, the dropped malicious DLL file (“iphlpapi.dll”) is sideloaded

Read More

Detects suspicious modification of crontab file.

Read More

Detects the use of Moriya rootkit as described in the securelist's Operation TunnelSnake report

Read More

Detects when an attacker tries to backdoor the MSSQL server by adding a backdoor account to the sysadmin fixed server role

Read More

Detects when the a stored procedure is set or cleared for automatic execution in MSSQL. A stored procedure that is set to automatic execution runs every time an instance of SQL Server is started

Read More

Detects NetSupport Manager service installation on the target system.

Read More

Detects creation of a new service (kernel driver) with the type "kernel"

Read More

Detect when a user has reset their password in Azure AD

Read More

Detects modification addition to the 'TypedPaths' key in the user or admin registry via the commandline. Which might indicate persistence attempt

Read More

Detects when PIM alerts are set to disabled.

Read More

Detects potential DLL sideloading using ClassicExplorer32.dll from the Classic Shell software

Read More

Detects potential DLL sideloading using comctl32.dll to obtain system privileges

Read More

Detects potential DLL sideloading using JUSTSYSTEMS Japanese word processor

Read More

Detects creation of a file named "ErrorHandler.cmd" in the "C:\WINDOWS\Setup\Scripts" directory which could be used as a method of persistence The content of C:\WINDOWS\Setup\Scripts\ErrorHandler.cmd is read whenever some tools under C:\WINDOWS\System32\oobe\ (e.g. Setup.exe) fail to run for any reason.

Read More

Detects potential privilege escalation attempt via the creation of the "*.Exe.Local" folder inside the "System32" directory in order to sideload "comctl32.dll"

Read More

Detects the creation of a symbolic link between "cmd.exe" and the accessibility on-screen keyboard binary (osk.exe) using "mklink". This technique provides an elevated command prompt to the user from the login screen without the need to log in.

Read More

Backdooring domain object to grant the rights associated with DCSync to a regular user or machine account using Powerview\Add-DomainObjectAcl DCSync Extended Right cmdlet, will allow to re-obtain the pwd hashes of any user/computer

Read More

Detects when a new admin is created.

Read More

Detects the addition of a new user to a privileged group such as "root" or "sudo"

Read More

Detects persistence registry keys for Recycle Bin

Read More

Detects the installation of RTCore service. Which could be an indication of Micro-Star MSI Afterburner vulnerable driver abuse

Read More

Detects usage of the "sc.exe" utility adding a new service with special permission seen used by threat actors which makes the service hidden and unremovable.

Read More

Detects service installation in suspicious folder appdata

Read More

Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen

Read More

Detects suspicious file type dropped by an Exchange component in IIS into a suspicious folder

Read More

Detects suspicious file type dropped by an Exchange component in IIS

Read More

Get-Variable is a valid PowerShell cmdlet WindowsApps is by default in the path where PowerShell is executed. So when the Get-Variable command is issued on PowerShell execution, the system first looks for the Get-Variable executable in the path and executes the malicious binary instead of looking for the PowerShell cmdlet.

Read More

The infrastructure for management data and operations that enables local and remote management of Windows personal computers and servers

Read More

Detects suspicious Powershell code that execute COM Objects

Read More

Detects the suspicious execution of a utility to convert Windows 3.x .grp files or for persistence purposes by malicious software or actors

Read More

Detects creation of a new service via "sc" command or the powershell "new-service" cmdlet with suspicious binary paths

Read More

Detects suspicious processes including shells spawnd from WinRM host process

Read More

Detects suspicious scheduled task creation events. Based on attributes such as paths, commands line flags, etc.

Read More

Detects update to a scheduled task event that contain suspicious keywords.

Read More

Detects the creation of a schtask that executes a file from C:\Users<USER>\AppData\Local

Read More

Adversaries may establish persistence by executing malicious content triggered by user inactivity. Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension

Read More

Detects suspicious DACL modifications via the "Set-Service" cmdlet using the "SecurityDescriptorSddl" flag (Only available with PowerShell 7) that can be used to hide services or make them unstopable

Read More

Detects usage of the "Set-Service" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as "sc.exe", "Get-Service"...etc. (Works only in powershell 7)

Read More

Detects suspicious service installation scripts

Read More

Detects when a temporary access pass (TAP) is added to an account. TAPs added to priv accounts should be investigated

Read More

Detects creation of a file named "wpbbin" in the "%systemroot%\system32" directory. Which could be indicative of UEFI based persistence method

Read More

Detects execution of the binary "wpbbin" which is used as part of the UEFI based persistence method described in the reference section

Read More

Monitor and alert on group membership additions of groups that have CA policy modification access

Read More

Detects usage of the "usermod" binary to add users add users to the root or suoders groups

Read More

Monitor and alert on group membership removal of groups that have CA policy modification access

Read More

Detects DLL sideloading of VMGuestLib.dll by the WmiApSrv service.

Read More

Detect DLL Load from Spooler Service backup folder

Read More

Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries in HKLM\Software[Wow6432Node]Microsoft\Windows NT\CurrentVersion\Winlogon\ and HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ are used to manage additional helper programs and functionalities that support Winlogon. Malicious modifications to these Registry keys may cause Winlogon to load and execute malicious DLLs and/or executables.

Read More

Detects when administrator grants either application permissions (app roles) or highly privileged delegated permissions

Read More

Detects when an Elastic Container Service (ECS) Task Definition includes a command to query the credential endpoint. This can indicate a potential adversary adding a backdoor to establish persistence or escalate privileges.

Read More

Detects when an ElastiCache security group has been created.

Read More

Detects AWS API key creation for a user by another user. Backdoored users can be used to obtain persistence in the AWS environment. Also with this alert, you can detect a flow of AWS keys in your org.

Read More

Detects S3 Browser utility performing reconnaissance looking for existing IAM Users without a LoginProfile defined then (when found) creating a LoginProfile.

Read More

Detects S3 browser utility creating Inline IAM policy containing default S3 bucket name placeholder value of "".

Read More

Detects S3 Browser utility creating IAM User or AccessKey.

Read More

Detects a change in the AWS Identity Center (FKA AWS SSO) identity provider. A change in identity provider allows an attacker to establish persistent access or escalate privileges via user impersonation.

Read More

Detects when a transfer lock was removed from a Route 53 domain. It is recommended to refrain from performing this action unless intending to transfer the domain to a different registrar.

Read More

Detects when a request has been made to transfer a Route 53 domain to another AWS account.

Read More

An attacker with the iam:UpdateLoginProfile permission on other users can change the password used to login to the AWS console on any user that already has a login profile setup. With this alert, it is used to detect anyone is changing password on behalf of other users.

Read More

Change to authentication method could be an indicator of an attacker adding an auth method to the account so they can have continued access.

Read More

Detection for when multi factor authentication has been disabled, which might indicate a malicious activity to bypass authentication mechanisms.

Read More

Detects disabling of Multi Factor Authentication.

Read More

Identifies when a Google Cloud Kubernetes CronJob runs in Azure Cloud. Kubernetes Job is a controller that creates one or more pods and ensures that a specified number of them successfully terminate. Kubernetes Job can be used to run containers that perform finite tasks for batch jobs. Kubernetes CronJob is used to schedule Jobs. An Adversary may use Kubernetes CronJob for scheduling execution of malicious code that would run as a container in the cluster.

Read More

Detects when an API access service account is granted domain authority.

Read More

Detects when an Google Workspace user is granted admin privileges.

Read More

Identifies IPs from which users grant access to other users on azure resources and alerts when a previously unseen source IP address is used.

Read More

Detects the addition of a new Federated Domain.

Read More

Detects the addition of a new Federated Domain.

Read More

Number of VM creations or deployment activities occur in Azure via the azureactivity log.

Read More

User Added to an Administrator's Azure AD Role

Read More

Detects the malicious use of a control panel item

Read More

Detects the creation or update of a scheduled task to run with "NT AUTHORITY\SYSTEM" privileges

Read More