Detects user data export activity.
Detects user permission data export attempt.
Detects DNS queries for IP lookup services such as "api.ipify.org" originating from a non browser process.
Detects the execution of PingCastle, a tool designed to quickly assess the Active Directory security level.
Detects the execution of PingCastle, a tool designed to quickly assess the Active Directory security level via a script located in a potentially suspicious or uncommon location.
Detects usage of the "Import-Module" cmdlet to load the "Microsoft.ActiveDirectory.Management.dll" DLL, which is often used by attackers to perform AD enumeration.
Detects execution of "git" to clone a remote repository whose name contains suspicious keywords.
Detects suspicious commands that use the bash "/dev/tcp" pseudo-device.
Detects AADInternals cmdlet execution. AADInternals is a tool for administering Azure AD and Office 365 which can be abused by threat actors to attack Azure AD or Office 365.
Indicates that the user's valid credentials have been leaked.
Detects events in which someone prints the contents of shell history files to the command line or redirects them to a file for reconnaissance.
Detects suspicious DNS queries to external service interaction domains that are often used for out-of-band interactions after a successful RCE.
Detects events with patterns found in commands used for reconnaissance on Linux systems.
Detects when a DNS zone transfer failed.
Detects the execution of "cat /etc/sudoers" to list all users that have sudo rights.
Detects exploitation attempts using public exploit code for CVE-2018-15473.