Detects suspicious command line that adds an account to the local administrators/administrateurs group

This rule triggers on user accounts that are added to the local Administrators group, which could be legitimate activity or a sign of privilege escalation activity

Change to authentication method could be an indicator of an attacker adding an auth method to the account so they can have continued access.

Adversaries may manipulate accounts to maintain access to victim systems. Account manipulation may consist of any action that preserves adversary access to a compromised account, such as modifying credentials or permission groups

Number of VM creations or deployment activities occur in Azure via the azureactivity log.

Find local accounts being created or modified as well as remote authentication configurations

Detects the addition of a new user to a privileged group such as "root" or "sudo"

Detects scenario where if a user is assigned the SeEnableDelegationPrivilege right in Active Directory it would allow control of other AD user objects.

Backdooring domain object to grant the rights associated with DCSync to a regular user or machine account using Powerview\Add-DomainObjectAcl DCSync Extended Right cmdlet, will allow to re-obtain the pwd hashes of any user/computer

Detects AWS API key creation for a user by another user. Backdoored users can be used to obtain persistence in the AWS environment. Also with this alert, you can detect a flow of AWS keys in your org.

An attacker with the iam:UpdateLoginProfile permission on other users can change the password used to login to the AWS console on any user that already has a login profile setup. With this alert, it is used to detect anyone is changing password on behalf of other users.

Detects when a user is removed from a privileged role. Bulk changes should be investigated.

Addition of domains is seldom and should be verified for legitimacy.

The Directory Service Restore Mode (DSRM) account is a local administrator account on Domain Controllers. Attackers may change the password to gain persistence.

Detects when a transfer lock was removed from a Route 53 domain. It is recommended to refrain from performing this action unless intending to transfer the domain to a different registrar.

Detects when a request has been made to transfer a Route 53 domain to another AWS account.

Detects when an API access service account is granted domain authority.

Detects when an Google Workspace user is granted admin privileges.