Detects the renaming of an existing computer account to a account name that doesn't contain a $ symbol as seen in attacks against CVE-2021-42287

Read More

Detects the addition of a new user to a privileged group such as "root" or "sudo"

Read More

Detects global permissions change activity.

Read More

Detects when an access policy that is applied to a GCP cloud resource is deleted. An adversary would be able to remove access policies to gain access to a GCP cloud resource.

Read More

Detects activity when a member is added to a security-enabled global group

Read More

Detects activity when a member is removed from a security-enabled global group

Read More

Addition of domains is seldom and should be verified for legitimacy.

Read More

Detects activity when a security-enabled global group is deleted

Read More

Indicates that there are anomalous patterns of behavior like suspicious changes to the directory.

Read More

Detects AWS API key creation for a user by another user. Backdoored users can be used to obtain persistence in the AWS environment. Also with this alert, you can detect a flow of AWS keys in your org.

Read More

Detects when a transfer lock was removed from a Route 53 domain. It is recommended to refrain from performing this action unless intending to transfer the domain to a different registrar.

Read More

Detects when a request has been made to transfer a Route 53 domain to another AWS account.

Read More

Detects activity when someone is changing passwords on behalf of other users. An attacker with the "iam:UpdateLoginProfile" permission on other users can change the password used to login to the AWS console on any user that already has a login profile setup.

Read More

Detects when a user is removed from a privileged role. Bulk changes should be investigated.

Read More

Change to authentication method could be an indicator of an attacker adding an auth method to the account so they can have continued access.

Read More

Find local accounts being created or modified as well as remote authentication configurations

Read More

Detects scenario where if a user is assigned the SeEnableDelegationPrivilege right in Active Directory it would allow control of other AD user objects.

Read More

Detects when an API access service account is granted domain authority.

Read More

Detects when an Google Workspace user is granted admin privileges.

Read More

Number of VM creations or deployment activities occur in Azure via the azureactivity log.

Read More

Detects potential attempts made to set the Directory Services Restore Mode administrator password. The Directory Service Restore Mode (DSRM) account is a local administrator account on Domain Controllers. Attackers may change the password in order to obtain persistence.

Read More

Adversaries may manipulate accounts to maintain access to victim systems. Account manipulation may consist of any action that preserves adversary access to a compromised account, such as modifying credentials or permission groups

Read More

Backdooring domain object to grant the rights associated with DCSync to a regular user or machine account using Powerview\Add-DomainObjectAcl DCSync Extended Right cmdlet, will allow to re-obtain the pwd hashes of any user/computer

Read More

Detects addition of users to highly privileged groups via "Net" or "Add-LocalGroupMember".

Read More

Detects the addition of a new member to the local administrator group, which could be legitimate activity or a sign of privilege escalation activity

Read More

Detects addition of users to the local administrator group via "Net" or "Add-LocalGroupMember".

Read More