Detects that a vulnerable Netlogon secure channel connection was allowed, which could be an indicator of CVE-2020-1472.
Detection of unusual child processes by different system processes
Detects a regedit started with TrustedInstaller privileges or by ProcessHacker.exe
Detects non-system users performing privileged operations on the SCM database
Monitor and alert on conditional access changes where a non-approved actor removed a CA policy.
Monitor and alert on conditional access changes. Is Initiated by (actor) approved to make changes? Review Modified Properties and compare "old" vs "new" value.
Monitor and alert on group membership additions of groups that have CA policy modification access
Monitor and alert on group membership removal of groups that have CA policy modification access
Detects the creation of a doas.conf file on a Linux host.
Detects attempts to discover files with the setuid/setgid bit set. This would allow an adversary to escalate their privileges.
Identifies when suspicious SAML activity has occurred in AWS. An adversary could gain backdoor access via SAML.
Detects attempts to bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC) Windows Firewall snap-in
Detects changes to 'HKCU\Software\Classes\Folder\shell\open\command\DelegateExecute'
Monitor and alert on conditional access changes.
Identifies the suspicious use of AssumeRole. Attackers could move laterally and escalate privileges.
Identifies the suspicious use of GetSessionToken. Tokens could be created and used by attackers to move laterally and escalate privileges.
Detects when a process, such as mimikatz, accesses the memory of svchost to dump credentials
Detects execution of the doas tool on a Linux host. This utility allows standard users to perform tasks as root, the same way sudo does.