Detects when a process tries to access the memory of svchost to potentially dump credentials.
Detection of unusual child processes by different system processes
Monitor and alert on conditional access changes where a non-approved actor removed a CA policy.
Monitor and alert on conditional access changes. Is the initiating actor approved to make changes? Review the Modified Properties and compare the "old" vs "new" value.
Monitor and alert on conditional access changes.
Detects attempts to bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC) Windows Firewall snap-in
Monitor and alert on group membership additions of groups that have CA policy modification access
Monitor and alert on group membership removal of groups that have CA policy modification access
Identifies the suspicious use of AssumeRole. Attackers could move laterally and escalate privileges.
Identifies the suspicious use of GetSessionToken. Tokens could be created and used by attackers to move laterally and escalate privileges.
Identifies when suspicious SAML activity has occurred in AWS. An adversary could gain backdoor access via SAML.
Detects changes to 'HKCU\Software\Classes\Folder\shell\open\command\DelegateExecute'
Detects that a vulnerable Netlogon secure channel connection was allowed, which could be an indicator of CVE-2020-1472.
Detects regedit started with TrustedInstaller privileges or by ProcessHacker.exe
Detects non-system users performing privileged operations on the SCM database
Detects the creation of a doas.conf file on a Linux host.
Detects attempts to discover files with the setuid/setgid bit set, which would allow an adversary to escalate their privileges.
Detects execution of the doas tool on a Linux host. This utility allows standard users to perform tasks as root, the same way sudo does.