EXPLORE DETECTIONS
User Added to Local Administrator Group
Detects the addition of a new member to the local administrator group, which could be legitimate activity or a sign of privilege escalation activity
User Added to Local Administrators Group
Detects addition of users to the local administrator group via "Net" or "Add-LocalGroupMember".
User Added To Privilege Role
Detects when a user is added to a privileged role.
User Added to Remote Desktop Users Group
Detects addition of users to the local Remote Desktop Users group via "Net" or "Add-LocalGroupMember".
User Added To Root/Sudoers Group Using Usermod
Detects usage of the "usermod" binary to add users add users to the root or suoders groups
User Couldn't Call a Privileged Service 'LsaRegisterLogonProcess'
The 'LsaRegisterLogonProcess' function verifies that the application making the function call is a logon process by checking that it has the SeTcbPrivilege privilege set. Possible Rubeus tries to get a handle to LSA.
User Discovery And Export Via Get-ADUser Cmdlet
Detects usage of the Get-ADUser cmdlet to collect user information and output it to a file
User Discovery And Export Via Get-ADUser Cmdlet - PowerShell
Detects usage of the Get-ADUser cmdlet to collect user information and output it to a file
User Has Been Deleted Via Userdel
Detects execution of the "userdel" binary. Which is used to delete a user account and related files. This is sometimes abused by threat actors in order to cover their tracks
User Logoff Event
Detects a user log-off activity. Could be used for example to correlate information during forensic investigations
User Removed From Group With CA Policy Modification Access
Monitor and alert on group membership removal of groups that have CA policy modification access
User Risk and MFA Registration Policy Updated
Detects changes and updates to the user risk and MFA registration policy. Attackers can modified the policies to Bypass MFA, weaken security thresholds, facilitate further attacks, maintain persistence.
User Shell Folders Registry Modification via CommandLine
Detects modifications to User Shell Folders registry values via reg.exe or PowerShell, which could indicate persistence attempts. Attackers may modify User Shell Folders registry values to point to malicious executables or scripts that will be executed during startup. This technique is often used to maintain persistence on a compromised system by ensuring that malicious payloads are executed automatically.
User State Changed From Guest To Member
Detects the change of user type from "Guest" to "Member" for potential elevation of privilege.
Users Added to Global or Device Admin Roles
Monitor and alert for users added to device admin roles.
Users Authenticating To Other Azure AD Tenants
Detect when users in your Azure AD tenant are authenticating to other Azure AD Tenants.
Using SettingSyncHost.exe as LOLBin
Detects using SettingSyncHost.exe to run hijacked binary
UtilityFunctions.ps1 Proxy Dll
Detects the use of a Microsoft signed script executing a managed DLL with PowerShell.
VBA DLL Loaded Via Office Application
Detects VB DLL's loaded by an office application. Which could indicate the presence of VBA Macros.
VBScript Payload Stored in Registry
Detects VBScript content stored into registry keys as seen being used by UNC2452 group
Veeam Backup Database Suspicious Query
Detects potentially suspicious SQL queries using SQLCmd targeting the Veeam backup databases in order to steal information.
Veeam Backup Servers Credential Dumping Script Execution
Detects execution of a PowerShell script that contains calls to the "Veeam.Backup" class, in order to dump stored credentials.
VeeamBackup Database Credentials Dump Via Sqlcmd.EXE
Detects dump of credentials in VeeamBackup dbo
Verclsid.exe Runs COM Object
Detects when verclsid.exe is used to run COM object via GUID