EXPLORE DETECTIONS
Access of Sudoers File Content
Detects the execution of a text-based file access or inspection utilities to read the content of /etc/sudoers in order to potentially list all users that have sudo rights.
Access to a Sensitive LDAP Attribute
Identify access to sensitive Active Directory object attributes that contains credentials and decryption keys such as unixUserPassword, ms-PKI-AccountCredentials and msPKI-CredentialRoamingTokens.
Access To ADMIN$ Network Share
Detects access to ADMIN$ network share
Access to Browser Login Data
Adversaries may acquire credentials from web browsers by reading files specific to the target browser. Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. Web browsers typically store the credentials in an encrypted format within a credential store.
Access To Crypto Currency Wallets By Uncommon Applications
Detects file access requests to crypto currency files by uncommon processes. Could indicate potential attempt of crypto currency wallet stealing.
Access To Potentially Sensitive Sysvol Files By Uncommon Applications
Detects file access requests to potentially sensitive files hosted on the Windows Sysvol share.
Access to Vulnerable Ivanti Connect Secure Bookmark Endpoint
The following analytic identifies access to the /api/v1/configuration/users/user-roles/user-role/rest-userrole1/web/web-bookmarks/bookmark endpoint, which is associated with CVE-2023-46805 and CVE-2024-21887 vulnerabilities. It detects this activity by monitoring for GET requests that receive a 403 Forbidden response with an empty body. This behavior is significant as it indicates potential exploitation attempts against Ivanti Connect Secure systems. If confirmed malicious, attackers could exploit these vulnerabilities to gain unauthorized access or control over the affected systems, leading to potential data breaches or system compromise.
Access To Windows Credential History File By Uncommon Applications
Detects file access requests to the Windows Credential History File by an uncommon application. This can be a sign of credential stealing. Example case would be usage of mimikatz "dpapi::credhist" function
Access To Windows DPAPI Master Keys By Uncommon Applications
Detects file access requests to the the Windows Data Protection API Master keys by an uncommon application. This can be a sign of credential stealing. Example case would be usage of mimikatz "dpapi::masterkey" function
Account Configured with Never-Expiring Password
Detects the creation and modification of an account with the "Don't Expire Password" option Enabled. Attackers can abuse this misconfiguration to persist in the domain and maintain long-term access using compromised accounts with this property.
Account Created And Deleted Within A Close Time Frame
Detects when an account was created and deleted in a short period of time.
Account Disabled or Blocked for Sign in Attempts
Detects when an account is disabled or blocked for sign in but tried to log in
Account Discovery Command via SYSTEM Account
Identifies when the SYSTEM account uses an account discovery utility. This could be a sign of discovery activity after an adversary has achieved privilege escalation.
Account Lockout
Identifies user account which has been locked because the user tried to sign in too many times with an incorrect user ID or password.
Account Password Reset Remotely
Identifies an attempt to reset a potentially privileged account password remotely. Adversaries may manipulate account passwords to maintain access or evade password duration policies and preserve compromised credentials.
Account Tampering - Suspicious Failed Logon Reasons
This method uses uncommon error codes on failed logons to determine suspicious activity and tampering with accounts that have been disabled or somehow restricted.
Activate Suppression of Windows Security Center Notifications
Detect set Notification_Suppress to 1 to disable the Windows security center notification
Active Directory Activity
Table of recent Active Directory activity including disabled, deleted and password reset events.
Active Directory Certificate Services Denied Certificate Enrollment Request
Detects denied requests by Active Directory Certificate Services. Example of these requests denial include issues with permissions on the certificate template or invalid signatures.
Active Directory Computers Enumeration With Get-AdComputer
Detects usage of the "Get-AdComputer" to enumerate Computers or properties within Active Directory.
Active Directory Database Snapshot Via ADExplorer
Detects the execution of Sysinternals ADExplorer with the "-snapshot" flag in order to save a local copy of the active directory database. This can be used by attackers to extract data for Bloodhound, usernames for password spraying or use the meta data for social engineering. The snapshot doesn't contain password hashes but there have been cases, where administrators put passwords in the comment field.
Active Directory Discovery using AdExplorer
This rule detects the use of ADExplorer utility. Active Directory Explorer (AD Explorer) is an advanced Active Directory (AD) viewer and editor. AD Explorer also includes the ability to save snapshots of an AD database for off-line viewing and comparisons. Adversaries may abuse this utility to perform domain reconnaissance.
Active Directory Domain Services Elevation of Privilege Vulnerability, CVE-2021-42278
The following query detects possible CVE-2021-42278 exploitation by finding changes of device names in the network using Microsoft Defender for Identity
Active Directory Forced Authentication from Linux Host - SMB Named Pipes
Identifies a potential forced authentication using related SMB named pipes. Attackers may attempt to force targets to authenticate to a host controlled by them to capture hashes or enable relay attacks.