EXPLORE DETECTIONS
Active Directory Group Enumeration With Get-AdGroup
Detects usage of the "Get-AdGroup" cmdlet to enumerate Groups within Active Directory
Active Directory Group Modification by SYSTEM
Identifies a user being added to an active directory group by the SYSTEM (S-1-5-18) user. This behavior can indicate that the attacker has achieved SYSTEM privileges in a domain controller, which attackers can obtain by exploiting vulnerabilities or abusing default group privileges (e.g., Server Operators), and is attempting to pivot to a domain account.
Active Directory Lateral Movement Identified
The following analytic identifies potential lateral movement activities within an organization's Active Directory (AD) environment. It detects this activity by correlating multiple analytics from the Active Directory Lateral Movement analytic story within a specified time frame. This is significant for a SOC as lateral movement is a common tactic used by attackers to expand their access within a network, posing a substantial risk. If confirmed malicious, this activity could allow attackers to escalate privileges, access sensitive information, and persist within the environment, leading to severe security breaches.
Active Directory Privilege Escalation Identified
The following analytic identifies potential privilege escalation activities within an organization's Active Directory (AD) environment. It detects this activity by correlating multiple analytics from the Active Directory Privilege Escalation analytic story within a specified time frame. This is significant for a SOC as it helps identify coordinated attempts to gain elevated privileges, which could indicate a serious security threat. If confirmed malicious, this activity could allow attackers to gain unauthorized access to sensitive systems and data, leading to potential data breaches and further compromise of the network.
Active Directory Replication from Non Machine Account
Detects potential abuse of Active Directory Replication Service (ADRS) from a non machine account to request credentials.
Active Directory Structure Export Via Csvde.EXE
Detects the execution of "csvde.exe" in order to export organizational Active Directory structure.
Active Directory Structure Export Via Ldifde.EXE
Detects the execution of "ldifde.exe" in order to export organizational Active Directory structure.
Active Directory User Backdoors
Detects scenarios where one can control another users or computers account without having to use their credentials.
Active Setup Registry Autostart
The following analytic detects suspicious modifications to the Active Setup registry for persistence and privilege escalation. It leverages data from the Endpoint.Registry data model, focusing on changes to the "StubPath" value within the "SOFTWARE\\Microsoft\\Active Setup\\Installed Components" path. This activity is significant as it is commonly used by malware, adware, and APTs to maintain persistence on compromised machines. If confirmed malicious, this could allow attackers to execute code upon system startup, potentially leading to further system compromise and unauthorized access.
Activity From Anonymous IP Address
Identifies that users were active from an IP address that has been identified as an anonymous proxy IP address.
Activity from Anonymous IP Addresses
Detects when a Microsoft Cloud App Security reported when users were active from an IP address that has been identified as an anonymous proxy IP address.
Activity from Infrequent Country
Detects when a Microsoft Cloud App Security reported when an activity occurs from a location that wasn't recently or never visited by any user in the organization.
Activity from Suspicious IP Addresses
Detects when a Microsoft Cloud App Security reported users were active from an IP address identified as risky by Microsoft Threat Intelligence. These IP addresses are involved in malicious activities, such as Botnet C&C, and may indicate compromised account.
Activity Performed by Terminated User
Detects when a Microsoft Cloud App Security reported for users whose account were terminated in Azure AD, but still perform activities in other platforms such as AWS or Salesforce. This is especially relevant for users who use another account to manage resources, since these accounts are often not terminated when a user leaves the company.
AD Groups Or Users Enumeration Using PowerShell - PoshModule
Adversaries may attempt to find domain-level groups and permission settings. The knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as domain administrators.
AD Groups Or Users Enumeration Using PowerShell - ScriptBlock
Adversaries may attempt to find domain-level groups and permission settings. The knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as domain administrators.
AD Object WriteDAC Access
Detects WRITE_DAC access to a domain object
AD Privileged Users or Groups Reconnaissance
Detect priv users or groups recon based on 4661 eventid and known privileged users or groups SIDs
ADCS Certificate Template Configuration Vulnerability
Detects certificate creation with template allowing risk permission subject
ADCS Certificate Template Configuration Vulnerability with Risky EKU
Detects certificate creation with template allowing risk permission subject and risky EKU
Add Debugger Entry To AeDebug For Persistence
Detects when an attacker adds a new "Debugger" value to the "AeDebug" key in order to achieve persistence which will get invoked when an application crashes
Add Debugger Entry To Hangs Key For Persistence
Detects when an attacker adds a new "Debugger" value to the "Hangs" key in order to achieve persistence which will get invoked when an application crashes
Add DefaultUser And Password In Registry
The following analytic detects suspicious registry modifications that implement auto admin logon by adding DefaultUserName and DefaultPassword values. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" registry path. This activity is significant because it is associated with BlackMatter ransomware, which uses this technique to automatically log on to compromised hosts and continue encryption after a safe mode boot. If confirmed malicious, this could allow attackers to maintain persistence and further encrypt the network, leading to significant data loss and operational disruption.
Add DisallowRun Execution to Registry
Detect set DisallowRun to 1 to prevent user running specific computer program