EXPLORE DETECTIONS
AD Object WriteDAC Access
Detects WRITE_DAC access to a domain object
AD Privileged Users or Groups Reconnaissance
Detect priv users or groups recon based on 4661 eventid and known privileged users or groups SIDs
ADCS Certificate Template Configuration Vulnerability
Detects certificate creation with template allowing risk permission subject
ADCS Certificate Template Configuration Vulnerability with Risky EKU
Detects certificate creation with template allowing risk permission subject and risky EKU
Add Debugger Entry To AeDebug For Persistence
Detects when an attacker adds a new "Debugger" value to the "AeDebug" key in order to achieve persistence which will get invoked when an application crashes
Add Debugger Entry To Hangs Key For Persistence
Detects when an attacker adds a new "Debugger" value to the "Hangs" key in order to achieve persistence which will get invoked when an application crashes
Add DisallowRun Execution to Registry
Detect set DisallowRun to 1 to prevent user running specific computer program
Add Insecure Download Source To Winget
Detects usage of winget to add a new insecure (http) download source. Winget will not allow the addition of insecure sources, hence this could indicate potential suspicious activity (or typos)
Add New Download Source To Winget
Detects usage of winget to add new additional download sources
Add or Remove Computer from DC
Detects the creation or removal of a computer. Can be used to detect attacks such as DCShadow via the creation of a new SPN.
Add Port Monitor Persistence in Registry
Adversaries may use port monitors to run an attacker supplied DLL during system boot for persistence or privilege escalation. A port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup.
Add Potential Suspicious New Download Source To Winget
Detects usage of winget to add new potentially suspicious download sources
Add SafeBoot Keys Via Reg Utility
Detects execution of "reg.exe" commands with the "add" or "copy" flags on safe boot registry keys. Often used by attacker to allow the ransomware to work in safe mode as some security products do not
Add Windows Capability Via PowerShell Cmdlet
Detects usage of the "Add-WindowsCapability" cmdlet to add Windows capabilities. Notable capabilities could be "OpenSSH" and others.
Add Windows Capability Via PowerShell Script
Detects usage of the "Add-WindowsCapability" cmdlet to add Windows capabilities. Notable capabilities could be "OpenSSH" and others.
Added Credentials to Existing Application
Detects when a new credential is added to an existing application. Any additional credentials added outside of expected processes could be a malicious actor using those credentials.
Added Owner To Application
Detects when a new owner is added to an application. This gives that account privileges to make modifications and configuration changes to the application.
AddinUtil.EXE Execution From Uncommon Directory
Detects execution of the Add-In deployment cache updating utility (AddInutil.exe) from a non-standard directory.
Addition of SID History to Active Directory Object
An attacker can use the SID history attribute to gain additional privileges.
ADExplorer Writing Complete AD Snapshot Into .dat File
Detects the dual use tool ADExplorer writing a complete AD snapshot into a .dat file. This can be used by attackers to extract data for Bloodhound, usernames for password spraying or use the meta data for social engineering. The snapshot doesn't contain password hashes but there have been cases, where administrators put passwords in the comment field.
ADFS Database Named Pipe Connection By Uncommon Tool
Detects suspicious local connections via a named pipe to the AD FS configuration database (Windows Internal Database). Used to access information such as the AD FS configuration settings which contains sensitive information used to sign SAML tokens.
Admin User Remote Logon
Detect remote login by Administrator user (depending on internal pattern).
ADS Zone.Identifier Deleted
Detects the deletion of the "Zone.Identifier" ADS. Attackers can leverage this in order to bypass security restrictions that make use of the ADS such as Microsoft Office apps.
ADS Zone.Identifier Deleted By Uncommon Application
Detects the deletion of the "Zone.Identifier" ADS by an uncommon process. Attackers can leverage this in order to bypass security restrictions that make use of the ADS such as Microsoft Office apps.