The following table contains an alphabetical list of all indicators that originate from On Demand Audit.
Indicator | Indicator Type | Severity |
---|---|---|
Active Directory Database (NTDS.dit) access attempt detected | Detected TTP | Critical |
AD Database (NTDS.dit) file modification attempt detected | Detected TTP | Critical |
AD schema configuration changes | Detected TTP | Critical |
Administrative privilege elevation detected (adminCount attribute) | Detected TTP | Critical |
Attempt to access protected Active Directory database detected | Detected TTP | Medium |
Attempt to access protected Windows file or folder detected | Detected TTP | Medium |
Attempt to edit protected group policy object detected | Detected TTP | Medium |
Attempt to modify protected Active Directory object detected | Detected TTP | Medium |
Domain level group policy linked changes detected | Detected TTP | Critical |
Entra ID Privileged group changes | Detected TTP | Medium |
Entra ID Privileged principal logons | Detected TTP | Medium |
Entra ID Privileged risk events | Detected TTP | High |
Entra ID Privileged role changes | Detected TTP | Medium |
Entra ID Privileged service principal changes | Detected TTP | Medium |
Entra ID Privileged tenant level and directory activity | Detected TTP | Medium |
Entra ID Privileged user changes | Detected TTP | Medium |
File changes with suspicious file extensions | Detected TTP | Critical |
Group Policy scheduled task section modified | Detected TTP | High |
Irregular Active Directory replication activity detected (DCSync) | Detected TTP | Critical |
Irregular domain controller registration detected (DCShadow) | Detected TTP | Critical |
NTLM version 1 authentications | Detected TTP | Medium |
Possible Golden Ticket Kerberos exploit | Detected TTP | Critical |
Potential sIDHistory injection detected | Detected TTP | Critical |
Security changes to Tier Zero computer objects | Detected TTP | High |
Security changes to Tier Zero domain objects | Detected TTP | Critical |
Security changes to Tier Zero group objects | Detected TTP | Critical |
Security changes to Tier Zero group policy objects | Detected TTP | Critical |
Security changes to Tier Zero user objects | Detected TTP | Critical |
Suspicious group ESX Admins created or member added | Detected TTP | High |
Tier Zero computer changes | Detected TTP | High |
Tier Zero domain and forest configuration changes | Detected TTP | Critical |
Tier Zero group changes | Detected TTP | Critical |
Tier Zero group policy object changes | Detected TTP | Critical |
Tier Zero user changes | Detected TTP | High |
Tier Zero user logons to computers that are not Tier Zero | Detected TTP | Critical |
Unsafe encryption used in Kerberos ticket (vulnerable to Kerberoasting) | Detected TTP | Critical |
Unusual increase in AD account lockouts | Detected Anomaly | Critical |
Unusual increase in failed AD changes | Detected Anomaly | Critical |
Unusual increase in failed AD Federation Services sign-ins | Detected Anomaly | Critical |
Unusual increase in failed on-premises sign-ins | Detected Anomaly | Critical |
Unusual increase in file deletes | Detected Anomaly | Critical |
Unusual increase in file renames | Detected Anomaly | Critical |
Unusual increase in permission changes to AD objects | Detected Anomaly | Critical |
Unusual increase in share access permission changes | Detected Anomaly | Critical |
Unusual increase in successful AD Federation Services sign-in | Detected Anomaly | Critical |
Unusual increase in successful on-premises sign-ins | Detected Anomaly | Critical |
Unusual increase in successful tenant sign-ins | Detected Anomaly | Critical |
Unusual increase in tenant sign-in failures | Detected Anomaly | Critical |
User ServicePrincipalName attribute changed (vulnerable to Kerberoasting) | Detected TTP | Critical |
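Several of the Active Directory indicators above key on a single directory attribute: adminCount for the privilege-elevation indicator, servicePrincipalName and the Kerberos encryption types for the two Kerberoasting indicators, and sIDHistory for the injection indicator. The script below is an added example, not code from this page or from Quest On Demand Audit; it queries the directory for objects that already match those conditions, so you can baseline what the indicators would flag. It assumes the ActiveDirectory RSAT module on a domain-joined host, and the assumption that an unset msDS-SupportedEncryptionTypes means the account inherits a domain default that still permits RC4 (verify this against your own domain configuration).

```powershell
# Added example (not from the page or from Quest On Demand Audit).
# Assumes the ActiveDirectory module (RSAT) and a domain-joined session.
Import-Module ActiveDirectory

# Indicator: "Administrative privilege elevation detected (adminCount attribute)"
# adminCount=1 marks accounts that are, or once were, protected by AdminSDHolder.
$adminCountUsers = Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount, whenChanged |
    Select-Object SamAccountName, whenChanged

# Indicators: "User ServicePrincipalName attribute changed" and
# "Unsafe encryption used in Kerberos ticket" (both vulnerable to Kerberoasting).
# Any user account with an SPN can have a service ticket requested for it by any
# authenticated domain user; if that ticket is RC4-encrypted it is cheap to crack.
# msDS-SupportedEncryptionTypes bits: 0x1 DES-CBC-CRC, 0x2 DES-CBC-MD5,
# 0x4 RC4-HMAC, 0x8 AES128, 0x10 AES256.
$spnUsers = Get-ADUser -LDAPFilter '(&(servicePrincipalName=*)(!(sAMAccountName=krbtgt)))' `
    -Properties servicePrincipalName, 'msDS-SupportedEncryptionTypes' |
    Select-Object SamAccountName,
        @{ n = 'SPNs'; e = { $_.servicePrincipalName -join ';' } },
        @{ n = 'EncTypes'; e = { $_.'msDS-SupportedEncryptionTypes' } },
        @{ n = 'WeakEncPossible'; e = {
            $v = $_.'msDS-SupportedEncryptionTypes'
            # Assumption: an unset value falls back to a domain default that still
            # allows RC4; otherwise flag when any DES or RC4 bit is set.
            (-not $v) -or (($v -band 0x7) -ne 0)
        } }

# Indicator: "Potential sIDHistory injection detected"
# Legitimate migrations populate sIDHistory too, so review each entry rather than
# treating the list as a finding on its own.
$sidHistoryObjects = Get-ADObject -LDAPFilter '(sIDHistory=*)' -Properties sIDHistory |
    Select-Object Name, ObjectClass, @{ n = 'sIDHistory'; e = { $_.sIDHistory -join ';' } }

'== Accounts with adminCount=1 ==';            $adminCountUsers   | Format-Table -AutoSize
'== User accounts with SPNs (Kerberoastable) =='; $spnUsers        | Format-Table -AutoSize
'== Objects with sIDHistory populated ==';      $sidHistoryObjects | Format-Table -AutoSize
```

Run it as a normal domain user; none of these reads require privileged rights, which is exactly why the Kerberoasting indicators matter. Accounts that show WeakEncPossible should have AES-only encryption types set and, where the SPN is on a user rather than a computer or group-managed service account, a long random password or migration to a gMSA.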