The following table contains an alphabetical list of all indicators that originate from On Demand Audi, .
| Indicator | Indicator Type | Severity |
|---|---|---|
| Active Directory Database (NTDS.dit) access attempt detected | Detected TTP | Critical |
| AD Database (NTDS.dit) file modification attempt detected | Detected TTP | Critical |
| AD schema configuration changes | Detected TTP | Critical |
| Administrative privilege elevation detected (adminCount attribute) | Detected TTP | Critical |
| Attempt to access protected Active Directory database detected | Detected TTP | Medium |
| Attempt to access protected Windows file or folder detected | Detected TTP | Medium |
| Attempt to edit protected group policy object detected | Detected TTP | Medium |
| Attempt to modify protected Active Directory object detected | Detected TTP | Medium |
| Domain level group policy linked changes detected | Detected TTP | Critical |
| Entra ID Privileged group changes | Detected TTP | Medium |
| Entra ID Privileged principal logons | Detected TTP | Medium |
| Entra ID Privileged risk events | Detected TTP | High |
| Entra ID Privileged role changes | Detected TTP | Medium |
| Entra ID Privileged service principal changes | Detected TTP | Medium |
| Entra ID Privileged tenant level and directory activity | Detected TTP | Medium |
| Entra ID Privileged user changes | Detected TTP | Medium |
| File changes with suspicious file extensions | Detected TTP | Critical |
| Group Policy scheduled task section modified | Detected TTP | High |
| Irregular Active Directory replication activity detected (DCSync) | Detected TTP | Critical |
| Irregular domain controller registration detected (DCShadow) | Detected TTP | Critical |
| NTLM version 1 authentications | Detected TTP | Medium |
| Possible Golden Ticket Kerberos exploit | Detected TTP | Critical |
| Potential sIDHistory injection detected | Detected TTP | Critical |
| Security changes to Tier Zero computer objects | Detected TTP | High |
| Security changes to Tier Zero domain objects | Detected TTP | Critical |
| Security changes to Tier Zero group objects | Detected TTP | Critical |
| Security changes to Tier Zero group policy objects | Detected TTP | Critical |
| Security changes to Tier Zero user objects | Detected TTP | Critical |
| Suspicious group ESX Admins created or member added | Detected TTP | High |
| Tier Zero computer changes | Detected TTP | High |
| Tier Zero domain and forest configuration changes | Detected TTP | Critical |
| Tier Zero group changes | Detected TTP | Critical |
| Tier Zero group policy object changes | Detected TTP | Critical |
| Tier Zero user changes | Detected TTP | High |
| Tier Zero user logons to computers that are not Tier Zero | Detected TTP | Critical |
| Unsafe encryption used in Kerberos ticket (vulnerable to Kerberoasting) | Detected TTP | Critical |
| Unusual increase in AD account lockouts | Detected Anomaly | Critical |
| Unusual increase in failed AD changes | Detected Anomaly | Critical |
| Unusual increase in failed AD Federation Services sign-ins | Detected Anomaly | Critical |
| Unusual increase in failed on-premises sign-ins | Detected Anomaly | Critical |
| Unusual increase in file deletes | Detected Anomaly | Critical |
| Unusual increase in file renames | Detected Anomaly | Critical |
| Unusual increase in permission changes to AD objects | Detected Anomaly | Critical |
| Unusual increase in share access permission changes | Detected Anomaly | Critical |
| Unusual increase in successful AD Federation Services sign-in | Detected Anomaly | Critical |
| Unusual increase in successful on-premises sign-ins | Detected Anomaly | Critical |
| Unusual increase in successful tenant sign-ins | Detected Anomaly | Critical |
| Unusual increase in tenant sign-in failures | Detected Anomaly | Critical |
| User ServicePrincipalName attribute changed (vulnerable to Kerberoasting) | Detected TTP | Critical |