The following table contains an alphabetical list of all indicators that originate from On Demand Audit.

| Indicator | Indicator Type | Severity |
|---|---|---|
| Active Directory Database (NTDS.dit) access attempt detected | Detected TTP | Critical |
| AD Database (NTDS.dit) file modification attempt detected | Detected TTP | Critical |
| AD schema configuration changes | Detected TTP | Critical |
| Administrative privilege elevation detected (adminCount attribute) | Detected TTP | Critical |
| Domain level group policy linked changes detected | Detected TTP | Critical |
| File changes with suspicious file extensions | Detected TTP | Critical |
| Irregular Active Directory replication activity detected (DCSync) | Detected TTP | Critical |
| Irregular domain controller registration detected (DCShadow) | Detected TTP | Critical |
| NTLM version 1 authentications | Detected TTP | Medium |
| Possible Golden Ticket Kerberos exploit | Detected TTP | Critical |
| Potential sIDHistory injection detected | Detected TTP | Critical |
| Security changes to Tier Zero computer objects | Detected TTP | High |
| Security changes to Tier Zero domain objects | Detected TTP | Critical |
| Security changes to Tier Zero group objects | Detected TTP | Critical |
| Security changes to Tier Zero group policy objects | Detected TTP | Critical |
| Security changes to Tier Zero user objects | Detected TTP | Critical |
| Suspicious group ESX Admins created or member added | Detected TTP | High |
| Tier Zero computer changes | Detected TTP | High |
| Tier Zero domain and forest configuration changes | Detected TTP | Critical |
| Tier Zero group changes | Detected TTP | Critical |
| Tier Zero group policy object changes | Detected TTP | Critical |
| Tier Zero user changes | Detected TTP | High |
| Tier Zero user logons to computers that are not Tier Zero | Detected TTP | Critical |
| Unsafe encryption used in Kerberos ticket (vulnerable to Kerberoasting) | Detected TTP | Critical |
| Unusual increase in AD account lockouts | Detected Anomaly | Critical |
| Unusual increase in failed AD changes | Detected Anomaly | Critical |
| Unusual increase in failed AD Federation Services sign-ins | Detected Anomaly | Critical |
| Unusual increase in failed on-premises sign-ins | Detected Anomaly | Critical |
| Unusual increase in file deletes | Detected Anomaly | Critical |
| Unusual increase in file renames | Detected Anomaly | Critical |
| Unusual increase in permission changes to AD objects | Detected Anomaly | Critical |
| Unusual increase in share access permission changes | Detected Anomaly | Critical |
| Unusual increase in successful AD Federation Services sign-in | Detected Anomaly | Critical |
| Unusual increase in successful on-premises sign-ins | Detected Anomaly | Critical |
| User ServicePrincipalName attribute changed (vulnerable to Kerberoasting) | Detected TTP | Critical |