Rules Contributing to Suspicious Windows Active Directory Operation Alerts

The following rules are used to identify suspicious Windows Active Directory operations. Any one or more of them will trigger the Suspicious Windows Active Directory Operation alert. Details for each rule can be viewed by clicking the More Details link in its description.

| Title | Description |
| --- | --- |
| DPAPI Domain Backup Key Extraction | Detects tools extracting the LSA secret DPAPI domain backup key from Domain Controllers. |
| WMI Persistence - Security | Detects a suspicious WMI event filter and command line event consumer based on WMI and Security logs. |
| AD Object WriteDAC Access | Detects WRITE_DAC access to a domain object. |
| Access to a Sensitive LDAP Attribute | Identifies access to sensitive Active Directory object attributes that contain credentials and decryption keys, such as unixUserPassword, ms-PKI-AccountCredentials and msPKI-CredentialRoamingTokens. |