Rules Contributing to Suspicious Windows Active Directory Operation Alerts

The following rules are used to identify suspicious activity involving Windows Active Directory operations. Any one or more of these rules will trigger a Suspicious Windows Active Directory Operation alert. Details for each rule can be viewed by clicking the More Details link in its description.
| Title | Description |
|---|---|
| DPAPI Domain Backup Key Extraction | Detects tools extracting the LSA secret DPAPI domain backup key from Domain Controllers |
| WMI Persistence - Security | Detects suspicious WMI event filter and command line event consumer based on WMI and Security logs. |
| AD Object WriteDAC Access | Detects WRITE_DAC access to a domain object |
| Access to a Sensitive LDAP Attribute | Identifies access to sensitive Active Directory object attributes that contain credentials and decryption keys, such as unixUserPassword, ms-PKI-AccountCredentials and msPKI-CredentialRoamingTokens. |