Windows Disable Change Password Through Registry
Modify Registry
Change
Windows AD Domain Controller Audit Policy Disabled
Disable or Modify Tools
Windows AD Domain Replication ACL Addition
Domain Policy Modification
Windows AD Replication Request Initiated from Unsanctioned Location
DCSync, OS Credential Dumping
Windows Create Local Account
Local Account, Create Account
Windows AD DSRM Password Reset
Account Manipulation
Windows AD Rogue Domain Controller Network Activity
Rogue Domain Controller
Windows AD Replication Request Initiated by User Account
DCSync, OS Credential Dumping
Detect Excessive Account Lockouts From Endpoint
Valid Accounts, Domain Accounts
Detect Excessive User Account Lockouts
Valid Accounts, Local Accounts
Windows Computer Account With SPN
Steal or Forge Kerberos Tickets
Kerberos Pre-Authentication Flag Disabled in UserAccountControl
Steal or Forge Kerberos Tickets, AS-REP Roasting
Cloud Compute Instance Created By Previously Unseen User
Cloud Accounts, Valid Accounts
Cloud Provisioning Activity From Previously Unseen City
Valid Accounts
Cloud Provisioning Activity From Previously Unseen Country
Valid Accounts
Abnormally High Number Of Cloud Security Group API Calls
Cloud Accounts, Valid Accounts
Abnormally High Number Of Cloud Infrastructure API Calls
Cloud Accounts, Valid Accounts
Cloud API Calls From Previously Unseen User Roles
Valid Accounts
Cloud Compute Instance Created In Previously Unused Region
Unused/Unsupported Cloud Regions
Abnormally High Number Of Cloud Instances Launched
Cloud Accounts, Valid Accounts
Abnormally High Number Of Cloud Instances Destroyed
Cloud Accounts, Valid Accounts
Cloud Provisioning Activity From Previously Unseen Region
Valid Accounts
Cloud Instance Modified By Previously Unseen User
Cloud Accounts, Valid Accounts
Short Lived Windows Accounts
Local Account, Create Account