Product
high
advisory
Potential Shadow Credentials added to AD Object
2 rules 2 TTPsThis rule detects the modification of the msDS-KeyCredentialLink attribute in an Active Directory Computer or User Object, which could indicate an attacker is creating shadow credentials to gain persistent and stealthy access.
Active Directory +2
credential-access
shadow-credentials
windows
2r
2t
medium
advisory
Potential Credential Access via DCSync
2 rules 3 TTPsThis rule identifies when a User Account starts the Active Directory Replication Process, potentially indicating a DCSync attack, which allows attackers to steal credential information compromising the entire domain.
Azure AD Connect
credential-access
privilege-escalation
windows
active-directory
2r
3t