Account attribute changes (e.g., password set, group membership, servicePrincipalName, logon hours) correlated with unusual process lineage or timing, indicating privilege escalation or persistence via valid accounts.

| Data Component | Name | Channel |
|---|---|---|
| User Account Modification (DC0010) | WinEventLog:Security | EventCode=4738, 4728, 4670 |
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |

| Field | Description |
|---|---|
| TimeWindow | Time between suspicious process and account change (e.g., 5m). |
| HighPrivilegeGroupList | Customize group list (e.g., Domain Admins, Enterprise Admins) to monitor. |
| SubjectTargetMismatch | Flag if account modifier != modified user (potential hijack). |

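
As an added, worked illustration of the Windows analytic above (not part of this page or of any MITRE content), the following Python correlates simplified Security 4728/4738 events with Sysmon Event 1 records using the TimeWindow, HighPrivilegeGroupList and SubjectTargetMismatch fields. The sample telemetry, its simplified field names and the UNUSUAL_PARENTS list are constructed assumptions, not real logs or a vendor schema.

```python
from datetime import datetime, timedelta

# Tunable fields from the analytic above; the values are constructed examples.
TIME_WINDOW = timedelta(minutes=5)
HIGH_PRIVILEGE_GROUP_LIST = {"Domain Admins", "Enterprise Admins"}
# Assumed: parent images that rarely spawn account-management tools legitimately.
UNUSUAL_PARENTS = {"mshta.exe", "wscript.exe", "winword.exe", "excel.exe"}

# Constructed sample telemetry with simplified field names (not raw event XML).
SYSMON_EVENT1 = [
    {"time": "2024-05-01T10:01:00", "user": "CORP\\svc-backup",
     "image": "C:\\Windows\\System32\\net.exe", "parent": "C:\\Windows\\System32\\mshta.exe"},
    {"time": "2024-05-01T10:30:00", "user": "CORP\\jdoe",
     "image": "C:\\Windows\\explorer.exe", "parent": "C:\\Windows\\System32\\userinit.exe"},
]
SECURITY_EVENTS = [
    # 4728: svc-backup adds jdoe to Domain Admins two minutes after the mshta-spawned net.exe
    {"time": "2024-05-01T10:03:00", "code": 4728, "subject": "CORP\\svc-backup",
     "target": "CORP\\jdoe", "group": "Domain Admins"},
    # 4738: jdoe changes their own account; no privileged group, no odd lineage
    {"time": "2024-05-01T10:31:00", "code": 4738, "subject": "CORP\\jdoe",
     "target": "CORP\\jdoe", "group": None},
]

def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def correlate(security_events, processes, window=TIME_WINDOW,
              priv_groups=HIGH_PRIVILEGE_GROUP_LIST):
    # One alert per account change that carries at least one risk indicator.
    alerts = []
    for ev in security_events:
        change_time = datetime.fromisoformat(ev["time"])
        reasons = []
        if ev.get("group") in priv_groups:
            reasons.append("high_privilege_group")
        if ev["subject"].lower() != ev["target"].lower():
            reasons.append("subject_target_mismatch")
        # Look back TIME_WINDOW for the modifier's processes that have an unusual parent.
        for p in processes:
            age = change_time - datetime.fromisoformat(p["time"])
            if (p["user"].lower() == ev["subject"].lower()
                    and timedelta(0) <= age <= window
                    and _basename(p["parent"]) in UNUSUAL_PARENTS):
                reasons.append("unusual_lineage:%s->%s"
                               % (_basename(p["parent"]), _basename(p["image"])))
        if reasons:
            alerts.append({"code": ev["code"], "target": ev["target"], "reasons": reasons})
    return alerts
```

Only the 4728 event fires, with all three indicators; the self-service 4738 change produces no alert, which is the expected negative case for the SubjectTargetMismatch field.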

Use of native tools or scripting (e.g., usermod, passwd, groupmod) to escalate permissions or persist access on existing users, correlated with login or process events.

| Data Component | Name | Channel |
|---|---|---|
| User Account Modification (DC0010) | auditd:SYSCALL | usermod, groupmod, passwd |
| File Modification (DC0061) | auditd:PATH | /etc/passwd or /etc/group file write |

| Field | Description |
|---|---|
| SudoPath | Common sudo or privilege escalation paths (e.g., `/usr/bin/passwd`). |
| ModifiedShellList | Detect if user shell is changed to unusual one (e.g., /bin/sh -> /bin/bash). |


Modifications to user accounts via dscl, pwpolicy, or System Preferences CLI (sysadminctl) that alter user groups, enable root, or bypass MDM restrictions.

| Data Component | Name | Channel |
|---|---|---|
| User Account Modification (DC0010) | macos:unifiedlog | com.apple.accountsd, com.apple.opendirectoryd |

| Field | Description |
|---|---|
| ModifiedUserList | Track known non-system user UIDs or service accounts. |
| GroupMembershipChanges | List of sensitive groups (admin, _developer, _analyticsd). |


Modifications to SSO/SAML user attributes (e.g., isAdmin, role, MFA bypass, App assignments) often through CLI, API, or rogue IdP apps.

| Data Component | Name | Channel |
|---|---|---|
| User Account Modification (DC0010) | saas:okta | User Attribute Modified / Role Assignment Changed |

| Field | Description |
|---|---|
| RoleAssignmentBaseline | Expected user-role pairings per app or org unit. |
| APIUsageContext | Caller identity or IP address ranges for identity admin actions. |


Addition of new users or changes to role permissions (e.g., ReadOnly -> Admin) via API or vSphere Client, particularly from non-jumpbox IPs.

| Data Component | Name | Channel |
|---|---|---|
| Active Directory Object Modification (DC0066) | esxi:vpxa | vim.SessionManager.login / vim.AccountManager.createUser |

| Field | Description |
|---|---|
| VMAdminAccountName | Expected account name patterns for ESXi/vCenter admins. |
| NetworkAccessLocation | Expected IPs/subnets for legitimate ESXi access. |


Role escalation (e.g., Editor → Owner) in cloud collaboration tools (Google Workspace, O365) or file sharing apps to maintain elevated access.

| Data Component | Name | Channel |
|---|---|---|
| User Account Modification (DC0010) | m365:unified | Admin Activity > Role Change or Sharing Change |

| Field | Description |
|---|---|
| SharingSensitivityLabel | Threshold for labeling sensitive document access escalation. |
| CrossOrgChanges | Track changes made across organizational boundaries (e.g., guest users). |