Performing Unauthorized Admin Tasks

Performing Unauthorized Admin Tasks (Windows/Mac)

The following out-of-the-box alert rules are assigned to the (Windows/Mac) Category: PERFORMING UNAUTHORIZED ADMIN TASKS.

See also Bypassing Security Controls for some similar alert rules.

ALERT RULE

Description

Accessing system libraries on Mac

An alert is triggered upon accessing system library directories via Finder on Mac.

Accessing Windows Environment Variables screen

An alert is triggered upon accessing the Environment Variables screen on Windows, potentially in order to change internal Windows settings.

Adding or modifying Roles and Features in IIS Manager

An alert is triggered upon opening the Microsoft IIS settings wizard to add roles or features.

Changing Internet protocol properties

An alert is triggered upon opening the Internet Protocol Properties window. The operation can indicate an intent to change the configured DNS servers and IP addresses.

Changing the state of a Windows service

An alert is triggered upon changing the state of a Windows service (e.g. starting or stopping) from the Services screen.

Changing Windows startup configuration

An alert is triggered upon opening the Windows System Configuration utility, potentially in order to change the machine's startup process.

Connecting to a remote Registry on Windows

An alert is triggered upon opening Registry Editor and trying to connect to a remote computer in order to view or modify Registry keys.

Connecting to Amazon FTP server on Mac

An alert is triggered upon trying to connect to Amazon EC2 (with the default user account), potentially in order to transfer data to it.

Creating or modifying scheduled tasks in command line tools

An alert is triggered upon creating or modifying scheduled tasks via command line tools.

Editing Registry Editor entry

An alert is triggered upon opening one of the edit dialogs of the Windows Registry Editor. This action could indicate that the user plans to change a Registry key, which usually should not be done by a non-Administrator user.

Editing User Account Control (UAC) Settings

An alert is triggered upon opening the User Account Control settings screen, potentially to change the settings (i.e., when the operating system notifies the user about programs that are about to make changes to the machine).

Granting full access to Office 365 mailbox

An alert is triggered upon using the Office 365 web interface to open the access settings window and grant a user full access to a specific Outlook mailbox. This action should not be done by non-Administrators.

Mounting file system using the mount command on Mac

An alert is triggered upon manually using the mount command on Mac to mount a file system. This is usually expected to be done through the UI, so doing it from the command line is worth reviewing.

Opening Registry Editor

An alert is triggered upon invoking the Windows Registry Editor, which usually should not be used by a non-Administrator user because the Registry is sensitive to changes.

Opening Startup and Recovery dialog

An alert is triggered upon opening the Startup and Recovery dialog, potentially to make changes on the local computer.

Opening Windows Services screen

An alert is triggered upon opening the Services screen on Windows, potentially in order to stop or start one of the Windows Services.

Opening Windows system certificates screen

An alert is triggered upon opening the certificates screen within Microsoft Management Console (MMC).

Removing roles or features in IIS Manager

An alert is triggered upon opening the Remove Roles and Features Wizard window in IIS Manager. This operation indicates an early intent to cause damage to the organization's network.

Renaming computer via command line tools

An alert is triggered upon trying to change a computer name via command line tools.

Running Command Line Shell programs

An alert is triggered upon running one of the command line shell programs (CMD, PowerShell), which are powerful utilities for making changes to the system.

Running Command Line Shell programs as Administrator

See also Performing Privilege Elevation for similar alert rules.

An alert is triggered upon running one of the command line shell programs (CMD, PowerShell) as an Administrator, as these are very powerful utilities for making changes in the system when launched with Administrator privileges.

Running DBA tools

An alert is triggered upon running one of the predefined DBA tools, which can be used to read sensitive information, to change it, or to delete it.

Running PowerShell-specific dangerous command

An alert is triggered upon running a predefined PowerShell command that is risky or can cause damage.

Running unauthorized command by admin in command line tools

An alert is triggered upon running a command line tool and invoking a command which should not be executed by privileged users.

Running unauthorized command by non-admin user in command line tools

An alert is triggered upon running a command line tool and invoking a command which should not be executed by non-admin users.

Running Windows management tools

An alert is triggered upon running one of the predefined Windows built-in management tools (such as MMC and MSCONFIG). This action could indicate that the user plans to make changes to the system settings.

Trying to change computer name or domain

An alert is triggered upon opening the Computer Name/Domain Changes dialog, potentially in order to change the computer name or the domain name membership.

Viewing network connections and network adapters settings

An alert is triggered upon opening the Network Connection screen on Windows.

Performing Unauthorized Admin Tasks (Unix/Linux)

The following out-of-the-box alert rules are assigned to the (Unix/Linux) Category: PERFORMING UNAUTHORIZED ADMIN TASKS.

ALERT RULE

Description

Editing the SUDOERS file

An alert is triggered upon trying to edit the SUDOERS file, which can grant unauthorized root permissions to users (the SUDOERS file grants root permission to run specific commands).

Editing the SUDOERS file using VISUDO

An alert is triggered upon trying to edit the SUDOERS file using VISUDO. This file can grant unauthorized root permissions to run specific commands.

Running IPTABLES command

An alert is triggered upon running the IPTABLES command, which can be used to set up, maintain, or inspect the tables of IPv4 packet filter rules in the kernel.

Running management commands on system services

An alert is triggered upon using the SERVICE or CHKCONFIG commands to view or change system services.

Viewing cron job content

An alert is triggered upon trying to view the content of cron jobs using CRONTAB.
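The command-line rules in both tables (the Unix/Linux rules above, plus the scheduled-task, computer-rename, shell, and unauthorized-command rules from the Windows/Mac table) can all be expressed as matchers over a command-execution record. The following is an added example, not the product's own code: it runs such matchers over a few constructed audit-style records and reports which rule each record trips. The record format (`user=… admin=… os=… cmd=…`), the regular expressions, and the deny lists standing in for the page's "predefined" command sets are all assumptions made for this example; the GUI-based rules (Registry Editor, Services screen, and so on) are not covered because they are not observable from a command line.

```python
"""Added example, not the product's own code: runs the command-line flavoured
"Performing Unauthorized Admin Tasks" rules over constructed audit-style
records and reports which rules each record trips."""
import re
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class CommandEvent:
    user: str
    is_admin: bool   # True when the session is elevated (Administrator/root)
    platform: str    # "windows" or "linux"
    cmdline: str


@dataclass(frozen=True)
class Rule:
    name: str
    platform: str    # "windows" or "linux"; a rule only applies to its own platform
    match: Callable[[CommandEvent], bool]


def cmd_regex(regex: str) -> Callable[[CommandEvent], bool]:
    """Build a matcher that searches the command line (case-insensitive)."""
    pat = re.compile(regex, re.IGNORECASE)
    return lambda e: pat.search(e.cmdline) is not None


def first_token(e: CommandEvent) -> str:
    parts = e.cmdline.split()
    return parts[0].lower() if parts else ""


SHELLS = {"cmd", "cmd.exe", "powershell", "powershell.exe", "pwsh", "pwsh.exe"}
# Constructed deny lists standing in for the page's "predefined" command sets;
# which commands belong in them is an organisational decision, not the page's.
DENIED_FOR_ADMIN = {"format", "diskpart"}
DENIED_FOR_NON_ADMIN = {"net", "reg", "sc"}

# The patterns are this example's assumptions about what each rule would look
# for; the page names the rules but not their exact matching logic.
RULES: List[Rule] = [
    Rule("Editing the SUDOERS file", "linux",
         cmd_regex(r"^\s*(sudo\s+)?(vi|vim|nano|emacs|sed)\b.*/etc/sudoers\b")),
    Rule("Editing the SUDOERS file using VISUDO", "linux",
         cmd_regex(r"^\s*(sudo\s+)?visudo\b")),
    Rule("Running IPTABLES command", "linux",
         cmd_regex(r"^\s*(sudo\s+)?iptables\b")),
    Rule("Running management commands on system services", "linux",
         cmd_regex(r"^\s*(sudo\s+)?(service|chkconfig)\b")),
    Rule("Viewing cron job content", "linux",
         cmd_regex(r"^\s*(sudo\s+)?crontab\b.*\s-l\b")),
    Rule("Creating or modifying scheduled tasks in command line tools", "windows",
         cmd_regex(r"^\s*schtasks(\.exe)?\b.*/(create|change)\b")),
    Rule("Renaming computer via command line tools", "windows",
         cmd_regex(r"\b(Rename-Computer|netdom\s+renamecomputer)\b")),
    Rule("Running Command Line Shell programs", "windows",
         lambda e: first_token(e) in SHELLS),
    Rule("Running Command Line Shell programs as Administrator", "windows",
         lambda e: e.is_admin and first_token(e) in SHELLS),
    Rule("Running unauthorized command by admin in command line tools", "windows",
         lambda e: e.is_admin and first_token(e) in DENIED_FOR_ADMIN),
    Rule("Running unauthorized command by non-admin user in command line tools",
         "windows", lambda e: not e.is_admin and first_token(e) in DENIED_FOR_NON_ADMIN),
]

# Assumed record layout for this example: "user=<name> admin=<0|1> os=<windows|linux> cmd=<command line>"
LINE_RE = re.compile(r"^user=(\S+)\s+admin=([01])\s+os=(windows|linux)\s+cmd=(.*)$")


def parse_event(line: str) -> CommandEvent:
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised record: {line!r}")
    user, admin, platform, cmdline = m.groups()
    return CommandEvent(user, admin == "1", platform, cmdline.strip())


def evaluate(event: CommandEvent) -> List[str]:
    """Names of every rule the event trips, in RULES order (a record may trip several)."""
    return [r.name for r in RULES if r.platform == event.platform and r.match(event)]


def scan(lines) -> List[Tuple[str, str, str]]:
    """Return (user, command line, rule name) for every rule trip across the records."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        for name in evaluate(ev):
            hits.append((ev.user, ev.cmdline, name))
    return hits


# Constructed sample records; users and commands are invented for this example.
SAMPLE_LOG = """
user=alice admin=0 os=linux cmd=visudo
user=bob admin=0 os=linux cmd=sudo nano /etc/sudoers
user=carol admin=1 os=linux cmd=iptables -L -n
user=dave admin=0 os=linux cmd=crontab -l
user=erin admin=0 os=linux cmd=crontab -e
user=frank admin=1 os=windows cmd=powershell.exe -NoProfile
user=grace admin=0 os=windows cmd=schtasks /Create /TN backup /TR c:\\x.exe /SC daily
user=heidi admin=0 os=windows cmd=net user tempadmin /add
user=ivan admin=1 os=windows cmd=diskpart
""".strip().splitlines()

if __name__ == "__main__":
    for user, cmdline, rule in scan(SAMPLE_LOG):
        print(f"{user:6} {rule:70} {cmdline}")
```

Two details worth noting: `evaluate` returns every rule that matches, so an elevated PowerShell launch trips both the plain "Running Command Line Shell programs" rule and the "as Administrator" rule, as the two separate entries in the table imply; and `crontab -e` (editing) does not trip "Viewing cron job content", because that rule is defined around viewing the jobs.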