An alert is triggered upon accessing via Finder directories of system libraries on Mac.

An alert is triggered upon accessing the Environment Variables screen on Windows, potentially to make changes in internal Windows settings.

An alert is triggered upon opening the Microsoft IIS settings wizard to add roles or features.

This alert will be triggered upon opening the Internet Protocol Properties window. The operation can indicate an intent to change connected DNS servers and IP addresses.

An alert is triggered upon changing the state of a Windows service (e.g. starting or stopping) from the Services screen.

An alert is triggered upon opening Windows System Configuration utility, potentially in order to make changes in the flow of the startup process of the machine.

An alert is triggered upon opening Registry Editor and trying to connect to a remote computer in order view of modify Registry keys.

An alert is triggered upon trying to connect the Amazon EC2 (with the default user account), potentially in order to transfer data to it.

An alert is triggered upon creating or modifying scheduled tasks via command line tools.

An alert is triggered upon opening various edit dialogs of the Windows Registry Editor. This action could indicate that the user plans to make changes in a Registry key which usually should not be done by a non-Administrator user.

An alert is triggered upon opening the User Account Control settings screen potentially to change the settings (i.e., when to get notifications from the operating system on programs that are about to make changes on a machine).

An alert is triggered upon using Office 365 web interface, opening the access settings window and granting full access to a user for a specific Outlook mailbox. This action should not be done by non-Administrators.

An alert is triggered upon using manually the mount command on Mac in order to mount a file system. Usually it is expected to be done using the UI, and doing via command line is worth reviewing.

An alert is triggered upon invoking the Windows Registry Editor which usually should not be used by a non-Administrator user due to its sensitivity to changes.

An alert will be triggered upon opening the Startup and Recovery dialog, potentially to make changes on local computer.

An alert is triggered upon opening the Services screen on Windows, potentially in order to stop or start one of the Windows Services.

An alert is triggered upon opening the certificates screen within Microsoft Management Console (MMC).

This alert will be triggered upon opening the Remove Role and Features Wizard window in IIS Manager. This operation indicates an early intent to cause damage to the organization network.

An alert is triggered upon trying to change a computer name via command line tools.

An alert is triggered upon running one of the command line shell programs (CMD, PowerShell) which are powerful utilities to make changes in the system.

Running Command Line Shell programs as Administrator

See also Performing Privilege Elevation for similar alert rules

An alert is triggered upon running one of the command line shell programs (CMD, PowerShell) as an Administrator, as these are very powerful utilities for making changes in the system when launched with Administrator privileges.

An alert is triggered upon running one of the predefined DBA tools that can be used to read sensitive information, to make changes, or to delete it.

An alert is triggered upon running a predefined PowerShell command that is risky or can cause damage.

An alert is triggered upon running a command line tool and invoking a command which should not be executed by privileged users.

An alert is triggered upon running a command line tool and invoking a command which should not be executed by non-admin users.

An alert is triggered upon running one of the predefined Windows built-in management tools (such as MMC and MSCONFIG). This action could indicate that the user plans to make changes to the system settings.

An alert is triggered upon opening the Computer Name/Domain Changes dialog, potentially in order to change the computer name or the domain name membership.

An alert is triggered upon opening the Network Connection screen on Windows.

An alert is triggered upon trying to edit the SUDOERS file which can grant unauthorized root permissions for users (as the SUDOERS file grants root permissions to run specific commands).

An alert is triggered upon trying to edit the SUDOERS file using VISUDO. This file can grant unauthorized root permissions to run specific commands.

An alert is triggered upon running the IPTABLES command that can be used to setup, maintain, or inspect the tables of IPv4 packet filter rules in the kernel.

An alert is triggered upon using the SERVICE or CHKCONFIG commands to view or change system services.

An alert is triggered upon trying to view the content of cron jobs using CRONTAB.