Video: https://www.youtube.com/watch?v=ogJMUFMOXLY
Goal
Validate that a local admin change (new local account or new member of a privileged local group) is unauthorized, and remove the rogue admin access.
When to use
- Alerts indicating local account creation or a change to the membership of a privileged local group (for example Administrators)
Prereqs
- Endpoint telemetry (account creation and group membership events, including the acting principal, host and time) plus identity context (who owns the acting and target accounts, and whether an approved change covers them)
Procedure (high level)
- Validate who/what created the account or modified the group: the acting principal, the host and process that made the change, and when it happened
- Confirm whether the change is approved (change ticket, deployment job or known administrator activity, performed by the expected actor inside the expected window); anything that does not match is treated as unauthorized
- Remove unauthorized accounts and admin group entries on the affected host
- Capture evidence (the original events, group membership before and after removal, the remediation commands run) and update the case
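The procedure above, carried through in code as an added example (it is not part of the SOCFortress page or product): triage account-creation and admin-group-membership events against an approved-change list, decide approved vs unauthorized, and produce the removal commands and the evidence record for the case. The alert layout (`data.win.system` / `data.win.eventdata`, Windows Security event IDs 4720 and 4732), the `ApprovedChange` ticket schema, the hostnames and all sample alerts are constructed assumptions for the example.

```python
"""Triage local account / admin group changes against approved changes (added example)."""
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import List, Optional

ACCOUNT_CREATED = "4720"           # Windows: a user account was created
LOCAL_GROUP_MEMBER_ADDED = "4732"  # Windows: a member was added to a security-enabled local group
ADMIN_GROUPS = {"administrators"}  # local groups treated as privileged (compared case-insensitively)


@dataclass
class ApprovedChange:
    """One approved change from the ticketing system (hypothetical schema)."""
    ticket: str
    host: str
    actor: str          # DOMAIN\\user expected to make the change
    target: str         # account created or added to the group
    start: datetime     # approved window, UTC
    end: datetime


@dataclass
class Finding:
    host: str
    event_id: str
    when: str           # ISO-8601 UTC
    actor: str
    target: str
    group: Optional[str]
    verdict: str        # "approved" or "unauthorized"
    ticket: Optional[str]
    remediation: Optional[str]   # PowerShell to run on the host when unauthorized


def parse_event(alert: dict) -> Optional[dict]:
    """Pull actor/target/group out of a 4720 or 4732 alert (assumed Wazuh-style layout)."""
    win = alert["data"]["win"]
    sysinfo, ev = win["system"], win["eventdata"]
    eid = sysinfo["eventID"]
    if eid == ACCOUNT_CREATED:
        target, group = ev["targetUserName"], None
    elif eid == LOCAL_GROUP_MEMBER_ADDED:
        group = ev["targetUserName"]
        if group.lower() not in ADMIN_GROUPS:
            return None                      # e.g. Remote Desktop Users: out of scope here
        target = ev.get("memberName", "-")   # 4732 often logs "-" here and only gives the SID
        if target in ("-", ""):
            target = ev["memberSid"]
    else:
        return None
    return {"host": sysinfo["computer"], "event_id": eid, "group": group, "target": target,
            "when": datetime.fromisoformat(sysinfo["systemTime"].replace("Z", "+00:00")),
            "actor": f'{ev["subjectDomainName"]}\\{ev["subjectUserName"]}'}


def _same_account(a: str, b: str) -> bool:
    """Compare accounts ignoring case and an optional DOMAIN\\ or HOST\\ prefix."""
    return a.rsplit("\\", 1)[-1].lower() == b.rsplit("\\", 1)[-1].lower()


def find_approval(ev: dict, approvals: List[ApprovedChange]) -> Optional[ApprovedChange]:
    """Approved only if host, actor, target AND time window all match; otherwise unauthorized."""
    for a in approvals:
        if (a.host.lower() == ev["host"].lower() and _same_account(a.actor, ev["actor"])
                and _same_account(a.target, ev["target"]) and a.start <= ev["when"] <= a.end):
            return a
    return None


def remediation_for(ev: dict) -> str:
    """PowerShell that undoes the change on the endpoint; run after evidence is captured."""
    if ev["event_id"] == LOCAL_GROUP_MEMBER_ADDED:
        return f'Remove-LocalGroupMember -Group "{ev["group"]}" -Member "{ev["target"]}"'
    # Disable first so the account is contained even if removal fails, then remove it.
    return f'Disable-LocalUser -Name "{ev["target"]}"; Remove-LocalUser -Name "{ev["target"]}"'


def triage(alerts: List[dict], approvals: List[ApprovedChange]) -> List[Finding]:
    findings = []
    for alert in alerts:
        ev = parse_event(alert)
        if ev is None:
            continue
        approval = find_approval(ev, approvals)
        findings.append(Finding(host=ev["host"], event_id=ev["event_id"], when=ev["when"].isoformat(),
                                actor=ev["actor"], target=ev["target"], group=ev["group"],
                                verdict="approved" if approval else "unauthorized",
                                ticket=approval.ticket if approval else None,
                                remediation=None if approval else remediation_for(ev)))
    return findings


def case_evidence(findings: List[Finding]) -> str:
    """JSON to attach to the case: every unauthorized change with its remediation."""
    return json.dumps([asdict(f) for f in findings if f.verdict == "unauthorized"], indent=2)


def _alert(eid, host, when, actor, **eventdata):
    """Build a constructed alert in the assumed layout (sample data only)."""
    return {"data": {"win": {"system": {"eventID": eid, "computer": host, "systemTime": when},
                             "eventdata": {"subjectDomainName": "CORP", "subjectUserName": actor, **eventdata}}}}


SAMPLE_ALERTS = [  # constructed sample telemetry, not real events
    _alert("4732", "WS01", "2024-05-02T10:15:00Z", "svc_deploy", targetUserName="Administrators",
           memberName="WS01\\svc_backup", memberSid="S-1-5-21-1-2-3-1001"),        # covered by CHG-1042
    _alert("4720", "WS01", "2024-05-02T22:41:10Z", "jdoe", targetUserName="support_tmp"),  # no ticket
    _alert("4732", "WS01", "2024-05-02T22:41:12Z", "jdoe", targetUserName="Administrators",
           memberName="-", memberSid="S-1-5-21-1-2-3-1002"),                      # SID-only member
    _alert("4732", "WS01", "2024-05-02T22:41:20Z", "jdoe", targetUserName="Remote Desktop Users",
           memberName="WS01\\support_tmp", memberSid="S-1-5-21-1-2-3-1002"),       # not an admin group
]
APPROVALS = [ApprovedChange(ticket="CHG-1042", host="WS01", actor="CORP\\svc_deploy", target="svc_backup",
                            start=datetime(2024, 5, 2, 10, 0, tzinfo=timezone.utc),
                            end=datetime(2024, 5, 2, 11, 0, tzinfo=timezone.utc))]

if __name__ == "__main__":
    for f in triage(SAMPLE_ALERTS, APPROVALS):
        print(f.verdict, f.event_id, f.target, f.ticket or f.remediation)
    print(case_evidence(triage(SAMPLE_ALERTS, APPROVALS)))
```

An approval has to match on all four of host, actor, target and time window; a ticket that names the right account but a different actor or an expired window does not make the change approved. For the validation step, run `triage` again over the alerts from the monitoring window: the criterion is an empty unauthorized list for the affected host.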
Validation
- Rogue admin access removed: the unauthorized account no longer exists and the privileged group's membership on the host has been re-checked
- No recurrence of the account creation or group change on the host during the monitoring window
