A method for monitoring includes defining a plurality of different types of administrative activities in a computer system (20). Each administrative activity in the plurality includes an action performed by one of the computers (22, 24) in the system that can be invoked only by a user having an elevated level of privileges in the system. The administrative activities performed by at least a group of the computers in the system are tracked automatically. Upon detecting that a given computer in the system has performed an anomalous combination of at least two of the different types of administrative activities, an action is initiated to inhibit malicious exploitation of the given computer.
