Suspicious Ingress Authentications
These detection rules identify suspicious activity from ingress authentication records collected by InsightIDR Collectors.
Suspicious Authentication - Alibaba
Description
This detection identifies successful authentications from low-cost VPN providers.
Recommendation
Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.
MITRE ATT&CK Techniques
- Valid Accounts - T1078
- Domain Accounts - T1078.002
- Cloud Accounts - T1078.004
Suspicious Authentication - AltusHost
Description
This detection identifies successful authentications from low-cost VPN providers.
Recommendation
Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.
MITRE ATT&CK Techniques
- Valid Accounts - T1078
- Domain Accounts - T1078.002
- Cloud Accounts - T1078.004
Suspicious Authentication - Anonine VPN
Description
This detection identifies successful authentications from low-cost VPN providers.
Recommendation
Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.
Suspicious Authentication - Avast
Description
This detection identifies successful authentications from low-cost VPN providers.
Recommendation
Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.
MITRE ATT&CK Techniques
- Valid Accounts - T1078
- Domain Accounts - T1078.002
- Cloud Accounts - T1078.004
Suspicious Authentication - Choopa
Description
This detection identifies successful authentications from low-cost VPN providers.
Recommendation
Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.
MITRE ATT&CK Techniques
- Valid Accounts - T1078
- Domain Accounts - T1078.002
- Cloud Accounts - T1078.004
Suspicious Authentication - ColoCrossing
Description
This detection identifies successful authentications from low-cost VPN providers.
Recommendation
Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.
MITRE ATT&CK Techniques
- Valid Accounts - T1078
- Domain Accounts - T1078.002
- Cloud Accounts - T1078.004
Suspicious Authentication - CyberGhost
Description
This detection identifies successful authentications from low-cost VPN providers.
Recommendation
Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.
Suspicious Authentication - DataCamp Limited
Description
This detection identifies successful authentications from low-cost VPN providers.
Recommendation
Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.
MITRE ATT&CK Techniques
- Valid Accounts - T1078
- Domain Accounts - T1078.002
- Cloud Accounts - T1078.004
Suspicious Authentication - DataClub, Dedicated Servers
Description
This detection identifies successful authentications from low-cost VPN providers.
Recommendation
Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.
MITRE ATT&CK Techniques
- Valid Accounts - T1078
- Domain Accounts - T1078.002
- Cloud Accounts - T1078.004
Suspicious Authentication - Dedipath
Description
This detection identifies successful authentications from low-cost VPN providers.
Recommendation
Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.
MITRE ATT&CK Techniques
- Domain Accounts - T1078.002
Suspicious Authentication - Digital Ocean
Description
This detection identifies successful authentications from low-cost VPN providers.
Recommendation
Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.
MITRE ATT&CK Techniques
- Valid Accounts - T1078
- Domain Accounts - T1078.002
- Cloud Accounts - T1078.004
Suspicious Authentication - ExpressVPN
Description
This detection identifies successful authentications from low-cost VPN providers.
Recommendation
Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.
MITRE ATT&CK Techniques
- Valid Accounts - T1078
- Domain Accounts - T1078.002
- Cloud Accounts - T1078.004
Suspicious Authentication - GigeNET
Description
This detection identifies successful authentications from low-cost VPN providers.
Recommendation
Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.
MITRE ATT&CK Techniques
- Valid Accounts - T1078
- Domain Accounts - T1078.002
- Cloud Accounts - T1078.004
Suspicious Authentication - Host1Plus
Description
This detection identifies successful authentications from low-cost VPN providers.
Recommendation
Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.
MITRE ATT&CK Techniques
- Valid Accounts - T1078
- Domain Accounts - T1078.002
- Cloud Accounts - T1078.004
Suspicious Authentication - Input Output Flood LLC
Description
This detection identifies successful authentications from low-cost VPN providers.
Recommendation
Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.
MITRE ATT&CK Techniques
- Valid Accounts - T1078
- Domain Accounts - T1078.002
- Cloud Accounts - T1078.004
Suspicious Authentication - Interserver
Description
This detection identifies successful authentications from low-cost VPN providers.
Recommendation
Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.
Suspicious Authentication - IPVanish
Description
This detection identifies successful authentications from low-cost VPN providers.
Recommendation
Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.
MITRE ATT&CK Techniques
- Valid Accounts - T1078
- Domain Accounts - T1078.002
- Cloud Accounts - T1078.004
Suspicious Authentication - IP Volume
Description
This detection identifies successful authentications from low-cost VPN providers.
Recommendation
Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.
MITRE ATT&CK Techniques
- Valid Accounts - T1078
- Domain Accounts - T1078.002
- Cloud Accounts - T1078.004
Suspicious Authentication - IT7 Networks
Description
This detection identifies successful authentications from low-cost VPN providers.
Recommendation
Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.
Suspicious Authentication - ITL-Bulgaria Ltd.
Description
This detection identifies successful authentications from low-cost VPN providers.
Recommendation
Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.
Suspicious Authentication - LeaseWeb
Description
This detection identifies successful authentications from low-cost VPN providers.
Recommendation
Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.
MITRE ATT&CK Techniques
- Domain Accounts - T1078.002
Suspicious Authentication - Liquid Web
Description
This detection identifies successful authentications from low-cost VPN providers.
Recommendation
Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.
Suspicious Authentication - M247
Description
This detection identifies successful authentications from low-cost VPN providers.
Recommendation
Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.
MITRE ATT&CK Techniques
- Valid Accounts - T1078
- Domain Accounts - T1078.002
- Cloud Accounts - T1078.004
Suspicious Authentication - Micfo
Description
This detection identifies successful authentications from low-cost VPN providers.
Recommendation
Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.
Suspicious Authentication - NeoVPN
Description
This detection identifies successful authentications from low-cost VPN providers.
Recommendation
Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.
Suspicious Authentication - NordVPN
Description
This detection identifies successful authentications from low-cost VPN providers.
Recommendation
Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.
Suspicious Authentication - Obehosting
Description
This detection identifies successful authentications from low-cost VPN providers.
Recommendation
Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.
Suspicious Authentication - OVH
Description
This detection identifies successful authentications from low-cost VPN providers.
Recommendation
Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.
MITRE ATT&CK Techniques
- Valid Accounts - T1078
- Domain Accounts - T1078.002
- Cloud Accounts - T1078.004
Suspicious Authentication - OVPN
Description
This detection identifies successful authentications from low-cost VPN providers.
Recommendation
Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.
Suspicious Authentication - OVPN.se
Description
This detection identifies successful authentications from low-cost VPN providers.
Recommendation
Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.
Suspicious Authentication - Private Layer Inc
Description
This detection identifies successful authentications from low-cost VPN providers.
Recommendation
Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.
MITRE ATT&CK Techniques
- Valid Accounts - T1078
- Domain Accounts - T1078.002
- Cloud Account - T1136.003
Suspicious Authentication - ProfitServer
Description
This detection identifies successful authentications from low-cost VPN providers.
Recommendation
Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.
Suspicious Authentication - Psychz Networks
Description
This detection identifies successful authentications from low-cost VPN providers.
Recommendation
Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.
MITRE ATT&CK Techniques
- Valid Accounts - T1078
- Domain Accounts - T1078.002
- Cloud Accounts - T1078.004
Suspicious Authentication - QuadraNet
Description
This detection identifies successful authentications from low-cost VPN providers.
Recommendation
Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.
MITRE ATT&CK Techniques
- Valid Accounts - T1078
- Domain Accounts - T1078.002
- Cloud Accounts - T1078.004
Suspicious Authentication - Redstation Limited
Description
This detection identifies successful authentications from low-cost VPN providers.
Recommendation
Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.
Suspicious Authentication - SoftEther Corporation
Description
This detection identifies successful authentications from low-cost VPN providers.
Recommendation
Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.
Suspicious Authentication - SoftLayer
Description
This detection identifies successful authentications from low-cost VPN providers.
Recommendation
Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.
MITRE ATT&CK Techniques
- Valid Accounts - T1078
- Domain Accounts - T1078.002
- Cloud Accounts - T1078.004
Suspicious Authentication - StrongVPN
Description
This detection identifies successful authentications from low-cost VPN providers.
Recommendation
Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.
Suspicious Authentication - Tor Exit Node
Description
This detection identifies successful authentications from IP addresses of known Tor exit nodes. The Tor Project was established to provide online privacy through network anonymization. Because of this, it is often used by malicious actors as a free proxy service to hide their identity.
Recommendation
Review the authentication history for the user for the past few weeks to identify any other suspicious activity. Reach out to the user to verify whether they are knowingly using Tor when accessing organizational resources. Lock the account as necessary and have the user change their password. If this system does not require two-factor authentication, consider adding it to prevent brute-force and simple phishing attacks.
MITRE ATT&CK Techniques
- Valid Accounts - T1078
- Proxy - T1090
- Multi-hop Proxy - T1090.003
Suspicious Authentication - Total Server Solutions, Private Internet Access
Description
This detection identifies successful authentications from low-cost VPN providers.
Recommendation
Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.
MITRE ATT&CK Techniques
- Valid Accounts - T1078
- Domain Accounts - T1078.002
- Cloud Accounts - T1078.004
Suspicious Authentication - Vectant
Description
This detection identifies successful authentications from low-cost VPN providers.
Recommendation
Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.
MITRE ATT&CK Techniques
- Valid Accounts - T1078
- Domain Accounts - T1078.002
- Cloud Accounts - T1078.004
Suspicious Authentication - VolumeDrive
Description
This detection identifies successful authentications from low-cost VPN providers.
Recommendation
Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.
Suspicious Authentication - VPN Consumer Network
Description
This detection identifies successful authentications from low-cost VPN providers.
Recommendation
Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.
Suspicious Authentication - VPNSolutions
Description
This detection identifies successful authentications from low-cost VPN providers.
Recommendation
Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.
Suspicious Authentication - VPNTunnel
Description
This detection identifies successful authentications from low-cost VPN providers.
Recommendation
Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.
Suspicious Authentication - Zenex 5ive
Description
This detection identifies successful authentications from low-cost VPN providers.
Recommendation
Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.
MITRE ATT&CK Techniques
- Valid Accounts - T1078
- Domain Accounts - T1078.002
- Cloud Accounts - T1078.004