Suspicious User Behavior

These detections identify suspicious user behavior from user events; they are intended to surface compromised credentials, lateral movement, and other malicious behavior.

User Behavior - A Computer Account Was Created

Description

A computer account was created.

Recommendation

Investigate the source user of this event to verify if this activity is benign or expected. Review any other suspicious activity related to this user. If necessary, lock the account and have the user change their password.

For more information on this event, follow this link: https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4741#security-monitoring-recommendations

MITRE ATT&CK Techniques

  • Create Account - T1136

User Behavior - A Member Was Added To A Security-Enabled Global Group

Description

A member was added to a security-enabled global group.

Recommendation

Investigate the source user of this event to verify if this activity is benign or expected. Review any other suspicious activity related to this user. If necessary, lock the account and have the user change their password.

For more information on this event, follow this link: https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4732#security-monitoring-recommendations

MITRE ATT&CK Techniques

  • Account Manipulation - T1098

User Behavior - A Member Was Added To A Security-Enabled Local Group

Description

A member was added to a security-enabled local group.

Recommendation

Investigate the source user of this event to verify if this activity is benign or expected. Review any other suspicious activity related to this user. If necessary, lock the account and have the user change their password.

For more information on this event, follow this link: https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4732#security-monitoring-recommendations

MITRE ATT&CK Techniques

  • Account Manipulation - T1098

User Behavior - A Member Was Added To A Security-Enabled Universal Group

Description

A member was added to a security-enabled universal group.

Recommendation

Investigate the source user of this event to verify if this activity is benign or expected. Review any other suspicious activity related to this user. If necessary, lock the account and have the user change their password.

For more information on this event, follow this link: https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4732#security-monitoring-recommendations

MITRE ATT&CK Techniques

  • Account Manipulation - T1098

User Behavior - An Attempt Was Made To Reset An Account's Password

Description

An attempt was made to reset an account's password.

Recommendation

Investigate the source user of this event to verify if this activity is benign or expected. Review any other suspicious activity related to this user. If necessary, lock the account and have the user change their password.

For more information on this event, follow this link: https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4724#security-monitoring-recommendations

MITRE ATT&CK Techniques

  • Account Manipulation - T1098

User Behavior - A User Account Was Changed

Description

A user account was changed.

Recommendation

Investigate the subject user of this event to verify if this activity is benign or expected. Review any other suspicious activity related to this user. If necessary, lock the account and have the user change their password.

For more information on this event, follow this link: https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4738#security-monitoring-recommendations

MITRE ATT&CK Techniques

  • Account Manipulation - T1098

User Behavior - A User Account Was Created

Description

A new account has been created.

Recommendation

Investigate the source user of this event to verify if this activity is benign or expected. Review any other suspicious activity related to this user. If necessary, lock the account and have the user change their password.

For more information on this event, follow this link: https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4720#security-monitoring-recommendations

User Behavior - A User Account Was Disabled

Description

An account has been disabled.

Recommendation

Investigate the source user of this event to verify if this activity is benign or expected. Review any other suspicious activity related to this user. If necessary, lock the account and have the user change their password.

For more information on this event, follow this link: https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4725#security-monitoring-recommendations

MITRE ATT&CK Techniques

  • Account Access Removal - T1531

User Behavior - A User Account Was Enabled

Description

A previously disabled user account has been re-enabled by an administrator.

Recommendation

Investigate the source user of this event to verify if this activity is benign or expected. Review any other suspicious activity related to this user. If necessary, lock the account and have the user change their password.

For more information on this event, follow this link: https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4722#security-monitoring-recommendations

MITRE ATT&CK Techniques

  • Account Manipulation - T1098

User Behavior - A User Account Was Locked Out

Description

An account has been locked.

Recommendation

Investigate the target user of this event to verify if this activity is benign or expected. Review any other suspicious activity related to this user. If necessary, have the user change their password.

For more information on this event, follow this link: https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4740#security-monitoring-recommendations

MITRE ATT&CK Techniques

  • Account Access Removal - T1531

User Behavior - A User Account Was Unlocked

Description

A previously locked user account has been unlocked by an administrator.

Recommendation

Investigate the source user of this event to verify if this activity is benign or expected. Review any other suspicious activity related to this user. If necessary, lock the account and have the user change their password.

For more information on this event, follow this link: https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4767#security-monitoring-recommendations