Suspicious User Behavior
These detections identify suspicious user behavior in Windows account-management audit events, with the aim of surfacing compromised credentials, lateral movement, and other malicious activity.
User Behavior - A Computer Account Was Created
Description
A computer account was created.
Recommendation
Investigate the subject (source) user of this event to verify that the creation is expected. By default any authenticated domain user can create up to ten computer accounts (the ms-DS-MachineAccountQuota attribute), so creations by non-administrative users or from unexpected workstations deserve particular scrutiny. Review any other suspicious activity related to that user. If necessary, lock the subject account and have that user change their password.
For more information on this event, follow this link: https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4741#security-monitoring-recommendations
MITRE ATT&CK Techniques
- Create Account - T1136
User Behavior - A Member Was Added To A Security-Enabled Global Group
Description
A member was added to a security-enabled global group (for example Domain Admins).
Recommendation
Investigate the subject (source) user of this event to verify that the change is expected, and check the Group fields to see which group gained the member: additions to privileged global groups such as Domain Admins warrant immediate review, and a subject adding their own account is a classic self-elevation. Review any other suspicious activity related to that user. If necessary, lock the account and have the user change their password.
For more information on this event, follow this link: https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4728#security-monitoring-recommendations
MITRE ATT&CK Techniques
- Account Manipulation - T1098
User Behavior - A Member Was Added To A Security-Enabled Local Group
Description
A member was added to a security-enabled local group (for example the built-in Administrators group).
Recommendation
Investigate the subject (source) user of this event to verify that the change is expected, and check the Group fields to see which group gained the member: additions to the built-in Administrators group of a domain controller, or to the local Administrators group of a member server or workstation, are a common way to establish a foothold for lateral movement. Review any other suspicious activity related to that user. If necessary, lock the account and have the user change their password.
For more information on this event, follow this link: https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4732#security-monitoring-recommendations
MITRE ATT&CK Techniques
- Account Manipulation - T1098
User Behavior - A Member Was Added To A Security-Enabled Universal Group
Description
A member was added to a security-enabled universal group (for example Enterprise Admins or Schema Admins).
Recommendation
Investigate the subject (source) user of this event to verify that the change is expected, and check the Group fields to see which group gained the member: additions to privileged universal groups such as Enterprise Admins or Schema Admins warrant immediate review. Review any other suspicious activity related to that user. If necessary, lock the account and have the user change their password.
For more information on this event, follow this link: https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4756#security-monitoring-recommendations
MITRE ATT&CK Techniques
- Account Manipulation - T1098
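The three group-membership entries above share one triage step: which group gained a member, and who added whom. The following is an added example of that triage (my code, not part of the original page or of any vendor's detection logic) run over constructed sample events for 4728, 4732 and 4756. The field names follow the EventData names Windows writes for these events (SubjectUserName, MemberName, MemberSid, TargetUserName, TargetDomainName); the privileged-group watchlist and the severity levels are assumptions to tune per environment.

```python
"""Triage of Windows group-membership audit events 4728/4732/4756.

Added example; the sample events are constructed, not real log data, and the
privileged-group watchlist is an assumption to tune for your domain.
"""
from dataclasses import dataclass, field

# Event IDs for "a member was added to a security-enabled ... group".
GROUP_ADD_EVENTS = {4728: "global", 4732: "local", 4756: "universal"}

# Assumed watchlist; extend with tiering-model and custom admin groups.
PRIVILEGED_GROUPS = {
    "Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators",
    "Account Operators", "Backup Operators", "Server Operators", "DnsAdmins",
}


@dataclass
class Finding:
    event_id: int
    subject: str      # who performed the add, as DOMAIN\user
    member: str       # who was added
    group: str        # DOMAIN\group
    severity: str     # "low" | "medium" | "high"
    reasons: list = field(default_factory=list)


def member_display(event: dict) -> str:
    """Readable name for the added member.

    For domain groups MemberName is a distinguished name (CN=alice,OU=...).
    When Windows could not resolve the member it writes '-' and only the
    SID in MemberSid is usable, so fall back to that.
    """
    name = event.get("MemberName", "-")
    if name.startswith("CN="):
        return name.split(",", 1)[0][3:]
    if name and name != "-":
        return name
    return event.get("MemberSid", "<unknown>")


def triage_group_additions(events: list) -> list:
    """Score every membership-add event; returns one Finding per event."""
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        if eid not in GROUP_ADD_EVENTS:
            continue  # other event IDs are out of scope for this check
        subject = f'{ev["SubjectDomainName"]}\\{ev["SubjectUserName"]}'
        group = f'{ev["TargetDomainName"]}\\{ev["TargetUserName"]}'
        member = member_display(ev)
        reasons, severity = [], "low"

        if ev["TargetUserName"] in PRIVILEGED_GROUPS:
            severity = "high"
            reasons.append(f"target is a privileged {GROUP_ADD_EVENTS[eid]} group")

        # An operator adding their own account is classic self-elevation.
        if member.lower() == ev["SubjectUserName"].lower():
            severity = "high"
            reasons.append("subject added their own account")

        # SID-only members are often foreign-domain or freshly created
        # principals; worth a look even on a low-value group.
        if member.startswith("S-1-5-"):
            severity = "high" if severity == "high" else "medium"
            reasons.append("member name unresolved; SID only")

        findings.append(Finding(eid, subject, member, group, severity, reasons))
    return findings


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    # Helpdesk adds a user to an ordinary group.
    {"EventID": 4728, "SubjectUserName": "helpdesk1", "SubjectDomainName": "CORP",
     "MemberName": "CN=bob,OU=Users,DC=corp,DC=example",
     "MemberSid": "S-1-5-21-1111-2222-3333-1105",
     "TargetUserName": "VPN-Users", "TargetDomainName": "CORP"},
    # Someone adds themselves to Domain Admins.
    {"EventID": 4728, "SubjectUserName": "jsmith", "SubjectDomainName": "CORP",
     "MemberName": "CN=jsmith,OU=Users,DC=corp,DC=example",
     "MemberSid": "S-1-5-21-1111-2222-3333-1107",
     "TargetUserName": "Domain Admins", "TargetDomainName": "CORP"},
    # Unresolved SID added to the built-in Administrators group.
    {"EventID": 4732, "SubjectUserName": "svc-deploy", "SubjectDomainName": "CORP",
     "MemberName": "-", "MemberSid": "S-1-5-21-9999-8888-7777-1204",
     "TargetUserName": "Administrators", "TargetDomainName": "Builtin"},
    # Universal group, nothing notable.
    {"EventID": 4756, "SubjectUserName": "helpdesk1", "SubjectDomainName": "CORP",
     "MemberName": "CN=carol,OU=Users,DC=corp,DC=example",
     "MemberSid": "S-1-5-21-1111-2222-3333-1108",
     "TargetUserName": "All-Staff", "TargetDomainName": "CORP"},
    # Unrelated event that must be ignored.
    {"EventID": 4624, "SubjectUserName": "x", "SubjectDomainName": "CORP"},
]

if __name__ == "__main__":
    for f in triage_group_additions(SAMPLE_EVENTS):
        flags = "; ".join(f.reasons) or "no flags"
        print(f"[{f.severity:6}] {f.event_id} {f.subject} added {f.member} to {f.group}: {flags}")
```

The same logic applies unchanged to removals (4729/4733/4757) if you extend GROUP_ADD_EVENTS, which is useful for spotting an add-then-remove pattern that leaves no trace in current group membership.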
User Behavior - An Attempt Was Made To Reset An Account's Password
Description
An attempt was made to reset an account's password. This is an administrative reset performed on another account (a user changing their own password is logged as 4723), it is logged whether or not the reset succeeded, and it is also written as part of normal account creation, right after 4720.
Recommendation
Investigate the subject (source) user of this event to verify that the reset is expected, and compare the subject with the target account: resets of privileged or service accounts, or by subjects who do not normally perform helpdesk work, deserve priority. Review any other suspicious activity related to this user. If necessary, lock the account and have the user change their password.
For more information on this event, follow this link: https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4724#security-monitoring-recommendations
MITRE ATT&CK Techniques
- Account Manipulation - T1098
User Behavior - A User Account Was Changed
Description
A user account was changed. The event records which attributes changed (fields that did not change are shown as "-"); pay particular attention to User Account Control flags such as "Password Not Required" or "Don't Require Preauth", to the Allowed To Delegate To list, and to the Account Expires date. Note that 4738 is also written during normal account creation alongside 4720.
Recommendation
Investigate the subject user of this event to verify if this activity is benign or expected. Review any other suspicious activity related to this user. If necessary, lock the account and have the user change their password.
For more information on this event, follow this link: https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4738#security-monitoring-recommendations
MITRE ATT&CK Techniques
- Account Manipulation - T1098
User Behavior - A User Account Was Created
Description
A new user account was created.
Recommendation
Investigate the subject (source) user of this event to verify that the creation is expected. Normal provisioning writes 4720 followed within seconds by 4722 (enabled), 4724 (password set) and 4738 (account changed) from the same subject for the same new account; treat that burst as one action rather than four separate alerts. Review any other suspicious activity related to the subject user. If necessary, lock the account and have the user change their password.
For more information on this event, follow this link: https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4720#security-monitoring-recommendations
MITRE ATT&CK Techniques
- Create Account - T1136
User Behavior - A User Account Was Disabled
Description
An account has been disabled.
Recommendation
Investigate the source user of this event to verify if this activity is benign or expected. Review any other suspicious activity related to this user. If necessary, lock the account and have the user change their password.
For more information on this event, follow this link: https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4725#security-monitoring-recommendations
MITRE ATT&CK Techniques
- Account Access Removal - T1531
User Behavior - A User Account Was Enabled
Description
A user account was enabled. Besides a deliberate re-enable of a disabled account, this event is also written immediately after 4720 during normal account creation, because a new account is created disabled and then enabled.
Recommendation
Investigate the subject (source) user of this event to verify that the activity is expected. An enable that does not follow a 4720 for the same account within seconds means a previously disabled account was re-enabled; check who disabled it (4725) and whether the re-enable was approved, since re-activating a dormant account gives an attacker an existing, legitimate-looking identity. Review any other suspicious activity related to the subject user. If necessary, lock the account and have the user change their password.
For more information on this event, follow this link: https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4722#security-monitoring-recommendations
MITRE ATT&CK Techniques
- Account Manipulation - T1098
User Behavior - A User Account Was Locked Out
Description
An account has been locked out after exceeding the failed-logon threshold of the account lockout policy.
Recommendation
Investigate the target user of this event to verify if this activity is benign or expected. Note that the Subject of a 4740 is the domain controller that applied the policy, not the source of the failed logons; the originating machine is in the Caller Computer Name field. A single user's lockout is often a stale cached credential on the caller computer, whereas lockouts of many different accounts from one caller computer within a short window point to password guessing. Review any other suspicious activity related to this user. If necessary, have the user change their password.
For more information on this event, follow this link: https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4740#security-monitoring-recommendations
MITRE ATT&CK Techniques
- Account Access Removal - T1531
User Behavior - A User Account Was Unlocked
Description
A previously locked user account has been unlocked by an administrator.
Recommendation
Investigate the source user of this event to verify if this activity is benign or expected. Review any other suspicious activity related to this user. If necessary, lock the account and have the user change their password.
For more information on this event, follow this link: https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4767#security-monitoring-recommendations
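The account lifecycle entries above (4720, 4722, 4724, 4725, 4738, 4740, 4767) are noisy when alerted on individually, because normal provisioning emits several of them in one burst. The following is an added example (my code, not from the original page or any vendor product) that correlates these events to separate provisioning noise from standalone changes worth an analyst's time, run over constructed sample events. Field names follow the Windows EventData names; the 60-second window and the CallerComputerName field name are assumptions.

```python
"""Correlate Windows account-management audit events.

Added example: field names follow the EventData names for 4720/4722/4724/
4725/4738/4740/4767, the sample events are constructed, and the window is an
assumed tuning value.
"""
from datetime import datetime, timedelta

# Normal provisioning: 4720 is followed within seconds by 4722 (enabled),
# 4724 (initial password set) and 4738 (attributes changed), all from the
# same subject for the same target. Those follow-ups are not worth a ticket.
PROVISIONING_FOLLOWUPS = {4722, 4724, 4738}
PROVISIONING_WINDOW = timedelta(seconds=60)  # assumed tuning value

EVENT_NAMES = {4720: "user account created", 4722: "user account enabled",
               4724: "password reset attempted", 4725: "user account disabled",
               4738: "user account changed", 4740: "user account locked out",
               4767: "user account unlocked"}


def _when(ev):
    return datetime.fromisoformat(ev["TimeCreated"])


def correlate_account_events(events):
    """Return a list of (event, verdict, note) in time order.

    verdict is "provisioning" for a follow-up of a recent creation by the
    same subject, otherwise "review".
    """
    creations, disabled, results = {}, {}, []
    for ev in sorted(events, key=_when):
        eid = ev["EventID"]
        if eid not in EVENT_NAMES:
            continue  # other event IDs are out of scope for this correlation
        key = (ev["TargetDomainName"].lower(), ev["TargetUserName"].lower())
        now, subject = _when(ev), ev.get("SubjectUserName", "-")

        if eid == 4720:
            creations[key] = (now, subject)
            results.append((ev, "review", f"created by {subject}; expect 4722/4724/4738 to follow"))
            continue

        if eid in PROVISIONING_FOLLOWUPS and key in creations:
            created_at, creator = creations[key]
            age = now - created_at
            if creator == subject and timedelta(0) <= age <= PROVISIONING_WINDOW:
                results.append((ev, "provisioning",
                                f"{EVENT_NAMES[eid]} {int(age.total_seconds())}s after creation by {creator}"))
                continue

        if eid == 4725:
            disabled[key] = (now, subject)
            results.append((ev, "review", f"disabled by {subject}"))
        elif eid == 4722 and key in disabled:
            d_at, d_by = disabled.pop(key)
            hours = (now - d_at).total_seconds() / 3600
            results.append((ev, "review", f"re-enabled by {subject} {hours:.0f}h after {d_by} disabled it"))
        elif eid == 4740:
            # The Subject of 4740 is the domain controller that applied the
            # policy; attribution comes from the caller computer field, which
            # this example assumes the collector exposes as CallerComputerName.
            results.append((ev, "review",
                            f"locked out; failed logons came from {ev.get('CallerComputerName', 'unknown')}"))
        else:
            results.append((ev, "review", f"{EVENT_NAMES[eid]} by {subject}"))
    return results


def verdict_counts(events):
    """Summarise how many events fall into each verdict bucket."""
    counts = {}
    for _, verdict, _ in correlate_account_events(events):
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


def _ev(eid, ts, subject, target, **extra):
    """Build a constructed sample event (not real log data)."""
    return {"EventID": eid, "TimeCreated": ts, "SubjectUserName": subject,
            "TargetDomainName": "CORP", "TargetUserName": target, **extra}


SAMPLE_EVENTS = [
    # Helpdesk provisions a new user: the expected 4720 burst.
    _ev(4720, "2024-03-04T09:00:00", "helpdesk1", "newhire"),
    _ev(4722, "2024-03-04T09:00:01", "helpdesk1", "newhire"),
    _ev(4724, "2024-03-04T09:00:01", "helpdesk1", "newhire"),
    _ev(4738, "2024-03-04T09:00:02", "helpdesk1", "newhire"),
    # HR disables a leaver; days later a service account re-enables it.
    _ev(4725, "2024-03-04T17:30:00", "hr-admin", "former-emp"),
    _ev(4722, "2024-03-07T02:14:00", "svc-backup", "former-emp"),
    # Standalone reset, lockout and unlock of an existing account.
    _ev(4724, "2024-03-07T02:15:00", "svc-backup", "cfo"),
    _ev(4740, "2024-03-07T02:20:00", "DC01$", "cfo", CallerComputerName="WS-KIOSK07"),
    _ev(4767, "2024-03-07T02:25:00", "svc-backup", "cfo"),
]

if __name__ == "__main__":
    for ev, verdict, note in correlate_account_events(SAMPLE_EVENTS):
        print(f"{ev['TimeCreated']} {ev['EventID']} {ev['TargetUserName']:<11} {verdict:<12} {note}")
```

On the sample data the three follow-ups of the newhire creation are tagged as provisioning, while the re-enable of former-emp by a different subject, the reset of cfo, and the lockout reported against WS-KIOSK07 all stay in the review bucket with the context an analyst needs in the note.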