Migrated Legacy Rules

Description

This detection identifies the poisoning of a network protocol.

Recommendation

Investigate the poisoning host. Search for additional hosts that may have queried the poisoning host, as this alert will only fire once per poisoner address per day.

MITRE ATT&CK Techniques

• Adversary-in-the-Middle - T1557
• LLMNR/NBT-NS Poisoning and SMB Relay - T1557.001

Description

This detection identifies services being installed with ‘powershell’ in the command line. This technique is used by malicious actors in order to perform execution of commands through a system service.

Recommendation

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

MITRE ATT&CK Techniques

• Command and Scripting Interpreter - T1059
• PowerShell - T1059.001
• System Services - T1569
• Service Execution - T1569.002

Description

This detection identifies services being installed with a long string in the command line. This technique is used by malicious actors in order to perform execution of commands through a system service.

Recommendation

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

MITRE ATT&CK Techniques

• System Services - T1569
• Service Execution - T1569.002

Description

This detection identifies a user accessing a honey file. A honey file is a fake file located on a network file share. Honey files are designed to detect attackers who are accessing and potentially removing data from your network. Attackers will often find a file share on a network, zip the contents of the share into a folder, and dump the data for offline analysis.

Recommendation

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

Description

A user has authenticated to an administrator account.

Recommendation

Investigate the source user of this event to verify if this activity is benign or expected. If it is expected, exceptions can be added for the source user. Review any other suspicious activity related to this user. If necessary, lock the account and have the user change their password.

MITRE ATT&CK Techniques

• Valid Accounts - T1078
• Domain Accounts - T1078.002

Description

A user has authenticated to a watched user’s account.

Recommendation

Investigate the source user of this event to verify if this activity is benign or expected. If it is expected, exceptions can be added for the source user. Review any other suspicious activity related to this user. If necessary, lock the account and have the user change their password.

MITRE ATT&CK Techniques

• Domain Accounts - T1078.002

Description

An attempt was made to reset an account’s password.

Recommendation

Investigate the source user of this event to verify if this activity is benign or expected. Review any other suspicious activity related to this user. If necessary, lock the account and have the user change their password.

For more information on this event, follow this link: https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4724#security-monitoring-recommendations 

MITRE ATT&CK Techniques

• Account Manipulation - T1098

Description

An administrator has assigned a higher level of privileges to the account.

Recommendation

Investigate the subject user of this event to verify if this activity is benign or expected. Review any other suspicious activity related to this user. If necessary, lock the account and have the user change their password.

For more information on this event, follow this link: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4732#security-monitoring-recommendations 

MITRE ATT&CK Techniques

• Account Manipulation - T1098

Description

A user account was changed.

Recommendation

Investigate the subject user of this event to verify if this activity is benign or expected. Review any other suspicious activity related to this user. If necessary, lock the account and have the user change their password.

For more information on this event, follow this link: https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4738#security-monitoring-recommendations 

MITRE ATT&CK Techniques

• Account Manipulation - T1098

Description

A new account has been created.

Recommendation

Investigate the source user of this event to verify if this activity is benign or expected. Review any other suspicious activity related to this user. If necessary, lock the account and have the user change their password.

For more information on this event, follow this link: https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4720#security-monitoring-recommendations 

Description

A previously disabled user account has been re-enabled by an administrator.

Recommendation

Investigate the source user of this event to verify if this activity is benign or expected. Review any other suspicious activity related to this user. If necessary, lock the account and have the user change their password.

For more information on this event, follow this link: https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4722#security-monitoring-recommendations 

MITRE ATT&CK Techniques

• Account Manipulation - T1098

Description

An account has been locked.

Recommendation

Investigate the target user of this event to verify if this activity is benign or expected. Review any other suspicious activity related to this user. If necessary, have the user change their password.

For more information on this event, follow this link: https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4740#security-monitoring-recommendations 

MITRE ATT&CK Techniques

• Account Access Removal - T1531

Description

A previously locked user account has been unlocked by an administrator.

Recommendation

Investigate the source user of this event to verify if this activity is benign or expected. Review any other suspicious activity related to this user. If necessary, lock the account and have the user change their password.

For more information on this event, follow this link: https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4767#security-monitoring-recommendations 

Description

A virus has been found on an asset.

Recommendation

Review the file that generated the alert.

MITRE ATT&CK Techniques

• Malicious File - T1204.002

Description

An advanced malware system has generated an alert.

Recommendation

Review the file or network traffic that generated the alert.

MITRE ATT&CK Techniques

• Malware - T1588.001

Description

A domain account has failed to authenticate to the same asset excessively.

Recommendation

Investigate the source and destination domain account of this event to verify if this activity is benign or expected. Review any other suspicious activity related to this user. If necessary, lock the account and have the user change their password.

For more information on this event, follow this link: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4648#security-monitoring-recommendations 

MITRE ATT&CK Techniques

• Password Guessing - T1110.001
• Password Guessing - T1110.003
• Password Guessing - T1110.004

Description

A local account has failed to authenticate to the same asset excessively.

Recommendation

Investigate the source and destination local account of this event to verify if this activity is benign or expected. Review any other suspicious activity related to this user. If necessary, lock the account and have the user change their password.

For more information on this event, follow this link: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4648#security-monitoring-recommendations 

MITRE ATT&CK Techniques

• Password Guessing - T1110.001
• Password Guessing - T1110.003
• Password Guessing - T1110.004

Description

An exploit has been mitigated in a process.

Recommendation

Investigate the process that was mitigated and verify if this activity is benign or expected. If necessary, rebuild the host from a known, good source and have the user change their password.

MITRE ATT&CK Techniques

• Application or System Exploitation - T1499.004