Migrated Legacy Rules

This is a collection of rules that have been migrated from the Legacy UBA Detection Rules tab.

Attacker Technique - Protocol Poisoning

Description

This detection identifies the poisoning of a network protocol.

Recommendation

Investigate the poisoning host. Search for additional hosts that may have queried the poisoning host, as this alert will only fire once per poisoner address per day.

MITRE ATT&CK Techniques

  • Adversary-in-the-Middle - T1557
  • LLMNR/NBT-NS Poisoning and SMB Relay - T1557.001
Attacker Technique - Service Installed Executing PowerShell

Description

This detection identifies services being installed with 'powershell' in the command line. This technique is used by malicious actors in order to perform execution of commands through a system service.

Recommendation

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

MITRE ATT&CK Techniques

  • Command and Scripting Interpreter - T1059
  • PowerShell - T1059.001
  • System Services - T1569
  • Service Execution - T1569.002
Attacker Technique - Service Installed With Long Command Line

Description

This detection identifies services being installed with a long string in the command line. This technique is used by malicious actors in order to perform execution of commands through a system service.

Recommendation

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

MITRE ATT&CK Techniques

  • System Services - T1569
  • Service Execution - T1569.002
File Access - Honey File Accessed

Description

This detection identifies a user accessing a honey file. A honey file is a fake file located on a network file share. Honey files are designed to detect attackers who are accessing and potentially removing data from your network. Attackers will often find a file share on a network, zip the contents of the share into a folder, and dump the data for offline analysis.

Recommendation

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

Lateral Movement - Administrator Impersonation

Description

A user has authenticated to an administrator account.

Recommendation

Investigate the source user of this event to verify if this activity is benign or expected. If it is expected, exceptions can be added for the source user. Review any other suspicious activity related to this user. If necessary, lock the account and have the user change their password.

MITRE ATT&CK Techniques

  • Valid Accounts - T1078
  • Domain Accounts - T1078.002
Lateral Movement - Watched User Impersonation

Description

A user has authenticated to a watched user's account.

Recommendation

Investigate the source user of this event to verify if this activity is benign or expected. If it is expected, exceptions can be added for the source user. Review any other suspicious activity related to this user. If necessary, lock the account and have the user change their password.

MITRE ATT&CK Techniques

  • Domain Accounts - T1078.002
User Behavior - An Attempt Was Made To Reset An Account's Password

Description

An attempt was made to reset an account's password.

Recommendation

Investigate the source user of this event to verify if this activity is benign or expected. Review any other suspicious activity related to this user. If necessary, lock the account and have the user change their password.

For more information on this event, follow this link: https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4724#security-monitoring-recommendations

MITRE ATT&CK Techniques

  • Account Manipulation - T1098
User Behavior - A User Account Privilege Has Been Escalated

Description

An administrator has assigned a higher level of privileges to the account.

Recommendation

Investigate the subject user of this event to verify if this activity is benign or expected. Review any other suspicious activity related to this user. If necessary, lock the account and have the user change their password.

For more information on this event, follow this link: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4732#security-monitoring-recommendations

MITRE ATT&CK Techniques

  • Account Manipulation - T1098
User Behavior - A User Account Was Changed

Description

A user account was changed.

Recommendation

Investigate the subject user of this event to verify if this activity is benign or expected. Review any other suspicious activity related to this user. If necessary, lock the account and have the user change their password.

For more information on this event, follow this link: https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4738#security-monitoring-recommendations

MITRE ATT&CK Techniques

  • Account Manipulation - T1098
User Behavior - A User Account Was Created

Description

A new account has been created.

Recommendation

Investigate the source user of this event to verify if this activity is benign or expected. Review any other suspicious activity related to this user. If necessary, lock the account and have the user change their password.

For more information on this event, follow this link: https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4720#security-monitoring-recommendations

User Behavior - A User Account Was Enabled

Description

A previously disabled user account has been re-enabled by an administrator.

Recommendation

Investigate the source user of this event to verify if this activity is benign or expected. Review any other suspicious activity related to this user. If necessary, lock the account and have the user change their password.

For more information on this event, follow this link: https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4722#security-monitoring-recommendations

MITRE ATT&CK Techniques

  • Account Manipulation - T1098
User Behavior - A User Account Was Locked Out

Description

An account has been locked.

Recommendation

Investigate the target user of this event to verify if this activity is benign or expected. Review any other suspicious activity related to this user. If necessary, have the user change their password.

For more information on this event, follow this link: https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4740#security-monitoring-recommendations

MITRE ATT&CK Techniques

  • Account Access Removal - T1531
User Behavior - A User Account Was Unlocked

Description

A previously locked user account has been unlocked by an administrator.

Recommendation

Investigate the source user of this event to verify if this activity is benign or expected. Review any other suspicious activity related to this user. If necessary, lock the account and have the user change their password.

For more information on this event, follow this link: https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4767#security-monitoring-recommendations

User Behavior - A virus has been found on an asset

Description

A virus has been found on an asset.

Recommendation

Review the file that generated the alert.

MITRE ATT&CK Techniques

  • Malicious File - T1204.002
User Behavior - An advanced malware system has generated an alert

Description

An advanced malware system has generated an alert.

Recommendation

Review the file or network traffic that generated the alert.

MITRE ATT&CK Techniques

  • Malware - T1588.001
User Behavior - Brute Force Against Domain Account

Description

A domain account has failed to authenticate to the same asset excessively.

Recommendation

Investigate the source and destination domain account of this event to verify if this activity is benign or expected. Review any other suspicious activity related to this user. If necessary, lock the account and have the user change their password.

For more information on this event, follow this link: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4648#security-monitoring-recommendations

MITRE ATT&CK Techniques

  • Password Guessing - T1110.001
  • Password Guessing - T1110.003
  • Password Guessing - T1110.004
User Behavior - Brute Force Against Local Account

Description

A local account has failed to authenticate to the same asset excessively.

Recommendation

Investigate the source and destination local account of this event to verify if this activity is benign or expected. Review any other suspicious activity related to this user. If necessary, lock the account and have the user change their password.

For more information on this event, follow this link: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4648#security-monitoring-recommendations

MITRE ATT&CK Techniques

  • Password Guessing - T1110.001
  • Password Guessing - T1110.003
  • Password Guessing - T1110.004
User Behavior - Exploit Mitigation has generated an alert

Description

An exploit has been mitigated in a process.

Recommendation

Investigate the process that was mitigated and verify if this activity is benign or expected. If necessary, rebuild the host from a known, good source and have the user change their password.

MITRE ATT&CK Techniques

  • Application or System Exploitation - T1499.004