Migrated Legacy Rules

This is a collection of rules that have been migrated from the Legacy UBA Detection Rules tab.

Attacker Technique - Protocol Poisoning

Description

This detection identifies the poisoning of a network protocol.

Recommendation

Investigate the poisoning host. Search for additional hosts that may have queried the poisoning host, as this alert will only fire once per poisoner address per day.

MITRE ATT&CK Techniques

  • Adversary-in-the-Middle - T1557
  • LLMNR/NBT-NS Poisoning and SMB Relay - T1557.001

Attacker Technique - Service Installed Executing PowerShell

Description

This detection identifies services being installed with 'powershell' in the command line. Malicious actors use this technique to execute commands through a system service.

Recommendation

Review the alert in question. If necessary, rebuild the host from a known-good source and have the user change their password.

MITRE ATT&CK Techniques

  • Command and Scripting Interpreter - T1059
  • PowerShell - T1059.001
  • System Services - T1569
  • Service Execution - T1569.002

Attacker Technique - Service Installed With Long Command Line

Description

This detection identifies services being installed with an unusually long string in the command line. Malicious actors use this technique to execute commands through a system service.

Recommendation

Review the alert in question. If necessary, rebuild the host from a known-good source and have the user change their password.

MITRE ATT&CK Techniques

  • System Services - T1569
  • Service Execution - T1569.002

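
The two service-install rules above share one idea: inspect the command line of every newly installed service. The following is an added example, not Rapid7's rule logic; it assumes service installs are read from Windows System log Event ID 7045 with the ImagePath field as the command line, and the 500-character threshold is assumed because the page states none.

```python
"""Added example (not the product's own logic): flag service installs whose
command line contains 'powershell' or is unusually long."""
import re
from dataclasses import dataclass

# Assumption: service installs come from Windows System log Event ID 7045
# ("A service was installed in the system"); field names mirror that event.
LONG_CMDLINE_THRESHOLD = 500  # assumed threshold; the page states none
POWERSHELL_RE = re.compile(r"powershell", re.IGNORECASE)


@dataclass
class ServiceInstall:
    host: str
    service_name: str
    image_path: str  # the service command line as recorded in the event


def classify(event: ServiceInstall) -> list[str]:
    """Return the names of the rules this install would trigger (empty if none)."""
    hits = []
    if POWERSHELL_RE.search(event.image_path):
        hits.append("Service Installed Executing PowerShell")
    if len(event.image_path) >= LONG_CMDLINE_THRESHOLD:
        hits.append("Service Installed With Long Command Line")
    return hits


def run(events: list[ServiceInstall]) -> dict[str, list[str]]:
    """Map each service name to the rules it triggered."""
    return {e.service_name: classify(e) for e in events}


# Constructed sample events. The last one mimics a service that launches
# PowerShell with a long argument string, so both rules fire on it.
SAMPLE_EVENTS = [
    ServiceInstall("ws01", "Spooler", r"C:\Windows\System32\spoolsv.exe"),
    ServiceInstall("ws01", "UpdateSvc", '%COMSPEC% /c powershell.exe -w hidden -c "Get-Date"'),
    ServiceInstall("ws02", "BackupAgent", r"C:\Program Files\Agent\agent.exe " + "-arg " * 200),
    ServiceInstall("ws03", "Helper", "powershell.exe -c " + "A" * 600),
]

if __name__ == "__main__":
    for name, hits in run(SAMPLE_EVENTS).items():
        print(name, hits or "clean")
```

Because a service install is a single event, both rules can be evaluated in the same pass over the log, which is how the sample above is laid out.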
File Access - Honey File Accessed

Description

This detection identifies a user accessing a honey file. A honey file is a decoy file placed on a network file share. Honey files are designed to detect attackers who are accessing and potentially exfiltrating data from your network. Attackers will often find a file share on a network, compress the contents of the share into an archive, and take the data away for offline analysis.

Recommendation

Review the alert in question. If necessary, rebuild the host from a known-good source and have the user change their password.

User Behavior - An Attempt Was Made To Reset An Account's Password

Description

An attempt was made to reset an account's password.

Recommendation

Investigate the source user of this event to verify if this activity is benign or expected. Review any other suspicious activity related to this user. If necessary, lock the account and have the user change their password.

For more information on this event, follow this link: https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4724#security-monitoring-recommendations

MITRE ATT&CK Techniques

  • Account Manipulation - T1098

User Behavior - A User Account Was Changed

Description

A user account was changed.

Recommendation

Investigate the subject user of this event to verify if this activity is benign or expected. Review any other suspicious activity related to this user. If necessary, lock the account and have the user change their password.

For more information on this event, follow this link: https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4738#security-monitoring-recommendations

MITRE ATT&CK Techniques

  • Account Manipulation - T1098

User Behavior - A User Account Was Created

Description

A new account has been created.

Recommendation

Investigate the source user of this event to verify if this activity is benign or expected. Review any other suspicious activity related to this user. If necessary, lock the account and have the user change their password.

For more information on this event, follow this link: https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4720#security-monitoring-recommendations

User Behavior - A User Account Was Enabled

Description

A previously disabled user account has been re-enabled by an administrator.

Recommendation

Investigate the source user of this event to verify if this activity is benign or expected. Review any other suspicious activity related to this user. If necessary, lock the account and have the user change their password.

For more information on this event, follow this link: https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4722#security-monitoring-recommendations

MITRE ATT&CK Techniques

  • Account Manipulation - T1098

User Behavior - A User Account Was Locked Out

Description

An account has been locked.

Recommendation

Investigate the target user of this event to verify if this activity is benign or expected. Review any other suspicious activity related to this user. If necessary, have the user change their password.

For more information on this event, follow this link: https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4740#security-monitoring-recommendations

MITRE ATT&CK Techniques

  • Account Access Removal - T1531

User Behavior - A User Account Was Unlocked

Description

A previously locked user account has been unlocked by an administrator.

Recommendation

Investigate the source user of this event to verify if this activity is benign or expected. Review any other suspicious activity related to this user. If necessary, lock the account and have the user change their password.

For more information on this event, follow this link: https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4767#security-monitoring-recommendations