Suspicious Ingress Authentications

These detection rules identify suspicious activity from ingress authentication records collected by InsightIDR Collectors.

Suspicious Authentication - Alibaba

Description

This detection identifies successful authentications from low-cost VPN providers.

Recommendation

Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.

MITRE ATT&CK Techniques

  • Valid Accounts - T1078
  • Domain Accounts - T1078.002
  • Cloud Accounts - T1078.004

Suspicious Authentication - AltusHost

Description

This detection identifies successful authentications from low-cost VPN providers.

Recommendation

Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.

MITRE ATT&CK Techniques

  • Valid Accounts - T1078
  • Domain Accounts - T1078.002
  • Cloud Accounts - T1078.004

Suspicious Authentication - Anonine VPN

Description

This detection identifies successful authentications from low-cost VPN providers.

Recommendation

Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.

Suspicious Authentication - Avast

Description

This detection identifies successful authentications from low-cost VPN providers.

Recommendation

Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.

MITRE ATT&CK Techniques

  • Valid Accounts - T1078
  • Domain Accounts - T1078.002
  • Cloud Accounts - T1078.004

Suspicious Authentication - Choopa

Description

This detection identifies successful authentications from low-cost VPN providers.

Recommendation

Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.

MITRE ATT&CK Techniques

  • Valid Accounts - T1078
  • Domain Accounts - T1078.002
  • Cloud Accounts - T1078.004

Suspicious Authentication - ColoCrossing

Description

This detection identifies successful authentications from low-cost VPN providers.

Recommendation

Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.

MITRE ATT&CK Techniques

  • Valid Accounts - T1078
  • Domain Accounts - T1078.002
  • Cloud Accounts - T1078.004

Suspicious Authentication - CyberGhost

Description

This detection identifies successful authentications from low-cost VPN providers.

Recommendation

Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.

Suspicious Authentication - DataCamp Limited

Description

This detection identifies successful authentications from low-cost VPN providers.

Recommendation

Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.

MITRE ATT&CK Techniques

  • Valid Accounts - T1078
  • Domain Accounts - T1078.002
  • Cloud Accounts - T1078.004

Suspicious Authentication - DataClub, Dedicated Servers

Description

This detection identifies successful authentications from low-cost VPN providers.

Recommendation

Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.

MITRE ATT&CK Techniques

  • Valid Accounts - T1078
  • Domain Accounts - T1078.002
  • Cloud Accounts - T1078.004

Suspicious Authentication - Dedipath

Description

This detection identifies successful authentications from low-cost VPN providers.

Recommendation

Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.

MITRE ATT&CK Techniques

  • Domain Accounts - T1078.002

Suspicious Authentication - Digital Ocean

Description

This detection identifies successful authentications from low-cost VPN providers.

Recommendation

Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.

MITRE ATT&CK Techniques

  • Valid Accounts - T1078
  • Domain Accounts - T1078.002
  • Cloud Accounts - T1078.004

Suspicious Authentication - ExpressVPN

Description

This detection identifies successful authentications from low-cost VPN providers.

Recommendation

Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.

MITRE ATT&CK Techniques

  • Valid Accounts - T1078
  • Domain Accounts - T1078.002
  • Cloud Accounts - T1078.004

Suspicious Authentication - GigeNET

Description

This detection identifies successful authentications from low-cost VPN providers.

Recommendation

Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.

MITRE ATT&CK Techniques

  • Valid Accounts - T1078
  • Domain Accounts - T1078.002
  • Cloud Accounts - T1078.004

Suspicious Authentication - Host1Plus

Description

This detection identifies successful authentications from low-cost VPN providers.

Recommendation

Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.

MITRE ATT&CK Techniques

  • Valid Accounts - T1078
  • Domain Accounts - T1078.002
  • Cloud Accounts - T1078.004

Suspicious Authentication - Input Output Flood LLC

Description

This detection identifies successful authentications from low-cost VPN providers.

Recommendation

Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.

MITRE ATT&CK Techniques

  • Valid Accounts - T1078
  • Domain Accounts - T1078.002
  • Cloud Accounts - T1078.004

Suspicious Authentication - Interserver

Description

This detection identifies successful authentications from low-cost VPN providers.

Recommendation

Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.

Suspicious Authentication - IPVanish

Description

This detection identifies successful authentications from low-cost VPN providers.

Recommendation

Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.

MITRE ATT&CK Techniques

  • Valid Accounts - T1078
  • Domain Accounts - T1078.002
  • Cloud Accounts - T1078.004

Suspicious Authentication - IP Volume

Description

This detection identifies successful authentications from low-cost VPN providers.

Recommendation

Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.

MITRE ATT&CK Techniques

  • Valid Accounts - T1078
  • Domain Accounts - T1078.002
  • Cloud Accounts - T1078.004

Suspicious Authentication - IT7 Networks

Description

This detection identifies successful authentications from low-cost VPN providers.

Recommendation

Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.

Suspicious Authentication - ITL-Bulgaria Ltd.

Description

This detection identifies successful authentications from low-cost VPN providers.

Recommendation

Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.

Suspicious Authentication - LeaseWeb

Description

This detection identifies successful authentications from low-cost VPN providers.

Recommendation

Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.

MITRE ATT&CK Techniques

  • Domain Accounts - T1078.002

Suspicious Authentication - Liquid Web

Description

This detection identifies successful authentications from low-cost VPN providers.

Recommendation

Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.

Suspicious Authentication - M247

Description

This detection identifies successful authentications from low-cost VPN providers.

Recommendation

Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.

MITRE ATT&CK Techniques

  • Valid Accounts - T1078
  • Domain Accounts - T1078.002
  • Cloud Accounts - T1078.004

Suspicious Authentication - Micfo

Description

This detection identifies successful authentications from low-cost VPN providers.

Recommendation

Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.

Suspicious Authentication - NeoVPN

Description

This detection identifies successful authentications from low-cost VPN providers.

Recommendation

Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.

Suspicious Authentication - NordVPN

Description

This detection identifies successful authentications from low-cost VPN providers.

Recommendation

Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.

Suspicious Authentication - Obehosting

Description

This detection identifies successful authentications from low-cost VPN providers.

Recommendation

Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.

Suspicious Authentication - OVH

Description

This detection identifies successful authentications from low-cost VPN providers.

Recommendation

Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.

MITRE ATT&CK Techniques

  • Valid Accounts - T1078
  • Domain Accounts - T1078.002
  • Cloud Accounts - T1078.004

Suspicious Authentication - OVPN

Description

This detection identifies successful authentications from low-cost VPN providers.

Recommendation

Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.

Suspicious Authentication - OVPN.se

Description

This detection identifies successful authentications from low-cost VPN providers.

Recommendation

Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.

Suspicious Authentication - Private Layer Inc

Description

This detection identifies successful authentications from low-cost VPN providers.

Recommendation

Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.

MITRE ATT&CK Techniques

  • Valid Accounts - T1078
  • Domain Accounts - T1078.002
  • Cloud Account - T1136.003

Suspicious Authentication - ProfitServer

Description

This detection identifies successful authentications from low-cost VPN providers.

Recommendation

Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.

Suspicious Authentication - Psychz Networks

Description

This detection identifies successful authentications from low-cost VPN providers.

Recommendation

Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.

MITRE ATT&CK Techniques

  • Valid Accounts - T1078
  • Domain Accounts - T1078.002
  • Cloud Accounts - T1078.004

Suspicious Authentication - QuadraNet

Description

This detection identifies successful authentications from low-cost VPN providers.

Recommendation

Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.

MITRE ATT&CK Techniques

  • Valid Accounts - T1078
  • Domain Accounts - T1078.002
  • Cloud Accounts - T1078.004

Suspicious Authentication - Redstation Limited

Description

This detection identifies successful authentications from low-cost VPN providers.

Recommendation

Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.

Suspicious Authentication - SoftEther Corporation

Description

This detection identifies successful authentications from low-cost VPN providers.

Recommendation

Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.

Suspicious Authentication - SoftLayer

Description

This detection identifies successful authentications from low-cost VPN providers.

Recommendation

Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.

MITRE ATT&CK Techniques

  • Valid Accounts - T1078
  • Domain Accounts - T1078.002
  • Cloud Accounts - T1078.004

Suspicious Authentication - StrongVPN

Description

This detection identifies successful authentications from low-cost VPN providers.

Recommendation

Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.

Suspicious Authentication - Tor Exit Node

Description

This detection identifies successful authentications from IP addresses of known Tor exit nodes. The Tor Project was established to provide online privacy through network anonymization. Because of this, it is often used by malicious actors as a free proxy service to hide their identity.

Recommendation

Review the authentication history for the user for the past few weeks to identify any other suspicious activity. Reach out to the user to verify whether they are knowingly using Tor when accessing organizational resources. Lock the account as necessary and have the user change their password. If this system does not require two-factor authentication, consider adding it to prevent brute-force and simple phishing attacks.

MITRE ATT&CK Techniques

  • Valid Accounts - T1078
  • Proxy - T1090
  • Multi-hop Proxy - T1090.003

Suspicious Authentication - Total Server Solutions, Private Internet Access

Description

This detection identifies successful authentications from low-cost VPN providers.

Recommendation

Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.

MITRE ATT&CK Techniques

  • Valid Accounts - T1078
  • Domain Accounts - T1078.002
  • Cloud Accounts - T1078.004

Suspicious Authentication - Vectant

Description

This detection identifies successful authentications from low-cost VPN providers.

Recommendation

Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.

MITRE ATT&CK Techniques

  • Valid Accounts - T1078
  • Domain Accounts - T1078.002
  • Cloud Accounts - T1078.004

Suspicious Authentication - VolumeDrive

Description

This detection identifies successful authentications from low-cost VPN providers.

Recommendation

Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.

Suspicious Authentication - VPN Consumer Network

Description

This detection identifies successful authentications from low-cost VPN providers.

Recommendation

Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.

Suspicious Authentication - VPNSolutions

Description

This detection identifies successful authentications from low-cost VPN providers.

Recommendation

Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.

Suspicious Authentication - VPNTunnel

Description

This detection identifies successful authentications from low-cost VPN providers.

Recommendation

Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.

Suspicious Authentication - Zenex 5ive

Description

This detection identifies successful authentications from low-cost VPN providers.

Recommendation

Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.

MITRE ATT&CK Techniques

  • Valid Accounts - T1078
  • Domain Accounts - T1078.002
  • Cloud Accounts - T1078.004