Suspicious Ingress Authentications

These detection rules identify suspicious activity from ingress authentication records collected by InsightIDR Collectors.

Suspicious Authentication - Alibaba

Description

This detection identifies successful authentications from low-cost VPN providers.

Recommendation

Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.

MITRE ATT&CK Techniques

  • Valid Accounts - T1078
  • Domain Accounts - T1078.002
  • Cloud Accounts - T1078.004

Suspicious Authentication - AltusHost

Description

This detection identifies successful authentications from low-cost VPN providers.

Recommendation

Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.

MITRE ATT&CK Techniques

  • Valid Accounts - T1078
  • Domain Accounts - T1078.002
  • Cloud Accounts - T1078.004

Suspicious Authentication - Anonine VPN

Description

This detection identifies successful authentications from low-cost VPN providers.

Recommendation

Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.

Suspicious Authentication - Avast

Description

This detection identifies successful authentications from low-cost VPN providers.

Recommendation

Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.

MITRE ATT&CK Techniques

  • Valid Accounts - T1078
  • Domain Accounts - T1078.002
  • Cloud Accounts - T1078.004

Suspicious Authentication - Choopa

Description

This detection identifies successful authentications from low-cost VPN providers.

Recommendation

Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.

MITRE ATT&CK Techniques

  • Valid Accounts - T1078
  • Domain Accounts - T1078.002
  • Cloud Accounts - T1078.004

Suspicious Authentication - ColoCrossing

Description

This detection identifies successful authentications from low-cost VPN providers.

Recommendation

Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.

MITRE ATT&CK Techniques

  • Valid Accounts - T1078
  • Domain Accounts - T1078.002
  • Cloud Accounts - T1078.004

Suspicious Authentication - CyberGhost

Description

This detection identifies successful authentications from low-cost VPN providers.

Recommendation

Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.

Suspicious Authentication - DataCamp Limited

Description

This detection identifies successful authentications from low-cost VPN providers.

Recommendation

Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.

MITRE ATT&CK Techniques

  • Valid Accounts - T1078
  • Domain Accounts - T1078.002
  • Cloud Accounts - T1078.004

Suspicious Authentication - DataClub, Dedicated Servers

Description

This detection identifies successful authentications from low-cost VPN providers.

Recommendation

Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.

MITRE ATT&CK Techniques

  • Valid Accounts - T1078
  • Domain Accounts - T1078.002
  • Cloud Accounts - T1078.004

Suspicious Authentication - Dedipath

Description

This detection identifies successful authentications from low-cost VPN providers.

Recommendation

Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.

MITRE ATT&CK Techniques

  • Domain Accounts - T1078.002

Suspicious Authentication - Digital Ocean

Description

This detection identifies successful authentications from low-cost VPN providers.

Recommendation

Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.

MITRE ATT&CK Techniques

  • Valid Accounts - T1078
  • Domain Accounts - T1078.002
  • Cloud Accounts - T1078.004

Suspicious Authentication - ExpressVPN

Description

This detection identifies successful authentications from low-cost VPN providers.

Recommendation

Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.

MITRE ATT&CK Techniques

  • Valid Accounts - T1078
  • Domain Accounts - T1078.002
  • Cloud Accounts - T1078.004

Suspicious Authentication - GigeNET

Description

This detection identifies successful authentications from low-cost VPN providers.

Recommendation

Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.

MITRE ATT&CK Techniques

  • Valid Accounts - T1078
  • Domain Accounts - T1078.002
  • Cloud Accounts - T1078.004

Suspicious Authentication - Host1Plus

Description

This detection identifies successful authentications from low-cost VPN providers.

Recommendation

Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.

MITRE ATT&CK Techniques

  • Valid Accounts - T1078
  • Domain Accounts - T1078.002
  • Cloud Accounts - T1078.004

Suspicious Authentication - Input Output Flood LLC

Description

This detection identifies successful authentications from low-cost VPN providers.

Recommendation

Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.

MITRE ATT&CK Techniques

  • Valid Accounts - T1078
  • Domain Accounts - T1078.002
  • Cloud Accounts - T1078.004

Suspicious Authentication - Interserver

Description

This detection identifies successful authentications from low-cost VPN providers.

Recommendation

Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.

Suspicious Authentication - IPVanish

Description

This detection identifies successful authentications from low-cost VPN providers.

Recommendation

Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.

MITRE ATT&CK Techniques

  • Valid Accounts - T1078
  • Domain Accounts - T1078.002
  • Cloud Accounts - T1078.004

Suspicious Authentication - IP Volume

Description

This detection identifies successful authentications from low-cost VPN providers.

Recommendation

Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.

MITRE ATT&CK Techniques

  • Valid Accounts - T1078
  • Domain Accounts - T1078.002
  • Cloud Accounts - T1078.004

Suspicious Authentication - IT7 Networks

Description

This detection identifies successful authentications from low-cost VPN providers.

Recommendation

Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.

Suspicious Authentication - ITL-Bulgaria Ltd.

Description

This detection identifies successful authentications from low-cost VPN providers.

Recommendation

Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.

Suspicious Authentication - LeaseWeb

Description

This detection identifies successful authentications from low-cost VPN providers.

Recommendation

Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.

MITRE ATT&CK Techniques

  • Domain Accounts - T1078.002

Suspicious Authentication - Liquid Web

Description

This detection identifies successful authentications from low-cost VPN providers.

Recommendation

Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.

Suspicious Authentication - M247

Description

This detection identifies successful authentications from low-cost VPN providers.

Recommendation

Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.

MITRE ATT&CK Techniques

  • Valid Accounts - T1078
  • Domain Accounts - T1078.002
  • Cloud Accounts - T1078.004

Suspicious Authentication - Micfo

Description

This detection identifies successful authentications from low-cost VPN providers.

Recommendation

Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.

Suspicious Authentication - NeoVPN

Description

This detection identifies successful authentications from low-cost VPN providers.

Recommendation

Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.

Suspicious Authentication - NordVPN

Description

This detection identifies successful authentications from low-cost VPN providers.

Recommendation

Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.

Suspicious Authentication - Obehosting

Description

This detection identifies successful authentications from low-cost VPN providers.

Recommendation

Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.

Suspicious Authentication - OVH

Description

This detection identifies successful authentications from low-cost VPN providers.

Recommendation

Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.

MITRE ATT&CK Techniques

  • Valid Accounts - T1078
  • Domain Accounts - T1078.002
  • Cloud Accounts - T1078.004

Suspicious Authentication - OVPN

Description

This detection identifies successful authentications from low-cost VPN providers.

Recommendation

Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.

Suspicious Authentication - OVPN.se

Description

This detection identifies successful authentications from low-cost VPN providers.

Recommendation

Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.

Suspicious Authentication - Private Layer Inc

Description

This detection identifies successful authentications from low-cost VPN providers.

Recommendation

Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.

MITRE ATT&CK Techniques

  • Valid Accounts - T1078
  • Domain Accounts - T1078.002
  • Cloud Account - T1136.003

Suspicious Authentication - ProfitServer

Description

This detection identifies successful authentications from low-cost VPN providers.

Recommendation

Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.

Suspicious Authentication - Psychz Networks

Description

This detection identifies successful authentications from low-cost VPN providers.

Recommendation

Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.

MITRE ATT&CK Techniques

  • Valid Accounts - T1078
  • Domain Accounts - T1078.002
  • Cloud Accounts - T1078.004

Suspicious Authentication - QuadraNet

Description

This detection identifies successful authentications from low-cost VPN providers.

Recommendation

Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.

MITRE ATT&CK Techniques

  • Valid Accounts - T1078
  • Domain Accounts - T1078.002
  • Cloud Accounts - T1078.004

Suspicious Authentication - Redstation Limited

Description

This detection identifies successful authentications from low-cost VPN providers.

Recommendation

Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.

Suspicious Authentication - SoftEther Corporation

Description

This detection identifies successful authentications from low-cost VPN providers.

Recommendation

Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.

Suspicious Authentication - SoftLayer

Description

This detection identifies successful authentications from low-cost VPN providers.

Recommendation

Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.

MITRE ATT&CK Techniques

  • Valid Accounts - T1078
  • Domain Accounts - T1078.002
  • Cloud Accounts - T1078.004

Suspicious Authentication - StrongVPN

Description

This detection identifies successful authentications from low-cost VPN providers.

Recommendation

Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.

Suspicious Authentication - Tor Exit Node

Description

This detection identifies successful authentications from IP addresses of known Tor exit nodes. The Tor Project was established to provide online privacy through network anonymization. Because of this, it is often used by malicious actors as a free proxy service to hide their identity.

Recommendation

Review the user's authentication history for the past few weeks to identify any other suspicious activity. Reach out to the user to verify whether they are knowingly using Tor when accessing organizational resources. Lock the account as necessary and have the user change their password. If this system does not require two-factor authentication, consider adding it to prevent brute-force and simple phishing attacks.

MITRE ATT&CK Techniques

  • Valid Accounts - T1078
  • Proxy - T1090
  • Multi-hop Proxy - T1090.003

Suspicious Authentication - Total Server Solutions, Private Internet Access

Description

This detection identifies successful authentications from low-cost VPN providers.

Recommendation

Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.

MITRE ATT&CK Techniques

  • Valid Accounts - T1078
  • Domain Accounts - T1078.002
  • Cloud Accounts - T1078.004

Suspicious Authentication - Vectant

Description

This detection identifies successful authentications from low-cost VPN providers.

Recommendation

Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.

MITRE ATT&CK Techniques

  • Valid Accounts - T1078
  • Domain Accounts - T1078.002
  • Cloud Accounts - T1078.004

Suspicious Authentication - VolumeDrive

Description

This detection identifies successful authentications from low-cost VPN providers.

Recommendation

Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.

Suspicious Authentication - VPN Consumer Network

Description

This detection identifies successful authentications from low-cost VPN providers.

Recommendation

Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.

Suspicious Authentication - VPNSolutions

Description

This detection identifies successful authentications from low-cost VPN providers.

Recommendation

Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.

Suspicious Authentication - VPNTunnel

Description

This detection identifies successful authentications from low-cost VPN providers.

Recommendation

Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.

Suspicious Authentication - Zenex 5ive

Description

This detection identifies successful authentications from low-cost VPN providers.

Recommendation

Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.

MITRE ATT&CK Techniques

  • Valid Accounts - T1078
  • Domain Accounts - T1078.002
  • Cloud Accounts - T1078.004