Suspicious Ingress Authentications
These detection rules identify suspicious activity from ingress authentication records collected by InsightIDR Collectors.
Suspicious Authentication - Alibaba
Description
This detection identifies successful authentications from low-cost VPN providers.
Recommendation
Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.
MITRE ATT&CK Techniques
- Valid Accounts - T1078
- Domain Accounts - T1078.002
- Cloud Accounts - T1078.004
Suspicious Authentication - AltusHost
Description
This detection identifies successful authentications from low-cost VPN providers.
Recommendation
Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.
MITRE ATT&CK Techniques
- Valid Accounts - T1078
- Domain Accounts - T1078.002
- Cloud Accounts - T1078.004
Suspicious Authentication - Anonine VPN
Suspicious Authentication - Avast
Description
This detection identifies successful authentications from low-cost VPN providers.
Recommendation
Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.
MITRE ATT&CK Techniques
- Valid Accounts - T1078
- Domain Accounts - T1078.002
- Cloud Accounts - T1078.004
Suspicious Authentication - Choopa
Description
This detection identifies successful authentications from low-cost VPN providers.
Recommendation
Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.
MITRE ATT&CK Techniques
- Valid Accounts - T1078
- Domain Accounts - T1078.002
- Cloud Accounts - T1078.004
Suspicious Authentication - ColoCrossing
Description
This detection identifies successful authentications from low-cost VPN providers.
Recommendation
Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.
MITRE ATT&CK Techniques
- Valid Accounts - T1078
- Domain Accounts - T1078.002
- Cloud Accounts - T1078.004
Suspicious Authentication - CyberGhost
Suspicious Authentication - DataCamp Limited
Description
This detection identifies successful authentications from low-cost VPN providers.
Recommendation
Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.
MITRE ATT&CK Techniques
- Valid Accounts - T1078
- Domain Accounts - T1078.002
- Cloud Accounts - T1078.004
Suspicious Authentication - DataClub, Dedicated Servers
Description
This detection identifies successful authentications from low-cost VPN providers.
Recommendation
Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.
MITRE ATT&CK Techniques
- Valid Accounts - T1078
- Domain Accounts - T1078.002
- Cloud Accounts - T1078.004
Suspicious Authentication - Dedipath
Description
This detection identifies successful authentications from low-cost VPN providers.
Recommendation
Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.
MITRE ATT&CK Techniques
- Domain Accounts - T1078.002
Suspicious Authentication - Digital Ocean
Description
This detection identifies successful authentications from low-cost VPN providers.
Recommendation
Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.
MITRE ATT&CK Techniques
- Valid Accounts - T1078
- Domain Accounts - T1078.002
- Cloud Accounts - T1078.004
Suspicious Authentication - ExpressVPN
Description
This detection identifies successful authentications from low-cost VPN providers.
Recommendation
Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.
MITRE ATT&CK Techniques
- Valid Accounts - T1078
- Domain Accounts - T1078.002
- Cloud Accounts - T1078.004
Suspicious Authentication - GigeNET
Description
This detection identifies successful authentications from low-cost VPN providers.
Recommendation
Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.
MITRE ATT&CK Techniques
- Valid Accounts - T1078
- Domain Accounts - T1078.002
- Cloud Accounts - T1078.004
Suspicious Authentication - Host1Plus
Description
This detection identifies successful authentications from low-cost VPN providers.
Recommendation
Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.
MITRE ATT&CK Techniques
- Valid Accounts - T1078
- Domain Accounts - T1078.002
- Cloud Accounts - T1078.004
Suspicious Authentication - Input Output Flood LLC
Description
This detection identifies successful authentications from low-cost VPN providers.
Recommendation
Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.
MITRE ATT&CK Techniques
- Valid Accounts - T1078
- Domain Accounts - T1078.002
- Cloud Accounts - T1078.004
Suspicious Authentication - Interserver
Suspicious Authentication - IPVanish
Description
This detection identifies successful authentications from low-cost VPN providers.
Recommendation
Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.
MITRE ATT&CK Techniques
- Valid Accounts - T1078
- Domain Accounts - T1078.002
- Cloud Accounts - T1078.004
Suspicious Authentication - IP Volume
Description
This detection identifies successful authentications from low-cost VPN providers.
Recommendation
Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.
MITRE ATT&CK Techniques
- Valid Accounts - T1078
- Domain Accounts - T1078.002
- Cloud Accounts - T1078.004
Suspicious Authentication - IT7 Networks
Suspicious Authentication - ITL-Bulgaria Ltd.
Suspicious Authentication - LeaseWeb
Description
This detection identifies successful authentications from low-cost VPN providers.
Recommendation
Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.
MITRE ATT&CK Techniques
- Domain Accounts - T1078.002
Suspicious Authentication - Liquid Web
Suspicious Authentication - M247
Description
This detection identifies successful authentications from low-cost VPN providers.
Recommendation
Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.
MITRE ATT&CK Techniques
- Valid Accounts - T1078
- Domain Accounts - T1078.002
- Cloud Accounts - T1078.004
Suspicious Authentication - Micfo
Suspicious Authentication - NeoVPN
Suspicious Authentication - NordVPN
Suspicious Authentication - Obehosting
Suspicious Authentication - OVH
Description
This detection identifies successful authentications from low-cost VPN providers.
Recommendation
Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.
MITRE ATT&CK Techniques
- Valid Accounts - T1078
- Domain Accounts - T1078.002
- Cloud Accounts - T1078.004
Suspicious Authentication - OVPN
Suspicious Authentication - OVPN.se
Suspicious Authentication - Private Layer Inc
Description
This detection identifies successful authentications from low-cost VPN providers.
Recommendation
Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.
MITRE ATT&CK Techniques
- Valid Accounts - T1078
- Domain Accounts - T1078.002
- Cloud Account - T1136.003
Suspicious Authentication - ProfitServer
Suspicious Authentication - Psychz Networks
Description
This detection identifies successful authentications from low-cost VPN providers.
Recommendation
Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.
MITRE ATT&CK Techniques
- Valid Accounts - T1078
- Domain Accounts - T1078.002
- Cloud Accounts - T1078.004
Suspicious Authentication - QuadraNet
Description
This detection identifies successful authentications from low-cost VPN providers.
Recommendation
Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.
MITRE ATT&CK Techniques
- Valid Accounts - T1078
- Domain Accounts - T1078.002
- Cloud Accounts - T1078.004
Suspicious Authentication - Redstation Limited
Suspicious Authentication - SoftEther Corporation
Suspicious Authentication - SoftLayer
Description
This detection identifies successful authentications from low-cost VPN providers.
Recommendation
Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.
MITRE ATT&CK Techniques
- Valid Accounts - T1078
- Domain Accounts - T1078.002
- Cloud Accounts - T1078.004
Suspicious Authentication - StrongVPN
Suspicious Authentication - Tor Exit Node
Description
This detection identifies successful authentications from IP addresses of known Tor exit nodes. The Tor Project was established to provide online privacy through network anonymization. Because of this, it is often used by malicious actors as a free proxy service to hide their identity.
Recommendation
Review the user's authentication history for the past few weeks to identify any other suspicious activity. Contact the user to verify whether they knowingly use Tor when accessing organizational resources. Lock the account as necessary and have the user change their password. If this system does not require two-factor authentication, consider adding it to prevent brute-force and simple phishing attacks.
MITRE ATT&CK Techniques
- Valid Accounts - T1078
- Proxy - T1090
- Multi-hop Proxy - T1090.003
Suspicious Authentication - Total Server Solutions, Private Internet Access
Description
This detection identifies successful authentications from low-cost VPN providers.
Recommendation
Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.
MITRE ATT&CK Techniques
- Valid Accounts - T1078
- Domain Accounts - T1078.002
- Cloud Accounts - T1078.004
Suspicious Authentication - Vectant
Description
This detection identifies successful authentications from low-cost VPN providers.
Recommendation
Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.
MITRE ATT&CK Techniques
- Valid Accounts - T1078
- Domain Accounts - T1078.002
- Cloud Accounts - T1078.004
Suspicious Authentication - VolumeDrive
Suspicious Authentication - VPN Consumer Network
Suspicious Authentication - VPNSolutions
Suspicious Authentication - VPNTunnel
Suspicious Authentication - Zenex 5ive
Description
This detection identifies successful authentications from low-cost VPN providers.
Recommendation
Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.
MITRE ATT&CK Techniques
- Valid Accounts - T1078
- Domain Accounts - T1078.002
- Cloud Accounts - T1078.004