InsightIDR - Suspicious Ingress Authentications

Suspicious Ingress Authentications

These detection rules identify suspicious activity from ingress authentication records collected by InsightIDR Collectors. Each rule below fires on a successful authentication whose source IP address falls within the address space of the named provider. Several of the providers listed are hosting companies rather than consumer VPN brands; their ranges are included because VPN services and attackers commonly terminate anonymizing infrastructure on rented servers in that address space. A successful authentication from one of these ranges is not proof of compromise: the triage step in every recommendation is to establish whether the user in question habitually connects through that provider.

Suspicious Authentication - Alibaba

Description

This detection identifies successful authentications from low-cost VPN providers.

Recommendation

Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.

MITRE ATT&CK Techniques

  • Valid Accounts - T1078
  • Domain Accounts - T1078.002
  • Cloud Accounts - T1078.004

Suspicious Authentication - AltusHost

Description

This detection identifies successful authentications from low-cost VPN providers.

Recommendation

Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.

MITRE ATT&CK Techniques

  • Valid Accounts - T1078
  • Domain Accounts - T1078.002
  • Cloud Accounts - T1078.004

Suspicious Authentication - Anonine VPN

Description

This detection identifies successful authentications from low-cost VPN providers.

Recommendation

Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.

Suspicious Authentication - Avast

Description

This detection identifies successful authentications from low-cost VPN providers.

Recommendation

Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.

MITRE ATT&CK Techniques

  • Valid Accounts - T1078
  • Domain Accounts - T1078.002
  • Cloud Accounts - T1078.004

Suspicious Authentication - Choopa

Description

This detection identifies successful authentications from low-cost VPN providers.

Recommendation

Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.

MITRE ATT&CK Techniques

  • Valid Accounts - T1078
  • Domain Accounts - T1078.002
  • Cloud Accounts - T1078.004

Suspicious Authentication - ColoCrossing

Description

This detection identifies successful authentications from low-cost VPN providers.

Recommendation

Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.

MITRE ATT&CK Techniques

  • Valid Accounts - T1078
  • Domain Accounts - T1078.002
  • Cloud Accounts - T1078.004

Suspicious Authentication - CyberGhost

Description

This detection identifies successful authentications from low-cost VPN providers.

Recommendation

Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.

Suspicious Authentication - DataCamp Limited

Description

This detection identifies successful authentications from low-cost VPN providers.

Recommendation

Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.

MITRE ATT&CK Techniques

  • Valid Accounts - T1078
  • Domain Accounts - T1078.002
  • Cloud Accounts - T1078.004

Suspicious Authentication - DataClub, Dedicated Servers

Description

This detection identifies successful authentications from low-cost VPN providers.

Recommendation

Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.

MITRE ATT&CK Techniques

  • Valid Accounts - T1078
  • Domain Accounts - T1078.002
  • Cloud Accounts - T1078.004

Suspicious Authentication - Dedipath

Description

This detection identifies successful authentications from low-cost VPN providers.

Recommendation

Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.

MITRE ATT&CK Techniques

  • Domain Accounts - T1078.002

Suspicious Authentication - Digital Ocean

Description

This detection identifies successful authentications from low-cost VPN providers.

Recommendation

Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.

MITRE ATT&CK Techniques

  • Valid Accounts - T1078
  • Domain Accounts - T1078.002
  • Cloud Accounts - T1078.004

Suspicious Authentication - ExpressVPN

Description

This detection identifies successful authentications from low-cost VPN providers.

Recommendation

Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.

MITRE ATT&CK Techniques

  • Valid Accounts - T1078
  • Domain Accounts - T1078.002
  • Cloud Accounts - T1078.004

Suspicious Authentication - GigeNET

Description

This detection identifies successful authentications from low-cost VPN providers.

Recommendation

Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.

MITRE ATT&CK Techniques

  • Valid Accounts - T1078
  • Domain Accounts - T1078.002
  • Cloud Accounts - T1078.004

Suspicious Authentication - Host1Plus

Description

This detection identifies successful authentications from low-cost VPN providers.

Recommendation

Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.

MITRE ATT&CK Techniques

  • Valid Accounts - T1078
  • Domain Accounts - T1078.002
  • Cloud Accounts - T1078.004

Suspicious Authentication - Input Output Flood LLC

Description

This detection identifies successful authentications from low-cost VPN providers.

Recommendation

Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.

MITRE ATT&CK Techniques

  • Valid Accounts - T1078
  • Domain Accounts - T1078.002
  • Cloud Accounts - T1078.004

Suspicious Authentication - Interserver

Description

This detection identifies successful authentications from low-cost VPN providers.

Recommendation

Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.

Suspicious Authentication - IPVanish

Description

This detection identifies successful authentications from low-cost VPN providers.

Recommendation

Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.

MITRE ATT&CK Techniques

  • Valid Accounts - T1078
  • Domain Accounts - T1078.002
  • Cloud Accounts - T1078.004

Suspicious Authentication - IP Volume

Description

This detection identifies successful authentications from low-cost VPN providers.

Recommendation

Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.

MITRE ATT&CK Techniques

  • Valid Accounts - T1078
  • Domain Accounts - T1078.002
  • Cloud Accounts - T1078.004

Suspicious Authentication - IT7 Networks

Description

This detection identifies successful authentications from low-cost VPN providers.

Recommendation

Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.

Suspicious Authentication - ITL-Bulgaria Ltd.

Description

This detection identifies successful authentications from low-cost VPN providers.

Recommendation

Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.

Suspicious Authentication - LeaseWeb

Description

This detection identifies successful authentications from low-cost VPN providers.

Recommendation

Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.

MITRE ATT&CK Techniques

  • Domain Accounts - T1078.002

Suspicious Authentication - Liquid Web

Description

This detection identifies successful authentications from low-cost VPN providers.

Recommendation

Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.

Suspicious Authentication - M247

Description

This detection identifies successful authentications from low-cost VPN providers.

Recommendation

Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.

MITRE ATT&CK Techniques

  • Valid Accounts - T1078
  • Domain Accounts - T1078.002
  • Cloud Accounts - T1078.004

Suspicious Authentication - Micfo

Description

This detection identifies successful authentications from low-cost VPN providers.

Recommendation

Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.

Suspicious Authentication - NeoVPN

Description

This detection identifies successful authentications from low-cost VPN providers.

Recommendation

Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.

Suspicious Authentication - NordVPN

Description

This detection identifies successful authentications from low-cost VPN providers.

Recommendation

Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.

Suspicious Authentication - Obehosting

Description

This detection identifies successful authentications from low-cost VPN providers.

Recommendation

Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.

Suspicious Authentication - OVH

Description

This detection identifies successful authentications from low-cost VPN providers.

Recommendation

Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.

MITRE ATT&CK Techniques

  • Valid Accounts - T1078
  • Domain Accounts - T1078.002
  • Cloud Accounts - T1078.004

Suspicious Authentication - OVPN

Description

This detection identifies successful authentications from low-cost VPN providers.

Recommendation

Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.

Suspicious Authentication - OVPN.se

Description

This detection identifies successful authentications from low-cost VPN providers.

Recommendation

Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.

Suspicious Authentication - Private Layer Inc

Description

This detection identifies successful authentications from low-cost VPN providers.

Recommendation

Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.

MITRE ATT&CK Techniques

  • Valid Accounts - T1078
  • Domain Accounts - T1078.002
  • Cloud Accounts - T1078.004

Suspicious Authentication - ProfitServer

Description

This detection identifies successful authentications from low-cost VPN providers.

Recommendation

Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.

Suspicious Authentication - Psychz Networks

Description

This detection identifies successful authentications from low-cost VPN providers.

Recommendation

Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.

MITRE ATT&CK Techniques

  • Valid Accounts - T1078
  • Domain Accounts - T1078.002
  • Cloud Accounts - T1078.004

Suspicious Authentication - QuadraNet

Description

This detection identifies successful authentications from low-cost VPN providers.

Recommendation

Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.

MITRE ATT&CK Techniques

  • Valid Accounts - T1078
  • Domain Accounts - T1078.002
  • Cloud Accounts - T1078.004

Suspicious Authentication - Redstation Limited

Description

This detection identifies successful authentications from low-cost VPN providers.

Recommendation

Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.

Suspicious Authentication - SoftEther Corporation

Description

This detection identifies successful authentications from low-cost VPN providers.

Recommendation

Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.

Suspicious Authentication - SoftLayer

Description

This detection identifies successful authentications from low-cost VPN providers.

Recommendation

Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.

MITRE ATT&CK Techniques

  • Valid Accounts - T1078
  • Domain Accounts - T1078.002
  • Cloud Accounts - T1078.004

Suspicious Authentication - StrongVPN

Description

This detection identifies successful authentications from low-cost VPN providers.

Recommendation

Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.

Suspicious Authentication - Tor Exit Node

Description

This detection identifies successful authentications from IP addresses of known Tor exit nodes. The Tor Project was established to provide online privacy through network anonymization: the exit node, not the client, is the source address seen by the destination. Because of this, Tor is often used by malicious actors as a free proxy service to hide their true origin.

Recommendation

Review the authentication history for the user for the past few weeks to identify any other suspicious activity. Reach out to the user to verify whether they are knowingly using Tor when accessing organizational resources. Lock the account as necessary and have the user change their password. If this system does not require two-factor authentication, consider requiring it, so that a password obtained by brute force or simple phishing is not on its own sufficient to authenticate.

MITRE ATT&CK Techniques

  • Valid Accounts - T1078
  • Proxy - T1090
  • Multi-hop Proxy - T1090.003
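The detection and triage pattern shared by the VPN/hosting-provider rules above and by the Tor Exit Node rule, written out as an added example. This is illustrative code, not InsightIDR's rule logic or any Rapid7 code. The provider names (ExampleVPN, ExampleHost), their address ranges (taken from the RFC 5737 documentation blocks, not any provider's real allocation), the Tor exit addresses and the ingress authentication records are all constructed for this example. It matches each successful authentication against provider ranges (CIDR prefixes) and the Tor exit list (exact addresses), then applies the recommendation's first question, whether this user has recently authenticated from the same source before, so the alert carries its own triage context.

```python
"""Replay constructed ingress-authentication records against provider address
lists and annotate each hit with the user's recent history from that source.
Added example; not InsightIDR rule logic. All addresses and records are constructed."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical providers with RFC 5737 documentation ranges (NOT real allocations).
# A production rule would carry the provider's current ASN/CIDR list instead.
PROVIDER_RANGES = {
    "ExampleVPN": ["192.0.2.0/24"],        # hypothetical consumer VPN brand
    "ExampleHost": ["198.51.100.0/24"],    # hypothetical hosting provider
}

# Tor exit relays are published as exact addresses, so they are a set, not prefixes.
TOR_EXITS = {"203.0.113.7", "203.0.113.9"}  # constructed, not real exit nodes

# Constructed ingress auth records: (ISO timestamp, user, source IP, result).
EVENTS = [
    ("2024-05-01T08:00:00", "alice", "10.0.0.5",     "SUCCESS"),  # corporate LAN: never flagged
    ("2024-05-02T09:15:00", "alice", "192.0.2.10",   "SUCCESS"),  # ExampleVPN, first time for alice
    ("2024-05-03T09:10:00", "alice", "192.0.2.11",   "SUCCESS"),  # ExampleVPN again: baseline exists
    ("2024-05-03T22:40:00", "bob",   "198.51.100.4", "FAILURE"),  # failed auth: out of scope
    ("2024-05-03T22:41:00", "bob",   "198.51.100.4", "SUCCESS"),  # ExampleHost, first time for bob
    ("2024-05-04T03:05:00", "carol", "203.0.113.7",  "SUCCESS"),  # Tor exit node
]

# Pre-parse the prefixes once so the per-event check is a plain containment test.
_NETS = [(name, ipaddress.ip_network(cidr))
         for name, cidrs in PROVIDER_RANGES.items() for cidr in cidrs]


def classify_source(ip_str):
    """Return the rule label for a source IP ('Tor Exit Node', a provider name)
    or None when the address is in none of the watched ranges or is unparsable."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return None          # malformed field in the record: do not crash the rule
    if ip_str in TOR_EXITS:  # exact-match list takes precedence over any prefix
        return "Tor Exit Node"
    for name, net in _NETS:
        if ip in net:
            return name
    return None


def detect(events, lookback=timedelta(days=21)):
    """Return one alert per SUCCESSFUL authentication from a flagged source.

    Each alert records how many earlier successful authentications the same user
    made from the same source category inside the lookback window; zero means
    this is the first time, which is the case the recommendations treat as most
    suspicious ("if the user does not use this VPN service ...")."""
    history = defaultdict(list)   # user -> [(timestamp, label)] of earlier successes
    alerts = []
    for ts_s, user, ip, result in sorted(events, key=lambda e: e[0]):
        ts = datetime.fromisoformat(ts_s)
        label = classify_source(ip)
        if result == "SUCCESS" and label is not None:
            prior = [t for t, l in history[user]
                     if l == label and ts - t <= lookback]
            alerts.append({
                "rule": f"Suspicious Authentication - {label}",
                "user": user,
                "source_ip": ip,
                "timestamp": ts_s,
                "prior_auths_from_source": len(prior),
                "first_seen": not prior,
            })
        if result == "SUCCESS":
            # Only successes build the baseline; failures say nothing about habit.
            history[user].append((ts, label))
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        flag = "FIRST SEEN" if alert["first_seen"] else f"{alert['prior_auths_from_source']} prior"
        print(f"{alert['timestamp']} {alert['rule']:<45} {alert['user']:<6} {alert['source_ip']:<14} {flag}")
```

Failed authentications from these ranges are deliberately ignored by the alerting branch but not by the baseline: a failure followed by a success from the same hosting IP (bob above) still surfaces as a first-seen hit, which is exactly the sequence the recommendation's "lock the account and contact the user out-of-band" step is written for.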

Suspicious Authentication - Total Server Solutions, Private Internet Access

Description

This detection identifies successful authentications from low-cost VPN providers.

Recommendation

Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.

MITRE ATT&CK Techniques

  • Valid Accounts - T1078
  • Domain Accounts - T1078.002
  • Cloud Accounts - T1078.004

Suspicious Authentication - Vectant

Description

This detection identifies successful authentications from low-cost VPN providers.

Recommendation

Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.

MITRE ATT&CK Techniques

  • Valid Accounts - T1078
  • Domain Accounts - T1078.002
  • Cloud Accounts - T1078.004

Suspicious Authentication - VolumeDrive

Description

This detection identifies successful authentications from low-cost VPN providers.

Recommendation

Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.

Suspicious Authentication - VPN Consumer Network

Description

This detection identifies successful authentications from low-cost VPN providers.

Recommendation

Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.

Suspicious Authentication - VPNSolutions

Description

This detection identifies successful authentications from low-cost VPN providers.

Recommendation

Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.

Suspicious Authentication - VPNTunnel

Description

This detection identifies successful authentications from low-cost VPN providers.

Recommendation

Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.

Suspicious Authentication - Zenex 5ive

Description

This detection identifies successful authentications from low-cost VPN providers.

Recommendation

Review the authentication history for the user in question. If the user does not use this VPN service, lock the account and contact the user out-of-band to reset their password.

MITRE ATT&CK Techniques

  • Valid Accounts - T1078
  • Domain Accounts - T1078.002
  • Cloud Accounts - T1078.004