Suspicious User Behavior

These detections identify suspicious user behavior from user-generated events in order to detect compromised credentials, lateral movement, and other malicious activity.

User Behavior - A Computer Account Was Created

Description

A computer account was created.

Recommendation

Investigate the source user of this event to verify if this activity is benign or expected. Review any other suspicious activity related to this user. If necessary, lock the account and have the user change their password.

For more information on this event, follow this link: https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4741#security-monitoring-recommendations

MITRE ATT&CK Techniques

  • Create Account - T1136

User Behavior - A Member Was Added To A Security-Enabled Global Group

Description

A member was added to a security-enabled global group.

Recommendation

Investigate the source user of this event to verify if this activity is benign or expected. Review any other suspicious activity related to this user. If necessary, lock the account and have the user change their password.

For more information on this event, follow this link: https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4732#security-monitoring-recommendations

MITRE ATT&CK Techniques

  • Account Manipulation - T1098

User Behavior - A Member Was Added To A Security-Enabled Local Group

Description

A member was added to a security-enabled local group.

Recommendation

Investigate the source user of this event to verify if this activity is benign or expected. Review any other suspicious activity related to this user. If necessary, lock the account and have the user change their password.

For more information on this event, follow this link: https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4732#security-monitoring-recommendations

MITRE ATT&CK Techniques

  • Account Manipulation - T1098

User Behavior - A Member Was Added To A Security-Enabled Universal Group

Description

A member was added to a security-enabled universal group.

Recommendation

Investigate the source user of this event to verify if this activity is benign or expected. Review any other suspicious activity related to this user. If necessary, lock the account and have the user change their password.

For more information on this event, follow this link: https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4732#security-monitoring-recommendations

MITRE ATT&CK Techniques

  • Account Manipulation - T1098

User Behavior - An Attempt Was Made To Reset An Account’s Password

Description

An attempt was made to reset an account’s password.

Recommendation

Investigate the source user of this event to verify if this activity is benign or expected. Review any other suspicious activity related to this user. If necessary, lock the account and have the user change their password.

For more information on this event, follow this link: https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4724#security-monitoring-recommendations

MITRE ATT&CK Techniques

  • Account Manipulation - T1098

User Behavior - A User Account Was Changed

Description

A user account was changed.

Recommendation

Investigate the subject user of this event to verify if this activity is benign or expected. Review any other suspicious activity related to this user. If necessary, lock the account and have the user change their password.

For more information on this event, follow this link: https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4738#security-monitoring-recommendations

MITRE ATT&CK Techniques

  • Account Manipulation - T1098

User Behavior - A User Account Was Created

Description

A new account has been created.

Recommendation

Investigate the source user of this event to verify if this activity is benign or expected. Review any other suspicious activity related to this user. If necessary, lock the account and have the user change their password.

For more information on this event, follow this link: https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4720#security-monitoring-recommendations

User Behavior - A User Account Was Disabled

Description

An account has been disabled.

Recommendation

Investigate the source user of this event to verify if this activity is benign or expected. Review any other suspicious activity related to this user. If necessary, lock the account and have the user change their password.

For more information on this event, follow this link: https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4725#security-monitoring-recommendations

MITRE ATT&CK Techniques

  • Account Access Removal - T1531

User Behavior - A User Account Was Enabled

Description

A previously disabled user account has been re-enabled by an administrator.

Recommendation

Investigate the source user of this event to verify if this activity is benign or expected. Review any other suspicious activity related to this user. If necessary, lock the account and have the user change their password.

For more information on this event, follow this link: https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4722#security-monitoring-recommendations

MITRE ATT&CK Techniques

  • Account Manipulation - T1098

User Behavior - A User Account Was Locked Out

Description

An account has been locked.

Recommendation

Investigate the target user of this event to verify if this activity is benign or expected. Review any other suspicious activity related to this user. If necessary, have the user change their password.

For more information on this event, follow this link: https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4740#security-monitoring-recommendations

MITRE ATT&CK Techniques

  • Account Access Removal - T1531

User Behavior - A User Account Was Unlocked

Description

A previously locked user account has been unlocked by an administrator.

Recommendation

Investigate the source user of this event to verify if this activity is benign or expected. Review any other suspicious activity related to this user. If necessary, lock the account and have the user change their password.

For more information on this event, follow this link: https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4767#security-monitoring-recommendations