Suspicious User Behavior

Description

A computer account was created.

Recommendation

Investigate the source user of this event to verify if this activity is benign or expected. Review any other suspicious activity related to this user. If necessary, lock the account and have the user change their password.

For more information on this event, follow this link: https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4741#security-monitoring-recommendations 

MITRE ATT&CK Techniques

• Create Account - T1136

Description

A member was added to a security-enabled global group.

Recommendation

Investigate the source user of this event to verify if this activity is benign or expected. Review any other suspicious activity related to this user. If necessary, lock the account and have the user change their password.

For more information on this event, follow this link: https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4732#security-monitoring-recommendations 

MITRE ATT&CK Techniques

• Account Manipulation - T1098

Description

A member was added to a security-enabled local group.

Recommendation

Investigate the source user of this event to verify if this activity is benign or expected. Review any other suspicious activity related to this user. If necessary, lock the account and have the user change their password.

For more information on this event, follow this link: https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4732#security-monitoring-recommendations 

MITRE ATT&CK Techniques

• Account Manipulation - T1098

Description

A member was added to a security-enabled universal group

Recommendation

Investigate the source user of this event to verify if this activity is benign or expected. Review any other suspicious activity related to this user. If necessary, lock the account and have the user change their password.

For more information on this event, follow this link: https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4732#security-monitoring-recommendations 

MITRE ATT&CK Techniques

• Account Manipulation - T1098

Description

An attempt was made to reset an account’s password.

Recommendation

Investigate the source user of this event to verify if this activity is benign or expected. Review any other suspicious activity related to this user. If necessary, lock the account and have the user change their password.

For more information on this event, follow this link: https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4724#security-monitoring-recommendations 

MITRE ATT&CK Techniques

• Account Manipulation - T1098

Description

A user account was changed.

Recommendation

Investigate the subject user of this event to verify if this activity is benign or expected. Review any other suspicious activity related to this user. If necessary, lock the account and have the user change their password.

For more information on this event, follow this link: https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4738#security-monitoring-recommendations 

MITRE ATT&CK Techniques

• Account Manipulation - T1098

Description

A new account has been created.

Recommendation

Investigate the source user of this event to verify if this activity is benign or expected. Review any other suspicious activity related to this user. If necessary, lock the account and have the user change their password.

For more information on this event, follow this link: https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4720#security-monitoring-recommendations 

Description

An account has been disabled.

Recommendation

Investigate the source user of this event to verify if this activity is benign or expected. Review any other suspicious activity related to this user. If necessary, lock the account and have the user change their password.

For more information on this event, follow this link: https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4725#security-monitoring-recommendations 

MITRE ATT&CK Techniques

• Account Access Removal - T1531

Description

A previously disabled user account has been re-enabled by an administrator.

Recommendation

Investigate the source user of this event to verify if this activity is benign or expected. Review any other suspicious activity related to this user. If necessary, lock the account and have the user change their password.

For more information on this event, follow this link: https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4722#security-monitoring-recommendations 

MITRE ATT&CK Techniques

• Account Manipulation - T1098

Description

An account has been locked.

Recommendation

Investigate the target user of this event to verify if this activity is benign or expected. Review any other suspicious activity related to this user. If necessary, have the user change their password.

For more information on this event, follow this link: https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4740#security-monitoring-recommendations 

MITRE ATT&CK Techniques

• Account Access Removal - T1531

Description

A previously locked user account has been unlocked by an administrator.

Recommendation

Investigate the source user of this event to verify if this activity is benign or expected. Review any other suspicious activity related to this user. If necessary, lock the account and have the user change their password.

For more information on this event, follow this link: https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4767#security-monitoring-recommendations