A profile representing a user, device, service, or application used to authenticate and access resources
An attempt by a user to gain access to a network or computing resource, often by providing credentials (ex: Windows EID 4625 or /var/log/auth.log)
| Domain | ID | Name | Detects |
|---|---|---|---|
| Enterprise | T1110 | Brute Force | Monitor for many failed authentication attempts across various accounts that may result from password spraying attempts. It is difficult to detect when hashes are cracked, since this is generally done outside the scope of the target network. |
| | .001 | Password Guessing | Monitor for many failed authentication attempts across various accounts that may result from password spraying attempts. It is difficult to detect when hashes are cracked, since this is generally done outside the scope of the target network. (ex: Windows EID 4625 or 5379) |
| | .002 | Password Cracking | Monitor for many failed authentication attempts across various accounts that may result from password spraying attempts. It is difficult to detect when hashes are cracked, since this is generally done outside the scope of the target network. (ex: Windows EID 4625 or 5379) |
| | .003 | Password Spraying | Monitor for many failed authentication attempts across various accounts that may result from password spraying attempts. It is difficult to detect when hashes are cracked, since this is generally done outside the scope of the target network. (ex: Windows EID 4625 or 5379) |
| | .004 | Credential Stuffing | Monitor for many failed authentication attempts across various accounts that may result from password spraying attempts. It is difficult to detect when hashes are cracked, since this is generally done outside the scope of the target network. (ex: Windows EID 4625 or 5379) |
| Enterprise | T1538 | Cloud Service Dashboard | Correlate other security systems with login information. |
| Enterprise | T1606.002 | Forge Web Credentials: SAML Tokens | Monitor for user authentication attempts, when requesting access tokens to services, that failed because of Conditional Access Policies (CAP). Some SAML token features, such as the location of a user, may not be as easy to claim. |
| Enterprise | T1070 | Indicator Removal on Host | Monitor for authentication attempts by users who may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware. |
| | .003 | Clear Command History | Monitor for authentication attempts via remote terminal services that do not have a corresponding entry in a command history file. |
| | .005 | Network Share Connection Removal | Monitoring Windows authentication logs is also useful in determining when authenticated network shares are established and by which account, and can be used to correlate network share activity to other events to investigate potentially malicious activity. |
| Enterprise | T1621 | Multi-Factor Authentication Request Generation | Monitor user account logs for suspicious events: an unusual login attempt source location, a mismatch between the location of the login attempt and the smart device receiving 2FA/MFA request prompts, and a high volume of repeated login attempts, all of which may indicate that the user's primary credentials have been compromised, minus the 2FA/MFA mechanism. |
| Enterprise | T1207 | Rogue Domain Controller | Investigate usage of Kerberos Service Principal Names (SPNs), especially those associated with services (beginning with "GC/") by computers not present in the DC organizational unit (OU). The SPN associated with the Directory Replication Service (DRS) Remote Protocol interface (GUID E3514235-4B06-11D1-AB04-00C04FC2DCD2) can be set without logging.[1] A rogue DC must authenticate as a service using these two SPNs for the replication process to successfully complete. |
| Enterprise | T1552 | Unsecured Credentials | Monitor for authentication attempts by users who may search compromised systems to find and obtain insecurely stored credentials. |
| | .005 | Cloud Instance Metadata API | It may be possible to detect adversary use of credentials they have obtained, such as in Valid Accounts. |
| | .007 | Container API | It may be possible to detect adversary use of credentials they have obtained, such as in Valid Accounts. |
| Enterprise | T1550 | Use Alternate Authentication Material | Monitor for authentication attempts by users who may use alternate authentication material, such as password hashes, Kerberos tickets, and application access tokens, in order to move laterally within an environment and bypass normal system access controls. |
| | .002 | Pass the Hash | Monitor for user authentication attempts. From a classic Pass-the-Hash perspective, this technique uses a hash through the NTLMv1/NTLMv2 protocol to authenticate against a compromised endpoint. This technique does not touch Kerberos. Therefore, NTLM LogonType 3 authentications that are not associated with a domain login and are not anonymous logins are suspicious. From an Over-Pass-the-Hash perspective, an adversary wants to exchange the hash for a Kerberos authentication ticket (TGT). One way to do this is by creating a sacrificial logon session with dummy credentials (LogonType 9) and then injecting the hash into that session, which triggers the Kerberos authentication process. |
| | .003 | Pass the Ticket | Audit all Kerberos authentication and credential use events and review for discrepancies. Unusual remote authentication events that correlate with other suspicious activity (such as writing and executing binaries) may indicate malicious activity. |
| Enterprise | T1078 | Valid Accounts | Monitor for authentication attempts by users who may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. |
| | .001 | Default Accounts | Monitor for an attempt by a user to gain access to a network or computing resource, often by providing credentials. |
| | .002 | Domain Accounts | Monitor for an attempt by a user to gain access to a network or computing resource, often by the use of domain authentication services, such as the System Security Services Daemon (sssd) on Linux. |
| | .003 | Local Accounts | Monitor for an attempt by a user to gain access to a network or computing resource, often by the use of domain authentication services, such as the System Security Services Daemon (sssd) on Linux. |
| | .004 | Cloud Accounts | Monitor the activity of cloud accounts to detect abnormal or malicious behavior, such as accessing information outside of the normal function of the account or account usage at atypical hours. |
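The two detections the table describes most concretely, spraying (many distinct accounts failing from one source in EID 4625) and the classic Pass-the-Hash shape (EID 4624, LogonType 3, NTLM, not anonymous, not a domain login), written out as an added example. This is not MITRE's code; the events are constructed sample records whose field names follow the Windows Security log EventData names, and the user names, IP addresses and the `CORP`/`WS01` domain names are invented.

```python
"""Two detections over Windows Security logon events (added example).

The events are constructed sample data shaped like EID 4624/4625 EventData
fields; they are not real logs.
"""
from collections import defaultdict
from datetime import datetime, timedelta

_T0 = datetime(2024, 1, 1, 9, 0, 0)


def _ev(eid, secs, user, domain, ip, logon_type, package):
    """Build one constructed event (field names follow the Security log)."""
    return {"EventID": eid, "TimeCreated": _T0 + timedelta(seconds=secs),
            "TargetUserName": user, "TargetDomainName": domain,
            "IpAddress": ip, "LogonType": logon_type,
            "AuthenticationPackageName": package}


SAMPLE_EVENTS = [
    # Spray pattern: one source, eight different accounts, one failure each.
    *[_ev(4625, i, f"user{i:02d}", "CORP", "10.0.0.99", 3, "NTLM") for i in range(8)],
    # Benign: one user mistyping their own password twice at the console.
    _ev(4625, 0, "alice", "CORP", "10.0.1.5", 2, "Negotiate"),
    _ev(4625, 30, "alice", "CORP", "10.0.1.5", 2, "Negotiate"),
    # Kerberos domain logon: not an NTLM event, ignored by the PtH check.
    _ev(4624, 60, "bob", "CORP", "10.0.1.7", 3, "Kerberos"),
    # NTLM fallback by a domain account: associated with a domain login, not flagged.
    _ev(4624, 70, "carol", "CORP", "10.0.1.8", 3, "NTLM"),
    # Anonymous network logon (null-session noise): explicitly excluded.
    _ev(4624, 80, "ANONYMOUS LOGON", "NT AUTHORITY", "10.0.1.9", 3, "NTLM"),
    # Local account, NTLM, network logon from the spraying host: classic PtH shape.
    _ev(4624, 90, "localadmin", "WS01", "10.0.0.99", 3, "NTLM"),
    # LogonType 9 (NewCredentials) session: the Over-Pass-the-Hash set-up.
    _ev(4624, 100, "dave", "CORP", "-", 9, "Negotiate"),
]


def detect_password_spraying(events, window=timedelta(minutes=10), min_accounts=5):
    """Return {source_ip: [accounts]} for sources that failed against at least
    `min_accounts` distinct accounts inside some `window`-long period."""
    failures = defaultdict(list)
    for e in events:
        if e["EventID"] == 4625 and e.get("IpAddress") not in (None, "", "-"):
            failures[e["IpAddress"]].append(e)
    alerts = {}
    for ip, fails in failures.items():
        fails.sort(key=lambda e: e["TimeCreated"])
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward until it spans at most `window`.
            while fails[end]["TimeCreated"] - fails[start]["TimeCreated"] > window:
                start += 1
            accounts = {e["TargetUserName"].lower() for e in fails[start:end + 1]}
            if len(accounts) >= min_accounts:
                alerts.setdefault(ip, set()).update(accounts)
    return {ip: sorted(a) for ip, a in alerts.items()}


ANONYMOUS_USERS = {"anonymous logon", "-"}


def detect_suspicious_ntlm_logons(events, domain_names):
    """Classic Pass-the-Hash shape: EID 4624, LogonType 3, NTLM package, not
    anonymous, and not a login to one of the organisation's own domains."""
    domains = {d.lower() for d in domain_names}
    hits = []
    for e in events:
        if e["EventID"] != 4624 or e["LogonType"] != 3:
            continue
        if e["AuthenticationPackageName"].upper() != "NTLM":
            continue
        if e["TargetUserName"].lower() in ANONYMOUS_USERS:
            continue
        if e["TargetDomainName"].lower() in domains:
            continue
        hits.append((e["IpAddress"], e["TargetDomainName"], e["TargetUserName"]))
    return hits


def list_newcredentials_sessions(events):
    """Over-Pass-the-Hash review queue: 4624 LogonType 9 sessions. These are
    also produced by legitimate alternate-credential use (runas /netonly), so
    they are a correlation input rather than an alert on their own."""
    return [(e["TargetDomainName"], e["TargetUserName"])
            for e in events if e["EventID"] == 4624 and e["LogonType"] == 9]


if __name__ == "__main__":
    print("spray sources:", detect_password_spraying(SAMPLE_EVENTS))
    print("suspicious NTLM logons:", detect_suspicious_ntlm_logons(SAMPLE_EVENTS, ["CORP"]))
    print("LogonType 9 sessions:", list_newcredentials_sessions(SAMPLE_EVENTS))
```

The spraying check keys on the source address rather than the account, which is what separates a spray from a single user locking themselves out; the NTLM check treats the organisation's domain list as the definition of "associated with a domain login", so local-account domains (here the hostname `WS01`) are what surface.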
Initial construction of a new account (ex: Windows EID 4720 or /etc/passwd logs)
| Domain | ID | Name | Detects |
|---|---|---|---|
| Enterprise | T1136 | Create Account | Monitor for newly constructed user accounts through account audits to detect suspicious accounts that may have been created by an adversary. Collect data on account creation within a network or Windows Event ID 4720 (for when a user account is created on a Windows system and domain controller). |
| | .001 | Local Account | Monitor for newly constructed user accounts through account audits to detect suspicious accounts that may have been created by an adversary. Collect data on account creation within a network or Windows Event ID 4720 (for when a user account is created on a Windows system and domain controller). |
| | .002 | Domain Account | Monitor for newly constructed user accounts through account audits to detect suspicious accounts that may have been created by an adversary. Collect data on account creation within a network or Windows Event ID 4720 (for when a user account is created on a Windows system and domain controller). |
| | .003 | Cloud Account | Monitor for newly constructed user accounts through the collection of usage logs from cloud user and administrator accounts to identify unusual activity in the creation of new accounts and assignment of roles to those accounts. Monitor for accounts assigned to admin roles that go over a certain threshold of known admins. |
| Enterprise | T1564 | Hide Artifacts | Monitor for newly constructed user accounts created by adversaries who may attempt to hide artifacts associated with their behaviors to evade detection. |
| | .002 | Hidden Users | Monitor for newly constructed user accounts, such as those with userIDs under 500 on macOS, that may mask the presence of user accounts an adversary creates or modifies. |
Removal of an account (ex: Windows EID 4726 or /var/log access/authentication logs)
| Domain | ID | Name | Detects |
|---|---|---|---|
| Enterprise | T1531 | Account Access Removal | Monitor for unexpected deletions of user accounts. Windows event logs may designate activity associated with an adversary's attempt to remove an account (ex: Event ID 4726 - A user account was deleted). Alerting on these Event IDs may generate a high degree of false positives, so compare against baseline knowledge for how systems are typically used and correlate modification events with other indications of malicious activity where possible. |
Contextual data about an account, which may include a username, user ID, environmental data, etc.
| Domain | ID | Name | Detects |
|---|---|---|---|
| Enterprise | T1134 | Access Token Manipulation | Monitor contextual data about an account (which may include a username, user ID, environmental data, etc.) for signs that access tokens are being modified to operate under a different user or system security context to perform actions and bypass access controls. |
| | .005 | SID-History Injection | Examine data in users' SID-History attributes. |
| Enterprise | T1564 | Hide Artifacts | Monitor contextual data about an account (which may include a username, user ID, environmental data) for attempts to hide artifacts associated with an adversary's behaviors to evade detection. |
| | .002 | Hidden Users | Monitor contextual data about an account (which may include a username, user ID, environmental data) for attempts to mask the presence of user accounts an adversary creates or modifies. On macOS, identify users with a userID under 500 and the |
| Enterprise | T1201 | Password Policy Discovery | Monitor contextual data about an account for attempts to access detailed information about the password policy used within an enterprise network or cloud environment. |
Changes made to an account, such as permissions and/or membership in specific groups (ex: Windows EID 4738 or /var/log access/authentication logs)
| Domain | ID | Name | Detects |
|---|---|---|---|
| Enterprise | T1531 | Account Access Removal | Monitor for changes made to user accounts for unexpected modification of properties, such as passwords or status (enabled/disabled). Windows event logs may designate activity associated with an adversary's attempt to remove access to an account: Event ID 4723 - An attempt was made to change an account's password; Event ID 4724 - An attempt was made to reset an account's password; Event ID 4725 - A user account was disabled. Alerting on these Event IDs may generate a high degree of false positives, so compare against baseline knowledge for how systems are typically used and correlate modification events with other indications of malicious activity where possible. |
| Enterprise | T1098 | Account Manipulation | Monitor events for changes to account objects and/or permissions on systems and the domain, such as event IDs 4738, 4728 and 4670. Monitor for modification of accounts in correlation with other suspicious activity. Changes may occur at unusual times or from unusual systems. Especially flag events where the subject and target accounts differ or that include additional flags such as changing a password without knowledge of the old password. Monitor for unusual permissions changes that may indicate excessively broad permissions being granted to compromised accounts. |
| | .001 | Additional Cloud Credentials | Monitor Azure Activity Logs for Service Principal and Application modifications. Monitor for the usage of APIs that create or import SSH keys, particularly by unexpected users or accounts such as the root account. |
| | .002 | Additional Email Delegate Permissions | Monitor for unusual Exchange and Office 365 email account permissions changes that may indicate excessively broad permissions being granted to compromised accounts. |
| | .003 | Additional Cloud Roles | Collect usage logs from cloud administrator accounts to identify unusual activity in the assignment of roles to those accounts. Monitor for accounts assigned to admin roles that go over a certain threshold of known admins. |
| | .005 | Device Registration | Monitor user accounts for new and suspicious device associations, such as those originating from unusual sources, occurring at unusual times, or following a suspicious login.[3] |
| Enterprise | T1528 | Steal Application Access Token | Administrators should set up monitoring to trigger automatic alerts when policy criteria are met. For example, using a Cloud Access Security Broker (CASB), admins can create a "High severity app permissions" policy that generates alerts if apps request high severity permissions or send permissions requests for too many users. Security analysts can hunt for malicious apps using the tools available in their CASB, identity provider, or resource provider (depending on platform). For example, they can filter for apps that are authorized by a small number of users, apps requesting high risk permissions, permissions incongruous with the app's purpose, or apps with old "Last authorized" fields. A specific app can be investigated using an activity log displaying activities the app has performed, although some activities may be mis-logged as being performed by the user. App stores can be useful resources to further investigate suspicious apps. Administrators can set up a variety of logs and leverage audit tools to monitor actions that can be conducted as a result of OAuth 2.0 access. For instance, audit reports enable admins to identify privilege escalation actions such as role creations or policy modifications, which could be actions performed after initial access. |
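The Account Access Removal and Account Manipulation rows above both boil down to scoring modification events on the same few signals: subject and target differ, a password reset that needs no old password (4724 rather than 4723), additions to privileged groups (4728), and activity outside the hours when admins make changes; the Cloud Account and Additional Cloud Roles rows add a count of admin-role holders against a known number. The block below, an added example that is not MITRE's code, implements both over constructed Windows Security events and a constructed cloud role-assignment log. The account, group and role names, the change window and the known-admin count are all invented or assumed.

```python
"""Triage of account-modification events and admin-role counts (added example).

Events are constructed in the shape of EID 4724/4725/4728/4738 EventData;
the role-assignment entries are constructed (actor, role, principal) tuples.
"""
from datetime import datetime

PRIVILEGED_GROUPS = {"domain admins", "enterprise admins", "administrators"}
CHANGE_WINDOW = (8, 18)  # assumed: local hours during which admin changes are expected

SAMPLE_EVENTS = [
    # A user's own self-service change produces a 4738 on the same account: benign.
    {"EventID": 4738, "TimeCreated": datetime(2024, 1, 3, 10, 0),
     "SubjectUserName": "alice", "TargetUserName": "alice", "Computer": "DC01"},
    # Help desk resets a colleague's password inside the window: review only.
    {"EventID": 4724, "TimeCreated": datetime(2024, 1, 3, 11, 30),
     "SubjectUserName": "helpdesk1", "TargetUserName": "bob", "Computer": "DC01"},
    # Password reset followed by a Domain Admins add at 02:00 by a non-admin subject.
    {"EventID": 4724, "TimeCreated": datetime(2024, 1, 4, 2, 5),
     "SubjectUserName": "carol", "TargetUserName": "svc_sql", "Computer": "DC01"},
    {"EventID": 4728, "TimeCreated": datetime(2024, 1, 4, 2, 6),
     "SubjectUserName": "carol", "TargetUserName": "Domain Admins",
     "MemberName": "CN=svc_sql,OU=Service,DC=corp,DC=local", "Computer": "DC01"},
    # Account disabled by an admin during the day: routine offboarding.
    {"EventID": 4725, "TimeCreated": datetime(2024, 1, 4, 9, 0),
     "SubjectUserName": "jsmith-adm", "TargetUserName": "dave", "Computer": "DC01"},
]

EVENT_LABELS = {4723: "password change attempt", 4724: "password reset",
                4725: "account disabled", 4728: "member added to global group",
                4738: "account changed", 4670: "object permissions changed"}


def triage_account_changes(events, privileged_groups=PRIVILEGED_GROUPS,
                           change_window=CHANGE_WINDOW):
    """Score each modification event: +1 subject differs from target, +1 outside
    the change window, +1 reset without the old password (4724), +2 member added
    to a privileged group (4728). Returns (score, reasons, event) with score >= 1,
    highest score first, then oldest first."""
    findings = []
    for e in events:
        if e["EventID"] not in EVENT_LABELS:
            continue
        reasons, score = [], 0
        if e["EventID"] == 4728:
            group = e["TargetUserName"]  # for membership events the target is the group
            if group.lower() in privileged_groups:
                score += 2
                reasons.append(f"added to privileged group {group}")
        elif e["SubjectUserName"].lower() != e["TargetUserName"].lower():
            score += 1
            reasons.append("subject and target differ")
        if e["EventID"] == 4724:
            score += 1
            reasons.append("password reset without old password")
        if not change_window[0] <= e["TimeCreated"].hour < change_window[1]:
            score += 1
            reasons.append("outside change window")
        if score:
            findings.append((score, reasons, e))
    return sorted(findings, key=lambda f: (-f[0], f[2]["TimeCreated"]))


# Constructed cloud audit entries: who assigned which role to which principal.
SAMPLE_ROLE_ASSIGNMENTS = [
    ("jsmith-adm", "Owner", "jsmith-adm"),
    ("jsmith-adm", "Owner", "ops-lead"),
    ("ci-pipeline", "Contributor", "deploy-sp"),
    ("ops-lead", "Owner", "contractor-77"),
    ("ops-lead", "Owner", "contractor-78"),
]


def admin_roles_over_threshold(assignments, admin_roles=("Owner",), known_admins=3):
    """Count distinct principals holding an admin role and compare with the number
    of admins the organisation knows it has. Returns (over_threshold, holders)."""
    holders = {principal for _, role, principal in assignments if role in admin_roles}
    return (len(holders) > known_admins, sorted(holders))


if __name__ == "__main__":
    for score, reasons, e in triage_account_changes(SAMPLE_EVENTS):
        print(score, EVENT_LABELS[e["EventID"]], e["TargetUserName"], reasons)
    print(admin_roles_over_threshold(SAMPLE_ROLE_ASSIGNMENTS))
```

The scoring keeps the page's own caveat intact: a lone "subject and target differ" hit (the offboarding disable) scores 1 and stays a review item, while the reset-then-privileged-group pair at 02:00 by the same subject rises to the top because several weak signals coincide, which is what "correlate modification events with other indications" means in practice.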
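The Steal Application Access Token row lists the hunting filters an analyst applies to OAuth app consents (few consenting users, high-risk permissions, permissions that do not fit the app's purpose, stale "Last authorized" dates) and the CASB policy that alerts automatically. The block below is an added example of those filters, not MITRE's code and not any CASB's logic, run over constructed consent records. The permission strings follow the Microsoft Graph naming style but the apps, user counts, dates and the purpose-to-permission mapping are invented, and the high-severity set and the 5-user and 365-day thresholds are assumptions to be tuned.

```python
"""OAuth app consent triage over constructed records (added example)."""
from datetime import date

# Permissions assumed to be high severity: broad mailbox, file or directory write access.
HIGH_SEVERITY_PERMISSIONS = {
    "Mail.ReadWrite", "Mail.Send", "Files.ReadWrite.All",
    "Directory.ReadWrite.All", "RoleManagement.ReadWrite.Directory",
}

# Scopes that almost every app requests; they say nothing about its purpose.
GENERIC_PERMISSIONS = {"offline_access", "openid", "profile", "email", "User.Read"}

# Assumed mapping from an app's declared purpose to the permission prefixes it should need.
PURPOSE_PREFIXES = {
    "calendar": ("Calendars.",),
    "documents": ("Files.",),
    "survey": (),
    "directory": ("Directory.",),
}

SAMPLE_APPS = [  # constructed consent records as a CASB or identity provider would export
    {"name": "Team Calendar Sync", "purpose": "calendar",
     "permissions": {"Calendars.Read", "User.Read"},
     "users": 420, "last_authorized": date(2024, 1, 10)},
    {"name": "PDF Helper", "purpose": "documents",
     "permissions": {"Mail.ReadWrite", "Mail.Send", "offline_access"},
     "users": 2, "last_authorized": date(2024, 1, 12)},
    {"name": "Legacy Survey Tool", "purpose": "survey",
     "permissions": {"User.Read"},
     "users": 35, "last_authorized": date(2022, 6, 1)},
    {"name": "Directory Cleaner", "purpose": "directory",
     "permissions": {"Directory.ReadWrite.All"},
     "users": 1, "last_authorized": date(2024, 1, 13)},
]


def incongruous_permissions(app):
    """Permissions that match neither the app's declared purpose nor the generic set."""
    prefixes = PURPOSE_PREFIXES.get(app["purpose"], ())
    return sorted(p for p in app["permissions"]
                  if p not in GENERIC_PERMISSIONS
                  and not any(p.startswith(pre) for pre in prefixes))


def hunt_suspicious_apps(apps, today, few_users=5, stale_days=365):
    """Apply the hunting filters; returns (app name, reasons) for apps that match any."""
    findings = []
    for app in apps:
        high = sorted(app["permissions"] & HIGH_SEVERITY_PERMISSIONS)
        reasons = []
        if high and app["users"] <= few_users:
            reasons.append(f"high-risk permissions {high} authorized by only {app['users']} user(s)")
        odd = incongruous_permissions(app)
        if odd:
            reasons.append(f"permissions {odd} incongruous with purpose '{app['purpose']}'")
        if (today - app["last_authorized"]).days > stale_days:
            reasons.append("last authorized more than a year ago")
        if reasons:
            findings.append((app["name"], reasons))
    return findings


def policy_alert(app, max_users=50):
    """Automatic policy in the spirit of a CASB 'High severity app permissions'
    rule: alert when an app requests a high-severity permission or when its
    permission request reaches more than `max_users` users."""
    high = app["permissions"] & HIGH_SEVERITY_PERMISSIONS
    return bool(high) or app["users"] > max_users


if __name__ == "__main__":
    for name, reasons in hunt_suspicious_apps(SAMPLE_APPS, date(2024, 1, 15)):
        print(name, reasons)
    print([(a["name"], policy_alert(a)) for a in SAMPLE_APPS])
```

The purpose check is the one the page calls hardest to automate; modelling it as "permissions outside the prefixes this kind of app should need" is crude but catches the common case of a document utility asking for mailbox access, and an analyst still confirms the finding against the app's activity log before acting.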