Analytics Story: Compromised User Account

Description

Monitor for activities and techniques associated with Compromised User Account attacks.

Why it matters

A user account is compromised when an attacker gains unauthorized access to it through techniques such as brute force, password spraying, credential stuffing, social engineering, phishing and spear phishing. Posing as the legitimate user, the attacker can change account details, send phishing email from the account, steal financial information or other sensitive data, and reuse anything harvested to reach further accounts in the organization. This analytic story groups detections that help security operations teams spot the signs of a compromised user account: failed and sprayed authentication attempts in Windows, AWS and Azure AD logs, successful logins from multiple or new locations, password policy changes, and MFA methods registered or repeatedly failing after a credential reset.

Detections

Name | Technique | Type
Detect Distributed Password Spray Attempts | Password Spraying, Brute Force | Hunting
Detect Password Spray Attempts | Password Spraying, Brute Force | TTP
PingID Mismatch Auth Source and Verification Response | Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration | TTP
PingID Multiple Failed MFA Requests For User | Multi-Factor Authentication Request Generation, Valid Accounts, Brute Force | TTP
PingID New MFA Method After Credential Reset | Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration | TTP
PingID New MFA Method Registered For User | Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration | TTP
Abnormally High Number Of Cloud Infrastructure API Calls | Cloud Accounts, Valid Accounts | Anomaly
ASL AWS Concurrent Sessions From Different Ips | Browser Session Hijacking | Anomaly
AWS Concurrent Sessions From Different Ips | Browser Session Hijacking | TTP
AWS Console Login Failed During MFA Challenge | Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation | TTP
AWS High Number Of Failed Authentications For User | Password Policy Discovery | Anomaly
AWS High Number Of Failed Authentications From Ip | Brute Force, Password Spraying, Credential Stuffing | Anomaly
AWS Multiple Users Failing To Authenticate From Ip | Brute Force, Password Spraying, Credential Stuffing | Anomaly
AWS Password Policy Changes | Password Policy Discovery | Hunting
AWS Successful Console Authentication From Multiple IPs | Compromise Accounts, Unused/Unsupported Cloud Regions | Anomaly
Azure AD Concurrent Sessions From Different Ips | Browser Session Hijacking | TTP
Azure AD High Number Of Failed Authentications For User | Brute Force, Password Guessing | TTP
Azure AD High Number Of Failed Authentications From Ip | Brute Force, Password Guessing, Password Spraying | TTP
Azure AD New MFA Method Registered For User | Modify Authentication Process, Multi-Factor Authentication | TTP
Azure AD Successful Authentication From Different Ips | Brute Force, Password Guessing, Password Spraying | TTP
Detect AWS Console Login by User from New City | Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions | Hunting
Detect AWS Console Login by User from New Country | Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions | Hunting
Detect AWS Console Login by User from New Region | Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions | Hunting
ASL AWS Password Policy Changes | Password Policy Discovery | Hunting
Detect Password Spray Attack Behavior From Source | Password Spraying, Brute Force | TTP
Detect Password Spray Attack Behavior On User | Password Spraying, Brute Force | TTP
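Two of the AWS detections above, the "many users failing from one source IP" shape of AWS Multiple Users Failing To Authenticate From Ip and the "one user succeeding from several IPs" shape of AWS Concurrent Sessions From Different Ips, replayed in Python over constructed CloudTrail ConsoleLogin records. This is an added example for this page, not the Splunk content's own SPL; the sample events are made up, and the 10-minute bucket, the five-distinct-users threshold and the 30-minute concurrency window are assumptions to tune rather than the values the shipped searches use. The field names (eventName, eventTime, userIdentity.userName, sourceIPAddress, responseElements.ConsoleLogin, additionalEventData.MFAUsed) follow the CloudTrail ConsoleLogin record layout.

```python
"""Two Compromised User Account detections replayed over constructed AWS
CloudTrail ConsoleLogin records: a password spray from one source IP, and a
user with successful console logins from different IPs in a short window.
Example code added for this page, not the Splunk detections' own SPL."""
from collections import defaultdict
from datetime import datetime, timezone


def parse_time(ts):
    """CloudTrail eventTime is ISO-8601 UTC, e.g. "2024-05-01T10:00:05Z"."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def login_event(t, user, ip, success, mfa="No"):
    """Minimal ConsoleLogin record using the CloudTrail field layout. The
    records built below are constructed for this example, not captured logs."""
    return {
        "eventName": "ConsoleLogin",
        "eventTime": t,
        "userIdentity": {"type": "IAMUser", "userName": user},
        "sourceIPAddress": ip,
        "responseElements": {"ConsoleLogin": "Success" if success else "Failure"},
        "additionalEventData": {"MFAUsed": mfa},
    }


SAMPLE_EVENTS = [
    # one source tries a password against many users, then lands on erin
    login_event("2024-05-01T10:00:05Z", "alice", "203.0.113.10", False),
    login_event("2024-05-01T10:00:41Z", "bob", "203.0.113.10", False),
    login_event("2024-05-01T10:01:17Z", "carol", "203.0.113.10", False),
    login_event("2024-05-01T10:01:55Z", "dave", "203.0.113.10", False),
    login_event("2024-05-01T10:02:30Z", "erin", "203.0.113.10", False),
    login_event("2024-05-01T10:04:12Z", "erin", "203.0.113.10", True),
    # a legitimate user mistyping her password twice from the office range
    login_event("2024-05-01T10:05:00Z", "alice", "198.51.100.5", False),
    login_event("2024-05-01T10:05:20Z", "alice", "198.51.100.5", False),
    login_event("2024-05-01T10:05:45Z", "alice", "198.51.100.5", True, mfa="Yes"),
    # erin's own session from her usual address, minutes after the attacker's
    login_event("2024-05-01T10:10:00Z", "erin", "198.51.100.77", True, mfa="Yes"),
]


def _console_logins(events, outcome):
    """Yield ConsoleLogin records whose responseElements.ConsoleLogin is `outcome`."""
    for ev in events:
        if ev.get("eventName") != "ConsoleLogin":
            continue
        if ev.get("responseElements", {}).get("ConsoleLogin") != outcome:
            continue
        yield ev


def password_spray_sources(events, window_seconds=600, min_users=5):
    """Source IPs whose failed ConsoleLogin attempts hit at least `min_users`
    distinct user names inside one `window_seconds` time bucket: the "many
    users, one source" shape of AWS Multiple Users Failing To Authenticate
    From Ip. Bucket size and threshold are assumptions to tune per account."""
    failed_users = defaultdict(set)  # (ip, bucket) -> {user, ...}
    for ev in _console_logins(events, "Failure"):
        bucket = int(parse_time(ev["eventTime"]).timestamp()) // window_seconds
        failed_users[(ev["sourceIPAddress"], bucket)].add(ev["userIdentity"]["userName"])
    hits = defaultdict(set)
    for (ip, _), users in failed_users.items():
        if len(users) >= min_users:
            hits[ip] |= users
    return {ip: sorted(users) for ip, users in hits.items()}


def concurrent_sessions_from_different_ips(events, window_seconds=1800):
    """Users with successful ConsoleLogin events from two or more source IPs
    within `window_seconds` of each other (the AWS Concurrent Sessions From
    Different Ips shape). A sliding window over each user's time-sorted
    successes is used so a pair straddling a bucket boundary is not missed."""
    successes = defaultdict(list)  # user -> [(time, ip), ...]
    for ev in _console_logins(events, "Success"):
        successes[ev["userIdentity"]["userName"]].append(
            (parse_time(ev["eventTime"]), ev["sourceIPAddress"]))
    hits = defaultdict(set)
    for user, logins in successes.items():
        logins.sort()
        for i, (t_i, ip_i) in enumerate(logins):
            ips = {ip_i}
            for t_j, ip_j in logins[i + 1:]:
                if (t_j - t_i).total_seconds() > window_seconds:
                    break
                ips.add(ip_j)
            if len(ips) >= 2:
                hits[user] |= ips
    return {user: sorted(ips) for user, ips in hits.items()}


if __name__ == "__main__":
    print("password spray sources:", password_spray_sources(SAMPLE_EVENTS))
    print("concurrent sessions:", concurrent_sessions_from_different_ips(SAMPLE_EVENTS))
```

On the sample data the spray detection names 203.0.113.10 with all five targeted users, while alice's two typos from 198.51.100.5 stay under the threshold; the concurrency detection names erin because the attacker's success from 203.0.113.10 and her own login from 198.51.100.77 fall inside the window. The records also carry additionalEventData.MFAUsed, which neither function alerts on; in triage, a success with MFAUsed "No" right after a run of failures from the same source is the detail that separates a landed spray from a user fumbling a password.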

Data Sources

Name | Platform | Sourcetype | Source
AWS CloudTrail | AWS | aws:cloudtrail | aws_cloudtrail
AWS CloudTrail ConsoleLogin | AWS | aws:cloudtrail | aws_cloudtrail
AWS CloudTrail DeleteAccountPasswordPolicy | AWS | aws:cloudtrail | aws_cloudtrail
AWS CloudTrail DescribeEventAggregates | AWS | aws:cloudtrail | aws_cloudtrail
AWS CloudTrail GetAccountPasswordPolicy | AWS | aws:cloudtrail | aws_cloudtrail
AWS CloudTrail UpdateAccountPasswordPolicy | AWS | aws:cloudtrail | aws_cloudtrail
Azure Active Directory | Azure | azure:monitor:aad | Azure AD
Azure Active Directory Sign-in activity | Azure | azure:monitor:aad | Azure AD
Azure Active Directory User registered security info | Azure | azure:monitor:aad | Azure AD
PingID | N/A | XmlWinEventLog | XmlWinEventLog:Security
Windows Event Log Security 4625 | Windows | xmlwineventlog | XmlWinEventLog:Security

Source: GitHub | Version: 1