account_management | Detection.FYI

A Member Was Added to a Security-Enabled Global Group

Aug 28, 2023 · attack.persistence attack.t1098 ·
Share on:

Detects activity when a member is added to a security-enabled global group

Read More
A Member Was Removed From a Security-Enabled Global Group

Aug 28, 2023 · attack.persistence attack.t1098 ·
Share on:

Detects activity when a member is removed from a security-enabled global group

Read More
A Security-Enabled Global Group Was Deleted

Aug 28, 2023 · attack.persistence attack.t1098 ·
Share on:

Detects activity when a security-enabled global group is deleted

Read More
Outgoing Logon with New Credentials

Aug 28, 2023 · attack.defense_evasion attack.lateral_movement attack.t1550 ·
Share on:

Detects logon events that specify new credentials

Read More
Successful Overpass the Hash Attempt

Jun 26, 2023 · attack.lateral_movement attack.s0002 attack.t1550.002 ·
Share on:

Detects successful logon with logon type 9 (NewCredentials) which matches the Overpass the Hash behavior of e.g Mimikatz's sekurlsa::pth module.

Read More
Admin User Remote Logon

May 2, 2023 · attack.lateral_movement attack.t1078.001 attack.t1078.002 attack.t1078.003 car.2016-04-005 ·
Share on:

Detect remote login by Administrator user (depending on internal pattern).

Read More
DiagTrackEoP Default Login Username

May 2, 2023 · attack.privilege_escalation ·
Share on:

Detects the default "UserName" used by the DiagTrackEoP POC

Read More
External Remote RDP Logon from Public IP

May 2, 2023 · attack.initial_access attack.credential_access attack.t1133 attack.t1078 attack.t1110 ·
Share on:

Detects successful logon from public IP address via RDP. This can indicate a publicly-exposed RDP port.

Read More
External Remote SMB Logon from Public IP

May 2, 2023 · attack.initial_access attack.credential_access attack.t1133 attack.t1078 attack.t1110 ·
Share on:

Detects successful logon from public IP address via SMB. This can indicate a publicly-exposed SMB port.

Read More
Failed Logon From Public IP

May 2, 2023 · attack.initial_access attack.persistence attack.t1078 attack.t1190 attack.t1133 ·
Share on:

A login from a public IP can indicate a misconfigured firewall or network boundary.

Read More
KrbRelayUp Attack Pattern

May 2, 2023 · attack.privilege_escalation attack.credential_access ·
Share on:

Detects logon events that have characteristics of events generated during an attack with KrbRelayUp and the like

Read More
Login with WMI

May 2, 2023 · attack.execution attack.t1047 ·
Share on:

Detection of logins performed with WMI

Read More
Pass the Hash Activity 2

May 2, 2023 · attack.lateral_movement attack.t1550.002 ·
Share on:

Detects the attack technique pass the hash which is used to move laterally inside the network

Read More
Potential Access Token Abuse

May 2, 2023 · attack.defense_evasion attack.privilege_escalation attack.t1134.001 ·
Share on:

Detects potential token impersonation and theft. Example, when using "DuplicateToken(Ex)" and "ImpersonateLoggedOnUser" with the "LOGON32_LOGON_NEW_CREDENTIALS flag".

Read More
RDP Login from Localhost

May 2, 2023 · attack.lateral_movement car.2013-07-002 attack.t1021.001 ·
Share on:

RDP login with localhost source address may be a tunnelled login

Read More
Remote WMI ActiveScriptEventConsumers

May 2, 2023 · attack.lateral_movement attack.privilege_escalation attack.persistence attack.t1546.003 ·
Share on:

Detect potential adversaries leveraging WMI ActiveScriptEventConsumers remotely to move laterally in a network

Read More
RottenPotato Like Attack Pattern

May 2, 2023 · attack.privilege_escalation attack.credential_access attack.t1557.001 ·
Share on:

Detects logon events that have characteristics of events generated during an attack with RottenPotato and the like

Read More
Scanner PoC for CVE-2019-0708 RDP RCE Vuln

May 2, 2023 · attack.lateral_movement attack.t1210 car.2013-07-002 ·
Share on:

Detects the use of a scanner by zerosum0x0 that discovers targets vulnerable to CVE-2019-0708 RDP RCE aka BlueKeep

Read More