Try in Splunk Security Cloud
Description
Monitor for activities and techniques associated with Compromised User Account attacks.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel: Authentication, Change
- Last Updated: 2023-01-19
- Author: Mauricio Velazco, Bhavin Patel, Splunk
- ID: 19669154-e9d1-4a01-b144-e6592a078092
Narrative
Compromised User Account occurs when cybercriminals gain unauthorized access to accounts by using different techniques like brute force, social engineering, phishing & spear phishing, credential stuffing, etc. By posing as the real user, cyber-criminals can change account details, send out phishing emails, steal financial information or sensitive data, or use any stolen information to access further accounts within the organization. This analytic storic groups detections that can help security operations teams identify the potential signs of Compromised User Accounts.
Detections
| Name |
Technique |
Type |
| ASL AWS Concurrent Sessions From Different Ips |
Browser Session Hijacking |
Anomaly |
| ASL AWS Password Policy Changes |
Password Policy Discovery |
Hunting |
| AWS Concurrent Sessions From Different Ips |
Browser Session Hijacking |
TTP |
| AWS Console Login Failed During MFA Challenge |
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation |
TTP |
| AWS High Number Of Failed Authentications For User |
Password Policy Discovery |
Anomaly |
| AWS High Number Of Failed Authentications From Ip |
Brute Force, Password Spraying, Credential Stuffing |
Anomaly |
| AWS Multiple Users Failing To Authenticate From Ip |
Brute Force, Password Spraying, Credential Stuffing |
Anomaly |
| AWS Password Policy Changes |
Password Policy Discovery |
Hunting |
| AWS Successful Console Authentication From Multiple IPs |
Compromise Accounts, Unused/Unsupported Cloud Regions |
Anomaly |
| Abnormally High Number Of Cloud Infrastructure API Calls |
Cloud Accounts, Valid Accounts |
Anomaly |
| Azure AD Concurrent Sessions From Different Ips |
Browser Session Hijacking |
TTP |
| Azure AD High Number Of Failed Authentications For User |
Brute Force, Password Guessing |
TTP |
| Azure AD High Number Of Failed Authentications From Ip |
Brute Force, Password Guessing, Password Spraying |
TTP |
| Azure AD New MFA Method Registered For User |
Modify Authentication Process, Multi-Factor Authentication |
TTP |
| Azure AD Successful Authentication From Different Ips |
Brute Force, Password Guessing, Password Spraying |
TTP |
| Detect AWS Console Login by User from New City |
Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions |
Hunting |
| Detect AWS Console Login by User from New Country |
Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions |
Hunting |
| Detect AWS Console Login by User from New Region |
Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions |
Hunting |
Reference
source | version: 1