Analytics Story: Compromised Windows Host

Description

Monitor for activities and techniques associated with Compromised Windows Host attacks. A compromised Windows host refers to a computer system running the Windows operating system that has been infiltrated or attacked by unauthorized parties. Such compromises often result in security breaches, data theft, malware infections, or unauthorized access, posing risks to sensitive information and system integrity.

Why it matters

In a scenario of digital compromise, a Windows host becomes the target of sophisticated cyber attacks. Utilizing advanced persistent threat (APT) techniques, attackers bypass security measures and exploit system vulnerabilities to gain unauthorized access. Once inside the network, they execute a series of malicious activities, including exfiltrating sensitive data, deploying malware, and undermining the integrity of the cybersecurity infrastructure.

Detections

Name                                                      Technique     Type
--------------------------------------------------------  ------------  --------
Crowdstrike Admin Weak Password Policy                    Brute Force   TTP
Crowdstrike Admin With Duplicate Password                 Brute Force   TTP
Crowdstrike High Identity Risk Severity                   Brute Force   TTP
Crowdstrike Medium Identity Risk Severity                 Brute Force   TTP
Crowdstrike Medium Severity Alert                         Brute Force   Anomaly
Crowdstrike Multiple LOW Severity Alerts                  Brute Force   Anomaly
Crowdstrike Privilege Escalation For Non-Admin User       Brute Force   Anomaly
Crowdstrike User Weak Password Policy                     Brute Force   Anomaly
Crowdstrike User with Duplicate Password                  Brute Force   Anomaly

Data Sources

Name    Platform    Sourcetype    Source
------  ----------  ------------  --------
(no data sources listed)

References


Source: GitHub | Version: 1