Description

Monitor for activities and techniques associated with Compromised User Account attacks.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Authentication, Change
  • Last Updated: 2023-01-19
  • Author: Mauricio Velazco, Bhavin Patel, Splunk
  • ID: 19669154-e9d1-4a01-b144-e6592a078092

Narrative

A Compromised User Account occurs when cybercriminals gain unauthorized access to an account using techniques such as brute force, social engineering, phishing and spear phishing, or credential stuffing. By posing as the real user, cybercriminals can change account details, send out phishing emails, steal financial information or sensitive data, or use any stolen information to access further accounts within the organization. This analytic story groups detections that can help security operations teams identify the potential signs of Compromised User Accounts.

Detections

Name | Technique | Type
ASL AWS Concurrent Sessions From Different Ips | Browser Session Hijacking | Anomaly
ASL AWS Password Policy Changes | Password Policy Discovery | Hunting
AWS Concurrent Sessions From Different Ips | Browser Session Hijacking | TTP
AWS Console Login Failed During MFA Challenge | Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation | TTP
AWS High Number Of Failed Authentications For User | Password Policy Discovery | Anomaly
AWS High Number Of Failed Authentications From Ip | Brute Force, Password Spraying, Credential Stuffing | Anomaly
AWS Multiple Users Failing To Authenticate From Ip | Brute Force, Password Spraying, Credential Stuffing | Anomaly
AWS Password Policy Changes | Password Policy Discovery | Hunting
AWS Successful Console Authentication From Multiple IPs | Compromise Accounts, Unused/Unsupported Cloud Regions | Anomaly
Abnormally High Number Of Cloud Infrastructure API Calls | Cloud Accounts, Valid Accounts | Anomaly
Azure AD Concurrent Sessions From Different Ips | Browser Session Hijacking | TTP
Azure AD High Number Of Failed Authentications For User | Brute Force, Password Guessing | TTP
Azure AD High Number Of Failed Authentications From Ip | Brute Force, Password Guessing, Password Spraying | TTP
Azure AD New MFA Method Registered For User | Modify Authentication Process, Multi-Factor Authentication | TTP
Azure AD Successful Authentication From Different Ips | Brute Force, Password Guessing, Password Spraying | TTP
Detect AWS Console Login by User from New City | Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions | Hunting
Detect AWS Console Login by User from New Country | Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions | Hunting
Detect AWS Console Login by User from New Region | Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions | Hunting
PingID Mismatch Auth Source and Verification Response | Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration | TTP
PingID Multiple Failed MFA Requests For User | Multi-Factor Authentication Request Generation, Valid Accounts, Brute Force | TTP
PingID New MFA Method After Credential Reset | Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration | TTP
PingID New MFA Method Registered For User | Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration | TTP

Reference

source | version: 1