A profile representing a user, device, service, or application used to authenticate and access resources
An attempt by a user to gain access to a network or computing resource, often by providing credentials (ex: Windows EID 4776 or /var/log/auth.log)
| Domain | ID | Sub-ID | Name | Detects |
|---|---|---|---|---|
| Enterprise | T1110 | | Brute Force | Monitor for many failed authentication attempts across various accounts that may result from password spraying attempts. It is difficult to detect when hashes are cracked, since this is generally done outside the scope of the target network. |
| | | .001 | Password Guessing | Monitor for many failed authentication attempts across various accounts that may result from password guessing attempts.[1] |
| | | .002 | Password Cracking | Monitor for many failed authentication attempts across various accounts that may result from password spraying attempts. It is difficult to detect when hashes are cracked, since this is generally done outside the scope of the target network. (ex: Windows EID 4625 or 5379) |
| | | .003 | Password Spraying | Monitor for many failed authentication attempts across various accounts that may result from password spraying attempts.[1] |
| | | .004 | Credential Stuffing | Monitor for many failed authentication attempts across various accounts that may result from credential stuffing attempts.[1] |
| Enterprise | T1538 | | Cloud Service Dashboard | Correlate other security systems with login information, such as user accounts, IP addresses, and login names.[1] |
| Enterprise | T1212 | | Exploitation for Credential Access | Credential resources obtained through exploitation may be detectable in use if they are not normally used or seen. |
| Enterprise | T1606 | .002 | Forge Web Credentials: SAML Tokens | Monitor for user authentication attempts, when requesting access tokens to services, that failed because of Conditional Access Policies (CAP). Some SAML token features, such as the location of a user, may not be as easy to claim. |
| Enterprise | T1070 | | Indicator Removal | Monitor authentication attempts (a user providing credentials to gain access to a network or computing resource) by accounts that may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware. |
| | | .003 | Clear Command History | Monitor for attempts by a user to gain access to a network or computing resource via remote terminal services, often by providing credentials, that do not have a corresponding entry in a command history file. |
| | | .005 | Network Share Connection Removal | Monitoring Windows authentication logs is also useful in determining when authenticated network shares are established and by which account, and can be used to correlate network share activity to other events to investigate potentially malicious activity. |
| Enterprise | T1556 | | Modify Authentication Process | Monitor for account authentications in which MFA credentials are not provided by the user account to the authenticating entity. |
| | | .006 | Multi-Factor Authentication | Monitor for account authentications in which MFA credentials are not provided by the user account to the authenticating entity. |
| Enterprise | T1621 | | Multi-Factor Authentication Request Generation | Monitor user account logs for suspicious events: an unusual login attempt source location, a mismatch between the location of the login attempt and that of the smart device receiving 2FA/MFA request prompts, and a high volume of repeated login attempts, all of which may indicate that the user's primary credentials have been compromised while the 2FA/MFA mechanism has not. |
| Enterprise | T1207 | | Rogue Domain Controller | Investigate usage of Kerberos Service Principal Names (SPNs), especially those associated with services (beginning with "GC/") by computers not present in the DC organizational unit (OU). The SPN associated with the Directory Replication Service (DRS) Remote Protocol interface (GUID E3514235-4B06-11D1-AB04-00C04FC2DCD2) can be set without logging.[2] A rogue DC must authenticate as a service using these two SPNs for the replication process to successfully complete. |
| Enterprise | T1552 | | Unsecured Credentials | Monitor authentication attempts (a user providing credentials to gain access to a network or computing resource) by accounts that may search compromised systems to find and obtain insecurely stored credentials. |
| | | .005 | Cloud Instance Metadata API | It may be possible to detect adversary use of credentials they have obtained, such as in Valid Accounts. |
| | | .007 | Container API | It may be possible to detect adversary use of credentials they have obtained, such as in Valid Accounts. |
| Enterprise | T1550 | | Use Alternate Authentication Material | Monitor authentication attempts (a user providing credentials to gain access to a network or computing resource) by accounts that may use alternate authentication material, such as password hashes, Kerberos tickets, and application access tokens, in order to move laterally within an environment and bypass normal system access controls. |
| | | .002 | Pass the Hash | Monitor for user authentication attempts. From a classic Pass-the-Hash perspective, this technique uses a hash through the NTLMv1 / NTLMv2 protocol to authenticate against a compromised endpoint. This technique does not touch Kerberos. Therefore, NTLM LogonType 3 authentications that are not associated with a domain login and are not anonymous logins are suspicious. From an Over-Pass-the-Hash perspective, an adversary wants to exchange the hash for a Kerberos authentication ticket (TGT). One way to do this is by creating a sacrificial logon session with dummy credentials (LogonType 9) and then injecting the hash into that session, which triggers the Kerberos authentication process. |
| | | .003 | Pass the Ticket | Audit all Kerberos authentication and credential use events and review for discrepancies. Unusual remote authentication events that correlate with other suspicious activity (such as writing and executing binaries) may indicate malicious activity. |
| Enterprise | T1078 | | Valid Accounts | Monitor for authentication attempts by users that may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. |
| | | .001 | Default Accounts | Monitor for an attempt by a user to gain access to a network or computing resource, often by providing credentials. |
| | | .002 | Domain Accounts | Monitor for an attempt by a user to gain access to a network or computing resource, often by the use of domain authentication services, such as the System Security Services Daemon (sssd) on Linux. Note: |
| | | .003 | Local Accounts | Monitor for an attempt by a user to gain access to a network or computing resource, often by the use of domain authentication services, such as the System Security Services Daemon (sssd) on Linux. Notes: For Linux, auditing frameworks such as the audit daemon (auditd) can be used to alert on changes to log files that track authentication attempts, including |
| | | .004 | Cloud Accounts | Monitor the activity of cloud accounts to detect abnormal or malicious behavior, such as accessing information outside of the normal function of the account, account usage at atypical hours, or account authentication from unexpected locations or IP addresses. Service accounts should only be accessible from IP addresses from within the cloud environment.[3] For example, in Azure AD environments, consider using Identity Protection to flag risky sign-ins based on location, device compliance, and other factors. In Okta environments, configure Suspicious Activity Reporting to allow users to report suspicious logins and other behavior they do not recognize.[4] |
| ICS | T0859 | | Valid Accounts | Monitor for an authentication attempt by a user that may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. |
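Two of the authentication heuristics in the table above (many failed logons spread across accounts for Password Spraying, and NTLM LogonType 3 logons that are neither domain nor anonymous logons for Pass the Hash), written as an added Python example; this is not code from the ATT&CK page, and the dict field names, the 10-minute window, the 5-account threshold and the CORP domain name are assumptions.

```python
# Added example, not from the ATT&CK page: two heuristics from the table
# (Password Spraying and Pass the Hash) over constructed Windows Security
# events. Dict keys mirror EID 4624/4625 XML field names; the 10-minute
# window, 5-account threshold and the CORP domain are assumptions.
from collections import defaultdict
from datetime import datetime, timedelta


def spraying_sources(events, window=timedelta(minutes=10), min_accounts=5):
    """Source IPs whose EID 4625 failures hit >= min_accounts distinct
    accounts inside `window`: many accounts, few tries each, is spraying."""
    fails = defaultdict(list)                       # ip -> [(time, user)]
    for e in events:
        if e["EventID"] == 4625:
            fails[e["IpAddress"]].append((e["Time"], e["TargetUserName"].lower()))
    flagged = {}
    for ip, attempts in fails.items():
        attempts.sort()
        for i, (t0, _) in enumerate(attempts):     # slide the window start
            users = {u for t, u in attempts[i:] if t - t0 <= window}
            if len(users) >= min_accounts:
                flagged[ip] = len(users)
                break
    return flagged


def suspicious_ntlm_logons(events, domain="CORP"):
    """EID 4624 network (LogonType 3) NTLM logons that are neither domain
    logons nor anonymous: the classic Pass-the-Hash pattern from the table."""
    return [(e["IpAddress"], e["TargetDomainName"], e["TargetUserName"])
            for e in events
            if e["EventID"] == 4624 and e["LogonType"] == 3
            and e["AuthenticationPackageName"] == "NTLM"
            and e["TargetDomainName"].upper() != domain.upper()
            and e["TargetUserName"].upper() != "ANONYMOUS LOGON"]


def ev(eid, minute, ip, user, domain="CORP", ltype=3, pkg="NTLM"):
    """One constructed event record (fields mirror the 4624/4625 XML names)."""
    return {"EventID": eid, "Time": datetime(2024, 1, 1, 9, minute),
            "IpAddress": ip, "TargetUserName": user, "TargetDomainName": domain,
            "LogonType": ltype, "AuthenticationPackageName": pkg}


# Constructed sample: one spraying source, one single-account retry, one
# local-account NTLM network logon, one Kerberos logon, one anonymous logon.
SAMPLE = (
    [ev(4625, m, "10.0.0.9", u)
     for m, u in enumerate(["alice", "bob", "carol", "dave", "erin"])]
    + [ev(4625, 1, "10.0.0.20", "alice"), ev(4625, 2, "10.0.0.20", "alice")]
    + [ev(4624, 6, "10.0.0.9", "Administrator", domain="WS01"),
       ev(4624, 7, "10.0.0.30", "alice", pkg="Kerberos"),
       ev(4624, 8, "10.0.0.40", "ANONYMOUS LOGON", domain="NT AUTHORITY")]
)

if __name__ == "__main__":
    print("spraying sources:", spraying_sources(SAMPLE))
    print("pass-the-hash candidates:", suspicious_ntlm_logons(SAMPLE))
```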
Initial construction of a new account (ex: Windows EID 4720 or /etc/passwd logs)
| Domain | ID | Sub-ID | Name | Detects |
|---|---|---|---|---|
| Enterprise | T1136 | | Create Account | Monitor for newly constructed user accounts through account audits to detect suspicious accounts that may have been created by an adversary. Collect data on account creation within a network or Windows Event ID 4720 (for when a user account is created on a Windows system and domain controller). |
| | | .001 | Local Account | Monitor for newly constructed user and service accounts through account audits to detect suspicious accounts that may have been created by an adversary. Collect data on account creation within a network, a Kubernetes cluster, or Windows Event ID 4720 (for when a user account is created on a Windows system and domain controller). |
| | | .002 | Domain Account | Monitor for newly constructed user accounts through account audits to detect suspicious accounts that may have been created by an adversary. Collect data on account creation within a network or Windows Event ID 4720 (for when a user account is created on a Windows system and domain controller). |
| | | .003 | Cloud Account | Monitor for newly constructed user accounts through the collection of usage logs from cloud user and administrator accounts to identify unusual activity in the creation of new accounts, such as accounts that do not follow specified naming conventions or accounts created by unapproved users or sources.[5] Monitor for newly created admin accounts that go over a certain threshold of known admins. |
| Enterprise | T1564 | | Hide Artifacts | Monitor for newly constructed user accounts that may attempt to hide artifacts associated with their behaviors to evade detection. |
| | | .002 | Hidden Users | Monitor for newly constructed user accounts, such as userIDs under 500 on macOS, that may mask the presence of user accounts they create or modify. |
Removal of an account (ex: Windows EID 4726 or /var/log access/authentication logs)
| Domain | ID | Sub-ID | Name | Detects |
|---|---|---|---|---|
| Enterprise | T1531 | | Account Access Removal | Monitor for unexpected deletions of user accounts. Windows event logs may designate activity associated with an adversary's attempt to remove an account (ex: Event ID 4726 - A user account was deleted). Alerting on these Event IDs may generate a high degree of false positives, so compare against baseline knowledge for how systems are typically used and correlate modification events with other indications of malicious activity where possible. |
| Enterprise | T1070 | | Indicator Removal | Monitor for unexpected deletions of user accounts. Windows event logs may highlight activity associated with an adversary's attempt to remove an account (e.g., Alerting on these Event IDs may generate a high degree of false positives, so compare against baseline knowledge for how systems are typically used and correlate account modification events with other indications of malicious activity where possible. |
| | | .009 | Clear Persistence | Monitor for unexpected deletions of user accounts. Windows event logs may highlight activity associated with an adversary's attempt to remove an account (e.g., Alerting on these Event IDs may generate a high degree of false positives, so compare against baseline knowledge for how systems are typically used and correlate account modification events with other indications of malicious activity where possible. |
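The account-creation guidance (naming conventions, unapproved creators, Event ID 4720) and the account-deletion guidance (Event ID 4726 correlated with other activity) from the two tables above, combined in one added Python example that is not code from the ATT&CK page; the naming regex, the approved-creator set, the 24-hour "short-lived account" correlation window and the dict field names are assumptions.

```python
# Added example, not from the ATT&CK page: reviews constructed EID 4720
# (account created) and 4726 (account deleted) records. The naming regex,
# the approved-creator set and the 24-hour "short-lived" window are assumptions.
import re
from datetime import datetime, timedelta

NAMING = re.compile(r"^[a-z]{2,8}\d{2}$")          # assumed convention, e.g. jsmith01
APPROVED_CREATORS = {"svc-iam", "hr-provisioner"}  # assumed provisioning accounts
SHORT_LIVED = timedelta(hours=24)                  # assumed correlation window


def review_account_lifecycle(events):
    """Return (reason, account, actor) alerts: 4720 creations that break the
    naming convention or come from an unapproved creator, and 4726 deletions
    of an account that was created less than SHORT_LIVED earlier."""
    created, alerts = {}, []
    for e in sorted(events, key=lambda e: e["Time"]):
        user, actor = e["TargetUserName"], e["SubjectUserName"]
        if e["EventID"] == 4720:
            created[user.lower()] = e["Time"]
            if not NAMING.match(user):
                alerts.append(("naming", user, actor))
            if actor not in APPROVED_CREATORS:
                alerts.append(("unapproved-creator", user, actor))
        elif e["EventID"] == 4726:
            born = created.get(user.lower())
            if born is not None and e["Time"] - born <= SHORT_LIVED:
                alerts.append(("short-lived", user, actor))
    return alerts


def ev(eid, hour, minute, actor, user):
    """One constructed event record (keys mirror the 4720/4726 XML names)."""
    return {"EventID": eid, "Time": datetime(2024, 1, 1, hour, minute),
            "SubjectUserName": actor, "TargetUserName": user}


SAMPLE = [  # constructed sample
    ev(4720, 9, 0, "svc-iam", "jsmith01"),         # compliant provisioning
    ev(4720, 22, 15, "Administrator", "backup$"),  # odd name, unapproved creator
    ev(4726, 23, 40, "Administrator", "backup$"),  # deleted 85 minutes later
    ev(4726, 23, 50, "svc-iam", "oldacct99"),      # no matching creation seen
]

if __name__ == "__main__":
    for alert in review_account_lifecycle(SAMPLE):
        print(alert)
```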
Contextual data about an account, which may include a username, user ID, environmental data, etc.
| Domain | ID | Sub-ID | Name | Detects |
|---|---|---|---|---|
| Enterprise | T1134 | | Access Token Manipulation | Monitor account metadata (username, user ID, environmental data, etc.) for accounts that may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. |
| | | .005 | SID-History Injection | Examine data in users' SID-History attributes. |
| Enterprise | T1564 | | Hide Artifacts | Monitor account metadata (username, user ID, environmental data) for accounts that may attempt to hide artifacts associated with their behaviors to evade detection. |
| | | .002 | Hidden Users | Monitor account metadata (username, user ID, environmental data) for accounts that may mask the presence of user accounts they create or modify. On macOS, identify users with a userID under 500 and the |
| Enterprise | T1556 | .005 | Modify Authentication Process: Reversible Encryption | Monitor Fine-Grained Password Policies and regularly audit user accounts and group settings.[7] |
| Enterprise | T1201 | | Password Policy Discovery | Monitor account metadata for accounts that may attempt to access detailed information about the password policy used within an enterprise network or cloud environment. |
Changes made to an account, such as permissions and/or membership in specific groups (ex: Windows EID 4738 or /var/log access/authentication logs)
| Domain | ID | Sub-ID | Name | Detects |
|---|---|---|---|---|
| Enterprise | T1548 | | Abuse Elevation Control Mechanism | Log cloud API calls to assume, create, or impersonate additional roles, policies, and permissions. Review uses of just-in-time access to ensure that any justifications provided are valid and only expected actions were taken. |
| | | .005 | Temporary Elevated Cloud Access | Log API calls to assume, create, or impersonate additional roles, policies, and permissions. Review uses of just-in-time access to ensure that any justifications provided are valid and only expected actions were taken. |
| Enterprise | T1531 | | Account Access Removal | Monitor for changes made to user accounts for unexpected modification of properties, such as passwords or status (enabled/disabled). Windows event logs may designate activity associated with an adversary's attempt to remove access to an account: Event ID 4723 - An attempt was made to change an account's password; Event ID 4724 - An attempt was made to reset an account's password; Event ID 4725 - A user account was disabled. Alerting on these Event IDs may generate a high degree of false positives, so compare against baseline knowledge for how systems are typically used and correlate modification events with other indications of malicious activity where possible. |
| Enterprise | T1098 | | Account Manipulation | Monitor events for changes to account objects and/or permissions on systems and the domain, such as event IDs 4738, 4728 and 4670. Monitor for modification of accounts in correlation with other suspicious activity. Changes may occur at unusual times or from unusual systems. Especially flag events where the subject and target accounts differ or that include additional flags such as changing a password without knowledge of the old password. Monitor for unusual permissions changes that may indicate excessively broad permissions being granted to compromised accounts. |
| | | .001 | Additional Cloud Credentials | Monitor for unexpected changes to cloud user accounts, such as Azure Activity Logs highlighting malicious Service Principal and Application modifications. Monitor for the use of API and CLI commands that add access keys or tokens to accounts, such as |
| | | .002 | Additional Email Delegate Permissions | Monitor for unusual Exchange and Office 365 email account permissions changes that may indicate excessively broad permissions being granted to compromised accounts. |
| | | .003 | Additional Cloud Roles | Collect usage logs from cloud administrator accounts to identify unusual activity in the assignment of roles to those accounts. Monitor for accounts assigned to admin roles that go over a certain threshold of known admins. Monitor for updates to IAM policies and roles attached to user accounts. |
| | | .005 | Device Registration | Monitor user accounts for new and suspicious device associations, such as those originating from unusual sources, occurring at unusual times, or following a suspicious login.[8] |
| | | .006 | Additional Container Cluster Roles | Collect usage logs from accounts to identify unusual activity in the assignment of roles to those accounts. Monitor for accounts assigned to high-privileged cluster roles that go over a certain threshold of known admins. |
| Enterprise | T1562 | | Impair Defenses | Monitor for changes to account settings associated with users/tenants that may impact defensive logging capabilities, such as the |
| | | .008 | Disable or Modify Cloud Logs | Monitor for changes to account settings associated with users/tenants that may impact defensive logging capabilities, such as the |
| Enterprise | T1556 | | Modify Authentication Process | Monitor for the enrollment of devices and user accounts with alternative security settings that do not require MFA credentials for successful logon. |
| | | .006 | Multi-Factor Authentication | Monitor for the enrollment of devices and user accounts with alternative security settings that do not require MFA credentials for successful logon. Monitor for attempts to disable MFA on individual user accounts.[1] Additionally, monitor for attempts to change or reset users' MFA factor settings. For example, in Okta environments, the event |
| Enterprise | T1528 | | Steal Application Access Token | Administrators should set up monitoring to trigger automatic alerts when policy criteria are met. For example, using a Cloud Access Security Broker (CASB), admins can create a "High severity app permissions" policy that generates alerts if apps request high severity permissions or send permissions requests for too many users. Security analysts can hunt for malicious apps using the tools available in their CASB, identity provider, or resource provider (depending on platform). For example, they can filter for apps that are authorized by a small number of users, apps requesting high risk permissions, permissions incongruous with the app's purpose, or apps with old "Last authorized" fields. A specific app can be investigated using an activity log displaying activities the app has performed, although some activities may be mis-logged as being performed by the user. App stores can be useful resources to further investigate suspicious apps. Administrators can set up a variety of logs and leverage audit tools to monitor actions that can be conducted as a result of OAuth 2.0 access. For instance, audit reports enable admins to identify privilege escalation actions such as role creations or policy modifications, which could be actions performed after initial access. |
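The Account Access Removal and Account Manipulation rows above (Event IDs 4724, 4725, 4728, 4738; flagging events where subject and target differ; admin counts exceeding a known baseline) as an added Python example that is not code from the ATT&CK page; the privileged-group set, the known-admin baseline, the max-admin threshold and the dict field names are assumptions.

```python
# Added example, not from the ATT&CK page: reviews constructed EID 4724, 4725,
# 4728 and 4738 records for the patterns the table lists. The privileged-group
# set, the known-admin baseline and the field names are assumptions.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
LABEL = {4724: "password-reset-by-other",   # a reset needs no old password
         4725: "disabled-by-other",
         4738: "changed-by-other"}


def review_account_changes(events, known_admins, max_admins=3):
    """Return alerts for: additions to privileged groups (4728), the admin
    population growing past max_admins, and 4724/4725/4738 events whose
    subject (actor) differs from the target account."""
    alerts, admins = [], set(known_admins)
    for e in events:
        eid, actor, target = e["EventID"], e["SubjectUserName"], e["TargetUserName"]
        if eid == 4728 and target in PRIVILEGED_GROUPS:   # for 4728 the target is the group
            admins.add(e["MemberName"])
            alerts.append(("priv-group-add", e["MemberName"], target, actor))
            if len(admins) > max_admins:
                alerts.append(("admin-threshold", len(admins), actor))
        elif eid in LABEL and actor.lower() != target.lower():
            alerts.append((LABEL[eid], target, actor))
    return alerts


def ev(eid, actor, target, member=None):
    """One constructed event record (keys mirror the event XML names)."""
    return {"EventID": eid, "SubjectUserName": actor,
            "TargetUserName": target, "MemberName": member}


KNOWN_ADMINS = {"da1", "da2", "da3"}   # assumed baseline of known admins

SAMPLE = [  # constructed sample
    ev(4738, "alice", "alice"),                            # self-service change
    ev(4724, "helpdesk1", "bob"),                          # reset by another account
    ev(4728, "helpdesk1", "Domain Admins", member="bob"),  # privileged group add
    ev(4728, "helpdesk1", "Sales", member="bob"),          # ordinary group, ignored
    ev(4725, "helpdesk1", "carol"),                        # disabled by another account
]

if __name__ == "__main__":
    for alert in review_account_changes(SAMPLE, KNOWN_ADMINS):
        print(alert)
```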