A profile representing a user, device, service, or application used to authenticate and access resources
An attempt by a user to gain access to a network or computing resource, often by providing credentials (ex: Windows EID 4776 or /var/log/auth.log)
| Domain | ID | Name | Detects |
|---|---|---|---|
| ICS | T0859 | Valid Accounts | Monitor for an authentication attempt by a user that may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. |
| Enterprise | T1538 | Cloud Service Dashboard | Correlate other security systems with login information, such as user accounts, IP addresses, and login names.[1] |
| Enterprise | T1606.002 | Forge Web Credentials: SAML Tokens | Monitor for user authentication attempts, when requesting access tokens to services, that failed because of Conditional Access Policies (CAP). Some SAML token features, such as the location of a user, may not be as easy to claim. |
| Enterprise | T1207 | Rogue Domain Controller | Investigate usage of Kerberos Service Principal Names (SPNs), especially those associated with services (beginning with "GC/") by computers not present in the DC organizational unit (OU). The SPN associated with the Directory Replication Service (DRS) Remote Protocol interface (GUID E3514235-4B06-11D1-AB04-00C04FC2DCD2) can be set without logging.[2] A rogue DC must authenticate as a service using these two SPNs for the replication process to successfully complete. |
| Enterprise | T1550 | Use Alternate Authentication Material | Monitor for an attempt by a user to gain access to a network or computing resource, often by providing credentials that may use alternate authentication material, such as password hashes, Kerberos tickets, and application access tokens, in order to move laterally within an environment and bypass normal system access controls. |
| Enterprise | T1550.002 | Pass the Hash | Monitor for user authentication attempts. From a classic Pass-The-Hash perspective, this technique uses a hash through the NTLMv1 / NTLMv2 protocol to authenticate against a compromised endpoint. This technique does not touch Kerberos. Therefore, NTLM LogonType 3 authentications that are not associated with a domain login and are not anonymous logins are suspicious. From an Over-Pass-The-Hash perspective, an adversary wants to exchange the hash for a Kerberos authentication ticket (TGT). One way to do this is by creating a sacrificial logon session with dummy credentials (LogonType 9) and then injecting the hash into that session, which triggers the Kerberos authentication process. |
| Enterprise | T1550.003 | Pass the Ticket | Audit all Kerberos authentication and credential use events and review for discrepancies. Unusual remote authentication events that correlate with other suspicious activity (such as writing and executing binaries) may indicate malicious activity. |
| Enterprise | T1556 | Modify Authentication Process | Monitor for account authentications in which MFA credentials are not provided by the user account to the authenticating entity. Analytic 1 - Windows: successful logons without MFA; Analytic 2 - Linux: successful logons without MFA. |
| Enterprise | T1556.006 | Multi-Factor Authentication | Monitor for account authentications in which MFA credentials are not provided by the user account to the authenticating entity. |
| Enterprise | T1212 | Exploitation for Credential Access | Credential resources obtained through exploitation may be detectable in use if they are not normally used or seen. Analytic 1 - High number of failed authentication attempts or unusual logon patterns. |
| Enterprise | T1621 | Multi-Factor Authentication Request Generation | Monitor user account logs for suspicious events: unusual login attempt source location, mismatch between the location of the login attempt and the smart device receiving 2FA/MFA request prompts, and high volume of repeated login attempts, all of which may indicate that the user's primary credentials have been compromised minus the 2FA/MFA mechanism. Analytic 1 - Anomalous IP addresses, unmanaged devices, unusual User Agents indicating automation tools or scripts, high failure rates. |
| Enterprise | T1110 | Brute Force | Monitor for many failed authentication attempts across various accounts that may result from password spraying attempts. It is difficult to detect when hashes are cracked, since this is generally done outside the scope of the target network. Analytic 1 - Multiple failed logon attempts across different accounts. |
| Enterprise | T1110.001 | Password Guessing | Monitor for many failed authentication attempts across various accounts that may result from password guessing attempts.[1] Analytic 1 - Multiple failed logon attempts across different accounts. |
| Enterprise | T1110.002 | Password Cracking | Monitor for many failed authentication attempts across various accounts that may result from password spraying attempts. It is difficult to detect when hashes are cracked, since this is generally done outside the scope of the target network (ex: Windows EID 4625 or 5379). Analytic 1 - Multiple failed logon attempts across different accounts. |
| Enterprise | T1110.003 | Password Spraying | Monitor for many failed authentication attempts across various accounts that may result from password spraying attempts.[1] Analytic 1 - Multiple failed logon attempts across different accounts, especially targeting common usernames. |
| Enterprise | T1110.004 | Credential Stuffing | Monitor for many failed authentication attempts across various accounts that may result from credential stuffing attempts.[1] Analytic 1 - Multiple failed logon attempts across different accounts, especially using commonly used passwords. |
| Enterprise | T1078 | Valid Accounts | Monitor for an attempt by a user that may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. |
| Enterprise | T1078.001 | Default Accounts | Monitor for an attempt by a user to gain access to a network or computing resource, often by providing credentials. |
| Enterprise | T1078.002 | Domain Accounts | Monitor for an attempt by a user to gain access to a network or computing resource, often by the use of domain authentication services, such as the System Security Services Daemon (sssd) on Linux. Note: |
| Enterprise | T1078.003 | Local Accounts | Monitor for an attempt by a user to gain access to a network or computing resource, often by the use of domain authentication services, such as the System Security Services Daemon (sssd) on Linux. Notes: For Linux, auditing frameworks such as the audit daemon (auditd) can be used to alert on changes to log files that track authentication attempts, including |
| Enterprise | T1078.004 | Cloud Accounts | Monitor the activity of cloud accounts to detect abnormal or malicious behavior, such as accessing information outside of the normal function of the account, account usage at atypical hours, or account authentication from unexpected locations or IP addresses. Service accounts should only be accessible from IP addresses from within the cloud environment.[3] For example, in Azure AD environments, consider using Identity Protection to flag risky sign-ins based on location, device compliance, and other factors. In Okta environments, configure Suspicious Activity Reporting to allow users to report suspicious logins and other behavior they do not recognize.[4] Analytic 1 - Anomalous IP addresses, unmanaged devices, unusual User Agents indicating automation tools or scripts. Note: To detect suspicious logins to cloud accounts using valid credentials from unusual sources. |
| Enterprise | T1552 | Unsecured Credentials | Monitor for authentication attempts that use credentials an adversary may have found in insecurely stored locations on compromised systems. Analytic 1 - Failed or unusual logon attempts using compromised credentials. |
| Enterprise | T1552.005 | Cloud Instance Metadata API | It may be possible to detect adversary use of credentials they have obtained, such as in Valid Accounts. Analytic 1 - Failed or unusual logon attempts using compromised credentials. |
| Enterprise | T1552.007 | Container API | It may be possible to detect adversary use of credentials they have obtained, such as in Valid Accounts. Analytic 1 - Failed or unusual logon attempts using compromised credentials. |
| Enterprise | T1070 | Indicator Removal | Monitor for authentication attempts by users who may then delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware. |
| Enterprise | T1070.003 | Clear Command History | Monitor for attempts by a user to gain access to a network or computing resource, often by providing credentials via remote terminal services, that do not have a corresponding entry in a command history file. |
| Enterprise | T1070.005 | Network Share Connection Removal | Monitoring Windows authentication logs is also useful for determining when authenticated network shares are established and by which account, and can be used to correlate network share activity with other events to investigate potentially malicious activity. |
| Enterprise | T1119 | Automated Collection | Monitor Azure AD (Entra ID) Sign In logs for suspicious Applications authenticating to the Graph API or other sensitive Resources using User Agents attributed to scripting interpreters such as python or PowerShell. Analytic 1 - Suspicious applications, unusual user agents (e.g., python, PowerShell), anomalous IP addresses, and unmanaged devices. |
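The T1207 row above says a rogue DC must register the "GC/" SPN and the DRS interface GUID SPN, and that the DRS SPN can be set without generating an event, so the only reliable check is a periodic sweep of the directory. The following is an added example, not ATT&CK content: it runs the check over constructed records shaped like an LDAP export of distinguishedName and servicePrincipalName. The DC OU name, the sample objects and the DSA GUIDs in the DRS SPNs are assumptions; in a real environment the records would come from an LDAP search for objects with a servicePrincipalName.

```python
"""Sweep computer objects for replication SPNs outside the Domain Controllers OU.

Added example (not ATT&CK content). The records are constructed to look like an
LDAP export of distinguishedName + servicePrincipalName.
"""

# GUID of the Directory Replication Service (DRS) Remote Protocol interface
DRS_INTERFACE_GUID = "E3514235-4B06-11D1-AB04-00C04FC2DCD2"
DC_OU = "OU=Domain Controllers,DC=corp,DC=example"   # assumption: this domain's DC OU

# Constructed sample: one real DC, one workstation that has registered DC-style SPNs
# (the DCShadow pattern), one ordinary workstation. DSA GUIDs are placeholder values.
SAMPLE_COMPUTERS = [
    {"dn": "CN=DC01,OU=Domain Controllers,DC=corp,DC=example",
     "servicePrincipalName": [
         "HOST/dc01.corp.example",
         "GC/dc01.corp.example/corp.example",
         f"{DRS_INTERFACE_GUID}/0f2bd3a1-6c77-4f6e-9a0d-1d2c3b4a5e6f/corp.example",
     ]},
    {"dn": "CN=WS042,OU=Workstations,DC=corp,DC=example",
     "servicePrincipalName": [
         "HOST/ws042.corp.example",
         "GC/ws042.corp.example/corp.example",
         f"{DRS_INTERFACE_GUID.lower()}/7a1c9e22-0b3d-4e5f-8a6b-9c0d1e2f3a4b/corp.example",
     ]},
    {"dn": "CN=WS007,OU=Workstations,DC=corp,DC=example",
     "servicePrincipalName": ["HOST/ws007.corp.example", "TERMSRV/ws007.corp.example"]},
]


def in_dc_ou(dn: str, dc_ou: str = DC_OU) -> bool:
    """True when the object sits directly or indirectly under the DC OU."""
    return dn.lower().endswith("," + dc_ou.lower())


def replication_spns(spns):
    """Return the SPNs a replication partner must present: GC/ and the DRS GUID.
    Comparison is case-insensitive because SPN values are not case-normalised."""
    hits = []
    for spn in spns:
        upper = spn.upper()
        if upper.startswith("GC/") or upper.startswith(DRS_INTERFACE_GUID + "/"):
            hits.append(spn)
    return hits


def find_rogue_dc_candidates(computers, dc_ou: str = DC_OU):
    """Computer objects holding replication SPNs but living outside the DC OU."""
    findings = []
    for comp in computers:
        hits = replication_spns(comp.get("servicePrincipalName", []))
        if hits and not in_dc_ou(comp["dn"], dc_ou):
            findings.append({"dn": comp["dn"], "spns": hits})
    return findings


if __name__ == "__main__":
    for finding in find_rogue_dc_candidates(SAMPLE_COMPUTERS):
        print(f"SUSPECT {finding['dn']}: {', '.join(finding['spns'])}")
```

Because the SPN write itself is silent, the sweep has to be scheduled; pairing it with the authentication events in this table (a non-DC host authenticating with a GC/ SPN) gives the corroboration the row asks for.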
Initial construction of a new account (ex: Windows EID 4720 or /etc/passwd logs)
| Domain | ID | Name | Detects |
|---|---|---|---|
| Enterprise | T1036 | Masquerading | Monitor for newly constructed accounts with names that are unusually generic or identical to recently-deleted accounts. |
| Enterprise | T1036.010 | Masquerade Account Name | Monitor for newly constructed accounts with names that are unusually generic or identical to recently-deleted accounts. |
| Enterprise | T1136 | Create Account | Monitor for newly constructed user accounts through account audits to detect suspicious accounts that may have been created by an adversary. Collect data on account creation within a network or Windows Event ID 4720 (for when a user account is created on a Windows system and domain controller). |
| Enterprise | T1136.001 | Local Account | Monitor for newly constructed user and service accounts through account audits to detect suspicious accounts that may have been created by an adversary. Collect data on account creation within a network, a Kubernetes cluster, or Windows Event ID 4720 (for when a user account is created on a Windows system and domain controller). |
| Enterprise | T1136.002 | Domain Account | Monitor for newly constructed user accounts through account audits to detect suspicious accounts that may have been created by an adversary. Collect data on account creation within a network or Windows Event ID 4720 (for when a user account is created on a Windows system and domain controller). |
| Enterprise | T1136.003 | Cloud Account | Monitor for newly constructed user accounts through the collection of usage logs from cloud user and administrator accounts to identify unusual activity in the creation of new accounts, such as accounts that do not follow specified naming conventions or accounts created by unapproved users or sources.[5] Monitor for newly created admin accounts that go over a certain threshold of known admins. Analytic 1 - Unusual ActorPrincipalNames, creation of accounts with suspicious properties. |
| Enterprise | T1564 | Hide Artifacts | Monitor for newly constructed user accounts that may attempt to hide artifacts associated with their behaviors to evade detection. |
| Enterprise | T1564.002 | Hidden Users | Monitor for newly constructed user accounts, such as user IDs under 500 on macOS, that may mask the presence of user accounts they create or modify. |
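The Masquerade Account Name and Create Account rows above call for three checks on EID 4720: generic names, names identical to a recently deleted account (EID 4726), and creation by an unapproved principal. This added example (not ATT&CK content) runs all three over a constructed stream of 4720/4726 records. The generic-name list, the approved-creator set, the reuse window and the sample events are assumptions.

```python
"""Review EID 4720 account creations for masquerading and unapproved creators.

Added example, not ATT&CK content. Name list, creator list, window and events are assumptions.
"""
from datetime import datetime, timedelta

GENERIC_NAMES = {"admin", "administrator", "support", "helpdesk", "test", "backup", "temp"}
APPROVED_CREATORS = {"corp\\svc_iam", "corp\\jdoe_adm"}   # assumption: principals allowed to create accounts
REUSE_WINDOW = timedelta(days=7)                         # assumption: how recent a deletion must be


def ev(event_id, t, target, subject):
    """Minimal 4720/4726 record: target is the account created or deleted,
    subject is DOMAIN\\user of the principal performing the action. Constructed data."""
    return {"EventID": event_id, "TimeCreated": t, "TargetUserName": target, "Subject": subject}


D = datetime(2024, 5, 1)
SAMPLE_EVENTS = [
    ev(4726, D, "jsmith", "corp\\svc_iam"),                        # offboarding
    ev(4720, D + timedelta(days=2), "jsmith", "corp\\svc_iam"),    # same name back within a week
    ev(4720, D + timedelta(days=2), "support2", "corp\\bob"),      # generic name, unapproved creator
    ev(4720, D + timedelta(days=3), "mlee", "corp\\jdoe_adm"),     # clean
    ev(4726, D, "oldsvc", "corp\\svc_iam"),
    ev(4720, D + timedelta(days=30), "oldsvc", "corp\\svc_iam"),   # reuse after the window: not flagged
]


def is_generic(name):
    """'support', 'support2' and 'Admin01' all count as generic."""
    base = name.lower().rstrip("0123456789")
    return base in GENERIC_NAMES


def review_account_creations(events):
    """Walk events in time order, remembering deletions, and flag suspicious creations."""
    deleted_at = {}      # lowercase name -> time of the latest 4726
    findings = []
    for e in sorted(events, key=lambda x: x["TimeCreated"]):
        name = e["TargetUserName"].lower()
        if e["EventID"] == 4726:
            deleted_at[name] = e["TimeCreated"]
            continue
        if e["EventID"] != 4720:
            continue
        reasons = []
        if is_generic(name):
            reasons.append("generic account name")
        if name in deleted_at and e["TimeCreated"] - deleted_at[name] <= REUSE_WINDOW:
            gap = (e["TimeCreated"] - deleted_at[name]).days
            reasons.append(f"same name as account deleted {gap}d earlier")
        if e["Subject"].lower() not in APPROVED_CREATORS:
            reasons.append(f"created by unapproved principal {e['Subject']}")
        if reasons:
            findings.append({"account": e["TargetUserName"], "time": e["TimeCreated"],
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in review_account_creations(SAMPLE_EVENTS):
        print(f"{f['time']:%Y-%m-%d} {f['account']}: {'; '.join(f['reasons'])}")
```

The deletion-then-recreation check depends on ordering, so the events are sorted by time before the walk; a SIEM query would express the same thing as a join of 4720 onto 4726 on TargetUserName within the window.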
Removal of an account (ex: Windows EID 4726 or /var/log access/authentication logs)
| Domain | ID | Name | Detects |
|---|---|---|---|
| Enterprise | T1070 | Indicator Removal | Monitor for unexpected deletions of user accounts. Windows event logs may highlight activity associated with an adversary's attempt to remove an account (ex: Event ID 4726 - A user account was deleted). Alerting on these Event IDs may generate a high degree of false positives, so compare against baseline knowledge for how systems are typically used and correlate account modification events with other indications of malicious activity where possible. |
| Enterprise | T1070.009 | Clear Persistence | Monitor for unexpected deletions of user accounts. Windows event logs may highlight activity associated with an adversary's attempt to remove an account (ex: Event ID 4726 - A user account was deleted). Alerting on these Event IDs may generate a high degree of false positives, so compare against baseline knowledge for how systems are typically used and correlate account modification events with other indications of malicious activity where possible. |
| Enterprise | T1531 | Account Access Removal | Monitor for unexpected deletions of user accounts. Windows event logs may designate activity associated with an adversary's attempt to remove an account (ex: Event ID 4726 - A user account was deleted). Alerting on these Event IDs may generate a high degree of false positives, so compare against baseline knowledge for how systems are typically used and correlate modification events with other indications of malicious activity where possible. |
Contextual data about an account, which may include a username, user ID, environmental data, etc.
| Domain | ID | Name | Detects |
|---|---|---|---|
| Enterprise | T1556.005 | Modify Authentication Process: Reversible Encryption | Monitor Fine-Grained Password Policies and regularly audit user accounts and group settings.[6] |
| Enterprise | T1201 | Password Policy Discovery | Monitor for contextual data about an account that may attempt to access detailed information about the password policy used within an enterprise network or cloud environment. |
| Enterprise | T1134 | Access Token Manipulation | Monitor for contextual data about an account, which may include a username, user ID, environmental data, etc., that may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. |
| Enterprise | T1134.005 | SID-History Injection | Examine data in users' SID-History attributes. |
| Enterprise | T1564 | Hide Artifacts | Monitor for contextual data about an account, which may include a username, user ID, or environmental data, that may attempt to hide artifacts associated with their behaviors to evade detection. |
| Enterprise | T1564.002 | Hidden Users | Monitor for contextual data about an account, which may include a username, user ID, or environmental data, that may mask the presence of user accounts they create or modify. On macOS, identify users with a user ID under 500 and the |
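The SID-History Injection row only says to examine users' SID-History attributes. What to look for in that data: a legitimate migration copies SIDs from a different, old domain, whereas injected entries are typically well-known privileged RIDs (500, 512, 519 and similar) or SIDs from the account's own domain. The following added example (not ATT&CK content) applies those two tests to constructed user records; the domain SIDs, the trusted source-domain list and the sample users are assumptions.

```python
"""Examine sIDHistory values for SID-History Injection.

Added example, not ATT&CK content. Domain SIDs, trusted-domain list and users are constructed.
"""
import re

SID_RE = re.compile(r"^S-1-5-21-(\d+)-(\d+)-(\d+)-(\d+)$")
PRIVILEGED_RIDS = {500: "Administrator", 512: "Domain Admins", 516: "Domain Controllers",
                   518: "Schema Admins", 519: "Enterprise Admins"}
# Domains whose SIDs may legitimately appear in sIDHistory after a migration (assumption)
TRUSTED_SOURCE_DOMAINS = {"S-1-5-21-1111111111-2222222222-3333333333"}   # old.example

OWN = "S-1-5-21-4444444444-5555555555-6666666666"   # this domain's SID (assumption)
SAMPLE_USERS = [
    {"sAMAccountName": "alice", "objectSid": f"{OWN}-1105",
     "sIDHistory": ["S-1-5-21-1111111111-2222222222-3333333333-1203"]},   # migrated: fine
    {"sAMAccountName": "eve", "objectSid": f"{OWN}-1388",
     "sIDHistory": [f"{OWN}-512"]},                                         # own-domain Domain Admins
    {"sAMAccountName": "mallory", "objectSid": f"{OWN}-1400",
     "sIDHistory": ["S-1-5-21-7777777777-8888888888-9999999999-519"]},    # unknown domain, EA RID
    {"sAMAccountName": "bob", "objectSid": f"{OWN}-1101", "sIDHistory": []},
]


def split_sid(sid):
    """Return (domain SID, RID) for a domain SID, or None when it is not S-1-5-21-*."""
    m = SID_RE.match(sid)
    if not m:
        return None
    return f"S-1-5-21-{m.group(1)}-{m.group(2)}-{m.group(3)}", int(m.group(4))


def review_sid_history(users, trusted=TRUSTED_SOURCE_DOMAINS):
    """Flag sIDHistory entries that do not look like a migration artefact."""
    findings = []
    for u in users:
        own = split_sid(u["objectSid"])
        own_domain = own[0] if own else None
        for hist in u.get("sIDHistory", []):
            parsed = split_sid(hist)
            reasons = []
            if parsed is None:
                reasons.append("non-domain SID in sIDHistory")
            else:
                domain, rid = parsed
                if domain == own_domain:
                    reasons.append("SID from the account's own domain")
                elif domain not in trusted:
                    reasons.append("SID from a domain not in the migration allow-list")
                if rid in PRIVILEGED_RIDS:
                    reasons.append(f"well-known privileged RID {rid} ({PRIVILEGED_RIDS[rid]})")
            if reasons:
                findings.append({"user": u["sAMAccountName"], "sid": hist, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in review_sid_history(SAMPLE_USERS):
        print(f"{f['user']} {f['sid']}: {'; '.join(f['reasons'])}")
```

The own-domain test is the stronger of the two: a migration tool never writes a SID from the destination domain into sIDHistory, so that condition alone is worth an alert even when the RID is not a well-known one.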
Changes made to an account, such as permissions and/or membership in specific groups (ex: Windows EID 4738 or /var/log access/authentication logs)
| Domain | ID | Name | Detects |
|---|---|---|---|
| Enterprise | T1556 | Modify Authentication Process | Monitor for the enrollment of devices and user accounts with alternative security settings that do not require MFA credentials for successful logon. Analytic 1 - Windows: unauthorized modification of user accounts (User Account Modification); Analytic 2 - macOS/Linux (User Account Modification). |
| Enterprise | T1556.006 | Multi-Factor Authentication | Monitor for the enrollment of devices and user accounts with alternative security settings that do not require MFA credentials for successful logon. Monitor for attempts to disable MFA on individual user accounts.[1] Additionally, monitor for attempts to change or reset users' MFA factor settings. For example, in Okta environments, the event Analytic 1 - Unusual registration of MFA devices, changes to StrongAuthenticationPhoneAppDetail properties. |
| Enterprise | T1562 | Impair Defenses | Monitor for changes to account settings associated with users/tenants that may impact defensive logging capabilities, such as the |
| Enterprise | T1562.008 | Disable or Modify Cloud Logs | Monitor for changes to account settings associated with users/tenants that may impact defensive logging capabilities, such as the |
| Enterprise | T1548 | Abuse Elevation Control Mechanism | Log cloud API calls to assume, create, or impersonate additional roles, policies, and permissions. Review uses of just-in-time access to ensure that any justifications provided are valid and only expected actions were taken. |
| Enterprise | T1548.005 | Temporary Elevated Cloud Access | Log API calls to assume, create, or impersonate additional roles, policies, and permissions. Review uses of just-in-time access to ensure that any justifications provided are valid and only expected actions were taken. |
| Enterprise | T1528 | Steal Application Access Token | Administrators should set up monitoring to trigger automatic alerts when policy criteria are met. For example, using a Cloud Access Security Broker (CASB), admins can create a "High severity app permissions" policy that generates alerts if apps request high severity permissions or send permissions requests for too many users. Security analysts can hunt for malicious apps using the tools available in their CASB, identity provider, or resource provider (depending on platform). For example, they can filter for apps that are authorized by a small number of users, apps requesting high risk permissions, permissions incongruous with the app's purpose, or apps with old "Last authorized" fields. A specific app can be investigated using an activity log displaying activities the app has performed, although some activities may be mis-logged as being performed by the user. App stores can be useful resources to further investigate suspicious apps. Administrators can set up a variety of logs and leverage audit tools to monitor actions that can be conducted as a result of OAuth 2.0 access. For instance, audit reports enable admins to identify privilege escalation actions such as role creations or policy modifications, which could be actions performed after initial access. Analytic 1 - Unauthorized app permissions or unusual activity patterns in app logs. |
| Enterprise | T1098 | Account Manipulation | Monitor events for changes to account objects and/or permissions on systems and the domain, such as event IDs 4738, 4728 and 4670. Monitor for modification of accounts in correlation with other suspicious activity. Changes may occur at unusual times or from unusual systems. Especially flag events where the subject and target accounts differ or that include additional flags such as changing a password without knowledge of the old password. Monitor for unusual permissions changes that may indicate excessively broad permissions being granted to compromised accounts. |
| Enterprise | T1098.001 | Additional Cloud Credentials | Monitor for unexpected changes to cloud user accounts, such as Azure Activity Logs highlighting malicious Service Principal and Application modifications. Monitor for the use of API and CLI commands that add passwords, access keys, or tokens to accounts, such as |
| Enterprise | T1098.002 | Additional Email Delegate Permissions | Monitor for unusual Exchange and Office 365 email account permissions changes that may indicate excessively broad permissions being granted to compromised accounts. |
| Enterprise | T1098.003 | Additional Cloud Roles | Collect usage logs from cloud administrator accounts to identify unusual activity in the assignment of roles to those accounts. Monitor for accounts assigned to admin roles that go over a certain threshold of known admins. Monitor for updates to IAM policies and roles attached to user accounts. Analytic 1 - Unusual ActorPrincipalNames, unexpected role assignments to sensitive roles (e.g., Global Admin). Note: To detect the assignment of additional cloud roles using potentially hijacked accounts. |
| Enterprise | T1098.005 | Device Registration | Monitor user accounts for new and suspicious device associations, such as those originating from unusual sources, occurring at unusual times, or following a suspicious login.[9] |
| Enterprise | T1098.006 | Additional Container Cluster Roles | Collect usage logs from accounts to identify unusual activity in the assignment of roles to those accounts. Monitor for accounts assigned to high-privileged cluster roles that go over a certain threshold of known admins. |
| Enterprise | T1098.007 | Additional Local or Domain Groups | Monitor events for changes to account objects and/or permissions on systems and the domain. Monitor for modification of account permissions in correlation with other suspicious activity. Changes may occur at unusual times or from unusual systems. Monitor for unusual permissions changes that may indicate excessively broad permissions being granted to compromised accounts or machine accounts being unexpectedly added into security groups. Monitor for accounts assigned to admin roles, such as Windows domain administrators, that go over a certain threshold of known admins. |
| Enterprise | T1531 | Account Access Removal | Monitor for changes made to user accounts for unexpected modification of properties, such as passwords or status (enabled/disabled). Windows event logs may designate activity associated with an adversary's attempt to remove access to an account (Event ID 4723 - An attempt was made to change an account's password; Event ID 4724 - An attempt was made to reset an account's password; Event ID 4725 - A user account was disabled). Alerting on these Event IDs may generate a high degree of false positives, so compare against baseline knowledge for how systems are typically used and correlate modification events with other indications of malicious activity where possible. |
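The Account Manipulation, Additional Local or Domain Groups and Account Access Removal rows above point at the same small set of events: EID 4724 (a password reset that does not require the old password, where subject and target always differ) and EID 4728 (member added to a security-enabled global group), with the specific concerns of machine accounts landing in security groups and privileged groups growing past a known admin count. This added example (not ATT&CK content) turns those three concerns into checks over constructed events. The privileged-group list, the baseline membership count, the password-reset role and the containers assumed to hold computer objects are assumptions.

```python
"""Account-modification checks over constructed EID 4724 / 4728 events.

Added example, not ATT&CK content. Events, baselines, role and container names are assumptions.
"""
from collections import defaultdict

PRIVILEGED_GROUPS = {"domain admins", "enterprise admins", "schema admins", "administrators"}
KNOWN_ADMIN_COUNT = {"domain admins": 3}          # assumption: current vetted membership per group
PASSWORD_RESET_ROLE = {"corp\\helpdesk1"}         # assumption: who may reset other users' passwords
MACHINE_CONTAINERS = ("CN=Computers,", "OU=Domain Controllers,")   # assumption: where computer objects live


def reset_event(subject, target):
    """EID 4724: subject reset target's password without knowing the old one. Constructed."""
    return {"EventID": 4724, "Subject": subject, "TargetUserName": target}


def group_add_event(subject, group, member_dn):
    """EID 4728: subject added member_dn to security-enabled global group. Constructed."""
    return {"EventID": 4728, "Subject": subject, "TargetUserName": group, "MemberName": member_dn}


SAMPLE_EVENTS = [
    reset_event("corp\\helpdesk1", "alice"),                   # helpdesk reset: expected
    reset_event("corp\\mallory", "svc_backup"),                # reset by someone outside the role
    group_add_event("corp\\jdoe_adm", "Domain Admins", "CN=eve,OU=Users,DC=corp,DC=example"),
    group_add_event("corp\\jdoe_adm", "Domain Admins", "CN=WS042,CN=Computers,DC=corp,DC=example"),
    group_add_event("corp\\jdoe_adm", "Sales", "CN=bob,OU=Users,DC=corp,DC=example"),   # not privileged
]


def is_machine_account(member_dn):
    """Heuristic: the member's DN sits under a container that holds computer objects."""
    return any(marker.lower() in member_dn.lower() for marker in MACHINE_CONTAINERS)


def review_account_modifications(events, known_admins=KNOWN_ADMIN_COUNT):
    """Return (object, reason) pairs for resets outside the role and risky privileged-group adds."""
    counts = defaultdict(int, known_admins)   # running membership, seeded from the baseline
    findings = []
    for e in events:
        if e["EventID"] == 4724 and e["Subject"].lower() not in PASSWORD_RESET_ROLE:
            findings.append((e["TargetUserName"],
                             f"password reset by {e['Subject']} outside the reset role"))
        elif e["EventID"] == 4728:
            group = e["TargetUserName"].lower()
            if group not in PRIVILEGED_GROUPS:
                continue
            counts[group] += 1
            if is_machine_account(e["MemberName"]):
                findings.append((e["MemberName"], f"machine account added to {e['TargetUserName']}"))
            baseline = known_admins.get(group, 0)
            if counts[group] > baseline:
                findings.append((e["MemberName"],
                                 f"{e['TargetUserName']} now has {counts[group]} members, baseline {baseline}"))
    return findings


if __name__ == "__main__":
    for obj, reason in review_account_modifications(SAMPLE_EVENTS):
        print(f"{obj}: {reason}")
```

The running count is seeded from the known membership so that a single unexpected add is enough to cross the threshold; in practice the baseline should be re-read from the directory on a schedule rather than hard-coded, and the reset check should be paired with the 4723/4725 events the T1531 row lists to catch the lock-out pattern as well.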