Alert Pack: Account Manipulation (MITRE ATT&CK Technique: T1098)

Purpose

Devo brings another bundle of alerts that can help you expand the coverage of your signature-based detections. This pack of detections provides coverage for the MITRE ATT&CK technique Account Manipulation (T1098). Account and access controls are extremely important: they prevent users and systems from causing disruption beyond their assigned access levels, and they are what an attacker tampers with when manipulating accounts to keep access.

These detections will let you know when there are any issues or misconfigurations in your environment and provide an extra level of security for you and your business.

Security Operations application

SecOps users can obtain detailed information if they install these alerts using the Content Manager instead.

SecOpsLinuxSshAuthKeyModification

SecOpsO365UserPasswordReset

SecOpsAWSIAMCreateUserActionObserved

SecOpsAzureUserAddedNonAdminRole

SecOpsO365SusMailboxDelegation

SecOpsAWSPermissionsBoundaryLiftedtoRole

SecOpsAzureUserAddedToGlobalAdminRole

SecOpsAWSPermissionsBoundaryLiftedtoUser

SecOpsAWSSetdefaultpolicyversion

SecOpsAzureUserAddedOutsidePIMRole

SecOpsAwsEc2KeyAction

SecOpsAWSPermissionsBoundaryModifiedToRole

SecOpsGSuite2SVDisabled

SecOpsAWSCreateloginprofile

SecOpsAwsKmsSensitiveActivity

SecOpsGCPGCSBucketModified

SecOpsAWSPermissionsBoundaryModifiedToUser

SecOpsAWSNewUserPoolClientCreated

SecOpsGCPKMSKeyDestroy

SecOpsAWSUpdateloginprofile

SecOpsAwsPermanentKeyCreation

SecOpsGCPIAMServiceAccountKeyDeletion

SecOpsAWSDetectStsAssumeRoleAbuse

SecOpsWinUserAddedToLocalSecurityEnabledGroup

SecOpsGCPIAMServiceAccountKeyCreation

SecOpsAwsRoleCreated

SecOpsWinUserAddedSelfToSecGroup

SecOpsGCPKMSKeyEnabledOrDisabled

SecOpsAWSIAMDeletePolicy

SecOpsWinUserAddedPrivlegedSecGroup

 

What is the Account Manipulation technique?

The Account Manipulation technique may consist of any action that preserves adversary access to a compromised account, such as modifying credentials or permission groups. These actions can also include account activity designed to subvert security policies, such as performing iterative password updates to bypass password duration policies and preserve the life of compromised credentials.
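As an added example that is not part of the Devo alert pack or its alert queries, the following Python flags the "iterative password updates" pattern described above over a handful of constructed CloudTrail-style events. The field names follow CloudTrail's eventName / userIdentity / requestParameters layout; the event names, the threshold of three changes and the one-hour window are assumptions a team would tune for its own tenant.

```python
# Added example, not part of the Devo alert pack or its alert queries.
# Flags the "iterative password updates" behaviour described for T1098:
# several credential changes on one account inside a short window, the
# pattern used to cycle through password history and land back on a known
# password. Events below are constructed CloudTrail-style JSON lines, not
# real logs; threshold and window are assumed values to tune per tenant.
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: svc-deploy has its password changed five times in
# eight minutes, alice and bob each get a routine helpdesk reset, and one
# unrelated ListUsers call shows that non-credential events are ignored.
SAMPLE_LOG = """\
{"eventTime": "2024-03-01T09:00:00Z", "eventName": "UpdateLoginProfile", "userIdentity": {"userName": "helpdesk"}, "requestParameters": {"userName": "alice"}}
{"eventTime": "2024-03-01T10:00:00Z", "eventName": "ChangePassword", "userIdentity": {"userName": "svc-deploy"}, "requestParameters": null}
{"eventTime": "2024-03-01T10:02:00Z", "eventName": "ChangePassword", "userIdentity": {"userName": "svc-deploy"}, "requestParameters": null}
{"eventTime": "2024-03-01T10:03:00Z", "eventName": "ListUsers", "userIdentity": {"userName": "svc-deploy"}, "requestParameters": null}
{"eventTime": "2024-03-01T10:04:00Z", "eventName": "ChangePassword", "userIdentity": {"userName": "svc-deploy"}, "requestParameters": null}
{"eventTime": "2024-03-01T10:06:00Z", "eventName": "ChangePassword", "userIdentity": {"userName": "svc-deploy"}, "requestParameters": null}
{"eventTime": "2024-03-01T10:08:00Z", "eventName": "ChangePassword", "userIdentity": {"userName": "svc-deploy"}, "requestParameters": null}
{"eventTime": "2024-03-01T12:00:00Z", "eventName": "UpdateLoginProfile", "userIdentity": {"userName": "helpdesk"}, "requestParameters": {"userName": "bob"}}
{"eventTime": "2024-03-01T15:30:00Z", "eventName": "UpdateLoginProfile", "userIdentity": {"userName": "helpdesk"}, "requestParameters": {"userName": "bob"}}
"""

# IAM API calls that set or replace a console password (assumed list).
CREDENTIAL_EVENTS = {"CreateLoginProfile", "UpdateLoginProfile", "ChangePassword"}


def parse_cloudtrail_lines(text):
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def target_user(event):
    """Account whose credential changed: UpdateLoginProfile/CreateLoginProfile
    name it in requestParameters, ChangePassword acts on the caller itself."""
    params = event.get("requestParameters") or {}
    return params.get("userName") or event.get("userIdentity", {}).get("userName")


def detect_iterative_password_updates(events, threshold=3, window_hours=1.0):
    """Return {user: count} for every account with at least `threshold`
    credential changes inside any sliding window of `window_hours`."""
    window = timedelta(hours=window_hours)
    changes = defaultdict(list)
    for ev in events:
        if ev.get("eventName") in CREDENTIAL_EVENTS:
            ts = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
            changes[target_user(ev)].append(ts)

    hits = {}
    for user, times in changes.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):
            # Advance the window start until the span fits inside `window`.
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits[user] = best
    return hits


if __name__ == "__main__":
    events = parse_cloudtrail_lines(SAMPLE_LOG)
    for user, n in detect_iterative_password_updates(events).items():
        print(f"ALERT iterative password updates: user={user} changes_in_window={n}")
```

The sliding window is what separates a real history-bypass loop from a busy helpdesk day: bob's two resets hours apart stay quiet at the default settings, while svc-deploy's burst trips the rule. In a production query the same logic would be keyed on the target account rather than the caller, so that a helpdesk identity resetting many different users is not confused with one account being cycled.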

Prerequisites

To use this alert pack, you must have the following data sources available on your domain:

Open alert pack

Once you have installed the alert pack, you can use the Open button at the top right of the card in Exchange to access the Alert configuration, where you can apply filters to find it and later manage it as required. You can also access this area via the Navigation pane (Administration → Alert Configuration → Available alerts).

Use alert pack

The alerts in the alert pack are deactivated by default when the alert pack is installed. Access the Alert configuration area to activate those you need and assign sending policies to receive them through the desired channels.