Alert Pack: Account Manipulation (MITRE Att&ck Technique: T1098)

[ 1 Purpose ] [ 2 Prerequisites ] [ 3 Open alert pack ] [ 4 Use alert pack ]

Purpose

Devo brings another bund of alerts that can help you to expand coverage of your signatures-based detections. This pack of detections provides coverage against MITRE technique: Account Manipulation. Account, access controls are extremely important in allowing the users and systems from causing disruption based on access levels or having accounts manipulated by attackers.

These detections will let you know when there are any issues or misconfigurations in your environment and provide an extra level of security for you and your business.

Security Operations application SecOps users can obtain detailed information if they install these alerts using the Content Manager instead.
SecOpsLinuxSshAuthKeyModification	SecOpsO365UserPasswordReset	SecOpsAWSIAMCreateUserActionObserved
SecOpsAzureUserAddedNonAdminRole	SecOpsO365SusMailboxDelegation	SecOpsAWSPermissionsBoundaryLiftedtoRole
SecOpsAzureUserAddedToGlobalAdminRole	SecOpsAWSPermissionsBoundaryLiftedtoUser	SecOpsAWSSetdefaultpolicyversion
SecOpsAzureUserAddedOutsidePIMRole	SecOpsAwsEc2KeyAction	SecOpsAWSPermissionsBoundaryModifiedToRole
SecOpsGSuite2SVDisabled	SecOpsAWSCreateloginprofile	SecOpsAwsKmsSensitiveActivity
SecOpsGCPGCSBucketModified	SecOpsAWSPermissionsBoundaryModifiedToUser	SecOpsAWSNewUserPoolClientCreated
SecOpsGCPKMSKeyDestroy	SecOpsAWSUpdateloginprofile	SecOpsAwsPermanentKeyCreation
SecOpsGCPIAMServiceAccountKeyDeletion	SecOpsAWSDetectStsAssumeRoleAbuse	SecOpsWinUserAddedToLocalSecurityEnabledGroup
SecOpsGCPIAMServiceAccountKeyCreation	SecOpsAwsRoleCreated	SecOpsWinUserAddedSelfToSecGroup
SecOpsGCPKMSKeyEnabledOrDisabled	SecOpsAWSIAMDeletePolicy	SecOpsWinUserAddedPrivlegedSecGroup

What is the Account Manipulation technique?

Account Manipulation technique may consist of any actions that preserve adversary access to a compromised account, such as modifying credentials or permissions groups. These actions could also include account activity designed to subvert security policies, such as performing iterative password updates to bypass password duration policies and preserve the life of compromised credentials.

Prerequisites

To use this alert pack, you must have the following data sources available on your domain:

cloud.office365 ^{learn more}
cloud.office365.management.exchange ^{learn more}
cloud.azure.ad.audit ^{learn more}
cloud.gsuite.reports.admin ^{learn more}
box.unix ^{learn more}
cloud.aws.cloudtrail ^{learn more}
cloud.gcp ^{learn more}
box.all.win ^{learn more}

Open alert pack

Once you have installed the alert pack, you can use the Open button at the top right of the card in Exchange to access the Alert configuration, where you can apply filters to find it and later manage it as required. You can also access this area via the Navigation pane (Administration → Alert Configuration → Available alerts).

Use alert pack

The alerts in the alert pack are deactivated by default when the alert pack is installed. Access the Alert configuration area to activate those you need and assign sending policies to receive them through the desired channels.