
Alert Pack: Valid Accounts (MITRE ATT&CK Technique: T1078)

Purpose

Once an attacker gains access to a valid account and uses it for their own ends, your company could suffer significant disruption. Valid accounts can be leveraged in a range of attacks across the MITRE ATT&CK framework, giving an adversary Initial Access, Persistence, Privilege Escalation, and Defense Evasion. Knowing this, Devo created detections to help your SOC recognize when valid accounts have been compromised.

These detections will help lower your MTTR for these events by providing you with real-time updates from these accounts so that the appropriate action can be taken. Download them today, and improve your coverage.

Security Operations application

SecOps users can obtain detailed information if they install these alerts using the Content Manager instead.

SecOpsSimultaneouslyLoginbyIP

SecOpsGSuiteLoginAccountWarning

SecOpsAWSDetectStsAssumeRoleAbuse

SecOpsSimultaneouslyLoginbyUser

SecOpsGSuiteMobileSuspiciousActivity

SecOpsAWSRootLogin

SecOpsLinuxAuditdMaxFailedLoginAttempts

SecOpsGSuiteGovernmentAttackWarning

SecOpsAWSUserSuccessfulLoginWithoutMFA

SecOpsLinuxIrregularLogin

SecOpsGCPIAMCustomRoleCreation

SecOpsAwsDbSnapshotCreated

SecOpsLinuxMaxSessionsPerUser

SecOpsGCPDetectAccountsWithHighRiskRolesByProject

SecOpsAWSPermissionsBoundaryLiftedtoRole

SecOpsAzureAutoAccountCreated

SecOpsO365UserPasswordChange

SecOpsAWSSetdefaultpolicyversion

SecOpsAzureUserLoginSuspiciousRisk

SecOpsAWSSamlAccess

SecOpsAwsUnapprovedUserApiActivity

SecOpsAzureImpossibleTravel

SecOpsAWSPermissionsBoundaryLiftedtoUser

SecOpsAWSPermissionsBoundaryModifiedToRole

SecOpsAzureUserHighRiskSignIn

SecOpsAWSCreateloginprofile

SecOpsAWSIamSuccessfulGroupDeletion

SecOpsAzureUserHighAggregateRiskSignIn

SecOpsAWSPermissionsBoundaryModifiedToUser

SecOpsWinAdminRemoteLogon

SecOpsAzureUserConfirmedCompromised

SecOpsAWSUpdateloginprofile

SecOpsWinExcessiveUserInteractiveLogin


What are Valid Accounts?

Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide, to make it harder to detect their presence.

Prerequisites

To use this alert pack you must have the following data sources available in your domain:

Open alert pack

Once you have installed the alert pack, you can use the Open button at the top right of the card in Exchange to access the Alert configuration, where you can apply filters to find it and later manage it as required. You can also access this area via the Navigation pane (Administration → Alert Configuration → Available alerts).

Use alert pack

The alerts in the alert pack are deactivated by default when the alert pack is installed. Access the Alert configuration area to activate those you need and assign sending policies to receive them through the desired channels.