Account Compromise
The Account Compromise Detector identifies an account that exhibits signs of being taken over by a threat actor. The detector combines multiple entities related to user login and post-login behavior to deliver a more comprehensive view of account behavior and produce more true positives. If multiple suspicious actions are seen, it is more likely that the account is being used by a threat actor. Entities are provided to the Account Compromise Detector by other Secureworks® Taegis™ XDR detectors including Password Spray and Kerberoasting.
Account Compromise Alert
Requirements ⫘
This detector requires the following data sources, integrations, or schemas:
- Password Spray Detector detections
- Kerberoasting detections
- Logons from a user with anomalous characteristics (e.g., rare country/ASN based on user’s past activity, which is also abnormal for other users in the company)
Inputs ⫘
Detections are from the following normalized sources:
- Auth
Outputs ⫘
Alerts are pushed to the XDR Alert Database and Alert Triage Dashboard.
Configuration Options ⫘
This detector is enabled by default when the required data sources or integrations are available in the tenant.
MITRE ATT&CK Category ⫘
- MITRE Enterprise ATT&CK - Defense Evasion, Persistence, Privilege Escalation, Initial Access - Valid Accounts. For more information, see MITRE Technique T1078.
Detector Testing ⫘
This detector does not have a supported testing method, though an Advanced Search will verify if alerts originated with this detector.
Note
If no supported testing method is available, an Advanced Search will show you if any alerts came from this detector if a qualifying event was observed. A search with no results does not indicate the detector is not working. A lack of search results for the detector may only indicate that the specific attack has not been observed in the tenant. However, it could indicate the underlying data is not available. Ensure the required schemas are provided in Data Sources along with the supported device type(s) for that schema.
FROM alert WHERE metadata.creator.detector.detector_id='app:detect:account-compromise-aggregator'
References ⫘
- Detectors
- Schemas