
t1078.004

a legitimate new admin account being created
a non-malicious user is unaware of the proper process
a self-hosted runner is automatically removed from github if it has not connected to github actions for more than 14 days.
a user may have accidentally entered the wrong credentials during the mfa challenge. if the user is new to mfa, they may have trouble authenticating. ensure that the user is aware of the mfa process and has the correct credentials.
account disabled or blocked in error
actual admin using pim.
administrative users will likely use powershell cmdlets to troubleshoot and maintain the environment. filter as needed.
administrator adding a legitimate temporary access pass
administrators may legitimately create azure runbook webhooks. filter as needed.
allowed self-hosted runner changes in the environment.
although not recommended, certain users may be exempt from multi-factor authentication. adjust the filter as necessary.
although not recommended, certain users may be allowed to authenticate without multi-factor authentication. filter as needed.
an ephemeral self-hosted runner is automatically removed from github if it has not connected to github actions for more than 1 day.
automation account has been blocked or disabled
aws tasks that require aws account root user credentials https://docs.aws.amazon.com/general/latest/gr/aws_tasks-that-require-root.html
based on the values of `datapointthreshold` and `deviationthreshold`, the false positive rate may vary. please tune these according to your environment.
false positives may occur. it is recommended to fine-tune okta settings and the analytic to ensure high fidelity. adjust the risk score as necessary.
if this was approved by system administrator or confirmed user action.
if this was approved by system administrator.
it is possible that some accounts do not have mfa enabled for the aws account; however, this is against best practices for securing aws.
it is possible that there are legitimate user roles making new or infrequently used api calls in your infrastructure, causing the search to trigger.
it's likely that you'll find activity detected by users/service accounts that are not listed in the `identity_lookup_expanded` or `aws_service_accounts.csv` file. if the user is a legitimate service account, update the `aws_service_accounts.csv` table with that entry.
it's possible that a new user will start to modify ec2 instances when they haven't before for any number of reasons. verify with the user that is modifying instances that this is the intended behavior.
it's possible that a user will start to create compute instances for the first time, for any number of reasons. verify with the user launching instances that this is the intended behavior.
it's possible that a user will start to create ec2 instances when they haven't before for any number of reasons. verify with the user that is launching instances that this is the intended behavior.
known legacy accounts
legit administrative pim setting configuration changes
legitimate user wrong password attempts.
legitimate users may fail to respond to the mfa challenge within the time window, or deny it by mistake.
legitimate administrator actions of adding members to a role
many service accounts configured with your aws infrastructure are known to exhibit this behavior. please adjust the threshold values and filter out service accounts from the output. always verify whether this search alerted on a human user.
many service accounts configured within a cloud infrastructure are known to exhibit this behavior. please adjust the threshold values and filter out service accounts from the output. always verify if this search alerted on a human user.
many service accounts configured within an aws infrastructure are known to exhibit this behavior. please adjust the threshold values and filter out service accounts from the output. always verify if this search alerted on a human user.
misconfigured systems
multiple failed mfa requests may also be a sign of authentication or application issues. filter as needed.
none.
o365 security and compliance may also generate false positives or trigger on legitimate behavior, filter as needed.
service account misconfigured
service principals will legitimately authenticate remotely to your tenant. implement this detection only after establishing a baseline of the expected service principals and their source ips; alerting against that baseline identifies genuine threats more accurately and supports an informed response to safeguard the azure ad environment.
this detection could be noisy depending on the environment. it is recommended to keep a check on new secrets when they are created and validate the "actor".
user has been put in an exception group so they can use legacy authentication
users actually log in but mis-click the deny button on the mfa prompt.
valid usage of s3 browser for iam loginprofile listing and/or creation
valid usage of s3 browser for iam user and/or accesskey creation
valid usage of s3 browser with accidental creation of default inline iam policy without changing default s3 bucket name placeholder value
vulnerability scanners
when a legitimate new user logs in for the first time, this activity will be detected. check how old the account is and verify that the user activity is legitimate.
when an administrator is making legitimate appid uri configuration changes to an application. this should be a planned event.
when an administrator is making legitimate uri configuration changes to an application. this should be a planned event.
whenever an admin starts using new features of the admin console.
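Several of the aws entries above describe one triage pattern: suppress known automation via an allowlist such as `aws_service_accounts.csv`, baseline which actors have done a given action before so that a first-time `RunInstances` or `ModifyInstanceAttribute` stands out, apply a volume threshold that service accounts would otherwise trip, and hand whatever remains to a human check. The block below is an added example of that pattern and is not code from LoFP or from any of the detection rules it indexes. The CloudTrail-style events, the csv text, the `BASELINE` set, and the `triage`/`launch_threshold` names are all constructed for illustration; the threshold stands in for whatever value a rule exposes.

```python
import csv
import io
from collections import Counter

# Constructed CloudTrail-style records (trimmed to the fields used here; not real logs).
EVENTS = [
    {"eventTime": "2024-05-01T09:00:00Z", "eventName": "RunInstances",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventTime": "2024-05-01T09:05:00Z", "eventName": "RunInstances",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"}},
    {"eventTime": "2024-05-01T09:06:00Z", "eventName": "ModifyInstanceAttribute",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/carol"}},
]
# A scale-out role launching six instances in a row, then alice launching four more.
EVENTS += [
    {"eventTime": f"2024-05-01T10:0{i}:00Z", "eventName": "RunInstances",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/svc-autoscaler/scale-out"}}
    for i in range(6)
]
EVENTS += [
    {"eventTime": f"2024-05-01T11:0{i}:00Z", "eventName": "RunInstances",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"}}
    for i in range(4)
]

# Constructed allowlist standing in for aws_service_accounts.csv.
SERVICE_ACCOUNTS_CSV = """identity,owner,comment
svc-autoscaler,platform-team,scale-out role that calls RunInstances all day
svc-ci-deploy,build-team,launches throwaway build hosts
"""

# Constructed baseline: (actor, eventName) pairs observed during a prior window.
BASELINE = {("alice", "RunInstances"), ("bob", "DescribeInstances")}

WATCHED = ("RunInstances", "ModifyInstanceAttribute")


def load_service_accounts(text):
    """Read the allowlist; the identity column holds a principal name, not a full ARN."""
    return {row["identity"].strip() for row in csv.DictReader(io.StringIO(text))}


def actor_name(user_identity):
    """Reduce a userIdentity to the name keyed in the allowlist and baseline.
    For AssumedRole the role name is used, so every session of that role matches."""
    arn = user_identity["arn"]
    if user_identity["type"] == "AssumedRole":
        # arn:aws:sts::ACCT:assumed-role/ROLE/SESSION
        return arn.split("assumed-role/", 1)[1].split("/", 1)[0]
    return arn.rsplit("/", 1)[-1]


def triage(events, baseline, service_accounts, launch_threshold=3):
    """Return findings for non-allowlisted actors that either perform a watched
    action for the first time or exceed launch_threshold RunInstances calls."""
    findings = []
    launches = Counter()
    already_flagged = set()
    for ev in events:
        action = ev["eventName"]
        if action not in WATCHED:
            continue
        actor = actor_name(ev["userIdentity"])
        if actor in service_accounts:
            continue  # known automation: tune the csv, not the rule
        key = (actor, action)
        if key not in baseline and key not in already_flagged:
            already_flagged.add(key)
            findings.append({"actor": actor, "action": action, "reason": "first_seen",
                             "identity_type": ev["userIdentity"]["type"],
                             "at": ev["eventTime"]})
        if action == "RunInstances":
            launches[actor] += 1
            if launches[actor] == launch_threshold + 1:  # fire once, on crossing
                findings.append({"actor": actor, "action": action, "reason": "volume",
                                 "identity_type": ev["userIdentity"]["type"],
                                 "at": ev["eventTime"]})
    return findings


if __name__ == "__main__":
    for f in triage(EVENTS, BASELINE, load_service_accounts(SERVICE_ACCOUNTS_CSV)):
        # every finding still needs the "was this a human acting on purpose?" check
        print(f"{f['at']} {f['reason']:10} {f['identity_type']:12} {f['actor']} {f['action']}")
```

With the allowlist loaded, the six launches by `svc-autoscaler` produce nothing, bob and carol surface as first-seen actors, and alice crosses the launch threshold once; with an empty allowlist the same role also trips the volume check, which is the noise the entries above tell you to remove by extending the csv rather than loosening the rule. The `identity_type` field is kept on every finding so the final human-versus-automation question is visible to the analyst instead of being hidden inside the filter.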