Interactive local account enumeration

Cortex XDR Analytics Alert Reference by Alert name

Product
Cortex XDR
Last date published
2024-06-04
Category
Analytics Alert Reference
Order
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

1 Hour

Deduplication Period

1 Day

Required Data

  • Requires one of the following data sources:
    • Windows Event Collector
      OR
    • XDR Agent

Detection Modules

Identity Analytics

ATT&CK Tactic

ATT&CK Technique

Severity

Low

Description

Multiple non-existing accounts failed to interactive local log in to a host in a short period of time.
This may indicate an attacker has physical access to the host, and is trying to enumerate accounts.

Attacker's Goals

Discover valid accounts to gain credentials.

Investigative actions

Check if the login attempts were part of a legitimate misunderstanding of the system or part of an attack.