Remote account enumeration

Cortex XDR Analytics Alert Reference by Alert name

Product
Cortex XDR
Last date published
2024-06-04
Category
Analytics Alert Reference
Order
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

10 Minutes

Deduplication Period

1 Day

Required Data

  • Requires one of the following data sources:
    • Windows Event Collector
      OR
    • XDR Agent

Detection Modules

Identity Analytics

ATT&CK Tactic

ATT&CK Technique

Severity

Informational

Description

Multiple logon attempts using accounts that do not exist failed against a single host from a remote source within a short period of time.
This may indicate that an attacker is remotely enumerating accounts, probing candidate user names to learn which ones are valid.
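The detection logic behind this alert is proprietary, so the following is an added illustration rather than Cortex XDR's own analytics: a small detector that reproduces the pattern the description names (many distinct non-existent account names failing a remote logon to one host inside a short window) over constructed log records. It assumes, beyond what the page states, that the input is Windows Security event 4625 data, that SubStatus 0xC0000064 means "user name does not exist", that LogonType 3 is a network logon, and that the threshold of five names is illustrative; the ten-minute window mirrors the page's test period, and the split into "domain" and "local" scope mirrors the page's domain-account variations.

```python
"""Toy detector for remote account enumeration: many distinct non-existent
account names failing a network logon to one host in a short window.
Added example, not Cortex XDR's own analytics.  Assumptions not on the page:
input is Windows event 4625 data; SubStatus 0xC0000064 = "user name does not
exist"; LogonType 3 = network logon; THRESHOLD is illustrative.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

USER_DOES_NOT_EXIST = "0xC0000064"  # 4625 SubStatus for a bad user name
NETWORK_LOGON = 3                   # 4625 LogonType 3 = remote/network
THRESHOLD = 5                       # distinct bogus names per window (illustrative)
WINDOW = timedelta(minutes=10)      # mirrors the page's 10-minute test period


@dataclass(frozen=True)
class LogonFailure:
    ts: datetime
    host: str           # computer that logged the event
    target_user: str    # TargetUserName
    target_domain: str  # TargetDomainName
    logon_type: int
    sub_status: str
    src_ip: str         # IpAddress


@dataclass(frozen=True)
class Alert:
    host: str
    src_ip: str
    scope: str          # "domain" or "local", as in the page's variations
    names: tuple
    first_seen: datetime
    last_seen: datetime


def parse_line(line: str) -> LogonFailure:
    """Parse one constructed key=value record (a flattened 4625 event)."""
    kv = dict(tok.split("=", 1) for tok in line.split())
    return LogonFailure(datetime.fromisoformat(kv["ts"]), kv["host"], kv["user"],
                        kv["domain"], int(kv["logon_type"]), kv["sub_status"],
                        kv["src_ip"])


def detect(events, threshold=THRESHOLD, window=WINDOW):
    """One Alert per (host, source, scope) in which `threshold` distinct
    non-existent user names fail a network logon inside any `window`."""
    buckets = defaultdict(list)  # key -> [(ts, user), ...] in time order
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.logon_type != NETWORK_LOGON or ev.sub_status != USER_DOES_NOT_EXIST:
            continue  # interactive logons and wrong-password failures are out of scope
        # A local-account attempt carries the target host's own name as the domain.
        scope = "local" if ev.target_domain.upper() == ev.host.upper() else "domain"
        buckets[(ev.host, ev.src_ip, scope)].append((ev.ts, ev.target_user.lower()))

    alerts = []
    for (host, src_ip, scope), hits in buckets.items():
        start = 0
        for end in range(len(hits)):           # sliding window over sorted hits
            while hits[end][0] - hits[start][0] > window:
                start += 1
            if len({u for _, u in hits[start:end + 1]}) >= threshold:
                while end + 1 < len(hits) and hits[end + 1][0] - hits[start][0] <= window:
                    end += 1                   # absorb the rest of the burst
                names = tuple(sorted({u for _, u in hits[start:end + 1]}))
                alerts.append(Alert(host, src_ip, scope, names, hits[start][0], hits[end][0]))
                break                          # one alert per key (page: 1-day dedup)
    return alerts


# Constructed sample records (not real telemetry); fields mirror 4625 data.
SAMPLE_LOG = """\
ts=2024-06-04T09:00:05 host=DC01 user=admin domain=CORP logon_type=3 sub_status=0xC0000064 src_ip=10.0.0.50
ts=2024-06-04T09:00:06 host=DC01 user=backup domain=CORP logon_type=3 sub_status=0xC0000064 src_ip=10.0.0.50
ts=2024-06-04T09:00:08 host=DC01 user=svc_sql domain=CORP logon_type=3 sub_status=0xC0000064 src_ip=10.0.0.50
ts=2024-06-04T09:00:09 host=DC01 user=helpdesk domain=CORP logon_type=3 sub_status=0xC0000064 src_ip=10.0.0.50
ts=2024-06-04T09:00:11 host=DC01 user=oracle domain=CORP logon_type=3 sub_status=0xC0000064 src_ip=10.0.0.50
ts=2024-06-04T09:00:12 host=DC01 user=test domain=CORP logon_type=3 sub_status=0xC0000064 src_ip=10.0.0.50
ts=2024-06-04T09:03:00 host=FS01 user=jsmtih domain=CORP logon_type=3 sub_status=0xC0000064 src_ip=10.0.0.7
ts=2024-06-04T09:05:00 host=FS01 user=jsmith domain=CORP logon_type=3 sub_status=0xC000006A src_ip=10.0.0.8
ts=2024-06-04T09:06:00 host=FS01 user=nobody domain=CORP logon_type=2 sub_status=0xC0000064 src_ip=-
ts=2024-06-04T09:10:00 host=WS01 user=guest1 domain=WS01 logon_type=3 sub_status=0xC0000064 src_ip=10.0.0.60
ts=2024-06-04T09:15:00 host=WS01 user=guest2 domain=WS01 logon_type=3 sub_status=0xC0000064 src_ip=10.0.0.60
ts=2024-06-04T09:20:00 host=WS01 user=guest3 domain=WS01 logon_type=3 sub_status=0xC0000064 src_ip=10.0.0.60
ts=2024-06-04T09:25:00 host=WS01 user=guest4 domain=WS01 logon_type=3 sub_status=0xC0000064 src_ip=10.0.0.60
ts=2024-06-04T09:30:00 host=WS01 user=guest5 domain=WS01 logon_type=3 sub_status=0xC0000064 src_ip=10.0.0.60
ts=2024-06-04T09:40:00 host=WS02 user=sa domain=WS02 logon_type=3 sub_status=0xC0000064 src_ip=10.0.0.61
ts=2024-06-04T09:40:10 host=WS02 user=admin2 domain=WS02 logon_type=3 sub_status=0xC0000064 src_ip=10.0.0.61
ts=2024-06-04T09:40:20 host=WS02 user=printer domain=WS02 logon_type=3 sub_status=0xC0000064 src_ip=10.0.0.61
ts=2024-06-04T09:40:30 host=WS02 user=scanner domain=WS02 logon_type=3 sub_status=0xC0000064 src_ip=10.0.0.61
ts=2024-06-04T09:40:40 host=WS02 user=backupadmin domain=WS02 logon_type=3 sub_status=0xC0000064 src_ip=10.0.0.61
"""


def run_sample(threshold=THRESHOLD):
    return detect((parse_line(l) for l in SAMPLE_LOG.splitlines() if l.strip()), threshold)


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a.scope} account enumeration on {a.host} from {a.src_ip}: {a.names}")
```

In the constructed sample, the burst against DC01 and the burst of local-account names against WS02 each raise an alert; the single mistyped name against FS01, the wrong-password failure (a different SubStatus), the interactive logon, and the five names spread over twenty minutes against WS01 do not. Counting distinct names rather than raw failures is what keeps a user repeatedly mistyping one account from tripping the threshold.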

Attacker's Goals

Discover valid accounts to gain credentials.

Investigative actions

Determine whether the failed logons came from a legitimate source (for example a user, script, or service repeatedly supplying a mistyped or stale account name) or from an attacker. Review which account names were attempted and from which source, and check whether that source subsequently logged in successfully or went on to try further accounts.

Variations

Suspicious Remote domain account enumeration

Synopsis

ATT&CK Tactic

ATT&CK Technique

Severity

Medium

Description

Multiple logon attempts using domain accounts that do not exist failed against a single host from a remote source within a short period of time.
This may indicate that an attacker is remotely enumerating domain accounts, probing candidate user names to learn which ones are valid.

Attacker's Goals

Discover valid accounts to gain credentials.

Investigative actions

Determine whether the failed logons came from a legitimate source (for example a user, script, or service repeatedly supplying a mistyped or stale account name) or from an attacker. Review which account names were attempted and from which source, and check whether that source subsequently logged in successfully or went on to try further accounts.


Remote account enumeration on domain accounts

Synopsis

ATT&CK Tactic

ATT&CK Technique

Severity

Low

Description

Multiple logon attempts using domain accounts that do not exist failed against a single host from a remote source within a short period of time.
This may indicate that an attacker is remotely enumerating domain accounts, probing candidate user names to learn which ones are valid.

Attacker's Goals

Discover valid accounts to gain credentials.

Investigative actions

Determine whether the failed logons came from a legitimate source (for example a user, script, or service repeatedly supplying a mistyped or stale account name) or from an attacker. Review which account names were attempted and from which source, and check whether that source subsequently logged in successfully or went on to try further accounts.