Abnormal User Login to Domain Controller

Cortex XDR Analytics Alert Reference by data source

Product
Cortex XDR
Last date published
2024-11-18
Category
Analytics Alert Reference
Order
data source

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

1 Day

Required Data

  • Requires:
    • XDR Agent

Detection Modules

Identity Analytics

Detector Tags

ATT&CK Tactic

ATT&CK Technique

Severity

Informational

Description

A user account has successfully logged on to a Domain Controller (DC), generating a Windows Event Log. This may be a sign of DC and Active Directory (AD) compromise.

Attacker's Goals

A malicious user may attempt to access a domain controller to access and control Active Directory.

Investigative actions

  • Ensure that the user is not a Domain Admin account. By default, Administrator groups have permission to access the domain controller.
  • Check if the user is a service account that accesses a domain controller as part of its normal behavior.
  • Verify that the user is not authenticating to group policy.

Variations

Rare RDP User Login to Domain Controller by an Abnormal Department

Synopsis

ATT&CK Tactic

ATT&CK Technique

Severity

Medium

Description

A user account has successfully interactively logged on to a Domain Controller (DC), generating a Windows Event Log. This may be a sign of DC and Active Directory (AD) compromise.

Attacker's Goals

A malicious user may attempt to access a domain controller to access and control Active Directory.

Investigative actions

  • Ensure that the user is not a Domain Admin account. By default, Administrator groups have permission to access the domain controller.
  • Check if the user is a service account that accesses a domain controller as part of its normal behavior.
  • Verify that the user is not authenticating to group policy.


Abnormal RDP User Login to Domain Controller

Synopsis

ATT&CK Tactic

ATT&CK Technique

Severity

Low

Description

A user account has successfully interactively logged on to a Domain Controller (DC), generating a Windows Event Log. This may be a sign of DC and Active Directory (AD) compromise.

Attacker's Goals

A malicious user may attempt to access a domain controller to access and control Active Directory.

Investigative actions

  • Ensure that the user is not a Domain Admin account. By default, Administrator groups have permission to access the domain controller.
  • Check if the user is a service account that accesses a domain controller as part of its normal behavior.
  • Verify that the user is not authenticating to group policy.


RDP User Login to Domain Controller

Synopsis

ATT&CK Tactic

ATT&CK Technique

Severity

Informational

Description

A user account has successfully logged on to a Domain Controller (DC), generating a Windows Event Log. This may be a sign of DC and Active Directory (AD) compromise.

Attacker's Goals

A malicious user may attempt to access a domain controller to access and control Active Directory.

Investigative actions

  • Ensure that the user is not a Domain Admin account. By default, Administrator groups have permission to access the domain controller.
  • Check if the user is a service account that accesses a domain controller as part of its normal behavior.
  • Verify that the user is not authenticating to group policy.


Abnormal User Login to Domain Controller by an Abnormal Department

Synopsis

ATT&CK Tactic

ATT&CK Technique

Severity

Informational

Description

A user account has successfully logged on to a Domain Controller (DC), generating a Windows Event Log. This may be a sign of DC and Active Directory (AD) compromise.

Attacker's Goals

A malicious user may attempt to access a domain controller to access and control Active Directory.

Investigative actions

  • Ensure that the user is not a Domain Admin account. By default, Administrator groups have permission to access the domain controller.
  • Check if the user is a service account that accesses a domain controller as part of its normal behavior.
  • Verify that the user is not authenticating to group policy.