{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/elastic-security/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Security"],"_cs_severities":["medium"],"_cs_tags":["account-takeover","credential-access","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eThis detection rule identifies potential account takeover activity by analyzing Windows Security Event Logs for unusual login patterns. Specifically, it looks for user accounts that typically log in with high frequency from a single source IP address but then exhibit successful logins from a different source IP address with significantly lower frequency. This pattern may indicate that an attacker has compromised the account credentials and is accessing the network from a new, potentially malicious, location. This activity is detected by analyzing Windows Security Event ID 4624 events related to successful logins. The rule is designed to trigger when a user account logs in from a new IP address after establishing a pattern of high-volume logins from a primary IP address.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e The attacker gains access to valid user credentials through methods such as phishing, credential stuffing, or malware. 
(T1078)\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSuccessful Logon:\u003c/strong\u003e The attacker uses the compromised credentials to successfully log in to a Windows system from a new IP address (Event ID 4624, Logon Type 3 (Network) or 10 (RemoteInteractive)).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement (Possible):\u003c/strong\u003e Once authenticated, the attacker may attempt to move laterally within the network to access additional resources or systems.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation (Possible):\u003c/strong\u003e The attacker may attempt to escalate their privileges to gain administrative access to the system or domain (TA0004).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration (Possible):\u003c/strong\u003e The attacker may attempt to exfiltrate sensitive data from the compromised system or network.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence (Possible):\u003c/strong\u003e The attacker may attempt to establish persistence mechanisms to maintain access to the system or network over time.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful account takeover can have significant consequences, including unauthorized access to sensitive data, lateral movement within the network, privilege escalation, and data exfiltration. The rule specifically looks for logon patterns indicative of account takeover. 
If an account is taken over, attackers could potentially gain access to systems and data the user has rights to access.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule provided below to your SIEM and tune for your environment, paying close attention to the \u003ccode\u003emax_logon\u003c/code\u003e threshold.\u003c/li\u003e\n\u003cli\u003eEnable Audit Logon within Windows to ensure the events needed for detection are available as mentioned in the setup instructions.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule by confirming with the account owner if they logged in from the new source IP.\u003c/li\u003e\n\u003cli\u003eCheck the new source IP for reputation, geography, and whether it is expected as described in the rule\u0026rsquo;s triage steps.\u003c/li\u003e\n\u003cli\u003eCorrelate any generated alerts with other alerts for the same user or source IP such as logon failures, password changes, or MFA changes as part of your investigation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T14:17:05Z","date_published":"2026-05-04T14:17:05Z","id":"/briefs/2024-01-account-takeover-new-source-ip/","summary":"The rule identifies a user account that normally logs in with high volume from one source IP suddenly logging in from a different source IP, potentially indicating account takeover or use of stolen credentials from a new location.","title":"Potential Account Takeover - Logon from New Source IP","url":"https://feed.craftedsignal.io/briefs/2024-01-account-takeover-new-source-ip/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Security"],"_cs_severities":["high"],"_cs_tags":["threat-detection","higher-order-rule"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eThis detection rule, sourced from Elastic\u0026rsquo;s detection ruleset, is designed to identify potential user 
account compromises by aggregating and analyzing existing alert data. The rule focuses on scenarios where a single user triggers multiple distinct alerts, suggesting a higher likelihood of malicious activity. By excluding low-severity alerts and known system accounts, the rule aims to minimize false positives and prioritize investigations. This approach is particularly useful in environments where attackers may attempt to blend in with normal user activity while escalating privileges or moving laterally within the network. The rule utilizes esql to correlate alerts based on user ID. The rule was last updated on 2026/04/27.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a user account, potentially through phishing, credential stuffing, or other methods.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to escalate privileges within the compromised account.\u003c/li\u003e\n\u003cli\u003eThe attacker performs reconnaissance activities, such as discovering sensitive files or network shares.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to move laterally to other systems within the network using the compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker accesses sensitive data, potentially exfiltrating it from the network.\u003c/li\u003e\n\u003cli\u003eThese actions trigger various security alerts related to privilege escalation, lateral movement, and data access.\u003c/li\u003e\n\u003cli\u003eThe \u0026ldquo;Multiple Alerts Involving a User\u0026rdquo; rule detects the correlation between these alerts based on the user ID.\u003c/li\u003e\n\u003cli\u003eSecurity analysts are alerted to investigate the compromised user account and contain the potential damage.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack leveraging a compromised user account can lead to significant data breaches, 
financial losses, and reputational damage. The impact can range from unauthorized access to sensitive data to the complete takeover of critical systems. By identifying compromised user accounts early, organizations can mitigate the potential damage and prevent further escalation of the attack. This detection rule helps prioritize investigations and ensures that security analysts focus on the most critical threats.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eMultiple Alerts Involving a User\u003c/code\u003e to your SIEM to detect potential user account compromises based on correlated alerts.\u003c/li\u003e\n\u003cli\u003eEnable audit logging on systems to capture user activity and generate alerts for suspicious actions.\u003c/li\u003e\n\u003cli\u003eReview and tune the threshold values (e.g., distinct alert count) in the Sigma rule to align with your environment and risk tolerance.\u003c/li\u003e\n\u003cli\u003eUse the \u003ccode\u003eResources: Investigation Guide\u003c/code\u003e tag to access guidance on investigating triggered alerts and identifying compromised user accounts.\u003c/li\u003e\n\u003cli\u003eImplement role-based access control (RBAC) to minimize the impact of compromised accounts by limiting access to sensitive resources.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-24T10:00:00Z","date_published":"2024-01-24T10:00:00Z","id":"/briefs/2024-01-24-multiple-alerts-user/","summary":"This rule identifies when multiple different alerts involving the same user are triggered, which could indicate a compromised user account and requires further investigation.","title":"Multiple Alerts Involving a User Detection","url":"https://feed.craftedsignal.io/briefs/2024-01-24-multiple-alerts-user/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic 
Security"],"_cs_severities":["high"],"_cs_tags":["kerberoasting","credential_access","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eThis detection identifies PowerShell scripts leveraging the \u003ccode\u003eKerberosRequestorSecurityToken\u003c/code\u003e class to request Kerberos service tickets. Attackers often use this technique to perform Kerberoasting, where they obtain service tickets for various service principal names (SPNs) and crack the associated service account passwords offline. This activity can be indicative of an attacker attempting to gain unauthorized access to sensitive resources within the network. The rule is designed to trigger on potentially malicious uses of \u003ccode\u003eKerberosRequestorSecurityToken\u003c/code\u003e while attempting to filter out legitimate uses, such as those within Sentinel breakpoints or authorized Kerberos diagnostic scripts. Defenders should investigate any instances of this activity to determine whether it represents a genuine threat.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e An attacker gains initial access to a Windows system, potentially through phishing, compromised credentials, or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExecution:\u003c/strong\u003e The attacker executes a PowerShell script, either interactively or via a scheduled task or other means of remote execution.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eObfuscation (Optional):\u003c/strong\u003e The PowerShell script may be obfuscated to evade detection, using techniques such as Base64 encoding or string manipulation.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eTicket Request:\u003c/strong\u003e The script uses the \u003ccode\u003eKerberosRequestorSecurityToken\u003c/code\u003e class to request Kerberos service tickets for one or more 
SPNs.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Collection:\u003c/strong\u003e The script collects the requested service tickets and potentially saves them to a file or transmits them over the network.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCredential Access:\u003c/strong\u003e The attacker extracts the encrypted portion of each service ticket, which is encrypted with a key derived from the service account\u0026rsquo;s password, into a crackable hash format.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eOffline Cracking:\u003c/strong\u003e The attacker uses tools like John the Ripper or Hashcat to crack the service account passwords offline; no further contact with the domain controller is needed, so the only server-side trace is the original ticket requests.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation/Lateral Movement:\u003c/strong\u003e Upon successfully cracking the passwords, the attacker uses the compromised credentials to escalate privileges or move laterally within the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful Kerberoasting attacks can lead to the compromise of service accounts, potentially granting attackers unauthorized access to critical systems and sensitive data. The impact can range from data breaches and financial losses to complete system compromise and disruption of business operations. The rule\u0026rsquo;s medium severity reflects the potential for significant impact if the attack succeeds.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable PowerShell Script Block Logging to capture the PowerShell script content necessary for detection, and ensure the logs are being ingested into your SIEM. 
Reference: \u003ca href=\"https://ela.st/powershell-logging-setup\"\u003eSetup instructions\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;PowerShell Kerberos Ticket Request\u0026rdquo; to your SIEM to detect suspicious use of \u003ccode\u003eKerberosRequestorSecurityToken\u003c/code\u003e in PowerShell scripts.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts triggered by the Sigma rule, focusing on reconstructing the full script content, identifying the targeted SPNs, and analyzing the process execution context to determine if the activity is malicious.\u003c/li\u003e\n\u003cli\u003eReview Windows Security event logs on domain controllers for event ID 4769, filtering for the \u003ccode\u003eTargetUserName\u003c/code\u003e associated with the alerting user to identify related Kerberos ticket requests.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T18:45:00Z","date_published":"2024-01-09T18:45:00Z","id":"/briefs/2024-01-09-kerberos-ticket-request/","summary":"This rule detects PowerShell scripts that request Kerberos service tickets using KerberosRequestorSecurityToken, potentially indicating Kerberoasting attacks for offline password cracking of service accounts.","title":"PowerShell Kerberos Ticket Request via KerberosRequestorSecurityToken","url":"https://feed.craftedsignal.io/briefs/2024-01-09-kerberos-ticket-request/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Security"],"_cs_severities":["high"],"_cs_tags":["threat-detection","higher-order-rule","attack"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eThis detection rule correlates multiple security alerts associated with the same ATT\u0026amp;CK tactic on a single host within a defined time window (60 minutes). The purpose of this rule is to identify hosts exhibiting concentrated malicious behavior, which may indicate an active intrusion or post-compromise activity. 
This allows analysts to prioritize triage towards hosts with a higher likelihood of compromise. The rule specifically excludes noisy tactics such as Discovery, Persistence, and Lateral Movement, focusing instead on tactics like Credential Access, Defense Evasion, Execution, and Command and Control. It requires at least three unique detection rules to trigger, ensuring that the activity is not a single, isolated event. The rule also excludes alerts generated by Machine Learning and Threat Match rules, as well as some noisy rules such as \u0026ldquo;Agent Spoofing - Mismatched Agent ID\u0026rdquo; and \u0026ldquo;Process Termination followed by Deletion\u0026rdquo;.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e An attacker gains initial access to a host through methods like exploiting a vulnerability or using stolen credentials.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExecution:\u003c/strong\u003e The attacker executes malicious code on the compromised host, potentially using tools like PowerShell or cmd.exe.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDefense Evasion:\u003c/strong\u003e The attacker attempts to evade detection by disabling security controls or obfuscating their actions.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCredential Access:\u003c/strong\u003e The attacker attempts to steal credentials from the compromised host, such as passwords or Kerberos tickets.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCommand and Control:\u003c/strong\u003e The attacker establishes a command and control channel to communicate with the compromised host.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eFurther Exploitation:\u003c/strong\u003e The attacker uses the compromised host to move laterally within the network, potentially targeting other systems or data.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration or 
Impact:\u003c/strong\u003e The attacker exfiltrates sensitive data from the network or causes damage to systems.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to significant data breaches, financial losses, and reputational damage. By identifying hosts exhibiting multiple alerts related to the same ATT\u0026amp;CK tactic, organizations can proactively respond to potential intrusions before they escalate into more serious incidents. Failure to detect and respond to these types of attacks can result in widespread compromise and significant disruption to business operations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule provided in this brief to your SIEM to detect hosts exhibiting multiple alerts within the same ATT\u0026amp;CK tactic. Tune the rule to your environment to reduce false positives.\u003c/li\u003e\n\u003cli\u003eInvestigate hosts that trigger the Sigma rule to determine the root cause of the alerts and take appropriate remediation steps.\u003c/li\u003e\n\u003cli\u003eReview and update your existing detection rules to ensure they are effective at detecting the latest threats and tactics.\u003c/li\u003e\n\u003cli\u003eEnable logging for process creation, network connections, and file modifications to provide more visibility into host activity and improve detection capabilities.\u003c/li\u003e\n\u003cli\u003eImplement a vulnerability management program to identify and patch vulnerabilities on your systems to prevent attackers from gaining initial access.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-multiple-alerts-same-tactic/","summary":"This rule correlates multiple security alerts associated with the same ATT\u0026CK tactic on a single host within a defined time window, helping to identify hosts 
exhibiting concentrated malicious behavior indicative of an active intrusion or post-compromise activity, focusing on Credential Access, Defense Evasion, Execution, and Command and Control tactics.","title":"Multiple Alerts in Same ATT\u0026CK Tactic by Host","url":"https://feed.craftedsignal.io/briefs/2024-01-multiple-alerts-same-tactic/"}],"language":"en","title":"CraftedSignal Threat Feed — Elastic Security","version":"https://jsonfeed.org/version/1.1"}
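Worked example for the first brief above ("Potential Account Takeover - Logon from New Source IP"). This is an editor-added illustration, not code from the feed or from Elastic's rule: it runs the pattern the brief describes (a user with high-volume successful logons from one source IP, then a successful logon from a different, rarely seen IP) over constructed 4624-style events. The field names, the `max_logon` and `rare_ratio` parameters and the sample data are assumptions; a real rule would also bound the baseline and the new logon to separate time windows.

```python
"""Logon-from-new-source-IP detection over constructed 4624-style events.

Added example, not Elastic's rule. Field names (user, source_ip, logon_type)
are assumptions standing in for TargetUserName, IpAddress and LogonType.
"""
from collections import Counter, defaultdict

# Only Network (3) and RemoteInteractive (10) logons are considered, as in the brief.
LOGON_TYPES = {3, 10}


def _logons(user, ip, logon_type, n):
    """Build n identical constructed successful-logon events."""
    return [{"user": user, "source_ip": ip, "logon_type": logon_type} for _ in range(n)]


# Constructed sample: alice normally logs in from 10.1.1.20, then once from
# 203.0.113.9; svc_backup legitimately uses two hosts; bob has no baseline yet.
EVENTS = (
    _logons("alice", "10.1.1.20", 3, 40)
    + _logons("bob", "10.1.1.30", 3, 2)
    + _logons("alice", "203.0.113.9", 10, 1)
    + _logons("svc_backup", "10.1.1.5", 3, 40)
    + _logons("svc_backup", "10.1.1.6", 3, 15)
    + _logons("alice", "10.1.1.20", 2, 5)  # interactive logons, dropped by the type filter
)


def new_source_ip_logons(events, max_logon=25, rare_ratio=0.1):
    """Return (user, new_ip, primary_ip, new_count, primary_count) tuples.

    A user has an established baseline once at least `max_logon` successful
    logons come from one IP; a successful logon from another IP whose count is
    below `rare_ratio` * baseline is reported once per (user, ip). Both
    thresholds are assumptions to be tuned, as the brief recommends.
    """
    counts = defaultdict(Counter)
    for e in events:
        if e["logon_type"] in LOGON_TYPES:
            counts[e["user"]][e["source_ip"]] += 1

    hits = []
    for user, per_ip in counts.items():
        primary_ip, primary_n = per_ip.most_common(1)[0]
        if primary_n < max_logon:
            continue  # no high-volume baseline, nothing to compare against
        for ip, n in per_ip.items():
            if ip != primary_ip and n < rare_ratio * primary_n:
                hits.append((user, ip, primary_ip, n, primary_n))
    return hits


if __name__ == "__main__":
    for user, ip, primary, n, pn in new_source_ip_logons(EVENTS):
        print(f"{user}: {n} logon(s) from {ip}, baseline {pn} from {primary}")
```

Running it reports only `alice` from `203.0.113.9`: `svc_backup`'s second host is well above the rarity threshold and `bob` never reached a baseline, which is the trade-off `max_logon` controls.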
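Worked example serving both higher-order briefs above ("Multiple Alerts Involving a User" and "Multiple Alerts in Same ATT&CK Tactic by Host"). It is an editor-added illustration, not Elastic's ES|QL rules: it applies the two correlations to a constructed set of alert documents so the exclusions the briefs list (low severity and system accounts for the user rule; the Discovery, Persistence and Lateral Movement tactics, Machine Learning and Threat Match rule types, and the two named noisy rules for the host rule) can be seen in effect. The alert records, rule names other than the two named exclusions, system-account set and the distinct-rule thresholds are assumptions.

```python
"""Alert correlation by user and by (host, tactic) over constructed alert records.

Added example, not Elastic's rules. Sample alerts, SYSTEM_ACCOUNTS and the
thresholds are assumptions; EXCLUDED_* mirror the exclusions the briefs name.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed alert documents:
# (timestamp, host, user, rule_name, rule_type, tactic, severity)
ALERTS = [
    ("2024-01-24T09:00:00", "ws01", "alice", "Suspicious PowerShell Download", "query", "Execution", "medium"),
    ("2024-01-24T09:05:00", "ws01", "alice", "Windows Defender Disabled", "query", "Defense Evasion", "high"),
    ("2024-01-24T09:10:00", "ws01", "alice", "LSASS Memory Access", "query", "Credential Access", "high"),
    ("2024-01-24T09:12:00", "ws01", "alice", "Network Share Discovery", "query", "Discovery", "low"),
    ("2024-01-24T09:30:00", "ws02", "SYSTEM", "Rare Process Started", "machine_learning", "Execution", "medium"),
    ("2024-01-24T09:40:00", "ws02", "SYSTEM", "Agent Spoofing - Mismatched Agent ID", "query", "Defense Evasion", "high"),
    ("2024-01-24T09:45:00", "ws02", "SYSTEM", "Windows Defender Disabled", "query", "Defense Evasion", "high"),
    ("2024-01-24T09:50:00", "ws02", "SYSTEM", "AMSI Bypass", "query", "Defense Evasion", "medium"),
    ("2024-01-24T11:00:00", "ws03", "bob", "Windows Defender Disabled", "query", "Defense Evasion", "high"),
    ("2024-01-24T11:02:00", "ws03", "bob", "Windows Defender Disabled", "query", "Defense Evasion", "high"),
    ("2024-01-24T11:20:00", "ws03", "bob", "AMSI Bypass", "query", "Defense Evasion", "medium"),
    ("2024-01-24T11:50:00", "ws03", "bob", "Clearing Windows Event Logs", "query", "Defense Evasion", "medium"),
    ("2024-01-24T15:00:00", "ws04", "carol", "Windows Defender Disabled", "query", "Defense Evasion", "high"),
    ("2024-01-24T16:30:00", "ws04", "carol", "AMSI Bypass", "query", "Defense Evasion", "medium"),
    ("2024-01-24T18:00:00", "ws04", "carol", "Clearing Windows Event Logs", "query", "Defense Evasion", "medium"),
]

SYSTEM_ACCOUNTS = {"SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE"}  # assumed list
EXCLUDED_TACTICS = {"Discovery", "Persistence", "Lateral Movement"}
EXCLUDED_RULE_TYPES = {"machine_learning", "threat_match"}
EXCLUDED_RULES = {"Agent Spoofing - Mismatched Agent ID", "Process Termination followed by Deletion"}


def multiple_alerts_by_user(alerts, min_distinct=3):
    """User rule: distinct rule names per user, ignoring low-severity alerts
    and known system accounts. Returns {user: sorted rule names} for users
    at or above the threshold."""
    rules_by_user = defaultdict(set)
    for _ts, _host, user, rule, _rtype, _tactic, severity in alerts:
        if severity == "low" or user in SYSTEM_ACCOUNTS:
            continue
        rules_by_user[user].add(rule)
    return {u: sorted(r) for u, r in rules_by_user.items() if len(r) >= min_distinct}


def multiple_alerts_same_tactic_by_host(alerts, window=timedelta(minutes=60), min_rules=3):
    """Host rule: at least `min_rules` distinct rules in one tactic on one host
    inside a sliding `window`, after the tactic, rule-type and rule-name
    exclusions. Returns {(host, tactic): sorted rule names}."""
    buckets = defaultdict(list)
    for ts, host, _user, rule, rtype, tactic, _sev in alerts:
        if tactic in EXCLUDED_TACTICS or rtype in EXCLUDED_RULE_TYPES or rule in EXCLUDED_RULES:
            continue
        buckets[(host, tactic)].append((datetime.fromisoformat(ts), rule))

    hits = {}
    for key, items in buckets.items():
        items.sort()
        for i, (start, _rule) in enumerate(items):
            in_window = {r for t, r in items[i:] if t - start < window}
            if len(in_window) >= min_rules:
                hits[key] = sorted(in_window)
                break  # report each (host, tactic) once
    return hits


if __name__ == "__main__":
    print("users:", multiple_alerts_by_user(ALERTS))
    print("hosts:", multiple_alerts_same_tactic_by_host(ALERTS))
```

The sample is built so the two rules disagree on purpose: `ws02` has three Defense Evasion alerts but one is the excluded "Agent Spoofing" rule, `carol` trips the user rule but her three Defense Evasion alerts are spread over three hours and never fit the 60-minute window, and the duplicate "Windows Defender Disabled" alert on `ws03` counts once because the threshold is on distinct rules.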
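Worked example for the "PowerShell Kerberos Ticket Request via KerberosRequestorSecurityToken" brief above. This is an editor-added illustration, not Elastic's rule: it runs the match over constructed PowerShell script block (Event ID 4104) records, decodes a `-EncodedCommand` payload first so the obfuscation step in the brief's attack chain does not hide the class name, extracts the targeted SPNs the triage step asks for, and then correlates the alerting users with constructed domain-controller 4769 records as the last recommendation describes. The exclusion (script text containing both `sentinelbreakpoints` and `Set-PSBreakpoint`) is an assumption standing in for the brief's "Sentinel breakpoints" exception; the RC4 (`0x17`) encryption-type flag and the machine-account filter in the 4769 step are added triage checks the brief does not mention.

```python
"""KerberosRequestorSecurityToken detection over constructed 4104 and 4769 records.

Added example, not Elastic's rule. Sample scripts, the exclusion pattern, the
SPN regex and the 4769 triage checks are assumptions.
"""
import base64
import re

# Constructed 4104-style records: (user, script_block_text)
SCRIPT_BLOCKS = [
    ("CORP\\alice",
     'Add-Type -AssemblyName System.IdentityModel; '
     'New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken '
     '-ArgumentList "MSSQLSvc/sql01.corp.local:1433"'),
    # Same request delivered as -EncodedCommand (base64 of UTF-16LE), the
    # obfuscation step from the brief's attack chain.
    ("CORP\\bob", "powershell.exe -EncodedCommand " + base64.b64encode(
        ('New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken '
         '-ArgumentList "HTTP/web01.corp.local"').encode("utf-16-le")).decode()),
    # Assumed benign diagnostic script that the exclusion should suppress.
    ("CORP\\svc_monitor",
     "# Kerberos diagnostics (authorized)\n"
     "Set-PSBreakpoint -Script C:\\ops\\sentinelbreakpoints\\kerb.ps1 -Line 1\n"
     '$t = New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken "HOST/dc01"'),
    ("CORP\\carol", "Get-Process | Where-Object { $_.CPU -gt 100 }"),
]

# Constructed 4769-style records: (TargetUserName, ServiceName, TicketEncryptionType)
TGS_REQUESTS = [
    ("alice@CORP.LOCAL", "sql01svc", "0x17"),
    ("alice@CORP.LOCAL", "WS01$", "0x12"),
    ("bob@CORP.LOCAL", "web01svc", "0x17"),
    ("carol@CORP.LOCAL", "FS01$", "0x12"),
]

# -e / -enc / -EncodedCommand followed by a base64 blob.
ENCODED_RE = re.compile(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]{16,})", re.I)
# service-class/host[:port], e.g. MSSQLSvc/sql01.corp.local:1433 (assumed shape).
SPN_RE = re.compile(r"\b([A-Za-z][\w-]*/[\w.-]+(?::\d+)?)")


def _decode(match):
    """Replace an encoded command with its decoded text; keep it if undecodable."""
    try:
        return base64.b64decode(match.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return match.group(0)


def normalize(text):
    """Substitute decoded payloads so matching and SPN extraction see plain text."""
    return ENCODED_RE.sub(_decode, text)


def is_excluded(text):
    low = text.lower()
    return "sentinelbreakpoints" in low and "set-psbreakpoint" in low


def detect_ticket_requests(blocks):
    """Return [{'user', 'spns'}] for script blocks that use the class and are not excluded."""
    hits = []
    for user, script in blocks:
        text = normalize(script)
        if "KerberosRequestorSecurityToken" not in text or is_excluded(text):
            continue
        hits.append({"user": user, "spns": sorted(set(SPN_RE.findall(text)))})
    return hits


def correlate_with_tgs(hits, tgs_requests):
    """For each alerting user, list 4769 service ticket requests by that account,
    dropping machine accounts (trailing $) and flagging RC4 (0x17) tickets, which
    Kerberoasting tooling requests because they crack fastest."""
    out = {}
    for hit in hits:
        sam = hit["user"].split("\\")[-1].lower()
        out[hit["user"]] = [
            {"service": svc, "rc4": enc == "0x17"}
            for target, svc, enc in tgs_requests
            if target.split("@")[0].lower() == sam and not svc.endswith("$")
        ]
    return out


if __name__ == "__main__":
    found = detect_ticket_requests(SCRIPT_BLOCKS)
    for hit in found:
        print(hit["user"], "requested tickets for", hit["spns"])
    print(correlate_with_tgs(found, TGS_REQUESTS))
```

Script block logging already records the de-obfuscated script for `-EncodedCommand` launches, so the decode step matters most when the same match is applied to process command lines (4688) rather than 4104; it is kept here because the SPN extraction should run on plain text either way.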