Abnormally High Number of Endpoint Changes By User

Description

Detects a user account that generates an abnormally high number of endpoint changes relative to its normal activity, where a change is a system restart, an audit policy modification, or a filesystem, user account, or registry modification.
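The statistic behind a search of this kind, shown here as an added example rather than Splunk Security Essentials content: each user's daily change count is compared with that user's own history, and a day whose count sits several standard deviations above the mean is flagged. Two guards matter in practice and are included here: an absolute minimum count, so that an account which normally does nothing is not flagged for three registry edits, and a floor on the standard deviation, so that a perfectly flat baseline does not divide by zero and turn every deviation into infinity. In SPL the same shape is a `stats count by user, _time` followed by `eventstats avg(count) stdev(count) by user`; the Python below reproduces it offline. The account names, event data, and thresholds are constructed assumptions, not values from the original detection.

```python
"""
Per-user endpoint-change outlier detection against a rolling baseline.
Added example; not Splunk Security Essentials content. All event data
below is constructed for illustration.
"""
from collections import Counter, defaultdict
from statistics import mean, pstdev

# The change classes the detection description names.
CHANGE_TYPES = {"restart", "audit", "filesystem", "user", "registry"}


def build_sample_events():
    """Constructed events as (day, user, change_type). Days 1-14 form the
    baseline window; day 15 is the day under evaluation."""
    events = []
    # Service account with steady, legitimate change activity every day.
    for day in range(1, 16):
        events += [(day, "CORP\\svc.config", "registry")] * 2
        events += [(day, "CORP\\svc.config", "filesystem")] * 1
    # Ordinary user: one change a day, then a burst spanning several classes.
    for day in range(1, 15):
        events.append((day, "CORP\\jdoe", "filesystem"))
    events += [(15, "CORP\\jdoe", "registry")] * 40
    events += [(15, "CORP\\jdoe", "filesystem")] * 30
    events += [(15, "CORP\\jdoe", "audit")] * 5
    events += [(15, "CORP\\jdoe", "restart")] * 3
    # Account with no history at all that is busy on day 15.
    events += [(15, "CORP\\newhire", "user")] * 12
    # An event type outside the description's scope; must be ignored.
    events.append((15, "CORP\\jdoe", "logon"))
    return events


def count_changes(events):
    """Return {user: {day: count}} and {user: {day: Counter(change_type)}}."""
    totals = defaultdict(Counter)
    by_type = defaultdict(lambda: defaultdict(Counter))
    for day, user, ctype in events:
        if ctype not in CHANGE_TYPES:
            continue
        totals[user][day] += 1
        by_type[user][day][ctype] += 1
    return totals, by_type


def detect(events, eval_day, baseline_days, z_threshold=3.0,
           min_count=10, min_history_days=7):
    """Flag users whose eval_day change count is an outlier against their own
    baseline. Each finding carries the per-class breakdown so an analyst can
    see whether the burst spans registry, filesystem, audit and restart
    changes or is confined to one class."""
    totals, by_type = count_changes(events)
    findings = []
    for user, per_day in totals.items():
        today = per_day.get(eval_day, 0)
        if today < min_count:
            continue  # absolute floor: a handful of changes is never "abnormally high"
        baseline = [per_day.get(d, 0) for d in baseline_days]
        active_days = sum(1 for c in baseline if c > 0)
        finding = {"user": user, "count": today,
                   "breakdown": dict(by_type[user][eval_day])}
        if active_days < min_history_days:
            # Too little history to model; surface it rather than skip it,
            # since a brand-new or long-dormant account is itself interesting.
            finding.update(status="insufficient_baseline", z=None)
            findings.append(finding)
            continue
        mu, sigma = mean(baseline), pstdev(baseline)
        # Floor sigma at 1 so a flat baseline cannot divide by zero.
        z = (today - mu) / max(sigma, 1.0)
        if z >= z_threshold:
            finding.update(status="outlier", z=round(z, 2),
                           baseline_mean=round(mu, 2))
            findings.append(finding)
    return sorted(findings, key=lambda f: f["count"], reverse=True)


if __name__ == "__main__":
    for f in detect(build_sample_events(), eval_day=15, baseline_days=range(1, 15)):
        print(f)
```

On the constructed data the service account never fires despite daily registry writes, because its day-15 count is both below the floor and identical to its baseline; `jdoe` fires as an outlier with a breakdown across four change classes, and `newhire` is reported separately as having no baseline to compare against, which is the case a pure z-score search silently drops.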

Use Case

Advanced Threat Detection

Category

Endpoint Compromise, Ransomware

SPL Difficulty

Advanced

Journey

Stage 3

MITRE ATT&CK Tactics

Persistence
Defense Evasion

MITRE ATT&CK Techniques

Modify Existing Service (T1031; revoked by MITRE and folded into Windows Service, T1543.003)
Modify Registry (T1112)
File and Directory Permissions Modification (T1222)
Windows Service (T1543.003, a sub-technique of Create or Modify System Process)

MITRE Threat Groups

APT19
APT3
APT32
APT41
Blue Mockingbird
Carbanak
Cobalt Group
DarkVishnya
FIN7
Honeybee
Ke3chang
Kimsuky
Lazarus Group
PROMETHIUM
Threat Group-3390
Tropic Trooper
Wizard Spider

Data Sources

Endpoint Detection and Response