FlexibleIR | AI War Room Exercise

LoginFromDisabledAccount PendingMedium

0% Completion 00:00:00

CEO

CFO

CISO

Initial Analysis 0/17	Remediation 0/8
Role Identify source username trying to login Start Role Identify application/destination address it is trying to login Start Role Check AD to which the account is authenticating to Start Role Identify from where the user is logging in Start Role Identify the source user details Start Role Identify last login time observed from this user Start Role Identify reason why account disabled Start Role Check if login is successful login or a failed attempt Start Role Identify logon type - interactive login or network login etc. Start Role If login attempt is failed login attempt - identify the error code noticed and reason captured Start Role From last 7 days logs, identify when user was disabled , post the account was disabled was the account was enabled back. Account disabled - windows logs (event ID 4725) and account enabled - windows logs(event id 4722) Start Role If above steps events seen - identify User who has disabled/enabled. Check if user has elevated any privileges Start Role From the last 24 hour logs identify if the disabled account has any password reset attempts or any password never set to expire enabled Start Role From the last 24 hour logs, identify if there are any Phishing emails or spam email received by user and if any attachments downloaded Start Role From the last 24 hour logs, identify if there are any suspicious process running Start Role From the last 24 hour logs, identify if there are any unwanted software installations noticed Start Role From the last 24 hour logs identify if there are any AV infections noticed Start	Role If user is on long vacation and returned - alert as false positive Start Role Check reason why user account is disabled and the reason for these login attempts Start Role If user is not part of organisation - recommended to delete user account Start Role If the user is still a part of organization, and if any phishing or spam emails are detected - recommended to block the sender email address on the email gateway Start Role If any unwanted software installation noticed - recommended to delete the unwanted software Start Role If any suspicious process detected - recommended to kill the process Start Role If AV infections noticed - run a full AV scan Start Role Good practise - monthly review of all disabled accounts and delete the unwanted or unused accounts Start

Initial Analysis 0/17

Remediation 0/8

Role

Identify source username trying to login

Start

Role

Identify application/destination address it is trying to login

Start

Role

Check AD to which the account is authenticating to

Start

Role

Identify from where the user is logging in

Start

Role

Identify the source user details

Start

Role

Identify last login time observed from this user

Start

Role

Identify reason why account disabled

Start

Role

Check if login is successful login or a failed attempt

Start

Role

Identify logon type - interactive login or network login etc.

Start

Role

If login attempt is failed login attempt - identify the error code noticed and reason captured

Start

Role

From last 7 days logs, identify when user was disabled , post the account was disabled was the account was enabled back. Account disabled - windows logs (event ID 4725) and account enabled - windows logs(event id 4722)

Start

Role

If above steps events seen - identify User who has disabled/enabled. Check if user has elevated any privileges

Start

Role

From the last 24 hour logs identify if the disabled account has any password reset attempts or any password never set to expire enabled

Start

Role

From the last 24 hour logs, identify if there are any Phishing emails or spam email received by user and if any attachments downloaded

Start

Role

From the last 24 hour logs, identify if there are any suspicious process running

Start

Role

From the last 24 hour logs, identify if there are any unwanted software installations noticed

Start

Role

From the last 24 hour logs identify if there are any AV infections noticed

Start

Role

If user is on long vacation and returned - alert as false positive

Start

Role

Check reason why user account is disabled and the reason for these login attempts

Start

Role

If user is not part of organisation - recommended to delete user account

Start

Role

If the user is still a part of organization, and if any phishing or spam emails are detected - recommended to block the sender email address on the email gateway

Start

Role

If any unwanted software installation noticed - recommended to delete the unwanted software

Start

Role

If any suspicious process detected - recommended to kill the process

Start

Role

If AV infections noticed - run a full AV scan

Start

Role

Good practise - monthly review of all disabled accounts and delete the unwanted or unused accounts

Start

LoginFromDisabledAccount PendingMedium

Exercise Access Required