Pau Lo asked:

AD account compromise: signs of compromised accounts.

Are there any specific metrics or events you would use in traditional on-prem AD to alert that an account may have been compromised? What kind of red flags would you look for, or what specific patterns do monitoring tools look for in terms of account takeover? Many organisations are removing maximum password age settings from domain policies, and account owners are encouraged to only manually initiate a password change if they or the organisation they work for suspect the account and password have been compromised. My queries are:


1. How would the users themselves identify situations where their on-prem AD account may have been compromised?

2. What are the classic signs of compromised accounts that the IT/cyber department could alert on themselves to flag possible compromised AD accounts across all user accounts?

3. Are there any other events, internal or external, that may warrant a manual password change for individual users or a section of users?

Tags: Active Directory, Windows OS, Security, OS Security

Last comment: Pau Lo, 8/22/2022 - Mon
ASKER CERTIFIED SOLUTION
McKnife

arnold

What type of access do your user accounts have?
Nature of concern?
As was pointed out, restrictions, enabling auditing, logon/logoff script to keep track of when and where a user logged in.

Logon to as logon times as McKnife ..

If it is industry specific, looking at failed access attempts..
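One way to turn the signals named in this thread (failed logons, lockouts, and when and where a user logged on) into an alert, as an added example that is not from this thread or from any of its answers: a small scoring rule run over constructed sample Security-log records shaped like events 4624, 4625 and 4740. The record field names, the known-host baseline and the thresholds are assumptions for the example.

```python
"""Added example (not from this thread): score on-prem AD accounts for
compromise indicators from Windows Security log events: failed logons,
lockouts, and logons at unusual times or from hosts not seen before."""
from collections import defaultdict
from datetime import datetime

# Constructed sample events; field names are assumptions modelled on the Security log.
EVENTS = [
    {"id": 4625, "user": "jsmith", "src": "10.0.5.21", "time": "2022-08-22T02:11:00"},
    {"id": 4625, "user": "jsmith", "src": "10.0.5.21", "time": "2022-08-22T02:11:04"},
    {"id": 4625, "user": "jsmith", "src": "10.0.5.21", "time": "2022-08-22T02:11:09"},
    {"id": 4625, "user": "jsmith", "src": "10.0.5.21", "time": "2022-08-22T02:11:13"},
    {"id": 4625, "user": "jsmith", "src": "10.0.5.21", "time": "2022-08-22T02:11:18"},
    {"id": 4624, "user": "jsmith", "src": "10.0.5.21", "time": "2022-08-22T02:11:25"},
    {"id": 4624, "user": "amiller", "src": "10.0.1.7", "time": "2022-08-22T09:02:00"},
    {"id": 4740, "user": "bjones", "src": "10.0.9.3", "time": "2022-08-22T11:40:00"},
]
# Hosts each user has previously logged on from (constructed baseline).
KNOWN_HOSTS = {"jsmith": {"10.0.1.40"}, "amiller": {"10.0.1.7"}, "bjones": {"10.0.2.2"}}
WORK_HOURS = range(7, 20)   # 07:00-19:59 counts as normal in this assumed baseline
FAIL_THRESHOLD = 5          # failures before a following success is suspicious

def score_accounts(events, known_hosts):
    """Return {user: [reasons]} for accounts showing compromise indicators."""
    fails = defaultdict(int)
    flags = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):   # ISO timestamps sort as text
        user, src = ev["user"], ev["src"]
        hour = datetime.fromisoformat(ev["time"]).hour
        if ev["id"] == 4625:                       # failed logon
            fails[user] += 1
        elif ev["id"] == 4740:                     # account locked out
            flags[user].append("lockout")
        elif ev["id"] == 4624:                     # successful logon
            if fails[user] >= FAIL_THRESHOLD:
                flags[user].append(f"success after {fails[user]} failures")
            if src not in known_hosts.get(user, set()):
                flags[user].append(f"new source host {src}")
            if hour not in WORK_HOURS:
                flags[user].append(f"logon at {hour:02d}:00, outside work hours")
            fails[user] = 0                        # a success ends the failure run
    return dict(flags)

if __name__ == "__main__":
    for user, reasons in score_accounts(EVENTS, KNOWN_HOSTS).items():
        print(f"{user}: {'; '.join(reasons)}")
```

The flagged reasons are what an IT/cyber team would surface to the account owner, which is the visibility the asker notes users otherwise lack.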
SOLUTION
Ross McCandless

SOLUTION
btan

Pau Lo (asker)
What type of access do your user accounts have?
Well, the accounts are synchronised accounts, so they govern access to things such as on-prem shared network drives on file servers; some of these directories will definitely store personal and sensitive documents. And obviously other cloud-based 365 file stores such as the user's mailbox, any shared mailboxes they have been granted access to, SharePoint Online team sites; some of the line of business applications are integrated with AD users and groups for permissions – so just your usual office type setup in any business whereby employees access company information which always has some form of sensitivity. Other applications are ‘protected’ by additional authentication processes and different explicit credentials.

The behavioural based analysis makes sense, as does failed login attempts. The main nature of concern is many IT sections encourage users to initiate a password change if they feel their account has been compromised, but they don't really have sight of the event log data that may alert them to the fact their account may have been compromised, so how would they ever really know? I know there are such sites as https://haveibeenpwned.com/ for their business and personal accounts that I suppose they could be encouraged to check routinely..