Security Detection Update – 2025-1-22

New Detections

This update introduces:

Disabled Account Attempted Login

This detection monitors for failed windows logins due to the targeted account being disabled. This may be related to legitimate activity, but is unusual in most environments and could be evidence of unauthorized access attempts. Additionally, multiple failed login attempts for the built-in "Guest" account should be considered suspicious, as this account is disabled by default in modern Windows systems and is commonly targeted by attackers during reconnaissance activities. Vulnerability scanners (such as Qualys or Nessus) may also generate findings.

• Status: Default Disabled
• Log type requirement: Windows

Microsoft 365: New MFA Device Added

When at least one user who has registered an additional MFA method(s). This may be part of a natural onboarding or account reset procedure. Malicious actors have been known to add their own MFA devices under their control in order to maintain access to an account and respond to MFA prompts without user interaction.

• Status: Enabled
• Log type requirement: MS365 AD/Entra

Potential Exploitation of Cleo CVE-2024-55956 - Autorun File Artifacts

When file artifacts are detected matching those seen in active attacks related to Cleo CVE-2024-55956

• Status: Enabled
• Log type requirement: Windows, Blumira Agent for Windows
• For more information, see Vulnerabilities in Cleo Software Allow for Unauthenticated Remote Code Execution via CVE-2024-55956