Project Name: Account Transaction Use Cases
Description: Account Transaction Use Cases have proved helpful in common UEBA scenarios where attackers adopt unique procedures to evade enterprise defenses. Cyber threat hunting will always play an important role in identifying such sophisticated attacks. Let's walk through the top 25 UEBA use cases, which will support every hunting hypothesis under evaluation.
Author: Rohit D Sadgune / Amruta Sadgune
FAQ:
- Top 25 UEBA use cases
- UEBA hunting
- Account transaction hunting scenario
- Threat hunting over user activity
- Threat detection over account anomaly
- Threat hunting with account transaction logs
- Threat hunting with SIEM Use Cases
Understanding User Accounts
- Local user accounts: stored in the Security Account Manager (SAM) of the system and usable only on that system.
- Domain user accounts: stored on the domain controller and usable on any machine that falls under that DC.
How UEBA Use Cases helps
Compromised user accounts – In most hunting scenarios the primary use case for UEBA is the event that a user's account has been compromised. Here UEBA can detect the account performing unusual activities, such as retrieving classified information the user does not normally access, and alert the SOC for investigation.
Data theft – Account Transaction Use Cases are also good at preventing, or at least minimizing, data theft. They are highly effective at identifying when a user is downloading data they normally should not be allowed to. In this case the offense typically will not fire until the adversary has already accessed and downloaded the data; once it is triggered, the respective admin can disable the user account to block any further transactions.
Compromised hosts – Threat detection over account anomalies will not only detect a compromised user account; it can also detect when a host is compromised. The common criterion here is malware infection. If the compromised host is observed with unusual behavior, an alert goes to a SOC analyst to investigate.
Insider threats – User-level SIEM use cases help a lot in detecting and hunting insider threats. Most employees have access to sensitive data as part of their normal day-to-day job. This means that if an employee decides to "go rogue," it is difficult to stop them from retrieving this sensitive or classified data. However, account-level use cases can discover when their behavior varies from the norm.
Account Transaction SIEM Use Cases
- If a user is in the privileged group and tries to authenticate to distinct critical servers and fails, hunt for a successful authentication by the same user to the same critical server within the next thirty minutes. If there is no successful authentication, notify.
- Warn if 15 failed logon attempts with distinct usernames are made from the same IP to the same machine within 15 minutes, followed by a successful login from the same IP to any machine.
- Hunt for the scenario where 10 failed logon attempts with distinct accounts are made from the same IP to the same machine within 5 minutes, followed by a successful authentication by one of the accounts that failed, from the same IP or to the same system.
- Hunt if the same user makes more than 10 failed login attempts to their regular machine within an hour in a specific pattern (e.g. 3-3-3-1 or 1-1-1-1-2-2-2).
- Warn if periodic authentication failures occur from the same user to the same critical server or high-value asset and this account transaction anomaly follows a pattern.
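The spray rule above (10 failures with distinct accounts from one IP to one machine within 5 minutes, followed by a success from one of those accounts) implemented in Python, as an added example that is not part of the original post. The logon events, the thresholds and the requirement that the success come from the same source IP are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logon events, not real telemetry:
# (timestamp, account, source IP, target host, outcome)
EVENTS = [
    ("2024-03-01 09:00:05", "alice", "10.0.5.7", "FS01", "failure"),
    ("2024-03-01 09:00:09", "bob",   "10.0.5.7", "FS01", "failure"),
    ("2024-03-01 09:00:14", "carol", "10.0.5.7", "FS01", "failure"),
    ("2024-03-01 09:00:20", "dave",  "10.0.5.7", "FS01", "failure"),
    ("2024-03-01 09:00:27", "erin",  "10.0.5.7", "FS01", "failure"),
    ("2024-03-01 09:01:02", "frank", "10.0.5.7", "FS01", "failure"),
    ("2024-03-01 09:01:09", "grace", "10.0.5.7", "FS01", "failure"),
    ("2024-03-01 09:01:15", "heidi", "10.0.5.7", "FS01", "failure"),
    ("2024-03-01 09:01:21", "ivan",  "10.0.5.7", "FS01", "failure"),
    ("2024-03-01 09:01:30", "judy",  "10.0.5.7", "FS01", "failure"),
    ("2024-03-01 09:03:44", "carol", "10.0.5.7", "FS01", "success"),  # one of the sprayed accounts
    ("2024-03-01 09:10:00", "alice", "10.0.9.2", "FS01", "failure"),  # ordinary typo, then success
    ("2024-03-01 09:10:30", "alice", "10.0.9.2", "FS01", "success"),
]

def detect_spray(events, min_accounts=10, window=timedelta(minutes=5),
                 follow=timedelta(minutes=15)):
    """Return (source_ip, host, account) for each success where at least
    `min_accounts` distinct accounts failed from that IP to that host inside
    `window`, the succeeding account is one of them, and the success lands
    within `follow` of the last failure."""
    rows = sorted((datetime.strptime(t, "%Y-%m-%d %H:%M:%S"), u, ip, h, o)
                  for t, u, ip, h, o in events)
    failures = defaultdict(list)       # source IP -> [(time, account, host)]
    alerts = []
    for when, user, ip, host, outcome in rows:
        if outcome == "failure":
            failures[ip].append((when, user, host))
            continue
        by_host = defaultdict(list)    # failures from this IP still recent enough to matter
        for t, u, h in failures[ip]:
            if when - t <= follow + window:
                by_host[h].append((t, u))
        for h, fails in by_host.items():
            last = max(t for t, _ in fails)
            sprayed = {u for t, u in fails if last - t <= window}   # accounts in the burst
            if (when - last <= follow and len(sprayed) >= min_accounts
                    and user in sprayed):
                alerts.append((ip, h, user))
    return alerts
```

The unrelated single failure from 10.0.9.2 stays below the distinct-account threshold and produces no alert.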
Caterpillar Lateral Movement
- Hunt for the same account making more than 5 failed login attempts to a distinct set of machines within a minute.
- Hunt for the same account making more than 5 successful logins to a distinct set of machines within a minute.
- Warn on the unusual condition where a source has authentication failures at a host that are not followed by a successful authentication at the same host within 2 hours.
- Hunt for a new account being created, followed by immediate authentication activity (other than logon type 3) from that same account.
- Monitor an undocumented source account that has excessive login failures at distinct hosts.
- Look for a new account being created, followed shortly by access or authentication failure activity from the same account.
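The two Caterpillar rules above (more than 5 failed, or more than 5 successful, logons by one account to distinct machines within a minute) as an added Python example that is not from the original post. It keeps a sliding 60-second window per account and outcome and raises one alert per burst; the sample events and the threshold are assumptions.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed sample logon events, not real telemetry: (timestamp, account, target host, outcome)
EVENTS = [
    ("2024-03-01 02:14:00", "svc_backup", "WS-101", "success"),
    ("2024-03-01 02:14:07", "svc_backup", "WS-102", "success"),
    ("2024-03-01 02:14:12", "svc_backup", "WS-103", "success"),
    ("2024-03-01 02:14:19", "svc_backup", "WS-104", "success"),
    ("2024-03-01 02:14:26", "svc_backup", "WS-105", "success"),
    ("2024-03-01 02:14:33", "svc_backup", "WS-106", "success"),  # 6th distinct host in 33 s
    ("2024-03-01 02:14:40", "svc_backup", "WS-101", "success"),  # repeat host, not a new machine
    ("2024-03-01 08:00:00", "alice",      "WS-201", "failure"),
    ("2024-03-01 08:00:30", "alice",      "WS-201", "failure"),
    ("2024-03-01 08:01:00", "alice",      "WS-201", "failure"),  # same host repeatedly: lockout noise, not fan-out
]

def detect_fanout(events, max_hosts=5, window=timedelta(minutes=1)):
    """Flag (account, outcome, hosts) when one account touches more than
    `max_hosts` distinct machines with the same outcome inside `window`.
    Failures and successes are tracked separately, as the two rules do."""
    rows = sorted((datetime.strptime(t, "%Y-%m-%d %H:%M:%S"), a, h, o)
                  for t, a, h, o in events)
    recent = {}            # (account, outcome) -> deque of (time, host) inside the window
    alerted = set()        # bursts already reported, so a burst yields one alert
    alerts = []
    for when, account, host, outcome in rows:
        key = (account, outcome)
        q = recent.setdefault(key, deque())
        q.append((when, host))
        while q and when - q[0][0] > window:   # slide the window forward
            q.popleft()
        hosts = {h for _, h in q}
        if len(hosts) > max_hosts and key not in alerted:
            alerted.add(key)
            alerts.append((account, outcome, sorted(hosts)))
    return alerts
```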
Authentication
- Hunt for multiple login failures to a single host, followed by a successful login to that host.
- Hunt for logon messages observed for a disabled account.
- Hunt for an IP correlated to an account where scanning activity was observed first, followed by an authentication success or failure on one of the scanned systems.
- User authentication observed from a rare ISP.
- User authentication observed from a rare city.
- User uses 2 different ISPs in a very short time.
- User uses IPs from 2 different countries in a very short time.
- No activity for 30 days: the account has 0 authentication transactions over 60 days.
- User performing an authentication transaction from an operating system never seen before.
- User performing an authentication transaction from a browser/user agent never seen before.
Account Sharing
- Account authentication successful from 5 different IPs / machines / users during business hours.
- Account authentication successful from 5 different IPs / machines / users outside business hours.
- Account authentication failures from 5 different IPs / machines within an hour.
- Account authentication successful from a different IP / machine in a per-day pattern.
- Privileged user abuse: monitor misuse of privileged access, such as admin or root access, to perform suspicious activities.
- Privilege escalation: account added to security built-in groups (event IDs 4728, 4732, 4755).
- Hunt for users who are concurrently logged in via LAN and VPN from different geo-locations.
- Unusual process execution using explicit credentials.
- Volumetric increase in 4XX requests.
- Volumetric increase in 3XX requests.
- Unusual spike in 403 or 307 responses followed by 500 responses.
- First seen PowerShell execution from a user computer.
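The privilege-escalation rule above, as an added example that is not from the original post: it filters Windows security events for the group-change IDs listed (4728, 4732, 4755), keeps additions to a watched set of built-in groups, and flags the case where the actor added their own account. The watched-group set, the sample events and the use of the SubjectUserName / MemberName / TargetUserName fields (as in the 4728 and 4732 event schema) are assumptions.

```python
import re

# Watched built-in privileged groups (assumption: tune to your environment)
WATCHED_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins",
                  "Schema Admins", "Remote Desktop Users", "Backup Operators"}
GROUP_CHANGE_IDS = {4728, 4732, 4755}   # event IDs from the use case above

# Constructed sample security events (values invented; field names follow the
# 4728/4732 schema, where TargetUserName is the group and MemberName the DN added)
EVENTS = [
    {"EventID": 4732, "TimeCreated": "2024-03-01T10:02:11", "SubjectUserName": "helpdesk1",
     "MemberName": "CN=jdoe,OU=Staff,DC=corp,DC=example", "TargetUserName": "Remote Desktop Users"},
    {"EventID": 4728, "TimeCreated": "2024-03-01T10:05:40", "SubjectUserName": "jdoe",
     "MemberName": "CN=jdoe,OU=Staff,DC=corp,DC=example", "TargetUserName": "Domain Admins"},
    {"EventID": 4728, "TimeCreated": "2024-03-01T10:06:01", "SubjectUserName": "hr-admin",
     "MemberName": "CN=newhire,OU=Staff,DC=corp,DC=example", "TargetUserName": "HR-Staff"},
    {"EventID": 4624, "TimeCreated": "2024-03-01T10:06:30", "SubjectUserName": "jdoe"},
]

def member_account(member_dn):
    """Pull the account name out of a distinguished name such as CN=jdoe,OU=..."""
    m = re.match(r"CN=([^,]+)", member_dn)
    return m.group(1) if m else member_dn

def hunt_group_additions(events, watched=WATCHED_GROUPS):
    """Return one finding per addition to a watched group; self_escalation is
    set when the subject (actor) and the added member are the same account."""
    findings = []
    for ev in events:
        if ev.get("EventID") not in GROUP_CHANGE_IDS:
            continue                               # not a group-membership change
        group = ev.get("TargetUserName", "")
        if group not in watched:
            continue                               # ordinary business group, ignore
        member = member_account(ev.get("MemberName", ""))
        actor = ev.get("SubjectUserName", "")
        findings.append({
            "time": ev["TimeCreated"], "group": group, "member": member, "actor": actor,
            "self_escalation": member.lower() == actor.lower(),
        })
    return findings
```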
Connection activities
- Inbound allowed traffic by location for each user account
- Outbound allowed traffic by location for each user account
- Inbound blocked traffic by location for each user account
- Outbound blocked traffic by location for each user account
- Blocked internal connections by IP/hostname of each user account
Policy violation activities
- Password ageing by user
- Account authentication from rare domain
- Account authentication from rare VLAN segment
- Multiple user authentications observed on a highly vulnerable system
- Account accessing distinct network shared objects
- Same user observed with multiple email traffic to unknown domains
- Same user observed with multiple malware detections on the system
Hunting Operational Efficiency
- Hunt for rare user activity on the given ports: 445, 137, 138, 139, 53, 23, 22, 5985, 5986, 512, 135, 3389, 20, 21, 25, 67, 68, 69, 389, 119, 1025, 1194, 2082, 3306, 5500, 6665, 6666, 6667, 6668, 6669, 161, 162, 143, 636, 989, 990, 1080, 115, 1433, 110, 179
- Hunt for rare user activity on the given ports in the DMZ: 445, 137, 138, 139, 53, 23, 22, 5985, 5986, 512, 135, 3389, 20, 21, 25, 67, 68, 69, 389, 119, 1025, 1194, 2082, 3306, 5500, 6665, 6666, 6667, 6668, 6669, 161, 162, 143, 636, 989, 990, 1080, 115, 1433, 110, 179
- Hunt for anomalous first-seen communication by a user to a public IP address on ports 445, 137, 138, 139, 53, 23, 22, 5985, 5986, 512, 135, 3389, 20, 21, 25, 67, 68, 69, 389, 119, 1025, 1194, 3306, 5500.
- Account / system / IP address communicating to TOR ports: 9001, 9003, 9050, 9151, 9150
- Monitor outbound communication to cryptocurrency ports from an account / system / IP address: 8333, 18333, 9333, 9999, 22556, 30303 (outbound logic)
- Monitor traffic to specific TLDs in proxy / DNS logs: ".tor", ".onion", ".torgate"
Heterogeneous Account Use Cases
- Spike in connections to databases
- Pattern-based communication from a user / system to HVA (High Value Assets)
- User accessing a decoy system and performing:
  - user creation
  - self-escalation
  - access to a network shared object
- User using multiple IPs for VPN transactions from the same city or location.
- Volumetric increase in data aggregation from distinct network shared objects.
- Explicit credential usage: same account on different systems, same host with multiple accounts.