Threat Hunting with Authentication Events


Project Name: Threat Hunting with Authentication Events.

Description: The primary aim of authentication threat hunting is to reduce the time needed to detect traces of an attacker. Once the attacker has been found, the consequences of the breach can be contained.

Author: Rohit D Sadgune

Hunting FAQ:

  1. Account logon SIEM use cases
  2. Threat Hunting with Account Logon Transactions
  3. Threat Hunting with Authentication Events
  4. Account authentication SIEM use cases

The benefits of authentication-based threat hunting are:

1. Points out gaps in the visibility required to identify and respond to a given attacker TTP.
2. Detects gaps in the existing authentication use cases.
3. Drives the development of new monitoring rules and detection analytics.
4. Authentication-based hunting scenarios feed their findings back to threat intelligence.
5. Enables preventive measures against observed or potential attacks.

Threat Hunting with Authentication Events

  1. Hunt for the count of successful/failed transactions per hour.
  2. Hunt for the count of successful/failed transactions from each system, grouped by user and hour.
  3. Hunt for the count of successful/failed transactions per user, grouped by system and hour.
  4. Account transactions after working hours.
  5. Account events observed at an unusual time of day.
  6. Account events observed on an unusual day of the week.
  7. Service account performing an interactive logon.
  8. Hunt for an account creating multiple users, and for the logon transactions from those newly created users.
  9. Account created with a name resembling the local service account naming convention.
  10. First-time occurrence of a transaction from a source user.
  11. Newly created service account performing an interactive logon.
  12. First-time occurrence of an account transaction on a host.
  13. Catalogue behaviour hunting where an account performs successful/failed logon transactions on multiple systems.
  14. Catalogue behaviour hunting where an account performs successful/failed logon transactions from multiple IP addresses.
  15. Catalogue behaviour hunting on a system where multiple accounts perform successful/failed logon transactions.
  16. Catalogue behaviour hunting on an IP address from which multiple accounts perform successful/failed logon transactions.
  17. Logon transaction from an unusual country.
  18. Logon transaction from an unusual ISP.
  19. Logon transactions by an account using multiple IPs in the same city within a short period of time.
  20. Windows successful/failed logon transactions from a public IP address.
  21. Account logon successful/failed transactions from a known suspicious IP address.
  22. Account logon successful/failed transactions using known suspicious user agents.
  23. Unusual number of successful/failed transactions on High Value Assets (HVA).
  24. Unusual number of successful/failed transactions by High Privileged Users (HPU).
  25. First use of a host by a High Privileged User (HPU) for successful/failed transactions.
  26. Hunt for any authentication transaction after the employee's end date.
  27. Account with an anomalous naming convention is discovered.
  28. Hunting for an account's successful logon transactions following a similar pattern on multiple hosts.
  29. Hunting for an account's failed logon transactions following a similar pattern on multiple hosts.
  30. Multiple ISPs used by an account for successful/failed authentication transactions within a very short period of time.
  31. Suspicious Windows authentication from an unknown public IP address.

Telemetry Required for Authentication Hunting

1. Windows Security Event ID 4624: An account was successfully logged on
2. Windows Security Event ID 4625: An account failed to log on
3. Windows Security Event ID 4648: A logon was attempted using explicit credentials
4. Application Authentication
5. Cloud Authentication
6. Single Sign On
7. VPN Authentication
8. Unix/Linux Logons
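As an added example (not part of the original post), the Python below runs four of the hunts listed above (hourly counts, after-hours logons, service account interactive logon, and first-time account-on-host) over constructed records shaped like Windows Security 4624/4625 events. The field names, the "svc_" naming prefix, the 08:00-18:00 working window and the baseline of known user/host pairs are assumptions chosen for the example.

```python
from collections import Counter

# Constructed sample records (not real telemetry) shaped like Windows Security
# events 4624 (success) and 4625 (failure). "ts" is truncated to the hour;
# logon_type 2 is an interactive (console) logon, 3 network, 5 service.
EVENTS = [
    {"id": 4624, "ts": "2024-03-04 09", "user": "alice", "host": "WS01", "logon_type": 2},
    {"id": 4624, "ts": "2024-03-04 10", "user": "alice", "host": "WS01", "logon_type": 2},
    {"id": 4624, "ts": "2024-03-04 11", "user": "alice", "host": "FS01", "logon_type": 3},
    {"id": 4624, "ts": "2024-03-04 03", "user": "svc_backup", "host": "WS07", "logon_type": 2},
    {"id": 4624, "ts": "2024-03-04 09", "user": "svc_backup", "host": "FS01", "logon_type": 5},
] + [
    {"id": 4625, "ts": "2024-03-04 02", "user": "bob", "host": "FS01", "logon_type": 3}
    for _ in range(12)  # a burst of twelve failures in one hour
]

# Hunt 1/3: successful (4624) or failed (4625) transactions per user per hour at or above a threshold.
def count_per_user_hour(events, event_id, threshold):
    counts = Counter((e["user"], e["ts"]) for e in events if e["id"] == event_id)
    return {k: n for k, n in counts.items() if n >= threshold}

# Hunt 4/5: successful logons outside the assumed working-hours window [start, end).
def after_hours_logons(events, start=8, end=18):
    hits = []
    for e in events:
        hour = int(e["ts"].split(" ")[1])
        if e["id"] == 4624 and not (start <= hour < end):
            hits.append((e["user"], e["host"], e["ts"]))
    return hits

# Hunt 7/11: an account matching the service naming convention performing an interactive logon.
def service_account_interactive(events, prefix="svc_"):
    return [(e["user"], e["host"], e["ts"]) for e in events
            if e["id"] == 4624 and e["user"].startswith(prefix) and e["logon_type"] == 2]

# Hunt 12: first occurrence of a user/host pair not present in the baseline, in time order.
def first_time_user_host(events, baseline):
    seen = set(baseline)
    new_pairs = []
    for e in sorted(events, key=lambda e: e["ts"]):
        pair = (e["user"], e["host"])
        if e["id"] == 4624 and pair not in seen:
            seen.add(pair)
            new_pairs.append(pair)
    return new_pairs
```

In a SIEM these are the same group-by queries run over the full 4624/4625 feed, with the baseline built from a historical window rather than a hard-coded set.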
