UEBA: Users Indicators

Document created by RSA Information Design and Development Employee on Nov 11, 2020. Last modified by RSA Product Team on Nov 11, 2020.

The following tables list indicators that display when a potentially malicious activity is detected for users.

Windows File Servers

Indicator | Alert Type | Description
--- | --- | ---
Abnormal File Access Time | Non-Standard Hours | A user has accessed a file at an abnormal time.
Abnormal File Access Permission Change | Mass Permission Changes | A user changed multiple share permissions.
Abnormal File Access Event | Abnormal File Access | A user has accessed a file abnormally.
Multiple File Access Permission Changes | Mass Permission Changes | A user changed multiple file share permissions.
Multiple File Access Events | Snooping User | A user generated multiple file access events.
Multiple Failed File Access Events | Snooping User | A user failed multiple times to access a file.
Multiple File Open Events | Snooping User | A user opened multiple files.
Multiple Folder Open Events | Snooping User | A user opened multiple folders.
Multiple File Delete Events | Abnormal File Access | A user deleted multiple files.
Multiple Failed File Access Permission Changes | Mass Permission Changes | A user failed multiple attempts to change file access permissions.

Active Directory

Indicator | Alert Type | Description
--- | --- | ---
Abnormal Active Directory Change Time | Non-Standard Hours | A user made Active Directory changes at an abnormal time.
Abnormal Active Directory Object Change | Abnormal AD Changes | A user made Active Directory attribute changes abnormally.
Multiple Group Membership Changes | Mass Changes to Groups | A user made multiple changes to groups successfully.
Multiple Active Directory Object Changes | Abnormal AD Changes | A user made multiple Active Directory changes successfully.
Multiple User Account Changes | Abnormal AD Changes | A user made multiple sensitive Active Directory changes successfully.
Multiple Failed Account Changes | Abnormal AD Changes | A user failed to make multiple Active Directory changes.
Admin Password Changed | Admin Password Change | The password of an admin was changed.
User Account Enabled | Sensitive User Status Changes | An account of a user was enabled.
User Account Disabled | Sensitive User Status Changes | An account of a user was disabled.
User Account Unlocked | Sensitive User Status Changes | An account of a user was unlocked.
User Account Type Changed | Sensitive User Status Changes | The type of a user account was changed.
User Account Locked | Sensitive User Status Changes | An account of a user was locked.
User Password Reset | Sensitive User Status Changes | The password of a user was reset.
User Password Never Expires Option Changed | Sensitive User Status Changes | The password policy of a user was changed.

Logon Activity

Indicator | Alert Type | Description
--- | --- | ---
Abnormal Remote Host | Login to Abnormal Remote Host | A user attempted to access a remote computer abnormally.
Abnormal Logon Time | Non-Standard Hours | A user logged on at an abnormal time.
Abnormal Host | User Login to Abnormal Host | A user attempted to access a host abnormally.
Multiple Successful Authentications | Multiple Logons by User | A user logged on multiple times.
Multiple Failed Authentications | Multiple Failed Logons | A user failed multiple authentication attempts.
Logon Attempts to Multiple Source Hosts | User Logged into Multiple Hosts | A user attempted to log on from multiple computers.
Abnormal VPN Logon Time | Non-Standard Hours | A user logged on through VPN at an abnormal time.
Abnormal VPN Logon Country | Abnormal Logon Country | A user attempted to establish VPN access from an abnormal country.
Multiple Failed VPN Authentications | Multiple Failed VPN Logons | A user failed multiple times to authenticate for VPN access.
Abnormal Azure AD Logon Time | Non-Standard Hours | A user logged on to Azure AD at an abnormal time.
Abnormal Azure AD Logon Country* | Abnormal Logon Country | A user attempted to access Azure AD from an abnormal country.
Multiple Failed Azure AD Authentications | Multiple Failed Logons | A user failed multiple times to authenticate into Azure AD.
Azure AD - Abnormal Application | Abnormal Applications Accessed | A user attempted to log on to an abnormal number of applications through Azure AD.
Azure AD - Logon Attempts to Multiple Applications | User Logged into Multiple Applications | A user attempted to log on to multiple applications through Azure AD.

Note: *For Abnormal Azure AD Logon Country, it is recommended to update the GeoIP repository dynamically to obtain optimal results.

Process

Indicator | Alert Type | Description
--- | --- | ---
Abnormal Process Created a Remote Thread in LSASS | Credential Dumping | An abnormal process created a remote thread in the LSASS process.
Abnormal Reconnaissance Tool Executed | Discovery and Reconnaissance | An abnormal process was executed.
Abnormal Process Executed a Scripting Tool | PowerShell and Scripting | An abnormal process executed a scripting tool.
Abnormal Process Executed a Scripting Tool | PowerShell and Scripting | An abnormal process was triggered by a scripting tool.
Scripting Tool Triggered an Abnormal Application | PowerShell and Scripting | An abnormal process was opened by a scripting tool.
Abnormal Process Created a Remote Thread in a Windows | PowerShell and Scripting | An abnormal process was injected into a known Windows process.
Multiple Distinct Reconnaissance Tools Executed | Discovery and Reconnaissance | Multiple reconnaissance tools were executed in an hour.
Multiple Reconnaissance Tool Activities Executed | Discovery and Reconnaissance | Multiple reconnaissance tool activities were executed in an hour.
User Ran an Abnormal Process to Execute a Scripting Tool | PowerShell / Scripting | An abnormal process executed a scripting tool.
User Ran a Scripting Tool that Triggered an Abnormal Application | PowerShell / Scripting | A scripting tool was executed that triggered an abnormal application.
User Ran a Scripting Tool to Open an Abnormal Process | PowerShell / Scripting | A scripting tool was executed to open an abnormal process.

Registry

Indicator | Alert Type | Description
--- | --- | ---
Abnormal Process Modified a Registry Key Group | Registry Run Keys | An abnormal process modified a service registry key.
