UEBA: NetWitness UEBA Indicators

Document created by RSA Information Design and Development Employee on Sep 11, 2018. Last modified by Shree Kulkarni on May 21, 2020.

NetWitness UEBA focuses on providing advanced detection capabilities to guard enterprises from insider threats. These may be compromised trusted users or network entities within a network, or alternatively a malicious external attacker taking advantage of credentials acquired using advanced account-takeover techniques.

Identity theft typically begins with the theft of credentials, which are then used to obtain unauthorized access to resources and to gain control over the network. Attackers may also exploit compromised non-admin users to obtain access to resources for which those users hold administrative rights, and then escalate those privileges.

NetWitness UEBA helps you separate possibly malicious activity from user or network entity actions that are abnormal but not risky.

Use Case for Users

An attacker who uses stolen credentials may trigger suspicious network events while accessing resources. Detecting illicit credential use is possible, but requires that you separate attacker activity from the high volume of legitimate events. The following use cases define certain risk types and the corresponding system capabilities used to detect them. You can review the use cases, represented by their Alert Type and Description, to gain an initial understanding of the risky behavior behind each. Using NetWitness UEBA, you can then drill down into the indicators that reflect the possibly risky user activities to learn more. For more information about NetWitness UEBA-supported indicators, see Indicators for Users. When anomalies are detected, they are compared to the baseline and compiled into hourly alerts. For more information on the types of alerts for users, see Alert Types for User.
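The indicator-to-hourly-alert flow described above, as an added illustration that is not NetWitness code and does not reproduce its scoring: a baseline learned from one user's logon history is compared with an hour of constructed Windows-style authentication events, and the resulting Multiple Failed Authentications, Abnormal Logon Time and Abnormal Computer indicators are grouped into a single hourly alert. The event layout, the user and computer names, and the threshold rule (mean plus three standard deviations of historical failures per hour, floored at five) are assumptions made for the example.

```python
"""Toy model of the user indicator -> hourly alert flow.

Added illustration only: constructed events, not NetWitness data, and not
NetWitness's own scoring. Event tuple: (ISO timestamp, user, computer, outcome).
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed history: a week of ordinary activity for one user (assumed names).
HISTORY = []
for day in range(1, 8):
    for hour in (8, 9, 12, 17):
        HISTORY.append((f"2020-05-0{day}T{hour:02d}:05:00", "alice", "WS-ALICE", "success"))
    HISTORY.append((f"2020-05-0{day}T09:06:00", "alice", "WS-ALICE", "failure"))  # an occasional typo

# Constructed hour under review: a burst of failures at 03:00 from a computer never seen before.
CURRENT_HOUR = [(f"2020-05-09T03:{m:02d}:00", "alice", "FS-01", "failure") for m in range(12)]
CURRENT_HOUR.append(("2020-05-09T03:13:00", "alice", "FS-01", "success"))


def hour_bucket(ts):
    """Alerts are compiled per hour, so events are keyed by their hour bucket."""
    return datetime.fromisoformat(ts).strftime("%Y-%m-%dT%H")


def build_baseline(events):
    """Per user: hours of day seen, computers seen, and failed logons per hour bucket."""
    baseline = defaultdict(lambda: {"hours": set(), "computers": set(),
                                    "buckets": set(), "fails": defaultdict(int)})
    for ts, user, computer, outcome in events:
        b = baseline[user]
        b["hours"].add(datetime.fromisoformat(ts).hour)
        b["computers"].add(computer)
        b["buckets"].add(hour_bucket(ts))
        if outcome == "failure":
            b["fails"][hour_bucket(ts)] += 1
    return baseline


def failure_threshold(b):
    """Mean + 3 SD of historical failures per active hour, floored at 5 so a quiet
    baseline (nearly all zeros) does not alert on a single mistyped password."""
    counts = [b["fails"].get(bucket, 0) for bucket in b["buckets"]]
    return max(5, mean(counts) + 3 * pstdev(counts))


def evaluate_hour(events, baseline):
    """Compare one hour of events per user with the baseline; return {(user, bucket): [indicators]}."""
    seen = defaultdict(lambda: {"fails": 0, "hours": set(), "computers": set()})
    for ts, user, computer, outcome in events:
        rec = seen[(user, hour_bucket(ts))]
        rec["hours"].add(datetime.fromisoformat(ts).hour)
        rec["computers"].add(computer)
        if outcome == "failure":
            rec["fails"] += 1

    alerts = {}
    for (user, bucket), rec in seen.items():
        if user not in baseline:
            continue  # nothing learned yet for this user: no comparison possible
        b = baseline[user]
        indicators = []
        if rec["fails"] > failure_threshold(b):
            indicators.append("Multiple Failed Authentications")
        if rec["hours"] - b["hours"]:          # an hour of day never seen for this user
            indicators.append("Abnormal Logon Time")
        if rec["computers"] - b["computers"]:  # a computer never seen for this user
            indicators.append("Abnormal Computer")
        if indicators:
            alerts[(user, bucket)] = indicators
    return alerts


if __name__ == "__main__":
    for key, inds in evaluate_hour(CURRENT_HOUR, build_baseline(HISTORY)).items():
        print(key, "->", ", ".join(inds))
```

The floor on the failure threshold is the part worth copying: with a baseline of mostly zeros, a pure mean-plus-three-SD rule fires on one or two failures, and an hourly alert stream built that way drowns the analyst in the legitimate noise the paragraph warns about.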

Use Case for Network Entities

UEBA can detect malicious traffic masked within a legitimate HTTPS session. Based on this alert analysis, the analyst can drill down to the indicators and determine whether the activity was normal. For more information about NetWitness UEBA-supported entity indicators, see Indicators for Network Entities. For example, the analyst can detect whether an abnormal number of bytes was sent to a port or a domain. If this type of event, or a combination of such events, is detected, an alert is triggered. For more information on the types of alerts for network entities, see Alert Types for Network Entity.
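The byte-volume check this paragraph mentions, as an added example rather than the product's own logic: bytes sent are totalled per hour, once per destination port and once per destination domain, and each total for the hour under review is compared with a robust baseline for that port or domain (median plus ten median absolute deviations, floored at three times the median). The flow summaries, domain names, sizes and constants are constructed for the example.

```python
"""Toy model of the byte-volume indicators for network entities.

Added illustration only: constructed flow summaries, not NetWitness data and not
its scoring. Record tuple: (hour bucket, destination domain, destination port, bytes sent).
"""
from collections import defaultdict
from statistics import median

# Constructed history: two weeks of ordinary outbound volume (assumed domains and sizes).
HISTORY = []
for day in range(1, 15):
    for hour in (9, 11, 14, 16):
        HISTORY.append((f"2020-05-{day:02d}T{hour:02d}", "mail.example.com", 443, 2_000_000 + 50_000 * (hour % 3)))
        HISTORY.append((f"2020-05-{day:02d}T{hour:02d}", "cdn.example.net", 443, 300_000 + 10_000 * (day % 4)))
        HISTORY.append((f"2020-05-{day:02d}T{hour:02d}", "updates.example.org", 8443, 120_000))

# Constructed hour under review.
CURRENT = [
    ("2020-05-15T10", "mail.example.com", 443, 2_100_000),       # within its usual range
    ("2020-05-15T10", "cdn.example.net", 443, 150_000_000),      # roughly 500x the usual volume for that domain
    ("2020-05-15T10", "updates.example.org", 8443, 45_000_000),  # roughly 375x the usual volume for that port
]

INDICATORS = {
    "port": "Abnormal Traffic Volume Sent to Port",
    "domain": "Abnormal Traffic Volume Sent to Domain",
}


def hourly_totals(records):
    """Bytes per hour bucket, totalled once per destination port and once per destination domain."""
    totals = {"port": defaultdict(lambda: defaultdict(int)),
              "domain": defaultdict(lambda: defaultdict(int))}
    for bucket, domain, port, nbytes in records:
        totals["port"][port][bucket] += nbytes
        totals["domain"][domain][bucket] += nbytes
    return totals


def volume_threshold(values, k=10):
    """Robust upper bound: median + k * MAD, floored at 3x the median so that a
    perfectly steady baseline (MAD == 0) still tolerates ordinary fluctuation."""
    med = median(values)
    mad = median(abs(v - med) for v in values)
    return max(med + k * mad, 3 * med)


def volume_indicators(history, current):
    """Return {(indicator, key)} for every hourly total in `current` above its key's baseline."""
    hist, cur = hourly_totals(history), hourly_totals(current)
    found = set()
    for kind, name in INDICATORS.items():
        for key, buckets in cur[kind].items():
            if key not in hist[kind]:
                continue  # no volume history for this port/domain: nothing to compare against
            limit = volume_threshold(list(hist[kind][key].values()))
            if any(total > limit for total in buckets.values()):
                found.add((name, key))
    return found


if __name__ == "__main__":
    for name, key in sorted(volume_indicators(HISTORY, CURRENT), key=str):
        print(f"{name}: {key}")
```

Median and MAD are used instead of mean and standard deviation because a single earlier large transfer in the history would otherwise inflate the baseline enough to hide the next one; the 3x-median floor covers destinations whose volume is so regular that the MAD collapses to zero.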

Alert Types

Alert Types for User

| Alert Type | Description |
| --- | --- |
| Mass Changes to Groups | An abnormal number of changes have been made to groups. Investigate which elements have been changed, and decide if the changes were legitimate or possibly the result of risky or malicious behavior. This activity is usually associated with the Multiple Group Membership Changes indicator. |
| Elevated Privileges Granted | Elevated account privileges have been delegated to a user. Attackers often use regular user accounts, granting them elevated privileges, to exploit the network. Investigate the user that received the elevated privileges, and decide if these changes were legitimate or possibly the result of risky or malicious behavior. This activity is usually associated with the Nested Member Added to Critical Enterprise Group and Member Added to Critical Enterprise Group indicators. |
| Multiple Failed Logons | In traditional password cracking attempts, the attacker tries to obtain a password through guesswork or by employing other low-tech methods to gain initial access. The attacker risks getting caught or being locked out by explicitly attempting to authenticate, but with some prior knowledge of the victim's password history may be able to authenticate successfully. Look for additional abnormal indications that the account owner is not the one attempting to access this account. This activity is usually associated with the Multiple Failed Authentications indicator. |
| User Logins to Multiple AD Sites | Domain controllers store credential password hashes for all accounts on the domain, so they are high-value targets for attackers. Domain controllers that are not stringently updated and secured are susceptible to attack and compromise, which could leave the domain vulnerable. User privileges on multiple domains could indicate that a parent domain has been compromised. Determine if user access to and from multiple sites is legitimate or is an indication of a potential compromise. This activity is usually associated with the Logged into Multiple Domains indicator. |
| User Login to Abnormal Host | Attackers often need to reacquire credentials and perform other sensitive activities, like using remote access. Tracing the access chain backwards may lead to the discovery of other computers involved in possibly risky activity. If an attacker's presence is limited to a single compromised host or to many compromised hosts, that activity can be associated with the Abnormal Computer indicator. |
| Data Exfiltration | Data exfiltration is the unauthorized copying, transfer, or retrieval of data from a computer or server. Data exfiltration is a malicious activity performed through various techniques, typically by cyber criminals over the Internet or another network. This activity can be associated with the Excessive Number of File Rename Events, Excessive Number of Files Moved from File System, and Excessive Number of Files Moved to File System indicators. |
| Mass File Rename | Ransomware is a type of malware that encrypts desktop and system files, making them inaccessible. Some ransomware, for example Locky, encrypts and renames files as part of its initial execution. Use this indication of mass file renaming to determine if your file system has been infected with ransomware. This activity can be associated with the Multiple File Rename Events indicator. |
| Snooping User | Snooping is unauthorized access to another person's or company's data. Snooping can be as simple as the casual observance of an e-mail on another's computer, or watching what someone else is typing. More sophisticated snooping uses software programs to remotely monitor activity on a computer or network device. This activity can be associated with the Multiple File Access Events, Multiple Failed File Access Events, Multiple File Open Events, and Multiple Folder Open Events indicators. |
| Multiple Logons by User | All authentication activity, malicious or not, appears as normal logons. Therefore, administrators should monitor unexpected authorized activity. The key is that attackers use these stolen credentials for unauthorized access, which may provide an opportunity for detection. When an account is being used for unusual activities, for example authenticating an unusual number of times, the account may have been compromised. This activity can be associated with the Multiple Successful Authentications indicator. |
| User Logged into Multiple Hosts | Attackers typically need to reacquire credentials periodically. This is because their keychain of stolen credentials naturally degrades over time, due to password changes and resets. Therefore, attackers frequently maintain a foothold in the compromised organization by installing backdoors and maintaining credentials from many computers in the environment. This activity can be associated with the Logged onto Multiple Computers indicator. |
| Admin Password Change | Shared long-term secrets, for example privileged account passwords, are frequently used to access anything from print servers to domain controllers. To contain attackers that seek to leverage these accounts, pay close attention to password changes by admins, and ensure they have been made by trusted parties and have no additional abnormal behavior associated with them. This activity can be associated with the Admin Password Change indicator. |
| Mass Permission Changes | Some credential theft techniques, for example Pass-the-Hash, use an iterative, two-stage process. First, an attacker obtains elevated read-write permission to privileged areas of volatile memory and file systems, which are typically accessible only to system-level processes on at least one computer. Second, the attacker attempts to increase access to other computers on the network. Investigate if abnormal permission changes have taken place on the file systems to ensure that they were not compromised by an attacker. This activity can be associated with the Multiple File Access Permission Changes, Multiple Failed File Access Permission Changes, and Abnormal File Access Permission Change indicators. |
| Abnormal AD Changes | If an attacker gains highly privileged access to an Active Directory domain or domain controller, that access can be leveraged to access, control, or even destroy the entire forest. If a single domain controller is compromised and an attacker modifies the AD database, those modifications replicate to every other domain controller in the domain and, depending on the partition in which the modifications are made, the forest as well. Investigate abnormal changes conducted by admins and non-admins in AD to determine if they represent a possible true compromise of the domain. This activity can be associated with the Abnormal Active Directory Change, Multiple Account Management Changes, Multiple User Account Management Changes, and Multiple Failed Account Management Changes indicators. |
| Sensitive User Status Changes | A domain or enterprise administrator account has the default ability to exercise control over all resources in a domain, regardless of whether it operates with malicious or benign intent. This control includes the ability to create and change accounts; read, write, or delete data; install or alter applications; and erase operating systems. Some of these activities trigger organically as part of the account's natural life cycle. Investigate these security-sensitive user account changes, and determine if the account has been compromised. This activity can be associated with the User Account Enabled, User Account Disabled, User Account Unlocked, User Account Type Changed, User Account Locked, User Password Never Expires Option Changed, User Password Changed by Non-Owner, and User Password Change indicators. |
| Abnormal File Access | Monitor for abnormal file access to prevent improper access to confidential files and theft of sensitive data. By selectively monitoring file views, modifications and deletions, you can detect possibly unauthorized changes to sensitive files, whether caused by an attack or a change management error. This activity can be associated with the Abnormal File Access Event and Multiple File Delete Events indicators. |
| Non-Standard Hours | All authentication activity, malicious or not, appears as normal logons. Therefore, administrators should monitor unexpected authorized activity. The key is that attackers use these stolen credentials for unauthorized access, which may provide an opportunity for detection. When an account is being used for unusual activities, for example authenticating an unusual number of times, the account may have been compromised. Use the indication of an abnormal activity time to determine if the account has been taken over by an external actor. This activity can be associated with the Abnormal File Access Time, Abnormal Active Directory Change Time, and Abnormal Logon Time indicators. |
| Credential Dumping | Credential dumping is the process of obtaining account login and password information, normally in the form of a hash or a clear-text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information. |
| Discovery & Reconnaissance | Discovery consists of techniques that allow the adversary to gain knowledge about the system and internal network. When attackers gain access to a new system, they must orient themselves to what they now have control of and what benefits operating from that system give to their current objective or overall goals during the intrusion. The operating system provides many native tools that aid in this post-compromise information-gathering phase. |
| PowerShell & Scripting | PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Attackers can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the Start-Process cmdlet, which can be used to run an executable, and the Invoke-Command cmdlet, which runs a command locally or on a remote computer. |
| Registry Run Keys & Start Folder | Adding an entry to the "run keys" in the Registry or to the startup folder will cause the referenced program to be executed when a user logs in. The program will be executed in the context of the user and will have the account's associated permission level. Attackers can use these configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots. Attackers may also use Masquerading to make the Registry entries look as if they are associated with legitimate programs. |

Alert Types for Network Entity

| Alert Type | Description |
| --- | --- |
| Phishing | Phishing is the fraudulent attempt to obtain sensitive information such as usernames, passwords and credit card details by disguising oneself as a trustworthy entity in an electronic communication. This activity can be associated with the Abnormal Country for SSL Subject, Abnormal Domain for JA3, Abnormal Destination Port for JA3 and Abnormal SSL Subject for JA3 indicators. |
| Data Exfiltration | Data exfiltration is the unauthorized copying, transfer, or retrieval of data from a computer or server. Data exfiltration is a malicious activity performed through various techniques, typically by cyber criminals over the Internet or another network. This activity can be associated with the Abnormal Destination Port for Source Netname and Abnormal Traffic Volume Sent from JA3 indicators. |

NetWitness UEBA Indicators

Indicators for Users

The following tables list indicators that display when a potentially malicious activity is detected for users.

Windows File Servers

| Indicator | Alert Type | Description |
| --- | --- | --- |
| Abnormal File Access Time | Non-Standard Hours | A user has accessed a file at an abnormal time. |
| Abnormal File Access Permission Change | Mass Permission Changes | A user changed multiple share permissions. |
| Abnormal File Access Event | Abnormal File Access | A user has accessed a file abnormally. |
| Multiple File Access Permission Changes | Mass Permission Changes | A user changed multiple file share permissions. |
| Multiple File Access Events | Snooping User | A user changed multiple file share permissions. |
| Multiple Failed File Access Events | Snooping User | A user failed multiple times to access a file. |
| Multiple File Open Events | Snooping User | A user opened multiple files. |
| Multiple Folder Open Events | Snooping User | A user opened multiple folders. |
| Multiple File Delete Events | Abnormal File Access | A user deleted multiple files. |
| Multiple Failed File Access Permission Changes | Mass Permission Changes | A user failed multiple attempts to change file access permissions. |

Active Directory

| Indicator | Alert Type | Description |
| --- | --- | --- |
| Abnormal Active Directory Change Time | Non-Standard Hours | A user made Active Directory changes at an abnormal time. |
| Abnormal Active Directory Object Change | Abnormal AD Changes | An abnormal change was made to an Active Directory attribute. |
| Multiple Group Membership Changes | Mass Changes to Groups | A user successfully made multiple changes to groups. |
| Multiple Active Directory Object Changes | Abnormal AD Changes | A user made multiple Active Directory changes successfully. |
| Multiple User Account Changes | Abnormal AD Changes | A user successfully made multiple sensitive Active Directory changes. |
| Multiple Failed Account Changes | Abnormal AD Changes | A user failed to make multiple Active Directory changes. |
| Admin Password Changed | Admin Password Change | An admin's password was changed. |
| User Account Enabled | Sensitive User Status Changes | A user's account was enabled. |
| User Account Disabled | Sensitive User Status Changes | A user's account was disabled. |
| User Account Unlocked | Sensitive User Status Changes | A user's account was unlocked. |
| User Account Type Changed | Sensitive User Status Changes | A user's type was changed. |
| User Account Locked | Sensitive User Status Changes | A user's account was locked. |
| User Password Reset | Sensitive User Status Changes | A user's password was reset. |
| User Password Never Expires Option Changed | Sensitive User Status Changes | A user has changed the password policy. |

Logon Activity

| Indicator | Alert Type | Description |
| --- | --- | --- |
| Abnormal Remote Computer | Abnormal Computer Access | A user has accessed an abnormal remote computer. |
| Abnormal Logon Time | Non-Standard Hours | A user logged on at an abnormal time. |
| Abnormal Computer | User Login to Abnormal Host | A user attempted to access an abnormal computer. |
| Multiple Successful Authentications | Multiple Logons by User | A user logged on multiple times. |
| Multiple Failed Authentications | Multiple Failed Logons | A user failed multiple authentication attempts. |
| Logon Attempts to Multiple Source Computers | User Logged into Multiple Hosts | A user attempted to log on from multiple computers. |

Process

| Indicator | Alert Type | Description |
| --- | --- | --- |
| Abnormal Process Created a Remote Thread in LSASS | Credential Dumping | An abnormal process created a remote thread in the LSASS process. |
| Abnormal Reconnaissance Tool Executed | Discovery & Reconnaissance | An abnormal process is executed. |
| Abnormal Process Executed a Scripting Tool | PowerShell & Scripting | An abnormal process executed a scripting tool. |
| Abnormal Process Executed a Scripting Tool | PowerShell & Scripting | An abnormal process is triggered by a scripting tool. |
| Scripting Tool Triggered an Abnormal Application | PowerShell & Scripting | An abnormal process is opened by a scripting tool. |
| Abnormal Process Created a Remote Thread in a Windows | PowerShell & Scripting | An abnormal process is injected into a known Windows process. |
| Multiple Distinct Reconnaissance Tools Executed | Discovery & Reconnaissance | Multiple reconnaissance tools are executed in an hour. |
| Multiple Reconnaissance Tool Activities Executed | Discovery & Reconnaissance | Multiple reconnaissance tool activities are executed in an hour. |
| Process Executed Multiple Times by a Reconnaissance Tool | Discovery & Reconnaissance | A reconnaissance tool executed a process multiple times. |
| User Ran an Abnormal Process to Execute a Scripting Tool | PowerShell & Scripting | An abnormal process executed a scripting tool. |
| User Ran a Scripting Tool that Triggered an Abnormal Application | PowerShell & Scripting | An abnormal scripting tool is executed for an abnormal application. |
| User Ran a Scripting Tool to Open an Abnormal Process | PowerShell & Scripting | An abnormal scripting tool is executed for an abnormal process. |

Registry

| Indicator | Alert Type | Description |
| --- | --- | --- |
| Abnormal Process Modified a Registry Key Group | Registry Run Keys | An abnormal process modified a service key registry. |
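The Process and Registry indicators above both reduce to the same question: did a process that has never been seen before act on a sensitive target? As an added example, and not NetWitness's implementation, the following learns which images have created remote threads in lsass.exe (Sysmon Event ID 8, CreateRemoteThread) or written values under the Run/RunOnce registry keys (Sysmon Event ID 13, RegistryEvent value set) from a history of constructed records, then reports first-seen actors in a newer batch as the Abnormal Process Created a Remote Thread in LSASS and Abnormal Process Modified a Registry Key Group indicators. The record layout beyond the Sysmon field names, the file paths, and the single Run-keys "key group" are assumptions made for the example.

```python
"""Toy model of the Process and Registry indicators: a first-seen actor on a sensitive target.

Added illustration only: constructed Sysmon-style records, not NetWitness data and
not its logic. Field names follow Sysmon: EventID 8 = CreateRemoteThread
(SourceImage/TargetImage), EventID 13 = RegistryEvent value set (Image/TargetObject).
"""
import re
from collections import defaultdict

# The single registry "key group" tracked here (an assumption): Run and RunOnce under HKLM or HKCU.
KEY_GROUPS = {
    "Run Keys": re.compile(r"\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN(ONCE)?\\"),
}
LSASS = "\\lsass.exe"
INDICATORS = {
    "LSASS": "Abnormal Process Created a Remote Thread in LSASS",
    "Run Keys": "Abnormal Process Modified a Registry Key Group",
}

# Constructed history (assumed paths), repeated to stand in for weeks of telemetry.
HISTORY = [
    {"EventID": 8, "SourceImage": r"C:\Windows\System32\csrss.exe", "TargetImage": r"C:\Windows\System32\lsass.exe"},
    {"EventID": 8, "SourceImage": r"C:\Windows\System32\wininit.exe", "TargetImage": r"C:\Windows\System32\lsass.exe"},
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth"},
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\VendorSetup"},
] * 10

# Constructed batch under review: one never-seen image touches both sensitive targets.
CURRENT = [
    {"EventID": 8, "SourceImage": r"C:\Windows\System32\csrss.exe", "TargetImage": r"C:\Windows\System32\lsass.exe"},
    {"EventID": 8, "SourceImage": r"C:\Users\bob\AppData\Local\Temp\unknown.exe", "TargetImage": r"C:\Windows\System32\lsass.exe"},
    {"EventID": 13, "Image": r"C:\Users\bob\AppData\Local\Temp\unknown.exe",
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\unknown"},
    {"EventID": 13, "Image": r"C:\Windows\System32\notepad.exe",
     "TargetObject": r"HKCU\Software\Microsoft\Notepad\StatusBar"},  # not a tracked key group: ignored
]


def registry_key_group(target_object):
    """Map a registry path to its key group, or None when no tracked group matches."""
    upper = target_object.upper()
    for group, pattern in KEY_GROUPS.items():
        if pattern.search(upper):
            return group
    return None


def sensitive_actions(event):
    """Yield (target, actor image) pairs for the events this model cares about."""
    if event["EventID"] == 8 and event["TargetImage"].lower().endswith(LSASS):
        yield "LSASS", event["SourceImage"]
    elif event["EventID"] == 13:
        group = registry_key_group(event["TargetObject"])
        if group:
            yield group, event["Image"]


def learn(events):
    """Baseline: the set of images previously seen acting on each sensitive target."""
    seen = defaultdict(set)
    for event in events:
        for target, actor in sensitive_actions(event):
            seen[target].add(actor.lower())  # paths compared case-insensitively, as on Windows
    return seen


def evaluate(events, baseline):
    """Return (indicator, actor) for every actor not in the baseline for its target."""
    hits = []
    for event in events:
        for target, actor in sensitive_actions(event):
            if actor.lower() not in baseline.get(target, set()):
                hits.append((INDICATORS[target], actor))
    return hits


if __name__ == "__main__":
    for indicator, actor in evaluate(CURRENT, learn(HISTORY)):
        print(f"{indicator}: {actor}")
```

Keying the baseline by target rather than by process is what keeps the check small: a handful of system images legitimately open threads in lsass.exe, so anything outside that set is worth an analyst's time, while the registry key group collapses the many concrete Run/RunOnce value paths into one target so that a new installer writing a new value name is judged by its image, not by the value it wrote.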

 

Indicators for Network Entities

The following table lists indicators that display when potentially malicious activity is detected for JA3 and SSL Subject entities.

Note: Indicators are for JA3, and in some instances the JA3 hash can be mapped to more than one client application.

| Indicator | Entity Type | Alert Type | Description |
| --- | --- | --- | --- |
| Abnormal Traffic Volume Sent from IP to SSL Subject | SSL Subject | Data Exfiltration | When an IP address in the organization sends an unexpectedly high amount of data to an SSL Subject. |
| Abnormal Traffic Volume Sent from IP to Domain | SSL Subject | Data Exfiltration | When an IP address in the organization sends an unexpectedly high amount of data to a domain and SSL Subject. |
| Abnormal Traffic Volume Sent from IP to Organization | SSL Subject | Data Exfiltration | When an IP address in the organization sends an unexpectedly high amount of data to an organization and SSL Subject. |
| Abnormal Traffic Volume Sent from IP to Port | SSL Subject | Data Exfiltration | When an IP address in the organization sends an unexpectedly high amount of data to a port and SSL Subject. |
| Abnormal Traffic Volume Sent to SSL Subject | SSL Subject | Data Exfiltration | When an unexpectedly high amount of data is sent to an SSL Subject. |
| Abnormal Traffic Volume Sent to Domain | SSL Subject | Data Exfiltration | When an unexpectedly high amount of data is sent to a domain and SSL Subject. |
| Abnormal Traffic Volume Sent to Port | SSL Subject | Data Exfiltration | When an unexpectedly high amount of data is sent to a port and SSL Subject. |
| Abnormal Traffic Volume Sent to Organization | SSL Subject | Data Exfiltration | When an unexpectedly high amount of data is sent to an organization and SSL Subject. |
| Abnormal Traffic Volume Sent from JA3 | JA3 | Data Exfiltration | When a client application sends an abnormally high amount of data. |
| High Number of IPs Use JA3 | JA3 | Phishing | When an abnormally high number of IPs use a JA3 client application. |
| Abnormal SSL Subject for Source Netname | SSL Subject and JA3 | Data Exfiltration | When a source netname contacts an abnormal SSL Subject. |
| Abnormal Domain for Source Netname | SSL Subject and JA3 | Data Exfiltration | When a source netname contacts an abnormal domain. |
| Abnormal Destination Port for Source Netname | SSL Subject and JA3 | Data Exfiltration | When a source netname contacts an abnormal destination port. |
| Abnormal Organization for Source Netname | SSL Subject and JA3 | Data Exfiltration | When a source netname contacts an abnormal organization. |
| Abnormal Country for SSL Subject | SSL Subject and JA3 | Data Exfiltration | When an SSL Subject is contacted with an abnormal destination country. |
| Abnormal Destination Port for SSL Subject | SSL Subject and JA3 | Data Exfiltration | When an SSL Subject is contacted through an abnormal destination port. |
| Abnormal Time for SSL Subject | SSL Subject and JA3 | Non-Standard Hours | When an SSL Subject is contacted at an abnormal time. |
| Abnormal Destination Port for Domain | SSL Subject and JA3 | Data Exfiltration | When a domain is accessed through an abnormal destination port. |
| Abnormal Destination Port for Organization | SSL Subject and JA3 | Data Exfiltration | When an organization is accessed through an abnormal destination port. |
| Abnormal Time for JA3 | SSL Subject and JA3 | Non-Standard Hours | When a client application is contacted at an abnormal time. |
| Abnormal JA3 for Source Netname | SSL Subject and JA3 | Phishing | When a source netname utilizes an abnormal client application. |
| Abnormal SSL Subject for JA3 | SSL Subject and JA3 | Phishing | When a client application contacts an abnormal SSL Subject. |
| Abnormal Domain for JA3 | SSL Subject and JA3 | Phishing | When a client application contacts an abnormal domain. |
| Abnormal Destination Port for JA3 | SSL Subject and JA3 | Phishing | When a client application contacts an abnormal destination port. |

Access NetWitness UEBA

Note: To access the NetWitness UEBA service and the Entities tab, you must be assigned either the UEBA_Analyst role or the Administrators role. For information about how to assign these roles, see the "How Role-Based Access Control Works" topic in the System Security and User Maintenance Guide. You must also ensure that you have proper NetWitness UEBA licensing configured. For information about NetWitness UEBA licensing, see the "User and Entity Behavior Analytics License" topic in the Licensing Management Guide.

To access NetWitness UEBA, log into NetWitness Platform and go to INVESTIGATE > ENTITIES. The Entities view, which contains all the NetWitness UEBA features, is displayed.

Figure: Users view, Overview tab

You can choose a dark or a light theme for the view. For information, see the "Choose the Appearance of NetWitness Platform" topic in the RSA NetWitness Getting Started Guide.
