UEBA: NetWitness UEBA Indicators

Document created by RSA Information Design and Development on Sep 11, 2018
Version 1Show Document
  • View in full screen mode

NetWitness UEBA Indicators

The following tables list indicators that display when potentially malicious activity is detected.

Windows File Servers

                                                          
IndicatorAlert TypeDescription
Abnormal File Access Time Non-Standard Hours A user has accessed a file at an abnormal time.
Abnormal File Access Permission Change Mass Permission Changes A user changed multiple share permissions.
Abnormal File Access Event Abnormal File AccessA user has accessed a file abnormally.
Multiple File Access Permission Changes Mass Permission Changes A user changed multiple file share permissions.
Multiple File Access Events Snooping User A user changed multiple file share permissions.
Multiple Failed File Access Events Snooping User A user failed multiple times to access a file.
Multiple File Open Events Snooping User A user opened multiple files.
Multiple Folder Open Events Snooping User A user opened multiple folders.
Multiple File Delete Events Abnormal File Access A user deleted multiple files.

Active Directory

                                                                              
IndicatorAlert TypeDescription
Abnormal Active Directory Change Time Non-Standard Hours A user made Active Directory changes at an abnormal time.
Abnormal Active Directory Change Abnormal AD Changes An abnormal change to an Active Directory attribute was made.
Multiple Group Membership Changes Mass Changes to Groups A user successfully made multiple changes to groups.
Multiple Account Management Changes Abnormal AD Changes A user successfully made multiple Active Directory changes.
Multiple User Account Management Changes Abnormal AD Changes A user successfully made multiple sensitive Active Directory changes.
Multiple Failed Account Management Changes Abnormal AD Changes A user failed to make multiple Active Directory changes.
Admin Password Changed Admin Password Change An admin's password was changed.
User Account Enabled Sensitive User Status Changes A user's account was enabled.
User Account Disabled Sensitive User Status Changes A user's account was disabled.
User Account Unlocked Sensitive User Status Changes A user's account was unlocked.
User Account Type Changed Sensitive User Status Changes A user's type was changed.
User Account Locked Sensitive User Status Changes A user's account was locked.
User Password Changed Sensitive User Status Changes A user's password was changed.

Logon Activity

                                      
IndicatorAlert TypeDescription
Abnormal Logon Time Non-Standard Hours A user logged on at an abnormal time.
Abnormal Computer User Login to Abnormal Host A user attempted to access an abnormal computer.
Multiple Successful Authentications Multiple Logons by User A user logged on multiple times.
Multiple Failed Authentications Multiple Failed Logons A user failed multiple authentication attempts.
Logged onto Multiple Computers User Logged into Multiple Hosts A user attempted to log on from multiple computers.

NetWitness UEBA Use Cases for Windows Logs

NetWitness UEBA focuses on providing advanced detection capabilities to guard enterprises from insider threats. These could either be compromised trusted users of the network, or alternatively, a malicious external attacker taking advantage of credentials acquired by using advanced account takeover techniques.

Identity theft typically begins with the theft of credentials, which are then used to obtain unauthorized access to resources and to gain control over the network. Attackers may also exploit compromised non-admin users to obtain access to resources for which they have administrative rights, and then escalate those privileges.

An attacker who uses stolen credentials may trigger suspicious network events while accessing resources. Detecting illicit credential use is possible, but requires that you separate attacker activity from the high volume of legitimate events. NetWitness UEBA helps you separate possibly malicious activity from the otherwise abnormal, but not risky, user actions.

The following use cases define certain risk types, and the corresponding system capabilities used for their detection. You can review the use cases, represented by their Alert Type and Description, to gain an initial understanding of the related risky behavior of each. Using NetWitness UEBA, you can then drill down into the Indicators that reflect the possibly risky user activities to learn more. For more information about NetWitness UEBA-supported indicators, see NetWitness UEBA Indicators.

                                                                           
Alert TypeDescription
Mass Changes to GroupsAn abnormal number of changes have been made to groups. Investigate which elements have been changed, and decide if the changes were legitimate or possibly the result of risky or malicious behavior. This activity is usually associated with the Multiple Group Membership Changes indicator.
Elevated Privileges GrantedElevated account privileges have been delegated to a user. Attackers often use regular user accounts, granting them elevated privileges, to exploit the network. Investigate the user that received the elevated privileges, and decide if these changes were legitimate or possibly the result of risky or malicious behavior. This activity is usually associated with the Nested Member Added to Critical Enterprise Group and Member Added to Critical Enterprise Group indicators.
Multiple Failed LogonsIn traditional password cracking attempts, the attacker tries to obtain a password through guesswork or by employing other low-tech methods to gain initial access. The attacker risks getting caught or being locked out by explicitly attempting to authenticate; but with some prior knowledge of the victim’s password history, may be able to successfully authenticate. Look for additional abnormal indications that the account owner is not the one attempting to access this account. This activity is usually associated with the Multiple Failed Authentications indicator.
User Logins to Multiple AD SitesDomain controllers store credential password hashes for all accounts on the domain, so they are high-value targets for attackers. Domain controllers that are not stringently updated and secured are susceptible to attack and compromise, which could leave the domain vulnerable. User privileges on multiple domains could indicate that a parent domain has been compromised. Determine if user access to and from multiple sites is legitimate or is an indication of a potential compromise. This activity is usually associated with the Logged into Multiple Domains indicator.
User Login to Abnormal HostAttackers often need to reacquire credentials and perform other sensitive activities, like using remote access. Tracing the access chain backwards may lead to the discovery of other computers involved in possibly risky activity. If an attacker’s presence is limited to a single compromised host or to many compromised hosts, that activity can be associated with the Abnormal Computer indicator.
Data ExfiltrationData exfiltration is the unauthorized copying, transfer, or retrieval of data from a computer or server. Data exfiltration is a malicious activity performed through various techniques, typically by cyber criminals over the Internet or other network. This activity can be associated with the Excessive Number of File Rename Events, Excessive Number of Files Moved from File System, and Excessive Number of Files Moved to File System indicators.
Mass File RenameRansomware is a type of malware that encrypts desktop and system files, making them inaccessible. Some ransomware, for example, “Locky”, encrypts and renames files as part of their initial execution. Use this indication of mass-file-renaming to determine if your file system has been infected with ransomware. This activity can be associated with the Multiple File Rename Events indicator.
Snooping UserSnooping is unauthorized access to another person's or company's data. Snooping can be as simple as the casual observance of an e-mail on another's computer, or watching what someone else is typing. More sophisticated snooping uses software programs to remotely monitor activity on a computer or network device. This activity can be associated with the Multiple File Access Events, Multiple Failed File Access Events, Multiple File Open Events, and Multiple Folder Open Events indicators.
Multiple Logons by UserAll authentication activity, malicious or not, appears as normal logons. Therefore, administrators should monitor unexpected authorized activity. The key is that attackers use these stolen credentials for unauthorized access, which may provide an opportunity for detection. When an account is being used for unusual activities, for example, authenticating an unusual amount of times, the account may have been compromised. This activity can be associated with the Multiple Successful Authentications indicator.
User Logged into Multiple HostsAttackers typically need to reacquire credentials periodically. This is because their keychain of stolen credentials naturally degrades over time, due to password changes and resets. Therefore, attackers frequently maintain a foothold in the compromised organization by installing backdoors and maintaining credentials from many computers in the environment. This activity can be associated with the Logged onto Multiple Computers indicator.
Admin Password ChangeShared long-term secrets, for example, privileged account passwords, are frequently used to access anything from print servers to domain controllers. To contain attackers that seek to leverage these accounts, pay close attention to password changes by admins, and ensure they have been made by trusted parties and have no additional abnormal behavior associated with them. This activity can be associated with the Admin Password Change indicator.
Mass Permission ChangesSome credential theft techniques, for example, Pass-the-Hash, use an iterative, two-stage process. First, an attacker obtains elevated read-write permission to privileged areas of volatile memory and file systems, which are typically accessible only to system-level processes on at least one computer. Second, the attacker attempts to increase access to other computers on the network. Investigate if abnormal permission changes have taken place on the file systems to ensure that they were not compromised by an attacker. This activity can be associated with the Multiple File Access Permission Changes, Multiple Failed File Access Permission Changes, and Abnormal File Access Permission Change indicators.
Abnormal AD ChangesIf an attacker gains highly-privileged access to an Active Directory domain or domain controller, that access can be leveraged to access, control, or even destroy the entire forest. If a single domain controller is compromised and an attacker modifies the AD database, those modifications replicate to every other domain controller in the domain, and depending on the partition in which the modifications are made, the forest as well. Investigate abnormal changes conducted by admins and non-admins in AD to determine if they represent a possible true compromise to the domain. This activity can be associated with the Abnormal Active Directory Change, Multiple Account Management Changes, Multiple User Account Management Changes, and Multiple Failed Account Management Changes indicators.
Sensitive User Status ChangesA domain or enterprise administrator account has the default ability to exercise control over all resources in a domain, regardless of whether it operates with malicious or benign intent. This control includes the ability to create and change accounts; read, write, or delete data; install or alter applications; and erase operating systems. Some of these activities trigger organically as part of the account’s natural life cycle. Investigate these security sensitive user account changes, and determine if it has been compromised. This activity can be associated with the User Account Enabled, User Account Disabled, User Account Unlocked, User Account Type Changed, User Account Locked, User Password Never Expires Option Changed, User Password Changed by Non-Owner, and User Password Change indicators.
Abnormal File AccessMonitor for abnormal file access to prevent improper access to confidential files and theft of sensitive data. By selectively monitoring file views, modifications and deletions, you can detect possibly unauthorized changes to sensitive files, whether caused by an attack or a change management error. This activity can be associated with the Abnormal File Access Event and Multiple File Delete Events indicators.
Non-Standard HoursAll authentication activity, malicious or not, appears as normal logons. Therefore, administrators should monitor unexpected authorized activity. The key is that attackers use these stolen credentials for unauthorized access, which may provide an opportunity for detection. When an account is being used for unusual activities, for example, authenticating an unusual number of times, the account may have been compromised. Use the indication of an abnormal activity time to determine if the account has been taken over by an external actor. This activity can be associated with the Abnormal File Access Time, Abnormal Active Directory Change Time, and Abnormal Logon Time indicators.
Previous Topic:Introduction
You are here
Table of Contents > NetWitness UEBA Indicators

Attachments

    Outcomes