Threat Hunting for Anomalies in Privileged Account Activity
A tell-tale sign of your network being hacked is that a privileged account, such as a system administrator account, has been compromised. Attacks of this kind can come from anyone – either a malicious insider or a computer hacker. This article will examine threat hunting for anomalies in privileged account activity including what to look for when determining whether threats have impacted your information security environment.
How Do Anomalies in Privileged Account Activity Fit into The Big Picture?
Anomalies in privileged account activity are considered an Indicator of Compromise (IoC). Indicators of Compromise are artifacts observed on an operating system or a network that indicate a possible breach or intrusion. In other words, IoCs act as intrusion breadcrumbs that Information Security professionals can follow to track down threats. The idea is that by following IoCs, threats can be detected and stopped in their earliest stages, preventing or mitigating the impending attack.
Information Security professionals often use IoCs to better analyze a malware’s behavior, patterns, and techniques. IoCs also provide actionable threat intelligence that can be shared within the greater Information Security community to improve incident response and remediation strategies for a particular piece of malware. This educates the Information Security community as a whole and frustrates the cybercriminals performing these network attacks.
Anomalies in Privileged Account Activity as an Indicator of Compromise
According to Geoff Webb, director of solution strategy for NetIQ, “Changes in the behavior of privileged users can indicate that the user account in question is being used by someone else to establish a beachhead in your network. Watching for changes — such as time of activity, systems accessed, type or volume of information accessed — will provide early indication of a breach.”
When attackers leave a breadcrumb trail in the use of privileged accounts, it is often because they have somehow gotten hold of administrator logon credentials. Another possibility is that they succeeded in hacking into a privileged account and changed the password associated with it, giving them unbridled access to all of your network’s precious data and resources.
If anomalies in privileged account activity are suspected, the first place a threat hunter would want to look is in the system logs of the targeted machines. If the targeted machine runs a Windows OS, you can find these logs in what is called Event Viewer. To pull it up, simply click on the search bar next to the Start button and search for Event Viewer. What you will end up seeing is something like this:
Where you will want to look is in the administrative, system and security events. You can find all these selections in the left-hand pane of the Event Viewer window. Here, you will find if there have been any anomalous changes made by an account with elevated privileges.
Once inside Event Viewer and the log that you think the anomalous activity resides in, there are many things you can look for. It has been said that threat hunting takes creativity and imagination because attackers could do any number of bad things on your network, so keeping an open mind and looking at events from all angles is key to a successful investigation. First, look for password changes that are out of sync with your organization’s normal password change schedule. 90 days is the period most organizations use for keeping the same password, so a change made before the 90-day period is up would be a good IoC. Other good IoCs to use include:
- Writing or deleting system files, which can be found (in part) via Event IDs 4660 and 4663
- Failed logons
- Manipulation of an unusually large number of files that contain sensitive data
- Writing to removable devices (especially if local or domain group policy is configured to prevent this)
- Access to critical files outside of regular business hours
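The hunting checks above (early password changes, Event IDs 4660/4663 outside business hours, and failed logons) can be scripted against events exported from Event Viewer. The following is an added example, not code from the article; the sample events are constructed, the privileged account list, 90-day policy date, business hours and failed-logon threshold are assumed, and it uses the standard Windows Security event IDs 4625 (failed logon), 4723 and 4724 (password change/reset attempts) alongside the two the article names.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample of Windows Security events, as if exported from Event Viewer:
# (timestamp, event id, subject account, object or detail). Not real log data.
EVENTS = [
    ("2024-03-04 09:12:00", 4663, "admin.jane", r"C:\Finance\payroll.xlsx"),
    ("2024-03-04 23:41:00", 4663, "admin.jane", r"C:\Finance\payroll.xlsx"),
    ("2024-03-04 23:43:00", 4660, "admin.jane", r"C:\Windows\System32\drivers\etc\hosts"),
    ("2024-03-05 02:10:00", 4724, "admin.jane", "target=admin.jane"),
    ("2024-03-05 08:00:00", 4625, "svc_backup", "logon failure"),
    ("2024-03-05 08:00:05", 4625, "svc_backup", "logon failure"),
    ("2024-03-05 08:00:09", 4625, "svc_backup", "logon failure"),
    ("2024-03-05 08:00:12", 4625, "svc_backup", "logon failure"),
    ("2024-03-05 10:30:00", 4723, "bob.user", "target=bob.user"),
]
# Assumed: accounts with elevated rights and the date of their last scheduled password change.
PRIVILEGED = {"admin.jane", "svc_backup"}
LAST_PASSWORD_CHANGE = {"admin.jane": datetime(2024, 2, 1), "svc_backup": datetime(2023, 12, 1)}
PASSWORD_PERIOD = timedelta(days=90)  # the 90-day rotation schedule discussed in the article
BUSINESS_HOURS = range(8, 18)         # 08:00-17:59 local time (assumed)
FAILED_LOGON_THRESHOLD = 3            # assumed burst threshold

def hunt(events, privileged=PRIVILEGED, last_change=LAST_PASSWORD_CHANGE):
    """Return a list of (account, reason) findings for privileged-account anomalies."""
    findings = []
    failed = Counter()
    for ts, event_id, account, detail in events:
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        if account not in privileged:
            continue  # this hunt only looks at elevated accounts
        if event_id in (4723, 4724):  # password change / reset attempt
            prev = last_change.get(account)
            if prev is not None and when - prev < PASSWORD_PERIOD:
                days = (when - prev).days
                findings.append((account, f"password changed {days} days into a {PASSWORD_PERIOD.days}-day cycle"))
        elif event_id in (4660, 4663):  # object deleted / object access attempt
            if when.hour not in BUSINESS_HOURS:
                findings.append((account, f"event {event_id} on {detail} at {ts} (outside business hours)"))
        elif event_id == 4625:  # failed logon, counted per account
            failed[account] += 1
    for account, count in failed.items():
        if count >= FAILED_LOGON_THRESHOLD:
            findings.append((account, f"{count} failed logons"))
    return findings

if __name__ == "__main__":
    for account, reason in hunt(EVENTS):
        print(f"[IoC] {account}: {reason}")
```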
Individual PCs are just one place you can look. Another important place to threat hunt is the organization’s Active Directory. The way the organization that I work at is set up, we have Active Directory installed on our domain controller. For the uninitiated, Active Directory is where administrators can create and manage user accounts, create and manage security groups, add or delete entire organizational units, and more. If a user has credentials that give them administrator rights, they can manipulate Active Directory however they see fit.
Before you can successfully analyze Active Directory for any anomalies from privileged accounts, you first need to enable Active Directory auditing. A good guide for enabling Active Directory auditing can be found here. Once auditing has been enabled, Active Directory will be a fertile field for hunting privileged account anomalies.