Threat Hunting for Unusual Logon Activity
What is one of the first things that you think of when thinking of potential threat activity on your network? Most would probably say that there has been some unusual login activity occurring, either on endpoint computers or systems with more sensitive data (domain controllers, databases and so forth). This article will examine threat hunting for unusual login activity and will detail what you should be looking for in your threat investigation.
Indicators of Compromise
When threat hunting, information security professions focus their search on what are called Indicators of Compromise, or IoCs. IoCs are forensic data found in system files and log entries, which identify potentially malicious network or system activity. IoCs help information security professionals detect data breaches, malware attacks or other threat activity on their systems and network.
Become a certified threat hunter
Using IoCs as the basis for threat hunting allows organizations to detect attacks and act quickly to prevent breaches from occurring or mitigate damages from an ongoing attack.
Unusual Login Activity as an Indicator of Compromise
Unusual or failed logins can provide excellent clues of network and system probing by attackers. According to Scott Pierson, product specialist for Beachhead Solutions: “If you see John in accounting logging into the system after work hours and trying to access files for which he is not authorized, this bears investigation.” This can provide a threat hunter with clues that this is not actually John, but rather an attacker trying to gain authorization with John’s credentials.
Likewise, checking for failed logins via nonexistent user accounts is sound threat-hunting practice. “Check for failed logins using accounts that don’t exist – these often indicate that someone is trying to guess a user’s account credentials to gain authorization,” says Pierson. Unusually large numbers of failed logins that do not exist is another “must look for” IoC that threat hunters should use.
Threat Hunting Specifically for Unusual Login Activity
So you now know the importance of unusual login activity as an IoC, but where should you look in your system for these clues?
System logs record all events that occur on your system. Attacks often trigger application errors which are then recorded in the system logs. For this example, login failures would trigger a log entry. With this said, system logs will be the best place to threat hunt unusual login activity.
Log files do not have a standardized structure. What this means is that if you were to threat hunt at the raw log level, the data would probably not be of much assistance. There are two main methods for making this data usable for threat hunters:
- Event Viewer
Event Viewer is the built-in method for working with this data in Windows computers. To pull up Event Viewer, click on the search bar next to the start button and search for Event Viewer. To view login attempts, you may have to enable login auditing on the domain controller and the system itself. To do that, click on the search bar next to the start button and search for Group Policy Editor with gpedit.msc.
Open gpedit.msc. Once inside Group Policy Editor, follow this path Windows Settings >> Security Settings >> Local Policy >> Audit Policy >> Audit Logon Events
Select both boxes for success and failure and then click OK.
Your system can now audit for logon attempts, both successful and failed. This should be done ideally before threats breach your system so make sure that you get this done as early as possible.
Now, go back to the search bar and type Event Viewer. Click on Event Viewer, open Windows logs and click on Security.
Here is where you will be able to see all the login activity. The event IDs that you will want to search for are Logon Success (4624), Logon Failure (4625) and Account Lockout (4740).
Logon Success should be searched for because while a successful logon in and of itself is not indicative of a threat, a massive spike in successful logon activity or activity during non-work hours should be suspect.
Login Failures should definitely be searched because the attackers may have just have a username and are trying brute-force tactics to gain entry. A large number of login failures and login failures during off hours are both red flags.
Account lockouts will occur if the attackers use the wrong password one too many times. Account lockouts should always be followed up with the user to see if the lockout was legitimate.
Using a Security Information and Event Management (SIEM) system is a great way to use system log data if you do not want to go the Event Viewer route. While system logs do not have standardized structure, SIEM uses the decomposition of unstructured loglines into fields (keys and values).
SIEM systems, such as SolarWinds Log and Event Manager (LEM), record and store all the events that occur on a network. Where you may be only looking for a few small drops of data, SIEM will give you a gallon. In LEM, this data can be found using nDepth, which is a graphical search and analysis tool that displays all events that occur on your network/system built into LEM.
The end result is a useable interface with a dashboard that threat hunters can use to track down events, including unusual login activity, quickly allowing you to take action on a near real-time basis. Keep an eye out for excessive activity and activity during off-hours, and you will have a good picture of what the threat landscape of your environment looks like.
Top 15 Indicators Of Compromise, Dark Reading
Become a certified threat hunter
What are Indicators of Compromise?, Digital Guardian