Monitoring User Privileges

Description / Kill Chain Stage
Monitoring user privileges gives the member firm oversight of its users and the ability to detect when activity tied to a user's credentials or workstation exceeds that user's privileges and violates agreed corporate policy. Rules associated with this use case can indicate rogue administrators or lateral movement, especially when combined with the rules from 4.1.
Threat type to monitor
■    Unauthorised modification of user access privileges

■    Unauthorised access to or modification of data

■    Exfiltration of information through outbound connections

Monitoring setup
■    AD

■    DNS

■    DHCP

■    Firewall

■    VPN concentrator

Events / Indicators
■    Existing admin group modification

■    Creation and deletion of new admin groups

■    Configuration changes

■    Changes to logging sources

■    Changes to log files

■    Data transport on non-standard port

■    Misuse of data transport protocol

■    Monitoring usage of ‘sudo’ account by unauthorised users

■    User added to admin group then syslog is disabled

■    System Configuration Changes By Non-Administrative User

■    Privilege Escalation Detected

■    Multi-Service Connection Attempts with Auth Failures

■    Multiple Failed Privilege Escalations by Same User

■    File Transfer Using Non Standard Port

■    Non SMTP Traffic on TCP Port 25 Containing Executable

■    Non HTTP Traffic on TCP Port 80 Containing Executable

■    Non DNS Traffic on TCP or UDP Port 53 Containing Executable

■    Sudo command executed by users after privilege escalation
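Two of the indicators above ("User added to admin group then syslog is disabled" and "Multiple Failed Privilege Escalations by Same User") implemented as correlation rules over syslog-style auth log lines. This is an added example, not part of the original wiki page; the log lines are constructed, and the privileged group names, the rsyslog stop message and the time windows are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed syslog-style auth log lines (not captured from a real system).
SAMPLE_LOG = """\
Mar 10 09:01:02 srv1 usermod[2201]: add 'alice' to group 'sudo'
Mar 10 09:01:40 srv1 systemd[1]: Stopped System Logging Service.
Mar 10 09:05:00 srv2 sudo: pam_unix(sudo:auth): authentication failure; logname=bob uid=1001 euid=0 tty=/dev/pts/0 ruser=bob rhost=  user=bob
Mar 10 09:05:07 srv2 sudo: pam_unix(sudo:auth): authentication failure; logname=bob uid=1001 euid=0 tty=/dev/pts/0 ruser=bob rhost=  user=bob
Mar 10 09:05:15 srv2 sudo: pam_unix(sudo:auth): authentication failure; logname=bob uid=1001 euid=0 tty=/dev/pts/0 ruser=bob rhost=  user=bob
Mar 10 11:30:00 srv3 usermod[3310]: add 'carol' to group 'developers'
Mar 10 11:31:00 srv3 systemd[1]: Stopped System Logging Service.
"""
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[^:\[]+)(?:\[\d+\])?: (?P<msg>.*)$")
GROUP_ADD_RE = re.compile(r"add '(?P<user>[^']+)' to group '(?P<group>[^']+)'")
SUDO_FAIL_RE = re.compile(r"sudo:auth\): authentication failure;.* user=(?P<user>\S+)")
ADMIN_GROUPS = {"sudo", "wheel", "admin"}          # assumed set of privileged groups
LOG_STOP_MARK = "Stopped System Logging Service"   # assumed rsyslog unit description

def parse(log_text, year=2024):
    """Turn syslog lines into (timestamp, host, program, message) tuples, oldest first."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["host"], m["prog"].strip(), m["msg"]))
    return sorted(events)

def admin_group_then_logging_disabled(events, window=timedelta(minutes=10)):
    """Indicator: user added to an admin group, then syslog stopped on the same host within `window`."""
    alerts = []
    for ts, host, _, msg in events:
        g = GROUP_ADD_RE.search(msg)
        if not g or g["group"] not in ADMIN_GROUPS:
            continue   # group change on a non-privileged group: not this indicator
        if any(h == host and ts < t <= ts + window and LOG_STOP_MARK in m
               for t, h, _, m in events):
            alerts.append((host, g["user"], g["group"]))
    return alerts

def multiple_failed_privilege_escalations(events, threshold=3, window=timedelta(minutes=5)):
    """Indicator: the same user fails sudo authentication `threshold` times within `window`."""
    failures = defaultdict(list)                    # (host, user) -> failure timestamps, oldest first
    for ts, host, _, msg in events:
        m = SUDO_FAIL_RE.search(msg)
        if m:
            failures[(host, m["user"])].append(ts)
    alerts = []
    for (host, user), times in failures.items():
        if any(times[i + threshold - 1] - times[i] <= window
               for i in range(len(times) - threshold + 1)):
            alerts.append((host, user, len(times)))
    return alerts
```

The srv3 lines show the negative case: a group change on a non-privileged group followed by a syslog stop does not fire the first rule.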