Privilege User Monitoring

Description

A privileged user is an employee with the kind of authority that, if abused, could cause substantial damage. Privileged users can access more of their company’s intellectual property, such as corporate data or confidential client information. They may also have the ability to circumvent or reconfigure the controls that restrict other, non-privileged users, perhaps through temporarily granted privileges. These kinds of accounts are primary targets for sophisticated, organised attackers, who may conduct targeted ‘spear-phishing’ attacks following lengthy reconnaissance activity.

Kill Chain Stage

Threat type to monitor
■    Brute-force attacks on privileged user accounts

■    Unauthorised user activity by privileged users

Monitoring setup
■    Active Directory

■    DHCP

■    DNS

■    Firewall

■    VPN concentrator

Event Indicators
■    Modification to the admin group

■    Unauthorised configuration by privileged users

■    User added to admin group then syslog is disabled

■    Windows user added to administrators group and security disabled

■    Privileged user account password change

■    Windows suspicious admin activity audit log cleared

■    Windows suspicious admin activity network share created

■    Windows suspicious admin activity shared object accessed

■    Direct login to an administrative account

■    User added to admin group, followed by a login or ‘sudo’ by the same user

■    User added to admin group then SSH is enabled

■    Account added to administrators group and removed

■    Suspicious account removal

■    Suspicious privileged user access activity

■    Unscheduled configuration changes by privileged users

■    Privilege escalation detected
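As an added illustration (not part of the original wiki page), the correlation behind three of the indicators above, run over a constructed sample of normalised Windows Security events; the simplified field names and the 30-minute correlation window are assumptions, while the event IDs are the standard Windows Security ones.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real logs): a simplified subset of the fields a
# SIEM would normalise from the Windows Security channel.
EVENTS = [
    {"ts": "2024-05-01T09:00:00", "id": 4732, "actor": "jdoe", "target": "svc_backup", "group": "Administrators"},
    {"ts": "2024-05-01T09:01:30", "id": 1102, "actor": "svc_backup", "target": "", "group": ""},
    {"ts": "2024-05-01T10:00:00", "id": 4732, "actor": "itadmin", "target": "tmp_user", "group": "Administrators"},
    {"ts": "2024-05-01T10:20:00", "id": 4733, "actor": "itadmin", "target": "tmp_user", "group": "Administrators"},
    {"ts": "2024-05-01T11:00:00", "id": 4732, "actor": "itadmin", "target": "alice", "group": "Administrators"},
    {"ts": "2024-05-01T15:00:00", "id": 4624, "actor": "alice", "target": "", "group": ""},
]

ADMIN_GROUPS = {"Administrators", "Domain Admins"}
ADD_IDS = {4728, 4732}      # member added to security-enabled global / local group
REMOVE_IDS = {4729, 4733}   # member removed from security-enabled global / local group
AUDIT_LOG_CLEARED = 1102
LOGON = 4624


def correlate(events, window=timedelta(minutes=30)):
    """Return one alert string per indicator hit: an admin-group addition followed,
    within `window`, by an audit-log clear, a removal of the same member, or a
    logon by the newly added account."""
    events = sorted(events, key=lambda e: e["ts"])  # ISO timestamps sort lexically
    alerts = []
    for i, add in enumerate(events):
        if add["id"] not in ADD_IDS or add["group"] not in ADMIN_GROUPS:
            continue
        t0 = datetime.fromisoformat(add["ts"])
        for later in events[i + 1:]:
            if datetime.fromisoformat(later["ts"]) - t0 > window:
                break  # sorted, so nothing further is inside the window
            if later["id"] == AUDIT_LOG_CLEARED:
                alerts.append(f"audit log cleared after {add['target']} added to {add['group']}")
            elif later["id"] in REMOVE_IDS and later["target"] == add["target"]:
                alerts.append(f"{add['target']} added to and removed from {add['group']}")
            elif later["id"] == LOGON and later["actor"] == add["target"]:
                alerts.append(f"{add['target']} logged on after being added to {add['group']}")
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

With the default window the logon four hours after alice's addition is not flagged; widening the window surfaces it, which is the usual tuning trade-off between missed correlations and noise.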