Non-Privileged Users taking Privileged Actions

Description

Detect users who should not be administrators taking privileged actions.


Use Case

Compliance, Insider Threat

Category

Compliance, Insider Threat, Privilege Escalation

Security Impact

Most larger organizations have strict controls to look for users carrying out privileged actions. The alternative is to not monitor this activity at all, potentially leaving you blind to new administrators appearing in your environment. Once you have built a list of privileged users, you can look for any instances of privileged activity from other accounts.

Alert Volume

High (?)

SPL Difficulty

Basic

Journey

Stage 4

MITRE ATT&CK Tactics

Privilege Escalation

MITRE ATT&CK Techniques

Valid Accounts

MITRE Threat Groups

APT18
APT28
APT3
APT32
APT33
APT39
APT41
Carbanak
Dragonfly 2.0
FIN10
FIN4
FIN5
FIN6
FIN8
Leviathan
Night Dragon
OilRig
PittyTiger
Soft Cell
Stolen Pencil
Suckfly
TEMP.Veles
Threat Group-1314
Threat Group-3390
menuPass

Kill Chain Phases

Actions on Objectives

Data Sources

Windows Security
Authentication

How to Implement

Implementation of this search depends on two key components: privileged events, and a list of which users are privileged (and which are not).

Generating the privileged events is relatively straightforward to get started with, as many TAs (technology add-ons) define privileged actions by default.

Generating a list of risky users is complicated, which is why one of the most detailed examples in Splunk Security Essentials takes this on. Check it out! (link)

Once you have these components, implementation of this detection is straightforward.

Known False Positives

The most common false-positive scenario is when the events themselves are incorrectly marked with tag=privileged. The Windows TA defines which eventtypes (basically, micro-searches that are evaluated every time you click the search button) are privileged, in a file called tags.conf. You can always tune this set of tags, though it is probably easier to just add NOT EventCode=XXXX to exclude the event IDs that you do not find valuable. If this becomes onerous, you can instead alert on the first time this occurs for a particular user or a particular system by using a first-time-seen detection.

How To Respond

When this alert fires, first analyze whether this particular event is one that you would not expect the user to be able to perform with their existing permissions. If so, analyze the groups the user is a member of, or check whether there is a local account with the same username that might be the source of these rights. Then evaluate whether this is allowable or not.

Help

Non-Privileged Users taking Privileged Actions Help

This example leverages the Simple Search Assistant. Our dataset is a list of anonymized Windows events with the EventCode and the tags (which come from the technology add-ons). The live search leverages the same dataset from the Windows TAs.

SPL for Non-Privileged Users taking Privileged Actions

Demo Data

First we bring in our basic demo dataset. In this case, a list of anonymized Windows events with the EventCode and the tags (which come from the technology add-ons). We're using a macro called Load_Sample_Log_Data to wrap around | inputlookup, just so it is cleaner for the demo data.
This line is only needed for demo data, to convert a semi-colon separated list into a multi-value field. In the live search, it's already multi-value.
Next we use a lookup with the risk scores of user accounts. In our Pulling List of Privileged User use case, we calculate what users have admin rights.
Finally, we filter for where the account is not an admin account, and the event is tagged as being privileged.

Live Data

First we bring in our dataset of Windows Security events, filtered to just those that are tagged as being privileged actions.
Next we use a lookup with the risk scores of user accounts. In our Pulling List of Privileged User use case, we calculate what users have admin rights.
Finally, we filter for where the account is not an admin account.
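The detection logic described in the Demo Data and Live Data steps above, written out in plain Python as an added example rather than Splunk Security Essentials' own SPL. It assumes a user/EventCode/tag event shape, an `is_admin`-style flag from the privileged-user lookup, and constructed sample events; the `excluded_codes` parameter mirrors the NOT EventCode=XXXX tuning from the false-positives section.

```python
"""Added example (not Splunk Security Essentials code): the page's detection
logic in plain Python, run over constructed Windows Security events.

Assumptions (not from the page): the event field names, the admin flag value
in the lookup, and the sample EventCodes used below."""

# Constructed sample events in the shape the page describes: demo data carries
# tags as a semicolon-separated string, live data as a multi-value list.
DEMO_EVENTS = [
    {"user": "alice", "EventCode": 4720, "tag": "windows;privileged"},
    {"user": "bob",   "EventCode": 4624, "tag": "windows;authentication"},
    {"user": "carol", "EventCode": 4672, "tag": "windows;privileged"},
    {"user": "dave",  "EventCode": 4738, "tag": "windows;privileged"},
]

# Constructed stand-in for the privileged-user lookup (the real list comes
# from the "Pulling List of Privileged Users" use case). 1 = admin, 0 = not.
PRIVILEGED_USERS = {"alice": 1, "bob": 0, "carol": 0, "dave": 0}


def split_tags(tag):
    """Demo-data step: turn 'a;b' into a multi-value field (a list)."""
    if isinstance(tag, list):
        return tag  # live data is already multi-value
    return [t for t in tag.split(";") if t]


def find_unexpected_privileged_actions(events, admins, excluded_codes=()):
    """Return events tagged privileged whose user is not a known admin.

    Users missing from the lookup are treated as non-admins, so they alert.
    excluded_codes removes event IDs that are tagged privileged but that
    the analyst has decided carry no value (the NOT EventCode=XXXX tuning)."""
    hits = []
    for ev in events:
        if "privileged" not in split_tags(ev["tag"]):
            continue
        if ev["EventCode"] in excluded_codes:
            continue
        if admins.get(ev["user"], 0) == 1:
            continue
        hits.append(ev)
    return hits


if __name__ == "__main__":
    for hit in find_unexpected_privileged_actions(DEMO_EVENTS, PRIVILEGED_USERS):
        print(hit["user"], hit["EventCode"])
```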

Screenshot of Demo Data