User Account

A profile representing a user, device, service, or application used to authenticate and access resources

ID: DS0002
Platforms: Azure AD, Containers, Google Workspace, IaaS, Linux, Office 365, SaaS, Windows, macOS
Collection Layers: Cloud Control Plane, Container, Host
Contributors: Center for Threat-Informed Defense (CTID)
Version: 1.1
Created: 20 October 2021
Last Modified: 07 December 2022

Data Components

User Account: User Account Authentication

An attempt by a user to gain access to a network or computing resource, often by providing credentials (ex: Windows EID 4776 or /var/log/auth.log)

User Account: User Account Authentication

An attempt by a user to gain access to a network or computing resource, often by providing credentials (ex: Windows EID 4776 or /var/log/auth.log)

Domain ID Name Detects
Enterprise T1110 Brute Force

Monitor for many failed authentication attempts across various accounts that may result from password spraying attempts. It is difficult to detect when hashes are cracked, since this is generally done outside the scope of the target network.

.001 Password Guessing

Monitor for many failed authentication attempts across various accounts that may result from password guessing attempts.[1]

.002 Password Cracking

Monitor for many failed authentication attempts across various accounts that may result from password spraying attempts. It is difficult to detect when hashes are cracked, since this is generally done outside the scope of the target network. (ex: Windows EID 4625 or 5379)

.003 Password Spraying

Monitor for many failed authentication attempts across various accounts that may result from password spraying attempts.[1]

.004 Credential Stuffing

Monitor for many failed authentication attempts across various accounts that may result from credential stuffing attempts.[1]

Enterprise T1538 Cloud Service Dashboard

Correlate other security systems with login information, such as user accounts, IP addresses, and login names.[1]

Enterprise T1212 Exploitation for Credential Access

Credential resources obtained through exploitation may be detectable in use if they are not normally used or seen.

Enterprise T1606 .002 Forge Web Credentials: SAML Tokens

Monitor for user authentication attempts, when requesting access tokens to services, that failed because of Conditional Access Policies (CAP). Some SAML tokens features, such as the location of a user, may not be as easy to claim.

Enterprise T1070 Indicator Removal

Monitor for an attempt by a user to gain access to a network or computing resource, often by providing credentials that may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware.

.003 Clear Command History

Monitor for an attempts by a user to gain access to a network or computing resource, often by providing credentials via remote terminal services, that do not have a corresponding entry in a command history file.

.005 Network Share Connection Removal

Monitoring for Windows authentication logs are also useful in determining when authenticated network shares are established and by which account, and can be used to correlate network share activity to other events to investigate potentially malicious activity.

Enterprise T1556 Modify Authentication Process

Monitor for account authentications in which MFA credentials are not provided by the user account to the authenticating entity.

.006 Multi-Factor Authentication

Monitor for account authentications in which MFA credentials are not provided by the user account to the authenticating entity.

Enterprise T1621 Multi-Factor Authentication Request Generation

Monitor user account logs for suspicious events: unusual login attempt source location, mismatch in location of login attempt and smart device receiving 2FA/MFA request prompts, and high volume of repeated login attempts, all of which may indicate user's primary credentials have been compromised minus 2FA/MFA mechanism.

Enterprise T1207 Rogue Domain Controller

Investigate usage of Kerberos Service Principal Names (SPNs), especially those associated with services (beginning with "GC/") by computers not present in the DC organizational unit (OU). The SPN associated with the Directory Replication Service (DRS) Remote Protocol interface (GUID E3514235–4B06–11D1-AB04–00C04FC2DCD2) can be set without logging.[2] A rogue DC must authenticate as a service using these two SPNs for the replication process to successfully complete.

Enterprise T1552 Unsecured Credentials

Monitor for an attempt by a user to gain access to a network or computing resource, often by providing credentials that may search compromised systems to find and obtain insecurely stored credentials.

.005 Cloud Instance Metadata API

It may be possible to detect adversary use of credentials they have obtained such as in Valid Accounts.

.007 Container API

It may be possible to detect adversary use of credentials they have obtained such as in Valid Accounts.

Enterprise T1550 Use Alternate Authentication Material

Monitor for an attempt by a user to gain access to a network or computing resource, often by providing credentials that may use alternate authentication material, such as password hashes, Kerberos tickets, and application access tokens, in order to move laterally within an environment and bypass normal system access controls.

.002 Pass the Hash

Monitor for user authentication attempts. From a classic Pass-The-Hash perspective, this technique uses a hash through the NTLMv1 / NTLMv2 protocol to authenticate against a compromised endpoint. This technique does not touch Kerberos. Therefore, NTLM LogonType 3 authentications that are not associated to a domain login and are not anonymous logins are suspicious. From an Over-Pass-The-Hash perspective, an adversary wants to exchange the hash for a Kerberos authentication ticket (TGT). One way to do this is by creating a sacrificial logon session with dummy credentials (LogonType 9) and then inject the hash into that session which triggers the Kerberos authentication process.

.003 Pass the Ticket

Audit all Kerberos authentication and credential use events and review for discrepancies. Unusual remote authentication events that correlate with other suspicious activity (such as writing and executing binaries) may indicate malicious activity.

Enterprise T1078 Valid Accounts

Monitor for an attempt by a user that may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.

.001 Default Accounts

Monitor for an attempt by a user to gain access to a network or computing resource, often by providing credentials

.002 Domain Accounts

Monitor for an attempt by a user to gain access to a network or computing resource, often by the use of domain authentication services, such as the System Security Services Daemon (sssd) on Linux

Note:

  • For Windows, Security Logs events, including Event ID 4624, can be monitored to track user login behavior.
  • For Linux, auditing frameworks that support File Integrity Monitoring (FIM), including the audit daemon (auditd), can be used to alert on changes to files that store login information. These files include: /etc/login.defs, /etc/securetty, /var/log/faillog, /var/log/lastlog, /var/log/tallylog.
  • For MacOS, auditing frameworks that support capturing information on user logins, such as OSQuery, can be used to audit user account logins and authentications.
.003 Local Accounts

Monitor for an attempt by a user to gain access to a network or computing resource, often by the use of domain authentication services, such as the System Security Services Daemon (sssd) on Linux.

Notes: For Linux, auditing frameworks such as the audit daemon (auditd) can be used to alert on changes to log files that track authentication attempts, including /var/log/secure.

.004 Cloud Accounts

Monitor the activity of cloud accounts to detect abnormal or malicious behavior, such as accessing information outside of the normal function of the account, account usage at atypical hours, or account authentication from unexpected locations or IP addresses. Service accounts should only be accessible from IP addresses from within the cloud environment.[3] For example, in Azure AD environments, consider using Identity Protection to flag risky sign-ins based on location, device compliance, and other factors.

ICS T0859 Valid Accounts

Monitor for an authentication attempt by a user that may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.

User Account: User Account Creation

Initial construction of a new account (ex: Windows EID 4720 or /etc/passwd logs)

User Account: User Account Creation

Initial construction of a new account (ex: Windows EID 4720 or /etc/passwd logs)

Domain ID Name Detects
Enterprise T1136 Create Account

Monitor for newly constructed user accounts through account audits to detect suspicious accounts that may have been created by an adversary. Collect data on account creation within a network or Windows Event ID 4720 (for when a user account is created on a Windows system and domain controller).

.001 Local Account

Monitor for newly constructed user and service accounts through account audits to detect suspicious accounts that may have been created by an adversary. Collect data on account creation within a network, a Kubernetes cluster, or Windows Event ID 4720 (for when a user account is created on a Windows system and domain controller).

.002 Domain Account

Monitor for newly constructed user accounts through account audits to detect suspicious accounts that may have been created by an adversary. Collect data on account creation within a network or Windows Event ID 4720 (for when a user account is created on a Windows system and domain controller).

.003 Cloud Account

Monitor for newly constructed user accounts through the collection of usage logs from cloud user and administrator accounts to identify unusual activity in the creation of new accounts, such as accounts that do not follow specified naming conventions or accounts created by unapproved users or sources.[4] Monitor for newly created admin accounts that go over a certain threshold of known admins.

Enterprise T1564 Hide Artifacts

Monitor for newly constructed user accounts that may attempt to hide artifacts associated with their behaviors to evade detection.

.002 Hidden Users

Monitor for newly constructed user accounts, such as userIDs under 500 on macOS, that may mask the presence of user accounts they create or modify.

User Account: User Account Deletion

Removal of an account (ex: Windows EID 4726 or /var/log access/authentication logs)

User Account: User Account Deletion

Removal of an account (ex: Windows EID 4726 or /var/log access/authentication logs)

Domain ID Name Detects
Enterprise T1531 Account Access Removal

Monitor for unexpected deletions of user accounts. Windows event logs may designate activity associated with an adversary's attempt to remove an account (ex: Event ID 4726 - A user account was deleted).

Alerting on these Event IDs may generate a high degree of false positives, so compare against baseline knowledge for how systems are typically used and correlate modification events with other indications of malicious activity where possible.

Enterprise T1070 Indicator Removal

Monitor for unexpected deletions of user accounts. Windows event logs may highlight activity associated with an adversary's attempt to remove an account (e.g., Event ID 4726 - A user account was deleted).

Alerting on these Event IDs may generate a high degree of false positives, so compare against baseline knowledge for how systems are typically used and correlate account modification events with other indications of malicious activity where possible.

.009 Clear Persistence

Monitor for unexpected deletions of user accounts. Windows event logs may highlight activity associated with an adversary's attempt to remove an account (e.g., Event ID 4726 - A user account was deleted).

Alerting on these Event IDs may generate a high degree of false positives, so compare against baseline knowledge for how systems are typically used and correlate account modification events with other indications of malicious activity where possible.

User Account: User Account Metadata

Contextual data about an account, which may include a username, user ID, environmental data, etc.

User Account: User Account Metadata

Contextual data about an account, which may include a username, user ID, environmental data, etc.

Domain ID Name Detects
Enterprise T1134 Access Token Manipulation

Monitor for contextual data about an account, which may include a username, user ID, environmental data, etc. that may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls.

.005 SID-History Injection

Examine data in user’s SID-History attributes

Enterprise T1564 Hide Artifacts

Monitor for contextual data about an account, which may include a username, user ID, environmental data that may attempt to hide artifacts associated with their behaviors to evade detection.

.002 Hidden Users

Monitor for contextual data about an account, which may include a username, user ID, environmental data that may mask the presence of user accounts they create or modify. On macOS, identify users with an userID under 500 and the Hide500Users key value in the /Library/Preferences/com.apple.loginwindow plist file set to TRUE.[5]

Enterprise T1556 .005 Modify Authentication Process: Reversible Encryption

Monitor Fine-Grained Password Policies and regularly audit user accounts and group settings.[6]

Enterprise T1201 Password Policy Discovery

Monitor for contextual data about an account that may attempt to access detailed information about the password policy used within an enterprise network or cloud environment.

User Account: User Account Modification

Changes made to an account, such as permissions and/or membership in specific groups (ex: Windows EID 4738 or /var/log access/authentication logs)

User Account: User Account Modification

Changes made to an account, such as permissions and/or membership in specific groups (ex: Windows EID 4738 or /var/log access/authentication logs)

Domain ID Name Detects
Enterprise T1548 Abuse Elevation Control Mechanism

Log cloud API calls to assume, create, or impersonate additional roles, policies, and permissions. Review uses of just-in-time access to ensure that any justifications provided are valid and only expected actions were taken.

.005 Temporary Elevated Cloud Access

Log API calls to assume, create, or impersonate additional roles, policies, and permissions. Review uses of just-in-time access to ensure that any justifications provided are valid and only expected actions were taken.

Enterprise T1531 Account Access Removal

Monitor for changes made to user accounts for unexpected modification of properties, such as passwords or status (enabled/disabled). Windows event logs may designate activity associated with an adversary's attempt to remove access to an account:Event ID 4723 - An attempt was made to change an account's passwordEvent ID 4724 - An attempt was made to reset an account's passwordEvent ID 4725 - A user account was disabled

Alerting on these Event IDs may generate a high degree of false positives, so compare against baseline knowledge for how systems are typically used and correlate modification events with other indications of malicious activity where possible.

Enterprise T1098 Account Manipulation

Monitor events for changes to account objects and/or permissions on systems and the domain, such as event IDs 4738, 4728 and 4670. Monitor for modification of accounts in correlation with other suspicious activity. Changes may occur at unusual times or from unusual systems. Especially flag events where the subject and target accounts differ or that include additional flags such as changing a password without knowledge of the old password.

Monitor for unusual permissions changes that may indicate excessively broad permissions being granted to compromised accounts.

.001 Additional Cloud Credentials

Monitor for unexpected changes to cloud user accounts, such as Azure Activity Logs highlighting malicious Service Principal and Application modifications.

Monitor for the use of API and CLI commands that add access keys or tokens to accounts, such as CreateAccessKey or GetFederationToken in AWS or service-accounts keys create in GCP. Also monitor for the usage of APIs that create or import SSH keys, particularly by unexpected users or accounts such as the root account.

.002 Additional Email Delegate Permissions

Monitor for unusual Exchange and Office 365 email account permissions changes that may indicate excessively broad permissions being granted to compromised accounts.

.003 Additional Cloud Roles

Collect usage logs from cloud administrator accounts to identify unusual activity in the assignment of roles to those accounts. Monitor for accounts assigned to admin roles that go over a certain threshold of known admins. Monitor for updates to IAM policies and roles attached to user accounts.

.005 Device Registration

Monitor user accounts for new and suspicious device associations, such as those originating from unusual sources, occurring at unusual times, or following a suspicious login.[7]

.006 Additional Container Cluster Roles

Collect usage logs from accounts to identify unusual activity in the assignment of roles to those accounts. Monitor for accounts assigned to high-privileged cluster roles that go over a certain threshold of known admins.

Enterprise T1562 Impair Defenses

Monitor for changes to account settings associated with users/tenants that may impact defensive logging capabilities, such as the Update User and Change User License events in the Azure AD audit log.[8]

.008 Disable or Modify Cloud Logs

Monitor for changes to account settings associated with users/tenants that may impact defensive logging capabilities, such as the Update User and Change User License events in the Azure AD audit log.[8]

Enterprise T1556 Modify Authentication Process

Monitor for the enrollment of devices and user accounts with alternative security settings that do not require MFA credentials for successful logon.

.006 Multi-Factor Authentication

Monitor for the enrollment of devices and user accounts with alternative security settings that do not require MFA credentials for successful logon. Monitor for attempts to disable MFA on individual user accounts.[1]

Enterprise T1528 Steal Application Access Token

Administrators should set up monitoring to trigger automatic alerts when policy criteria are met. For example, using a Cloud Access Security Broker (CASB), admins can create a "High severity app permissions" policy that generates alerts if apps request high severity permissions or send permissions requests for too many users.Security analysts can hunt for malicious apps using the tools available in their CASB, identity provider, or resource provider (depending on platform.) For example, they can filter for apps that are authorized by a small number of users, apps requesting high risk permissions, permissions incongruous with the app’s purpose, or apps with old "Last authorized" fields. A specific app can be investigated using an activity log displaying activities the app has performed, although some activities may be mis-logged as being performed by the user. App stores can be useful resources to further investigate suspicious apps.Administrators can set up a variety of logs and leverage audit tools to monitor actions that can be conducted as a result of OAuth 2.0 access. For instance, audit reports enable admins to identify privilege escalation actions such as role creations or policy modifications, which could be actions performed after initial access.

References