User Account

A profile representing a user, device, service, or application used to authenticate and access resources

ID: DS0002
Platforms: Azure AD, Containers, Google Workspace, IaaS, Linux, Office 365, SaaS, Windows, macOS
Collection Layers: Cloud Control Plane, Container, Host
Contributors: Center for Threat-Informed Defense (CTID)
Version: 1.0
Created: 20 October 2021
Last Modified: 30 March 2022

Data Components

User Account: User Account Authentication

An attempt by a user to gain access to a network or computing resource, often by providing credentials (ex: Windows EID 4625 or /var/log/auth.log)

User Account: User Account Authentication

An attempt by a user to gain access to a network or computing resource, often by providing credentials (ex: Windows EID 4625 or /var/log/auth.log)

Domain ID Name Detects
Enterprise T1110 Brute Force

Monitor for many failed authentication attempts across various accounts that may result from password spraying attempts. It is difficult to detect when hashes are cracked, since this is generally done outside the scope of the target network.

.001 Password Guessing

Monitor for many failed authentication attempts across various accounts that may result from password spraying attempts. It is difficult to detect when hashes are cracked, since this is generally done outside the scope of the target network. (ex: Windows EID 4625 or 5379)

.002 Password Cracking

Monitor for many failed authentication attempts across various accounts that may result from password spraying attempts. It is difficult to detect when hashes are cracked, since this is generally done outside the scope of the target network. (ex: Windows EID 4625 or 5379)

.003 Password Spraying

Monitor for many failed authentication attempts across various accounts that may result from password spraying attempts. It is difficult to detect when hashes are cracked, since this is generally done outside the scope of the target network. (ex: Windows EID 4625 or 5379)

.004 Credential Stuffing

Monitor for many failed authentication attempts across various accounts that may result from password spraying attempts. It is difficult to detect when hashes are cracked, since this is generally done outside the scope of the target network. (ex: Windows EID 4625 or 5379)

Enterprise T1538 Cloud Service Dashboard

Correlate other security systems with login information

Enterprise T1212 Exploitation for Credential Access

Credential resources obtained through exploitation may be detectable in use if they are not normally used or seen.

Enterprise T1606 .002 Forge Web Credentials: SAML Tokens

Monitor for user authentication attempts, when requesting access tokens to services, that failed because of Conditional Access Policies (CAP). Some SAML tokens features, such as the location of a user, may not be as easy to claim.

Enterprise T1070 Indicator Removal on Host

Monitor for an attempt by a user to gain access to a network or computing resource, often by providing credentials that may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware.

.003 Clear Command History

Monitor for an attempts by a user to gain access to a network or computing resource, often by providing credentials via remote terminal services, that do not have a corresponding entry in a command history file.

.005 Network Share Connection Removal

Monitoring for Windows authentication logs are also useful in determining when authenticated network shares are established and by which account, and can be used to correlate network share activity to other events to investigate potentially malicious activity.

ICS T0872 Indicator Removal on Host
Enterprise T1621 Multi-Factor Authentication Request Generation

Monitor user account logs for suspicious events: unusual login attempt source location, mismatch in location of login attempt and smart device receiving 2FA/MFA request prompts, and high volume of repeated login attempts, all of which may indicate user's primary credentials have been compromised minus 2FA/MFA mechanism.

Enterprise T1207 Rogue Domain Controller

Investigate usage of Kerberos Service Principal Names (SPNs), especially those associated with services (beginning with "GC/") by computers not present in the DC organizational unit (OU). The SPN associated with the Directory Replication Service (DRS) Remote Protocol interface (GUID E3514235–4B06–11D1-AB04–00C04FC2DCD2) can be set without logging.[1] A rogue DC must authenticate as a service using these two SPNs for the replication process to successfully complete.

Enterprise T1552 Unsecured Credentials

Monitor for an attempt by a user to gain access to a network or computing resource, often by providing credentials that may search compromised systems to find and obtain insecurely stored credentials.

.005 Cloud Instance Metadata API

It may be possible to detect adversary use of credentials they have obtained such as in Valid Accounts.

.007 Container API

It may be possible to detect adversary use of credentials they have obtained such as in Valid Accounts.

Enterprise T1550 Use Alternate Authentication Material

Monitor for an attempt by a user to gain access to a network or computing resource, often by providing credentials that may use alternate authentication material, such as password hashes, Kerberos tickets, and application access tokens, in order to move laterally within an environment and bypass normal system access controls.

.002 Pass the Hash

Monitor for user authentication attempts. From a classic Pass-The-Hash perspective, this technique uses a hash through the NTLMv1 / NTLMv2 protocol to authenticate against a compromised endpoint. This technique does not touch Kerberos. Therefore, NTLM LogonType 3 authentications that are not associated to a domain login and are not anonymous logins are suspicious. From an Over-Pass-The-Hash perspective, an adversary wants to exchange the hash for a Kerberos authentication ticket (TGT). One way to do this is by creating a sacrificial logon session with dummy credentials (LogonType 9) and then inject the hash into that session which triggers the Kerberos authentication process.

.003 Pass the Ticket

Audit all Kerberos authentication and credential use events and review for discrepancies. Unusual remote authentication events that correlate with other suspicious activity (such as writing and executing binaries) may indicate malicious activity.

Enterprise T1078 Valid Accounts

Monitor for an attempt by a user that may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.

.001 Default Accounts

Monitor for an attempt by a user to gain access to a network or computing resource, often by providing credentials

.002 Domain Accounts

Monitor for an attempt by a user to gain access to a network or computing resource, often by the use of domain authentication services, such as the System Security Services Daemon (sssd) on Linux

.003 Local Accounts

Monitor for an attempt by a user to gain access to a network or computing resource, often by the use of domain authentication services, such as the System Security Services Daemon (sssd) on Linux

.004 Cloud Accounts

Monitor the activity of cloud accounts to detect abnormal or malicious behavior, such as accessing information outside of the normal function of the account or account usage at atypical hours.

ICS T0859 Valid Accounts

User Account: User Account Creation

Initial construction of a new account (ex: Windows EID 4720 or /etc/passwd logs)

User Account: User Account Creation

Initial construction of a new account (ex: Windows EID 4720 or /etc/passwd logs)

Domain ID Name Detects
Enterprise T1136 Create Account

Monitor for newly constructed user accounts through account audits to detect suspicious accounts that may have been created by an adversary. Collect data on account creation within a network or Windows Event ID 4720 (for when a user account is created on a Windows system and domain controller).

.001 Local Account

Monitor for newly constructed user accounts through account audits to detect suspicious accounts that may have been created by an adversary. Collect data on account creation within a network or Windows Event ID 4720 (for when a user account is created on a Windows system and domain controller).

.002 Domain Account

Monitor for newly constructed user accounts through account audits to detect suspicious accounts that may have been created by an adversary. Collect data on account creation within a network or Windows Event ID 4720 (for when a user account is created on a Windows system and domain controller).

.003 Cloud Account

Monitor for newly constructed user accounts through the collection of usage logs from cloud user and administrator accounts to identify unusual activity in the creation of new accounts and assignment of roles to those accounts. Monitor for accounts assigned to admin roles that go over a certain threshold of known admins.

Enterprise T1564 Hide Artifacts

Monitor for newly constructed user accounts that may attempt to hide artifacts associated with their behaviors to evade detection.

.002 Hidden Users

Monitor for newly constructed user accounts, such as userIDs under 500 on macOS, that may mask the presence of user accounts they create or modify.

User Account: User Account Deletion

Removal of an account (ex: Windows EID 4726 or /var/log access/authentication logs)

User Account: User Account Deletion

Removal of an account (ex: Windows EID 4726 or /var/log access/authentication logs)

Domain ID Name Detects
Enterprise T1531 Account Access Removal

Monitor for unexpected deletions of user accounts. Windows event logs may designate activity associated with an adversary's attempt to remove an account (ex: Event ID 4726 - A user account was deleted).

Alerting on these Event IDs may generate a high degree of false positives, so compare against baseline knowledge for how systems are typically used and correlate modification events with other indications of malicious activity where possible.

User Account: User Account Metadata

Contextual data about an account, which may include a username, user ID, environmental data, etc.

User Account: User Account Metadata

Contextual data about an account, which may include a username, user ID, environmental data, etc.

Domain ID Name Detects
Enterprise T1134 Access Token Manipulation

Monitor for contextual data about an account, which may include a username, user ID, environmental data, etc. that may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls.

.005 SID-History Injection

Examine data in user’s SID-History attributes

Enterprise T1564 Hide Artifacts

Monitor for contextual data about an account, which may include a username, user ID, environmental data that may attempt to hide artifacts associated with their behaviors to evade detection.

.002 Hidden Users

Monitor for contextual data about an account, which may include a username, user ID, environmental data that may mask the presence of user accounts they create or modify. On macOS, identify users with an userID under 500 and the Hide500Users key value in the /Library/Preferences/com.apple.loginwindow plist file set to TRUE.[2]

Enterprise T1556 .005 Modify Authentication Process: Reversible Encryption

Monitor Fine-Grained Password Policies and regularly audit user accounts and group settings.[3]

Enterprise T1201 Password Policy Discovery

Monitor for contextual data about an account that may attempt to access detailed information about the password policy used within an enterprise network or cloud environment.

User Account: User Account Modification

Changes made to an account, such as permissions and/or membership in specific groups (ex: Windows EID 4738 or /var/log access/authentication logs)

User Account: User Account Modification

Changes made to an account, such as permissions and/or membership in specific groups (ex: Windows EID 4738 or /var/log access/authentication logs)

Domain ID Name Detects
Enterprise T1531 Account Access Removal

Monitor for changes made to user accounts for unexpected modification of properties, such as passwords or status (enabled/disabled). Windows event logs may designate activity associated with an adversary's attempt to remove access to an account:Event ID 4723 - An attempt was made to change an account's passwordEvent ID 4724 - An attempt was made to reset an account's passwordEvent ID 4725 - A user account was disabled

Alerting on these Event IDs may generate a high degree of false positives, so compare against baseline knowledge for how systems are typically used and correlate modification events with other indications of malicious activity where possible.

Enterprise T1098 Account Manipulation

Monitor events for changes to account objects and/or permissions on systems and the domain, such as event IDs 4738, 4728 and 4670. Monitor for modification of accounts in correlation with other suspicious activity. Changes may occur at unusual times or from unusual systems. Especially flag events where the subject and target accounts differ or that include additional flags such as changing a password without knowledge of the old password.

Monitor for unusual permissions changes that may indicate excessively broad permissions being granted to compromised accounts.

.001 Additional Cloud Credentials

Monitor Azure Activity Logs for Service Principal and Application modifications. Monitor for the usage of APIs that create or import SSH keys, particularly by unexpected users or accounts such as the root account.

.002 Additional Email Delegate Permissions

Monitor for unusual Exchange and Office 365 email account permissions changes that may indicate excessively broad permissions being granted to compromised accounts.

.003 Additional Cloud Roles

Collect usage logs from cloud administrator accounts to identify unusual activity in the assignment of roles to those accounts. Monitor for accounts assigned to admin roles that go over a certain threshold of known admins.

.005 Device Registration

Monitor user accounts for new and suspicious device associations, such as those originating from unusual sources, occurring at unusual times, or following a suspicious login.[4]

Enterprise T1528 Steal Application Access Token

Administrators should set up monitoring to trigger automatic alerts when policy criteria are met. For example, using a Cloud Access Security Broker (CASB), admins can create a "High severity app permissions" policy that generates alerts if apps request high severity permissions or send permissions requests for too many users.Security analysts can hunt for malicious apps using the tools available in their CASB, identity provider, or resource provider (depending on platform.) For example, they can filter for apps that are authorized by a small number of users, apps requesting high risk permissions, permissions incongruous with the app’s purpose, or apps with old "Last authorized" fields. A specific app can be investigated using an activity log displaying activities the app has performed, although some activities may be mis-logged as being performed by the user. App stores can be useful resources to further investigate suspicious apps.Administrators can set up a variety of logs and leverage audit tools to monitor actions that can be conducted as a result of OAuth 2.0 access. For instance, audit reports enable admins to identify privilege escalation actions such as role creations or policy modifications, which could be actions performed after initial access.

References