Unauthorized Change Indicators
- An attacker may try to change how a device or application behaves in order to exploit a vulnerability or open a new vector from which to launch an attack
- e.g., open a port, start a service, add a directory exclusion to scanning (antivirus/EDR) software
- Unauthorized changes can also be made to hardware, not just software
Unauthorized Privileges
- Privilege Escalation
- regular user exploits a vulnerability to gain administrator or root-level privileges
Auditing Account Usage
- Active Directory accounts are used on many networks to log on to Windows workstations, servers, and other infrastructure using Single Sign-On (SSO)
- monitor authentication and authorization systems because they provide valuable insight regarding access controls in the environment
- Unauthorized sessions
- When accounts access devices or services they are not authorized to access
- e.g., a user with limited privileges should not be able to log on to a Domain Controller
- a sign of privilege escalation (or of a compromised credential)
- Failed logons
- Repeated, rapid failures for a single account are suspicious (password guessing / brute force)
- especially for administrator and root accounts
- New accounts
- An attacker may create new accounts to enable easy access
- Only a few individuals should be authorized to create new accounts
- should be closely monitored
- Guest account usage
- Guest accounts should be disabled
- an enabled guest account lets an attacker get onto the domain without having to steal or crack a credential
- Off-hours usage
- account usage after hours may indicate an attacker attempting to access the environment while little or no staff are at work
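As an added example (not code from the original notes), the indicators above written as detection logic over a constructed set of sample events in Python. A real deployment would pull the records from the Security log (e.g., with Get-WinEvent) rather than from an inline list. The event IDs follow the Windows Security log (4624 logon, 4625 failed logon, 4720 account created), but the record layout, the hostnames and usernames, the failure threshold and the 08:00 to 18:00 business-hours window are assumptions.

```python
"""Detection checks for the account-usage indicators listed above.

Added example, not from the original notes. Events are a constructed,
simplified form of Windows Security log records; field names, thresholds,
hostnames and usernames are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real log data). 2024-03-04 is a Monday.
EVENTS = [
    {"time": "2024-03-04T09:00:05", "id": 4624, "user": "alice", "host": "WS01", "by": None},
    {"time": "2024-03-04T09:01:10", "id": 4625, "user": "Administrator", "host": "DC01", "by": None},
    {"time": "2024-03-04T09:01:12", "id": 4625, "user": "Administrator", "host": "DC01", "by": None},
    {"time": "2024-03-04T09:01:15", "id": 4625, "user": "Administrator", "host": "DC01", "by": None},
    {"time": "2024-03-04T09:01:20", "id": 4625, "user": "Administrator", "host": "DC01", "by": None},
    {"time": "2024-03-04T09:01:25", "id": 4625, "user": "Administrator", "host": "DC01", "by": None},
    {"time": "2024-03-04T09:01:31", "id": 4625, "user": "Administrator", "host": "DC01", "by": None},
    {"time": "2024-03-04T09:30:00", "id": 4624, "user": "admin.jane", "host": "DC01", "by": None},
    {"time": "2024-03-04T10:15:00", "id": 4625, "user": "bob", "host": "WS02", "by": None},
    {"time": "2024-03-04T10:30:00", "id": 4720, "user": "svc-backup2", "host": "DC01", "by": "bob"},
    {"time": "2024-03-04T11:00:00", "id": 4720, "user": "carol", "host": "DC01", "by": "admin.jane"},
    {"time": "2024-03-04T12:00:00", "id": 4624, "user": "Guest", "host": "WS03", "by": None},
    {"time": "2024-03-04T14:00:00", "id": 4624, "user": "bob", "host": "DC01", "by": None},
    {"time": "2024-03-04T23:45:00", "id": 4624, "user": "alice", "host": "WS01", "by": None},
    {"time": "2024-03-03T10:00:00", "id": 4624, "user": "alice", "host": "WS01", "by": None},
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def rapid_failures(events, threshold=5, window=timedelta(minutes=2)):
    """Failed logons: {account: max failures inside any `window`} for
    accounts that reach `threshold` failures within the window."""
    per_user = defaultdict(list)
    for e in events:
        if e["id"] == 4625:
            per_user[e["user"].lower()].append(_ts(e))
    flagged = {}
    for user, times in per_user.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):          # sliding window over sorted times
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[user] = best
    return flagged


def unauthorized_account_creation(events, authorized_creators):
    """New accounts: (creator, new account) for 4720 events raised by anyone
    outside the small set allowed to create accounts."""
    return [(e["by"], e["user"]) for e in events
            if e["id"] == 4720 and e["by"].lower() not in authorized_creators]


def guest_usage(events):
    """Guest account usage: any successful logon by the Guest account."""
    return [e for e in events if e["id"] == 4624 and e["user"].lower() == "guest"]


def off_hours_logons(events, start_hour=8, end_hour=18):
    """Off-hours usage: successful logons at the weekend or outside
    [start_hour, end_hour) on a weekday (window is an assumption)."""
    hits = []
    for e in events:
        if e["id"] != 4624:
            continue
        t = _ts(e)
        if t.weekday() >= 5 or not (start_hour <= t.hour < end_hour):
            hits.append(e)
    return hits


def unauthorized_sessions(events, sensitive_hosts, allowed_users):
    """Unauthorized sessions: successful logons to sensitive hosts (e.g. a
    Domain Controller) by accounts not in the allowed set."""
    return [e for e in events if e["id"] == 4624 and e["host"] in sensitive_hosts
            and e["user"].lower() not in allowed_users]


def run_checks(events):
    """Run every check and return a summary dict (assumed authorized sets)."""
    return {
        "rapid_failures": rapid_failures(events),
        "unauthorized_account_creation": unauthorized_account_creation(events, {"admin.jane"}),
        "guest_usage": [e["time"] for e in guest_usage(events)],
        "off_hours_logons": [(e["time"], e["user"]) for e in off_hours_logons(events)],
        "unauthorized_sessions": [(e["time"], e["user"], e["host"])
                                  for e in unauthorized_sessions(events, {"DC01"}, {"admin.jane"})],
    }


if __name__ == "__main__":
    for name, result in run_checks(EVENTS).items():
        print(f"{name}: {result}")
```

Each check is deliberately independent so a single noisy signal (a user mistyping a password once, as bob does above) does not trip the failed-logon rule; only the burst of failures against the Administrator account within the window does.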
Abnormal Behavior
- monitor changes to:
- system policies (especially security policies)
- Microsoft provides tools (e.g., Policy Analyzer in the Security Compliance Toolkit) to identify where a policy deviates from an established configuration baseline
- privileges
- privilege changes can be
- tracked using the audit log
- or analyzed using tools like Sysinternals AccessChk and AccessEnum
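An added example (not code from the original notes) of the baseline comparison that underlies both the Unauthorized Change Indicators above (a newly opened port, a started service, a scanner exclusion) and the policy-deviation check in this section: two constructed host snapshots are diffed and every difference is reported with a category and severity. The snapshot layout, the setting names and the sample values are assumptions; in practice the snapshots would be collected from the host (listening sockets, service state, scanner exclusions, exported security policy).

```python
"""Configuration-drift check: current host snapshot vs. approved baseline.

Added example, not from the original notes. Snapshot structure, setting
names and values are assumptions for illustration.
"""

# Constructed baseline snapshot (the approved configuration).
BASELINE = {
    "listening_ports": {22, 443},
    "services": {"sshd": "enabled", "nginx": "enabled", "telnet": "disabled"},
    "scan_exclusions": set(),
    "security_policy": {"PasswordComplexity": 1, "MinimumPasswordLength": 14, "LockoutBadCount": 5},
}

# Constructed current snapshot: a port opened, a service started, an exclusion
# added to the scanner and a security-policy setting weakened.
CURRENT = {
    "listening_ports": {22, 443, 4444},
    "services": {"sshd": "enabled", "nginx": "enabled", "telnet": "enabled"},
    "scan_exclusions": {"C:\\Users\\Public\\tools"},
    "security_policy": {"PasswordComplexity": 0, "MinimumPasswordLength": 14, "LockoutBadCount": 5},
}


def diff_sets(baseline, current):
    """Return (added, removed) as sorted lists, for set-valued items."""
    return sorted(current - baseline), sorted(baseline - current)


def diff_maps(baseline, current):
    """Return {key: (baseline_value, current_value)} for keys whose value
    changed, appeared or disappeared; keys are visited in sorted order so the
    output is stable."""
    changes = {}
    for key in sorted(set(baseline) | set(current)):
        b, c = baseline.get(key), current.get(key)
        if b != c:
            changes[key] = (b, c)
    return changes


def find_drift(baseline, current):
    """Compare `current` to `baseline` and return a list of
    (severity, category, detail) findings. Severities are an assumed triage
    scheme: anything that widens exposure (new port, service turned on,
    scanner exclusion, policy change) is high."""
    findings = []

    opened, closed = diff_sets(baseline["listening_ports"], current["listening_ports"])
    findings += [("high", "port_opened", str(p)) for p in opened]
    findings += [("low", "port_closed", str(p)) for p in closed]

    for svc, (b, c) in diff_maps(baseline["services"], current["services"]).items():
        sev = "high" if c == "enabled" else "medium"
        findings.append((sev, "service_changed", f"{svc}: {b} -> {c}"))

    added, removed = diff_sets(baseline["scan_exclusions"], current["scan_exclusions"])
    findings += [("high", "scan_exclusion_added", x) for x in added]
    findings += [("low", "scan_exclusion_removed", x) for x in removed]

    for key, (b, c) in diff_maps(baseline["security_policy"], current["security_policy"]).items():
        findings.append(("high", "policy_changed", f"{key}: {b} -> {c}"))

    return findings


def has_high_severity(findings):
    """True if any finding is high severity (the 'page the on-call' condition)."""
    return any(sev == "high" for sev, _, _ in findings)


if __name__ == "__main__":
    for sev, category, detail in find_drift(BASELINE, CURRENT):
        print(f"[{sev:6}] {category}: {detail}")
```

The comparison is driven entirely by the baseline, so the same routine reports a reverted change (port closed, exclusion removed) at low severity rather than ignoring it; drift in either direction is still a change nobody approved.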