Chat now with support
Chat with Support

Change Auditor Threat Detection 7.0.4 - User Guide

How to perform an alert investigation

The alert investigation allows you to select existing alerts and indicators for investigation. When investigating a user or an alert for a specific user, you will also see details such as their photo, display name and logon name, email, job title, address, manager and a link to their email address, department, and office.

From the Alerts tab, there are a few options available to start an investigation:

Common functions

There are many common functions that are used throughout the dashboard. Two of these are listed here for reference:

The Search User tool is located on the upper right corner of the dashboard. Using the tool, you can easily access alert investigations, and instantly drill down into their past behaviors.

If there is a user that you want to follow, you can add them to the list of watched users. You can quickly access the watched users from the Overview pane or by clicking the Watched icon in the All Users pane.

To start watching a user, click Watch Profile from their alert overview. To stop watching a user, click Stop Watching. You can also select to add more than one user by selecting Add all to Watchlist from the Users tab.

 

Alert and indicator reference

 

Alert types

The following table defines the alerts that can be detected and the related risky behavior.

Table 1.  

Mass Changes to Critical Enterprise Groups

Details: An abnormal number of changes made to critical enterprise groups. For details see, Change Auditor for Active Directory Event Reference Guide (Members Added to Critical Enterprise Group event). These groups often manage and control high-value IT assets. If these assets are compromised, attackers can escalate privileges and exploit them to establish persistent control over the domain.

Action to take: Investigate which elements have been changed, and decide if the changes are legitimate or possibly the result of risky or malicious behavior.

Associated indicators: This activity is usually associated with the Multiple Member Additions to Enterprise Critical Groups indicator.

Mass Changes to Groups

Details: An abnormal number of changes made to groups.

Action to take: Investigate which elements are changed, and decide if the changes are legitimate or possibly the result of risky or malicious behavior.

Associated indicators: This activity is usually associated with the Multiple Group Membership Changes indicator.

Elevated Privileges Granted

Details: Elevated account privileges are delegated to a user. Attackers often use regular user accounts, granting them elevated privileges, to exploit the network.

Action to take: Investigate the user that received the elevated privileges, and decide if these changes are legitimate or possibly the result of risky or malicious behavior.

Associated indicators: This activity is usually associated with the Nested Member Added to Critical Enterprise Group and Member Added to Critical Enterprise Group indicators.

Brute Force Authentication

Details: In traditional password cracking attempts, attackers try to obtain a password through guesswork or by employing other low-tech methods to gain initial access. The attacker risks getting caught or being locked out by explicitly attempting to authenticate; but with some prior knowledge of the victim’s password history, may be able to successfully authenticate.

Action to take: Look for additional abnormal indications that the account owner is not the one attempting to access this account.

Associated indicators: This activity is usually associated with the Multiple Failed Authentications indicator.

User Logons to Multiple Domains

Details: Domain controllers store credential password hashes for all accounts on the domain, so they are high-value targets for attackers. Domain controllers that are not stringently updated and secured are susceptible to attack and compromise, which could leave the domain and forest vulnerable. User privileges on multiple domains could indicate that a parent domain has been compromised.

Action to take: Determine if user access to and from multiple sites is legitimate or is an indication of a potential compromise.

Associated indicators: This activity is usually associated with the Logged into Multiple Domains indicator.

User Logon to Abnormal Remote Host

Details: Attackers often need to acquire credentials and perform other sensitive activities, like using remote access.

Action to take: Tracing the access chain backwards may lead to the discovery of other computers involved in possibly risky activity.

Associated indicators: If an attacker’s presence is limited to a single compromised host or to many compromised hosts, that activity can be associated with the Abnormal Remote Computer and Abnormal Computer indicators.

User Logon to Abnormal Host

Details: Attackers often need to acquire credentials and perform other sensitive functions.

Action to take: Tracing the access chain backwards may lead to the discovery of other computers involved in possibly risky activity.

Associated indicators: If an attacker’s presence is limited to a single compromised host or to many compromised hosts, that activity can be associated with the Abnormal Remote Computer and Abnormal Computer indicators.

Data Exfiltration

Details: Data exfiltration is the unauthorized copying, transfer, or retrieval of data from a computer or server. Data exfiltration is a malicious activity performed through various techniques, typically by cybercriminals over the Internet or other network.

Associated indicators: This activity can be associated with the Excessive Number of File Rename Events, Excessive Number of Files Moved from File System, and Excessive Number of Files Moved to File System indicators.

Mass File Rename

Details: Ransomware is malware that encrypts desktop and system files, making them inaccessible. Some ransomware, for example, “Locky”, encrypt and rename files as part of their initial execution.

Action to take: Use the indication of mass-file-renaming to determine if your file system has been infected with Ransomware.

Associated indicators: This activity can be associated with the Multiple File Rename Events indicator.

Snooping User

Details: Snooping is unauthorized access to another person's or company's data. Sophisticated snooping uses software programs to remotely monitor activity on a computer or network device.

Associated indicators: This activity can be associated with the Multiple File Access Events, Multiple Failed File Access Events, Multiple File Open Events, and Multiple Folder Open Events indicators.

Multiple Logons by User

Details: All authentication activity, malicious or not, appears as normal logons. Therefore, administrators should monitor unexpected “authorized” activity. The key is that attackers use stolen credentials for unauthorized access, which may provide an opportunity for detection.

When an account is being used for unusual activities, such as authenticating an unusual amount of times, then the account may have been compromised.

Associated indicators: This activity can be associated with the Multiple Successful Authentications indicator.

User Logons to Multiple Hosts

Details: Attackers typically need to reacquire credentials periodically. This is because their keychain of stolen credentials naturally degrades over time, due to password changes and resets.

Attackers frequently maintain a foothold in the compromised organization by installing backdoors and maintaining credentials from many computers in the environment.

Associated indicators: This activity can be associated with the Logged onto Multiple Computers indicator.

Admin Password Change

Details: Shared long-term secrets, such as privileged account passwords, are frequently used to access anything from print servers to domain controllers.

Action to take: To contain attackers, that seek to leverage these accounts, pay close attention to password changes by admins, and ensure they have been made by trusted parties and have no additional abnormal behavior associated with them.

Associated indicators: This activity can be associated with the Admin Password Change indicator.

Mass Permission Changes

Details: Some credential theft techniques, such as Pass-the-Hash, use an iterative, two-stage process. First, an attacker obtains elevated read/write permission to privileged areas of volatile memory and file systems, which are typically accessible only to system-level processes on at least one computer. Second, the attacker attempts to increase access to other computers on the network.

Action to take: Investigate if abnormal permission changes have taken place on the file systems to ensure that they were not compromised by an attacker.

Associated indicators: This activity can be associated with the Multiple File Access Permission Changes, Multiple Failed File Access Permission Changes, and Abnormal File Access Permission Change indicators.

Abnormal AD Changes

Details: If an attacker gains highly privileged access to an Active Directory domain or domain controller, that access can be leveraged to access, control, or even destroy the entire forest. If a single domain controller is compromised and an attacker modifies the Active Directory database, those modifications replicate to every other domain controller in the domain and, depending on the partition in which the modifications are made, the forest as well.

Action to take: Investigate abnormal changes conducted by administrators and non-administrators in Active Directory to determine if they represent a possible true compromise to the domain.

Associated indicators: This activity can be associated with the Abnormal Active Directory Change, Multiple Account Management Changes, Multiple User Account Management Changes, and Multiple Failed Account Management Changes indicators.

Abnormal Site Access

Details: An Active Directory site can be defined as a physical location or network. It can be separate building, separate city, or even in separate country. In an Active Directory infrastructure setup, the domain represents the logical topology while sites and subnets represent the physical topology. Access from abnormal sites could indicate an account is used by users across multiple geographies, and possibly indicate the account has been hijacked.

Action to take: Determine if user access to and from multiple sites is legitimate or is an indication of a potential compromise.

Associated indicators: This activity can be associated with the Abnormal Site Access and Logon Attempts from Multiple AD Sites indicators.

Sensitive User Status Changes

Details: A domain or enterprise administrator account has the default ability to exercise control over all resources in a domain, regardless of whether it operates with malicious or benign intent. This control includes the ability to create and change accounts; read, write, or delete data; install or alter applications; and erase operating systems. Some of these activities trigger organically as part of the account’s natural life cycle.

Action to take: Investigate these security sensitive user account changes, and determine if it has been compromised.

Associated indicators: This activity can be associated with the User Account Enabled, User Account Disabled, User Account Unlocked, User Account Type Changed, User Account Locked, User Password Never Expires Option Changed, User Password Changed by Non-Owner, and User Password Change indicators.

Abnormal File Access

Action to take: Monitor for abnormal file access to prevent improper access to confidential files and theft of sensitive data.

By selectively monitoring file views, modifications and deletions, you can detect possibly unauthorized changes to sensitive files, whether caused by an attack or a change management error.

Associated indicators: This activity can be associated with the Abnormal File Access Event and Multiple File Delete Events indicators.

Non-Standard Hours

Details: All authentication activity, malicious or not, appears as normal logons. Therefore, administrators should monitor unexpected “authorized” activity. The key is that attackers use these stolen credentials for unauthorized access, which may provide an opportunity for detection.

When an account is being used for unusual activities, e.g. authenticating at non-standard time, then the account may have been compromised.

Action to take: Use the indication of an abnormal activity time to determine if the account has been taken over by an external actor.

Associated indicators: This activity can be associated with the Abnormal File Access Time, Abnormal Active Directory Change Time, and Abnormal Logon Time indicators.

Related Documents