
How to Hunt for Credential Misuse with a SIEM

Dan Crossley
Jan 9, 2021


Credential misuse is a risky but common practice, such as when someone uses their domain credentials to run a service or a script. This is risky because if a bad guy gets hold of the script, they also get the credentials stored in it.

Like what happened to this Russian Bank:

Yet this is common because it is often an easy way to get things working. It is also worth noting that a red team or penetration testers will be looking for this kind of thing too. The same goes for running Windows services as Administrator: while it’s an easy way to get things working, bad guys can leverage it for privilege escalation.

What this boils down to is a user exposing the organisation to needless risk. This article describes how to find out whether this is happening in your environment.

How do we know when this is happening?

A SIEM (Security Information and Event Management) tool can hunt for instances of this. We will use LogRhythm SIEM as an example.

Start by doing a basic search for all logs classified as Authentication Success or Authentication Failure:

Figure 1. Searching for authentication logs in LogRhythm

Run this over the past 3 or 4 hours and see what you get. You may want to use a longer or shorter window depending on your log volumes.

Start by looking at the Classification widget, which denotes a count of logs by category:

Figure 2. Count of authentication logs by category

Look for Failed Authentication Patterns

We can look for instances of credential misuse where a password has expired: a script or service still using the old password keeps retrying and generates a steady stream of failures.

To do this in LogRhythm, filter by Authentication Failure and look at the User (Origin) chart, which breaks the logins down by user. You may see a large count of failed authentications for a single user account. This immediately indicates a problem: it could be an account whose password has expired but which is still attempting to log in.

If you see this, you want to take a closer look at why that user account is failing so many times. It could be an instance of credential misuse. Either question the user or take a closer look at what is running on the host.

Look for Successful Authentication Patterns

If there is nothing obvious, move on to look at the successful authentications. Filter by double-clicking on Authentication Success, and again check the User (Origin) field. You can also filter out computer or service accounts (those that end with a $). To do this in LogRhythm, use the following Lucene filter in the dashboard:

originUser:* AND NOT originUser:*$

You may now have something that looks like this (albeit with many more usernames):

Figure 3. Count of successful authentications by user

This is where things start to get interesting. You may find large counts of successful authentication events for each user. This can be completely normal. Windows generates a large number of authentication events.

A good next step is to review the Windows Event ID counts. In LogRhythm you can use the MPE Rule Name widget to see counts of logs by Windows Event ID. You may also need to filter on the Windows Security log source type:

Figure 3. Counts of logs by Windows Event ID

Here you may find a large count of Windows Event ID 4776 (authentication via NTLM) which could be normal for your environment. Microsoft deprecated NTLM for user authentication, but there are still many applications that use this protocol.

Another one you may see is Windows Event ID 4624 Type 3 (network logon). These could be when a user opens a document from a file share. You may also see large counts of EVID 4768 or 4769 Kerberos authentication events.

Let the hunt begin

We are now looking for something abnormal when compared to our normal user behaviour. For example, one user account which has a higher count of authentication logs than any other user could be abnormal.

So if you are seeing many EVID 4776 events, look at the associated usernames and the source hosts. Do the same for EVID 4624. Compare the counts of these logs and source hosts to those of other users: is it normal? Adjust the search timeframe as necessary.
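The steps above (count failures per user, count successes per user with computer accounts filtered out, break the counts down by Event ID and source host, and compare each user against the rest) can be reproduced outside the SIEM on exported events. The following is an added example, not code from the article or from LogRhythm: the event field names, the usernames, hosts and counts are all constructed for illustration, and the outlier rule (more than three times the median of the other users) is this example's own assumption.

```python
from collections import Counter, defaultdict
import statistics


def ev(event_id, user, host, outcome, logon_type=None):
    """One normalised Windows Security event (field names are this example's own)."""
    return {"event_id": event_id, "user": user, "host": host,
            "outcome": outcome, "logon_type": logon_type}


# Constructed sample: a few hours of authentication logs from a small domain.
SAMPLE_EVENTS = (
    [ev(4624, "alice", "WS01", "success", 2)]            # interactive logon
    + [ev(4624, "alice", "FS01", "success", 3)] * 3      # opening files on a share
    + [ev(4768, "alice", "DC01", "success")]             # Kerberos TGT request
    + [ev(4624, "bob", "WS02", "success", 2)]
    + [ev(4769, "bob", "DC01", "success")] * 2           # Kerberos service tickets
    + [ev(4776, "jsmith", "APP01", "failure")] * 9       # NTLM failures: expired password?
    + [ev(4776, "mjones", "APP02", "success")] * 15      # NTLM, all from one app server
    + [ev(4624, "WS01$", "DC01", "success", 3)] * 40     # computer-account noise
)


def filter_user_accounts(events):
    """Equivalent of the Lucene filter originUser:* AND NOT originUser:*$ :
    keep events that have a user, drop computer/service accounts ending in '$'."""
    return [e for e in events if e["user"] and not e["user"].endswith("$")]


def failed_auth_by_user(events):
    """Failed authentications per user (the User (Origin) chart for failures)."""
    return Counter(e["user"] for e in filter_user_accounts(events)
                   if e["outcome"] == "failure")


def success_by_user(events):
    """Successful authentications per user, computer accounts excluded."""
    return Counter(e["user"] for e in filter_user_accounts(events)
                   if e["outcome"] == "success")


def success_by_user_and_event(events):
    """Per-user breakdown by Event ID, like the Event ID widget split by user."""
    counts = defaultdict(Counter)
    for e in filter_user_accounts(events):
        if e["outcome"] == "success":
            counts[e["user"]][e["event_id"]] += 1
    return counts


def hosts_for_user(events, user):
    """Hosts a user's authentications come from; a single non-workstation host is a clue."""
    return sorted({e["host"] for e in events if e["user"] == user})


def outlier_users(counts, factor=3.0):
    """Users whose count exceeds `factor` times the median of all the other users."""
    flagged = []
    for user, n in counts.items():
        others = [c for u, c in counts.items() if u != user]
        if others and n > factor * statistics.median(others):
            flagged.append(user)
    return sorted(flagged)


if __name__ == "__main__":
    print("failed by user:", dict(failed_auth_by_user(SAMPLE_EVENTS)))
    successes = success_by_user(SAMPLE_EVENTS)
    print("success by user:", dict(successes))
    for user in outlier_users(successes):
        by_event = dict(success_by_user_and_event(SAMPLE_EVENTS)[user])
        print(f"outlier {user}: {by_event} from {hosts_for_user(SAMPLE_EVENTS, user)}")
```

On the constructed sample, jsmith shows up in the failure chart with nine NTLM failures, and mjones is flagged as an outlier because all fifteen of their successes are EVID 4776 from one application server. Both are exactly the prompts the article describes: question the user, or look at what is running on that host.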

Figure 4. Counts of logs by username, host, and Windows Event ID

Frequency of occurrences

Remember that we are looking for user credentials misuse in a script or application. This means looking for repeating patterns that are indicative of automated mechanisms.

A good way of doing this is by using a trend graph, which shows a count of logs over time. If one user stands out, filter your data on that user, then look at the trend pattern of their authentication events. The example below shows what a ‘normal’ trend pattern of user authentication looks like:

Figure 5. A normal pattern of user authentication events

The example below shows a pattern of authentication logs that indicates an automated mechanism. This could definitely be an instance of credential misuse. If this is a user account, you definitely want to take a closer look at the host in question:

Figure 6. An abnormal pattern of user authentication events

So there you have it. Remember that there are many vagaries when it comes to Windows event logging. This means that a large number of authentication events for a user could be normal. This could happen if someone leaves a workstation locked or an RDP session open. But it’s always worth checking.
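The trend-graph judgement above (evenly spaced authentications look like a timer, bursts with gaps look like a person) can be turned into a simple check on a user's event timestamps. This is an added example, not part of the article: the two timestamp series are constructed, and the regularity measure (coefficient of variation of the gaps between consecutive events, with a threshold of 0.2 and a minimum of 10 events) is this example's own assumption, chosen to be simple rather than authoritative.

```python
from collections import Counter
from datetime import datetime, timedelta
import statistics

# Constructed timestamps of successful authentication events for two user accounts.
START = datetime(2021, 1, 9, 8, 0)

# A script on a server re-authenticating every 5 minutes for 4 hours (48 events).
AUTOMATED = [START + timedelta(minutes=5 * i) for i in range(48)]

# A person logging on, opening file shares, and coming back after breaks.
HUMAN = [START + timedelta(minutes=m)
         for m in (0, 3, 47, 52, 55, 130, 131, 190, 250, 251)]


def inter_event_gaps(timestamps):
    """Seconds between consecutive events, in time order."""
    ordered = sorted(timestamps)
    return [(b - a).total_seconds() for a, b in zip(ordered, ordered[1:])]


def gap_regularity(timestamps):
    """Coefficient of variation (stdev / mean) of the inter-event gaps.
    Near 0 means evenly spaced events, the signature of a timer or a loop.
    Returns None when there are too few events to judge."""
    gaps = inter_event_gaps(timestamps)
    if len(gaps) < 2 or statistics.mean(gaps) == 0:
        return None
    return statistics.stdev(gaps) / statistics.mean(gaps)


def looks_automated(timestamps, min_events=10, max_cv=0.2):
    """Flag a series that is both busy and evenly spaced (thresholds are assumptions)."""
    cv = gap_regularity(timestamps)
    return len(timestamps) >= min_events and cv is not None and cv <= max_cv


def hourly_trend(timestamps):
    """Count of events per hour: the numbers behind a SIEM trend graph."""
    return Counter(ts.strftime("%Y-%m-%d %H:00") for ts in timestamps)


if __name__ == "__main__":
    for name, series in (("automated", AUTOMATED), ("human", HUMAN)):
        print(f"{name}: regularity={gap_regularity(series):.2f} "
              f"automated={looks_automated(series)}")
        for hour, n in sorted(hourly_trend(series).items()):
            print("  ", hour, "#" * n)   # a text-mode trend graph
```

The flag is a prompt to look at the host, not a verdict: as noted above, a locked workstation or an open RDP session can also produce a steady stream of authentication events, so the regular series still needs the source host and Event ID checked before calling it credential misuse.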

Conclusion

This article provides two methods for hunting for credential misuse with a SIEM, based on analysing failed and successful authentication trends.
