Identity Intelligence - Auth Event Breakdown

Overview

Introduction

The Identity Intelligence – Authentication Events Breakdown document provides a comprehensive understanding of the Identity Intelligence features in Carbon Black Enterprise EDR and Carbon Black XDR. The document explains why exposing the authentication event IDs helps SOC Analysts gain a more complete picture of the attacker's activities on a system, which in turn helps them identify the attack's scope, determine the attacker's goals, and develop effective response strategies.

Audience

This document is intended for Security/IT administrators, product evaluators, architects, developers, and other stakeholders. It provides information about the Identity Intelligence feature of Carbon Black Enterprise EDR and Carbon Black XDR and how it can be used in an organization.

Overview

By correlating authentication events with process events and network connections, SOC Analysts can gain a more complete picture of the attacker's activities on a system. This can help them to identify the attack's scope, determine the attacker's goals, and develop effective response strategies.

Identity Intelligence provides visibility to user-centric events that are indicative of malicious activity and correlates this user data with process and network connection visibility.

Identity Intelligence in Carbon Black XDR gives insight into the activity of user accounts for context, correlation, and analysis: insights such as logon and logoff events, account changes, privilege escalation, and how local and domain accounts are being used on the network.

While these activities can be benign, they can also indicate malicious behaviour, such as credential theft, brute-force attacks, password spraying, account lockouts, and other suspicious activity that may indicate an attempted or successful compromise of a system.

VMware Carbon Black XDR goes beyond the endpoint to see more and stop more.

Identity Intelligence Benefits

Identity Intelligence gives insight into the activity of user accounts for context, correlation, and analysis, providing visibility into user-centric events that are indicative of malicious activity.

Identifying compromised accounts

SOC Analysts can determine whether a user's account has been used maliciously by monitoring for repeated logons when the user is not present, unsuccessful logon attempts, and account lockouts. These are all indicators that an account may be compromised.

Identifying suspicious logon/logoff activity

SOC Analysts can detect suspicious logon/logoff activity, such as repeated logon/logoff attempts from the same user account, logoffs that occur immediately after logons, or logon/logoff attempts from unusual or unauthorized sources.

Detecting lateral movement

If an attacker gains access to a system, they may attempt to move laterally within the network by using valid user credentials or newly created privileges on an account.

Identifying unauthorized access attempts

Failed logon attempts could also indicate attempts to gain unauthorized access to a system or network. SOC Analysts can investigate further to determine whether the logon attempts are legitimate or malicious.

Detecting anomalies

If there are unusual or unexpected logoff events occurring on a system, it could be an indication of malicious activity. For example, an attacker may be attempting to cover their tracks by logging off after performing malicious actions.

Identifying privilege escalation attempts

Attackers often try to escalate their privileges on a system to gain access to sensitive data or perform malicious actions. SOC Analysts can detect attempts to start privileged services that could be indicative of a privilege escalation attempt.

Detecting malicious service creation

Attackers may create malicious services to maintain persistence on a compromised system. SOC Analysts can detect the creation of new services and investigate whether they are legitimate or malicious.

Identifying suspicious behaviour

SOC Analysts can identify suspicious behaviour, such as repeated requests to start privileged services from the same user account or requests to start privileged services at unusual times or from unauthorized sources.

Identifying brute-force and password spraying attacks

Repeated failed logon attempts could be an indication of brute-force or password-spraying attacks, where an attacker tries multiple password combinations to gain access to a system. SOC Analysts can detect and investigate such attacks.

Identifying insider threats

If a user's account is repeatedly locked out due to failed logon attempts, it could also be an indication of insider threats or intentional sabotage. SOC Analysts can investigate further to determine whether the lockout events are due to intentional or accidental actions by the user.

Event ID Breakdown

Below is a chart of the Windows Security Log events, with their descriptions, that are collected by the CBC Windows Sensor and processed and stored by the CBC Backend:

Windows Event ID   Description
4624               An account was successfully logged on
4625               An account failed to log on
4634               The account was logged off
4647               User initiated logoff
4672               Special privileges assigned to new logon (administrator equivalent)
4740               A user account was locked out

Event ID 4624

Event ID 4624 in Windows Security Logs is generated whenever a user successfully logs on to a Windows system.

Why is it important?

Identifying suspicious logon activity: By monitoring Event ID 4624, SOC Analysts can detect suspicious logon activity, such as repeated logon attempts from the same user account, or logon attempts from unusual or unauthorized sources.

Detecting lateral movement: If an attacker gains access to a system, they may attempt to move laterally within the network by using valid user credentials. By monitoring Event ID 4624, SOC Analysts can detect such lateral movement attempts and take appropriate action to stop the attacker.

Event ID to MITRE ATT&CK mapping:

Tactic: Initial Access

Technique: T1078 - Valid Accounts: Event ID 4624 can be used to track valid user accounts that have logged into a system, which can help identify if an attacker has used a legitimate account for initial access.

Tactic: Execution

Technique: T1059 - Command and Scripting Interpreter: Event ID 4624 can help to track the use of command-line interfaces and scripts by logged-in users.

Tactic: Persistence

Technique: T1078 - Valid Accounts: Event ID 4624 can be used to track the creation of new user accounts, which can indicate a persistence mechanism.

Tactic: Privilege Escalation

Technique: T1078 - Valid Accounts: Event ID 4624 can help track privileged user accounts, which could be used to escalate privileges.

Tactic: Defense Evasion

Technique: T1070 - Indicator Removal on Host: Attackers may attempt to delete event logs to evade detection. Monitoring Event ID 4624 can help detect such attempts.

Tactic: Discovery

Technique: T1087 - Account Discovery: Event ID 4624 can help track valid user accounts, which can be used for account discovery.

Tactic: Lateral Movement

Technique: T1078 - Valid Accounts: Event ID 4624 can help track valid user accounts, which can be used for lateral movement.

Event ID 4625

Event ID 4625 in Windows Security Logs is generated when a user's logon attempt fails.

Why is it important?

Identifying brute-force attacks: Failed logon attempts could be an indication of a brute-force attack, where an attacker tries multiple password combinations to gain access to a system. By monitoring Event ID 4625, SOC Analysts can detect and investigate such attacks.

Identifying unauthorized access attempts: Failed logon attempts could also indicate attempts to gain unauthorized access to a system or network. SOC Analysts can investigate further to determine whether the logon attempts are legitimate or malicious.

Event ID to MITRE ATT&CK mapping:

Tactic: Credential Access

Technique: T1110 - Brute Force: Event ID 4625 can help track failed logon attempts, which can be an indicator of brute force attacks against user accounts to gain access to credentials.

Tactic: Initial Access

Technique: T1078 - Valid Accounts: Event ID 4625 can help identify failed logon attempts with valid credentials, which can indicate an attacker's attempt to gain initial access using compromised credentials.

Tactic: Defense Evasion

Technique: T1036 - Masquerading: Attackers may use valid user credentials to avoid detection. Event ID 4625 can help identify such attempts by tracking failed logon attempts with valid credentials.

Tactic: Discovery

Technique: T1087 - Account Discovery: Event ID 4625 can help track failed logon attempts for multiple user accounts, which can indicate an attacker's attempt to discover valid user accounts on a system.

Tactic: Lateral Movement

Technique: T1078 - Valid Accounts: Event ID 4625 can help track failed logon attempts with valid credentials, which can indicate an attacker's attempt to move laterally across a network.
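The distinction the page draws for Event ID 4625 between brute force (many failures against one account) and password spraying (a few failures each against many accounts) can be made mechanically by grouping failures per source address. The following is an added example, not code from the document or from Carbon Black; the event records, field names (TargetUserName, IpAddress, as Windows names them), thresholds and timestamps are all constructed here, and a 4740 lockout for the same account is used to corroborate a brute-force finding.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Security events, reduced to the fields the logic needs.
SAMPLE_EVENTS = [
    # brute force: one source hammers one account
    *[{"EventID": 4625, "TargetUserName": "jdoe", "IpAddress": "10.0.0.5",
       "Time": f"2023-03-06T09:00:{s:02d}"} for s in range(12)],
    # password spraying: one source, one attempt each against many accounts
    *[{"EventID": 4625, "TargetUserName": f"user{n}", "IpAddress": "10.0.0.9",
       "Time": f"2023-03-06T09:05:{n:02d}"} for n in range(8)],
    # benign: a single mistyped password from a workstation
    {"EventID": 4625, "TargetUserName": "asmith", "IpAddress": "10.0.0.20",
     "Time": "2023-03-06T09:10:00"},
    # lockout that confirms the brute force above
    {"EventID": 4740, "TargetUserName": "jdoe", "IpAddress": "10.0.0.5",
     "Time": "2023-03-06T09:00:11"},
]


def classify_failed_logons(events, window=timedelta(minutes=5),
                           brute_threshold=10, spray_threshold=5):
    """Group 4625 events by source and flag brute force (many failures
    against one account) or password spraying (few failures each against
    many accounts). Returns a dict of findings keyed by source address."""
    by_source = defaultdict(list)
    for ev in events:
        if ev["EventID"] == 4625:
            by_source[ev["IpAddress"]].append(
                (datetime.fromisoformat(ev["Time"]), ev["TargetUserName"]))
    locked = {ev["TargetUserName"] for ev in events if ev["EventID"] == 4740}
    findings = {}
    for src, attempts in by_source.items():
        attempts.sort()
        # only failures within `window` of the most recent one are counted
        recent = [(t, u) for t, u in attempts if attempts[-1][0] - t <= window]
        per_account = defaultdict(int)
        for _, user in recent:
            per_account[user] += 1
        for user, n in per_account.items():
            if n >= brute_threshold:
                findings[src] = {"type": "brute_force", "account": user,
                                 "failures": n, "locked_out": user in locked}
        # spraying: many accounts touched, none of them past the brute threshold
        if (len(per_account) >= spray_threshold
                and max(per_account.values()) < brute_threshold):
            findings[src] = {"type": "password_spray",
                             "accounts": sorted(per_account),
                             "failures": len(recent)}
    return findings
```

Thresholds are deliberately conservative placeholders; tune them against the lockout policy and the normal failure rate of the environment.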

Event ID 4634

The Event ID 4634 in Windows Security Logs indicates that a user logged off from the system.

Why is it important?

Detecting anomalies: If there are unusual or unexpected logoff events occurring on a system, it could be an indication of malicious activity. For example, an attacker may be attempting to cover their tracks by logging off after performing malicious actions.

Event ID to MITRE ATT&CK mapping:

Tactic: Defense Evasion

Technique: T1070 - Indicator Removal on Host: Event ID 4634 can be used to track logoff events, which can help detect attempts to evade detection by deleting logon session logs.

Tactic: Privilege Escalation

Technique: T1134 - Access Token Manipulation: Event ID 4634 can be used to track logoff events that occur after access token manipulation, which can indicate attempts to escalate privileges.

Tactic: Persistence

Technique: T1078 - Valid Accounts: Event ID 4634 can be used to track the creation of new user accounts or modification of existing user accounts, which can indicate persistence mechanisms.

Tactic: Discovery

Technique: T1087 - Account Discovery: Event ID 4634 can be used to track user accounts that are no longer in use, which can help identify unused or stale accounts that can be exploited by attackers.

Tactic: Collection

Technique: T1005 - Data from Removable Media: Event ID 4634 can be used to track logoff events that occur when a user removes a removable media device, which can indicate attempts to collect data from the device.

Event ID 4647

Event ID 4647 in Windows Security Logs is generated whenever a user or process explicitly logs off from a Windows system.

Why is it important?

Identifying suspicious logoff activity: By monitoring Event ID 4647, SOC Analysts can detect suspicious logoff activity, such as logoffs that occur immediately after logons, repeated logoffs from the same user account, or logoffs that occur at unusual times or from unauthorized sources.

Event ID to MITRE ATT&CK mapping:

Tactic: Defense Evasion

Technique: T1070 - Indicator Removal on Host: Event ID 4647 can be used to track logoff events, which can help detect attempts to evade detection by deleting logon session logs.

Tactic: Privilege Escalation

Technique: T1134 - Access Token Manipulation: Event ID 4647 can be used to track logoff events that occur after access token manipulation, which can indicate attempts to escalate privileges.

Tactic: Persistence

Technique: T1078 - Valid Accounts: Event ID 4647 can be used to track the creation of new user accounts or modification of existing user accounts, which can indicate persistence mechanisms.

Tactic: Discovery

Technique: T1087 - Account Discovery: Event ID 4647 can be used to track user accounts that are no longer in use, which can help identify unused or stale accounts that can be exploited by attackers.

Tactic: Collection

Technique: T1005 - Data from Removable Media: Event ID 4647 can be used to track logoff events that occur when a user removes a removable media device, which can indicate attempts to collect data from the device.
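The "logoff immediately after logon" pattern described for 4634 and 4647 needs the logon and logoff events to be tied to the same session. Windows does this through the logon ID (TargetLogonId on 4624/4634/4647, SubjectLogonId on 4672), so a 4672 with the same ID also tells you the short session was an administrator-equivalent one. The following is an added example, not code from the document or from Carbon Black; the event records are constructed, with the logon ID fields collapsed to a single "LogonId" key for brevity.

```python
from datetime import datetime, timedelta

# Constructed sample: a brief privileged network logon, and a normal
# interactive working day. Logon IDs and timestamps are made up.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TargetUserName": "svc_backup", "LogonId": "0x3E7A1",
     "LogonType": 3, "IpAddress": "10.0.0.5", "Time": "2023-03-06T02:14:00"},
    {"EventID": 4672, "SubjectUserName": "svc_backup", "LogonId": "0x3E7A1",
     "Time": "2023-03-06T02:14:00"},
    {"EventID": 4634, "TargetUserName": "svc_backup", "LogonId": "0x3E7A1",
     "Time": "2023-03-06T02:14:03"},
    {"EventID": 4624, "TargetUserName": "asmith", "LogonId": "0x51C02",
     "LogonType": 2, "IpAddress": "-", "Time": "2023-03-06T08:30:00"},
    {"EventID": 4647, "TargetUserName": "asmith", "LogonId": "0x51C02",
     "Time": "2023-03-06T17:02:10"},
]


def correlate_sessions(events, short=timedelta(seconds=30)):
    """Pair each 4624 with its 4634/4647 by logon ID, mark whether a 4672
    shares that ID (privileged session) and whether the session was
    short-lived. Returns one dict per logon ID."""
    # 4672 may be written just before or just after its 4624, so collect first
    privileged_ids = {ev["LogonId"] for ev in events if ev["EventID"] == 4672}
    sessions = {}
    for ev in sorted(events, key=lambda e: e["Time"]):
        lid, t = ev["LogonId"], datetime.fromisoformat(ev["Time"])
        if ev["EventID"] == 4624:
            sessions[lid] = {"account": ev["TargetUserName"],
                             "logon_type": ev["LogonType"],
                             "source": ev["IpAddress"], "logon": t,
                             "logoff": None, "explicit_logoff": None,
                             "privileged": lid in privileged_ids}
        elif ev["EventID"] in (4634, 4647) and lid in sessions:
            sessions[lid]["logoff"] = t
            # 4647 is a user-initiated logoff; 4634 is the session being torn down
            sessions[lid]["explicit_logoff"] = ev["EventID"] == 4647
    for s in sessions.values():
        s["duration"] = None if s["logoff"] is None else s["logoff"] - s["logon"]
        s["short_lived"] = s["duration"] is not None and s["duration"] <= short
    return sessions


def suspicious_sessions(sessions):
    """Short-lived network (logon type 3) sessions that carried
    administrator-equivalent privileges: the pattern worth a closer look."""
    return [lid for lid, s in sessions.items()
            if s["short_lived"] and s["privileged"] and s["logon_type"] == 3]
```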

Event ID 4672

Event ID 4672 in Windows Security Logs is generated when a privileged service is requested to start by a user account or by a system service.

Why is it important?

Identifying privilege escalation attempts: Attackers often try to escalate their privileges on a system to gain access to sensitive data or perform malicious actions. By monitoring Event ID 4672, SOC Analysts can detect attempts to start privileged services that could be indicative of a privilege escalation attempt.

Detecting malicious service creation: Attackers may create malicious services to maintain persistence on a compromised system. By monitoring Event ID 4672, SOC Analysts can detect the creation of new services and investigate whether they are legitimate or malicious.

Identifying suspicious behavior: By monitoring Event ID 4672, SOC Analysts can identify suspicious behavior, such as repeated requests to start privileged services from the same user account or requests to start privileged services at unusual times or from unauthorized sources.

Detecting lateral movement: If an attacker gains access to a system, they may attempt to move laterally within the network by using newly created privileges on an account. By monitoring Event ID 4672, SOC Analysts can detect such lateral movement attempts and take appropriate action to stop the attacker.

Event ID to MITRE ATT&CK mapping:

Tactic: Defense Evasion

Technique: T1070 - Indicator Removal on Host: Event ID 4672 can be used to track the creation of new privileges assigned to a user account, which can help detect attempts to evade detection by assigning new privileges.

Tactic: Privilege Escalation

Technique: T1134 - Access Token Manipulation: Event ID 4672 can be used to track the creation of new privileges assigned to a user account, which can indicate attempts to escalate privileges.

Tactic: Persistence

Technique: T1078 - Valid Accounts: Event ID 4672 can be used to track the creation of new user accounts or modification of existing user accounts, which can indicate persistence mechanisms.

Tactic: Discovery

Technique: T1087 - Account Discovery: Event ID 4672 can be used to track user accounts that are no longer in use, which can help identify unused or stale accounts that can be exploited by attackers.

Tactic: Lateral Movement

Technique: T1072 - Windows Admin Shares: Event ID 4672 can be used to track the creation of new privileges assigned to a user account, which can be used to gain access to Windows admin shares and move laterally within a network.

Event ID 4740

Event ID 4740 in Windows Security Logs is generated when a user account is locked out due to too many failed logon attempts.

Why is it important?

Identifying brute-force and password spraying attacks: Repeated failed logon attempts could be an indication of brute-force or password-spraying attacks, where an attacker tries multiple password combinations to gain access to a system. By monitoring Event ID 4740, SOC Analysts can detect and investigate such attacks.

Identifying insider threats: If a user's account is repeatedly locked out due to failed logon attempts, it could also be an indication of insider threats or intentional sabotage. SOC Analysts can investigate further to determine whether the lockout events are due to intentional or accidental actions by the user.

Event ID to MITRE ATT&CK mapping:

Tactic: Defense Evasion

Technique: T1070 - Indicator Removal on Host: Event ID 4740 can be used to track user account lockouts, which can help detect attempts to evade detection by locking out accounts.

Tactic: Credential Access

Technique: T1003 - Credential Dumping: Event ID 4740 can be used to track failed logon attempts due to incorrect passwords, which can indicate attempts to guess or crack passwords.

Tactic: Discovery

Technique: T1087 - Account Discovery: Event ID 4740 can be used to track failed logon attempts, which can help identify accounts that attackers are attempting to access.

Tactic: Lateral Movement

Technique: T1072 - Windows Admin Shares: Event ID 4740 can be used to track failed logon attempts, which can be used to gain access to Windows admin shares and move laterally within a network.

Tactic: Collection

Technique: T1005 - Data from Removable Media: Event ID 4740 can be used to track failed logon attempts that occur when a user connects a removable media device, which can indicate attempts to collect data from the device.

Summary and Additional Resources

Conclusion

Monitoring authentication event IDs is essential for the SOC because they provide critical information about user activity, enabling the SOC to proactively threat hunt and detect potential threats to a system before they can cause significant harm.

To learn more about the product, please refer to our TestDrive experience.

Additional Resources

For more information about Carbon Black XDR, explore the Mastering XDR activity path. The activity path provides step-by-step guidance to help you increase your understanding of Carbon Black XDR, including articles, videos, and labs. We also have the following areas for additional documentation and support:

  • VMware Docs – Product documentation, OER guides.
  • UEX – Carbon Black User Exchange and community pages.
  • Developer Network – Details on our Open APIs, integrations, and platform SDKs.

Changelog

The following updates were made to this guide:

Date         Description of Changes
2023/03/06   Guide was published.

Feedback

Your feedback is valuable.

To comment on this paper, contact VMware Security Business Unit Technical Marketing at sbu_tech_content_feedback@vmware.com.
