Lateral movement: Account manipulation
Content in this page
- What is account manipulation?
- About the attack
- Attack flow
- Detection mechanisms
- Detect and mitigate account manipulation with Log360
What is account manipulation?
Account manipulation is one of the commonly used lateral movement techniques. In this technique, the attacker compromises an account in the victim's network, then performs various actions, such as modifying credentials and changing permissions, to lurk inside the network undetected. This helps the attacker maintain their control over the compromised account.
About the attack:
The ultimate aim of the account manipulation technique is to gain and sustain access to an account with administrative permissions. Attackers can either attempt to gain access to an account with administrative privileges or compromise an account to elevate privileges.
To execute account manipulation, adversaries try different methods, such as brute-force attacks, exploiting software vulnerabilities to gain access to user accounts, and social engineering to trick users into divulging login credentials. Such methods allow attackers to gain initial access to a user account. Once an attacker takes over a user account, they may then change the Group Policy permissions or authentication settings to obtain higher privileges.
Attack flow:
The steps of the account manipulation technique are as follows:
1. Gathering information about the target, such as the type of account they have, their email address or username, and the password policy they follow.
2. Sending a phishing email or message to the target to trick them into clicking a malicious link or giving up their credentials.
3. Attempting to guess the target's password or crack it using brute force if phishing does not work.
4. Taking over the account to perform malicious activities, like stealing sensitive information, modifying account settings, or using that account to gain further privileges.
5. Modifying the account recovery options or creating a backdoor to ensure continued access in case the attack is detected and blocked.
6. Gaining access to accounts with higher privileges or adding compromised accounts to an administrative group.
7. Deleting activity logs or modifying system settings to avoid detection.
Detection mechanism:
To detect potential account manipulation, you have to monitor users closely for any suspicious activity.
The following are some ways you can detect account manipulation:
1. Monitor privileged user accounts constantly. Look for any deviations in the behavior of privileged users to identify potential attempts at account manipulation.
2. Monitor the environment for account creation, account modification, or password reset activities. These are a few event IDs you should closely monitor:
   - Event ID 4722: This event is logged when a user or computer object is enabled or disabled.
   - Event ID 4724: This event is logged when an account's password is reset.
   - Event ID 4738: This event is logged when a user is given access to a resource, such as a file or a folder. Unauthorized access could indicate that an attacker is attempting to gain access to sensitive information.
Detect and mitigate account manipulation with Log360
Learn how to spot and mitigate account manipulation.
- Detection through correlation
- Mitigation through workflows
- Investigation through reports
Detection through correlation
In addition to the event IDs mentioned above, you can use Log360's real-time correlation engine to detect account manipulation sub-techniques instantly. The engine notifies you over email and SMS upon the occurrence of this attack technique.
One widely followed method of detecting account manipulation involves correlating and monitoring event IDs 4722, 4724, and 4738. Log360's prebuilt correlation rules are based on the MITRE ATT&CK® threat modeling framework's way of detecting account manipulation (ID T1098).
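The correlation logic the page describes (group event IDs 4722, 4724 and 4738 by the account they touch and raise an alert when several of them hit the same account within a short window, plus watching for a privileged user whose reset activity deviates from normal) can be prototyped outside a SIEM. The block below is an added example, not Log360 code or a Log360 rule export; the event records are constructed samples whose field names (EventID, TimeCreated, SubjectUserName, TargetUserName) mirror the Windows Security log but whose values are invented, and the 10-minute window and thresholds are assumptions you would tune to your environment.

```python
"""Added example (not Log360 code): correlate Windows Security events
4722 / 4724 / 4738 per target account, and flag a single actor resetting
many accounts in a burst. Sample events below are constructed, not real."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events. Field names follow the Security log; values are invented.
SAMPLE_EVENTS = [
    {"EventID": 4724, "TimeCreated": "2024-03-01T09:00:05", "SubjectUserName": "helpdesk1", "TargetUserName": "jdoe"},
    {"EventID": 4738, "TimeCreated": "2024-03-01T09:00:40", "SubjectUserName": "helpdesk1", "TargetUserName": "jdoe"},
    {"EventID": 4722, "TimeCreated": "2024-03-01T09:01:10", "SubjectUserName": "helpdesk1", "TargetUserName": "svc_backup"},
    {"EventID": 4724, "TimeCreated": "2024-03-01T09:01:20", "SubjectUserName": "helpdesk1", "TargetUserName": "svc_backup"},
    {"EventID": 4738, "TimeCreated": "2024-03-01T09:01:45", "SubjectUserName": "helpdesk1", "TargetUserName": "svc_backup"},
    {"EventID": 4624, "TimeCreated": "2024-03-01T09:02:00", "SubjectUserName": "-",         "TargetUserName": "jdoe"},
    {"EventID": 4724, "TimeCreated": "2024-03-01T14:30:00", "SubjectUserName": "helpdesk2", "TargetUserName": "asmith"},
    {"EventID": 4722, "TimeCreated": "2024-03-02T08:00:00", "SubjectUserName": "helpdesk2", "TargetUserName": "asmith"},
]

# The three IDs the page singles out; everything else (e.g. 4624 logon) is ignored.
MONITORED = {4722: "account enabled", 4724: "password reset", 4738: "account attributes changed"}


def _parsed(events, wanted):
    """Yield (time, event_id, actor, target) for events whose ID is in `wanted`."""
    for ev in events:
        if ev["EventID"] in wanted:
            yield (datetime.fromisoformat(ev["TimeCreated"]), ev["EventID"],
                   ev["SubjectUserName"], ev["TargetUserName"])


def correlate_account_manipulation(events, window=timedelta(minutes=10), min_distinct=2):
    """Per target account, slide a window over its monitored events and alert when
    at least `min_distinct` different monitored event IDs occur inside one window.
    Returns {target: {"event_ids": [...], "actors": [...], "start": iso_time}}."""
    by_target = defaultdict(list)
    for t, eid, actor, target in _parsed(events, MONITORED):
        by_target[target].append((t, eid, actor))

    alerts = {}
    for target, hits in by_target.items():
        hits.sort()  # chronological; tuples sort on time first
        for i, (t0, _, _) in enumerate(hits):
            in_window = [h for h in hits[i:] if h[0] - t0 <= window]
            ids = {h[1] for h in in_window}
            if len(ids) >= min_distinct:
                alerts[target] = {
                    "event_ids": sorted(ids),
                    "actors": sorted({h[2] for h in in_window}),
                    "start": t0.isoformat(),
                }
                break  # first qualifying window is enough for one alert
    return alerts


def reset_burst_by_actor(events, window=timedelta(minutes=10), threshold=3):
    """Behavioral check on privileged users: one actor (SubjectUserName) resetting
    passwords (4724) on `threshold` or more distinct accounts within `window`.
    Returns {actor: sorted list of targets in the first window that tripped}."""
    by_actor = defaultdict(list)
    for t, _, actor, target in _parsed(events, {4724}):
        by_actor[actor].append((t, target))

    bursts = {}
    for actor, resets in by_actor.items():
        resets.sort()
        for i, (t0, _) in enumerate(resets):
            targets = {r[1] for r in resets[i:] if r[0] - t0 <= window}
            if len(targets) >= threshold:
                bursts[actor] = sorted(targets)
                break
    return bursts


if __name__ == "__main__":
    for target, info in correlate_account_manipulation(SAMPLE_EVENTS).items():
        names = ", ".join(f"{i} ({MONITORED[i]})" for i in info["event_ids"])
        print(f"ALERT target={target} start={info['start']} actors={info['actors']} events={names}")
    for actor, targets in reset_burst_by_actor(SAMPLE_EVENTS, threshold=2).items():
        print(f"BURST actor={actor} reset {len(targets)} accounts: {targets}")
```

Running it flags `jdoe` (reset followed by an attribute change 35 seconds later) and `svc_backup` (enabled, reset and changed within a minute), while `asmith` is not flagged because the reset and the enable are almost a day apart. A SIEM correlation rule expresses the same idea declaratively; the window length and the number of distinct events needed are the knobs that trade false positives (routine help-desk work) against missed slow-moving manipulation.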
To enable the correlation rules for detecting the account manipulation technique:
1. Go to Log360 > SIEM > Correlation > Manage Rule > Create Correlation Rule.
2. Select Mitre ATT&CK TTP(S) from the drop-down in the top-left corner.
3. Under Persistence, click Account Manipulation. Select one or all of the correlation actions that are relevant to your industry and enterprise, then enable them.
Mitigation through workflows
Log360's incident management console comes with automated workflows that are triggered whenever a correlation alert occurs.
To mitigate account manipulation, you should:
- Disable the compromised user account temporarily.
- Enable multi-factor authentication to create an added layer of security.
- Implement the principle of least privilege to ensure that low-privilege accounts do not have access to critical resources.
- Segment the network to limit access to critical servers and domain controllers.
- Ensure that critical servers are configured correctly so that access over unnecessary protocols and services is restricted.
- Ensure that privileged administration accounts are not used for day-to-day activities to avoid exposure to potential adversaries.
To mitigate account manipulation automatically, you can associate workflows with the account manipulation correlation rules that you have enabled.
Additionally, you can get alerted when account manipulation occurs in your network. Check out how to set up an alert profile and trigger a workflow for detecting and mitigating account manipulation.

Investigation through reports
Log360 also provides out-of-the-box reports for any suspicious events so you can further investigate and analyze attacks.
To view these reports:
1. Go to Log360 > SIEM > Reports.
2. Select Mitre ATT&CK from the drop-down in the top-left corner.
3. Click Persistence > Account Manipulation.
4. Select the Active Directory User Backdoors, Judgement Panda Exfil Activity, and Password Change on Directory Service Restore Mode (DSRM) Account reports.