Lateral movement: Account manipulation

Account manipulation is a technique used by attackers to gain access to critical resources. In this technique, the attacker gets hold of a user account which doesn't have enough privileges to access the required resource or data, and elevates its privileges.

After gaining access to a user account, attackers manipulate it to obtain additional privileges and carry out adverse actions: they revise its Group Policy permissions, update its credentials to extend their lifetime, and change its account and authentication settings.

If the attackers compromise an administrative account, or escalate the privileges of a standard user account to perform administrative tasks, they can create new user accounts. They can then assign a set of permissions to these user accounts and use them as backdoor entry points to your network in the future.

How can you detect account manipulations in your network?

All user and system accounts in your Active Directory and cloud platforms have to be monitored constantly to spot deviant activity. Make sure you check for the following anomalies in your network to detect account manipulation:

  • Monitor privileged user account activities constantly. A sudden deviation in the behavior of a privileged user account could indicate a threat.
  • Check administrator accounts for any spike in activity. Carefully monitor your environment for account creation, modification, and password reset activities. Here are a few event IDs you can closely monitor:
    Event ID   Description
    4722       User Account Management event; logged when a user account is enabled or disabled.
    4724       An account's password was reset.
    4738       A modification was made to an account's permissions.
  • These event IDs are recorded routinely in a typical network, so look for them being generated at unusual hours. Also check whether an unused user account has suddenly been enabled and then had its permissions modified, and look out for repeated password resets of the same user account (event ID 4724 generated multiple times for one account), as these can indicate malicious activity in your network.
  • Check your Azure AD logs to ensure that a second password has not been set for a service principal, as an attacker can add a second password to keep persistent access to the platform.
  • Also, monitor your AWS logs for trusts, since AWS accounts can establish trust with each other simply by identifying another account by its name.
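The Windows event checks listed above (changes at unusual hours, a dormant account enabled and then modified, and repeated resets of one account's password) can be expressed as a small set of detection rules. The following is an added example, not code from the original article or from Log360. It runs over a constructed batch of Security event records and a hypothetical last-logon map; the business-hours window, the 30-minute reset window, the reset threshold and the 90-day dormancy cutoff are assumptions and should be tuned to your environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample Windows Security events (not captured from a real system).
# Each record keeps only the fields the rules need: timestamp, event ID,
# the account acted upon ("target") and the account performing the action ("subject").
SAMPLE_EVENTS = [
    {"time": "2024-03-04T09:12:00", "id": 4722, "target": "jdoe", "subject": "helpdesk1"},
    {"time": "2024-03-04T09:13:00", "id": 4724, "target": "jdoe", "subject": "helpdesk1"},
    {"time": "2024-03-04T02:41:00", "id": 4722, "target": "svc_backup_old", "subject": "adm_rivera"},
    {"time": "2024-03-04T02:42:00", "id": 4738, "target": "svc_backup_old", "subject": "adm_rivera"},
    {"time": "2024-03-04T14:00:00", "id": 4724, "target": "finance_shared", "subject": "adm_rivera"},
    {"time": "2024-03-04T14:03:00", "id": 4724, "target": "finance_shared", "subject": "adm_rivera"},
    {"time": "2024-03-04T14:05:00", "id": 4724, "target": "finance_shared", "subject": "adm_rivera"},
]

# Hypothetical last-logon dates, as a directory query or a logon-event feed would supply them.
LAST_LOGON = {
    "jdoe": "2024-03-01",
    "svc_backup_old": "2023-10-15",
    "finance_shared": "2024-03-03",
}

BUSINESS_HOURS = (7, 19)              # assumed working window: 07:00 to 18:59 local time
RESET_THRESHOLD = 3                   # resets of one account within RESET_WINDOW that trigger an alert
RESET_WINDOW = timedelta(minutes=30)  # assumed sliding window for repeated 4724 events
DORMANT_DAYS = 90                     # assumed cutoff after which an account counts as unused
WATCHED_IDS = {4722, 4724, 4738}      # enable/disable, password reset, account change


def parse_time(value):
    return datetime.fromisoformat(value)


def is_off_hours(ts):
    """True when the event falls outside the assumed business-hours window."""
    return not (BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1])


def is_dormant(account, last_logon, now):
    """An account that never logged on, or not within DORMANT_DAYS, is treated as unused."""
    seen = last_logon.get(account)
    if seen is None:
        return True
    return (now - parse_time(seen)).days >= DORMANT_DAYS


def detect_account_manipulation(events, last_logon, now):
    """Apply the three rules to a batch of events and return a list of alert dicts."""
    alerts = []
    resets = defaultdict(list)   # target account -> timestamps of recent 4724 events
    reset_alerted = set()        # accounts already reported for repeated resets
    reactivated = set()          # dormant accounts enabled (4722) earlier in this batch

    # ISO-8601 timestamps sort correctly as strings, so ordering by "time" is enough.
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["id"] not in WATCHED_IDS:
            continue
        ts = parse_time(ev["time"])
        target = ev["target"]

        # Rule 1: any watched account change outside business hours.
        if is_off_hours(ts):
            alerts.append({"rule": "off_hours_change", "account": target,
                           "event_id": ev["id"], "by": ev["subject"], "time": ev["time"]})

        # Rule 2: RESET_THRESHOLD or more password resets of one account inside the window.
        if ev["id"] == 4724:
            window = [t for t in resets[target] if ts - t <= RESET_WINDOW] + [ts]
            resets[target] = window
            if len(window) >= RESET_THRESHOLD and target not in reset_alerted:
                reset_alerted.add(target)
                alerts.append({"rule": "repeated_reset", "account": target,
                               "count": len(window), "by": ev["subject"], "time": ev["time"]})

        # Rule 3: an unused account is enabled and then has its settings changed.
        if ev["id"] == 4722 and is_dormant(target, last_logon, now):
            reactivated.add(target)
        elif ev["id"] == 4738 and target in reactivated:
            reactivated.discard(target)  # report each reactivation once
            alerts.append({"rule": "dormant_account_reactivated", "account": target,
                           "by": ev["subject"], "time": ev["time"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_account_manipulation(SAMPLE_EVENTS, LAST_LOGON,
                                             now=datetime(2024, 3, 4, 23, 59)):
        print(alert)
```

On the sample batch, the helpdesk reset of jdoe during the day raises nothing, while svc_backup_old is reported twice for off-hours changes and once for being reactivated after months of disuse, and finance_shared is reported once for three resets within five minutes. In a real deployment the event feed and last-logon data would come from your log collector or SIEM rather than from constants.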

How to mitigate account manipulations?

Correlate all your network logs to understand how an attacker compromises a user account, moves laterally within your network, and misuses privileged user accounts for their own benefit. Identify user and system accounts with deviant or anomalous behavior by analyzing all the collected logs.

Once such accounts are identified, reset the passwords of the compromised user accounts. Harden your authentication mechanisms by enforcing multi-factor authentication for privileged and administrative user accounts, as a security best practice. Spotting anomalies manually in a huge pile of collected logs is difficult; a security information and event management (SIEM) solution can help you detect malicious activity.

Log360 is a SIEM solution that can collect logs from all devices across your network. It correlates activities that occur in all parts of your network and generates intuitive reports. Log360 allows you to configure real-time alerts for deviant activities and notifies you via SMS and email in case of a threat or an attack. Using Log360, you can configure incident workflows as responses to threats to mitigate them at early stages.

Check out the capabilities of Log360 now.

  Zoho Corporation Pvt. Ltd. All rights reserved.