1. Introduction
2. NIST & ISO27001 Controls
    1. NIST SP 800-53 Controls
    2. ISO/IEC 27001 Controls
3. Mitre case scenario – Create or modify system process
4. Mitre case scenario – Abuse elevation control mechanism
5. Mitre Mitigations
6. Sentinel query

Introduction

Detecting anomalies in administrator accounts is something worth checking from time to time.

The Sentinel query is designed to analyse security events related to special privileges granted to user accounts within the last 30 days.

Tracking and analysing which special privileges have been assigned to user accounts, identifying potential security risks or policy violations, and correlating the results with other events is always useful.

NIST & ISO27001 Controls

NIST SP 800-53 Controls

The query supports compliance with multiple NIST SP 800-53 controls, particularly in the areas of Access Control and Audit and Accountability:

  • AC-6 (Least Privilege): Ensuring that users have only the privileges required for their roles, and monitoring those privileges, helps enforce this control.
  • AU-2 (Event Auditing): Implementing adequate auditing mechanisms that collect, monitor, and analyze events that could affect the security of the environment.
  • AU-12 (Audit Generation): The query helps generate audit records, which are necessary for tracking unauthorized access or anomalous activity related to privileged accounts.

ISO/IEC 27001 Controls

  • A.9 Access Control:
    • A.9.1.2 Access to Networks and Network Services: Monitoring and controlling access privileges ensures that access is restricted appropriately based on roles.
    • A.9.2.3 Management of Privileged Access Rights: The management of special access rights is a direct application of what the query does by identifying and analysing the use of special privileges.
  • A.12 Operations Security:
    • A.12.4 Logging and Monitoring: The deployment of logging and monitoring mechanisms to record user activities, exceptions, faults, and information security events is essential for an effective ISMS.
    • A.12.7 Information Systems Audit Considerations: The audit logs produced by this type of query can be crucial for audits that require examination of administrative activities and privileged operations.


Mitre case scenario – Create or modify system process

Create or Modify System Process –

Adversaries may create or modify system-level processes to repeatedly execute malicious payloads as part of persistence. When operating systems boot up, they can start processes that perform background system functions. On Windows and Linux, these system processes are referred to as services. On macOS, launchd processes known as Launch Daemons and Launch Agents are run to finish system initialization and load user-specific parameters.

Adversaries may install new services, daemons, or agents that can be configured to execute at startup or a repeatable interval in order to establish persistence. Similarly, adversaries may modify existing services, daemons, or agents to achieve the same effect.

Services, daemons, or agents may be created with administrator privileges but executed under root/SYSTEM privileges. Adversaries may leverage this functionality to create or modify system processes in order to escalate privileges.

Mitre case scenario – Abuse elevation control mechanism

Adversaries may circumvent mechanisms designed to control or elevate privileges in order to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit the privileged actions a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that are considered higher risk. An adversary can use several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.

Mitre Mitigations

Mitigations for Create or Modify System Process:

  • M1047 – Audit: Utilize auditing tools to detect and correct opportunities for privilege and service abuse on enterprise systems.
  • M1040 – Behavior Prevention on Endpoint: On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent applications from writing signed, vulnerable drivers to the system. On both Windows 10 and 11, use the Microsoft Vulnerable Driver Blocklist to harden against third-party drivers.
  • M1045 – Code Signing: Enforce the registration and execution of only legitimately signed service drivers where possible.
  • M1033 – Limit Software Installation: Restrict software installations to trusted repositories and be cautious of orphaned software packages.
  • M1028 – Operating System Configuration: Ensure Driver Signature Enforcement is enabled to prevent unsigned drivers from being installed.
  • M1026 – Privileged Account Management: Manage the creation, modification, use, and permissions of privileged accounts, including SYSTEM and root accounts.
  • M1022 – Restrict File and Directory Permissions: Limit read/write access to system-level process files to only select privileged users with a legitimate need to manage system services.
  • M1054 – Software Configuration: Consider enforcing the use of container services in rootless mode where possible, to reduce risks of privilege escalation or malicious effects on the host.
  • M1018 – User Account Management: Limit privileges of user accounts and groups so that only authorized administrators can manage system-level process changes and service configurations.

Mitigations for Abuse Elevation Control Mechanism:

  • M1047 – Audit: Check for common User Account Control (UAC) bypass weaknesses on Windows systems to understand the risk posture and address issues appropriately.
  • M1038 – Execution Prevention: Configure system settings to only allow applications from legitimate repositories and prevent running unsigned applications to mitigate risk.
  • M1028 – Operating System Configuration: Avoid setting ‘setuid’ or ‘setgid’ bits on applications known for vulnerabilities or shell escapes to minimize potential damage if compromised. Also, limit the number of programs with these settings and ensure the sudo ‘tty_tickets’ option is enabled to prevent credential leakage across tty sessions.
  • M1026 – Privileged Account Management: Remove users from the local administrator group and require a password for any action listed in the sudoers file, with ‘timestamp_timeout’ set to 0 to necessitate password input every time sudo is used.
  • M1022 – Restrict File and Directory Permissions: Edit the sudoers file strictly to always require passwords and prevent spawning of risky processes with higher privileges.
  • M1051 – Update Software: Regularly update software to reduce the risk of exploitation.
  • M1052 – User Account Control: Use the highest UAC enforcement level despite existing bypass techniques and address these by mitigating risks such as DLL Search Order Hijacking.
  • M1018 – User Account Management: Limit privileges of cloud accounts specifically around role assumption, creation, and impersonation to necessary actions only. Consider using manual approval for temporary privilege elevation if just-in-time access is enabled.
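The sudo-related points in the lists above (timestamp_timeout set to 0, tty_tickets enabled, a password required for every sudoers rule) can be checked mechanically. The following Python script is an added example, not part of the original post or of any MITRE material: it parses a sudoers text for global Defaults lines and NOPASSWD tags and reports which of those settings are missing or weakened. The two sudoers snippets are constructed for the example, and the parser handles only global Defaults lines (per-user, per-host and per-runas Defaults are out of scope for it).

```python
import re

# Constructed sudoers contents for the example (not taken from a real host).
WEAK_SUDOERS = """\
Defaults env_reset
# password is cached for 15 minutes after each successful sudo
Defaults timestamp_timeout=15
# one credential cache shared across all tty sessions of the user
Defaults !tty_tickets
%wheel ALL=(ALL) NOPASSWD: ALL
"""

HARDENED_SUDOERS = """\
Defaults env_reset
# ask for the password on every sudo invocation
Defaults timestamp_timeout=0
# separate credential cache per user/tty pair
Defaults tty_tickets
%wheel ALL=(ALL) ALL
"""

# Global Defaults lines only; 'Defaults:user', 'Defaults@host' and 'Defaults>runas'
# scoped entries are deliberately not parsed by this example.
GLOBAL_DEFAULTS_RE = re.compile(r"^\s*Defaults\s+(.+)$")


def parse_defaults(sudoers_text):
    """Return the global sudo Defaults as a dict.

    Boolean flags map to True or False (a leading '!' negates the flag);
    key=value settings map to their string value. Later lines override
    earlier ones, which is also how sudo resolves repeated Defaults.
    """
    found = {}
    for raw in sudoers_text.splitlines():
        line = raw.split("#", 1)[0]            # strip comments
        match = GLOBAL_DEFAULTS_RE.match(line)
        if not match:
            continue
        for item in match.group(1).split(","):
            item = item.strip()
            if not item:
                continue
            if "=" in item:
                key, value = item.split("=", 1)
                found[key.strip()] = value.strip().strip('"')
            elif item.startswith("!"):
                found[item[1:]] = False
            else:
                found[item] = True
    return found


def check_sudoers(sudoers_text):
    """Return a list of (code, message) findings; an empty list means all checks passed."""
    defaults = parse_defaults(sudoers_text)
    findings = []

    # timestamp_timeout: sudo's compiled-in default is non-zero, so an absent
    # setting is a finding, as is any explicit value other than 0.
    timeout = defaults.get("timestamp_timeout")
    try:
        timeout_ok = timeout is not None and float(timeout) == 0
    except ValueError:
        timeout_ok = False
    if not timeout_ok:
        findings.append(("timestamp_timeout",
                         "timestamp_timeout is not 0; credentials stay cached between sudo calls"))

    # tty_tickets: current sudo releases enable it by default, so only an explicit
    # '!tty_tickets' is reported here; 'sudo -V' as root shows the compiled-in default.
    if defaults.get("tty_tickets") is False:
        findings.append(("tty_tickets",
                         "tty_tickets is disabled; the credential cache is shared across tty sessions"))

    # A NOPASSWD tag on any rule line (comments stripped) runs that command without a password.
    for raw in sudoers_text.splitlines():
        line = raw.split("#", 1)[0]
        if "NOPASSWD:" in line:
            findings.append(("NOPASSWD", f"passwordless rule present: {line.strip()}"))
            break

    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_SUDOERS), ("hardened", HARDENED_SUDOERS)):
        print(f"{name}: {check_sudoers(text) or 'no findings'}")
```

Run it against the output of `visudo -c -f /etc/sudoers` style exports rather than editing the live file; the checker only reads text and changes nothing.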

Sentinel query

SecurityEvent
| where TimeGenerated > ago(30d)
// EventID is an integer column, so compare it with a number rather than a string
| where EventID == 4672
| where AccountType == "User"
| where Account != "NT AUTHORITY\\SYSTEM" and Account !has "Window Manager"
| project TimeGenerated, EventID, Account, AccountType, PrivilegeList, Computer
// The privilege list is stored in a single string of text that we need to split
| extend Privs = extract_all(@"Se(.*?)Privilege", PrivilegeList)
// Once we retrieve the privileges from the string we can recreate the proper naming
| mv-expand Privs to typeof(string)
| extend Privilege = strcat('Se', Privs, 'Privilege')
| project TimeGenerated, Account, Computer, Privilege
| summarize ['List of Privileges'] = make_set(Privilege) by Computer, Account
| sort by Computer asc
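To make the query's logic concrete outside Sentinel, here is an added Python example (not part of the original post and not Microsoft code) that applies the same steps to a handful of constructed SecurityEvent rows: keep event 4672 within the look-back window, drop SYSTEM, Window Manager and non-user accounts, pull the privilege names out of the PrivilegeList string with the same regular expression, and build the per-computer, per-account set of privileges. The sample rows and the reference time NOW are constructed for the example; the `!has` operator is approximated with a case-insensitive substring test.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Reference time for the 30-day window (constructed; the query uses ago(30d) relative to now).
NOW = datetime(2024, 5, 1, tzinfo=timezone.utc)


def _row(days_ago, event_id, account, account_type, computer, privilege_list):
    """Build one constructed SecurityEvent row with the columns the query uses."""
    return {
        "TimeGenerated": NOW - timedelta(days=days_ago),
        "EventID": event_id,
        "Account": account,
        "AccountType": account_type,
        "Computer": computer,
        # 4672 delivers the privileges as one string of Se...Privilege names
        "PrivilegeList": privilege_list,
    }


# Constructed sample rows, not real log data.
SAMPLE_EVENTS = [
    _row(2, 4672, "CORP\\alice", "User", "srv01.corp.local",
         "SeSecurityPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeDebugPrivilege"),
    _row(3, 4672, "CORP\\alice", "User", "srv01.corp.local",
         "SeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege"),
    _row(10, 4672, "CORP\\bob", "User", "srv02.corp.local",
         "SeBackupPrivilege\n\t\t\tSeRestorePrivilege"),
    # Rows the query filters out: built-in SYSTEM, the Window Manager account,
    # a machine account, a different event ID, and an event older than 30 days.
    _row(1, 4672, "NT AUTHORITY\\SYSTEM", "User", "srv01.corp.local", "SeTcbPrivilege"),
    _row(1, 4672, "Window Manager\\DWM-1", "User", "srv02.corp.local", "SeDebugPrivilege"),
    _row(1, 4672, "CORP\\SRV02$", "Machine", "srv02.corp.local", "SeDebugPrivilege"),
    _row(1, 4624, "CORP\\bob", "User", "srv02.corp.local", ""),
    _row(45, 4672, "CORP\\carol", "User", "srv03.corp.local", "SeDebugPrivilege"),
]

# Same pattern as the query's extract_all(): capture the middle of each Se...Privilege token.
PRIVILEGE_RE = re.compile(r"Se(.*?)Privilege")


def extract_privileges(privilege_list):
    """Mirror extract_all + strcat: take each captured group and rebuild the full name."""
    return ["Se" + middle + "Privilege" for middle in PRIVILEGE_RE.findall(privilege_list)]


def summarize_special_privileges(events, now=NOW, lookback_days=30):
    """Return {(Computer, Account): sorted privileges} for the rows that pass the filters.

    The result is ordered by Computer, then Account, like the query's final sort.
    """
    window_start = now - timedelta(days=lookback_days)
    privileges = defaultdict(set)
    for ev in events:
        if ev["TimeGenerated"] <= window_start:      # TimeGenerated > ago(30d)
            continue
        if ev["EventID"] != 4672:                      # EventID == 4672
            continue
        if ev["AccountType"] != "User":                # AccountType == "User"
            continue
        account = ev["Account"]
        # Account != "NT AUTHORITY\\SYSTEM" and Account !has "Window Manager";
        # !has is a case-insensitive term match, approximated here by a substring test.
        if account == "NT AUTHORITY\\SYSTEM" or "window manager" in account.lower():
            continue
        for privilege in extract_privileges(ev["PrivilegeList"]):   # mv-expand + make_set
            privileges[(ev["Computer"], account)].add(privilege)
    return {key: sorted(privs) for key, privs in sorted(privileges.items())}


if __name__ == "__main__":
    for (computer, account), privs in summarize_special_privileges(SAMPLE_EVENTS).items():
        print(f"{computer:<18} {account:<14} {privs}")
```

The per-account sets are what you would review against the expected role of each account (AC-6 above): a privilege such as SeDebugPrivilege or SeTakeOwnershipPrivilege showing up for a user who has no administrative role is the kind of anomaly the query is meant to surface.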