UBADemoScript1
- Pavan Raja
- Apr 9
- 12 min read
Summary:
The document provides a comprehensive overview of how User Behavior Analytics (UBA) can be used in an IT environment to detect and analyze problematic activities. UBA is described as "behavior based," which means it analyzes the actions and patterns of users and machines to identify anomalies or suspicious behavior. This analysis helps in identifying potential security breaches, unauthorized access attempts, and other malicious activities before they escalate into significant incidents.
### Key Points from the Document:
1. **Spike in Failed Web Server Requests**:
   - Check web server logs for an unusual increase in failed requests.
   - This might indicate a vulnerability being exploited (e.g., a Cross-Site Scripting (XSS) attack).
2. **Potential XSS Attack on Web Server**:
   - Look for signs of abnormal request patterns indicative of XSS attacks.
3. **Multiple Failed Web Server Requests Followed by Success**:
   - Monitor failed and then successful requests from a user.
   - This might indicate attempted privilege escalation or other malicious activities.
4. **User Added by External IP Address**:
   - Investigate changes in permissions via Powerbroker that suggest unauthorized access or the addition of rogue users.
5. **Suspicious File Executed on Web Server**:
   - Look for evidence of abnormal file executions, which might indicate malware deployment or execution.
6. **Powerbroker - Access to Privileges of Another User (SUDO)**:
   - Check for attempts to escalate privileges using Powerbroker.
   - This indicates potential malicious activity.
7. **Powerbroker - Self Permission Change**:
   - Investigate changes in user permissions where the change is made by the user themselves.
   - Might suggest self-privilege escalation.
8. **Powerbroker - Log Modification**:
   - Monitor modifications to system logs via Powerbroker that might indicate tampering or hiding malicious activities.
### Demonstration Scripts:
1. **Investigating a Spike in Failed Web Server Requests**:
   - Customize date ranges and view detailed reports in the investigation workbench to confirm suspicious activity.
2. **Detecting Potential XSS Attacks**:
   - Use UBA capabilities to analyze abnormal request patterns and identify potential XSS attacks.
3. **Monitoring Multiple Failed Web Server Requests Followed by Success**:
   - Investigate failed and successful requests from a user, looking for signs of malicious activity.
4. **Analyzing User Added by External IP Address**:
   - Use Powerbroker to investigate changes in permissions and confirm unauthorized access attempts.
5. **Investigating Suspicious File Execution on Web Server**:
   - Review file execution logs and analyze the behavior of suspicious files.
6. **Checking Powerbroker for Access to Privileges**:
   - Use Powerbroker to review attempts at privilege escalation and confirm whether they are legitimate or malicious.
### Additional Scenarios:
1. **RARE WINDOWS PROCESS DETECTED (svhost.exe instead of svchost.exe)**:
   - Identify anomalous Windows processes, especially when they are located in unusual directories.
2. **ANOMALOUS FILE HASH CHANGE (Registry files monitored by Tripwire)**:
   - Detect changes to critical Registry files that might indicate tampering or unauthorized modifications.
3. **POTENTIAL LATERAL MOVEMENT (Data movement from blynch_pc to another user's PC)**:
   - Monitor data movements between systems and identify anomalous patterns of lateral movement.
4. **VISIT TO ALGORITHMICALLY GENERATED DOMAINS**:
   - Analyze algorithmically generated domains, which might indicate potential data exfiltration or malicious activities.
5. **DATA EXFILTRATED TO CNC SERVER**:
   - Review high-volume data uploads to CNC servers from specific systems and identify unauthorized data transfers.
### Accessing Violations through UBA Interface:
- Log in as an admin and navigate to the High Risk Entities dashboard.
- View detailed reports and graphical representations of suspicious activities.
### Conclusion:
The document demonstrates how UBA can be a powerful tool in detecting potential security violations within an IT environment. By analyzing user behavior, actions, and patterns, UBA helps identify anomalies that might indicate malicious activities, unauthorized access attempts, or other security breaches. The provided scenarios and steps offer actionable insights for analysts to investigate suspicious activities promptly and effectively.
Details:
This document provides an overview and demonstration scripts for User Behavior Analytics (UBA) version 5.0, which is confidential information of Hewlett Packard Enterprise Company or its affiliates. Its purpose is to demonstrate use cases for user behavior analysis in a controlled environment, using scenarios such as Kevin Milton as a potential flight risk (identified through his job-search activity) and the resource usage patterns of hosts such as alechuga_pc and blynch_pc.
The demonstration scripts include:
1. A scenario involving Kevin Milton, whose job-search activity marks him as a potential flight risk. This uses the Websense resource with rule-based UBA technology to analyze his online activities.
2. Another scenario involves SVC_DB_BACKUP and MYBOT, which are high privileged accounts related to database backup operations and automation tasks respectively. These scenarios showcase how UBA detects unusual behavior in such critical account usages.
3. The resource scenario for alechuga_pc focuses on an individual user's computer usage patterns, while the network address scenario for blynch_pc explores potential anomalies in networking activities.
4. Recommendations are given regarding browser preferences (Firefox and Chrome over Internet Explorer), addressing issues with the Investigation Workbench that affect usability across different browsers.
5. The document ends with a note on copyright information and confidentiality obligations, emphasizing the importance of maintaining discretion when handling this sensitive material.
This document is intended for evaluation purposes only, to showcase how HPE's UBA technology can be applied in real-world scenarios to improve security measures against potential threats and anomalies related to user behavior within an organization.
This document outlines various user behavior analytics (UBA) use cases, specifically focusing on rule-based UBA technology. The examples include detecting anomalous download activity using SharePoint files within a peer group, identifying high numbers of failed USB attempts with Symantec Endpoint Protection, tracking spikes in upload activities to personal storage sites via PaloAlto, and monitoring cross-channel data egress through both Symantec Endpoint and IronportEmail systems.
The UBA system compares a user's behavior against a defined baseline and against peers within their group. Peer groups are created dynamically from attributes such as job code, title, manager and location. They help determine whether an individual's actions are normal compared to others performing similar roles, so anomalies can be identified early.
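The peer-group comparison described above can be reduced to a small computation: form groups from HR attributes, then score each user's metric against the other members of their group. The block below is an added example, not code from the UBA demo script or from HPE; the download counts and HR attributes are constructed for illustration, and the z-score threshold and minimum group size are assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: one day's SharePoint download counts joined with the HR
# attributes a UBA system would use to form peer groups (department, job code).
ACTIVITY = [
    {"user": "kmilton",  "department": "Data Services", "job_code": "ENG2", "downloads": 412},
    {"user": "jkeller",  "department": "Data Services", "job_code": "ENG2", "downloads": 38},
    {"user": "alechuga", "department": "Data Services", "job_code": "ENG2", "downloads": 27},
    {"user": "blynch",   "department": "Data Services", "job_code": "ENG2", "downloads": 41},
    {"user": "lmueller", "department": "Data Services", "job_code": "ENG2", "downloads": 33},
    {"user": "rpatel",   "department": "Finance",       "job_code": "FIN1", "downloads": 9},
    {"user": "tnguyen",  "department": "Finance",       "job_code": "FIN1", "downloads": 12},
    {"user": "sgarcia",  "department": "Finance",       "job_code": "FIN1", "downloads": 11},
]


def build_peer_groups(records, keys=("department", "job_code")):
    """Group records by the tuple of HR attributes in `keys` (dynamic peer groups)."""
    groups = defaultdict(list)
    for rec in records:
        groups[tuple(rec[k] for k in keys)].append(rec)
    return groups


def peer_zscore(value, peer_values):
    """How many peer standard deviations `value` sits above the peer mean.
    Peer values exclude the user being scored, so an outlier cannot inflate
    its own baseline."""
    mu = mean(peer_values)
    sigma = pstdev(peer_values)
    if sigma == 0:
        return 0.0 if value == mu else float("inf")
    return (value - mu) / sigma


def find_peer_anomalies(records, metric="downloads", threshold=3.0,
                        min_peers=3, keys=("department", "job_code")):
    """Return users whose metric is more than `threshold` z-scores above peers.
    Groups with fewer than `min_peers` comparison points are skipped: a tiny
    group gives a baseline too unstable to alert on (assumed thresholds)."""
    findings = []
    for group, members in build_peer_groups(records, keys).items():
        for rec in members:
            peers = [m[metric] for m in members if m is not rec]
            if len(peers) < min_peers:
                continue
            z = peer_zscore(rec[metric], peers)
            if z > threshold:
                findings.append({"user": rec["user"], "peer_group": group,
                                 "value": rec[metric],
                                 "peer_mean": round(mean(peers), 1),
                                 "zscore": round(z, 2)})
    return findings


if __name__ == "__main__":
    for f in find_peer_anomalies(ACTIVITY):
        print(f)
```

Only kmilton is reported: 412 downloads against a peer mean of about 35. The Finance group is skipped entirely because each member has only two peers, which is the kind of small-group guard a production system needs to avoid alerting on noise.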
The UBA interface has a dashboard that shows high-risk entities, including users, uncorrelated accounts, resources, and network addresses. It allows filtering by percentile of violators and by attributes such as group (for example, showing only the violators in the Data Services group). Specific investigations can be initiated from this view, such as looking at a user's associated objects and detailed information about them.
Detailed information includes HR data combined with IT data: whether an employee is active or has given notice, full-time vs part-time status, transfer history, performance review details, and more. This contextual data helps in understanding the behavior profile of an individual, including their risk score and comparison to peers.
The provided document details various suspicious activities detected in Kevin Milton's behavior through User Behavior Analytics (UBA). These include excessive job search activity online, downloading an unusually high number of files compared to peers, failed USB attempts for data transfer, and a spike in emails sent to self, which appears to be a second exfiltration method adopted after the failed attempts to write files to a USB drive. The document also mentions that Kevin Milton is flagged on the "Bad Performance Review" watchlist from HR systems, suggesting possible dissatisfaction or intent to steal confidential information before leaving the company.
The provided text outlines a process for investigating user behavior within an organization, focusing on the detection of potentially suspicious or malicious activities by an individual named Kevin Milton. The investigation is conducted using the HPE Confidential User Behavior Analytics (UBA) tool. Here's a summary of the key points and actions taken in this process:
1. **Launch Investigation Workbench**: This initializes the UBA tool for conducting the investigation.
2. **Add To White List or Retain Existing Risk Score**: Each alert is classified as an exception, approved, not a concern, a duplicate, still under investigation, or a confirmed violation. An exception reduces the user's risk score to zero; any other classification leaves the score unchanged.
3. **Create Case**: A case file is created for Kevin Milton based on the findings of the investigation.
4. **Reviewing Activity and Documents**:
   - **View Activity Accounts**: This involves identifying all accounts used by Kevin, which are attributed back to him automatically by UBA.
   - **Investigate Emails and Attachments**: Specifically reviewing emails sent by Kevin and any detected exfiltrated attachments is crucial for understanding the scope of his actions.
5. **Compare with Peers**: Conducting a side-by-side comparison between Kevin Milton and other users, particularly those in the same department and role, helps identify whether his behavior deviates significantly from normal peer activity. This involves:
   - Comparing email attachments sent by Kevin to those of peers using UBA's tools for comparative analysis.
   - Initiating a new investigation for potential peers (like John Keller) who have also engaged in similar activities.
6. **Use Advanced Search and Anomaly Detection**: Utilizing advanced search features within the UBA interface, along with behavior-based, peer-based, identity-based, and rule-based anomaly detection tools to pinpoint anomalies that indicate possible compromise or unusual activity patterns specific to Kevin Milton's profile.
7. **Technology Used**: The investigation leverages several technologies including:
   - **Behavior Based**: To identify deviations from normal behavior for the user (Kevin Milton).
   - **Peer Based**: To detect if Kevin's actions are not in line with similar peers based on role, department, or title.
   - **Identity Based**: To contextualize IT activity and events using non-IT information about the user.
   - **Rule Based**: To identify known suspicious or malicious activities as per defined rules within the organization.
This comprehensive process is designed to not only detect but also investigate potential security incidents, providing a detailed overview of actions taken in response to anomalous behavior identified by UBA for Kevin Milton.
The text provided outlines the steps and actions taken within the UBA (User Behavior Analytics) system for detecting potential security threats or anomalies in an organization's network environment. Specifically, it details a series of procedures aimed at identifying unusual activities associated with specific accounts and resources, such as "SVC_DB_BACKUP" and "192.168.10.12."
Here is a summarized breakdown of the process:
1. **Identification of Unusual Activity:** The system detects an unusual pattern in activity related to the "svc_db_backup" account, particularly focusing on events that indicate interactive logins and execution of rare database commands by a service account (SVC_DB_BACKUP). These activities are flagged as potentially risky because:
   - A service account is performing actions typically associated with user accounts, specifically logging in interactively.
   - The login occurs from an IP address never seen before, which suggests unauthorized access or a potential security breach.
   - Commands such as "select * from customer_master" and "delete from audit_db_logs" are executed, which are not typical for a service account and could indicate attempts at data manipulation or hiding activities.
2. **Investigation Initiation:** The detected anomalies trigger an immediate investigation by launching the UBA's workbench tool, designed to further analyze and understand the nature of these activities more closely. This includes checking specific event types associated with network logins (type 2 for interactive login) and reviewing detailed activity logs related to the account's usage patterns.
3. **Network Address Analysis:** The IP address linked to the unusual activity is examined in detail, comparing its normal versus anomalous activities. In this case, it is noted that while most of the network traffic appears typical, there are specific events indicating unauthorized actions or data exfiltration (malicious destinations reached via FTP).
4. **User Attribution:** Using advanced analytics within the UBA system, the activity linked to SVC_DB_BACKUP can be traced back to a specific user, in this case, John Keller. This allows for direct targeting of further investigation and possible remediation.
5. **Compliance and Reporting:** The detailed report generated from this process serves as evidence for compliance with security protocols and regulations. It also provides insights into the effectiveness of UBA's policies and systems in detecting and responding to potential threats within the organization’s network.
This summary highlights how a combination of rule-based detection, behavioral analysis, and user attribution can be used effectively by cybersecurity teams to monitor and mitigate potential security risks associated with high privileged accounts and correlated activities across an enterprise network.
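The service-account procedure above (interactive logon by a service account, a never-before-seen source address, rare commands including deletion from an audit table, and attribution of the address to a human user) can be expressed as a few rules over normalized logon and database-audit events. The block below is an added example, not code from the UBA demo script or from HPE; the baseline, the events, the `svc_` naming convention and the severity ranking are constructed assumptions. Logon type 2 (interactive) and logon type 5 (service) are the standard Windows Security log values.

```python
from datetime import datetime

SERVICE_ACCOUNT_PREFIXES = ("svc_",)   # naming convention assumed for this example
INTERACTIVE_LOGON_TYPES = {2}          # Windows logon type 2 = interactive (console)

# Constructed baseline built from the account's history: source addresses it
# has been seen from and how often it has run each command.
BASELINE = {
    "svc_db_backup": {
        "source_ips": {"192.168.10.5"},
        "commands": {
            "backup database customer_master to disk": 240,
            "select count(*) from audit_db_logs": 240,
        },
    },
}

# Constructed events, already normalized from the Windows Security log
# (logon events with LogonType) and the database audit log (sql events).
EVENTS = [
    {"ts": "2024-04-09T02:00:00", "account": "svc_db_backup", "kind": "logon", "logon_type": 5, "src_ip": "192.168.10.5"},
    {"ts": "2024-04-09T02:00:05", "account": "svc_db_backup", "kind": "sql", "src_ip": "192.168.10.5", "command": "backup database customer_master to disk"},
    {"ts": "2024-04-09T13:12:00", "account": "svc_db_backup", "kind": "logon", "logon_type": 2, "src_ip": "192.168.10.12"},
    {"ts": "2024-04-09T13:13:00", "account": "svc_db_backup", "kind": "sql", "src_ip": "192.168.10.12", "command": "select * from customer_master"},
    {"ts": "2024-04-09T13:20:00", "account": "svc_db_backup", "kind": "sql", "src_ip": "192.168.10.12", "command": "delete from audit_db_logs"},
    {"ts": "2024-04-09T13:25:00", "account": "jkeller", "kind": "logon", "logon_type": 2, "src_ip": "192.168.10.12"},
]


def is_service_account(name):
    return name.lower().startswith(SERVICE_ACCOUNT_PREFIXES)


def _finding(ev, rule, severity):
    return {"ts": ev["ts"], "account": ev["account"], "src_ip": ev["src_ip"],
            "rule": rule, "severity": severity,
            "detail": ev.get("command", f"logon_type={ev.get('logon_type')}")}


def analyze_service_accounts(events, baseline, rare_threshold=5):
    """Flag interactive logons, first-seen source addresses and rarely used
    commands for service accounts. Events must be in time order."""
    findings = []
    seen_ips = {}
    for ev in events:
        acct = ev["account"]
        if not is_service_account(acct):
            continue
        profile = baseline.get(acct, {"source_ips": set(), "commands": {}})
        known = seen_ips.setdefault(acct, set(profile["source_ips"]))
        if ev["kind"] == "logon" and ev["logon_type"] in INTERACTIVE_LOGON_TYPES:
            findings.append(_finding(ev, "interactive_logon_by_service_account", "high"))
        if ev["src_ip"] not in known:
            findings.append(_finding(ev, "first_seen_source_ip", "medium"))
            known.add(ev["src_ip"])   # report a new address once, not per event
        if ev["kind"] == "sql":
            cmd = ev["command"].lower()
            if profile["commands"].get(cmd, 0) < rare_threshold:
                # Deleting from an audit table is log tampering, so rank it higher.
                sev = "high" if cmd.startswith("delete") and "audit" in cmd else "medium"
                findings.append(_finding(ev, "rare_command", sev))
    return findings


def candidate_human_accounts(events, src_ip, around_ts, window_hours=4):
    """Non-service accounts that logged on from `src_ip` near `around_ts`:
    a simple attribution step linking service-account activity to a person."""
    t0 = datetime.fromisoformat(around_ts)
    out = set()
    for ev in events:
        if ev["kind"] != "logon" or ev["src_ip"] != src_ip or is_service_account(ev["account"]):
            continue
        if abs((datetime.fromisoformat(ev["ts"]) - t0).total_seconds()) <= window_hours * 3600:
            out.add(ev["account"])
    return out


if __name__ == "__main__":
    for f in analyze_service_accounts(EVENTS, BASELINE):
        print(f["severity"], f["rule"], f["account"], f["src_ip"], f["detail"])
    print("attribution:", candidate_human_accounts(EVENTS, "192.168.10.12", "2024-04-09T13:12:00"))
```

The 02:00 service logon and scheduled backup produce nothing; the 13:12 interactive logon from the new address, the full-table select and the audit-table delete produce four findings, and the same address is tied to jkeller's own logon shortly afterwards. The attribution step is deliberately simple: it only says who else used that address in the window, which is where an analyst's investigation starts, not where it ends.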
The document outlines various scenarios involving different types of activities and violations detected by UBA (User Behavior Analytics) in several contexts, including a High Privileged Account scenario (NM-ROOT), the resource scenario for alechuga_pc, and other related aspects.
1. **HPE Scenario**: A High Privileged Account (NM-ROOT) was involved in unusual activities such as executing three commands that led to the creation of a new account named 'mybot'. This usage triggers the UBA check "First use of Account to perform Transaction", indicating rare activity. The account modification and ownership on the server further signal potential security threats.
   - **Actions**: Self-permission elevation by 'mybot' involves giving itself root permission to run a Python script named 'myRootkit.py' and altering file permissions for execution, which is considered a violation. Detection of large file transfers to malicious FTP sites also raises concerns about potential data theft or tampering.
   - **Further Investigation**: IP address 10.34.76.12 was identified as used by NM-ROOT; further investigation revealed that two accounts (NM-ROOT and MYBOT) have accessed this network, pointing to suspicious activity related to the account.
2. **Resource Scenario - alechuga_pc**: This scenario involves a user with access to healthcare data in a hospital setting.
   - **Actions**: The user accessed patients' medical records (Healthcare Data), potentially engaged in lateral movement detected via HostIDS, and connected to malicious URLs through the Websense proxy. These actions indicate potential unauthorized access and risky behaviors that could lead to privacy breaches or security threats.
3. **General Observations**: Throughout these scenarios, UBA technology was applied effectively to detect unusual activities such as exceeding baseline SSH command counts (anomalous behavior), clearing audit logs, and excessive data transfer to malicious sites, which are critical in identifying potential cyber-attacks or insider threats.
4. **Setup and Login**: The document outlines the initial setup for accessing the UBA interface and navigating through different functionalities like dashboard views, risk entity display, and investigation workbenches to review policies violated by specific accounts.
The document serves as a comprehensive guide on how UBA can be used in various scenarios to monitor and detect anomalous activities across multiple resources and systems, highlighting potential security threats that require immediate attention and further investigation.
This document outlines a series of user behavior analytics (UBA) scenarios using HPE Confidential software to detect and analyze problematic activities in an IT environment. The scenarios cover various resources such as servers, data sources, network addresses, and specific devices like PCs. The UBA technology used here is described as "behavior based," which means it analyzes actions and patterns of users and machines to identify anomalies or suspicious behavior.
The demonstration scripts include detailed steps on how to investigate each scenario, including:
1. **Spike in Failed Web Server Requests**: This involves checking web server logs for an unusual increase in failed requests, potentially indicating a vulnerability being exploited (XSS attack).
2. **Potential XSS Attack on Web Server**: Similar to the first scenario but specifically looking for signs of Cross-Site Scripting (XSS) attacks based on abnormal request patterns.
3. **Multiple Failed Web Server Requests Followed by Success**: This involves monitoring failed and then successful requests from a user, which might indicate an attempted privilege escalation or other malicious activity.
4. **User Added by External IP Address**: Investigate changes in permissions via Powerbroker that could suggest unauthorized access or the addition of rogue users.
5. **Suspicious File Executed on Web Server**: Look for evidence of abnormal file executions, which might indicate malware deployment or execution.
6. **Powerbroker - Access to Privileges of Another User (SUDO)**: Check for attempts to escalate privileges using Powerbroker, another indicator of potential malicious activity.
7. **Powerbroker - Self Permission Change**: Investigate changes in user permissions where the change is made by the user themselves, which could be a sign of self-privilege escalation.
8. **Powerbroker - Log Modification**: Monitor modifications to system logs via Powerbroker, which might suggest tampering or hiding malicious activities.
The scripts provide specific actions and talking points for each scenario, such as clicking on the dashboard, customizing date ranges, and viewing detailed reports in the investigation workbench to confirm suspicious activities. This approach aims to empower analysts with actionable insights from UBA technology that can help identify potential security breaches or unauthorized access attempts before they escalate into significant incidents.
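The three web-server items that recur in the Key Points and in the demonstration scripts (a spike in failed requests, a run of failures followed by a success, and request patterns indicative of XSS) can each be checked mechanically against access logs. The block below is an added example, not code from the UBA demo script or from HPE; the log lines, the per-source failure baseline, the thresholds and the marker list are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote

# Constructed sample of access-log lines (common log format). One source,
# 203.0.113.7, fails repeatedly, then succeeds on /admin, then sends a
# request whose query string carries a script tag.
SAMPLE_LOG = """\
203.0.113.7 - - [09/Apr/2024:10:00:01 +0000] "GET /login HTTP/1.1" 401 512
203.0.113.7 - - [09/Apr/2024:10:00:02 +0000] "GET /login HTTP/1.1" 401 512
203.0.113.7 - - [09/Apr/2024:10:00:03 +0000] "GET /login HTTP/1.1" 401 512
203.0.113.7 - - [09/Apr/2024:10:00:04 +0000] "GET /admin HTTP/1.1" 403 512
203.0.113.7 - - [09/Apr/2024:10:00:05 +0000] "GET /admin HTTP/1.1" 403 512
203.0.113.7 - - [09/Apr/2024:10:00:06 +0000] "GET /admin HTTP/1.1" 200 2048
203.0.113.7 - - [09/Apr/2024:10:00:07 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 100
198.51.100.4 - - [09/Apr/2024:10:00:08 +0000] "GET /index.html HTTP/1.1" 200 1024
198.51.100.4 - - [09/Apr/2024:10:00:09 +0000] "GET /missing HTTP/1.1" 404 300
"""

# Constructed historical baseline: average failed requests per hour per source.
BASELINE_FAILED_PER_HOUR = {"203.0.113.7": 0.5, "198.51.100.4": 2.0}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Request markers associated with reflected script injection. A hit is a
# reason to investigate, not proof that an attack succeeded.
SCRIPT_MARKERS = ("<script", "javascript:", "onerror=", "onload=")


def parse_log(text):
    """Parse log lines into dicts sorted by timestamp; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z")
        ev["status"] = int(ev["status"])
        ev["failed"] = ev["status"] >= 400
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def failed_request_spike(events, baseline, factor=5.0, min_count=5):
    """Sources whose failure count exceeds `factor` times their baseline
    (and an absolute floor, so a baseline of zero cannot fire on one error)."""
    counts = defaultdict(int)
    for ev in events:
        if ev["failed"]:
            counts[ev["ip"]] += 1
    return {ip: n for ip, n in counts.items()
            if n >= min_count and n > factor * baseline.get(ip, 0.0)}


def failed_then_success(events, min_failures=3):
    """A success from a source immediately after a run of failures."""
    findings = []
    streak = defaultdict(int)
    for ev in events:
        ip = ev["ip"]
        if ev["failed"]:
            streak[ip] += 1
            continue
        if streak[ip] >= min_failures:
            findings.append({"ip": ip, "failures_before": streak[ip],
                             "path": ev["path"], "ts": ev["ts"].isoformat()})
        streak[ip] = 0
    return findings


def script_injection_markers(events):
    """Requests whose URL-decoded path carries a script-injection marker."""
    findings = []
    for ev in events:
        decoded = unquote(ev["path"]).lower()
        hits = [m for m in SCRIPT_MARKERS if m in decoded]
        if hits:
            findings.append({"ip": ev["ip"], "path": ev["path"], "markers": hits})
    return findings


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("spike:", failed_request_spike(evs, BASELINE_FAILED_PER_HOUR))
    print("failed-then-success:", failed_then_success(evs))
    print("script markers:", script_injection_markers(evs))
```

The marker check decodes the path once; a double-encoded payload would slip past it, which is exactly why the scripts pair the pattern check with the behavioural signals (the spike and the failed-then-success sequence) rather than relying on signatures alone.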
This document outlines a user behavior analytics (UBA) investigation of a high-risk network address, specifically IP 62.210.136.206, which showed significant spikes in failed web server requests followed by suspicious file execution and potential cross-site scripting (XSS) attacks. The analysis revealed that an unassociated external IP address was used to add a user named "my_root" with sudo/root access, indicating a possible account misuse and privilege escalation attempt. Further investigation into the "my_root" account led to the discovery of attempts to modify log files, suggesting attempts at covering tracks. The analysis tool UBA provided evidence for these activities within its policies on high-risk unassociated accounts and suspicious file executions.
The document outlines a demonstration of User Behavior Analytics (UBA) capabilities in detecting potential security violations on a resource named "blynch_pc." The UBA system identifies four types of anomalies using different technologies and resources:
1. **RARE WINDOWS PROCESS DETECTED**: This involves identifying an anomalous Windows process, specifically svhost.exe instead of the standard svchost.exe. The directory for this process is also unusual (C:\Systems32\Windows\), suggesting a process named and placed to pass as the legitimate one.
2. **ANOMALOUS FILE HASH CHANGE**: UBA identifies changes to critical Registry files monitored by Tripwire, indicating potential tampering or unauthorized modifications.
3. **POTENTIAL LATERAL MOVEMENT**: Through HostIDS, the system detects lateral movement of data from blynch_pc to another user's PC (LMueller_pc), which is considered anomalous as it does not align with typical communication patterns in the environment.
4. **VISIT TO ALGORITHMICALLY GENERATED DOMAINS**: The UBA system identifies visits to algorithmically generated domains (for example s3t8.com, f3q8.com and g9m8.com), which are indicative of potential data exfiltration or malicious activity.
5. **DATA EXFILTRATED TO CNC SERVER**: Lastly, it is noted that there has been a high volume of data uploaded to a command and control (CNC) server from blynch_pc, suggesting possible unauthorized data transfer.
The document provides detailed steps on how to access these violations through the UBA interface, with instructions for logging in as an admin and navigating to specific views like High Risk Entities dashboard. Each type of violation is accompanied by screenshots or graphical representations that illustrate key details such as process names, file hashes, IP addresses, and domain names involved.
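Two of the blynch_pc findings above, also listed under Additional Scenarios earlier on the page, lend themselves to simple host-side checks: a process whose name nearly matches a system binary or whose path is not where that binary lives, and domains whose second-level label looks machine-generated. The block below is an added example, not code from the UBA demo script or from HPE; the allow-list of binaries and their directories, the process events, the extra sample domains and the scoring thresholds are constructed assumptions (the three short domains and the svhost.exe path are the ones the scenario names).

```python
import math
from difflib import SequenceMatcher

# Constructed allow-list: legitimate Windows binaries and the directory they run from.
KNOWN_SYSTEM_BINARIES = {
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

# Constructed process-start events, including the svhost.exe case from the scenario.
PROCESS_EVENTS = [
    {"host": "blynch_pc", "image": r"C:\Windows\System32\svchost.exe"},
    {"host": "blynch_pc", "image": r"C:\Systems32\Windows\svhost.exe"},
    {"host": "lmueller_pc", "image": r"C:\Windows\explorer.exe"},
]

# Constructed set of visited domains: the three from the scenario, one made-up
# long random label, and ordinary domains that should not be flagged.
DOMAINS = ["microsoft.com", "s3t8.com", "f3q8.com", "g9m8.com",
           "wsj.com", "xk7qzp2m9wvt.net", "example.org"]


def check_process(image_path, lookalike_ratio=0.85):
    """Flag a known system binary running from the wrong directory, or an
    unknown name that closely resembles a known one (lookalike)."""
    path = image_path.lower().replace("/", "\\")
    directory, _, name = path.rpartition("\\")
    if name in KNOWN_SYSTEM_BINARIES:
        if directory != KNOWN_SYSTEM_BINARIES[name]:
            return {"rule": "system_binary_unexpected_path", "name": name,
                    "directory": directory}
        return None
    best, ratio = max(((k, SequenceMatcher(None, name, k).ratio())
                       for k in KNOWN_SYSTEM_BINARIES), key=lambda t: t[1])
    if ratio >= lookalike_ratio:
        return {"rule": "lookalike_process_name", "name": name,
                "resembles": best, "similarity": round(ratio, 2)}
    return None


def flag_processes(events):
    out = []
    for ev in events:
        hit = check_process(ev["image"])
        if hit:
            out.append({"host": ev["host"], **hit})
    return out


def shannon_entropy(s):
    if not s:
        return 0.0
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))


def dga_score(domain):
    """Heuristic score for the label left of the final dot. Note: a real
    deployment needs a public-suffix list so that 'co.uk' is not scored."""
    parts = domain.lower().split(".")
    label = parts[-2] if len(parts) >= 2 else parts[0]
    letters = [c for c in label if c.isalpha()]
    digits = sum(c.isdigit() for c in label)
    vowels = sum(c in "aeiou" for c in letters)
    score = 0
    if label and digits / len(label) >= 0.25:
        score += 2          # letters mixed with digits, as in s3t8 / f3q8 / g9m8
    if letters and vowels / len(letters) < 0.2:
        score += 1          # unpronounceable: almost no vowels
    if shannon_entropy(label) >= 3.5:
        score += 1          # high character randomness
    if len(label) >= 12:
        score += 1          # long random-looking label
    return score


def is_dga_like(domain, threshold=2):
    return dga_score(domain) >= threshold


if __name__ == "__main__":
    print(flag_processes(PROCESS_EVENTS))
    print([(d, dga_score(d)) for d in DOMAINS])
```

The process check works on name and path only; a copy of the genuine binary with the right name and location but altered contents would pass it, which is the gap the hash-change monitoring in item 2 (Tripwire) is there to cover. Single-feature domain heuristics like vowel ratio fire on legitimate names such as wsj.com, so the score requires two signals before flagging.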