Anomalous User Name in Active Directory
Goal
Looks for unusual user names in Active Directory logs. An unusual user name is one way of detecting credentialed access through a new or dormant user account.
A user account that is normally inactive, for example because the user has left the organisation, and that suddenly becomes active again may indicate credentialed access with a compromised account password. Threat actors also sometimes create new users as a means of persisting in a compromised web application.
Description
This is a simple statistical method that computes, for each user, the number of days since that user's last activity. Because it only needs to keep one timestamp per user, it is very efficient and scalable.
Characteristics
Data involved
Any event from the Active Directory with a username associated.
Alert Generation
An alert is generated whenever there is activity from a user that has been inactive for more than a week. Two different types of alert are generated, depending on the length of the inactivity:
If the inactive user has spent more than 7 days but less than 14 days without activity: Informative alert
If the inactive user has spent more than 14 days without activity: High alert
Raw outputs of the model
The number of days between the event and the user's previous activity.
Whether the event is considered an anomaly or not (boolean value).
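The following is an added example (not the page's own detector) that implements the Description, Alert Generation and Raw outputs sections above over a handful of constructed Active Directory events. The input format (`timestamp<TAB>user`), the 7 and 14 day thresholds as constants, and the decision to treat a gap of exactly 14 days as High are assumptions made for the example; the page does not specify the exact boundary. Events are sorted before processing because the gap computation is only correct when each user's events arrive in chronological order.

```python
from collections import namedtuple
from datetime import datetime, timezone

INACTIVITY_THRESHOLD_DAYS = 7   # activity after a longer gap than this is anomalous
HIGH_SEVERITY_DAYS = 14         # gap at which the alert is escalated from Informative to High

# Constructed sample events (not real logs). Format: "timestamp<TAB>user".
# Any AD event carrying a user name would do; the kind of event is irrelevant here.
SAMPLE_EVENTS = """\
2024-03-01T08:02:11Z\tjdoe
2024-03-01T09:15:40Z\tasmith
2024-03-02T08:05:03Z\tjdoe
2024-03-11T17:44:09Z\tASmith
2024-03-30T02:13:55Z\tjdoe
2024-03-30T02:20:01Z\tsvc_backup
2024-03-30T03:00:00Z\tsvc_backup
"""

Event = namedtuple("Event", "ts user")


def parse_events(text):
    """Parse constructed 'timestamp<TAB>user' lines into Events sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts_str, user = line.split("\t", 1)
        ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        # AD user names are case-insensitive; normalise so 'ASmith' and 'asmith' are one user.
        events.append(Event(ts, user.strip().lower()))
    return sorted(events, key=lambda e: e.ts)


def classify(days):
    """Map a gap in days to (anomaly, severity) following the Alert Generation rules."""
    if days is None or days <= INACTIVITY_THRESHOLD_DAYS:
        return False, None
    if days < HIGH_SEVERITY_DAYS:
        return True, "Informative"
    # A gap of exactly 14 days is not covered by the page's wording; treated as High here (assumption).
    return True, "High"


def score_events(events):
    """Produce the model's raw outputs for every event: days since last activity and anomaly flag.

    The only state kept is the last timestamp seen per user, which is what makes the
    method cheap. A user seen for the first time has no previous activity, so the gap
    is None and the event is not flagged by this computation.
    """
    last_seen = {}
    results = []
    for e in events:
        prev = last_seen.get(e.user)
        days = None if prev is None else (e.ts - prev).total_seconds() / 86400.0
        anomaly, severity = classify(days)
        results.append({
            "user": e.user,
            "ts": e.ts.isoformat(),
            "days_since_last_activity": days,
            "anomaly": anomaly,
            "severity": severity,
        })
        last_seen[e.user] = e.ts
    return results


def alerts(results):
    """Keep only the events that should raise an alert."""
    return [r for r in results if r["anomaly"]]


if __name__ == "__main__":
    for a in alerts(score_events(parse_events(SAMPLE_EVENTS))):
        print(f"{a['severity']:12} {a['user']:12} {a['ts']} "
              f"inactive for {a['days_since_last_activity']:.1f} days")
```

Running this on the sample data raises an Informative alert for asmith (about 10 days of inactivity before the 11 March event) and a High alert for jdoe (about 28 days before the 30 March event), while the daily and first-seen activity produces no alert. In a real deployment the `last_seen` map would be persisted between runs, since an inactivity gap spanning the interval between two batch executions is otherwise lost.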