
Exercise: Use Case Design

Please take a look at the provided logs and try to complete the following:
• Identify all parts of these logs that could be used as an IOC or IOA
• Identify which parts may be forged and which of them are to be considered authentic
• Try to create 5 to 10 use cases that consist of the following parts:
- Name of the use case
Example: PE_001 - User added to "Local Administrators" Group
- Problem Statement
What business problem is the use case solving?
Example: Elevated access in Windows Domains is controlled by memberships within
Active Directory and local groups. These groups grant privileges to users, and therefore users
should only be added to them for legitimate purposes within change control. However, it is a
well-known attack behaviour for threat actors to add user accounts to local administrator groups to
escalate privileges. Therefore, we need to monitor all changes and ensure any users being
added to local administrator groups are being done within change control and are legitimate.
- Requirements
What is required to make the use case work?
Example: Ensure all Domain Controllers are logging correctly to the SIEM platform.
Ensure all Domain Controllers are providing logs for users being added to local groups (EventID
4732). Ensure these logs are being parsed correctly in the SIEM and clearly show who made
the change, which account was being added and at what time. Ensure all successful additions
are checked by the Security Operations Team to validate that they are legitimate.
- Actions (Playbook)
Which actions are required if your use case triggers? How should it be
investigated and which information needs to be reported? Clearly define the expected
remediation steps.
Example:
Analyst:
1) On alert, check the account which is being added (field “member”) and account which
is adding (field “subject”), as well as the group the account is being added to.
2) Check if there are currently any incidents or change requests open for this user to be
added to this group. If yes, close the incident as benign. If not, raise a Security Incident for
further investigation to take place.
3) If the action happens out of hours or if there are any other suspicious factors:
immediately revoke group membership and disable both accounts involved until a clear picture
of what has happened can be established.
- Limitations
Are there any known limitations to the use case? Can attackers bypass our detection
using other methods? Is the log source we are receiving events from stable?
Example: Threat actors may be able to raise privileges and perform malicious actions
before a proper response can be initiated by all parties involved.
- Alternative Solutions
Are there any alternative options to creating the use case?
Example:
1) AD Hardening
2) Reducing the number of authorized accounts that are able to modify group
memberships.
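As an added example (not part of the exercise handout), the following Python sketch runs the PE_001 detection and playbook steps above over constructed Event ID 4732 records; the parsed field names, the business-hours window and the change-control register are assumptions.

```python
"""Detection and triage for Windows Event ID 4732 (member added to a
security-enabled local group), following the PE_001 playbook steps.
All sample events and the change register below are constructed."""
from datetime import datetime

# Well-known SID of the built-in local Administrators group. Matching on the
# SID rather than the display name still works if the group has been renamed.
ADMINS_SID = "S-1-5-32-544"
BUSINESS_HOURS = range(8, 18)  # 08:00-17:59 local time (assumed policy)

# Constructed sample events shaped like parsed 4732 records in a SIEM.
SAMPLE_EVENTS = [
    {"EventID": 4732, "TimeCreated": "2024-03-12T10:15:00", "Computer": "WS01",
     "SubjectUserName": "jdoe", "MemberSid": "S-1-5-21-1-2-3-1105",
     "MemberName": "CORP\\svc_backup", "TargetUserName": "Administrators",
     "TargetSid": ADMINS_SID},
    {"EventID": 4732, "TimeCreated": "2024-03-12T02:40:00", "Computer": "WS02",
     "SubjectUserName": "helpdesk1", "MemberSid": "S-1-5-21-1-2-3-1199",
     "MemberName": "CORP\\tmpuser", "TargetUserName": "Administrators",
     "TargetSid": ADMINS_SID},
    {"EventID": 4732, "TimeCreated": "2024-03-12T11:00:00", "Computer": "WS03",
     "SubjectUserName": "jdoe", "MemberSid": "S-1-5-21-1-2-3-1106",
     "MemberName": "CORP\\printadmin", "TargetUserName": "Print Operators",
     "TargetSid": "S-1-5-32-550"},
]
# Constructed change-control register: approved (member SID, group SID) pairs.
OPEN_CHANGES = {("S-1-5-21-1-2-3-1105", ADMINS_SID)}


def is_pe_001_hit(event):
    """Fire only on 4732 events whose target group is local Administrators."""
    return event.get("EventID") == 4732 and event.get("TargetSid") == ADMINS_SID


def triage(event, open_changes=OPEN_CHANGES):
    """Playbook steps 1-3: return (verdict, actions) for a PE_001 alert."""
    key = (event["MemberSid"], event["TargetSid"])
    if key in open_changes:
        return "benign", ["close alert: matching change request found"]
    actions = ["raise security incident",
               f"investigate subject {event['SubjectUserName']}"]
    hour = datetime.fromisoformat(event["TimeCreated"]).hour
    if hour not in BUSINESS_HOURS:  # out of hours: contain first
        actions += [f"revoke {event['MemberName']} from {event['TargetUserName']}",
                    f"disable {event['MemberName']} and {event['SubjectUserName']}"]
        return "contain", actions
    return "incident", actions


def run(events=SAMPLE_EVENTS):
    """Apply detection then triage; returns {Computer: verdict} for hits only."""
    return {e["Computer"]: triage(e)[0] for e in events if is_pe_001_hit(e)}
```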
