Indefinite Disabled User Detection

The Challenge: Getting Rid of Disabled User Accounts

What’s worse than the walking dead in real life? Zombie user accounts that suddenly have activity and intend to do harm to your organization.

Figure 1. Zombie User Accounts

I have spoken with several organizations in the past that have experienced insider threats or malicious threat actors that tried to use disabled accounts as a point of entry. Lucky for us, we can use the full potential of LogRhythm to detect this type of activity.

The Solution

Cleaning up disabled accounts can be quite simple. The first thing you need to do is make sure you have a Disabled Users Organizational Unit (OU) in Active Directory (AD). You can do this by right-clicking on the Domain forest (Tetra.local) and selecting New > Organizational Unit.

Figure 2. Create a Disabled Users Organizational Unit in Active Directory

Step 1: Create a Disabled Users Organizational Unit in Active Directory

After you have created the OU, you will need to create a new group called Disabled Users Group.

To create a new group, right-click and select New > Group. Apply the group membership to everyone in the Disabled Users OU. You can see in the below example that I applied the group membership to Rick Grimes.

Figure 3. Create a New User Group Called Disabled Users Group

Step 2: Create a New User Group Called Disabled Users Group

Note: Your organization will have to include this into the termination/off-boarding process to make sure that the user has this membership added to their account once it is disabled, so you can automatically pick up on any log activity.

If you have not done so already, make sure LogRhythm is synced via the Active Directory Domain Manager under the Platform Manager settings.

If your LogRhythm appliance is not on the domain, you can still perform this setup, but you will need to make sure that your Disabled Users are all together in one OU so that you can export to a .csv file later. Exporting to a .csv is as easy as right-clicking in the OU and selecting Export List.

Figure 4. Sync LogRhythm via the Active Directory Domain Manager

Step 3: Sync LogRhythm via the Active Directory Domain Manager

Next, create a new User List in your List Manager by selecting the +.

Select User:

Figure 5. Select User

Step 4A: Select User

Name your list and grant it the appropriate permissions:

Figure 6. Name Your List and Give it Permissions

Step 4B: Name Your List and Give it Permissions

Navigate to the List Items tab on the top and change your Item Type to Active Directory Group. Then select Add Item. If you manually exported your list in AD, select the Import Item button and skip to Step 5.

Figure 7. Navigate to List Items and Change Your Item Type to Active Directory Group

Step 4C: Navigate to list Items and Change Your Item Type to Active Directory Group

On the Active Directory Group Browser, filter by the Group name and select the arrow to select the group you created. You can see all the members in the group in the below section.

Figure 8. Filter by Group Name in the Active Directory Group Browser

Step 4D: Filter by Group Name in the Active Directory Group Browser

You will now see your Active Directory Group has been successfully added to the List Items.

Figure 9. Verify that Your Active Directory Group Has Been Successfully Added to the List Items

Now it’s time to create your AI Engine rule. To detect the disabled user accounts, you want to specify a Primary Criteria for anything related to the disabled user list. Make sure that in the Log Message Filter, there is an “or” statement between your Primary Criteria—or else the rule will not work properly.

Figure 10. Create the AI Engine Rule

Step 5: Create the AI Engine Rule

For your Log Source Criteria, you could leave this set to All Log Sources to detect any activity related to your disabled users. But if you want to be more specific, some good items to add here would be VPN Logs, Wireless Controller Logs, Windows MS Event Security Logs, or any other log source a zombie user might try to access.

Figure 11. Example Rule Block A

Example Rule Block A

Figure 12. Example Rule Block A Continued

Example Rule Block A Continued

Once the rule is established, you will now be able to detect disabled user account activity.

Figure 13. Successfully Monitoring Disabled User Account Activity with LogRhythm

Successfully Monitoring Disabled User Account Activity with LogRhythm

The Value

With just a little bit of setup, you can monitor for disabled “zombie” user account activity via a list. From there, you can extend AI Engine rule capabilities by monitoring disabled user accounts indefinitely.