26. UserAccounts
The UserAccounts module analyses the local user database. It checks for suspicious user names, suspicious members of the local Administrators group, an activated Guest account and user accounts created on a Sunday, and it reports recently logged-in users. If the hot time frame parameter (-f) is given, it also reports suspicious account activity on the given set of dates.
26.1. Samples
Oct 25 21:01:51 server44.local.net/10.216.2.186 THOR: Notice: MODULE: UserAccounts MESSAGE: Recently logged in USER: sa_backup FULL_NAME: sa_backup PRIV: 2 LAST_LOGON: 24/10/2017 16:08:22 BADPWCOUNT: 0 SERVER: \* NUM_LOGONS: 9 PASS_AGE: 105.00 days ACTIVE: True NO_EXPIRE: True LOCKED: False
Oct 23 15:27:12 server44.local.net/10.216.2.186 THOR: Warning: MODULE: UserAccounts MESSAGE: Last password change of user happened in relevant time frame USER: Administrator FULL_NAME: PRIV: 2 LAST_LOGON: 23/10/2017 08:03:15 BADPWCOUNT: 0 SERVER: \* NUM_LOGONS: 14 PASS_AGE: 3.00 days ACTIVE: True NO_EXPIRE: True LOCKED: False SCORE: 75
Aug 28 12:27:29 PROMETHEUS/10.0.2.4 THOR: Warning: MODULE: UserAccounts MESSAGE: Suspicious user name in Local Administrators group NAME: Guest SCORE: 75
Sep 8 12:32:39 PROMETHEUS/10.0.2.4 THOR: Warning: MODULE: UserAccounts MESSAGE: Suspicious user name KEYWORD: (^[0-9a-z]{1,3}$|^test$|^sa$|hack|exploit|nopw|temp) USER: neo FULL_NAME: PRIV: 2 LAST_LOGON: 30/08/2017 12:43:41 BADPWCOUNT: 0 SERVER: \* NUM_LOGONS: 352 PASS_AGE: 930.00 days ACTIVE: True NO_EXPIRE: True LOCKED: False SCORE: 75
26.2. Typical False Positives
- Organizations that use short user names (e.g. ska, mba, jmi)
- User creation on a Sunday creates warning messages in regions in which a Sunday is a normal working day (e.g. Israel)
26.3. Attribute Evaluation
Attribute | Question | Answer | Indication | Weight
---|---|---|---|---
MESSAGE | Is the user name suspicious but plausible in the organization? | Yes | Good | Medium
MESSAGE | Is the Guest account active although it shouldn't be? | Yes | Bad | High
MESSAGE | Has the Guest account been added to the local Administrators group? | Yes | Bad | High
MESSAGE | Does the account activity happen in the given hot time frame? | Yes | Bad | Medium
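The following script is an added example and is not part of the THOR manual or of THOR's own code. It parses single-line UserAccounts messages of the kind shown in 26.1 into fields, then applies the attribute evaluation of 26.3 plus an allow-list for the short-name false positive of 26.2 and a hot-date check modelled on the -f parameter. The keyword regex is the one quoted in the 26.1 sample; the allow-list (ska, mba, jmi), the hot dates and the two extra log lines (a known short name and an enabled Guest) are constructed, and the rule "an enabled Guest is never expected" is an assumption. The Sunday-creation check is not covered because no sample on this page carries a creation date.

```python
"""Triage of THOR UserAccounts findings (added example, not THOR's code)."""
import re
from datetime import date, datetime

# Keyword regex quoted in the "Suspicious user name" sample in 26.1.
SUSPICIOUS_NAME_RE = re.compile(r"(^[0-9a-z]{1,3}$|^test$|^sa$|hack|exploit|nopw|temp)")

# Constructed allow-list of short user names that are legitimate in this
# hypothetical organization (the false positive described in 26.2).
KNOWN_SHORT_NAMES = {"ska", "mba", "jmi"}

# Constructed hot time frame, standing in for the dates passed with -f.
HOT_DATES = {date(2017, 10, 23), date(2017, 10, 24)}

_PREFIX_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"THOR: (?P<level>\w+): (?P<rest>.*)$"
)
# A field key is an upper-case token followed by ": "; a value runs up to the
# next key, so values with spaces (MESSAGE, LAST_LOGON, PASS_AGE) stay intact.
_KEY_RE = re.compile(r"(?:^|(?<= ))([A-Z][A-Z_]*): ")


def parse_thor_line(line):
    """Split one THOR log line into a dict of ts/host/level and KEY: value fields."""
    m = _PREFIX_RE.match(line.strip())
    if not m:
        raise ValueError("not a THOR log line: %r" % line)
    fields = {"ts": m.group("ts"), "host": m.group("host"), "level": m.group("level")}
    rest = m.group("rest")
    keys = list(_KEY_RE.finditer(rest))
    for i, k in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(rest)
        fields[k.group(1)] = rest[k.end():end].strip()
    return fields


def logon_in_hot_frame(fields, hot_dates):
    """True if LAST_LOGON (day/month/year, as in the samples) falls on a hot date."""
    raw = fields.get("LAST_LOGON")
    if not raw:
        return False
    return datetime.strptime(raw, "%d/%m/%Y %H:%M:%S").date() in hot_dates


def triage(fields, hot_dates=frozenset()):
    """Apply the 26.3 attribute evaluation; returns (indication, weight, reason)."""
    msg = fields.get("MESSAGE", "")
    user = fields.get("USER") or fields.get("NAME") or ""
    if user == "Guest" and "Local Administrators group" in msg:
        return "Bad", "High", "Guest is a member of the local Administrators group"
    if user == "Guest" and fields.get("ACTIVE") == "True":
        # Assumption: an enabled Guest account is never expected in this organization.
        return "Bad", "High", "Guest account is enabled"
    if msg.startswith("Suspicious user name"):
        if user in KNOWN_SHORT_NAMES:
            return "Good", "Medium", "short user name is known in the organization"
        hit = SUSPICIOUS_NAME_RE.search(user)
        return "Review", "Medium", "user name %r matches %r" % (user, hit.group(0) if hit else None)
    if "relevant time frame" in msg or logon_in_hot_frame(fields, hot_dates):
        return "Bad", "Medium", "account activity inside the hot time frame"
    return "Info", "Low", "no evaluation rule triggered"


SAMPLE_LINES = [
    # The four samples from 26.1 re-joined onto one line each, followed by two
    # constructed lines (a known short name, an enabled Guest) for the other rules.
    "Oct 25 21:01:51 server44.local.net/10.216.2.186 THOR: Notice: MODULE: UserAccounts "
    "MESSAGE: Recently logged in USER: sa_backup FULL_NAME: sa_backup PRIV: 2 "
    "LAST_LOGON: 24/10/2017 16:08:22 BADPWCOUNT: 0 SERVER: \\* NUM_LOGONS: 9 "
    "PASS_AGE: 105.00 days ACTIVE: True NO_EXPIRE: True LOCKED: False",
    "Oct 23 15:27:12 server44.local.net/10.216.2.186 THOR: Warning: MODULE: UserAccounts "
    "MESSAGE: Last password change of user happened in relevant time frame "
    "USER: Administrator FULL_NAME: PRIV: 2 LAST_LOGON: 23/10/2017 08:03:15 BADPWCOUNT: 0 "
    "SERVER: \\* NUM_LOGONS: 14 PASS_AGE: 3.00 days ACTIVE: True NO_EXPIRE: True LOCKED: False SCORE: 75",
    "Aug 28 12:27:29 PROMETHEUS/10.0.2.4 THOR: Warning: MODULE: UserAccounts "
    "MESSAGE: Suspicious user name in Local Administrators group NAME: Guest SCORE: 75",
    "Sep 8 12:32:39 PROMETHEUS/10.0.2.4 THOR: Warning: MODULE: UserAccounts "
    "MESSAGE: Suspicious user name KEYWORD: (^[0-9a-z]{1,3}$|^test$|^sa$|hack|exploit|nopw|temp) "
    "USER: neo FULL_NAME: PRIV: 2 LAST_LOGON: 30/08/2017 12:43:41 BADPWCOUNT: 0 SERVER: \\* "
    "NUM_LOGONS: 352 PASS_AGE: 930.00 days ACTIVE: True NO_EXPIRE: True LOCKED: False SCORE: 75",
    "Sep 8 12:32:40 PROMETHEUS/10.0.2.4 THOR: Warning: MODULE: UserAccounts "
    "MESSAGE: Suspicious user name KEYWORD: (^[0-9a-z]{1,3}$|^test$|^sa$|hack|exploit|nopw|temp) "
    "USER: ska FULL_NAME: PRIV: 1 LAST_LOGON: 01/09/2017 09:00:00 BADPWCOUNT: 0 SERVER: \\* "
    "NUM_LOGONS: 40 PASS_AGE: 12.00 days ACTIVE: True NO_EXPIRE: False LOCKED: False SCORE: 75",
    "Oct 25 21:01:52 server44.local.net/10.216.2.186 THOR: Notice: MODULE: UserAccounts "
    "MESSAGE: Recently logged in USER: Guest FULL_NAME: PRIV: 0 "
    "LAST_LOGON: 20/10/2017 02:14:09 BADPWCOUNT: 0 SERVER: \\* NUM_LOGONS: 1 "
    "PASS_AGE: 0.00 days ACTIVE: True NO_EXPIRE: True LOCKED: False",
]


def triage_lines(lines, hot_dates=HOT_DATES):
    """Parse and triage each line; returns [(user, indication, weight, reason), ...]."""
    out = []
    for line in lines:
        f = parse_thor_line(line)
        ind, weight, reason = triage(f, hot_dates)
        out.append((f.get("USER") or f.get("NAME"), ind, weight, reason))
    return out


if __name__ == "__main__":
    for user, ind, weight, reason in triage_lines(SAMPLE_LINES):
        print("%-14s %-7s %-7s %s" % (user, ind, weight, reason))
```

Note that "neo" in the 26.1 sample is flagged by the `^[0-9a-z]{1,3}$` alternative of the keyword regex rather than by a keyword, which is exactly the short-name false positive of 26.2; the allow-list turns such a hit into the "suspicious but plausible" row of 26.3, while sa_backup, whose last logon falls on a constructed hot date, is rated Bad/Medium even though THOR only emitted a Notice for it.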