UEBA Use Cases With Scenario Examples

The document outlines various use cases for User and Entity Behavior Analytics (UEBA) and User Behavior Analytics (UBA), detailing scenarios that involve abnormal user activities, potential credential compromises, and policy violations. Each use case includes specific MITRE ATT&CK mappings, log analysis, unusual activity indicators, and recommended response steps. The scenarios range from detecting unusual access patterns to monitoring for phishing attempts and ensuring compliance with regulatory requirements.


UEBA/UBA USE CASES WITH SCENARIO EXAMPLES AND MITRE ATT&CK MAPPING

BY IZZMIER IZZUDDIN

USE CASES

1. Detecting abnormal working hours and unusual access patterns to sensitive data

• T1078: Valid Accounts: Abuse of legitimate credentials to access resources during unusual hours.
• T1071: Application Layer Protocol: Unusual access patterns can also indicate C2 communication using common protocols.

Scenario: A financial analyst in a bank is accessing a large volume of sensitive financial records late at night, which is not typical for their role.

Logs Analysis:

1. Log Data:
o Time: 02:30 AM
o User: Izzmier
o Accessed Resources: Financial Records Database
o IP Address: 192.168.10.23
2. Unusual Activity:
o User Izzmier typically accesses the financial records database between 09:00 AM and 05:00 PM.
o Accessing a large volume of records during unusual hours indicates
potential misuse or compromise.
3. Response Steps:
o Identify: Confirm the user's usual working hours and typical access
patterns.
o Investigate: Check if the user is on leave or reported any unusual
activity on their account.
o Mitigate: Temporarily lock the account and reset credentials.
o Report: Document the incident and notify the relevant teams for
further action.

2. Detecting logins from unusual geographic locations and sudden changes in user behaviour

• T1078: Valid Accounts: Compromised accounts used from different geographic locations.
• T1098: Account Manipulation: Changes in user behaviour might indicate account changes or compromise.

Scenario: A user account shows logins from two different geographic locations
within a short time span, suggesting possible credential compromise.

Logs Analysis:
1. Log Data:
o Time: 10:00 AM
o User: Izzmier
o Location 1: Kuala Lumpur, Malaysia
o IP Address: 192.168.20.45
o Time: 10:15 AM
o User: Izzmier
o Location 2: Manchester, UK
o IP Address: 203.0.113.78
2. Unusual Activity:
o Rapid geographic change is unlikely without VPN or similar services.
o Indicates potential credential compromise and unauthorised access.
3. Response Steps:
o Identify: Validate the login events and check for the use of VPNs or
remote access services.
o Investigate: Contact the user to confirm their recent activities and
locations.
o Mitigate: Reset the user's credentials and enforce multifactor
authentication (MFA).
o Report: Document the incident and perform a security audit on the
affected account.
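The "impossible travel" logic behind this use case, written out as an added example (it is not code from the original document or its author): for each user, consecutive logins are paired up, the great-circle distance between the two geolocated points is divided by the time between them, and any pair that would require faster-than-airliner travel is reported. The login records, coordinates and timestamps below are constructed to mirror the scenario; the airliner threshold of 1000 km/h is an assumed tuning value.

```python
"""Impossible-travel check for login events.

Added example, not part of the original UEBA document. Coordinates, times
and the speed threshold are constructed/assumed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
# Above roughly airliner speed one person cannot have made both logins (assumed threshold).
MAX_PLAUSIBLE_SPEED_KMH = 1000.0


@dataclass(frozen=True)
class Login:
    user: str
    when: datetime
    city: str
    ip: str
    lat: float
    lon: float


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two latitude/longitude points."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def required_speed_kmh(earlier, later):
    """Speed one traveller would need in order to be present at both logins."""
    hours = abs((later.when - earlier.when).total_seconds()) / 3600.0
    distance = haversine_km(earlier.lat, earlier.lon, later.lat, later.lon)
    if hours == 0:
        return float("inf") if distance > 0 else 0.0
    return distance / hours


def find_impossible_travel(logins, max_speed_kmh=MAX_PLAUSIBLE_SPEED_KMH):
    """Return (earlier, later, speed_kmh) for every consecutive pair of logins by
    the same user whose implied travel speed exceeds max_speed_kmh."""
    by_user = {}
    for login in sorted(logins, key=lambda l: (l.user, l.when)):
        by_user.setdefault(login.user, []).append(login)
    findings = []
    for events in by_user.values():
        for earlier, later in zip(events, events[1:]):
            speed = required_speed_kmh(earlier, later)
            if speed > max_speed_kmh:
                findings.append((earlier, later, speed))
    return findings


# Constructed sample mirroring the scenario: Kuala Lumpur at 10:00, Manchester at 10:15.
# A second user with a plausible same-day Kuala Lumpur -> Singapore trip is the negative case.
SAMPLE_LOGINS = [
    Login("Izzmier", datetime(2024, 5, 6, 10, 0), "Kuala Lumpur, MY", "192.168.20.45", 3.139, 101.687),
    Login("Izzmier", datetime(2024, 5, 6, 10, 15), "Manchester, UK", "203.0.113.78", 53.483, -2.244),
    Login("Aisha", datetime(2024, 5, 6, 9, 0), "Kuala Lumpur, MY", "192.168.20.50", 3.139, 101.687),
    Login("Aisha", datetime(2024, 5, 6, 17, 0), "Singapore, SG", "203.0.113.12", 1.352, 103.820),
]

if __name__ == "__main__":
    for earlier, later, speed in find_impossible_travel(SAMPLE_LOGINS):
        minutes = int((later.when - earlier.when).total_seconds() // 60)
        print(f"{earlier.user}: {earlier.city} -> {later.city} in {minutes} min implies {speed:,.0f} km/h")
```

Two practical caveats: a private address such as 192.168.20.45 carries no geolocation of its own, so the first event's location must come from the VPN concentrator or office the address belongs to, and corporate VPN egress points should be allowlisted (or their users' "location" normalised) before this rule goes live, otherwise every VPN connect looks like a teleport.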

3. Monitoring actions of users with elevated privileges and detecting unusual use of administrative credentials

• T1078.003: Valid Accounts: Local Accounts: Use of privileged accounts in an unusual manner.
• T1087: Account Discovery: Detecting discovery activities by privileged accounts.

Scenario: An IT administrator is accessing and making changes to the HR database, which they typically do not handle.

Logs Analysis:

1. Log Data:
o Time: 11:30 AM
o User: Izzmier
o Accessed Resources: HR Database
o Changes Made: Added new user accounts, modified employee
records
o IP Address: 192.168.30.67
2. Unusual Activity:
o Izzmier typically manages IT infrastructure, not HR databases.
o Unusual access and changes indicate potential misuse or insider
threat.
3. Response Steps:
o Identify: Verify the admin's role and usual access privileges.
o Investigate: Check if the changes were authorised and review recent
activities.
o Mitigate: Restrict access to sensitive resources and review admin
account permissions.
o Report: Document the incident and notify HR and IT security teams
for further investigation.

4. Detecting unusual lateral movement within the network

• T1021: Remote Services: Use of remote services for lateral movement.
• T1071: Application Layer Protocol: Anomalous network connections indicative of lateral movement.

Scenario: A user is accessing multiple servers and databases that they usually do
not interact with, indicating possible lateral movement by an attacker.

Logs Analysis:

1. Log Data:
o Time: 02:00 PM
o User: Izzmier
o Accessed Servers: Server1, Server2, Server3
o IP Address: 192.168.40.89
o Activity: Accessing and querying databases across multiple servers
2. Unusual Activity:
o Izzmier typically accesses only one server related to their department.
o Multiple server access indicates potential lateral movement.
3. Response Steps:
o Identify: Confirm the user's usual access patterns and servers.
o Investigate: Check for any signs of compromised credentials or
access.
o Mitigate: Isolate the user account and monitor network traffic for
further anomalies.
o Report: Document the incident and notify network security teams for
detailed analysis.
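A concrete form of the "multiple servers the user never touches" check, added here as an example rather than taken from the original document: a per-user baseline of servers seen during a learning period, then a sliding time window over new events that fires when the user reaches several servers outside that baseline in quick succession. Server names, IPs, dates and the 30-minute/3-server thresholds are constructed or assumed.

```python
"""Lateral-movement fan-out detector.

Added example, not part of the original UEBA document. Hostnames, times,
IPs and thresholds are constructed/assumed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Access:
    user: str
    when: datetime
    server: str
    src_ip: str


def build_baseline(history):
    """Map each user to the set of servers they touched in the learning period.
    The history must come from a period believed to be clean, or an intruder's
    hosts become 'normal'."""
    baseline = defaultdict(set)
    for access in history:
        baseline[access.user].add(access.server)
    return baseline


def detect_fanout(events, baseline, window=timedelta(minutes=30), min_new_servers=3):
    """Flag a user whose accesses inside any `window`-long span include at least
    `min_new_servers` servers absent from their baseline. One finding per user."""
    per_user = defaultdict(list)
    for event in sorted(events, key=lambda e: e.when):
        per_user[event.user].append(event)

    findings = []
    for user, accesses in per_user.items():
        known = baseline.get(user, set())
        start = 0
        for end, current in enumerate(accesses):
            # Advance the window start until the span fits inside `window`.
            while current.when - accesses[start].when > window:
                start += 1
            in_window = accesses[start:end + 1]
            new_servers = {a.server for a in in_window} - known
            if len(new_servers) >= min_new_servers:
                findings.append({
                    "user": user,
                    "window_start": in_window[0].when,
                    "window_end": current.when,
                    "src_ips": sorted({a.src_ip for a in in_window}),
                    "new_servers": sorted(new_servers),
                })
                break  # one finding per user is enough to open a ticket
    return findings


# Constructed sample: two weeks of normal access, then the scenario's afternoon.
DAY = datetime(2024, 5, 6)
HISTORY = (
    [Access("Izzmier", DAY - timedelta(days=d) + timedelta(hours=10), "FinanceDB01", "192.168.40.89") for d in range(1, 15)]
    + [Access("Aisha", DAY - timedelta(days=d) + timedelta(hours=9), "HRApp01", "192.168.40.12") for d in range(1, 15)]
)
EVENTS = [
    Access("Izzmier", DAY.replace(hour=14, minute=0), "Server1", "192.168.40.89"),
    Access("Izzmier", DAY.replace(hour=14, minute=5), "Server2", "192.168.40.89"),
    Access("Izzmier", DAY.replace(hour=14, minute=12), "Server3", "192.168.40.89"),
    Access("Izzmier", DAY.replace(hour=14, minute=20), "FinanceDB01", "192.168.40.89"),
    Access("Aisha", DAY.replace(hour=14, minute=0), "HRApp01", "192.168.40.12"),
    Access("Aisha", DAY.replace(hour=15, minute=30), "HRApp02", "192.168.40.12"),  # one new host: not enough
]

if __name__ == "__main__":
    for finding in detect_fanout(EVENTS, build_baseline(HISTORY)):
        print(finding)
```

Aisha's single new host (HRApp02) stays below the threshold, which is the point of requiring several new servers in one window: a user legitimately onboarding to one new system should not page anyone, whereas three unfamiliar servers in twelve minutes should.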

5. Detecting unusual behaviour on endpoints and identifying potentially compromised devices

• T1059: Command and Scripting Interpreter: Unusual scripts or commands running on endpoints.
• T1082: System Information Discovery: Identifying unusual system discovery activities.

Scenario: An employee's workstation is running an unusual script that is attempting to connect to an external IP address.

Logs Analysis:

1. Log Data:
o Time: 04:00 PM
o User: Izzmier
o Endpoint: WorkstationIzzmier
o Script: SuspiciousScript.ps1
o External IP Address: 203.0.113.99
2. Unusual Activity:
o Izzmier does not typically run scripts or connect to external IPs.
o The script activity suggests potential malware or unauthorised
actions.
3. Response Steps:
o Identify: Validate the script execution and external connections.
o Investigate: Check for any malware infections or unauthorised
changes on the workstation.
o Mitigate: Isolate the workstation, terminate the script, and conduct a
full malware scan.
o Report: Document the incident and notify endpoint security teams for
further investigation.

6. Detecting unusual patterns in network traffic and potential command and control (C2) communication

• T1071: Application Layer Protocol: Unusual application layer traffic indicative of C2.
• T1071.004: Application Layer Protocol: DNS: Use of DNS for C2 communication.

Scenario: A spike in outbound traffic to an unfamiliar domain is detected, which could indicate data exfiltration.

Logs Analysis:

1. Log Data:
o Time: 01:45 PM
o User: IzzmierInternalNetwork
o Unusual Domain: exfil.example.com
o Spike in Traffic: 500MB data transfer
o IP Address: 192.168.50.100
2. Unusual Activity:
o Unfamiliar domain not previously accessed.
o Large volume of outbound traffic indicating potential data exfiltration.
3. Response Steps:
o Identify: Verify the domain and check DNS logs for recent queries.
o Investigate: Analyse traffic patterns and inspect data transferred.
o Mitigate: Block the domain and isolate affected systems.
o Report: Document the incident and inform network and data
protection teams.
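Both signals this use case maps to can be checked from the same flow/DNS records. The example below is added here and is not code from the original document: the first detector sums outbound bytes per source and parent domain for domains absent from a learned allowlist (the "unfamiliar domain, 500 MB" case), and the second counts distinct subdomain labels per parent domain, which is the usual first indicator of DNS-based C2 (T1071.004). The records, the 100 MB and 50-label thresholds and the two-label parent-domain heuristic are constructed or assumed; the domains used are reserved documentation names.

```python
"""Outbound-traffic anomaly checks: new-domain volume and DNS subdomain fan-out.

Added example, not part of the original UEBA document. All records and
thresholds are constructed/assumed; example.com/.net/.org are reserved names.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

MB = 1024 * 1024


@dataclass(frozen=True)
class Flow:
    when: datetime
    src_ip: str
    fqdn: str
    bytes_out: int


def parent_domain(fqdn, levels=2):
    """Crude registrable-domain guess: the last `levels` labels. Production code
    should use the Public Suffix List so that names under e.g. co.uk group correctly."""
    return ".".join(fqdn.lower().rstrip(".").split(".")[-levels:])


def known_domains(history):
    """Parent domains contacted during the (assumed clean) learning period."""
    return {parent_domain(f.fqdn) for f in history}


def detect_new_domain_transfers(flows, known, min_bytes=100 * MB):
    """Sum outbound bytes per (source, parent domain) for domains not in `known`
    and report those at or above min_bytes."""
    totals = defaultdict(int)
    for f in flows:
        domain = parent_domain(f.fqdn)
        if domain not in known:
            totals[(f.src_ip, domain)] += f.bytes_out
    return [
        {"src_ip": src, "domain": domain, "bytes_out": total}
        for (src, domain), total in sorted(totals.items())
        if total >= min_bytes
    ]


def detect_subdomain_fanout(flows, max_unique=50):
    """Count distinct subdomain prefixes per (source, parent domain). Many
    never-repeated labels under one domain are characteristic of DNS tunnelling."""
    prefixes = defaultdict(set)
    for f in flows:
        labels = f.fqdn.lower().rstrip(".").split(".")
        if len(labels) > 2:
            prefixes[(f.src_ip, ".".join(labels[-2:]))].add(".".join(labels[:-2]))
    return [
        {"src_ip": src, "domain": domain, "unique_subdomains": len(seen)}
        for (src, domain), seen in sorted(prefixes.items())
        if len(seen) >= max_unique
    ]


# Constructed sample: a week of normal traffic, then the scenario's afternoon.
T0 = datetime(2024, 5, 6, 13, 45)
HISTORY = [Flow(T0 - timedelta(days=d), "192.168.50.100", "portal.example.org", 2 * MB) for d in range(1, 8)]
EXFIL = [Flow(T0 + timedelta(minutes=i), "192.168.50.100", "exfil.example.com", 100 * MB) for i in range(5)]
TUNNEL = [Flow(T0 + timedelta(seconds=i), "192.168.50.100", f"{i:04x}a9.t.example.net", 64) for i in range(60)]
NORMAL = [Flow(T0, "192.168.50.101", "portal.example.org", 3 * MB)]
TODAY = EXFIL + TUNNEL + NORMAL

if __name__ == "__main__":
    known = known_domains(HISTORY)
    print(detect_new_domain_transfers(TODAY, known))
    print(detect_subdomain_fanout(TODAY))
```

Note that the tunnelling traffic never trips the byte-volume rule (60 queries of 64 bytes), and the 500 MB transfer never trips the subdomain rule: the two detectors cover different C2 styles and should run side by side, with "Investigate" in the response steps above starting from whichever fired.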

7. Monitoring the behaviour of applications and detecting unauthorised changes to application settings

• T1496: Resource Hijacking: Unauthorised changes might indicate resource hijacking.
• T1036: Masquerading: Unauthorised application behaviour might indicate masquerading activities.

Scenario: An internal application is accessing files and directories it typically doesn't interact with, suggesting possible exploitation.

Logs Analysis:

1. Log Data:
o Time: 09:30 AM
o Application: InternalApp
o Accessed Files: SensitiveConfig.cfg, AdminDirectory/
o IP Address: 192.168.60.110
2. Unusual Activity:
o Application usually interacts with a specific set of files.
o Accessing sensitive configurations and directories indicates possible
exploitation.
3. Response Steps:
o Identify: Verify usual behaviour of the application and recent
updates.
o Investigate: Review application logs and check for unauthorised
changes.
o Mitigate: Revert unauthorised changes and enhance application
monitoring.
o Report: Document the incident and notify application security teams.

8. Identifying behaviour consistent with malware infection and monitoring for unusual file downloads and executions

• T1204: User Execution: User execution of malicious files.
• T1059: Command and Scripting Interpreter: Unusual script executions indicative of malware activity.

Scenario: A user downloads a file from an email, and shortly after, multiple
endpoints show unusual behaviour indicative of ransomware.

Logs Analysis:

1. Log Data:
o Time: 11:00 AM
o User: Izzmier
o Downloaded File: SuspiciousAttachment.zip
o Affected Endpoints: Workstation1, Workstation2, Server3
o IP Address: 192.168.70.120
2. Unusual Activity:
o Multiple endpoints exhibiting unusual behaviour such as file
encryption.
o Indicates potential ransomware spread initiated by the downloaded
file.
3. Response Steps:
o Identify: Confirm the source of the download and affected endpoints.
o Investigate: Isolate affected systems and check for malware
signatures.
o Mitigate: Implement endpoint isolation, restore from backups, and
update anti-malware defences.
o Report: Document the incident and notify incident response and
recovery teams.

9. Identifying patterns indicative of successful phishing attempts and monitoring user behaviour post-phishing attack

• T1566: Phishing: Techniques used to execute phishing attacks.
• T1078: Valid Accounts: Compromised accounts resulting from successful phishing.

Scenario: Several employees report receiving a suspicious email, and subsequent behaviour suggests a successful phishing attempt.

Logs Analysis:

1. Log Data:
o Time: 08:00 AM
o User: Multiple Employees
o Email Subject: "Urgent: Update Your Password"
o Link Clicked: phishing.example.com
o IP Address: Multiple IPs
2. Unusual Activity:
o Employees reported suspicious emails and clicked on phishing links.
o Subsequent unauthorised activities on employee accounts indicate
compromise.
3. Response Steps:
o Identify: Collect reports of suspicious emails and analyse email
headers.
o Investigate: Check for any unauthorised access or changes in user
accounts.
o Mitigate: Reset passwords for affected accounts and conduct
phishing awareness training.
o Report: Document the incident and notify the IT and security
awareness teams.

10. Detecting multiple failed login attempts and monitoring for successful logins following multiple failures

• T1110: Brute Force: Multiple failed login attempts indicating brute force attempts.
• T1078: Valid Accounts: Use of valid accounts following brute force attempts.

Scenario: Multiple failed login attempts are detected on an admin account followed
by a successful login.

Logs Analysis:

1. Log Data:
o Time: 07:00 PM
o User: AdminUser
o Failed Attempts: 10
o Successful Login: Yes
o IP Address: 192.168.80.130
2. Unusual Activity:
o Multiple failed attempts followed by a successful login indicate
potential brute force attack.
3. Response Steps:
o Identify: Verify the failed login attempts and successful login details.
o Investigate: Check for any signs of compromised credentials or
unauthorised activities.
o Mitigate: Reset the admin account credentials and enhance login
security measures.
o Report: Document the incident and notify the security operations
team for further monitoring.

11. Ensuring user activities comply with regulatory requirements and detecting policy violations

• T1480: Execution Guardrails: Ensuring activities comply with set guardrails.
• T1201: Password Policy Discovery: Detecting attempts to discover password policies.

Scenario: An audit requires ensuring that access to sensitive financial data complies with industry regulations.

Logs Analysis:

1. Log Data:
o Time: Throughout audit period
o User: Various financial department employees
o Accessed Resources: Sensitive financial data
o Actions Taken: Access, modify, and delete operations
o IP Addresses: Internal network IPs
2. Unusual Activity:
o Detecting any deviations from compliance requirements, such as
unauthorised access or modifications.
3. Response Steps:
o Identify: Review user activities related to sensitive financial data.
o Investigate: Check for any access violations or unauthorised
modifications.
o Mitigate: Implement stricter access controls and monitoring for
sensitive data.
o Report: Document the findings and ensure all activities comply with
regulatory requirements.

12. Monitoring for deviations from established security policies and detecting unauthorised access to restricted areas

• T1078: Valid Accounts: Unauthorised access to restricted areas using valid accounts.
• T1036: Masquerading: Deviations indicating potential masquerading.

Scenario: An employee uses unauthorised cloud storage services to transfer company data.

Logs Analysis:

1. Log Data:
o Time: 03:00 PM
o User: Izzmier
o Action: Transferring data to unauthorised cloud storage
o Cloud Service: UnauthorisedCloudService.com
o IP Address: 192.168.90.140
2. Unusual Activity:
o Izzmier typically uses approved cloud storage services.
o Transferring data to an unauthorised cloud service indicates a policy
violation.
3. Response Steps:
o Identify: Verify the user's activities and cloud service usage.
o Investigate: Check for any unauthorised data transfers or access.
o Mitigate: Block access to unauthorised cloud services and enforce
security policies.
o Report: Document the incident and notify the compliance and IT
security teams.

13. Detecting anomalies in data access and usage and identifying deviations from normal data access patterns

• T1078: Valid Accounts: Unusual data access using valid accounts.
• T1003: Credential Dumping: Deviations might indicate credential dumping attempts.

Scenario: An employee suddenly accesses a large volume of confidential documents.

Logs Analysis:

1. Log Data:
o Time: 10:30 AM
o User: Izzmier
o Accessed Resources: Confidential documents
o Volume of Access: 500 documents within an hour
o IP Address: 192.168.100.150
2. Unusual Activity:
o Izzmier typically accesses only a few documents related to their role.
o A sudden spike in accessing a large volume of confidential
documents indicates potential misuse or credential compromise.
3. Response Steps:
o Identify: Validate the user's usual access patterns and recent
activities.
o Investigate: Check for any signs of credential compromise or
unauthorised access.
o Mitigate: Restrict the user's access to sensitive documents and reset
their credentials.
o Report: Document the incident and notify the data protection and IT
security teams for further investigation.
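Use cases 1 and 13 are both per-user baseline deviations, one on the hour of day and one on volume, so one example serves both. It is added here and is not code from the original document: a baseline learned from a history assumed to be clean records which hours each user is normally active and the mean and standard deviation of records they touch per active hour; new events are then bucketed by user and hour and flagged when the hour is outside the learned set (use case 1, the 02:30 access) or when the count is a z-score outlier (use case 13, the 500 documents in an hour). Records, the 20-day history and the z=3/10-record thresholds are constructed or assumed.

```python
"""Per-user hour-of-day and volume baseline for data-access events.

Added example, not part of the original UEBA document; serves use cases 1
(off-hours access) and 13 (volume spike). Records and thresholds are
constructed/assumed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, pstdev


@dataclass(frozen=True)
class Access:
    user: str
    when: datetime
    resource: str
    src_ip: str


def hour_bucket(when):
    return when.replace(minute=0, second=0, microsecond=0)


class UserBaseline:
    """Learned from a history believed to be clean: the hours of day each user
    is active, and the mean/std-dev of records they touch per active hour."""

    def __init__(self, history):
        self.active_hours = defaultdict(set)
        per_hour = defaultdict(lambda: defaultdict(int))
        for a in history:
            self.active_hours[a.user].add(a.when.hour)
            per_hour[a.user][hour_bucket(a.when)] += 1
        self.volume_stats = {}
        for user, buckets in per_hour.items():
            counts = list(buckets.values())
            self.volume_stats[user] = (mean(counts), pstdev(counts) if len(counts) > 1 else 0.0)

    def is_off_hours(self, user, hour):
        # A user with no history cannot be judged on hours; the volume rule still applies.
        return user in self.active_hours and hour not in self.active_hours[user]

    def volume_zscore(self, user, count):
        mu, sigma = self.volume_stats.get(user, (0.0, 0.0))
        if sigma == 0:
            return float("inf") if count > mu else 0.0  # no spread (or no history): any excess is extreme
        return (count - mu) / sigma


def detect(events, baseline, z_threshold=3.0, min_count=10):
    """Bucket events per (user, hour); emit off_hours and/or volume_spike findings."""
    buckets = defaultdict(list)
    for a in events:
        buckets[(a.user, hour_bucket(a.when))].append(a)
    findings = []
    for (user, hour), accesses in sorted(buckets.items()):
        n = len(accesses)
        if baseline.is_off_hours(user, hour.hour):
            findings.append({"kind": "off_hours", "user": user, "hour": hour, "count": n})
        z = baseline.volume_zscore(user, n)
        if n >= min_count and z > z_threshold:  # min_count stops tiny counts from firing on quiet users
            findings.append({"kind": "volume_spike", "user": user, "hour": hour, "count": n, "zscore": round(z, 1)})
    return findings


# Constructed history: 20 days of 09:00-17:00 work, 2-4 records per hour.
DB = "FinancialRecordsDB"
HISTORY = [
    Access("Izzmier", datetime(2024, 5, 1, hour, 5) + timedelta(days=day, minutes=i), DB, "192.168.10.23")
    for day in range(20) for hour in range(9, 17) for i in range((day + hour) % 3 + 2)
]
# Constructed test day: 40 records at 02:30, 500 documents at 10:30, a normal 14:10.
D = datetime(2024, 5, 27)
EVENTS = (
    [Access("Izzmier", D.replace(hour=2, minute=30) + timedelta(seconds=i), DB, "192.168.10.23") for i in range(40)]
    + [Access("Izzmier", D.replace(hour=10, minute=30) + timedelta(seconds=i), "ConfidentialDocs", "192.168.100.150") for i in range(500)]
    + [Access("Izzmier", D.replace(hour=14, minute=10) + timedelta(minutes=i), DB, "192.168.10.23") for i in range(3)]
)

if __name__ == "__main__":
    for finding in detect(EVENTS, UserBaseline(HISTORY)):
        print(finding)
```

The 02:30 bucket produces both finding kinds, which is worth keeping rather than de-duplicating: an off-hours login with normal volume and an off-hours bulk read deserve different priorities, and the response steps above (confirm leave status, lock and reset, notify) escalate differently for each.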
