icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons_061

Group Management Events Report

by Stephanie Dunn
December 7, 2016

Monitoring group membership changes is one of the most important aspects of any risk management program. These changes can be the result of routine internal position changes, temporary role changes, or employee turnover, which can lead to excessive privileges and increase overall risks for the organization. Attackers frequently target these lapses in an attempt to gain access to critical systems and data. This report can assist organizations in monitoring group membership changes, which can be useful in determining the effectiveness of existing security policies in place.

Many organizations routinely place their focus on securing domain groups and accounts, and not enough on monitoring local groups and guest accounts. Local groups and accounts can provide an entry point for attackers to gain access to the network, launch malware, and devastate critical systems. Failure to monitor these group membership changes can also lead to unauthorized access by malicious insiders in an attempt to modify or leak confidential information. 

Using the active scanning and host data sensors, Tenable SecurityCenter Continuous View (CV) can provide organizations with actionable information on group membership changes across the enterprise. By monitoring both local and domain group changes, organizations can identify and remediate potential security gaps before critical systems and data are compromised. 

This report uses Tenable Nessus to actively scan and enumerate group membership information from network hosts. Chapters within this report will highlight group membership changes and events from both Windows, macOS, Linux, and Unix-based platforms. Hosts are scanned using a combination of Server Message Block (SMB) enumeration, Lightweight Directory Access Protocol (LDAP) search queries, and Active Directory Service Interfaces (ADSI), which will provide useful information on group memberships. Event data from both local and domain-based groups is included and provides detailed information on group changes, user membership changes, and other related group membership activity. Using this report, organizations will be able to quickly mitigate risks associated with unauthorized group membership changes, and ensure least privilege practices.

This report is available in the SecurityCenter Feed, a comprehensive collection of dashboards, reports, Assurance Report Cards, and assets. The report can be easily located in the SecurityCenter Feed under the category Monitoring. The report requirements are:

  • SecurityCenter 5.4.0
  • Nessus 6.9.1
  • LCE 4.8.1
  • Local Checks
  • Tenable LCE Client

Tenable Network Security transforms security technology for the business needs of tomorrow through comprehensive solutions that provide continuous visibility and critical context, enabling decisive actions to protect the organization. Tenable SecurityCenter is continuously updated with information about advanced threats and zero-day vulnerabilities, and new types of regulatory compliance configuration audit files. Active scanning examines running systems and services, detects vulnerable software applications, and analyzes configuration settings. Host data and data from other security products is analyzed to monitor events from systems across the network. Monitoring the network to ensure that all systems are secured against unauthorized changes is essential to ongoing security efforts. Tenable enables powerful, yet non-disruptive, continuous monitoring that will enable organizations with the information needed to proactively respond to risks within the enterprise.

The following chapters are included within this report:

  • Executive Summary: The Executive Summary chapter presents a summary of the top group membership changes across multiple platforms. Information will highlight changes across Windows, macOS, Linux, and Unix systems. Using the active scanning by Tenable Nessus though SMB enumeration, LDAP search queries, and using ADSI. Data is also obtained from normalized event logs from the Tenable Log Correlation Engine (LCE). Elements within this chapter include an overview of group membership changes per Class C network subnet, and summary of the top group membership change events.
  • Windows Group Membership: This chapter provides a group membership analysis of systems running Windows over the last seven days. Information presented within this chapter includes a summary of hosts within domain and local group membership changes that have been detected. Additional details on the detected group are available, such as IP address, group type, and users within a group. Group event changes are also noted within this chapter, which will highlight universal, global, and local groups changes within the enterprise.
  • Linux/Unix Group Membership: This chapter is a group membership analysis of systems running LDAP over the last seven days. Data inside this chapter will present an overview of LDAP group memberships on hosts throughout the enterprise. Information presented within this chapter includes a summary of hosts within domain and local group membership changes that have been detected. Additional details on the detected group are available, such as IP address, group type, and users within a group. Changes to groups, user accounts, and passwords are also presented within this chapter, which will highlight users added to groups, group password changes, and users removed from groups on Linux and Unix hosts.
  • macOS Group Membership: This chapter provides a list of systems that have modified Admin and Wheel groups on macOS hosts. The Admin and Wheel groups grant users root level access to the computer by using the 'su' or 'sudo' commands. The chapter begins with a summary table outlining the hosts identified with Nessus plugin ID 60019. The table is followed by an iteration of each host. For each host, there is a user summary table, followed by the detailed results for plugin ID 60019.