Monday, June 20, 2016

User and Entity Behavior Analytics ("UEBA")

  • User and Entity Behavior Analytics ("UEBA")
User Behavior Analytics ("UBA") as defined by Gartner, is a cybersecurity process about detection of insider threats, targeted attacks, and financial fraud. UBA solutions look at patterns of human behavior, and then apply algorithms and statistical analysis to detect meaningful anomalies from those patterns - anomalies that indicate potential threats.
User and Entity Behavior Analytics ("UEBA"). This expanded definition includes devices, applications, servers, data, or anything with an IP address.
https://en.wikipedia.org/wiki/User_behavior_analytics

  • user behavior analytics (UBA)
User behavior analytics (UBA) is the tracking, collecting and assessing of user data and activities using monitoring systems.
User behavior analytics tools have more advanced profiling and exception monitoring capabilities than SIEM systems and are used for two main functions. First, UBA tools determine a baseline of normal activities specific to the organization and its individual users. Second, they identify deviations from normal. UBA uses big data and machine learning algorithms to assess these deviations in near-real time.
http://searchsecurity.techtarget.com/definition/user-behavior-analytics-UBA


  • Defending Against Pass-The-Ticket Attacks
How Pass-the-Ticket Attacks Are Launched
Pass-the-Ticket attacks are typically launched in one of two ways:
The hacker steals a Ticket Granting Ticket or Service Ticket from a Windows machine and uses the stolen ticket to impersonate a user, or
The hacker steals a Ticket Granting Ticket or Service Ticket by compromising a server that performs authorization on the users’ behalf.
http://www.identityweek.com/defending-against-pass-the-ticket-attacks/

  • Windows Credentials Editor (WCE) – List, Add & Change Logon Sessions
Perform Pass-the-Hash on Windows
‘Steal’ NTLM credentials from memory (with and without code injection)
‘Steal’ Kerberos Tickets from Windows machines
Use the ‘stolen’ Kerberos Tickets on other Windows or Unix machines to gain access to systems and services
Dump cleartext passwords stored by Windows authentication packages
http://www.darknet.org.uk/2015/02/windows-credentials-editor-wce-list-add-change-logon-sessions


  • Windows Credentials Editor
Windows Credentials Editor (WCE) is a security tool to list logon sessions and add, change, list and delete associated credentials (ex.: LM/NT hashes, plaintext passwords and Kerberos tickets).
This tool can be used, for example, to perform pass-the-hash on Windows, obtain NT/LM hashes from memory (from interactive logons, services, remote desktop connections, etc.), obtain Kerberos tickets and reuse them in other Windows or Unix systems and dump cleartext passwords entered by users at logon.
WCE is a security tool widely used by security professionals to assess the security of Windows networks via Penetration Testing. It supports Windows XP, 2003, Vista, 7, 2008 and Windows 8.
http://www.ampliasecurity.com/research/windows-credentials-editor/

  • Using WCE (Windows Credential Editor)

C:\Users\Ale\Desktop>wce -l

WCE v1.4beta (X64) (Windows Credentials Editor) – (c) 2010-2013 Amplia Security

– by Hernan Ochoa (hernan@ampliasecurity.com)

Ale:WIN71_64:960407EE2F0ED879AAD3B435B51404EE:95947E88DC144165EEC12CC2039E56B6



C:\Users\Ale\Desktop>wce -w

WCE v1.4beta (X64) (Windows Credentials Editor) – (c) 2010-2013 Amplia Security

– by Hernan Ochoa (hernan@ampliasecurity.com)

Ale\WIN71_64:ceh123!
https://alexandreborges.org/2014/02/14/using-wce-windows-credential-editor


  • Pass the hash
In cryptanalysis and computer security, pass the hash is a hacking technique that allows an attacker to authenticate to a remote server/service by using the underlying NTLM and/or LanMan hash of a user's password, instead of requiring the associated plaintext password as is normally the case.
https://en.wikipedia.org/wiki/Pass_the_hash


  • UEBA is a new class of security technology that is designed to identify next-generation security threats that have penetrated traditional firewalls and other perimeter systems.
"User and Entity Behavior Analytics offers profiling and anomaly detection based on a range of analytics approaches, usually using a combination of basic analytics methods and advanced analytics…
Examples of these activities include unusual access to systems and data by trusted insiders or third parties, and breaches by external attackers evading preventative security controls.
The Niara behavioral analytics solution seamlessly integrates with the ClearPass network security platform to create the industry's most complete visibility and attack detection system.
http://www.marketwired.com/press-release/hpe-acquires-niara-to-enhance-security-at-the-intelligent-edge-nyse-hpe-2192822.htm
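The following is an added example, not code from any source quoted above: it ties the UBA "baseline then deviation" model from the TechTarget definition to the credential-theft techniques listed on this page (pass-the-ticket, WCE, pass-the-hash). It builds a per-account profile from constructed logon records and scores new logons by how many profile dimensions they fall outside; all hostnames, field names and timestamps are constructed for illustration and are not a real SIEM schema.

```python
# Added example (not code from any source quoted on this page): a toy UEBA-style
# baseline and deviation score over authentication events. Records and field names
# are constructed for illustration, not a real SIEM schema.
from collections import defaultdict
from datetime import datetime

# Constructed training window of routine logons for two accounts.
BASELINE_EVENTS = [
    {"user": "Ale", "src": "WIN71_64", "dst": "FILESRV01", "ts": "2016-06-13T09:05:00"},
    {"user": "Ale", "src": "WIN71_64", "dst": "FILESRV01", "ts": "2016-06-14T08:55:00"},
    {"user": "Ale", "src": "WIN71_64", "dst": "MAIL01", "ts": "2016-06-15T10:20:00"},
    {"user": "Ale", "src": "WIN71_64", "dst": "FILESRV01", "ts": "2016-06-16T09:40:00"},
    {"user": "svc_backup", "src": "BACKUP01", "dst": "FILESRV01", "ts": "2016-06-14T02:00:00"},
    {"user": "svc_backup", "src": "BACKUP01", "dst": "FILESRV01", "ts": "2016-06-15T02:00:00"},
]
# Constructed events to score: a routine logon, then Ale's credentials used from an
# unfamiliar workstation against the domain controller at 03:00 (stolen-credential pattern).
NEW_EVENTS = [
    {"user": "Ale", "src": "WIN71_64", "dst": "FILESRV01", "ts": "2016-06-20T09:10:00"},
    {"user": "Ale", "src": "WKS-HR-07", "dst": "DC01", "ts": "2016-06-20T03:12:00"},
]

def build_baseline(events):
    """Per-account profile: source hosts, target hosts and hours of day seen so far."""
    profile = defaultdict(lambda: {"src": set(), "dst": set(), "hour": set()})
    for e in events:
        p = profile[e["user"]]
        p["src"].add(e["src"])
        p["dst"].add(e["dst"])
        p["hour"].add(datetime.fromisoformat(e["ts"]).hour)
    return profile

def score_event(profile, e):
    """Deviation score = number of profile dimensions this event has never been seen in."""
    p = profile.get(e["user"])
    if p is None:
        return 3, ["account absent from baseline"]
    observed = {"src": e["src"], "dst": e["dst"], "hour": datetime.fromisoformat(e["ts"]).hour}
    reasons = [f"new {k}: {v}" for k, v in observed.items() if v not in p[k]]
    return len(reasons), reasons

def alerts(profile, events, threshold=2):
    """Events whose score reaches the threshold, as (user, src, dst, score, reasons)."""
    scored = ((e, *score_event(profile, e)) for e in events)
    return [(e["user"], e["src"], e["dst"], s, why) for e, s, why in scored if s >= threshold]

if __name__ == "__main__":
    for a in alerts(build_baseline(BASELINE_EVENTS), NEW_EVENTS):
        print(a)
```

Set membership is used here only to keep the idea visible; the products quoted above replace it with statistical and machine-learning models of each dimension, which is what lets them rank a first-time-seen host by how unusual it is rather than treating every novelty alike.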
