This blog is part five of the Insider Threat Hunt: The Series, a collection of blogs where we demonstrate how to analyze large synthetic data sets for insider threat patterns. In part one of the series, we identified a user who attempted to access company systems after leaving the organization. The second part of the series focused on identifying a user who had uploaded company data to an external site before resigning. The third part of the series identified an employee who saved considerable amounts of data to a USB device while soliciting employment from a competitor. Part four identified an employee snooping around a colleague's machine.
This blog will identify a system administrator who used a keylogger to hijack a supervisor's company email account to send a mass email before terminating employment. The scenario and analysis presented here are based on a dataset from Carnegie Mellon University's Insider Threat Dataset (available for public download at KiltHub), using fictitious data, including email addresses, company names, and individuals' names.
If you would like to follow along, create a free Gigasheet account, download a copy of the dataset, and get hunting.
The scenario presented in this blog involves a resentful System Administrator who planted a keylogger on their supervisor's computer using a USB thumb drive, logged into the supervisor's machine using credentials captured by the keylogger, and sent a mass email from the hijacked email account.
The dataset used in this analysis is approximately 22 GB compressed, containing eight (8) data sources. However, for this demonstration, we only use the following five (5):
The scenario states that a System Administrator installed a keylogger on their supervisor's computer using a USB thumb drive. Hence, our analysis begins with file.csv, a 1.24 GB file containing over 2 million rows of details about file transfers to and from removable media.
We start by searching for the keyword "keylog" using Gigasheet's built-in search function, returning two instances of "R:\keylogger.exe" within the FILENAME column.
We then right-click "R:\keylogger.exe" and select "Filter to this" to filter out irrelevant data.
While the first log suggests that on 2010-08-12 at 16:11:39, user PLJ1771 copied a file named keylogger.exe to removable media on a computer named PC-7272, the second log implies that on 2010-08-12 at 20:29:44, the same user copied the same file (or a file with the same name) from removable media connected to a computer named PC-3999.
We can now analyze the LDAP CSV files to reveal PLJ1771's identity. Each LDAP file is named YYYY-MM.csv, where YYYY indicates the year and MM the month the file was generated. In the first blog of the Insider Threat Hunt: The Series, we noted that each LDAP file contains a list of active users at the end of the particular month. We also noted that the LDAP file for a specific month is generated at the end of that month; therefore, users who end employment in the middle of a month will be included in the previous month's LDAP file but not in the LDAP file for the month the employment ended. For example, users departing in June will appear in May's LDAP file but not in June's.
To avoid searching for the alleged culprit on each LDAP CSV file, we can select the eighteen (18) LDAP files and use the combine function to merge them into a single file named ldap.csv.
Using the search function, we can quickly identify PLJ1771 as Pearl Leslie Johnston, an ITAdmin and a member of the Electronic Security team in the Security department, reporting to Hedda Indira Savage.
We then analyze the logon.csv file to confirm that PLJ1771 logged into the supervisor's computer, PC-3999, after installing the keylogger on 2010-08-12. We apply a filter to the PC, ACTIVITY, and DATE columns to identify logon activity on PC-3999 on or after 2010-08-12.
We can now confirm that PLJ1771 logged on to PC-3999 on 2010-08-12 at 20:17:48, a few minutes before installing the keylogger, and then again on 2010-08-13 at 19:02:35 to (presumably) send the email.
To find the email, we first need to identify the supervisor’s user ID. We can apply a filter to the EMPLOYEE_NAME column in the ldap.csv file as shown below, which reveals the supervisor’s user ID.
The System Administrator must have sent the email after the second logon event to PC-3999 on 2010-08-13 at 19:02:35. We can confirm this by analyzing the email.csv file and applying the following filter:
We can see that an email was sent using the supervisor's user ID, HIS1706, on 2010-08-13 at 19:27:09, from the supervisor's machine, PC-3999, to several email addresses.
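The same correlation can be expressed as a repeatable check rather than a sequence of clicks. The Python below is an added example, not Gigasheet's code or part of the original post: it runs the hunt over a few constructed rows, and goes one step beyond the manual walkthrough by attributing every email sent under the supervisor's ID to whoever held the most recent logon on that PC at send time. The column names for email.csv and ldap.csv (USER, PC, TO, USER_ID, SUPERVISOR) and the ISO timestamp format are assumptions.

```python
import csv
import io
from datetime import datetime

def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def rows(text):
    return list(csv.DictReader(io.StringIO(text)))
# Constructed sample data with the columns the hunt used; not rows from the real dataset.
FILE_CSV = r"""DATE,USER,PC,FILENAME
2010-08-12 09:00:00,ABC0001,PC-0001,R:\budget.xlsx
2010-08-12 16:11:39,PLJ1771,PC-7272,R:\keylogger.exe
2010-08-12 20:29:44,PLJ1771,PC-3999,R:\keylogger.exe
"""
LDAP_CSV = """EMPLOYEE_NAME,USER_ID,ROLE,SUPERVISOR
Pearl Leslie Johnston,PLJ1771,ITAdmin,Hedda Indira Savage
Hedda Indira Savage,HIS1706,Director,
"""
LOGON_CSV = """DATE,USER,PC,ACTIVITY
2010-08-12 20:17:48,PLJ1771,PC-3999,Logon
2010-08-12 20:40:00,PLJ1771,PC-3999,Logoff
2010-08-13 07:50:00,HIS1706,PC-3999,Logon
2010-08-13 19:02:35,PLJ1771,PC-3999,Logon
"""
EMAIL_CSV = """DATE,USER,PC,TO
2010-08-13 08:15:00,HIS1706,PC-3999,staff@example.com
2010-08-13 19:27:09,HIS1706,PC-3999,all@example.com
"""

def trace_keylogger_hijack(file_csv, logon_csv, ldap_csv, email_csv, keyword="keylog"):
    """Replay the hunt: removable-media drop -> LDAP identity -> logons -> mail under the boss's ID."""
    ldap = {r["USER_ID"]: r for r in rows(ldap_csv)}
    name_to_id = {r["EMPLOYEE_NAME"]: r["USER_ID"] for r in ldap.values()}
    logons = sorted((lg for lg in rows(logon_csv) if lg["ACTIVITY"] == "Logon"), key=lambda lg: ts(lg["DATE"]))
    findings = []
    for drop in (r for r in rows(file_csv) if keyword in r["FILENAME"].lower()):
        suspect, pc, dropped_at = drop["USER"], drop["PC"], ts(drop["DATE"])
        boss_id = name_to_id.get(ldap.get(suspect, {}).get("SUPERVISOR", ""))
        for mail in rows(email_csv):
            if mail["USER"] != boss_id or mail["PC"] != pc or ts(mail["DATE"]) <= dropped_at:
                continue
            # Attribute the mail to whoever held the most recent logon on that PC when it was sent.
            last = [lg for lg in logons if lg["PC"] == pc and ts(lg["DATE"]) <= ts(mail["DATE"])]
            if last and last[-1]["USER"] == suspect:
                findings.append({"suspect": suspect, "suspect_name": ldap[suspect]["EMPLOYEE_NAME"],
                                 "hijacked_id": boss_id, "pc": pc, "logon": last[-1]["DATE"],
                                 "email": mail["DATE"], "to": mail["TO"]})
    return findings
```

The supervisor's own 08:15 email is not flagged because the latest logon before it was hers; only the 19:27:09 message, sent while PLJ1771 held the session, is returned.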