Triggers
- A privileged account is used to access a privileged service from a host on which the account has previously been observed, but from which that service has not been seen accessed before
Possible Root Causes
- The privileged account has been compromised and is being used to access a privileged service that is normal for the account, but from a host from which that service is not normally accessed; the host itself is a normal location for this account, yet no account has been seen accessing this service from it
- A privileged employee is using a backup or secondary machine (because their primary laptop crashed or they are away from their desk) to perform otherwise normal work for the account
Business Impact
- Lateral movement within a network involving privileged accounts, hosts, or services exposes an organization to substantial risk of data acquisition and exfiltration
- Unexplained unusual patterns of use of privileged accounts, hosts, and services are involved in almost all major breaches
- Attacks carried out by rogue insiders will often exhibit unusual patterns of use as well
- The accounts and hosts involved, and the services accessed, indicate the potential business impact
Steps to Verify
- Examine the Kerberos or Active Directory server logs for a more detailed view of this account's activity; if the account has been compromised, every host it has authenticated from must also be treated as compromised
- Verify that the host in question is a secondary machine belonging to the account owner
- Verify that the host from which the authentication is attempted is not a shared resource (such as a jump host), since an attacker may be using it as a pivot point
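The trigger condition and the verification steps above, expressed as an added Python example run over constructed Kerberos service-ticket events. This is illustrative code, not the detection's own implementation: the event fields (account, source host, service principal), the host and account names, the learning-period events and the "two or more accounts" definition of a shared host are all assumptions made for the example.

```python
"""Flag a privileged account reaching a privileged service from a host the
account normally uses but from which that service has never been accessed,
then answer the verification questions from the same baseline."""
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple, Set


class AuthEvent(NamedTuple):
    """One service-ticket request, loosely modelled on Windows event 4769
    fields: requesting account, source host, service principal requested."""
    account: str
    host: str
    service: str


# Constructed learning-period events (assumed, not real log data).
BASELINE_EVENTS: List[AuthEvent] = [
    AuthEvent("admin.jsmith", "WS-JSMITH-01", "MSSQLSvc/db01.corp.local"),
    AuthEvent("admin.jsmith", "WS-JSMITH-01", "cifs/fileserv01.corp.local"),
    AuthEvent("admin.jsmith", "LT-JSMITH-02", "cifs/fileserv01.corp.local"),
    AuthEvent("admin.akhan", "WS-AKHAN-01", "MSSQLSvc/db01.corp.local"),
    AuthEvent("admin.akhan", "JUMP-01", "MSSQLSvc/db01.corp.local"),
    AuthEvent("svc.backup", "JUMP-01", "cifs/fileserv01.corp.local"),
]


class Baseline(NamedTuple):
    account_hosts: Dict[str, Set[str]]     # hosts each account is seen on
    account_services: Dict[str, Set[str]]  # services each account reaches
    host_services: Dict[str, Set[str]]     # services reached from each host
    host_accounts: Dict[str, Set[str]]     # accounts seen on each host


def learn_baseline(events: Iterable[AuthEvent]) -> Baseline:
    """Record every observed (account, host), (account, service),
    (host, service) and (host, account) pairing from the learning period."""
    b = Baseline(defaultdict(set), defaultdict(set),
                 defaultdict(set), defaultdict(set))
    for e in events:
        b.account_hosts[e.account].add(e.host)
        b.account_services[e.account].add(e.service)
        b.host_services[e.host].add(e.service)
        b.host_accounts[e.host].add(e.account)
    return b


def classify(event: AuthEvent, b: Baseline) -> str:
    """Label a new event relative to the baseline.

    'unusual_host' is the trigger described on this page: the account is known
    on the host and the service is normal for the account, but nobody has been
    seen reaching that service from that host. The other labels are different
    anomalies that this particular trigger does not cover."""
    known_host = event.host in b.account_hosts.get(event.account, set())
    known_service = event.service in b.account_services.get(event.account, set())
    host_reaches_service = event.service in b.host_services.get(event.host, set())
    if not known_host:
        return "new_host_for_account"
    if not known_service:
        return "new_service_for_account"
    if not host_reaches_service:
        return "unusual_host"
    return "normal"


def hosts_touched_by(account: str, b: Baseline) -> Set[str]:
    """Every host the account has authenticated from. If the account turns
    out to be compromised, each of these must be treated as compromised too."""
    return set(b.account_hosts.get(account, set()))


def is_shared_host(host: str, b: Baseline, min_accounts: int = 2) -> bool:
    """A host used by several accounts (jump box, terminal server) is a
    candidate pivot point rather than someone's secondary machine.
    The threshold of two accounts is an assumption for this example."""
    return len(b.host_accounts.get(host, set())) >= min_accounts


if __name__ == "__main__":
    baseline = learn_baseline(BASELINE_EVENTS)
    # jsmith is known on the secondary laptop and normally uses db01,
    # but db01 has never been reached from that laptop: the trigger fires.
    suspect = AuthEvent("admin.jsmith", "LT-JSMITH-02", "MSSQLSvc/db01.corp.local")
    print(classify(suspect, baseline))
    print(sorted(hosts_touched_by(suspect.account, baseline)))
    print(is_shared_host(suspect.host, baseline), is_shared_host("JUMP-01", baseline))
```

The classifier deliberately fires only when both the account-host and account-service pairs are already known; an unknown host or an unknown service is a different anomaly and is labelled separately rather than being folded into this trigger. `hosts_touched_by` and `is_shared_host` answer the first and third verification steps from the same learned data; the second step (ownership of the secondary machine) needs an asset inventory and is not modelled here.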