Triggers
- An account is used from a host to request access to a service where none of the pairings (account-host, account-service and host-service) are consistent with prior observed behavior and at least the service is considered privileged
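The trigger condition above, modelled as an added example (not code from the original page or from any vendor product): a baseline of the three pairings is built from prior requests, and a new request fires only when all three pairings are unseen and the service is privileged. Account names, host names, service principal names and the privileged-service list are constructed for illustration.

```python
# Assumed/constructed: which services count as privileged for this detection.
PRIVILEGED_SERVICES = {"ldap/dc01.corp.example", "cifs/dc01.corp.example"}

# Constructed history of (account, host, service) requests seen during baselining.
HISTORY = [
    ("alice", "ws-alice", "http/intranet.corp.example"),
    ("alice", "ws-alice", "cifs/files01.corp.example"),
    ("bob", "ws-bob", "cifs/files01.corp.example"),
    ("carol", "admin-jump", "ldap/dc01.corp.example"),
]


class TrioBaseline:
    """Tracks the three pairings the trigger compares against prior behaviour."""

    def __init__(self, history=()):
        self.account_host = set()
        self.account_service = set()
        self.host_service = set()
        for account, host, service in history:
            self.learn(account, host, service)

    def learn(self, account, host, service):
        self.account_host.add((account, host))
        self.account_service.add((account, service))
        self.host_service.add((host, service))

    def unseen_pairings(self, account, host, service):
        """Names of the pairings this request does not match in the baseline."""
        checks = {
            "account-host": (account, host) in self.account_host,
            "account-service": (account, service) in self.account_service,
            "host-service": (host, service) in self.host_service,
        }
        return [name for name, seen in checks.items() if not seen]

    def is_unusual_trio(self, account, host, service, privileged=PRIVILEGED_SERVICES):
        """Trigger: all three pairings unseen AND the requested service is privileged."""
        return (len(self.unseen_pairings(account, host, service)) == 3
                and service in privileged)


def scan(history, events, privileged=PRIVILEGED_SERVICES):
    """Evaluate each new event against the baseline, then fold it into the baseline
    so a repeat of the same trio is not alerted again. Returns the triggered events."""
    baseline = TrioBaseline(history)
    alerts = []
    for account, host, service in events:
        if baseline.is_unusual_trio(account, host, service, privileged):
            alerts.append((account, host, service))
        baseline.learn(account, host, service)
    return alerts
```

A request where even one pairing is familiar (for example the host's usual account reaching a new service) does not fire this trigger, which is why the verification steps focus on the host, the account and the service together.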
Possible Root Causes
- The account or host (or both) are under the control of an attacker and are being used in a manner which is abnormal for all three entities (account, host and service) involved
- An employee or contractor with approved access to the network is attacking the organization by using their account on an unusual host, or someone else's account on their own host, to access a service which neither the account nor the host usually connects to
Business Impact
- Lateral movement within a network involving privileged accounts, hosts or services exposes an organization to substantial risk of data acquisition and exfiltration
- Unexplained unusual patterns of use of privileged accounts, hosts and services are involved in almost all major breaches
- Attacks carried out by rogue insiders will often exhibit unusual patterns of use as well
- The accounts and hosts used and the services accessed provide a possible perspective on the potential business impact
Steps to Verify
- Examine the Kerberos or Active Directory server logs for a more detailed view of activity by this host and account and requests made for the service
- Carefully inquire into whether the owner of the host in question should be using the specified accounts to access the listed services
- Verify that the host from which authentication is attempted is not a shared resource, as this could mean that the attacker is using it as a pivot point