Privilege Anomaly: Unusual Service from Host

View all detections
Privilege Anomaly: Unusual Service from Host


  • A privileged account is used to access a privileged service, and is doing so from a host which the account has been observed on but where the host has not been seen accessing the service

Possible Root Causes

  • The privileged account has been compromised and is being used to access a privileged service normal for the account, but from a host that the service is typically not accessed from; additionally, the host used for the access is itself a normal place for this account, but not a place from which this service is accessed by any account
  • A privileged employee has decided to use their backup/secondary machine (either due to their primary laptop crashing or because they are away from their desk) to perform what is otherwise normal work for the account

Business Impact

  • Lateral movement within a network involving privileged accounts, hosts, or services exposes an organization to substantial risk of data acquisition and exfiltration
  • Unexplained unusual patterns of use of privileged accounts, hosts, and services are involved in almost all major breaches
  • Attacks carried out by rogue insiders will often exhibit unusual patterns of use as well
  • The accounts and hosts used and the services accessed provide a possible perspective on the potential business impact

Steps to Verify

  1. Examine the Kerberos or Active Directory server logs for a more detailed view of activity by this account since if it has been compromised, all hosts the account has been on must be considered to be compromised as well
  2. Verify that the host in question is a secondary machine owned by the account owner
  3. Verify that the host from which authentication is attempted is not a shared resource as this could mean that the attacker is using it as a pivot point