Privilege Anomaly: Unusual Service - Insider

View all detections
Privilege Anomaly: Unusual Service - Insider


  • An account with a low privilege score is used from a host that has a low privilege score to access a service which has a substantially higher privilege score

Possible Root Causes

  • The host is under the control of an attacker and the account on the host is being used to connect to one or more higher privileged services
  • The account is under the control of an attacker and is being used from multiple hosts to connect to one or more higher privileged services
  • A new admin has been hired and as the account used by the admin is new and the machine assigned to the admin is new, both have low privilege scores; when the admin then begins to perform legitimate work, detections are triggered until the privilege scores of the admin’s account and host are raised based on observed activity
  • A new service is being rolled out and it was initially only used by higher privileged admin accounts (and thus considered to be a high privilege service) but then release for use by a broader set of lower privileged accounts
  • A rarely used service is generally accessed by higher privileged accounts, but is technically also available to lower privileged accounts is accessed by one such low privileged accounts

Business Impact

  • Lateral movement within a network involving privileged accounts, hosts or services exposes an organization to substantial risk of data acquisition and exfiltration
  • Unexplained unusual patterns of use of privileged accounts, hosts and services are involved in almost all major breaches
  • Attacks carried out by rogue insiders will often exhibit unusual patterns of use as well
  • The accounts and hosts used and the services accessed provide a possible perspective on the potential business impact

Steps to Verify

  • Examine the Kerberos or Active Directory server logs for a more detailed view of activity by this host and account since if the host is compromised, the account must be considered to be compromised as well
  • Carefully inquire into whether the owner of the host in question should be using the specified accounts to access the listed services
  • Verify that the host from which authentication is attempted is not a shared resource as this could mean that the attacker is using it as a pivot point