SOC analysts get 4,484 (average) alerts daily and can’t deal with 2/3 of them.
Read the 2023 State of Threat Detection Report
Lateral movement

Privilege Anomaly

Privilege Anomaly

Signs of Privilege Escalation

External attackers and insider threats will take advantage of accounts which have been granted more permissions than necessary in order to move laterally in the network towards their end goals. Accounts with access permissions to high privilege services can occur frequently without the knowledge of IT admins allowing malicious actors access to valuable resources.

1. Unusual Account on Host

  • Compromised Privileged Account: A privileged account accessing services from an unobserved host can indicate compromise.
  • Account Borrowing: Privileged employees using another user's machine for routine tasks may raise suspicion.

2. Unusual Host

  • Unexpected Access: An account accessing a service from an atypical host with varying privilege scores may signal an attack.
  • New Host Assignment: An employee with consistent work patterns suddenly using a different host can be a red flag.

3. Unusual Service

  • Out-of-Pattern Service Access: Accounts accessing abnormal services from specific hosts may indicate compromise.
  • Role Changes: Employees with new projects involving unusual privileged services might pose a risk.

Investigating Signs of Privilege Escalation

To delve deeper into these signs, follow these investigative steps:

  1. Server Log Analysis: Scrutinize Kerberos or Active Directory server logs for detailed insights into account activity.
  2. Verification: Inquire about the legitimacy of account usage on specific hosts with the host's owner.
  3. Shared Resource Check: Ensure that authentication attempts are not from shared resources, potentially indicating a pivot point for attackers.

Business Impact of Privilege Escalation

Privilege escalation attacks can have severe consequences for businesses:

  • Lateral Movement Risks: Unauthorized access to privileged accounts, hosts, or services poses a significant risk of data acquisition and exfiltration.
  • Breaches and Unusual Patterns: Unexplained usage patterns of privileged entities often precede major breaches, including those orchestrated by rogue insiders.
  • Insight into Business Impact: Analyzing the accounts, hosts, and services involved provides valuable perspectives on potential business impact.

How can organizations verify privilege anomalies?

  • Examine server logs for detailed host and account activity, focusing on privilege mismatches.
  • Inquire whether the host owner should use the specified account to access listed services.
  • Verify that the authentication attempt host is not a shared resource, as it could be exploited as a pivot point.

An account, host, and service engaging in abnormal behavior warrant attention. Whether it's an attacker controlling entities or an insider using abnormal combinations, the potential risks demand thorough investigation.

White Paper

Understanding Vectra AI

Vectra AI is a leading AI-driven threat detection and response platform. It uses machine learning to analyze network traffic and other data to identify and prioritize real threats.

This document provides a comprehensive guide to Vectra detections, including:

  • What Vectra detections are and how they work
  • Specific detections that Vectra can identify
  • How to interpret and respond to Vectra detections
Download
Vectra AI detections