Privilege Anomaly: Unusual Account on Host

Triggers

  • A privileged account is used to access a privileged service, but is doing so from a host which the account has not been observed on but where the host (using other accounts) has been seen accessing the service
  • The threat score is driven by the privilege scores of the three entities (account, host, and service)
  • The certainty score is driven by the observed stability of the account, host, and service clusters and the extent of the abnormality of the access and is inversely affected by the number of hosts on which the account is used
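The trigger above can be expressed as a profile check over observed (account, host, service) triples: alert when the account has never been seen on the host, but the host has reached the service under other accounts. The following Python is an added illustration written for this page, not the vendor's detection code; the baseline events, entity names and the scoring formulas (mean privilege for threat, a host-count penalty for certainty) are constructed assumptions, and the certainty term omits the cluster-stability and abnormality factors the text mentions.

```python
from collections import defaultdict

# Constructed sample of observed (account, host, service) accesses, as one
# might derive from Kerberos service-ticket logs. All values are made up.
BASELINE = [
    ("admin_db", "WS-ALICE", "SQL-PROD"),
    ("admin_db", "JUMP-01", "SQL-PROD"),
    ("svc_backup", "WS-BOB", "SQL-PROD"),
    ("admin_web", "WS-BOB", "WEB-PROD"),
]

# Assumed per-entity privilege scores on a 0-10 scale (hypothetical values).
PRIVILEGE = {"admin_db": 9, "admin_web": 7, "svc_backup": 6,
             "WS-ALICE": 4, "WS-BOB": 4, "JUMP-01": 8,
             "SQL-PROD": 10, "WEB-PROD": 7}


def build_profile(events):
    """Learn which hosts each account is used from and which services each host reaches."""
    account_hosts = defaultdict(set)
    host_services = defaultdict(set)
    for account, host, service in events:
        account_hosts[account].add(host)
        host_services[host].add(service)
    return account_hosts, host_services


def evaluate(event, profile, privilege=PRIVILEGE):
    """Return (threat, certainty) if the event matches the trigger, else None."""
    account, host, service = event
    account_hosts, host_services = profile
    if host in account_hosts[account]:
        return None  # account already observed on this host: not unusual
    if service not in host_services[host]:
        return None  # host never reached this service: outside this trigger
    # Threat: driven by the privilege of all three entities (mean is an assumption).
    threat = round(sum(privilege.get(e, 0) for e in (account, host, service)) / 3)
    # Certainty: simplified to fall with the number of hosts the account is used on.
    certainty = max(1, 10 - 2 * len(account_hosts[account]))
    return threat, certainty


def scan(new_events, baseline=BASELINE):
    """Evaluate new events against the learned profile; return alerts keyed by event."""
    profile = build_profile(baseline)
    alerts = {}
    for event in new_events:
        result = evaluate(event, profile)
        if result:
            alerts[event] = result
    return alerts
```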

Possible Root Causes

  • The privileged account has been compromised and is being used to access a privileged service normal for the account, but from a host that the account is typically not used from; additionally, the host used for the access is itself a normal place from which to connect to the privileged server, just not with this account
  • A privileged employee has borrowed another privileged user’s machine (either due to their primary laptop crashing or because they are away from their desk) to perform what is otherwise normal work for the account

Business Impact

  • Lateral movement within a network involving privileged accounts, hosts, or services exposes an organization to substantial risk of data acquisition and exfiltration
  • Unexplained unusual patterns of use of privileged accounts, hosts, and services are involved in almost all major breaches
  • Attacks carried out by rogue insiders will often exhibit unusual patterns of use as well
  • The accounts and hosts used and the services accessed provide a possible perspective on the potential business impact

Steps to Verify

  • Examine the Kerberos or Active Directory server logs for a more detailed view of activity by this account since, if it has been compromised, all hosts the account has been on must be considered to be compromised as well
  • Carefully inquire into whether the owner of the host in question would expect the account listed in the detection to be used on this host
  • Verify that the host from which authentication is attempted is not a shared resource, as this could mean that the attacker is using it as a pivot point