Privilege Anomaly: Unusual Service

Triggers

  • An account which is typically used from this host is accessing a service which the account has not been observed accessing from any host, and at least two of the entities (the account and the service) have high privilege scores
  • The threat score is driven by the privilege scores of the three entities (account, host and service)
  • The certainty score is driven by the observed stability of the account, host and service clusters, by the number of entities in each relationship (e.g. the number of services the account has been observed to access), and by the extent to which the service is abnormal compared to the services typically used with the account and the host
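The trigger conditions above, written out as a small rule run over a constructed baseline of (account, host, service) observations. This is an added illustration, not Vectra's detection code: the privilege scores, the 0-10 scale, the "high" cut-off of 6, and the max/count proxies for threat and certainty are all assumptions made here.

```python
from collections import defaultdict

# Constructed learning-period observations of (account, host, service); sample data only.
HISTORY = [
    ("svc_backup", "host-a", "cifs/fileserver01"),
    ("svc_backup", "host-a", "cifs/fileserver02"),
    ("svc_backup", "host-b", "cifs/fileserver01"),
    ("alice", "wks-17", "http/intranet"),
]

# Constructed privilege scores (hypothetical 0-10 scale) and an assumed "high" cut-off.
PRIVILEGE = {
    "svc_backup": 8, "alice": 2,
    "host-a": 7, "host-b": 3, "wks-17": 2,
    "cifs/fileserver01": 6, "cifs/fileserver02": 6, "ldap/dc01": 9, "http/intranet": 1,
}
HIGH_PRIVILEGE = 6


def build_baseline(history):
    """Per-account sets of hosts it is used from and services it has been seen accessing."""
    hosts, services = defaultdict(set), defaultdict(set)
    for account, host, service in history:
        hosts[account].add(host)
        services[account].add(service)
    return hosts, services


def evaluate(event, baseline, privilege=PRIVILEGE, high=HIGH_PRIVILEGE):
    """Apply the trigger conditions to one (account, host, service) authentication event."""
    account, host, service = event
    hosts, services = baseline
    typical_host = host in hosts[account]               # account is normally used from this host
    unseen_service = service not in services[account]   # never observed for this account, any host
    privileged = privilege.get(account, 0) >= high and privilege.get(service, 0) >= high
    if not (typical_host and unseen_service and privileged):
        return {"fires": False, "threat": 0, "certainty": 0.0}
    # Threat: driven by the privilege of the three entities (max used here as a simple proxy).
    threat = max(privilege.get(e, 0) for e in (account, host, service))
    # Certainty: grows with how much service history backs the baseline (count proxy, capped at 1.0).
    certainty = min(1.0, len(services[account]) / 5)
    return {"fires": True, "threat": threat, "certainty": certainty}


if __name__ == "__main__":
    baseline = build_baseline(HISTORY)
    print(evaluate(("svc_backup", "host-a", "ldap/dc01"), baseline))         # fires
    print(evaluate(("svc_backup", "host-a", "cifs/fileserver02"), baseline))  # known service
    print(evaluate(("alice", "wks-17", "ldap/dc01"), baseline))              # account not privileged
```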

Possible Root Causes

  • The host is under the control of an attacker and the account on the host is being used to connect to one or more services which are abnormal for the account and may or may not be abnormal for the host
  • An employee or contractor with approved access to the network has been assigned a new project or job which involves new privileged services that are quite abnormal given their prior role

Business Impact

  • Lateral movement within a network involving privileged accounts, hosts or services exposes an organization to substantial risk of data acquisition and exfiltration
  • Unexplained unusual patterns of use of privileged accounts, hosts and services are involved in almost all major breaches
  • Attacks carried out by rogue insiders will often exhibit unusual patterns of use as well
  • The accounts and hosts used and the services accessed provide a possible perspective on the potential business impact

Steps to Verify

  1. Examine the Kerberos or Active Directory server logs for a more detailed view of activity by this host and account; if the host is compromised, the account must be considered compromised as well
  2. Carefully inquire into whether the owner of the host in question should be using the specified accounts to access the listed services
  3. Verify that the host from which authentication is attempted is not a shared resource, as this could mean that the attacker is using it as a pivot point