Suspicious Admin

Suspicious Admin

Signs of a Suspicious Admin

  • The host is using protocols correlated with administrative activity (RDP, SSH, IPMI, iDRAC, etc.) in ways which are considered suspicious
  • The threat score is driven by the number of other administrative connections made by this host
  • The certainty score is driven by the number of other recognized administrators of the target systems using the same administrative protocol

Why Attackers Use Admin Access

  • The host has begun using an administrative protocol to connect to a system for which one or more other hosts have already been observed to be regular administrators using the same protocol
  • Administrative connections via a particular administrative protocol to a system which has no known regular administrators using that protocol will not result in a detection
  • Administrative connections to a system which has a known regular administrator host using the chosen protocol will also not result in a detection if there is significant overlap in administrative connections to other systems between this host and the other known administrator host
  • If such an administrative connection recurs over a period of several days, it is considered normal and no longer will trigger a detection
  • The detection may be benign when it involves a host assigned to a new employee authorized to administrate the target systems or when the role of the employee has undergone a significant change

Business Impact of a Suspicious Admin

  • Administrative protocols are a primary tool for attackers to move laterally inside a network in which they have already established a toehold
  • Given that administrative connections are typically used in conjunction with administrative credentials, the attacker may have almost unconstrained access to systems and data that are the organization’s key assets
  • Unexpected and unexplained administrative connections represent a huge potential risk in the lifecycle of a major breach

How to Investigate Suspicious Admins

  1. Verify whether the host belongs to an employee whose job function requires administrative access to other systems
  2. Verify whether the employee who has been assigned the host should be using the particular administrative protocol to administer the identified system
  3. Inquire whether the owner of the host actually initiated the administrative connection in order to determine whether the host has been compromised
  4. Check the logs on the administered target for the creation of new accounts, the launch of abnormal processes and the modification of registry key
  5. If employee associated with this host was not the originator of the admin session, reset all domain and local admin credentials belonging to the employee across the local machine and the network
  6. If the credentials of the employee whose machine was compromised had domain administrative privileges, the secret key of the domain controller may have been compromised and may need to be reset – search for “krbtgt account password change” to find instructions on how to do this
  7. Verify that the host from which the administrative connection was originated is a jump system as this may mean that the originator of the administrative connection is an upstream host which connected to the jump system

White Paper

Understanding Vectra AI

Vectra AI is a leading AI-driven threat detection and response platform. It uses machine learning to analyze network traffic and other data to identify and prioritize real threats.

This document provides a comprehensive guide to Vectra detections, including:

  • What Vectra detections are and how they work
  • Specific detections that Vectra can identify
  • How to interpret and respond to Vectra detections