Triggers
- A privileged account is used to access a privileged service, but is doing so from a host which the account has not been observed on but where the host (using other accounts) has been seen accessing the service
Possible Root Causes
- The privileged account has been compromised and is being used to access a privileged service normal for the account, but from a host that the account is typically not used from; additionally, the host used for the access is itself a normal place from which to connect to the privileged server, just not with this account
- A privileged employee has borrowed another privileged user’s machine (either due to their primary laptop crashing or because they are away from their desk) to perform what is otherwise normal work for the account
Business Impact
- Lateral movement within a network involving privileged accounts, hosts, or services exposes an organization to substantial risk of data acquisition and exfiltration
- Unexplained unusual patterns of use of privileged accounts, hosts, and services are involved in almost all major breaches
- Attacks carried out by rogue insiders will often exhibit unusual patterns of use as well
- The accounts and hosts used and the services accessed provide a possible perspective on the potential business impact
Steps to Verify
- Examine the Kerberos or Active Directory server logs for a more detailed view of activity by this account since, if it has been compromised, all hosts the account has been on must be considered to be compromised as well
- Carefully inquire into whether the owner of the host in question would expect the account listed in the detection to be used on this host • Verify that the host from which authentication is attempted is not a shared resource as this could mean that the attacker is using it as a pivot point