Triggers
- An account with a low privilege score is used from a host that has a low privilege score to access a service which has a substantially higher privilege score
Possible Root Causes
- The host is under the control of an attacker and the account on the host is being used to connect to one or more higher privileged services
- The account is under the control of an attacker and is being used from multiple hosts to connect to one or more higher privileged services
- A new admin has been hired and as the account used by the admin is new and the machine assigned to the admin is new, both have low privilege scores; when the admin then begins to perform legitimate work, detections are triggered until the privilege scores of the admin’s account and host are raised based on observed activity
- A new service is being rolled out and it was initially only used by higher privileged admin accounts (and thus considered to be a high privilege service) but then release for use by a broader set of lower privileged accounts
- A rarely used service is generally accessed by higher privileged accounts, but is technically also available to lower privileged accounts is accessed by one such low privileged accounts
Business Impact
- Lateral movement within a network involving privileged accounts, hosts or services exposes an organization to substantial risk of data acquisition and exfiltration
- Unexplained unusual patterns of use of privileged accounts, hosts and services are involved in almost all major breaches
- Attacks carried out by rogue insiders will often exhibit unusual patterns of use as well
- The accounts and hosts used and the services accessed provide a possible perspective on the potential business impact
Steps to Verify
- Examine the Kerberos or Active Directory server logs for a more detailed view of activity by this host and account since if the host is compromised, the account must be considered to be compromised as well
- Carefully inquire into whether the owner of the host in question should be using the specified accounts to access the listed services
- Verify that the host from which authentication is attempted is not a shared resource as this could mean that the attacker is using it as a pivot point