An account with a low privilege score is used from a host that also has a low privilege score to access a service with a substantially higher privilege score.
Possible Root Causes
The host is under the control of an attacker and the account on the host is being used to connect to one or more higher privileged services
The account is under the control of an attacker and is being used from multiple hosts to connect to one or more higher privileged services
A new admin has been hired; because both the admin's account and the machine assigned to the admin are new, both have low privilege scores, so the admin's legitimate work triggers detections until the privilege scores of the account and host are raised based on observed activity
A new service is being rolled out; it was initially used only by higher privileged admin accounts (and so was scored as a high privilege service) but has since been released to a broader set of lower privileged accounts
A rarely used service is generally accessed by higher privileged accounts but is technically also available to lower privileged accounts, and one such low privileged account accesses it
Business Impact
Lateral movement within a network involving privileged accounts, hosts or services exposes an organization to substantial risk of data acquisition and exfiltration
Unexplained unusual patterns of use of privileged accounts, hosts and services are involved in almost all major breaches
Attacks carried out by rogue insiders will often exhibit unusual patterns of use as well
The accounts and hosts involved and the services accessed indicate the potential business impact
Steps to Verify
Examine the Kerberos or Active Directory server logs (on Windows domain controllers, the TGT and service-ticket request events 4768 and 4769) for a more detailed view of activity by this host and account; if the host is compromised, the account used from it must be considered compromised as well
Carefully inquire into whether the owner of the host in question should be using the specified accounts to access the listed services
Check whether the host from which authentication is attempted is a shared resource, as an attacker may be using it as a pivot point; in that case the account, not the host owner, is the likely compromised element
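The scoring and detection logic described above, reduced to a runnable sketch over constructed Kerberos service-ticket events. This is an added example, not the vendor's own scoring algorithm: the 0 to 10 scale, the thresholds LOW and HIGH, the heuristic in score_entities (a service used by few accounts is privileged, an account inherits its most privileged service, a host inherits its most privileged account) and every account, host and service name are assumptions. It flags the triple from the description, shows the new-admin false positive disappearing once the admin's activity is part of the baseline, and turns the verification steps into a query over the same events:

```python
from collections import defaultdict

# Assumed thresholds on an assumed 0-10 privilege scale (not the vendor's values).
LOW = 3.0    # scores at or below this are "low privilege"
HIGH = 7.0   # scores at or above this are "high privilege"

# Constructed sample of Kerberos service-ticket requests as (account, host, service).
# In a Windows domain these would come from event 4769 on the domain controllers.
BASELINE = [
    # two admins working from dedicated admin workstations
    ("alice.admin", "ADM-WS01", "cifs/fileserver"),
    ("alice.admin", "ADM-WS01", "ldap/dc01"),
    ("alice.admin", "ADM-WS01", "host/dc01"),
    ("bob.admin", "ADM-WS02", "cifs/fileserver"),
    ("bob.admin", "ADM-WS02", "ldap/dc01"),
    ("bob.admin", "ADM-WS02", "MSSQLSvc/db01"),
    # a DBA-type user who reaches the database from her own workstation
    ("carol", "WS-CAROL", "cifs/fileserver"),
    ("carol", "WS-CAROL", "http/intranet"),
    ("carol", "WS-CAROL", "MSSQLSvc/db01"),
]
# ordinary users: file server and intranet only, from their own workstation ...
for u in ["dave", "erin", "heidi", "ivan", "judy"]:
    BASELINE += [(u, f"WS-{u.upper()}", "cifs/fileserver"), (u, f"WS-{u.upper()}", "http/intranet")]
# ... or from a shared kiosk, which matters for the pivot-point check in triage()
for u in ["frank", "grace"]:
    BASELINE += [(u, "KIOSK-01", "cifs/fileserver"), (u, "KIOSK-01", "http/intranet")]


def score_entities(events):
    """Derive privilege scores from observed activity (a simplified, assumed heuristic).

    A service used by few accounts is treated as privileged; an account is as privileged
    as the most privileged service it uses; a host is as privileged as the most
    privileged account seen on it. Entities absent from the events get no score.
    """
    accounts_by_service = defaultdict(set)
    services_by_account = defaultdict(set)
    accounts_by_host = defaultdict(set)
    for acct, host, svc in events:
        accounts_by_service[svc].add(acct)
        services_by_account[acct].add(svc)
        accounts_by_host[host].add(acct)
    n = len(services_by_account)  # number of distinct accounts observed
    svc_score = {s: round(10 * (1 - len(a) / n), 1) for s, a in accounts_by_service.items()}
    acct_score = {a: max(svc_score[s] for s in svcs) for a, svcs in services_by_account.items()}
    host_score = {h: max(acct_score[a] for a in accts) for h, accts in accounts_by_host.items()}
    return svc_score, acct_score, host_score


def evaluate(event, scores):
    """Return alert details when a low-score account on a low-score host reaches a
    high-score service, else None. Unknown accounts and hosts (a new hire's account and
    machine, for example) score 0.0; a service with no baseline cannot be judged."""
    svc_score, acct_score, host_score = scores
    acct, host, svc = event
    if svc not in svc_score:
        return None
    a, h, s = acct_score.get(acct, 0.0), host_score.get(host, 0.0), svc_score[svc]
    if a <= LOW and h <= LOW and s >= HIGH:
        return {"account": acct, "host": host, "service": svc,
                "account_score": a, "host_score": h, "service_score": s}
    return None


def triage(events, account, host):
    """The verification steps as a query over the same log: everything this account did
    from this host, and which other accounts share the host (a shared host is a candidate
    pivot point, so the account may be compromised even if the host owner is not)."""
    services = sorted({s for a, h, s in events if a == account and h == host})
    shared_with = sorted({a for a, h, _ in events if h == host and a != account})
    return {"services": services, "shared_with": shared_with}


if __name__ == "__main__":
    scores = score_entities(BASELINE)
    print(evaluate(("dave", "WS-DAVE", "ldap/dc01"), scores))        # fires: ordinary user to DC LDAP
    print(evaluate(("dave", "WS-DAVE", "cifs/fileserver"), scores))  # None: service is low privilege
    print(evaluate(("carol", "WS-CAROL", "MSSQLSvc/db01"), scores))  # None: account is high privilege
    new_admin = ("newadmin", "NEW-WS", "host/dc01")
    print(evaluate(new_admin, scores))                               # fires: unknown account and host
    # once the new admin's activity is part of the baseline, the scores rise and it stops firing
    learned = score_entities(BASELINE + [new_admin, ("newadmin", "NEW-WS", "ldap/dc01")])
    print(evaluate(new_admin, learned))                              # None
    print(triage(BASELINE, "frank", "KIOSK-01"))                     # shared_with: ['grace']
```

In production the event list would be the 4769 history pulled from the domain controllers and the scores whatever the product computes; the point of triage() is the last verification step: when shared_with is non-empty, the host is a shared resource, and the account rather than the host owner is the thing to investigate.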
Privilege Anomaly: Unusual Service - Insider