An account is used from a host to request access to a service where none of the pairings (account-host, account-service and host-service) are consistent with prior observed behavior and at least the service is considered privileged
Possible Root Causes
The account or host (or both) are under the control of an attacker and are being used in a manner which is abnormal for all three entities (account, host and service) involved
An employee or contractor with approved access to the network is attacking the organization by using their account on an unusual host or someone else’s account on their host to access a service which neither the account nor the host usually connects to
Business Impact
Lateral movement within a network involving privileged accounts, hosts or services exposes an organization to substantial risk of data acquisition and exfiltration
Unexplained unusual patterns of use of privileged accounts, hosts and services are involved in almost all major breaches
Attacks carried out by rogue insiders will often exhibit unusual patterns of use as well
The accounts and hosts used and the services accessed provide a possible perspective on the potential business impact
Steps to Verify
Examine the Kerberos or Active Directory server logs for a more detailed view of activity by this host and account and requests made for the service
Carefully inquire into whether the owner of the host in question should be using the specified accounts to access the listed services
Verify that the host from which authentication is attempted is not a shared resource as this could mean that the attacker is using it as a pivot point
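The following is an added example, not Vectra's detection code or the detection's actual implementation. It shows the idea behind the "unusual trio" condition above in working Python: build a baseline of the three pairings (account-host, account-service, host-service) from prior service-ticket requests, flag a new request only when all three pairings are novel and the service is privileged, and support the last verification step by listing hosts from which many distinct accounts have authenticated (a sign of a shared resource or pivot point). The log lines, account, host and service names, and the privileged-service list are constructed for the example.

```python
"""
Toy "unusual trio" check over Kerberos service-ticket request records.
Example code only; all data below is constructed, not real telemetry.
"""
from collections import defaultdict
from typing import NamedTuple


class TgsRequest(NamedTuple):
    account: str
    host: str
    service: str


# Constructed sample of prior observed requests, in the simplified
# key=value form a log parser might emit (e.g. from AD Event ID 4769).
BASELINE_LOG = """\
account=alice host=WS-ALICE service=cifs/fileserver
account=alice host=WS-ALICE service=http/intranet
account=bob host=WS-BOB service=cifs/fileserver
account=bob host=JUMPHOST service=ldap/dc01
account=carol host=JUMPHOST service=ldap/dc01
account=dave host=JUMPHOST service=cifs/fileserver
account=svc-backup host=BACKUP01 service=cifs/fileserver
"""

# Constructed list of services the organization treats as privileged.
PRIVILEGED_SERVICES = {"ldap/dc01", "mssql/hr-db"}


def parse_log(text: str) -> list[TgsRequest]:
    """Parse 'account=... host=... service=...' lines into records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(tok.split("=", 1) for tok in line.split())
        records.append(TgsRequest(fields["account"], fields["host"], fields["service"]))
    return records


def build_pairings(records: list[TgsRequest]) -> dict[str, set[tuple[str, str]]]:
    """Collect every previously observed pairing for the three relations."""
    pairs: dict[str, set[tuple[str, str]]] = {
        "account_host": set(),
        "account_service": set(),
        "host_service": set(),
    }
    for r in records:
        pairs["account_host"].add((r.account, r.host))
        pairs["account_service"].add((r.account, r.service))
        pairs["host_service"].add((r.host, r.service))
    return pairs


def novel_pairings(req: TgsRequest, pairs: dict[str, set[tuple[str, str]]]) -> list[str]:
    """Return which of the three pairings have never been observed before."""
    checks = {
        "account_host": (req.account, req.host),
        "account_service": (req.account, req.service),
        "host_service": (req.host, req.service),
    }
    return [name for name, key in checks.items() if key not in pairs[name]]


def is_unusual_trio(req: TgsRequest, pairs, privileged: set[str]) -> bool:
    """All three pairings novel AND the requested service is privileged."""
    return len(novel_pairings(req, pairs)) == 3 and req.service in privileged


def shared_hosts(records: list[TgsRequest], min_accounts: int = 3) -> set[str]:
    """Hosts used by many distinct accounts: candidates for shared resources."""
    accounts_by_host: dict[str, set[str]] = defaultdict(set)
    for r in records:
        accounts_by_host[r.host].add(r.account)
    return {h for h, accts in accounts_by_host.items() if len(accts) >= min_accounts}


def detect(baseline_text: str, new_requests: list[TgsRequest], privileged: set[str]):
    """Return the subset of new_requests that match the unusual-trio condition."""
    pairs = build_pairings(parse_log(baseline_text))
    return [req for req in new_requests if is_unusual_trio(req, pairs, privileged)]


if __name__ == "__main__":
    candidates = [
        TgsRequest("alice", "WS-BOB", "mssql/hr-db"),     # all novel, privileged
        TgsRequest("alice", "WS-ALICE", "mssql/hr-db"),   # account-host is known
        TgsRequest("carol", "WS-CAROL", "cifs/fileserver"),  # novel but not privileged
        TgsRequest("bob", "JUMPHOST", "ldap/dc01"),       # fully consistent with baseline
    ]
    for hit in detect(BASELINE_LOG, candidates, PRIVILEGED_SERVICES):
        print("unusual trio:", hit)
    print("shared hosts to check as pivot points:", shared_hosts(parse_log(BASELINE_LOG)))
```

Requiring all three pairings to be novel is what separates this from weaker signals: a known account on a new host, or a known host reaching a new service, each has a routine explanation, while a request where nothing about the combination has been seen before against a privileged service is the case the verification steps above are meant to run down. The shared-host list is the starting point for the third step, since a host that many accounts already use is exactly the kind of machine an attacker would pick to pivot from.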
Privilege Anomaly: Unusual Trio