New Interactive Logon from a Service Account

Description

In most environments, service accounts should not log on interactively. This search finds new user/host combinations for accounts starting with "svc_."


Use Case

Advanced Threat Detection

Category

Endpoint Compromise

Security Impact

Service accounts are more than likely privileged accounts in organizations. However, they should almost never log on interactively (e.g., via Remote Desktop, or by physically sitting at a keyboard and monitor). Because of their privilege and the fact that their usernames often describe their level of access (e.g., svcexchangeadmin), they're a big target for account compromise. Mature organizations should monitor for this activity, and investigate any new logon activity.

Alert Volume

Low

SPL Difficulty

Medium

Journey

Stage 1

MITRE ATT&CK Tactics

Privilege Escalation
Persistence
Lateral Movement
Defense Evasion

MITRE ATT&CK Techniques

Valid Accounts
Remote Services

MITRE Threat Groups

APT18
APT28
APT3
APT32
APT33
APT39
APT41
Carbanak
Dragonfly 2.0
FIN10
FIN4
FIN5
FIN6
FIN8
GCMAN
Leviathan
Night Dragon
OilRig
PittyTiger
Soft Cell
Stolen Pencil
Suckfly
TEMP.Veles
Threat Group-1314
Threat Group-3390
menuPass

Kill Chain Phases

Command and Control

Data Sources

Windows Security
Authentication

How to Implement

Implementation of this example (or any of the First Time Seen examples) is generally very simple.

  • Validate that you have the right data onboarded, and that the fields you want to monitor are properly extracted.
  • For this search it is also key to verify that the username format of service accounts (or a lookup, if appropriate) is accurate so that you are just looking at service accounts.
  • Save the search.

For most environments, these searches can be run once a day, often overnight, without worrying too much about a slow search. If you wish to run this search more frequently, or if this search is too slow for your environment, we recommend leveraging a lookup cache. For more on this, see the lookup cache dropdown below and select the sample item. A window will pop up telling you more about this feature.

Known False Positives

This is a strictly behavioral search, so we define "false positive" slightly differently. Every time this fires, it will accurately reflect the first occurrence in the time period you're searching over (or for the lookup cache feature, the first occurrence over whatever time period you built the lookup). But while there are really no "false positives" in a traditional sense, there is definitely lots of noise.

In most environments, you should be able to directly respond to this event because service accounts should not suddenly start logging on interactively.

How To Respond

When this search returns values, initiate your incident response process and capture the time of the event, the user account and system involved, the credentials that were used, the process executed, and any other pertinent information. Contact the owner of the system. If it is authorized behavior, document that this is authorized and by whom. If not, the user credentials may have been used by another party and additional investigation is warranted.

Help

New Interactive Logon from a Service Account Help

This example leverages the Detect New Values search assistant. Our dataset is an anonymized collection of interactive logon events, and then we apply a filter for when the account name starts with svc_ -- obviously you could adjust this, or leverage a lookup as applicable in your environment. We check the first time that each user has logged on interactively to each server. Notably, this search is probably one of the most difficult in the environment from a performance perspective. Searching for Logon Types requires pulling back almost all of the data off of disk -- it would be highly recommended to leverage a lookup to cache your baseline (on the roadmap for a future version of this app). That said, for most organizations you could likely dispense with the baseline and just whitelist known good service account / host combinations as well.

SPL for New Interactive Logon from a Service Account

Demo Data

This line will load a sample CSV. The macro is a wrapper for |inputlookup to make this search look prettier here.
Now we filter for where the user account starts with svc_, which is a common way to notate service accounts.
Here we use the stats command to calculate what the earliest and the latest time is that we have seen this combination of fields.
Next we calculate the most recent value in our demo dataset.
We end by seeing if the earliest time we've seen this value is within the last day of the end of our demo dataset.

Live Data

First we pull in our dataset of Windows Authentication specifying Interactive logon types, and filter for where the user account starts with svc_, which is a common way to notate service accounts.
Then we use table to include just the fields we're apt to care about. (Technically we need to use | table for this app because we show you the intermediate results, but in production you should drop this line because it will reduce search performance.)
Here we use the stats command to calculate what the earliest and the latest time is that we have seen this combination of fields.
We end by seeing if the earliest time we've seen this value is within the last day.
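The Demo Data and Live Data steps above, and the lookup-cache and whitelist ideas from the Help section, re-implemented in plain Python as an added example (this is not code from Splunk Security Essentials or its SPL). It runs over a constructed handful of Windows Security logon events; the field names (_time, EventCode, Logon_Type, user, dest) are assumed to follow the usual Windows add-on extractions, the svc_ prefix comes from the page, and the interactive logon type codes are the standard Windows values (2 Interactive, 10 RemoteInteractive, 11 CachedInteractive). It goes slightly beyond the page's search by folding a persisted baseline into the stats, which is the "lookup cache" approach the page recommends for large environments.

```python
"""First-time-seen interactive logon by a service account.

Added example (not Splunk Security Essentials code): a plain-Python version of
the search described on the page, run over constructed Windows Security events.
Field names are assumed (Splunk Windows TA style); logon types are the standard
Windows codes; the svc_ prefix is the page's naming convention.
"""
from datetime import datetime, timedelta, timezone

INTERACTIVE_LOGON_TYPES = {2, 10, 11}   # Interactive, RemoteInteractive, CachedInteractive
SERVICE_ACCOUNT_PREFIX = "svc_"         # naming convention assumed by the search


def parse_time(value):
    """Parse an ISO-8601 timestamp as UTC (stands in for Splunk's _time)."""
    return datetime.fromisoformat(value).replace(tzinfo=timezone.utc)


# Constructed sample data (not real logs): successful (4624) and failed (4625) logons.
SAMPLE_EVENTS = [
    {"_time": "2024-03-01T02:10:00", "EventCode": 4624, "Logon_Type": 5,  "user": "svc_backup",        "dest": "FS01"},  # service logon: ignored
    {"_time": "2024-03-03T09:00:00", "EventCode": 4624, "Logon_Type": 2,  "user": "svc_backup",        "dest": "FS01"},  # historical pair
    {"_time": "2024-03-10T09:30:00", "EventCode": 4624, "Logon_Type": 2,  "user": "svc_backup",        "dest": "FS01"},  # repeat of known pair
    {"_time": "2024-03-12T14:00:00", "EventCode": 4624, "Logon_Type": 10, "user": "svc_exchangeadmin", "dest": "DC01"},  # never seen before
    {"_time": "2024-03-12T16:00:00", "EventCode": 4624, "Logon_Type": 2,  "user": "jsmith",            "dest": "WS17"},  # not a service account
    {"_time": "2024-03-12T17:00:00", "EventCode": 4625, "Logon_Type": 10, "user": "svc_sql",           "dest": "DB02"},  # failed logon: ignored
]


def interactive_service_logons(events):
    """Base search: successful logons (4624) of an interactive type for svc_* accounts."""
    for e in events:
        if e["EventCode"] != 4624:
            continue
        if e["Logon_Type"] not in INTERACTIVE_LOGON_TYPES:
            continue
        if not e["user"].lower().startswith(SERVICE_ACCOUNT_PREFIX):
            continue
        yield e


def earliest_latest_by_user_dest(events):
    """Equivalent of `stats earliest(_time) latest(_time) by user, dest`."""
    stats = {}
    for e in interactive_service_logons(events):
        t = parse_time(e["_time"])
        key = (e["user"], e["dest"])
        lo, hi = stats.get(key, (t, t))
        stats[key] = (min(lo, t), max(hi, t))
    return stats


def merge_lookup_cache(cache, stats):
    """Lookup-cache step: fold a fresh stats run into a persisted baseline, so the
    next scheduled run only has to search the new time slice rather than all history."""
    merged = dict(cache)
    for key, (lo, hi) in stats.items():
        old_lo, old_hi = merged.get(key, (lo, hi))
        merged[key] = (min(old_lo, lo), max(old_hi, hi))
    return merged


def first_time_seen(events, now=None, window=timedelta(days=1), cache=None, allowlist=()):
    """Return (user, dest) pairs whose earliest interactive logon falls inside `window`.

    now=None reproduces the demo-data behaviour (measure back from the latest event
    in the dataset); pass an aware datetime for the live behaviour. `cache` is a
    previously built baseline (see merge_lookup_cache) and `allowlist` holds known-good
    service account / host pairs; both suppress alerts.
    """
    stats = merge_lookup_cache(cache or {}, earliest_latest_by_user_dest(events))
    if not stats:
        return []
    if now is None:
        now = max(hi for _, hi in stats.values())
    cutoff = now - window
    allowed = set(allowlist)
    hits = []
    for (user, dest), (lo, hi) in sorted(stats.items()):
        if (user, dest) in allowed:
            continue  # whitelisted combination, as the Help section suggests
        if lo >= cutoff:
            hits.append({"user": user, "dest": dest, "earliest": lo, "latest": hi})
    return hits


if __name__ == "__main__":
    for hit in first_time_seen(SAMPLE_EVENTS):
        print(f"NEW interactive logon: {hit['user']} on {hit['dest']} at {hit['earliest']:%Y-%m-%d %H:%M}")
```

Run on the sample data it reports only svc_exchangeadmin on DC01, because svc_backup on FS01 was first seen well before the one-day window and the non-interactive, failed and non-service-account events are filtered out by the base search. Passing a cache that already records an older sighting of the svc_exchangeadmin/DC01 pair, or listing that pair in the allowlist, suppresses the alert, which is the behaviour the lookup cache and whitelist are meant to give you on live data.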