Authentication Attempt From a Dormant Account

The Authentication Attempt From a Dormant Account alert triggers when a user account which has been dormant for a year or more attempts to authenticate to a service using a Kerberos ticket granting ticket (TGT).

Synopsis

  • Timing: Every 10 minutes; 3 days; 14 days; 10 minutes
  • Data sources:
    • Traffic
    • Enhanced Application Logs
    • Directory Sync Services (DSS)
  • Severity: Low

Description

Activity on what was previously an inactive account is suspicious, as attackers often target unused accounts to increase their chances of remaining undetected.
A user account which has not logged on for a year or more is authenticating to a service via a Kerberos TGT. This may mean that the account succeeded in Kerberos pre-authentication (and therefore holds a valid TGT), or, although less likely, that the TGT and/or the service ticket (TGS) were forged.
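The detection logic described above, as an added illustration that is not the product's own code: a per-account last-logon baseline is compared against incoming Kerberos service-authentication events, and an alert is raised the first time an account that has been idle for at least a year authenticates again. The baseline timestamps, event records, field names and the 365-day threshold are all constructed for this example; the alert carries the authentication result so a responder can start with the first investigative action (was the service authentication successful?).

```python
from datetime import datetime, timedelta

# Constructed dormancy threshold: a year or more without a logon.
DORMANCY_THRESHOLD = timedelta(days=365)

# Constructed baseline: last observed logon per account (hypothetical values).
LAST_LOGON = {
    "alice": datetime(2023, 11, 2, 9, 15),
    "svc_backup": datetime(2022, 6, 14, 3, 0),
    "bob": datetime(2022, 1, 10, 7, 40),
}

# Constructed Kerberos service-authentication events (TGS requests backed by a TGT).
EVENTS = [
    {"ts": "2024-01-05T08:00:00", "user": "alice", "service": "cifs/fileserver", "result": "success"},
    {"ts": "2024-01-05T08:02:00", "user": "bob", "service": "host/app01", "result": "success"},
    {"ts": "2024-01-05T08:05:00", "user": "svc_backup", "service": "ldap/dc01", "result": "failure"},
    {"ts": "2024-01-05T08:07:00", "user": "carol", "service": "http/web01", "result": "success"},
    {"ts": "2024-01-05T08:09:00", "user": "bob", "service": "cifs/fileserver", "result": "success"},
]


def detect_dormant_auth(events, last_logon, threshold=DORMANCY_THRESHOLD):
    """Return one alert per account whose first new authentication follows
    a gap of at least `threshold` since its last recorded logon.

    `last_logon` is updated in place as events are processed, so a dormant
    account that keeps authenticating produces a single alert rather than
    one per event. Accounts with no baseline at all are skipped: dormancy
    cannot be established for them, which usually points at a sync gap
    (compare the Directory Sync Services check in Investigative Actions).
    """
    alerts = []
    for ev in events:
        ts = datetime.fromisoformat(ev["ts"])
        prior = last_logon.get(ev["user"])
        if prior is not None and ts - prior >= threshold:
            alerts.append({
                "user": ev["user"],
                "service": ev["service"],
                "result": ev["result"],          # success vs. failure drives triage
                "dormant_days": (ts - prior).days,
                "ts": ev["ts"],
            })
        if prior is None or ts > prior:
            # Any observed authentication ends the dormancy window.
            last_logon[ev["user"]] = ts
    return alerts


if __name__ == "__main__":
    for alert in detect_dormant_auth(EVENTS, dict(LAST_LOGON)):
        print(f"{alert['ts']} {alert['user']} -> {alert['service']}: "
              f"dormant {alert['dormant_days']} days, auth {alert['result']}")
```

On the constructed input this yields two alerts: bob (725 days idle, successful authentication) and svc_backup (570 days idle, failed authentication); alice is well inside the threshold and carol has no baseline, and bob's second event is suppressed because the first one refreshed the baseline.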

Attacker's Goals

Use a compromised user account which has not been used in a long while and is therefore less likely to be noticed.

Investigative Actions

  • See whether the service authentication was successful.
  • Confirm the activity is benign, e.g. the user returned from a long leave of absence.
  • Check whether you have issues with your Directory Sync Services failing to sync data from Active Directory.
