Activated accounts that remain unused for an extended period (such as one year or more) can grant access to individuals who have already left the company. This can further complicate the management of user accounts.
Inconsistent account management policies can result in keeping user accounts that are no longer in use, whether due to employee departures or the deprecation of an old application or system.
These inactive accounts can pose a security risk by providing unauthorized access to company assets in the event of a password compromise. Moreover, as these accounts do not update their authentication secrets, they are more vulnerable to attacks.
To manage directory access effectively, it is best to deactivate all unused directory accounts.
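One way to triage exported directory records for this condition, as an added example that is not part of the original page or the product's own detection logic. It assumes each record carries `sAMAccountName`, `userAccountControl`, `whenCreated` and `lastLogonTimestamp`, and it adds a 14-day allowance because `lastLogonTimestamp` can lag the real last logon by up to 14 days by default; the sample records are constructed.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
ACCOUNTDISABLE = 0x0002               # userAccountControl bit: account is disabled
DORMANT_AFTER = timedelta(days=365)   # "one year or more", as in the text above
SYNC_LAG = timedelta(days=14)         # assumed default lastLogonTimestamp update interval

def filetime_to_dt(value):
    """Convert an AD FILETIME (100 ns ticks since 1601-01-01 UTC); 0 or None -> None."""
    if not value:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=int(value) // 10)

def dt_to_filetime(dt):
    """Inverse conversion, used here only to build the constructed sample."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

def find_dormant(accounts, now):
    """Return (name, reason) for enabled accounts with no logon inside the window."""
    cutoff = now - DORMANT_AFTER - SYNC_LAG
    findings = []
    for acct in accounts:
        if int(acct["userAccountControl"]) & ACCOUNTDISABLE:
            continue  # already deactivated, nothing left to remediate
        last = filetime_to_dt(acct.get("lastLogonTimestamp"))
        if last is None:
            # Never logged on: judge by creation time so new accounts are spared.
            if acct["whenCreated"] < cutoff:
                findings.append((acct["sAMAccountName"], "never logged on"))
        elif last < cutoff:
            findings.append((acct["sAMAccountName"], f"last logon {last:%Y-%m-%d}"))
    return findings

# Constructed sample: (name, userAccountControl, created N days ago, last logon N days ago)
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
ROWS = [("alice", 512, 900, 3), ("bob", 512, 900, 500), ("carol", 514, 900, 800),
        ("dave", 512, 900, 370), ("svc_old", 512, 700, None), ("newhire", 512, 10, None)]
SAMPLE = [{"sAMAccountName": n, "userAccountControl": u,
           "whenCreated": NOW - timedelta(days=c),
           "lastLogonTimestamp": None if l is None else dt_to_filetime(NOW - timedelta(days=l))}
          for n, u, c, l in ROWS]

if __name__ == "__main__":
    for name, reason in find_dormant(SAMPLE, NOW):
        print(f"{name}: {reason}")
```

In the sample, `dave` (370 days) falls inside the lag allowance and is not reported, while `carol` is skipped because the account is already disabled.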
Monitoring Active Directory for Signs of Compromise
The LastLogonTimeStamp Attribute - What it was designed for and how it works
Name: Dormant Accounts
Codename: C-SLEEPING-ACCOUNTS
Severity: Medium