Windows anomalous user name
Goal
Detects users that are rarely or unusually active compared to other users, using a rare function that detects values that occur rarely over time or rarely across a population.
Description
Searches for activity from users who are not normally active, which can indicate unauthorised changes, activity by unauthorised users, lateral movement, and compromised credentials.
In organisations, new usernames are not created often, apart from specific types of system activity such as creating accounts for new employees. These user accounts quickly become active and routine.
Events from rarely used usernames can point to suspicious activity.
Additionally, automated Linux fleets tend to see activity from rarely used usernames only when personnel log in to make authorised or unauthorised changes, or threat actors have acquired credentials and log in for malicious purposes. Unusual usernames can also indicate pivoting, where compromised credentials are used to try to move laterally from one host to another.
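The two notions of "rare" that this rule relies on, rare across the population of users and rare over time, can be illustrated with a small stand-alone script. This is an added example, not the rule's own detection logic or any vendor code; it runs over a constructed set of events whose field names follow the rule's required fields (hostName, processName, userName, action) plus an assumed timestamp field, ts, and the thresholds (a 5% share of all events, a 14-day silence) are arbitrary choices for the illustration.

```python
"""Rare-username detection over a constructed Windows event sample.

Added example (not the rule's own logic). Shows the two notions of "rare"
used in the rule description:
  - rare in population: a user name responsible for a tiny share of all events
  - rare in time: a user name that reappears after a long silence
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def _gen(user, host, process, start, n_days):
    """Constructed helper: one logon event per day for n_days, starting at start."""
    base = datetime.fromisoformat(start)
    return [
        {"ts": (base + timedelta(days=i)).isoformat(), "hostName": host,
         "processName": process, "userName": user, "action": "logon"}
        for i in range(n_days)
    ]


# Constructed sample events (not real telemetry). Field names follow the
# rule's required fields; "ts" is an assumed timestamp field.
SAMPLE_EVENTS = (
    _gen("alice", "WS-01", "explorer.exe", "2024-03-01T08:00:00", 10)
    + _gen("bob", "WS-02", "explorer.exe", "2024-03-01T08:30:00", 10)
    + _gen("svc_backup", "SRV-01", "backup.exe", "2024-03-01T02:00:00", 10)
    # carol: active once, then silent for 19 days before reappearing on a server
    + _gen("carol", "WS-03", "explorer.exe", "2024-03-01T09:00:00", 1)
    + _gen("carol", "SRV-01", "powershell.exe", "2024-03-20T23:10:00", 1)
    # j.doe.tmp: a single event in the whole window
    + _gen("j.doe.tmp", "SRV-02", "cmd.exe", "2024-03-05T03:15:00", 1)
)


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def rare_by_population(events, max_share=0.05):
    """Users whose share of all events is at most max_share -> {user: count}."""
    counts = Counter(e["userName"] for e in events)
    total = sum(counts.values())
    return {u: c for u, c in counts.items() if total and c / total <= max_share}


def rare_in_time(events, min_gap=timedelta(days=14)):
    """Users that reappear after at least min_gap of silence -> {user: longest gap}."""
    seen = defaultdict(list)
    for e in sorted(events, key=_ts):
        seen[e["userName"]].append(_ts(e))
    out = {}
    for user, times in seen.items():
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        if gaps and max(gaps) >= min_gap:
            out[user] = max(gaps)
    return out


def anomalous_users(events, max_share=0.05, min_gap=timedelta(days=14)):
    """Combine both checks -> {user: [reasons]}; a user may carry both reasons."""
    reasons = defaultdict(list)
    for user in rare_by_population(events, max_share):
        reasons[user].append("rare_in_population")
    for user in rare_in_time(events, min_gap):
        reasons[user].append("rare_in_time")
    return dict(reasons)


def context(events, user):
    """Triage context for a flagged user: the distinct (host, process, action) tuples."""
    return {(e["hostName"], e["processName"], e["action"])
            for e in events if e["userName"] == user}


if __name__ == "__main__":
    for user, why in anomalous_users(SAMPLE_EVENTS).items():
        print(user, why, sorted(context(SAMPLE_EVENTS, user)))
```

On the constructed data, j.doe.tmp is flagged as rare in the population (1 of 33 events) but not in time, while carol is flagged only in time: her 2 of 33 events exceed the 5% share, yet the 19-day gap before she reappears on a server from powershell.exe is what makes her activity unusual. The context function shows why hostName and processName are required fields: the user name alone says little until it is paired with where and how the account was used.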
Characteristics
Type
Windows
Data source
AD logs or Windows Threat Hunting
Required fields
hostName
processName
userName
action
Last updated