The User Who Woke Up From a Coma

Test Guide


Imagine this: An old toy, forgotten and covered with dust, suddenly starts moving on its own after years of inactivity. Creepy, right? This eeriness is not limited to the world of fictional horror movies. In the digital realm, a similar unsettling scenario occurs when a user account, dormant for an extended period, suddenly springs back to life with a new login. At first glance, it might seem like an ordinary event, perhaps the account owner recalling an old service they once used. But in the landscape of cybersecurity, this could be a harbinger of a potential security breach or malicious activity.

Such sudden bursts of activity from long-inactive accounts can be more than just anomalies. They may indicate vulnerabilities in your systems, risks of data breaches, or even insider threats. Identifying, monitoring, and managing these “awakenings” is vital for any organization keen on safeguarding its digital assets and reputation.

In order to check if you will receive a notification of such activity in time, perform the following actions:

Run This Powershell Scrip:

					Import-Module ActiveDirectory
# Get all active users and include the LastLogonTimestamp property
$users = Get-ADUser -Filter 'Enabled -eq $true' -Property LastLogonTimestamp
# Process users, excluding those with null LastLogonTimestamp, and get the top 10 sorted by last login time
$users | Where-Object { $_.LastLogonTimestamp -ne $null } | ForEach-Object {
    $lastLogin = [datetime]::FromFileTime($_.LastLogonTimestamp)
    New-Object PSObject -Property @{
        "Username" = $_.SamAccountName
        "Last Login" = $lastLogin
} | Sort-Object "Last Login" | Select-Object -First 10 | Format-Table -AutoSize

As Administrator,

If you will find there users that need to be deleted, before you delete those users, you have the option to test Your SOC:

  1. Reset the password for one of those users
  2. Login with this User:

    • By Log out and Login with a new User
    • Open one of the applications with the option Run as Different User

This is something that should be triggered as suspicious.

Leaving a user account active in a system like Active Directory after the user has left an organization is a significant security risk. Here’s why:

  1. Unauthorized Access: If the credentials for the account fall into the wrong hands, unauthorized users could gain access to sensitive data or systems.
  2. Lack of Accountability: If the account is used for malicious purposes, tracking the responsible individual becomes challenging, as the account is still associated with the former employee.
  3. Compliance Risks: Various regulations require proper control and monitoring of access to sensitive data. Keeping old user accounts can lead to non-compliance, which might result in fines or other penalties.
  4. Increased Attack Surface: Every active account is a potential entry point for attackers. The more unnecessary accounts you have, the larger your attack surface, and the more effort that must be spent monitoring and maintaining those accounts.
  5. Data Leakage: If the account still has access to sensitive information, it could lead to data leaks if misused, either intentionally or accidentally.
  6. Complication in Auditing: Having unnecessary active accounts can lead to confusion and complications during auditing processes, making it more difficult to maintain a clear picture of who has access to what within the organization.
  7. Potential for Miscommunication: If automated emails or notifications are still being sent to the account, it can lead to a breakdown in communication within the organization or with clients if important messages are not being monitored or forwarded.

With the CyRay Monitoring Platform, your account’s activity, dormant or active, is always under our vigilant watch. Initiate monitoring at any time and benefit from real-time alerts, ensuring no suspicious move goes unnoticed. Stay secure with CyRay.

To receive  “Test your SOC” directly to your mail: Click Here.

Discovered Limitations in Your SIEM? Left Wanting More?

Schedule a call directly with our experts: Click Here.

More to explorer

New Deployed Rules

Process CreationSuspicious Execution Location Of Wermgr.EXEPotential CVE-2023-36874 Exploitation – Fake Wermgr ExecutionNetwork Reconnaissance ActivityNode Process ExecutionsNslookup PowerShell Download Cradle – Process CreationSuspicious

New Deployed Rules

Account ManagementOutgoing Logon with New CredentialsRottenPotato Like Attack PatternScanner PoC for CVE-2019-0708 RDP RCE Vuln File EventWebDAV Temporary Local File CreationSCR File

New Deployed Rules

Process CreationMMC20 Lateral Movement Process CreationMMC Spawning Windows Shell Process CreationPotential Arbitrary Command Execution Using Msdt.EXE Process CreationSuspicious MSDT Parent Process Process

Sign up for our newsletter

Time to market

One-day SIEM integration