Shared and Linked Accounts

Shared Accounts

A shared account is an account that more than one user accesses. Instead of a one-to-one ratio, there is a many-to-one ratio. This is typically the result of users sharing passwords with one another.

Tracking and eliminating shared accounts is a common requirement for compliance regulations, because it ensures employee accountability for their user account’s actions.

Shared accounts are considered a yellow flag, so Rapid7 recommends reviewing these accounts as soon as possible.

To see a list of shared accounts, go to Users & Accounts on the lefthand menu. Click on the Shared Accounts metric. You will see the target accounts, the source accounts count, and when a login was last seen.

This view displays information such as authentication activity, accounts, authentications to other accounts, and authentication from other users.

Impersonation

Microsoft describes impersonation as when any user logs into their local system or a remote system with a different account other than their current account, which the asset will record.

All impersonations are reported back to InsightIDR by the Insight Agent Scan, where they are presented as Linked Accounts or Shared Accounts.

You can review accounts that log in to target accounts, or target accounts themselves, on the Shared Accounts page or in an individual User Details page.

Linked Accounts

Linked accounts are similar to shared accounts, in that account A logs in as linked account B, and possibly vice-versa, but no other users access either account A or account B.

A typical example of a linked account is when an administrator logs into their domain admin account in order to perform some administrative activity. As long as no other users use that domain admin credential, the low-privilege user and the admin user are presented as a pair on the Linked Accounts page.

This list will grow with more authentication events where InsightIDR notices the source account does not match the destination account.

Clicking on a source account displays user info, activity, accounts, assets, cloud services, mobile devices, and Intrusion Detection System (IDS) alerts.

Clicking on a target account displays user info, accounts, and applications.

When Does Linked Become a Shared Account?

An account moves from linked to shared when InsightIDR witnesses more than one user authenticating with the target account’s credentials.

These accounts may be an example of users sharing their credentials, or even an attacker using a compromised account as a jumping point to other accounts to move laterally across the network.

The Linked Accounts page displays a list of linked accounts and related information, including source accounts, target accounts, and the date the account was last seen.