During an investigation, we often find unused admin accounts: historical admin accounts with weak passwords, originally created for a specific purpose many moons ago, still lurking and waiting to be abused by threat actors. Chances are those accounts aren't monitored by anyone, and when one starts being used, nobody notices.
We commonly hear: "Oh, that's for an old supplier, or a general-use admin account, but we haven't used it in years."
Unfortunately for the victim, that old admin account had been used to maintain persistence and ultimately deploy ransomware across their network.
It is important to review your admin accounts regularly and delete those no longer required; a privileged account that has not logged on in months is a candidate for removal, and any logon by such an account should raise an alert. Additionally, if a new service or supplier requires admin privileges on your network, you should have a process to question why, and to formally approve or reject the request. If granted, ensure the account is given the least privilege necessary for the task, and monitor it.
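The review and the monitoring described above can be turned into two simple checks: list privileged accounts that have been dormant longer than a threshold, and alert whenever one of those dormant accounts authenticates, successfully or not. The following is an added example and is not code from the original post; the account inventory, the log format, the `DORMANT_DAYS` threshold and the function names are all assumptions constructed for illustration, and a real deployment would read its inventory and events from the directory and log source in use.

```python
"""Added example (not from the original post): flag dormant privileged
accounts for review and alert when one of them is used again.

Assumptions, all constructed for illustration:
- ACCOUNTS is an export of privileged accounts with their last-logon time
  (for example from a directory audit); the field layout is hypothetical.
- AUTH_LOG is a handful of constructed authentication events in a simple
  "timestamp user result" form; real sources (Windows 4624/4625 events,
  syslog auth lines) would need their own parser.
"""
from datetime import datetime, timedelta, timezone

DORMANT_DAYS = 90  # review threshold; pick a value that matches your policy

# Time the inventory snapshot was taken (constructed)
SNAPSHOT_TIME = datetime(2024, 6, 1, tzinfo=timezone.utc)

# Constructed privileged-account inventory: name -> last logon (UTC) or None
ACCOUNTS = {
    "svc_backup_admin": datetime(2019, 3, 11, tzinfo=timezone.utc),  # old supplier account
    "it_admin": datetime(2024, 5, 30, tzinfo=timezone.utc),
    "legacy_admin": None,  # never logged on since creation
    "alice.adm": datetime(2024, 6, 1, tzinfo=timezone.utc),
}

# Constructed authentication events recorded after the snapshot
AUTH_LOG = """\
2024-06-02T01:14:07Z alice.adm success
2024-06-02T03:22:41Z svc_backup_admin failure
2024-06-02T03:22:55Z svc_backup_admin success
2024-06-02T08:00:00Z it_admin success
"""


def dormant_accounts(accounts, now, dormant_days=DORMANT_DAYS):
    """Return, sorted, the privileged accounts with no logon within
    `dormant_days` of `now`. Accounts that never logged on count as dormant."""
    cutoff = now - timedelta(days=dormant_days)
    return sorted(
        name for name, last in accounts.items()
        if last is None or last < cutoff
    )


def parse_auth_log(text):
    """Parse the constructed 'timestamp user result' lines into
    (datetime, user, result) tuples, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, result = line.split()
        # fromisoformat() on older Pythons does not accept a trailing 'Z'
        stamp = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append((stamp, user, result))
    return events


def dormant_account_alerts(accounts, events, now, dormant_days=DORMANT_DAYS):
    """Alert on any authentication event, successful or failed, by an account
    that was dormant at the snapshot. Failures matter too: repeated failures
    against a legacy account can be password guessing against a weak password."""
    dormant = set(dormant_accounts(accounts, now, dormant_days))
    return [
        (stamp.isoformat(), user, result)
        for stamp, user, result in events
        if user in dormant
    ]


if __name__ == "__main__":
    print("Dormant admin accounts to review:",
          dormant_accounts(ACCOUNTS, SNAPSHOT_TIME))
    for alert in dormant_account_alerts(ACCOUNTS, parse_auth_log(AUTH_LOG), SNAPSHOT_TIME):
        print("ALERT dormant admin used:", alert)
```

On the constructed data the review lists `legacy_admin` and `svc_backup_admin`, and the alert function fires twice for `svc_backup_admin`, once for the failed attempt and once for the success that follows it, which is the pattern worth paging someone for.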