Privileged Users
SCKIPT is an initiative created by Sergio Albea that focuses on detecting user behaviours that can put the security of our systems at risk. More explanations here.
Initially, SCKIPT focused on the behavior of Standard Users, referring to accounts with no privileges or advanced roles. In 2025, it was upgraded to include the monitoring of Privileged User behavior, ensuring that they do not abuse their assigned roles and that all their activities are effectively tracked.
UB – User Behaviour, Rp – Related Page, K – KQL Queries, W – WebSites, M – MITRE ATT&CK Reference
SCKIPT User Behaviour Matrix (Privileged Users)

Source (UB) | Case Scenario (C) | Known Interactions (K) | Protection (P) | Threats (T) |
---|---|---|---|---|
PUB1. Privileged Accounts | PUB1.C1 – BreakGlass Accounts | UB1.C1.K1 – P.User sign-in with BreakGlass accounts. | UB1.C1.K1.P1 – Requires approval from two individuals to log into BreakGlass accounts. | UB1.C1.K1.T1 – P.Users log in with BreakGlass accounts without justified reasons. |
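
One way to check case PUB1.C1 in KQL, as an added example that is not part of the SCKIPT page or project: it flags BreakGlass sign-ins that lack approvals from two distinct individuals shortly before the sign-in. The account names, the `Approvals` table and its columns, and the 4-hour window are hypothetical; the inline `datatable` rows are constructed sample data standing in for `SigninLogs` and for wherever approvals are recorded.

```kql
// Hypothetical BreakGlass account names and approval window (assumptions).
let BreakGlassAccounts = dynamic(["bg-admin1@example.com", "bg-admin2@example.com"]);
let ApprovalWindow = 4h;
// Constructed sign-in events; in a workspace, replace SignIns with SigninLogs.
let SignIns = datatable(TimeGenerated:datetime, UserPrincipalName:string, IPAddress:string)[
    datetime(2025-03-01 09:10:00), "bg-admin1@example.com", "203.0.113.10",
    datetime(2025-03-01 14:30:00), "BG-Admin2@example.com", "203.0.113.25",
    datetime(2025-03-02 02:05:00), "bg-admin1@example.com", "198.51.100.7",
    datetime(2025-03-02 08:00:00), "alice@example.com",     "203.0.113.10"
];
// Constructed approval records (hypothetical table and schema).
let Approvals = datatable(ApprovedAt:datetime, Account:string, Approver:string)[
    datetime(2025-03-01 08:30:00), "bg-admin1@example.com", "approver-a@example.com",
    datetime(2025-03-01 08:45:00), "bg-admin1@example.com", "approver-b@example.com",
    datetime(2025-03-01 14:00:00), "bg-admin2@example.com", "approver-a@example.com",
    datetime(2025-03-01 14:05:00), "bg-admin2@example.com", "Approver-A@example.com"
];
SignIns
// Keep only sign-ins made with a BreakGlass account (case-insensitive match).
| where UserPrincipalName in~ (BreakGlassAccounts)
| extend Account = tolower(UserPrincipalName)
// Left outer join so sign-ins with no approval record at all are still kept.
| join kind=leftouter (
    Approvals
    | extend Account = tolower(Account), Approver = tolower(Approver)
  ) on Account
// An approval counts only if it was given within the window before the sign-in.
| extend Valid = isnotnull(ApprovedAt)
    and ApprovedAt between ((TimeGenerated - ApprovalWindow) .. TimeGenerated)
// Count distinct approvers per sign-in; the same person approving twice counts once.
| summarize ApproverCount = dcountif(Approver, Valid),
            Approvers = make_set_if(Approver, Valid)
    by TimeGenerated, UserPrincipalName, IPAddress
// Fewer than two distinct approvers: the sign-in was not justified by two individuals.
| where ApproverCount < 2
| order by TimeGenerated asc
```

On the constructed rows, the 14:30 sign-in is flagged because one person approved twice, and the 02:05 sign-in is flagged because the earlier approvals fall outside the window.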