Each user on a network may be assigned a user account that provides the user with access to a computing device and/or various network applications and services. A user's account may allow a network to authenticate a user and may enable the user to access the network's applications and services. Typically, each user may be authenticated by logging into a user account using passwords or other credentials; once authenticated, each user may be authorized to access different applications, services, or other resources on the network.
An information technology (IT) administrator (e.g., a network administrator) using an IT administration account (e.g., a network administrator account) may have greater access to network applications, services, machines, or other resources than a typical user. As accounts with high-level privileges, IT administration accounts may be high-value targets for attackers seeking to gain access to highly sensitive or confidential information, such as financial information, defense-related information, and/or intellectual property (e.g., source code), and/or simply to disrupt an entity's operations. Accordingly, the instant disclosure identifies and addresses a need for detecting compromised IT administration accounts.