Hi All,
When the Password Safe Detailed Discovery Scan runs against a Windows server, the BTExecService agent deployed on the scanned server enumerates the members of all local admin groups, so these can eventually be onboarded and managed by Password Safe. We have observed that Group Memberships for each enumerated account are also checked. This enumeration process is causing the LastLogonTimeStamp for the enumerated accounts to be updated, generating logon events attributed to the Discovery Scan agent BTExecExt.Phoenix.exe, even though no actual logon operation took place.
In fact, according to the Microsoft article below, the LastLogonTimeStamp attribute can be updated and trigger a logon event even if the user has not logged on. This behaviour is an artifact of a Kerberos operation known as Service-for-User-to-Self (S4u2Self), in which a client/service can request a ticket for a user that is only useful for things like determining Access Checks or Group Membership.
As the accounts enumerated by the scanners include highly privileged Break-Glass accounts, those scans are causing P1 incidents in our organisation, as BG accounts are closely monitored for unauthorised use.
Regards,
Dheeraj.
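
One way to triage the resulting break-glass alerts, as an added example that is not part of the original post or of the product: a logon event for a break-glass account is treated as a scan artifact only when the reporting process is `BTExecExt.Phoenix.exe` and the host and time match a scheduled Discovery Scan. The account names, host names, scan window, agent path and record field names are all constructed assumptions.

```python
from datetime import datetime

# Assumptions (not from the post): account names, host names, the scan window,
# the agent install path and the field names of the exported logon records.
BREAK_GLASS = {"bg-admin01", "bg-admin02"}
SCANNER_IMAGE = "btexecext.phoenix.exe"  # process name given in the post
SCAN_WINDOWS = {  # host -> (start, end) of its scheduled Detailed Discovery Scan
    "SRV-APP01": (datetime(2024, 5, 6, 1, 0), datetime(2024, 5, 6, 2, 0)),
}

def triage(event):
    """Return 'ignore', 'scan-artifact' or 'investigate' for one logon event."""
    if event["TargetUserName"].lower() not in BREAK_GLASS:
        return "ignore"
    image = event.get("ProcessName", "").rsplit("\\", 1)[-1].lower()
    window = SCAN_WINDOWS.get(event["Computer"])
    when = datetime.fromisoformat(event["TimeCreated"])
    # The process name alone is not trusted: any binary can carry that name,
    # so the host and the time must also match a scheduled scan.
    if image == SCANNER_IMAGE and window and window[0] <= when <= window[1]:
        return "scan-artifact"
    return "investigate"

def triage_all(events):
    return [triage(e) for e in events]

AGENT = "C:\\AGENT_DIR_PLACEHOLDER\\BTExecExt.Phoenix.exe"  # placeholder path
SAMPLE_EVENTS = [  # constructed records, not real log data
    {"TargetUserName": "bg-admin01", "Computer": "SRV-APP01",
     "TimeCreated": "2024-05-06T01:15:00", "ProcessName": AGENT},
    {"TargetUserName": "bg-admin01", "Computer": "SRV-APP01",
     "TimeCreated": "2024-05-06T14:30:00", "ProcessName": AGENT},
    {"TargetUserName": "bg-admin02", "Computer": "SRV-APP01",
     "TimeCreated": "2024-05-06T01:20:00",
     "ProcessName": "C:\\Windows\\System32\\svchost.exe"},
    {"TargetUserName": "svc-backup", "Computer": "SRV-APP01",
     "TimeCreated": "2024-05-06T01:25:00", "ProcessName": AGENT},
    {"TargetUserName": "bg-admin01", "Computer": "SRV-DB02",
     "TimeCreated": "2024-05-06T01:15:00", "ProcessName": AGENT},
]

if __name__ == "__main__":
    for ev, verdict in zip(SAMPLE_EVENTS, triage_all(SAMPLE_EVENTS)):
        print(ev["TimeCreated"], ev["Computer"], ev["TargetUserName"], verdict)
```

Events classified as `scan-artifact` are better downgraded and kept than dropped, so the record of each scan touching a break-glass account stays available for review.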