What is Prolific User ?

Prolific users are standard user accounts, as defined by all AD parameters, that have access privileges to an exceedingly high number of machines.

Prolific users are not subject to the same monitoring and protection measures placed over admin users. Technically, they are not even admins, since they are not included in any administrative user group. This makes them a highly lucrative target for compromise, as they yield a similar result as the compromise of an admin account and are less likely to be protected.

Once compromised, attackers gain a direct route into the same resources as these prolific user accounts, facilitating a rapid and efficient lateral movement process.

There is no straightforward way to know in advance if a user account is prolific or not. However, given their relatively large number, attackers stand a good chance of finding one simply by trying to use a standard compromised account to move laterally.