Service-to-Service Trust Abuse
Info
ID: AT-EC004
Tactic: Expanding Control
Sub-techniques: Overprivileged Service Account Exploitation, Token Replay or Reuse Attacks
Platforms: Linux, macOS, Windows, IaaS
Permissions Required: User, Service Account
Version: 1.0
Service-to-Service Trust Abuse
Adversaries may capitalize on implicit trust relationships between different microservices or application components. For instance, they could replay or forge authentication tokens that one service uses to communicate with another, thereby bypassing conventional login flows. Exploiting these trust relationships allows movement between services that assume each other's identity automatically.
Modern architectures frequently rely on short-lived tokens, mTLS, or identity proxies to manage service-to-service access. If any of these controls is misconfigured - or if an attacker finds a way to steal or replay a valid token - every service that accepts that token becomes reachable, and the compromise spreads across the mesh of interconnected services. Abuse of trust paths is often stealthy, since each request carries valid credentials and looks legitimate from a networking perspective.
Detection
| ID | Data Source | Detection |
|---|---|---|
| DS0015 | Application Log | Identify JWT/OAuth tokens used from multiple pods or IPs within TTL — a sign of token replay across microservices. |
| DS0029 | Network Traffic Flow | Detect east-west traffic spikes or new service-to-service pairs not present in baseline service-mesh topology. |
| DS0002 | User Account Authentication | Alert when a service account authenticates to another service outside its namespace or after privilege elevation. |
| DS0031 | Service Mesh Logs | Leverage mTLS handshake logs to surface certificate/key mismatches or sudden CN changes. |
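The first two detection rows (DS0015 and DS0029) reduce to queries over service-mesh access logs. The following Python is an added example, not part of the original page or any product's detection content: it runs both checks over a handful of constructed JSON log lines (service names, IPs and token ids are all made up) and assumes each line records the caller identity from the mTLS peer certificate (`src_svc`), the caller's IP, the callee, and the `jti` of the bearer token presented. The replay check anchors the window at the first time a `jti` is seen and flags it when more than one source IP uses it inside the token TTL; the topology check flags any caller-callee pair absent from a baseline set.

```python
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample service-mesh access-log lines (JSON, one per line).
# src_svc is the caller identity taken from the mTLS peer certificate; jti is
# the id of the bearer token the caller presented. No value here is from the page.
SAMPLE_LOG = """\
{"ts": "2024-05-01T12:00:00+00:00", "src_svc": "checkout", "src_ip": "10.0.1.5", "dst_svc": "payments", "jti": "t-1001"}
{"ts": "2024-05-01T12:00:10+00:00", "src_svc": "frontend", "src_ip": "10.0.2.2", "dst_svc": "checkout", "jti": "t-1002"}
{"ts": "2024-05-01T12:00:12+00:00", "src_svc": "frontend", "src_ip": "10.0.2.2", "dst_svc": "checkout", "jti": "t-1002"}
{"ts": "2024-05-01T12:00:20+00:00", "src_svc": "checkout", "src_ip": "10.0.1.5", "dst_svc": "inventory", "jti": "t-1003"}
{"ts": "2024-05-01T12:01:30+00:00", "src_svc": "debug-shell", "src_ip": "10.0.3.9", "dst_svc": "payments", "jti": "t-1001"}
{"ts": "2024-05-01T12:20:00+00:00", "src_svc": "checkout", "src_ip": "10.0.1.7", "dst_svc": "payments", "jti": "t-1001"}
"""

# Constructed baseline of caller-callee pairs observed during normal operation.
BASELINE_PAIRS = {
    ("frontend", "checkout"),
    ("checkout", "payments"),
    ("checkout", "inventory"),
}


def parse_log(text):
    """Turn JSON-lines access logs into a list of dicts with parsed timestamps."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return events


def find_token_replay(events, ttl_seconds=300):
    """DS0015: same jti used from more than one source IP inside the token TTL.

    The window is anchored at the first time the jti was seen, so a use that is
    far outside the TTL (an expired token) is not counted here; that is a
    separate signal. Returns {jti: sorted list of source IPs}.
    """
    by_jti = defaultdict(list)
    for e in events:
        by_jti[e["jti"]].append((e["ts"], e["src_ip"]))
    findings = {}
    for jti, uses in by_jti.items():
        uses.sort()
        first_seen = uses[0][0]
        ips = {ip for ts, ip in uses if (ts - first_seen).total_seconds() <= ttl_seconds}
        if len(ips) > 1:
            findings[jti] = sorted(ips)
    return findings


def find_new_pairs(events, baseline):
    """DS0029: caller-callee pairs that do not appear in the baseline topology."""
    seen = {(e["src_svc"], e["dst_svc"]) for e in events}
    return sorted(seen - set(baseline))


def main():
    events = parse_log(SAMPLE_LOG)
    for jti, ips in find_token_replay(events).items():
        print(f"token {jti} replayed from {len(ips)} IPs within TTL: {', '.join(ips)}")
    for src, dst in find_new_pairs(events, BASELINE_PAIRS):
        print(f"new service-to-service pair outside baseline: {src} -> {dst}")


if __name__ == "__main__":
    main()
```

On the sample data the replay check flags `t-1001` (used by the `checkout` pod and 90 seconds later by a `debug-shell` pod at another IP), and the topology check flags `debug-shell -> payments`. The two findings reinforce each other: the replayed token came from a caller whose mTLS identity has no business calling `payments`, which is exactly the mismatch the DS0031 row asks for.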
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1026 | Privileged Account Management | Enforce fine-grained, short-lived tokens and rotate service credentials every few minutes. |
| M1018 | User Account Management | Disable default Kubernetes service-account token mounting and require explicit opt-in. |
| M1030 | Network Segmentation | Apply zero-trust service mesh policies that require explicit ACLs for every caller-callee pair. |
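M1026 asks for fine-grained, short-lived tokens, and the detection table notes that a replayed token inside its TTL still looks valid on the wire. The receiving side can close that gap itself. The Python below is an added example, not code from the page or from any service-mesh product: it mints and verifies a minimal HS256 JWT with a shared secret (a stand-in for the asymmetric or mTLS-bound credentials a real mesh would use), and the verifier enforces the properties that make such tokens hard to abuse: signature before anything else, audience pinned to the callee, expiry plus a maximum issued lifetime, and a single-use `jti` cache so a second presentation of the same token is refused. Service names, the key and timestamps are constructed.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(key: bytes, issuer: str, audience: str, ttl_seconds: int = 120, now=None) -> str:
    """Issue an HS256 JWT bound to one callee (aud) with a short lifetime and a unique jti.

    HS256 with a shared secret is used only to keep the example self-contained;
    a mesh would normally bind tokens to per-service keys or mTLS identities.
    """
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": issuer, "aud": audience, "iat": now,
               "exp": now + ttl_seconds, "jti": secrets.token_hex(8)}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(payload).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


class TokenVerifier:
    """The checks a callee runs on every inbound bearer token."""

    def __init__(self, key: bytes, audience: str, max_ttl: int = 300):
        self.key = key
        self.audience = audience   # this service's own name; tokens for other callees are refused
        self.max_ttl = max_ttl     # refuse long-lived tokens even when correctly signed
        self._seen = {}            # jti -> exp; single-use cache that makes replay fail

    def verify(self, token: str, now=None) -> dict:
        now = int(time.time()) if now is None else now
        parts = token.split(".")
        if len(parts) != 3:
            raise ValueError("malformed token")
        header_b64, payload_b64, sig_b64 = parts
        # 1. Signature first: nothing inside the token is trusted until this passes.
        expected = hmac.new(self.key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            raise ValueError("bad signature")
        if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
            raise ValueError("unexpected alg")
        payload = json.loads(_b64url_decode(payload_b64))
        # 2. Audience binding: a token minted for another service must not work here.
        if payload.get("aud") != self.audience:
            raise ValueError("audience mismatch")
        # 3. Lifetime: expired, or issued with a TTL longer than policy allows.
        if payload["exp"] <= now:
            raise ValueError("expired")
        if payload["exp"] - payload["iat"] > self.max_ttl:
            raise ValueError("ttl exceeds policy")
        # 4. Single use: the same jti presented twice is a replay.
        self._seen = {j: e for j, e in self._seen.items() if e > now}  # drop expired entries
        if payload["jti"] in self._seen:
            raise ValueError("replayed jti")
        self._seen[payload["jti"]] = payload["exp"]
        return payload


def try_verify(verifier: TokenVerifier, token: str, now: int) -> str:
    """Return 'accepted' or 'rejected: <reason>' so outcomes can be compared directly."""
    try:
        verifier.verify(token, now)
        return "accepted"
    except (ValueError, KeyError) as exc:
        return f"rejected: {exc}"


def main():
    key = b"constructed-shared-secret-for-the-example"
    t0 = 1_700_000_000
    payments = TokenVerifier(key, audience="payments")
    token = mint_token(key, "checkout", "payments", ttl_seconds=60, now=t0)
    print("first use:     ", try_verify(payments, token, t0 + 5))
    print("replayed use:  ", try_verify(payments, token, t0 + 6))
    print("wrong audience:", try_verify(payments, mint_token(key, "checkout", "inventory", now=t0), t0 + 5))
    print("long TTL:      ", try_verify(payments, mint_token(key, "checkout", "payments", 3600, now=t0), t0 + 5))


if __name__ == "__main__":
    main()
```

The `jti` cache only needs to remember tokens until they expire, which is why a short TTL matters twice over: it bounds the replay window for a stolen token and keeps the single-use cache small enough to hold in memory on every replica. Pinning `aud` to the callee is what turns a token into the "explicit caller-callee pair" credential that the M1030 row describes, rather than a general-purpose key that any service in the mesh will honour.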