Info
ID: AT-EC004.001
Technique: Service-to-Service Trust Abuse
Tactic: Expanding Control
Platforms: Linux, macOS, Windows, Azure, AWS, GCP
Data Sources: Account Monitoring, Authentication Logs, Cloud Audit Logs, Process Monitoring
Permissions Required: User, Service Account
Version: 1.0
Overprivileged Service Account Exploitation
Overprivileged Service Account Exploitation occurs during the Expanding Control phase when an attacker leverages service accounts whose permissions exceed what their intended function requires. Within the Service-to-Service Trust Abuse technique, this sub-technique covers identifying and exploiting service accounts that have been granted unnecessarily broad privileges or access rights. From a compromised system, an attacker can enumerate service accounts, analyze their permission sets, and use those with elevated privileges to extend access across the environment.

Overprivileged accounts, typically created for automation, application-to-application communication, or database access, frequently hold persistent, long-lived credentials and receive little monitoring, which makes them attractive targets for lateral movement. Exploitation usually involves extracting credentials from configuration files, process memory, or connection strings, then using the account's excess permissions to reach sensitive systems, data stores, or cloud resources that are unreachable from the initial foothold. The underlying weakness is a failure to apply the principle of least privilege, which lets an attacker escalate from a single compromised host to broad access within the organization's infrastructure.
Data Sources
- Account Monitoring: Service account activity and authentication events
- Authentication Logs: Service account login and access attempts
- Cloud Audit Logs: Cloud service account activity and privilege usage
- Process Monitoring: Service account process execution and system access
Detection
Monitor for service account authentication anomalies, privilege usage patterns, and unusual access attempts. Detection strategies include:
- Service Account Privilege Analysis: Regularly audit service account permissions and flag accounts with wildcard or privilege-management rights they do not need
- Authentication Pattern Analysis: Baseline each service account's normal authentication sources and times, and alert on deviations such as interactive logons or activity outside its scheduled window
- Privilege Usage Monitoring: Track privileged actions by service accounts that fall outside their normal operations, even when the account is technically authorized to perform them
- Cross-Service Access Detection: Alert when a service account accesses resources, services, or data stores outside its intended scope
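The privilege audit and the log-based checks listed above, as an added example that is not part of the original page. It first scores IAM-style policy statements for wildcard actions, wildcard resources, and privilege-management rights, then runs constructed CloudTrail-like events against a per-account baseline of expected resources and working hours. The account names, policy documents, baselines, and events are all constructed sample data, and the field names are an assumption modelled loosely on IAM policy and CloudTrail shapes rather than any real tenant's logs.

```python
"""Added example: flag overprivileged service accounts from policy documents,
then check their activity against a per-account baseline.
All policies, baselines and events below are constructed sample data."""
from datetime import datetime, timezone

# Constructed IAM-style policies keyed by service account name (assumption:
# each value is a list of statements with Effect/Action/Resource).
POLICIES = {
    "svc-backup": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": ["arn:aws:s3:::backups-prod/*"]},
    ],
    "svc-etl": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
    ],
    "svc-reporting": [
        {"Effect": "Allow", "Action": ["iam:*", "rds:Describe*"],
         "Resource": ["*"]},
    ],
}

# Constructed per-account baseline: resource ARN prefixes the account normally
# touches and the UTC hours during which it is expected to run.
BASELINES = {
    "svc-backup": {"resources": {"arn:aws:s3:::backups-prod"}, "hours": range(1, 4)},
    "svc-etl": {"resources": {"arn:aws:s3:::warehouse-raw"}, "hours": range(0, 24)},
}

# Constructed CloudTrail-like events (sample data, not real logs).
EVENTS = [
    {"time": "2024-05-01T02:10:00Z", "principal": "svc-backup",
     "action": "s3:PutObject", "resource": "arn:aws:s3:::backups-prod/db.tar"},
    {"time": "2024-05-01T14:32:00Z", "principal": "svc-backup",
     "action": "s3:GetObject", "resource": "arn:aws:s3:::backups-prod/db.tar"},
    {"time": "2024-05-01T14:33:00Z", "principal": "svc-etl",
     "action": "secretsmanager:GetSecretValue",
     "resource": "arn:aws:secretsmanager:us-east-1:123456789012:secret:prod-db"},
    {"time": "2024-05-01T14:34:00Z", "principal": "svc-etl",
     "action": "iam:CreateAccessKey",
     "resource": "arn:aws:iam::123456789012:user/admin"},
]


def _as_list(value):
    """IAM allows a bare string where a list is expected; normalise it."""
    return [value] if isinstance(value, str) else list(value)


def audit_policy(statements):
    """Return findings for one account's Allow statements."""
    findings = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        for action in actions:
            # "*" or "service:*" grants every action in scope.
            if action == "*" or action.endswith(":*"):
                findings.append(f"wildcard action {action}")
            # Any iam: right lets the account reshape its own permissions.
            if action.startswith("iam:"):
                findings.append(f"privilege-management action {action}")
        if "*" in resources:
            findings.append("wildcard resource *")
    return findings


def overprivileged_accounts(policies):
    """Map account name -> findings, for accounts with at least one finding."""
    result = {}
    for account, statements in policies.items():
        findings = audit_policy(statements)
        if findings:
            result[account] = findings
    return result


def detect_anomalies(events, baselines):
    """Return (principal, reason, action) alerts for events that leave the baseline."""
    alerts = []
    for ev in events:
        base = baselines.get(ev["principal"])
        if base is None:
            alerts.append((ev["principal"], "no baseline for account", ev["action"]))
            continue
        ts = datetime.strptime(ev["time"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if ts.hour not in base["hours"]:
            alerts.append((ev["principal"], "outside normal hours", ev["action"]))
        if not any(ev["resource"].startswith(p) for p in base["resources"]):
            alerts.append((ev["principal"], "outside intended scope", ev["action"]))
        if ev["action"].startswith("iam:"):
            alerts.append((ev["principal"], "privilege-management call", ev["action"]))
    return alerts


if __name__ == "__main__":
    for account, findings in overprivileged_accounts(POLICIES).items():
        print(f"{account}: {', '.join(findings)}")
    for alert in detect_anomalies(EVENTS, BASELINES):
        print("ALERT", alert)
```

The static audit and the runtime check are deliberately separate: the audit tells you which accounts to tighten before any incident, while the baseline comparison catches the case the page describes, an account that is authorized to do something but has never needed to until an attacker started using its credentials. A call such as `iam:CreateAccessKey` from an ETL account should page someone even when the policy technically permits it.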
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1026 | Privileged Account Management | Implement least privilege principles for service accounts and conduct regular privilege reviews |
| M1018 | User Account Management | Implement proper service account lifecycle management and access controls |
| M1017 | User Training | Train administrators on proper service account configuration and privilege assignment |