Cleaning Up Unused Service Accounts Series – Part 1: Overview of the Process

Joe Dibley

What is a Service Account?

In this blog post I won’t go into the details of service accounts. For the purposes of this series, a service account is a user account, Managed Service Account (MSA) or Group Managed Service Account (gMSA) that is used to run a process, whether that is a Windows Service, a Scheduled Task, an IIS application pool or a credential used inside an application.

The Problem?

A lot of organisations will have hundreds, or even thousands, of service accounts in use across their Active Directory environment. It is very easy for service accounts to be created by mistake, or to be left behind unused after the system they served was decommissioned (among many other reasons). The problem with these accounts is that they present a large and potentially easy attack surface: they are typically not monitored unless they impact an application, so lockouts, password sprays or logons from unexpected systems can easily go unnoticed. They also frequently have passwords that never expire and more privilege than the process they ran ever needed.

To fix the problem going forward, a robust service account request and decommission process should be established, but a clean-up of the existing unused service accounts is still required to reach a clean state. In this series I will cover the main areas and things to look for when doing a service account clean-up, as well as how to find where the accounts are used and what they are used for. This is a process I have performed and enjoyed doing, even though it is tedious when you have many service accounts!

Clean-up Process Overview

As this is a series, each part will be a separate post. The parts are:

  1. Collation of Service Account Knowledge from the business and Active Directory
  2. Detecting Generic Windows Service Account Locations using PowerShell
  3. Using Active Directory Authentication Data to detect usage of accounts
  4. Detecting Usernames and Passwords in Configuration Files
  5. Correlate Service Account Information and get started for deletion

Collation of Service Account Knowledge from the Business and Active Directory

In a lot of companies there will be some level of business knowledge held about service accounts, such as naming conventions. If this is available then you can use it to track down service accounts in Active Directory. Below are some of the common ways companies identify service accounts:

  1. All user accounts in certain Service Account OUs
  2. Usernames (SamAccountName or Name) starting with a specific prefix, e.g. svc
  3. Descriptions, or other fields, with specific formatting
  4. Tracking documents or systems (Excel, CMDB, etc.)

Whilst this information is very helpful in finding old and application-based service accounts, it is not strictly required. If none of it is available, then use the “Accounts Not Logged in for 90 Days” query under the helpful queries section as your base list of old accounts that are not being used, and treat the other queries as ways to narrow it down. Note that none of these signals is authoritative on its own: an account can live outside the service account OU, carry no prefix and have an empty description and still be running a critical service, so the results are a starting point for the later parts of the series, not a deletion list.

Helpful Queries

Below are some helpful snippets that can be used in PowerShell to perform queries against AD using the information you have gathered. They all require the ActiveDirectory module (installed with the RSAT tools) and an account that can read the domain. All snippets are commented so it should be easy to figure out what to put in the variables. They all export to CSV for use with Excel (or other applications) so you can easily look at the data they have collected; -NoTypeInformation is used on Export-Csv so the first row of the file is the header row rather than the #TYPE line that Windows PowerShell otherwise adds.

All Users in a Single OU

# All Users in a single OU (Including Sub OUs)
Import-Module ActiveDirectory
$Org_Unit = "" # Distinguished Name of OU, e.g. OU=Service Accounts,DC=corp,DC=com
$CSV_File_Path = "" # Path to CSV File for Output
$Service_Accounts = Get-ADUser -Filter "*" -SearchBase $Org_Unit -Properties * # Modify Properties if you only want to return certain properties
$Service_Accounts | Export-Csv -Path $CSV_File_Path -NoTypeInformation

All Users in Multiple OUs Imported From a CSV File

This will use the input of a CSV file where cell A1 is the header DistinguishedName and A2 and below are the actual DistinguishedNames of the OUs, e.g. OU=Service Accounts,DC=corp,DC=com

# All Users in multiple OUs from Excel list
Import-Module ActiveDirectory
$CSV_OUs_To_search = "" # CSV File with a header of DistinguishedName and then the DistinguishedNames of the OUs to search below
$CSV_File_Path = "" # Path to CSV File for Output
$OUs_To_Search = Import-Csv -Path $CSV_OUs_To_search
$Service_Accounts = @() # Start with an empty array so += appends rather than failing on the first OU
foreach ($OU in $OUs_To_Search)
{
	$Org_Unit = $OU.DistinguishedName # The Property name is the header row of the CSV File
	$Service_Accounts += Get-ADUser -Filter "*" -SearchBase $Org_Unit -Properties * # Modify Properties if you only want to return certain properties
}
$Service_Accounts | Export-Csv -Path $CSV_File_Path -NoTypeInformation

All Accounts Whose SAMAccountName Start With a Specific Prefix

This query can be used to detect accounts whose names start with a specific prefix, such as SRV or SVC, to name two common ones.

# All Service Account Names start with a specific Prefix
Import-Module ActiveDirectory
$Prefix = "" # Input the Prefix that has been used for service accounts, e.g. svc
$CSV_File_Path = "" # Path to CSV File for Output
# The filter is built as a string: a variable inside a quoted string within the { } filter form is not expanded by the AD provider
$Service_Accounts = Get-ADUser -Filter "SAMAccountName -like '$Prefix*'" -Properties *
$Service_Accounts | Export-Csv -Path $CSV_File_Path -NoTypeInformation

All Accounts Which have a Specific Description

This can be used to find accounts that have specific descriptions. Sometimes companies will put “Service Account” or “Service Account for <Application>” in the description, in which case a wildcard search (e.g. "Service Account*" or "*Service Account*") can be used to get the information needed.

# All Service Accounts have a specific Description
Import-Module ActiveDirectory
$Description = "" # Input the Description that has been used for service accounts; include * wildcards for a partial match, e.g. "Service Account*"
$CSV_File_Path = "" # Path to CSV File for Output
$Service_Accounts = Get-ADUser -Filter { Description -like $Description } -Properties *
$Service_Accounts | Export-Csv -Path $CSV_File_Path -NoTypeInformation

Using a CSV File With Multiple SAMAccountNames to Retrieve User Accounts in Active Directory

If tracking documents are already in place then use them to collate the SAMAccountNames into a CSV file where cell A1 is the header SAMAccountName and A2 and below are the actual SAMAccountNames of the service accounts.

# All Service Account Names are known from CMDB/Excel doc etc. Collate SAMAccountNames into CSV with header row of SAMAccountName
Import-Module ActiveDirectory
$CSV_SAMAccountNames = "" # Path to a CSV with multiple SAMAccountNames
$CSV_File_Path = "" # Path to CSV File for Output
$SAMAccountNames = Import-Csv -Path $CSV_SAMAccountNames
$Service_Accounts = @() # Start with an empty array so += appends
foreach ($Account in $SAMAccountNames)
{
	$SAMAccountName = $Account.SAMAccountName # Getting the SAMAccountName into its own variable so the filter can reference it

	$Found = Get-ADUser -Filter { SAMAccountName -eq $SAMAccountName } -Properties *
	if ($Found) { $Service_Accounts += $Found }
	else { Write-Warning "$SAMAccountName is in the tracking document but does not exist in AD" } # Worth recording: the document is out of date
}
$Service_Accounts | Export-Csv -Path $CSV_File_Path -NoTypeInformation

Accounts Not Logged in for 90 Days

If you want to use a different number of days than 90 then just change the $Days variable. The filter also returns accounts with no LastLogonDate at all, i.e. accounts that have never logged on since the attribute was introduced. Be aware that LastLogonDate is the PowerShell-friendly form of lastLogonTimestamp, which is replicated between domain controllers but is only updated when the stored value is older than msDS-LogonTimeSyncInterval (14 days by default), so it can under-report recent use by up to about two weeks. The exact lastLogon attribute is not replicated, so an exact answer requires querying every domain controller and taking the most recent value; the 90-day window gives enough margin that this query is still a safe first pass.

# Accounts not logged in for 90 Days
Import-Module ActiveDirectory
$Days = 90 # Number of days for an account to not log in
$CSV_File_Path = "" # Path to CSV File for Output
$PS_Days = (Get-Date).AddDays(-$Days)
# -notlike "*" matches accounts where LastLogonDate is empty (never logged on); -le catches anything older than the cutoff
$Service_Accounts = Get-ADUser -Filter { (LastLogonDate -notlike "*") -or (LastLogonDate -le $PS_Days) } -Properties *
$Service_Accounts | Export-Csv -Path $CSV_File_Path -NoTypeInformation
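The following script is an added example and is not code from the original post. It applies the same 90-day idea but reads the non-replicated lastLogon attribute from every domain controller in the domain and keeps the most recent value per account, alongside the replicated lastLogonTimestamp for comparison, so that an account which authenticated against one DC last week is not misreported as stale. It assumes the ActiveDirectory module and RPC/LDAP access to every DC; the candidate filter (the svc prefix), the cut-off and the output path are hypothetical placeholders to replace with your own.

```powershell
# Added example: exact last logon per account across all domain controllers.
# lastLogonDate/lastLogonTimestamp replicates but is only refreshed when older than
# msDS-LogonTimeSyncInterval (default 14 days). lastLogon is exact but is NOT replicated,
# so it has to be read from each DC and the newest value kept.
Import-Module ActiveDirectory

$Days = 90                                                   # hypothetical cut-off
$CSV_File_Path = "C:\Temp\ServiceAccounts_LastLogon.csv"     # hypothetical output path
$Cutoff = (Get-Date).AddDays(-$Days)

# Candidate set: hypothetical svc prefix; swap in whichever identification method you use.
$Candidates = Get-ADUser -Filter "SamAccountName -like 'svc*'" -Properties lastLogonTimestamp

# Every DC in the current domain; the account may have authenticated against any of them.
$DCs = (Get-ADDomainController -Filter *).HostName

$Results = foreach ($User in $Candidates) {
    $Newest   = [long]0
    $NewestDC = $null
    foreach ($DC in $DCs) {
        try {
            # lastLogon is returned as a 64-bit Windows file time; 0 / null means never on this DC
            $ll = (Get-ADUser -Identity $User.DistinguishedName -Server $DC -Properties lastLogon).lastLogon
        } catch {
            Write-Warning "Could not query $DC for $($User.SamAccountName): $_"
            continue   # an unreachable DC is a gap in the evidence, not proof of non-use
        }
        if ($ll -and $ll -gt $Newest) { $Newest = $ll; $NewestDC = $DC }
    }

    $LastLogonExact = if ($Newest -gt 0) { [DateTime]::FromFileTime($Newest) } else { $null }
    $LastLogonTS    = if ($User.lastLogonTimestamp) { [DateTime]::FromFileTime($User.lastLogonTimestamp) } else { $null }

    [PSCustomObject]@{
        SamAccountName     = $User.SamAccountName
        Enabled            = $User.Enabled
        LastLogonExact     = $LastLogonExact      # newest lastLogon seen on any DC
        ReportedByDC       = $NewestDC            # which DC held that value
        LastLogonTimestamp = $LastLogonTS         # replicated, coarse value for comparison
        NeverLoggedOn      = ($null -eq $LastLogonExact -and $null -eq $LastLogonTS)
        StaleOverCutoff    = ($null -eq $LastLogonExact -or $LastLogonExact -lt $Cutoff)
    }
}

$Results | Sort-Object LastLogonExact | Export-Csv -Path $CSV_File_Path -NoTypeInformation
```

Where LastLogonExact is newer than LastLogonTimestamp by more than a few days, the replicated attribute alone would have misled you; where both are empty, the account has never authenticated interactively or as a service since it was created, which makes it a strong candidate for the decommission list.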

Managed Service Accounts and Group Managed Service Accounts

Managed Service Accounts were introduced in Windows Server 2008 R2, and Group Managed Service Accounts in Windows Server 2012. They simplify password management by having Active Directory and Windows manage the password for you. As these account types can only be used as service accounts, the query is simple.

# Get All Managed and Group Managed Service Accounts
Import-Module ActiveDirectory
$CSV_File_Path = "" # Path to CSV File for Output
$Service_Accounts = Get-ADServiceAccount -Filter "*" -Properties *
$Service_Accounts | Export-Csv -Path $CSV_File_Path -NoTypeInformation
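The queries above each produce a separate CSV. As an added example that is not code from the original post, the script below runs the OU, prefix, description and tracking-document methods from the “Collation of Service Account Knowledge” section in one pass and merges the hits into a single inventory keyed by SID, recording which methods matched each account. Accounts found by only one method, and accounts the tracking document lists but AD does not contain, are exactly the disagreements worth chasing before any deletion. It also pulls the attributes that matter for the later steps (last logon, password age, password-never-expires, SPNs, group count). The OU, prefixes, description pattern and file paths are hypothetical placeholders; the stale flag uses the replicated LastLogonDate, so it carries the 14-day caveat described earlier.

```powershell
# Added example: merge every identification method into one de-duplicated inventory.
Import-Module ActiveDirectory

$Service_Account_OUs = @("OU=Service Accounts,DC=corp,DC=com")   # hypothetical OU(s)
$Prefixes            = @("svc", "srv")                           # hypothetical naming prefixes
$DescriptionPattern  = "*Service Account*"                       # hypothetical description wildcard
$CMDB_CSV            = "C:\Temp\cmdb_service_accounts.csv"       # hypothetical; header row: SAMAccountName
$CSV_File_Path       = "C:\Temp\ServiceAccount_Inventory.csv"    # hypothetical output path
$StaleCutoff         = (Get-Date).AddDays(-90)

$Props = "Description","LastLogonDate","PasswordLastSet","PasswordNeverExpires","ServicePrincipalName","MemberOf"

# Keyed by SID string so an account found by several methods is merged rather than duplicated.
$Inventory = @{}

function Add-Hit {
    param($User, [string]$Source)
    $key = $User.SID.Value
    if (-not $Inventory.ContainsKey($key)) {
        $Inventory[$key] = [PSCustomObject]@{
            SamAccountName       = $User.SamAccountName
            DistinguishedName    = $User.DistinguishedName
            Enabled              = $User.Enabled
            Description          = $User.Description
            LastLogonDate        = $User.LastLogonDate
            PasswordLastSet      = $User.PasswordLastSet
            PasswordNeverExpires = $User.PasswordNeverExpires
            HasSPN               = (@($User.ServicePrincipalName).Count -gt 0)   # Kerberoastable if it also has a weak password
            GroupCount           = @($User.MemberOf).Count
            Sources              = [System.Collections.Generic.List[string]]::new()
        }
    }
    if ($Inventory[$key].Sources -notcontains $Source) { $Inventory[$key].Sources.Add($Source) }
}

# 1. OU membership
foreach ($OU in $Service_Account_OUs) {
    Get-ADUser -Filter * -SearchBase $OU -Properties $Props | ForEach-Object { Add-Hit $_ "OU" }
}
# 2. Name prefix (string filter so the variable is expanded)
foreach ($Prefix in $Prefixes) {
    Get-ADUser -Filter "SamAccountName -like '$Prefix*'" -Properties $Props | ForEach-Object { Add-Hit $_ "Prefix:$Prefix" }
}
# 3. Description text
Get-ADUser -Filter "Description -like '$DescriptionPattern'" -Properties $Props | ForEach-Object { Add-Hit $_ "Description" }
# 4. Tracking document / CMDB; names it lists that are missing from AD are reported, not silently dropped
if (Test-Path $CMDB_CSV) {
    foreach ($Row in Import-Csv $CMDB_CSV) {
        $u = Get-ADUser -Filter "SamAccountName -eq '$($Row.SAMAccountName)'" -Properties $Props
        if ($u) { Add-Hit $u "CMDB" } else { Write-Warning "CMDB lists $($Row.SAMAccountName) but it does not exist in AD" }
    }
}

$Inventory.Values |
    Select-Object SamAccountName, Enabled, Description, LastLogonDate, PasswordLastSet, PasswordNeverExpires, HasSPN, GroupCount,
        @{ n = "Sources";     e = { $_.Sources -join ";" } },
        @{ n = "SourceCount"; e = { $_.Sources.Count } },
        @{ n = "Stale";       e = { ($null -eq $_.LastLogonDate) -or ($_.LastLogonDate -lt $StaleCutoff) } },
        DistinguishedName |
    Sort-Object SourceCount, LastLogonDate |
    Export-Csv -Path $CSV_File_Path -NoTypeInformation
```

Sorting by SourceCount puts the accounts with the weakest evidence of being a service account at the top of the sheet; those are the ones to confirm with the application owners, while rows with Stale set, PasswordNeverExpires set and a high GroupCount are the ones that most justify the effort of the later parts of this series.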

Conclusion

In this post I have given an overview of the service account clean-up process and why it is important to ensure only known service accounts exist, and shown some helpful Active Directory queries that can be used to identify service accounts and start the process.

In my next blog post I will walk you through how to use PowerShell, and the corresponding GUI steps, to identify the common places on Windows machines where you would usually find service accounts configured.

Read part 2 here!

Comment

  • This is important information, especially preparing for domain consolidation, migration or M&A activity. One item worth noting is when looking for accounts with logins older than x number of days… unlike computer lastlogondate, user lastlogondate is not replicated. You need to run this on each DC and merge taking the most recent from across all of them.

© 2022 Stealthbits Technologies, Inc.