Introduction: Service Account Attacks
Whether you realize it or not, service accounts represent a major risk to your data security. I’ve had many customers inquire about how to protect service accounts within their Active Directory environments. Through these conversations, I’ve learned that organizations want to understand the fundamentals of service accounts, and how attackers can exploit these accounts, so they can prevent them from being compromised.
What is a Service Account?
A service account is a “non-human” account that is used to run services or applications. Service accounts are not administrative accounts, or other “human” accounts, used interactively by administrators or other employees. Service accounts also often have privileged access to computers, applications, and data, which makes them highly valuable to attackers.
What Makes Securing Service Accounts so Difficult?
Because service accounts are not tied directly to a human, they must be treated differently from other accounts. One example is password policies. It may be acceptable to require very long and complex passwords for service accounts, because you don’t have to worry about a human forgetting them. On the other hand, it is hard to set password expiration policies because resetting a service account password may break an application.
That means once a password is compromised by an attacker, it is unlikely to change for a long time, if ever.
What Can You Do to Protect Service Accounts?
There are measures you can take to protect service accounts, but unfortunately, some companies don’t implement them. By putting in place proper controls like restricting interactive logons or automating password management, you can prevent the misuse and compromise of service accounts.
How Do Attackers Take Advantage of Service Accounts?
There are several ways attackers exploit the things that make service accounts unique in order to compromise them and leverage their privileged access.
Over the next four weeks, I’m going to detail four (4) service account attacks. I’ll explain how they work, the techniques and tools bad actors use to perpetrate these attacks, and what you can do to stop them. Here’s the lineup:
- Service Account Attack #1 – LDAP Reconnaissance with PowerShell: Discovering Service Accounts without Using Privileges Read Now
- Service Account Attack #2 – Extracting Service Account Passwords with Kerberoasting Read Now
- Service Account Attack #3 – Targeted Service Account Exploitation with Silver Tickets Read Now
- Service Account Attack #4 – Exploiting the KRBTGT Service Account for Golden Tickets Read Now
To watch the Service Account Attacks webinar, please click here.
Don’t miss a post! Subscribe to The Insider Threat Security Blog here:
Jeff Warren is Stealthbits’ General Manager of Products. Jeff has held multiple roles within the Technical Product Management group since joining the organization in 2010, initially building Stealthbits’ SharePoint management offerings before shifting focus to the organization’s Data Access Governance solution portfolio as a whole. Before joining Stealthbits – now part of Netwrix, Jeff was a Software Engineer at Wall Street Network, a solutions provider specializing in GIS software and custom SharePoint development.
With deep knowledge and experience in technology, product and project management, Jeff and his teams are responsible for designing and delivering Stealthbits’ high quality, innovative solutions.
Jeff holds a Bachelor of Science degree in Information Systems from the University of Delaware.
Related Posts
- Understanding Lateral Movement and Privilege Escalation
- SERVER (UN)TRUST ACCOUNT
- Making Internal Reconnaissance Harder Using NetCease and SAMRi10
- Setup, Configuration, and Task Execution with Covenant: The Complete Guide
- Protecting Against DCShadow
- Next-Gen Open Source C2 Frameworks in a Post PSEmpire World: Covenant
- Detecting Persistence through Active Directory Extended Rights
- Lateral Movement Through Pass-the-Cache
- Resource-Based Constrained Delegation Abuse
- Honey Token Threat Detection with StealthDEFEND
Leave a Reply