Info
ID: AT-EC004.001
Technique: Service-to-Service Trust Abuse
Tactic: Expanding Control
Platforms: Linux, macOS, Windows, IaaS
Permissions Required: User, Service Account
Version: 1.0
Overprivileged Service Account Exploitation
Overprivileged Service Account Exploitation occurs during the Expanding Control phase when attackers leverage service accounts that hold permissions beyond what their intended function requires. Within the Service-to-Service Trust Abuse technique, this sub-technique focuses on identifying and exploiting service accounts that have been granted unnecessarily broad privileges or access rights. Attackers who have compromised a system can enumerate service accounts, analyze their permission sets, and use those with elevated privileges to extend their access across the environment. These overprivileged accounts, often created for automation, application-to-application communication, or database access, frequently carry persistent, long-lived credentials and receive minimal monitoring, which makes them ideal targets for lateral movement. Exploitation typically involves extracting credentials from configuration files, memory, or connection strings, then using the account's excessive permissions to reach sensitive systems, data stores, or cloud resources that would otherwise be inaccessible from the initially compromised position. This is a critical weakness wherever the principle of least privilege has not been properly implemented, because it lets attackers significantly escalate their foothold within an organization's infrastructure.
Detection
| ID | Data Source | Detection |
|---|---|---|
| DS0025 | Cloud Service Enumeration | Audit IAM role policy events; surface accounts that suddenly gain `*` permissions or access to more than x services relative to their baseline. |
| DS0002 | User Account Authentication | Detect service accounts authenticating from new IP ranges or outside their typical time windows. |
| DS0009 | Process Metadata | Alert when processes running under service-account UIDs attempt privileged syscalls (e.g., `setns`, `mount`) that are uncommon for that workload. |
| DS0030 | Cloud Service Metadata | Identify API calls in which a service account unexpectedly assumes another role or project. |
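The DS0025 row above describes auditing policy-change events for wildcard grants and for services added beyond a role's baseline. The following is an added example of that check, not code from this page or from any cloud provider: it assumes a simplified, constructed event shape loosely modeled on an AWS `PutRolePolicy` record, with the policy document as an embedded JSON string, and a per-role baseline of service prefixes the role has historically used.

```python
import json

def policy_services_and_wildcards(policy):
    """Scan an IAM-style policy document (assumed AWS JSON shape) and return
    (services, findings): service prefixes granted by Allow statements and
    descriptions of wildcard grants. NotAction/Deny/Condition are not modeled."""
    services, findings = set(), []
    stmts = policy.get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    for s in stmts:
        if s.get("Effect") != "Allow":
            continue
        actions = s.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = s.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        for a in actions:
            if a == "*":
                findings.append("Action '*' grants every API call")
                continue
            svc, _, op = a.partition(":")
            services.add(svc.lower())
            if op == "*":
                findings.append(f"Action '{a}' grants every {svc} operation")
        if "*" in resources and actions:
            findings.append(f"Resource '*' for actions {actions}")
    return services, findings

def audit_policy_event(event, baseline, max_new_services=1):
    """Flag a policy-change event whose grants exceed the role's known baseline."""
    params = event["requestParameters"]
    role = params["roleName"]
    services, findings = policy_services_and_wildcards(json.loads(params["policyDocument"]))
    new = services - baseline.get(role, set())
    if len(new) > max_new_services:
        findings.append(f"{len(new)} new service(s) beyond baseline: {sorted(new)}")
    return {"role": role, "services": services, "findings": findings}

# Constructed sample: a CI service-account role quietly granted iam:* on every resource.
SAMPLE_EVENT = {"eventName": "PutRolePolicy", "requestParameters": {
    "roleName": "ci-deploy-sa",
    "policyDocument": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::build-artifacts/*"},
        {"Effect": "Allow", "Action": "iam:*", "Resource": "*"}]})}}
BASELINE = {"ci-deploy-sa": {"s3"}}  # services this role has historically used

if __name__ == "__main__":
    print(audit_policy_event(SAMPLE_EVENT, BASELINE, max_new_services=0))
```

The threshold `max_new_services` corresponds to the "x" in the detection row and should be tuned per role from observed history rather than set globally.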
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1026 | Privileged Account Management | Adopt permission boundaries or ABAC for service accounts; schedule automated weekly least-privilege recalculations. |
| M1018 | User Account Management | Enforce customer-managed keys for service-account secrets and disable long-lived keys. |
| M1051 | Update Software | Regularly update cloud SDK/CLI images to inherit provider least-privilege defaults and fix over-provisioned legacy roles. |