Skip to content

Human Account with Service Account Attributes

Description

A user account configured service principal with the 'ServicePrincipalName' attribute, which is typically reserved for service accounts. This misconfiguration expands the attack surface and introduces multiple risks:

  • Potential misuse as a disguised backdoor account: Allowing unauthorized or stealthy access

  • Exposure to Kerberoasting attacks: Adversaries can request Kerberos service tickets and attempt to crack the user's password offline. Given it has a human-controlled password, any 8-character password can be cracked within seconds.

  • Unauthorized or disguised access to services: The assigned SPNs may allow the account to authenticate to services in ways normally intended for service accounts, complicating detection and monitoring.

Risk triggers

  • Checking NHI configuration if the 'ServicePrinicpalName' attribute is set on the identity.

Mitigation

Investigate potential suspicious activity.

  • Deactivate Access Token

    • There are instructions per integration in the platform to verify activity and revoke the tokens