Human Account with Service Account Attributes
Description
A user account configured service principal with the 'ServicePrincipalName' attribute, which is typically reserved for service accounts. This misconfiguration expands the attack surface and introduces multiple risks:
-
Potential misuse as a disguised backdoor account: Allowing unauthorized or stealthy access
-
Exposure to Kerberoasting attacks: Adversaries can request Kerberos service tickets and attempt to crack the user's password offline. Given it has a human-controlled password, any 8-character password can be cracked within seconds.
-
Unauthorized or disguised access to services: The assigned SPNs may allow the account to authenticate to services in ways normally intended for service accounts, complicating detection and monitoring.

Risk triggers
- Checking NHI configuration if the 'ServicePrinicpalName' attribute is set on the identity.
Mitigation
Investigate potential suspicious activity.
-
Deactivate Access Token
- There are instructions per integration in the platform to verify activity and revoke the tokens