Service Account Abuse Detection


What This Means

Service account abuse detection means spotting a service account being used outside the host, service, logon type or time window it was created for. The goal is to catch stolen service credentials in use, identify which accounts are Kerberoasting targets (any account with an SPN), and notice when a service account is being used for lateral movement rather than for the service it belongs to.

Example Log

Event ID: 4624
An account was successfully logged on.
Account Name: svc_backup
Logon Type: 3
Source Network Address: 10.0.9.55
Authentication Package: NTLM

-- Note: svc_backup should only authenticate from BACKUP01 (10.0.1.10). This logon comes from an undocumented host and over NTLM rather than Kerberos, so a single event breaks the account's scope twice; the source address is where the investigation starts.

Indicators of Suspicious Activity

How to Investigate

  1. Document the intended scope of each service account (what host, what service, what logon type, what time window)
  2. Compare current authentication patterns against the documented scope; a logon from an undocumented host, an unexpected logon type (for example an interactive type 2 or RDP type 10 for an account that should only run a service), or NTLM where Kerberos is expected is the core signal
  3. Check if the service account's password was recently changed and, if so, by whom (Events 4723 and 4724); an unexplained change can mean an attacker took the account over, or that the old value leaked and was rotated without any follow-up investigation
  4. Review Kerberos ticket requests (Event 4769) for the service account's SPN; look for RC4 (Ticket Encryption Type 0x17) requests against an account that supports AES, and for a single requester pulling tickets for many SPNs in a short window
  5. Determine if any lateral movement occurred from the authenticating workstation (further logons with the same account, new services or scheduled tasks created on other hosts)
  6. Verify the service account has not been added to privileged groups (Events 4728, 4732 and 4756 record additions to global, local and universal groups)
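Steps 2 and 4 of this procedure can be turned into a small detector. The Python below is an added example written for this page, not a tool from the original page or its scanner: it parses events in the same flattened "Field: value" form as the sample log above, compares 4624 logons against a documented per-account scope (allowed source addresses, logon types and authentication packages), and flags 4769 service-ticket requests that ask for an RC4 (0x17) ticket for a service account that has AES keys, which is what common Kerberoasting tooling does. The scope table, the account names and the sample events are constructed for illustration.

```python
import re

# Documented scope per service account (hypothetical values; the page's note says
# svc_backup should only authenticate from BACKUP01 at 10.0.1.10).
#   hosts:       allowed "Source Network Address" values ("-" covers local/service logons)
#   aes_capable: the account has AES keys, so an RC4 (0x17) ticket for it is abnormal
SCOPE = {
    "svc_backup": {"hosts": {"10.0.1.10", "-"}, "logon_types": {"3", "5"},
                   "packages": {"Kerberos", "Negotiate"}, "aes_capable": True},
    "svc_sql":    {"hosts": {"10.0.1.20", "-"}, "logon_types": {"5"},
                   "packages": {"Kerberos", "Negotiate"}, "aes_capable": True},
}

# Constructed sample events in the flattened "Field: value" form used on this page.
SAMPLE_EVENTS = [
    "Event ID: 4624\nAn account was successfully logged on.\nAccount Name: svc_backup\n"
    "Logon Type: 3\nSource Network Address: 10.0.1.10\nAuthentication Package: Kerberos",
    "Event ID: 4624\nAn account was successfully logged on.\nAccount Name: svc_backup\n"
    "Logon Type: 3\nSource Network Address: 10.0.9.55\nAuthentication Package: NTLM",
    "Event ID: 4769\nA Kerberos service ticket was requested.\nAccount Name: jdoe@CORP.LOCAL\n"
    "Service Name: svc_sql\nTicket Encryption Type: 0x17\nClient Address: ::ffff:10.0.9.55",
    "Event ID: 4769\nA Kerberos service ticket was requested.\nAccount Name: APP01$@CORP.LOCAL\n"
    "Service Name: svc_sql\nTicket Encryption Type: 0x12\nClient Address: ::ffff:10.0.1.30",
]

FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?):\s*(.+?)\s*$")


def parse_event(text):
    """Flattened event text -> dict. A full 4624 repeats Account Name under both
    'Subject:' and 'New Logon:'; values after the New Logon marker override the Subject's."""
    fields, in_new_logon = {}, False
    for line in text.splitlines():
        if line.strip() == "New Logon:":
            in_new_logon = True
            continue
        m = FIELD_RE.match(line)
        if m and (in_new_logon or m.group(1) not in fields):
            fields[m.group(1)] = m.group(2)
    return fields


def normalize_account(name):
    """'CORP\\svc_x', 'svc_x@CORP.LOCAL' and 'svc_x' all map to 'svc_x'."""
    name = name.split("@", 1)[0]
    name = name.rsplit("\\", 1)[-1]
    return name.strip().lower()


def check_logon(fields, scope=SCOPE):
    """Step 2: compare a 4624 logon for a tracked service account with its documented scope."""
    acct = normalize_account(fields.get("Account Name", ""))
    rules = scope.get(acct)
    if rules is None:
        return []  # not a tracked service account
    src = fields.get("Source Network Address", "-")
    ltype = fields.get("Logon Type", "")
    pkg = fields.get("Authentication Package", "")
    findings = []
    if src not in rules["hosts"]:
        findings.append((acct, "unexpected_host", src))
    if ltype not in rules["logon_types"]:
        findings.append((acct, "unexpected_logon_type", ltype))
    if pkg not in rules["packages"]:
        findings.append((acct, "unexpected_auth_package", pkg))
    return findings


def check_tgs_request(fields, scope=SCOPE):
    """Step 4: flag a 4769 that asks for an RC4 (0x17) ticket for an AES-capable service
    account; that downgrade is the Kerberoasting signature, because RC4 tickets crack fastest."""
    svc = normalize_account(fields.get("Service Name", ""))
    rules = scope.get(svc)
    if rules is None:
        return []
    etype = fields.get("Ticket Encryption Type", "").lower()
    if etype == "0x17" and rules.get("aes_capable", False):
        requester = normalize_account(fields.get("Account Name", ""))
        client = fields.get("Client Address", "-").removeprefix("::ffff:")
        return [(svc, "rc4_tgs_request", f"{requester}@{client}")]
    return []


def scan(events, scope=SCOPE):
    """Route each raw event to the right check; returns (account, reason, detail) tuples."""
    findings = []
    for text in events:
        f = parse_event(text)
        eid = f.get("Event ID")
        if eid == "4624":
            findings.extend(check_logon(f, scope))
        elif eid == "4769":
            findings.extend(check_tgs_request(f, scope))
    return findings


if __name__ == "__main__":
    for acct, reason, detail in scan(SAMPLE_EVENTS):
        print(f"{acct}: {reason} ({detail})")
```

The RC4 check is only meaningful when the account actually has AES keys (msDS-SupportedEncryptionTypes includes AES and the password was set after AES was enabled); an account with RC4-only keys will legitimately produce 0x17 tickets, which is why the scope carries an aes_capable flag. In production, feed scan() with events exported from the Security log (for example Get-WinEvent output rendered into the same text form) and treat one requester pulling tickets for many SPNs as a stronger signal than a single request.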

Recommended Mitigations

Frequently Asked Questions

Why are service accounts attractive targets for attackers?
Service accounts often have elevated privileges, rarely have MFA, frequently use static passwords that are never rotated, and their activity is less monitored than interactive user accounts.
What is Kerberoasting and how does it target service accounts?
Kerberoasting exploits the fact that any authenticated domain user can request a Kerberos service ticket (TGS) for any account with an SPN; the KDC does not check whether the requester is actually allowed to use the service. The service portion of that ticket is encrypted with a key derived from the service account's password (for RC4-HMAC this is simply the account's NT hash), so an attacker can take the ticket offline and brute-force the password without touching the account again. Attackers usually request RC4 (encryption type 0x17) tickets because they crack far faster than AES, which is why 4769 events showing 0x17 for an AES-capable account are the main detection signal.
How do I audit all service accounts in Active Directory?
Search for accounts with servicePrincipalName set (these are the Kerberoastable ones), accounts with the 'Password Never Expires' flag (userAccountControl bit 0x10000), accounts in service-related OUs, and accounts that follow a naming convention such as 'svc_'. For each account found, record the owner, the host and service it belongs to, and when its password was last changed; that record is the documented scope the investigation steps above compare against.
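As an added example (not code from the original page), the Python below encodes these four criteria both as an LDAP filter to run against the directory and as an offline classifier over the user objects such a search returns, and goes one step beyond the list by computing password age from pwdLastSet (a Windows FILETIME) so that never-rotated passwords stand out. The sample objects, the OU name, the naming prefixes and the fixed "as of" date are constructed assumptions; run the filter with your own LDAP client and feed the returned attributes to classify().

```python
from datetime import datetime, timedelta, timezone

# userAccountControl bit for "Password never expires" (documented Windows value)
UF_DONT_EXPIRE_PASSWD = 0x10000
# LDAP extensible-match rule for bitwise AND, used to test that bit server-side
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"

# Assumptions for this example: where service accounts live, how they are named,
# and how old a service password may be before it counts as never rotated.
SERVICE_OUS = ("OU=Service Accounts",)
NAME_PREFIXES = ("svc_", "svc-", "sa_")
MAX_PASSWORD_AGE_DAYS = 365

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def ldap_filter():
    """Directory-side pre-filter: users with an SPN, a never-expiring password, or svc_ naming."""
    return ("(&(objectCategory=person)(objectClass=user)"
            "(|(servicePrincipalName=*)"
            f"(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={UF_DONT_EXPIRE_PASSWD})"
            "(sAMAccountName=svc_*)))")


def to_filetime(dt):
    """datetime -> Windows FILETIME (100-nanosecond intervals since 1601-01-01 UTC)."""
    d = dt - FILETIME_EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


def from_filetime(ft):
    """Windows FILETIME -> timezone-aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def password_age_days(pwd_last_set, as_of):
    """Age of the current password; None when pwdLastSet is 0 (must change at next logon)."""
    if not pwd_last_set:
        return None
    return (as_of - from_filetime(pwd_last_set)).days


def classify(obj, as_of):
    """Reasons an AD user object looks like a service account (empty list = not a candidate)."""
    reasons = []
    if obj.get("servicePrincipalName"):
        reasons.append("has_spn")
    if int(obj.get("userAccountControl", 0)) & UF_DONT_EXPIRE_PASSWD:
        reasons.append("password_never_expires")
    dn = obj.get("distinguishedName", "").lower()
    if any(ou.lower() in dn for ou in SERVICE_OUS):
        reasons.append("service_ou")
    if obj.get("sAMAccountName", "").lower().startswith(NAME_PREFIXES):
        reasons.append("naming_convention")
    age = password_age_days(int(obj.get("pwdLastSet", 0)), as_of)
    if age is not None and age > MAX_PASSWORD_AGE_DAYS:
        reasons.append("stale_password")
    return reasons


def audit(objects, as_of):
    """sAMAccountName -> reasons, for every object that matched at least one criterion."""
    result = {}
    for obj in objects:
        reasons = classify(obj, as_of)
        if reasons:
            result[obj["sAMAccountName"]] = reasons
    return result


AS_OF = datetime(2024, 10, 1, tzinfo=timezone.utc)  # fixed "now" so results are reproducible

# Constructed directory objects, shaped like the attributes an LDAP search returns.
SAMPLE_OBJECTS = [
    {"sAMAccountName": "svc_backup",
     "distinguishedName": "CN=svc_backup,OU=Service Accounts,DC=corp,DC=local",
     "servicePrincipalName": ["backup/BACKUP01.corp.local"],
     "userAccountControl": 66048,  # NORMAL_ACCOUNT (0x200) | DONT_EXPIRE_PASSWD (0x10000)
     "pwdLastSet": to_filetime(datetime(2018, 10, 1, tzinfo=timezone.utc))},
    {"sAMAccountName": "jdoe",
     "distinguishedName": "CN=jdoe,OU=Users,DC=corp,DC=local",
     "servicePrincipalName": [],
     "userAccountControl": 512,
     "pwdLastSet": to_filetime(datetime(2024, 8, 1, tzinfo=timezone.utc))},
    {"sAMAccountName": "appsql",  # has an SPN but neither the OU nor the naming hint
     "distinguishedName": "CN=appsql,OU=Users,DC=corp,DC=local",
     "servicePrincipalName": ["MSSQLSvc/SQL01.corp.local:1433"],
     "userAccountControl": 512,
     "pwdLastSet": to_filetime(datetime(2023, 1, 15, tzinfo=timezone.utc))},
]

if __name__ == "__main__":
    print(ldap_filter())
    for name, reasons in audit(SAMPLE_OBJECTS, AS_OF).items():
        print(name, reasons)
```

The appsql entry is the case the naming and OU criteria miss: it is Kerberoastable because it has an SPN, and its password has not changed in well over a year, yet nothing about its name or location says "service account". That is why the SPN search should be the primary criterion and the others treated as supplementary.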