detecting-service-account-abuse
Detect abuse of service accounts through anomalous interactive logons, privilege escalation, lateral movement, and unauthorized access patterns.
Best use case
detecting-service-account-abuse is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Teams using detecting-service-account-abuse should expect more consistent output, faster repeated execution, and less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in `.claude/skills/detecting-service-account-abuse/SKILL.md` inside your project
- Restart your AI agent; it will auto-discover the skill
How detecting-service-account-abuse Compares
| Feature / Agent | detecting-service-account-abuse | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Detect abuse of service accounts through anomalous interactive logons, privilege escalation, lateral movement, and unauthorized access patterns.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# Detecting Service Account Abuse

## When to Use

- When proactively hunting for indicators of service account abuse in the environment
- After threat intelligence indicates active campaigns using these techniques
- During incident response to scope compromise related to these techniques
- When EDR or SIEM alerts trigger on related indicators
- During periodic security assessments and purple team exercises

## Prerequisites

- EDR platform with process and network telemetry (CrowdStrike, MDE, SentinelOne)
- SIEM with relevant log data ingested (Splunk, Elastic, Sentinel)
- Sysmon deployed with comprehensive configuration
- Windows Security Event Log forwarding enabled
- Threat intelligence feeds for IOC correlation

## Workflow

1. **Formulate Hypothesis**: Define a testable hypothesis based on threat intelligence or ATT&CK gap analysis.
2. **Identify Data Sources**: Determine which logs and telemetry are needed to validate or refute the hypothesis.
3. **Execute Queries**: Run detection queries against SIEM and EDR platforms to collect relevant events.
4. **Analyze Results**: Examine query results for anomalies, correlating across multiple data sources.
5. **Validate Findings**: Distinguish true positives from false positives through contextual analysis.
6. **Correlate Activity**: Link findings to broader attack chains and threat actor TTPs.
7. **Document and Report**: Record findings, update detection rules, and recommend response actions.

## Key Concepts

| Concept | Description |
|---------|-------------|
| T1078.002 | Domain Accounts |
| T1078.001 | Default Accounts |
| T1021 | Remote Services |

## Tools & Systems

| Tool | Purpose |
|------|---------|
| CrowdStrike Falcon | EDR telemetry and threat detection |
| Microsoft Defender for Endpoint | Advanced hunting with KQL |
| Splunk Enterprise | SIEM log analysis with SPL queries |
| Elastic Security | Detection rules and investigation timeline |
| Sysmon | Detailed Windows event monitoring |
| Velociraptor | Endpoint artifact collection and hunting |
| Sigma Rules | Cross-platform detection rule format |

## Common Scenarios

1. **Scenario 1**: Service account RDP to domain controller
2. **Scenario 2**: SQL service accessing file shares outside scope
3. **Scenario 3**: Backup service lateral movement off-hours
4. **Scenario 4**: Compromised svc with DA privileges used for DCSync

## Output Format

```
Hunt ID: TH-DETECT-[DATE]-[SEQ]
Technique: T1078.002
Host: [Hostname]
User: [Account context]
Evidence: [Log entries, process trees, network data]
Risk Level: [Critical/High/Medium/Low]
Confidence: [High/Medium/Low]
Recommended Action: [Containment, investigation, monitoring]
```
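The skill lists the indicators to hunt for (interactive or RDP logons by service accounts, access outside an account's normal scope, off-hours lateral movement) but ships no query. The following is an added triage example, not code from the skill or the catalogue site: it walks Windows Security Event ID 4624 records for the first three Common Scenarios and emits findings in the skill's Output Format. Everything below the docstring is constructed for this example: the `svc_` naming convention, the `EXPECTED_SCOPE` and `DOMAIN_CONTROLLERS` tables, the business-hours window and the sample events are all assumptions, and the events are already parsed into dicts rather than read from a SIEM.

```python
"""Triage 4624 (successful logon) events for service-account abuse indicators.

Added example. Assumptions, not taken from the skill: service accounts are
named with an "svc_" prefix, EXPECTED_SCOPE lists the hosts each account
normally touches, DOMAIN_CONTROLLERS lists DC hostnames, and events arrive
as dicts keyed by the 4624 field names.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Set

# 4624 logon types that imply a console or RDP session. A service account
# normally produces only type 4 (Batch) or type 5 (Service) logons.
INTERACTIVE_LOGON_TYPES = {2: "Interactive", 10: "RemoteInteractive (RDP)",
                           11: "CachedInteractive"}

DOMAIN_CONTROLLERS: Set[str] = {"DC01"}        # assumption
EXPECTED_SCOPE: Dict[str, Set[str]] = {         # assumption: per-account scope
    "svc_sql": {"SQL01"},
    "svc_backup": {"BKP01", "FS01"},
    "svc_web": {"WEB01"},
}
BUSINESS_HOURS = (6, 20)  # assumption: 06:00-20:00 local counts as in-hours


@dataclass
class Finding:
    hunt_id: str
    technique: str
    host: str
    user: str
    evidence: str
    risk_level: str


def is_service_account(user: str) -> bool:
    return user.lower().startswith("svc_")


def in_business_hours(ts: datetime) -> bool:
    return BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1]


def triage_logon(event: dict, seq: int) -> List[Finding]:
    """Return zero or more findings for a single 4624 event."""
    user = event["TargetUserName"]
    if not is_service_account(user):
        return []
    host = event["Computer"]
    logon_type = int(event["LogonType"])
    ts = datetime.fromisoformat(event["TimeCreated"])
    hunt_id = f"TH-DETECT-{ts:%Y%m%d}-{seq:03d}"
    findings: List[Finding] = []

    # Scenario 1: a service account at a console or in an RDP session;
    # worst case is when the target is a domain controller.
    if logon_type in INTERACTIVE_LOGON_TYPES:
        risk = "Critical" if host in DOMAIN_CONTROLLERS else "High"
        findings.append(Finding(
            hunt_id, "T1078.002", host, user,
            f"{INTERACTIVE_LOGON_TYPES[logon_type]} logon (type {logon_type}) "
            f"from {event['IpAddress']} at {ts:%Y-%m-%d %H:%M}", risk))

    # Scenarios 2 and 3: logon to a host outside the account's expected
    # scope; an off-hours timestamp raises the risk level.
    allowed = EXPECTED_SCOPE.get(user)
    if allowed is not None and host not in allowed:
        off_hours = not in_business_hours(ts)
        findings.append(Finding(
            hunt_id, "T1021", host, user,
            f"logon type {logon_type} to out-of-scope host {host} "
            f"from {event['IpAddress']} at {ts:%H:%M}"
            + (" outside business hours" if off_hours else ""),
            "High" if off_hours else "Medium"))
    return findings


def hunt(events: List[dict]) -> List[Finding]:
    findings: List[Finding] = []
    for seq, event in enumerate(events, start=1):
        findings.extend(triage_logon(event, seq))
    return findings


def render(f: Finding) -> str:
    """Render the first six fields of the skill's Output Format block."""
    return "\n".join([f"Hunt ID: {f.hunt_id}", f"Technique: {f.technique}",
                      f"Host: {f.host}", f"User: {f.user}",
                      f"Evidence: {f.evidence}", f"Risk Level: {f.risk_level}"])


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"TimeCreated": "2024-05-14T10:00:01", "Computer": "SQL01", "TargetUserName": "svc_sql", "LogonType": 5, "IpAddress": "-"},
    {"TimeCreated": "2024-05-14T14:12:03", "Computer": "DC01", "TargetUserName": "svc_sql", "LogonType": 10, "IpAddress": "10.0.0.55"},
    {"TimeCreated": "2024-05-14T11:30:45", "Computer": "FS01", "TargetUserName": "svc_sql", "LogonType": 3, "IpAddress": "10.0.0.21"},
    {"TimeCreated": "2024-05-14T02:15:09", "Computer": "FS02", "TargetUserName": "svc_backup", "LogonType": 3, "IpAddress": "10.0.0.30"},
    {"TimeCreated": "2024-05-14T09:00:00", "Computer": "WS07", "TargetUserName": "jdoe", "LogonType": 2, "IpAddress": "127.0.0.1"},
    {"TimeCreated": "2024-05-14T09:00:00", "Computer": "WEB01", "TargetUserName": "svc_web", "LogonType": 2, "IpAddress": "127.0.0.1"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(render(finding), end="\n\n")
```

Run against the constructed events it yields five findings: the RDP logon by `svc_sql` to DC01 is Critical and also produces a Medium out-of-scope finding, the `svc_sql` network logon to FS01 is Medium, the 02:15 `svc_backup` logon to FS02 is High because it is both out of scope and off-hours, and the console logon by `svc_web` is High; the human user `jdoe` is ignored. In a real hunt the scope table would be built from the account's historical logon baseline rather than hand-written, and the Confidence and Recommended Action fields of the Output Format would be filled in during the Validate Findings step.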
Related Skills
performing-soap-web-service-security-testing
Perform security testing of SOAP web services by analyzing WSDL definitions and testing for XML injection, XXE, WS-Security bypass, and SOAPAction spoofing.
performing-service-account-credential-rotation
Automate credential rotation for service accounts across Active Directory, cloud platforms, and application databases to eliminate stale secrets and reduce compromise risk.
performing-service-account-audit
Audit service accounts across enterprise infrastructure to identify orphaned, over-privileged, and non-compliant accounts. This skill covers discovery of service accounts in Active Directory, cloud pl
performing-privileged-account-discovery
Discover and inventory all privileged accounts across enterprise infrastructure including domain admins, local admins, service accounts, database admins, cloud IAM roles, and application admin account
performing-privileged-account-access-review
Conduct systematic reviews of privileged accounts to validate access rights, identify excessive permissions, and enforce least privilege across PAM infrastructure.
performing-aws-account-enumeration-with-scout-suite
Perform comprehensive security posture assessment of AWS accounts using ScoutSuite to enumerate resources, identify misconfigurations, and generate actionable security reports.
implementing-mtls-for-zero-trust-services
Configures mutual TLS (mTLS) authentication between microservices using Python cryptography library for certificate generation and ssl module for TLS verification. Validates certificate chains, checks expiration, and audits mTLS deployment status. Use when implementing zero-trust service-to-service authentication.
implementing-api-abuse-detection-with-rate-limiting
Implement API abuse detection using token bucket, sliding window, and adaptive rate limiting algorithms to prevent DDoS, brute force, and credential stuffing attacks.
hunting-for-unusual-service-installations
Detect suspicious Windows service installations (MITRE ATT&CK T1543.003) by parsing System event logs for Event ID 7045, analyzing service binary paths, and identifying indicators of persistence mechanisms.
hunting-for-t1098-account-manipulation
Hunt for MITRE ATT&CK T1098 account manipulation including shadow admin creation, SID history injection, group membership changes, and credential modifications using Windows Security Event Logs.
exploiting-constrained-delegation-abuse
Exploit Kerberos Constrained Delegation misconfigurations in Active Directory to impersonate privileged users via S4U2self and S4U2proxy extensions for lateral movement and privilege escalation.
exploiting-active-directory-certificate-services-esc1
Exploit misconfigured Active Directory Certificate Services (AD CS) ESC1 vulnerability to request certificates as high-privileged users and escalate domain privileges during authorized red team assessments.