Files
Anthropic-Cybersecurity-Skills/skills/detecting-service-account-abuse/references/api-reference.md
T
mukul975 27c6414ca5 Add folder anatomy (scripts/agent.py + references/api-reference.md) for 648 cybersecurity skills
Complete skill folder anatomy across all cybersecurity skills:
- scripts/agent.py: 80-150 line Python agents using real libraries (impacket,
  boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.)
- references/api-reference.md: real API documentation with method signatures
- LICENSE: MIT license for all skill folders
2026-03-10 21:02:12 +01:00

2.1 KiB

API Reference: Service Account Abuse Detection

Active Directory PowerShell Module

Get Service Accounts (SPN-based)

Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties `
    ServicePrincipalName, LastLogonDate, Enabled, PasswordLastSet, `
    PasswordNeverExpires, AdminCount, MemberOf

Get Managed Service Accounts

Get-ADServiceAccount -Filter * -Properties `
    PrincipalsAllowedToRetrieveManagedPassword, LastLogonDate

Check Kerberos Delegation

Get-ADUser -Filter {TrustedForDelegation -eq $true} -Properties `
    TrustedForDelegation, TrustedToAuthForDelegation, `
    msDS-AllowedToDelegateTo

Windows Event Log Queries

Logon Type Values

Type Description Concern for Service Accounts
2 Interactive HIGH — should not happen
3 Network Normal for services
5 Service Normal
10 RemoteInteractive (RDP) HIGH — should not happen

Event IDs

ID Log Description
4624 Security Successful logon
4625 Security Failed logon
4648 Security Explicit credential use
4672 Security Special privilege logon
4720 Security Account created
4738 Security Account modified

Microsoft Graph API — Service Principal Audit

List Service Principals

GET https://graph.microsoft.com/v1.0/servicePrincipals
Authorization: Bearer {token}

List App Role Assignments

GET https://graph.microsoft.com/v1.0/servicePrincipals/{id}/appRoleAssignments

Audit Sign-In Logs

GET https://graph.microsoft.com/v1.0/auditLogs/signIns
    ?$filter=appId eq '{service-principal-app-id}'

AWS IAM — Service Role Audit

List service-linked roles

aws iam list-roles --query "Roles[?starts_with(Path, '/aws-service-role/')]"

Get role last used

aws iam get-role --role-name MyServiceRole \
    --query "Role.RoleLastUsed"

Access Analyzer findings

aws accessanalyzer list-findings --analyzer-arn {arn} \
    --filter '{"resourceType":{"eq":["AWS::IAM::Role"]}}'