Listen to this Post

Introduction:
Non-human identities (NHIs)—including service accounts, API keys, machine-to-machine credentials, and CI/CD secrets—now outnumber human identities in most organizations, yet they remain chronically under-governed. As highlighted in a recent RISKINTEL roundtable, attackers are shifting focus from hunting zero-day exploits to abusing these “phantom” connections, which often have excessive privileges and no human oversight. With AI accelerating the discovery and exploitation of weak NHI configurations, securing these identities has become the new battleground for enterprise cybersecurity.
Learning Objectives:
- Identify and enumerate non-human identities across Linux and Windows environments using native commands and open-source tools.
- Apply least privilege, rotation policies, and detection rules to mitigate NHI-based attacks.
- Leverage AI-aware identity governance frameworks (e.g., Anthropic’s Glasswind principles) to future-proof access controls.
You Should Know:
1. Mapping the Phantom Kingdom: Enumerating Non-Human Identities
Non-human identities are often invisible in standard user directories. Attackers (and defenders) must first discover where they hide. Below are verified commands for locating service accounts, scheduled task credentials, API keys, and machine identities.
Linux – Find Service Account Contexts
List all systemd services and the user they run as
systemctl list-units --type=service --all | grep -E '(@|.service)' | awk '{print $1}' > services.txt
for svc in $(cat services.txt); do echo -n "$svc: "; systemctl show -p User $svc | cut -d= -f2; done
Find processes with non-human UIDs (UID < 1000 typically human, but service accounts can be >1000)
ps aux | awk '$1 !~ /root|daemon|nobody/ && $1 ~ /^[a-z]/ && $1 != USER {print $1}' | sort -u
Locate API keys in common config files (requires root or appropriate read access)
grep -r --include=".env" --include=".conf" --include=".yml" -E "(API_KEY|SECRET|TOKEN|PASSWORD)=" /etc /opt 2>/dev/null
Windows – Enumerate Service Accounts and Scheduled Task Credentials
List all services with their start name (shows local system, network service, or custom domain accounts)
Get-WmiObject win32_service | Select-Object Name, StartName | Format-Table -AutoSize
Find scheduled tasks that run with specific credentials (non-system)
Get-ScheduledTask | ForEach-Object { $task = $_; $task.Principal.UserId } | Where-Object {$_ -and $_ -notlike "SYSTEM" -and $_ -notlike "NT AUTHORITY"} | Sort-Object -Unique
Expose stored credentials in Windows Credential Manager (non-human entries)
cmdkey /list | findstr /v "User:"
Step‑by‑step guide:
- Run the Linux service enumeration to build an inventory of systemd units and their associated users. Pay special attention to any service running as a non-standard account (e.g.,
app_svc,jenkins). - On Windows, use the PowerShell commands to extract all service start names. Flag any service using a domain user account instead of
LocalSystem,NetworkService, orLocalService—these are high-value NHIs. - Cross-reference the discovered NHIs with your identity management solution. Remove or rotate any credential that hasn’t been used in 90 days.
2. The Glasswind Imperative: AI-Driven Identity Governance
Anthropic’s Glasswind project (referenced in the roundtable comments) redefines NHI governance by applying behavioral AI to detect anomalous access patterns. Instead of static rules, Glasswind models normal machine-to-machine communication and flags deviations that could indicate credential theft or lateral movement.
Simulating Glasswind-style Detection with Open Source Tools
Using auditd on Linux to track which service accounts access which files
auditctl -w /etc/ -p wa -k nhiaudit
ausearch -k nhiaudit --format raw | awk '{print $NF}' | sort | uniq -c
Monitor API key usage via proxy logs (example with Zeek)
zeek -C -r capture.pcap
cat http.log | grep -E "X-API-Key|Authorization: Bearer" | zeek-cut id.orig_h host uri
Windows – Advanced Audit for NHI Activity
Enable Process Tracking to see which accounts launch what executables
auditpol /set /subcategory:"Process Creation" /success:enable /failure:enable
Query Security Event Log for service account logins (Event ID 4624)
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4624} | Where-Object {$<em>.Properties[bash].Value -like "SERVICE"} | Select-Object TimeCreated, @{n='Account';e={$</em>.Properties[bash].Value}}
Step‑by‑step guide for implementing AI-aware NHI controls:
- Deploy an audit trail for all NHI authentications—collect logs from Linux (
/var/log/auth.log), Windows (Security events), and API gateways. - Feed these logs into a SIEM or a machine learning pipeline (e.g., using Python’s `scikit-learn` Isolation Forest) to baseline normal NHI behavior.
- Set alert thresholds: an NHI accessing a resource it never touched before, or logging in from an unusual IP, should trigger an immediate investigation and automatic credential rotation if possible.
-
No Zero-Day Needed: Exploiting and Mitigating NHI Weaknesses
Attackers don’t need vulnerabilities—they just need an overprivileged service account. A typical attack path: dump `lsass` memory on Windows for service account hashes, or steal a CI/CD `GITHUB_TOKEN` from a runner’s environment. Below are both exploitation (for red team) and mitigation (for blue team) commands.
Red Team: Harvest NHI Credentials
Linux: Extract secrets from process memory of a running service (requires ptrace) gdb -p $(pgrep -f "myservice") -ex "dump memory /tmp/service_mem.dump 0x0 0x7ffffffff000" -ex quit strings /tmp/service_mem.dump | grep -E "KEY|SECRET|PASS" Windows: Dump service account hashes from LSASS (using mimikatz) mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" "exit"
Blue Team: Mitigations That Actually Work
Linux: Restrict service accounts to specific commands using sudoers visudo -f /etc/sudoers.d/service_restrict Add line: app_svc ALL=(ALL) /usr/bin/systemctl restart app, /usr/bin/logger
Windows: Remove service account from local administrators group Remove-LocalGroupMember -Group "Administrators" -Member "DOMAIN\svc_sql_backup" Enforce Managed Service Accounts (gMSA) to auto-rotate passwords New-ADServiceAccount -Name "gmsa-webapp" -DNSHostName webapp.contoso.com -PrincipalsAllowedToRetrieveManagedPassword "WEB_SERVERS"
Step‑by‑step guide for hardening:
- Audit every NHI’s privileges. On Windows, use `Get-ADServiceAccount` or `sc qc
` to see granted rights. On Linux, check sudo entries and file ownership. - Convert traditional service accounts to group Managed Service Accounts (gMSA) on Windows or use short-lived tokens (e.g., Vault) on Linux.
- Implement just-in-time (JIT) access for NHIs: a CI/CD pipeline fetches a temporary credential from HashiCorp Vault, uses it for the build, then discards it.
-
API Keys as the New Passwords: Rotation and Detection
API keys are the most abused NHI because they live in code, configs, and logs. Attackers scan GitHub, Slack, and internal wikis for exposed keys. Defenders must treat API keys like passwords—with rotation, scope limiting, and anomaly detection.
Scan for Exposed API Keys in Your Repositories
Using truffleHog (install via pip)
trufflehog github --repo=https://github.com/yourcompany/yourrepo --results=verified,unknown
Search local file system for high-entropy strings (potential keys)
find /home -type f -exec strings {} \; | grep -E "[A-Za-z0-9]{32,}" | sort -u
Automate API Key Rotation with a Script (Python example)
import boto3
import os
Rotate AWS IAM access key for a service account
iam = boto3.client('iam')
username = 'ci-cd-service'
new_key = iam.create_access_key(UserName=username)
print(f"New key: {new_key['AccessKey']['AccessKeyId']}")
Update the key in your secrets manager (e.g., AWS Secrets Manager)
Then delete the old key after propagation
old_key_id = os.environ['OLD_ACCESS_KEY']
iam.delete_access_key(UserName=username, AccessKeyId=old_key_id)
Step‑by‑step guide for API key hygiene:
- Run truffleHog weekly against your code repositories and CI logs.
- Implement mandatory key rotation every 30–90 days using infrastructure-as-code (Terraform or CloudFormation).
- Use API gateways (e.g., Kong, AWS API Gateway) to inject rate limiting and geo-fencing for each key.
What Undercode Say:
- Attackers don’t need zero-days; they need patience and an overprivileged service account. The roundtable’s core insight—that NHIs are the soft underbelly of modern enterprises—is validated by every major breach of the past two years.
- AI will both weaponize and defend NHIs. As Fabien Miquet noted, AI can accelerate credential stuffing against API endpoints, but the same AI (via projects like Glasswind) can learn normal machine behavior and spot lateral movement in seconds.
- Identity governance must shift from human-centric to machine-centric. Most IAM tools ignore service accounts. You need dedicated NHI discovery and lifecycle management—treat every API key, robot account, and CI/CD token as a potential backdoor.
- Mitigation is not about removing NHIs; it’s about making them ephemeral. Short-lived tokens, JIT access, and automated rotation break the attacker’s patience. If a credential is valid for only 15 minutes, exfiltrating it is nearly useless.
- The Glasswind reference is a wake-up call. Anthropic’s research shows that large language models can now autonomously discover and exploit misconfigured NHIs. Defenders must adopt AI-driven anomaly detection to keep pace.
Prediction:
Within 24 months, non-human identity breaches will surpass human identity breaches in frequency and impact. Regulatory frameworks (like a future “NHI GDPR”) will mandate quarterly service account reviews and automated rotation. AI-powered identity threat detection will become a standard SIEM module, and organizations that still rely on static, long-lived API keys will face catastrophic supply chain attacks. The battle for enterprise security has moved from the perimeter to the phantom connections—and the winners will be those who treat every machine credential as a loaded gun.
▶️ Related Video (72% Match):
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Jmetayer Une – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


