Your ITSM knows everything, and an attacker can export it
ServiceNow holds tickets, asset inventory, secrets pasted into fields, and integrations into everything. A compromised account or a permissive ACL turns it into a data-exfil and pivot point. Here is the risk, and the fix.
Your service desk is a map of your whole environment, with the passwords helpfully pasted in.
What it is
ServiceNow runs IT service management: incidents, the CMDB, change records, knowledge articles, and a web of integrations into other systems. Credentials end up inside it two ways: deliberately, as Discovery and orchestration credential records and the configuration of outbound REST and SOAP messages, and accidentally, pasted into description, work-notes and comment fields. An attacker who compromises a user account, an integration user's basic-auth password or an OAuth token, or who finds a table with a missing or over-broad read ACL, can pull whole tables in bulk: any list view exports as CSV, XML or Excel by appending an export flag to its URL, and the REST Table API (/api/now/table/{table}) returns up to 10,000 rows per call with sysparm_limit and pages through the rest with sysparm_offset. From there the attacker harvests secrets from ticket text and uses ServiceNow's own integrations, MID Servers and stored credentials to move into the systems it manages. In ATT&CK terms this is T1078 (Valid Accounts) combined with T1213 (Data from Information Repositories) and T1567 (Exfiltration Over Web Service).
Why it works
Three things line up. ACLs are evaluated per table and per field and inherit down the table hierarchy, so one missing or over-broad read rule, or a role such as itil handed out by default, exposes a whole table without anyone noticing. Export and the Table API are normal, high-volume features used every day by reporting jobs and integrations, so a bulk pull does not look unusual unless you know who normally pulls what. And free-text fields have no schema: passwords, API keys and connection strings get pasted into descriptions and work notes, and because journal fields such as work notes are append-only they stay in the record's history even after someone tidies the ticket. The result is a high-value, well-connected target whose most sensitive data is already in exportable form.
How to detect it
Start with the transaction log (the syslog_transaction table, also shown under System Logs > Transactions), which records each request URL with the requesting user and timing, REST API calls included. Three signals matter: list URLs carrying an export flag (?CSV, ?XML, ?EXCEL, ?PDF), Table API calls with a large sysparm_limit or a run of sysparm_offset pages walking a whole table, and either of those from an account, integration user or source address that has never exported that table before. Weight alerts by table: sys_user, sys_user_has_role, cmdb_ci and the credential tables matter more than incident. Back this with sys_audit entries for changes to ACLs and role assignments, since an attacker who can edit ACLs will widen them before exporting.
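A first-pass detector for the export path, added here as an example and not the article's or ServiceNow's code: it classifies request URLs from transaction-log-shaped records into UI list exports and bulk Table API reads, then alerts when an account pulls a table it has no history of pulling. The record fields, the sample transactions, the baseline, the sensitive-table list and the row threshold are all constructed for the example.

```python
"""Flag bulk exports in ServiceNow-style transaction log records.

Added example for this article, not ServiceNow's code. The record shape
(user, url, sys_created_on) mirrors columns of the syslog_transaction table;
the sample records, the baseline and the thresholds are constructed here.
"""
import re
from urllib.parse import parse_qs, urlparse

# Export flags a list URL can carry, e.g. /incident_list.do?CSV&sysparm_query=...
EXPORT_FLAGS = {"CSV", "XML", "EXCEL", "XLSX", "PDF", "JSON"}
LIST_RE = re.compile(r"^/(?P<table>[A-Za-z0-9_]+)_list\.do$")
TABLE_API_RE = re.compile(r"^/api/now/table/(?P<table>[A-Za-z0-9_]+)/?$")
TABLE_API_DEFAULT_LIMIT = 10000   # Table API page size when sysparm_limit is absent
BULK_ROWS = 1000                  # assumption: tune to your instance's normal traffic
# Tables whose export hurts most (assumption; extend with your credential tables)
SENSITIVE_TABLES = {"sys_user", "sys_user_has_role", "cmdb_ci", "cmdb_ci_server",
                    "discovery_credentials", "sys_rest_message"}


def classify_request(url):
    """Return ("ui_export"|"api_bulk", table, rows) for an export-shaped URL, else None.

    rows is None for UI exports (the log does not carry the row count) and the
    requested page size for Table API calls.
    """
    parsed = urlparse(url)
    query = parse_qs(parsed.query, keep_blank_values=True)   # keeps bare "CSV" flags
    m = LIST_RE.match(parsed.path)
    if m:
        if any(key.upper() in EXPORT_FLAGS for key in query):
            return ("ui_export", m.group("table"), None)
        return None                                          # ordinary list view
    m = TABLE_API_RE.match(parsed.path)
    if m:
        raw = query.get("sysparm_limit", [""])[0]
        rows = int(raw) if raw.isdigit() else TABLE_API_DEFAULT_LIMIT
        if rows >= BULK_ROWS:
            return ("api_bulk", m.group("table"), rows)
    return None


def find_bulk_pulls(records, baseline):
    """Return alerts for exports or bulk reads a user has not done before.

    records: dicts with user, url, sys_created_on (one per transaction).
    baseline: user -> set of tables that user routinely exports (built from
    historical logs in practice; constructed here).
    """
    alerts = []
    for rec in records:
        hit = classify_request(rec["url"])
        if hit is None:
            continue
        kind, table, rows = hit
        if table in baseline.get(rec["user"], set()):
            continue                                         # known reporting job
        alerts.append({
            "user": rec["user"], "kind": kind, "table": table, "rows": rows,
            "when": rec["sys_created_on"],
            "severity": "high" if table in SENSITIVE_TABLES else "medium",
        })
    return alerts


# Constructed sample transactions, shaped like syslog_transaction rows.
SAMPLE_TRANSACTIONS = [
    {"user": "svc.reporting", "url": "/incident_list.do?CSV&sysparm_query=active%3Dtrue",
     "sys_created_on": "2024-05-01 08:00:01"},
    {"user": "jdoe", "url": "/nav_to.do?uri=incident.do%3Fsys_id%3D1b2c",
     "sys_created_on": "2024-05-01 08:03:14"},
    {"user": "jdoe", "url": "/sys_user_list.do?XML&sysparm_query=active%3Dtrue",
     "sys_created_on": "2024-05-01 23:41:09"},
    {"user": "integ.jira", "url": "/api/now/table/incident?sysparm_limit=50",
     "sys_created_on": "2024-05-01 09:00:00"},
    {"user": "integ.jira",
     "url": "/api/now/table/cmdb_ci_server?sysparm_limit=10000&sysparm_fields=name,ip_address",
     "sys_created_on": "2024-05-01 09:00:02"},
    {"user": "svc.reporting", "url": "/api/now/table/sys_user",   # no limit: default page size
     "sys_created_on": "2024-05-02 02:15:30"},
]
# Constructed baseline: what each account normally exports.
BASELINE = {"svc.reporting": {"incident"}, "integ.jira": {"incident"}}

if __name__ == "__main__":
    for alert in find_bulk_pulls(SAMPLE_TRANSACTIONS, BASELINE):
        print(alert)
```

In production the records come from syslog_transaction shipped to the SIEM and the baseline from a month or two of the same data. The reporting account's routine incident CSV is ignored, while its off-hours Table API read of sys_user, a user's XML export of sys_user, and the Jira integration's 10,000-row pull of cmdb_ci_server all alert. The rows value on an API alert is the first number you need when scoping the pull as a breach.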
The fix that holds
Least-privilege roles: no blanket itil or admin, and read ACLs on every table that holds people, configuration items or credentials, at field level where a table mixes sensitive and routine data. Restrict the export path: lower the export row limits (the glide.*.export.limit system properties, such as glide.csv.export.limit, cap rows per format) and take export off the list context menu for roles that do not report. Restrict the API path: dedicated integration users carrying only the roles their integration needs, OAuth with short-lived tokens instead of long-lived basic-auth passwords, and IP access control so integration accounts can only call from known addresses. Keep secrets out of ticket fields: hold them in a vault or in ServiceNow credential records backed by external credential storage, link to the record instead of pasting the value, and scan journal fields for credential shapes so whatever still leaks is found and rotated. Keep the transaction log and audit on, ship them to the SIEM, and alert on bulk exports against a per-account baseline. Treat a bulk pull as a data breach: the row count of the export is the scope, and every secret it contained gets rotated.
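A scanner for credential shapes in ticket text, added here as an example of the "keep secrets out of ticket fields" control and not ServiceNow's code: run it over new and updated records, and over journal history during clean-up, so pasted secrets are found and rotated before an export carries them out. The ticket dicts, their field names, the pattern set and the sample values are constructed for the example.

```python
"""Scan ticket text fields for credential shapes before they become an export payload.

Added example for this article, not ServiceNow's code. The ticket dicts and
their field names (description, work_notes, comments) are constructed to look
like incident and change records; the patterns are a starting set, not a complete one.
"""
import re

# Shapes that commonly end up pasted into tickets. Group 1 is the secret itself.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "github_token": re.compile(r"\b(ghp_[A-Za-z0-9]{36})\b"),
    "private_key_block": re.compile(r"(-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----)"),
    "password_assignment": re.compile(r"\b(?:password|passwd|pwd)\s*[:=]\s*(\S{6,})", re.I),
    "basic_auth_url": re.compile(r"\b[a-z][a-z0-9+.-]*://[^/\s:@]+:([^/\s@]+)@", re.I),
}
SCANNED_FIELDS = ("short_description", "description", "work_notes", "comments")


def redact(secret):
    """Keep a short prefix so an analyst can recognise the value without re-exposing it."""
    return secret[:3] + "*" * (len(secret) - 3)


def scan_ticket(ticket):
    """Return (field, pattern_name, redacted_secret) tuples for one ticket dict."""
    findings = []
    for field in SCANNED_FIELDS:
        text = ticket.get(field) or ""
        for name, pattern in SECRET_PATTERNS.items():
            for match in pattern.finditer(text):
                findings.append((field, name, redact(match.group(1))))
    return findings


def scan_tickets(tickets):
    """Map ticket number -> findings, omitting clean tickets."""
    report = {}
    for ticket in tickets:
        findings = scan_ticket(ticket)
        if findings:
            report[ticket["number"]] = findings
    return report


# Constructed sample tickets; the AWS key is AWS's own documentation example value.
SAMPLE_TICKETS = [
    {"number": "INC0010001", "short_description": "VPN login fails",
     "description": "User cannot log in to VPN since this morning."},
    {"number": "INC0010002", "short_description": "Service account locked",
     "work_notes": "Unlocked svc_backup. New password: Tr0ub4dor&3 pushed to prod."},
    {"number": "CHG0003001", "short_description": "Rotate backup key",
     "description": "Rotate key AKIAIOSFODNN7EXAMPLE on the backup host after the change window."},
    {"number": "INC0010003", "short_description": "Deploy pipeline broken",
     "comments": "Workaround: clone https://deploy:S3cretPass@git.corp.example/repo.git directly."},
]

if __name__ == "__main__":
    for number, findings in scan_tickets(SAMPLE_TICKETS).items():
        for field, kind, value in findings:
            print(f"{number} {field}: {kind} {value}")
```

The output is deliberately redacted: the point of the finding is which record to clean and which credential to rotate, not the value. On the platform side the same logic could run as a before-insert business rule on journal fields or as a scheduled job over sys_journal_field; both are assumptions about where you would hook it, not something the article prescribes.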
Practice it
We built a ServiceNow exfiltration scenario in GraphLattice Range so teams learn to watch the export path and keep secrets out of tickets.