Exploitation - gMS accounts (gMSAs)
Active Directory - group Managed Service Accounts (gMSAs)
Overview
Introduced in Windows Server 2012
, group Managed Service Accounts (gMSAs)
are service accounts managed by the Active Directory domain services. gMSAs
address a shortcoming of standalone Managed Service Accounts (MSA)
, that were introduced in Windows Server 2008
, and were only usable on a single computer. gMSAs
use 240-byte passwords, generated and periodically rotated - 30 days by default - by (writable) Domain Controllers using the domain Key Distribution Services (KDS)
root key
.
gMSAs
created using the New-ADServiceAccount
PowerShell cmdlet are by default placed in the default managed service accounts container (CN=Managed Service Accounts,<DOMAIN_ROOT>
).
gMSAs
are objects of class ms-DS-Group-Managed-Service-Account
(subclass of Computer
) with the following additional attributes:
msDS-GroupMSAMembership
(PrincipalsAllowedToRetrieveManagedPassword
): defines which security principal(s) can retrieve thegMSA
password (in themsds-ManagedPassword
attribute). It corresponds to a security descriptor, with principal(s) having the right to retrieve thegMSA
password being granted theRIGHT_DS_READ_PROPERTY
access control right.msds-ManagedPassword
: aMSDS-MANAGEDPASSWORD_BLOB
that contains thegMSA
's previous and current clear-text password, as well the expiration timers of the current password. Themsds-ManagedPassword
attribute is a constructed attribute, calculated by a (writable) Domain Controller upon each query using theKey Distribution Services (KDS)
root key
and the key identifiers.msDS-ManagedPasswordId
andms-DS-ManagedPasswordPreviousId
: contain the key identifier used to compute, respectively, the current and previous password of thegMSA
.ms-DS-ManagedPasswordInterval
: contains the interval period in days under which thegMSA
's password will be rotated. By default, the rotation period is 30 days.
gMSAs enumeration
The PowerShell ActiveDirectory
module can be used to enumerate the gMSAs
:
gMSAs ACL enumeration and msDS-GroupMSAMembership modification
Refer to the [ActiveDirectory] ACL exploiting
note (group Managed Service Accounts (gMSA)
section) for more information on techniques and tools to modify gMSAs
's msDS-GroupMSAMembership
attribute.
gMSAs password retrieval
Multiple tools and utilities can be used to retrieve a gMSA
account password, and further derivate its NTLM
/ NTHash
and Kerberos
secrets (AES 128
and AES 256
keys):
References
https://docs.microsoft.com/en-us/powershell/module/activedirectory/new-adserviceaccount
https://www.dsinternals.com/en/retrieving-cleartext-gmsa-passwords-from-active-directory/
https://it-central.fr/wp-content/uploads/2017/05/202938243-Comptes-et-groupes-de-services-VSA-MSA-gMSA-tuto-de-A-a-Z.pdf
https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Active%20Directory%20Attack.md#readgmsapassword
Last updated