Attacking Active Directory Group Managed Service Accounts (GMSAs) – Active Directory Security
<!DOCTYPE html><!--[if IE 7]> <html class="ie ie7" lang="en-US" prefix="og: http://ogp.me/ns#"> <![endif]--> <!--[if IE 8]> <html class="ie ie8" lang="en-US" prefix="og: http://ogp.me/ns#"> <![endif]--> <!--[if !(IE 7) & !(IE 8)]><!--> <html lang="en-US" prefix="og: http://ogp.me/ns#"> <!--<![endif]--> <head> <meta charset="UTF-8"> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <meta name="viewport" content="width=device-width, initial-scale=1"> <title>Attacking Active Directory Group Managed Service Accounts (GMSAs) – Active Directory Security</title> <meta name='robots' content='max-image-preview:large' /> <link rel="alternate" type="application/rss+xml" title="Active Directory Security » Feed" href="https://adsecurity.org/?feed=rss2" /> <link rel="alternate" type="application/rss+xml" title="Active Directory Security » Comments Feed" href="https://adsecurity.org/?feed=comments-rss2" /> <script defer type="text/javascript"
src="https://adsecurity.org/wp-content/themes/graphene/js/graphene.js?ver=2.8.4" id="graphene-js"></script> <script type="text/javascript" id="wpstg-global-js-extra"> /* <![CDATA[ */ var wpstg = {"nonce":"88eee815fb"}; /* ]]> */ </script> <script type="text/javascript" src="https://adsecurity.org/wp-content/plugins/wp-staging-pro/assets/js/dist/wpstg-blank-loader.min.js?ver=6.5.5" id="wpstg-global-js"></script> <link rel="https://api.w.org/" href="https://adsecurity.org/index.php?rest_route=/" /><link rel="alternate" type="application/json" href="https://adsecurity.org/index.php?rest_route=/wp/v2/posts/4367" /><link rel="EditURI" type="application/rsd+xml" title="RSD" href="https://adsecurity.org/xmlrpc.php?rsd" /> <meta name="generator" content="WordPress 6.5.5" /> <link rel="canonical" href="https://adsecurity.org/?p=4367" /> <link rel='shortlink' href='https://adsecurity.org/?p=4367' /> <link rel="alternate" type="application/json+oembed" href="https://adsecurity.org/index.php?rest_route=%2Foembed%2F1.0%2Fembed&url=https%3A%2F%2Fadsecurity.org%2F%3Fp%3D4367" /> <link rel="alternate" type="text/xml+oembed" href="https://adsecurity.org/index.php?rest_route=%2Foembed%2F1.0%2Fembed&url=https%3A%2F%2Fadsecurity.org%2F%3Fp%3D4367&format=xml" /> <script type="text/javascript"> var _statcounter = _statcounter || []; _statcounter.push({"tags": {"author": "SeanMetcalf"}}); </script> <script> WebFontConfig = { google: { families: ["Lato:400,400i,700,700i&display=swap"] } }; (function(d) { var wf = d.createElement('script'), s = d.scripts[0]; wf.src = 'https://ajax.googleapis.com/ajax/libs/webfont/1.6.26/webfont.js'; wf.async = true; s.parentNode.insertBefore(wf, s); })(document); </script> <style type="text/css"> .header_title, .header_title a, .header_title a:visited, .header_title a:hover, .header_desc {color:#000000}.carousel, .carousel .item{height:400px}@media (max-width: 991px) {.carousel, .carousel .item{height:250px}}#header{max-height:198px}@media (min-width: 
1200px) {.container {width:1280px}} </style> <script type="application/ld+json">{"@context":"http:\/\/schema.org","@type":"Article","mainEntityOfPage":"https:\/\/adsecurity.org\/?p=4367","publisher":{"@type":"Organization","name":"Active Directory Security"},"headline":"Attacking Active Directory Group Managed Service Accounts (GMSAs)","datePublished":"2020-05-29T10:00:00+00:00","dateModified":"2020-05-29T14:06:20+00:00","description":"In May 2020, I presented some Active Directory security topics in a Trimarc Webcast called \"Securing Active Directory: Resolving Common Issues\" and included some information I put together relating to the security of AD Group Managed Service Accounts (GMSA). This post includes the expanded version of attacking and defending GMSAs I covered in the webcast.I ...","author":{"@type":"Person","name":"Sean Metcalf"},"image":["https:\/\/adsecurity.org\/wp-content\/uploads\/2020\/05\/image-41.png","https:\/\/adsecurity.org\/wp-content\/uploads\/2020\/05\/image-42.png","https:\/\/adsecurity.org\/wp-content\/uploads\/2020\/05\/image-51-768x431.png"]}</script> <style type="text/css">.recentcomments a{display:inline !important;padding:0 !important;margin:0 !important;}</style><meta property="og:type" content="article" /> <meta property="og:title" content="Attacking Active Directory Group Managed Service Accounts (GMSAs)" /> <meta property="og:url" content="https://adsecurity.org/?p=4367" /> <meta property="og:site_name" content="Active Directory Security" /> <meta property="og:description" content="In May 2020, I presented some Active Directory security topics in a Trimarc Webcast called "Securing Active Directory: Resolving Common Issues" and included some information I put together relating to the security of AD Group Managed Service Accounts (GMSA). This post includes the expanded version of attacking and defending GMSAs I covered in the webcast.I ..." 
/> <meta property="og:updated_time" content="2020-05-29T14:06:20+00:00" /> <meta property="article:modified_time" content="2020-05-29T14:06:20+00:00" /> <meta property="article:published_time" content="2020-05-29T10:00:00+00:00" /> <meta property="og:image" content="https://adsecurity.org/wp-content/uploads/2020/05/image-47.png" /> <meta property="og:image:width" content="1129" /> <meta property="og:image:height" content="630" /> </head> <body class="post-template-default single single-post postid-4367 single-format-standard custom-background wp-embed-responsive layout-boxed one_column singular"> <div class="container boxed-wrapper"> <div id="content" class="clearfix hfeed row"> <div id="content-main" class="clearfix content-main col-md-12"> <div class="post-nav post-nav-top clearfix"> <p class="previous
col-sm-6"><i class="fa fa-arrow-circle-left"></i> <a href="https://adsecurity.org/?p=4277" rel="prev">From Azure AD to Active Directory (via Azure) – An Unanticipated Attack Path</a></p> <p class="next-post col-sm-6"><a href="https://adsecurity.org/?p=4426" rel="next">Hardening Azure AD in the Face of Emerging Threats</a> <i class="fa fa-arrow-circle-right"></i></p> </div> <div id="post-4367" class="clearfix post post-4367 type-post status-publish format-standard hentry category-activedirectorysecurity category-hacking category-microsoft-security tag-clear-text-password tag-computer-account tag-convertto-nthash tag-dsinternals tag-get-adreplaccount tag-get-adserviceaccount tag-gmsa tag-gmsa-password tag-gmsa-password-hash tag-gmsa-spn tag-group-managed-service-accounts tag-kerberos tag-kerberos-spn tag-lsass tag-mimikatz tag-msds-groupmanagedserviceaccount tag-msds-groupmsamembership tag-msds-managedpassword tag-msds-managedpasswordid tag-msds-managedpasswordinterval tag-msds-managepasswordinterval tag-principalsallowedtoretrivemanagedpassword tag-psexec tag-sekurlsaekeys tag-sekurlsalogonpasswords tag-service-principal-name tag-serviceprincipalnames tag-spn tag-system tag-_sa_ item-wrap"> <div class="entry clearfix"> <div class="post-date date alpha with-year"> <p class="default_date"> <span class="month">May</span> <span class="day">29</span> <span class="year">2020</span> </p> </div> <h1 class="post-title entry-title"> Attacking Active Directory Group Managed Service Accounts (GMSAs) </h1> <ul class="post-meta entry-meta clearfix"> <li class="byline"> By <span class="author"><a href="https://adsecurity.org/?author=2" rel="author">Sean Metcalf</a></span><span class="entry-cat"> in <span class="terms"><a class="term term-category term-565" href="https://adsecurity.org/?cat=565">ActiveDirectorySecurity</a>, <a class="term term-category term-1039" href="https://adsecurity.org/?cat=1039">Hacking</a>, <a class="term term-category term-11" 
href="https://adsecurity.org/?cat=11">Microsoft Security</a></span></span> </li> </ul> <div class="entry-content clearfix"> <p>In May 2020, I presented some Active Directory security topics in a <a href="https://www.hub.trimarcsecurity.com/post/webcast-securing-active-directory-resolving-common-issues">Trimarc Webcast called “Securing Active Directory: Resolving Common Issues”</a> and included some information I put together relating to the security of AD Group Managed Service Accounts (GMSA). This post includes the expanded version of attacking and defending GMSAs I covered in the webcast.<br>I put this information together after speaking with someone about using GMSAs to run services on servers that have privileged AD rights, and there was confusion about what GMSAs actually do and what they can’t do. The confusion seemed to be rooted in the belief that GMSA credentials are protected more than those of regular accounts (they aren’t). The key benefit is that their passwords change automatically, not that the credential data has stronger protections.</p> <p>This post is meant to highlight what GMSAs can do and what an attacker can do with them if they are not protected appropriately. We have seen limited usage of Group Managed Service Accounts in AD environments when we perform <a href="http://trimarc.co/ADSA">Active Directory Security Assessments at Trimarc</a>. GMSAs should be used wherever possible to replace user accounts as service accounts, since the passwords will rotate automatically.</p> <p><strong>Group Managed Service Accounts (GMSAs)</strong><br>User accounts created to be used as service accounts rarely have their password changed. <a href="https://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview">Group Managed Service Accounts (GMSAs)</a> provide a better approach (starting in the Windows 2012 timeframe). The password is managed by AD and automatically changed.
This means that the GMSA has to have security principals explicitly delegated access to the clear-text password. Much like other areas where delegation controls access (<a href="https://adsecurity.org/?p=3164">LAPS</a>), determining who should be delegated that access needs to be carefully considered.</p> <p><span style="text-decoration: underline;">Key Points for Group Managed Service Accounts (GMSAs):</span></p> <ul><li>The GMSA password is managed by AD.</li><li>Computers hosting GMSA service account(s) request the current password from Active Directory to start the service.</li><li>The GMSA is configured to allow specific computer accounts access to the password.</li><li>If an attacker compromises a computer hosting services that run as the GMSA, the GMSA is compromised.</li><li>If an attacker compromises an account with rights to request the GMSA password, the GMSA is compromised.</li></ul> <p>Group Managed Service Accounts have the object class “<a href="https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adsc/219549d4-39eb-4771-bb8c-b3593ff6be48">msDS-GroupManagedServiceAccount</a>” and associated attributes specific to GMSAs.
These properties include:</p> <ul><li><a href="https://docs.microsoft.com/en-us/windows/win32/adschema/a-msds-groupmsamembership">msDS-GroupMSAMembership</a> (PrincipalsAllowedToRetrieveManagedPassword) – stores the security principals that can access the GMSA password.</li><li><a href="https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/9cd2fc5e-7305-4fb8-b233-2a60bc3eec68">msds-ManagedPassword</a> – This attribute contains a BLOB with password information for group-managed service accounts.</li><li><a href="https://docs.microsoft.com/en-us/windows/win32/adschema/a-msds-managedpasswordid">msDS-ManagedPasswordId</a> – This constructed attribute contains the key identifier for the current managed password data for a group MSA.</li><li><a href="https://docs.microsoft.com/en-us/windows/win32/adschema/a-msds-managedpasswordinterval">msDS-ManagedPasswordInterval</a> – This attribute is used to retrieve the number of days before a managed password is automatically changed for a group MSA.<br></li></ul> <figure class="wp-block-image alignfull size-large"><img fetchpriority="high" decoding="async" width="1024" height="248" src="https://adsecurity.org/wp-content/uploads/2020/05/image-48-1024x248.png" alt="" class="wp-image-4383" srcset="https://adsecurity.org/wp-content/uploads/2020/05/image-48-1024x248.png 1024w, https://adsecurity.org/wp-content/uploads/2020/05/image-48-300x73.png 300w, https://adsecurity.org/wp-content/uploads/2020/05/image-48-768x186.png 768w, https://adsecurity.org/wp-content/uploads/2020/05/image-48-1536x372.png 1536w, https://adsecurity.org/wp-content/uploads/2020/05/image-48.png 1942w" sizes="(max-width: 1024px) 100vw, 1024px" /></figure> <p>Running the AD PowerShell cmdlet Get-ADServiceAccount, we can retrieve information about the GMSA, including the GMSA-specific attributes. This GMSA is a member of the domain Administrators group, which has full AD & DC admin rights to the domain.
The screenshot shows that the password changed recently and won’t change for a few weeks – changed on 5/11/2020 and configured to change every 30 days. This means that if we can get the password for this account, we have almost a month to use the account credentials before it changes. We can also identify a group that can retrieve the password data. We’ll take a look at this in a bit.</p> <span id="more-4367"></span> <p><strong>Gaining Access to a Server Running a Service as a Group Managed Service Account</strong><br><br>Once we get on the server/servers running services under the context of the GMSA we have some options. Let’s take a look…</p> <div class="wp-block-image"><figure class="aligncenter size-large"><img decoding="async" width="1024" height="319" src="https://adsecurity.org/wp-content/uploads/2020/05/image-49-1024x319.png" alt="" class="wp-image-4384" srcset="https://adsecurity.org/wp-content/uploads/2020/05/image-49-1024x319.png 1024w, https://adsecurity.org/wp-content/uploads/2020/05/image-49-300x94.png 300w, https://adsecurity.org/wp-content/uploads/2020/05/image-49-768x240.png 768w, https://adsecurity.org/wp-content/uploads/2020/05/image-49-1536x479.png 1536w, https://adsecurity.org/wp-content/uploads/2020/05/image-49.png 1654w" sizes="(max-width: 1024px) 100vw, 1024px" /></figure></div> <p>We can identify that the LCNSQL01 server is registered as a Service Principal Name (SPN) on the GMSA, and we see this server is in the Servers OU.<br><br>If we can compromise an account with rights to the Servers OU, or delegated admin rights via GPO Restricted Groups or similar, or have the ability to modify a GPO that links to this OU, we can get admin rights on the LCN server.</p>
1024w, https://adsecurity.org/wp-content/uploads/2020/05/image-40-300x11.png 300w, https://adsecurity.org/wp-content/uploads/2020/05/image-40-768x28.png 768w, https://adsecurity.org/wp-content/uploads/2020/05/image-40.png 1247w" sizes="(max-width: 1024px) 100vw, 1024px" /></figure> <p>After getting admin rights on the server associated with the GMSA, we can see there is a service running under the context of the GMSA (I cheated here and configured Windows License Manager Service to start with this account).</p> <figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="732" height="779" src="https://adsecurity.org/wp-content/uploads/2020/05/image-41.png" alt="" class="wp-image-4375" srcset="https://adsecurity.org/wp-content/uploads/2020/05/image-41.png 732w, https://adsecurity.org/wp-content/uploads/2020/05/image-41-282x300.png 282w" sizes="(max-width: 732px) 100vw, 732px" /></figure> <p>Since there’s a service running under the context of an account, we can get the password data associated with the service account. Here we use <a href="https://github.com/gentilkiwi/mimikatz">Mimikatz </a>to dump LSASS using sekurlsa::logonpasswords. <br><br>That鈥檚 interesting, the password looks a bit unusual: “_SA_{262E99C9-6160-4871-ACEC-4E61736B6F21}”<br><br>That’s not a standard password (and not actually the one associated with the account). What鈥檚 more, this password hash isn鈥檛 correct. 
Microsoft loads the GMSA credential into LSASS but doesn鈥檛 seem to use it.</p> <p>To get the right NT password hash we need to use the <a href="https://github.com/gentilkiwi/mimikatz">Mimikatz </a>command “Sekurlsa::ekeys” which is what鈥檚 used to get Kerberos tickets.</p> <figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="703" src="https://adsecurity.org/wp-content/uploads/2020/05/image-50-1024x703.png" alt="" class="wp-image-4385" srcset="https://adsecurity.org/wp-content/uploads/2020/05/image-50-1024x703.png 1024w, https://adsecurity.org/wp-content/uploads/2020/05/image-50-300x206.png 300w, https://adsecurity.org/wp-content/uploads/2020/05/image-50-768x527.png 768w, https://adsecurity.org/wp-content/uploads/2020/05/image-50.png 1454w" sizes="(max-width: 1024px) 100vw, 1024px" /></figure> <p>After running this Mimikatz command, we are able to see password hash. With this password hash, we can pass the hash (PTH) to compromise AD. </p> <p>But what if we couldn鈥檛 get access to the server itself?<br><br><strong>Compromising an Account with GMSA Password Access</strong><br>We know there is a group configured with rights to get the GMSA password, let鈥檚 take a look at that.</p> <figure class="wp-block-image alignfull size-large"><img loading="lazy" decoding="async" width="1024" height="574" src="https://adsecurity.org/wp-content/uploads/2020/05/image-51-1024x574.png" alt="" class="wp-image-4386" srcset="https://adsecurity.org/wp-content/uploads/2020/05/image-51-1024x574.png 1024w, https://adsecurity.org/wp-content/uploads/2020/05/image-51-300x168.png 300w, https://adsecurity.org/wp-content/uploads/2020/05/image-51-768x431.png 768w, https://adsecurity.org/wp-content/uploads/2020/05/image-51-1536x861.png 1536w, https://adsecurity.org/wp-content/uploads/2020/05/image-51.png 1898w" sizes="(max-width: 1024px) 100vw, 1024px" /></figure> <p>The <a 
href="https://docs.microsoft.com/en-us/windows/win32/adschema/a-msds-groupmsamembership">msDS-GroupMSAMembership</a> (PrincipalsAllowedToRetrieveManagedPassword) attribute contains a group called “SVC-LAB-GMSA1 Group”. This attribute controls who can request and receive the clear-text password.<br><br>When enumerating the membership of the group “SVC-LAB-GMSA1 Group” there are computers, users, and another group (“Server Admins”), so lets check the members of that group.</p> <figure class="wp-block-image alignfull size-large"><img loading="lazy" decoding="async" width="1024" height="574" src="https://adsecurity.org/wp-content/uploads/2020/05/image-52-1024x574.png" alt="" class="wp-image-4387" srcset="https://adsecurity.org/wp-content/uploads/2020/05/image-52-1024x574.png 1024w, https://adsecurity.org/wp-content/uploads/2020/05/image-52-300x168.png 300w, https://adsecurity.org/wp-content/uploads/2020/05/image-52-768x430.png 768w, https://adsecurity.org/wp-content/uploads/2020/05/image-52-1536x861.png 1536w, https://adsecurity.org/wp-content/uploads/2020/05/image-52.png 1892w" sizes="(max-width: 1024px) 100vw, 1024px" /></figure> <p>Now we have a list of all accounts that can get the clear-text password for the GMSA. There are 11 user accounts with that ability and 9 of those look like regular user accounts (hint: they are!). That’s a big problem.<br>Compromise one of those and the GMSA account is compromised and since it鈥檚 a member of the Administrators group in the domain, we own the domain.</p> <p>Once we compromise a user (or computer!) account that has the ability to pull the clear text password. (PrincipalsAllowedToRetriveManagedPassword), we can request that using the Microsoft PowerShell cmdlet Get-ADServiceAccount.<br><br>We can leverage the PowerShell cmdlet Get-ADServiceAccount to get the clear-text password data for the GMSA (attribute msds-ManagedPassword). 
Using the <a href="https://www.dsinternals.com/en/retrieving-cleartext-gmsa-passwords-from-active-directory/">DSInternals module (ConvertTo-NTHash)</a>, we can convert the clear-text password blob to the NT hash.</p> <figure class="wp-block-image alignfull size-large"><img loading="lazy" decoding="async" width="1024" height="199" src="https://adsecurity.org/wp-content/uploads/2020/05/image-53-1024x199.png" alt="" class="wp-image-4389" srcset="https://adsecurity.org/wp-content/uploads/2020/05/image-53-1024x199.png 1024w, https://adsecurity.org/wp-content/uploads/2020/05/image-53-300x58.png 300w, https://adsecurity.org/wp-content/uploads/2020/05/image-53-768x149.png 768w, https://adsecurity.org/wp-content/uploads/2020/05/image-53-1536x298.png 1536w, https://adsecurity.org/wp-content/uploads/2020/05/image-53.png 1916w" sizes="(max-width: 1024px) 100vw, 1024px" /></figure> <p>If the account we are able to compromise is the computer account, we need to run these commands as SYSTEM on the computer. This method would be used if we’re able to get admin/SYSTEM rights on the server with rights to pull the GMSA password, but the GMSA is not running under the context of a service (so running Mimikatz doesn’t help since the GMSA creds aren’t in memory). </p> <p>Here I use PSEXEC to spawn a command shell running under the context of the local SYSTEM account. Once running as SYSTEM, we can perform the same action as shown above. The computer account has the right to pull the password, but not a user on that computer, so I elevate to SYSTEM which then interacts with AD as the associated AD computer account. 
Now I can get the GMSA password.</p> <figure class="wp-block-image alignfull size-large"><img loading="lazy" decoding="async" width="1024" height="405" src="https://adsecurity.org/wp-content/uploads/2020/05/image-54-1024x405.png" alt="" class="wp-image-4390" srcset="https://adsecurity.org/wp-content/uploads/2020/05/image-54-1024x405.png 1024w, https://adsecurity.org/wp-content/uploads/2020/05/image-54-300x119.png 300w, https://adsecurity.org/wp-content/uploads/2020/05/image-54-768x304.png 768w, https://adsecurity.org/wp-content/uploads/2020/05/image-54-1536x608.png 1536w, https://adsecurity.org/wp-content/uploads/2020/05/image-54.png 1890w" sizes="(max-width: 1024px) 100vw, 1024px" /></figure> <p>Next step I perform in the lab is to to confirm that the NT password hash that DSInternals provides matches that in Active Directory.<br>I use the <a href="https://www.dsinternals.com/">DSInternals </a>command Get-ADReplAccount to get the AD password hash and can confirm that the password hash pulled from the GMSA is the same as that gathered from AD.</p> <figure class="wp-block-image alignfull size-large"><img loading="lazy" decoding="async" width="1024" height="343" src="https://adsecurity.org/wp-content/uploads/2020/05/image-55-1024x343.png" alt="" class="wp-image-4391" srcset="https://adsecurity.org/wp-content/uploads/2020/05/image-55-1024x343.png 1024w, https://adsecurity.org/wp-content/uploads/2020/05/image-55-300x101.png 300w, https://adsecurity.org/wp-content/uploads/2020/05/image-55-768x258.png 768w, https://adsecurity.org/wp-content/uploads/2020/05/image-55-1536x515.png 1536w, https://adsecurity.org/wp-content/uploads/2020/05/image-55.png 1914w" sizes="(max-width: 1024px) 100vw, 1024px" /></figure> <p><br><strong>Mitigation</strong></p> <ul><li>Determine rights actually required and ensure the only the required, limited rights apply to the GMSA.</li><li>Don’t add to AD privileged groups unless the servers the GMSAs are used on are limited to Tier 0 (Domain 
Controllers). </li><li>Limit GMSA access & location (especially if privileged). <br></li></ul> <p><strong>Thank You!</strong><br>Huge shout-out to <a href="https://twitter.com/MGrafnetter">Michael Grafnetter</a> at DSInternals for hist <a href="https://www.dsinternals.com/en/retrieving-cleartext-gmsa-passwords-from-active-directory/">blogpost </a>that provided the information I needed to walk through this process.<br>Also to <a href="https://twitter.com/gentilkiwi">Benjamin Delpy</a> for helping me test a recent version of Mimikatz against the LSASS data containing GMSA credentials.</p> <div class="tptn_counter" id="tptn_counter_4367">(Visited 58,021 times, 4 visits today)</div> </div> <ul class="entry-footer"> <li class="post-tags col-sm-8"><i class="fa fa-tags" title="Tags"></i> <span class="terms"><a class="term term-tagpost_tag term-1444" href="https://adsecurity.org/?tag=clear-text-password">clear-text password</a>, <a class="term term-tagpost_tag term-1446" href="https://adsecurity.org/?tag=computer-account">Computer Account</a>, <a class="term term-tagpost_tag term-1442" href="https://adsecurity.org/?tag=convertto-nthash">ConvertTo-NTHash</a>, <a class="term term-tagpost_tag term-602" href="https://adsecurity.org/?tag=dsinternals">DSInternals</a>, <a class="term term-tagpost_tag term-1448" href="https://adsecurity.org/?tag=get-adreplaccount">Get-ADReplAccount</a>, <a class="term term-tagpost_tag term-1432" href="https://adsecurity.org/?tag=get-adserviceaccount">Get-ADServiceAccount</a>, <a class="term term-tagpost_tag term-1430" href="https://adsecurity.org/?tag=gmsa">GMSA</a>, <a class="term term-tagpost_tag term-1431" href="https://adsecurity.org/?tag=gmsa-password">GMSA password</a>, <a class="term term-tagpost_tag term-1438" href="https://adsecurity.org/?tag=gmsa-password-hash">GMSA password hash</a>, <a class="term term-tagpost_tag term-1436" href="https://adsecurity.org/?tag=gmsa-spn">GMSA SPN</a>, <a class="term term-tagpost_tag term-1429" 
href="https://adsecurity.org/?tag=group-managed-service-accounts">Group Managed Service Accounts</a>, <a class="term term-tagpost_tag term-81" href="https://adsecurity.org/?tag=kerberos">Kerberos</a>, <a class="term term-tagpost_tag term-1435" href="https://adsecurity.org/?tag=kerberos-spn">Kerberos SPN</a>, <a class="term term-tagpost_tag term-71" href="https://adsecurity.org/?tag=lsass">LSASS</a>, <a class="term term-tagpost_tag term-207" href="https://adsecurity.org/?tag=mimikatz">mimikatz</a>, <a class="term term-tagpost_tag term-1449" href="https://adsecurity.org/?tag=msds-groupmanagedserviceaccount">msDS-GroupManagedServiceAccount</a>, <a class="term term-tagpost_tag term-1451" href="https://adsecurity.org/?tag=msds-groupmsamembership">msDS-GroupMSAMembership</a>, <a class="term term-tagpost_tag term-1443" href="https://adsecurity.org/?tag=msds-managedpassword">msds-ManagedPassword</a>, <a class="term term-tagpost_tag term-1452" href="https://adsecurity.org/?tag=msds-managedpasswordid">msDS-ManagedPasswordId</a>, <a class="term term-tagpost_tag term-1450" href="https://adsecurity.org/?tag=msds-managedpasswordinterval">msDS-ManagedPasswordInterval</a>, <a class="term term-tagpost_tag term-1440" href="https://adsecurity.org/?tag=msds-managepasswordinterval">msDS-ManagePasswordInterval</a>, <a class="term term-tagpost_tag term-1439" href="https://adsecurity.org/?tag=principalsallowedtoretrivemanagedpassword">PrincipalsAllowedToRetriveManagedPassword</a>, <a class="term term-tagpost_tag term-1447" href="https://adsecurity.org/?tag=psexec">PSEXEC</a>, <a class="term term-tagpost_tag term-1434" href="https://adsecurity.org/?tag=sekurlsaekeys">Sekurlsa::ekeys</a>, <a class="term term-tagpost_tag term-776" href="https://adsecurity.org/?tag=sekurlsalogonpasswords">sekurlsa::logonpasswords</a>, <a class="term term-tagpost_tag term-1137" href="https://adsecurity.org/?tag=service-principal-name">service principal name</a>, <a class="term term-tagpost_tag term-1441" 
href="https://adsecurity.org/?tag=serviceprincipalnames">ServicePrincipalNames</a>, <a class="term term-tagpost_tag term-294" href="https://adsecurity.org/?tag=spn">SPN</a>, <a class="term term-tagpost_tag term-1445" href="https://adsecurity.org/?tag=system">SYSTEM</a>, <a class="term term-tagpost_tag term-1433" href="https://adsecurity.org/?tag=_sa_">_SA_</a></span></li> <li class="addthis col-sm-8"><div class="add-this"></div></li> </ul> </div> </div> <div class="entry-author"> <div class="row"> <div class="author-avatar col-sm-3"> <a href="https://adsecurity.org/?author=2" rel="author"> <img alt='' src='https://secure.gravatar.com/avatar/1f3ad5e878e5d0e6096c5a33718a04d0?s=200&d=mm&r=g' srcset='https://secure.gravatar.com/avatar/1f3ad5e878e5d0e6096c5a33718a04d0?s=400&d=mm&r=g 2x' class='avatar avatar-200 photo' height='200' width='200' loading='lazy' decoding='async'/> </a> </div> <div class="author-bio col-sm-9"> <h3 class="section-title-sm">Sean Metcalf</h3> <p>I improve security for enterprises around the world working for TrimarcSecurity.com<br /> Read the About page (top left) for information about me. :)<br /> https://adsecurity.org/?page_id=8</p> <ul class="author-social"> <li><a href="mailto:sean@adsecurity.org"><i class="fa fa-envelope-o"></i></a></li> </ul> </div> </div> </div> </div><!-- #content-main --> </div><!-- #content --> <div id="sidebar_bottom" class="sidebar widget-area row footer-widget-col-3"> <div id="text-2" class="sidebar-wrap widget_text col-sm-4"><h3>Copyright</h3> <div class="textwidget">Content Disclaimer: This blog and its contents are provided "AS IS" with no warranties, and they confer no rights. Script samples are provided for informational purposes only and no guarantee is provided as to functionality or suitability. The views shared on this blog reflect those of the authors and do not represent the views of any companies mentioned. 