Microsoft’s group Managed Service Accounts (gMSA) enable services to run under a secured identity on Active Directory-integrated systems. This special kind of account has a complex password that is changed automatically and frequently. The password is stored in Active Directory, and authorized computer accounts are granted access to retrieve it on behalf of the services they run.
Attackers may try to compromise gMSA passwords as they often provide access to resources, like databases, that are ultimately the attacker’s objective.
Stealthbits provides a variety of ways to detect unauthorized attempts to access Group Managed Service Account passwords.
Detect gMSA Exploitation
Detection of unauthorized attempts to retrieve Group Managed Service Account passwords is possible by monitoring permission changes, as well as LDAP and other read activity against the gMSA password attribute in Active Directory.
APPROACH #1
Suspicious gMSA Permissions Assignment
DESCRIPTION
Monitor for attempts to grant permissions to read gMSA passwords to users that are not computer accounts.
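The following script is an added example of the point-in-time check behind this approach; it is not Stealthbits code. It assumes the ActiveDirectory RSAT module and read access to the domain. For each gMSA it reads PrincipalsAllowedToRetrieveManagedPassword (the module's view of the msDS-GroupMSAMembership security descriptor that governs who may read msDS-ManagedPassword) and reports any principal that is not a computer account, expanding groups so that a user nested inside an otherwise legitimate host group is also reported.

```powershell
# Added example (not Stealthbits code): list non-computer principals allowed to
# retrieve gMSA passwords. Assumes the ActiveDirectory module and domain read access.
Import-Module ActiveDirectory

function Get-SuspiciousGmsaReader {
    [CmdletBinding()]
    param(
        [string]$Server   # optional domain controller to query; hypothetical parameter
    )
    $adArgs = @{}
    if ($Server) { $adArgs.Server = $Server }

    # Only group MSAs carry a retrieval ACL; standalone MSAs are bound to one host.
    $accounts = Get-ADServiceAccount @adArgs `
        -Filter 'objectClass -eq "msDS-GroupManagedServiceAccount"' `
        -Properties PrincipalsAllowedToRetrieveManagedPassword

    foreach ($gmsa in $accounts) {
        foreach ($dn in $gmsa.PrincipalsAllowedToRetrieveManagedPassword) {
            $principal = Get-ADObject @adArgs -Identity $dn -Properties sAMAccountName

            if ($principal.ObjectClass -eq 'computer') {
                continue   # expected: a host that runs the service
            }
            elseif ($principal.ObjectClass -eq 'group') {
                # A group is normal when it holds only the service hosts; report any
                # nested member that is not a computer. Foreign security principals
                # from trusted domains may make Get-ADGroupMember error out; treat
                # such groups as needing manual review.
                try {
                    Get-ADGroupMember @adArgs -Identity $dn -Recursive |
                        Where-Object { $_.objectClass -ne 'computer' } |
                        ForEach-Object {
                            [pscustomobject]@{
                                gMSA      = $gmsa.Name
                                Principal = $_.SamAccountName
                                Class     = $_.objectClass
                                Via       = $principal.Name
                            }
                        }
                }
                catch {
                    Write-Warning "Could not expand group $($principal.Name) for $($gmsa.Name): $_"
                }
            }
            else {
                # A user (or anything else) granted retrieval rights directly is the
                # pattern this approach is meant to catch.
                [pscustomobject]@{
                    gMSA      = $gmsa.Name
                    Principal = $principal.sAMAccountName
                    Class     = $principal.ObjectClass
                    Via       = 'direct'
                }
            }
        }
    }
}

Get-SuspiciousGmsaReader | Format-Table -AutoSize
```

Run on a schedule this gives an inventory of who can currently read each gMSA password, which is useful as a baseline. It does not by itself observe the grant as it happens; for that, directory service change auditing has to be enabled so that a write to msDS-GroupMSAMembership is recorded (Event ID 5136 on the domain controller), and that event stream is what a live detection would be built on.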