Group Managed Service Account (gMSA) Exploitation

How to detect unauthorized gMSA password access

Microsoft’s group Managed Service Accounts (gMSA) enable services to run under a secured identity on Active Directory-integrated systems. These accounts have complex passwords that are rotated automatically on a regular schedule. The password is stored in Active Directory, and authorized computer accounts are granted permission to retrieve it on behalf of the services they run.

Attackers may try to compromise gMSA passwords as they often provide access to resources, like databases, that are ultimately the attacker’s objective.


Stealthbits’ gMSA Exploitation Solution

Stealthbits provides a variety of ways to detect unauthorized attempts to access Group Managed Service Account passwords.

Detect gMSA Exploitation

Detection of unauthorized attempts to retrieve Group Managed Service Account passwords is possible by monitoring permission changes, as well as LDAP and other read activity against the gMSA password attribute in Active Directory.

APPROACH #1

Suspicious gMSA Permissions Assignment

DESCRIPTION

Monitor for attempts to grant permissions to read gMSA passwords to users that are not computer accounts.

PRODUCT: StealthDEFEND
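An added example (not Stealthbits code) of the check Approach #1 describes: it enumerates every principal allowed to retrieve each gMSA's password, expands groups recursively, and flags anything that is not a computer account. It assumes the ActiveDirectory PowerShell module (RSAT) in a domain-joined session with read access; the function and property names are my own.

```powershell
# Added example, not from the original page: audit who may read each
# gMSA's managed password and flag non-computer principals.
# Assumes the ActiveDirectory module (RSAT) and domain read access.
Import-Module ActiveDirectory

function Get-GmsaPasswordReaders {
    [CmdletBinding()]
    param()

    $gmsas = Get-ADServiceAccount -Filter * `
        -Properties PrincipalsAllowedToRetrieveManagedPassword

    foreach ($gmsa in $gmsas) {
        foreach ($dn in $gmsa.PrincipalsAllowedToRetrieveManagedPassword) {
            $principal = Get-ADObject -Identity $dn -Properties objectClass
            $members = @($principal)
            if ($principal.objectClass -eq 'group') {
                # Expand nested membership: a user nested inside an allowed
                # group can read the password just as a direct grant can.
                $members = @(Get-ADGroupMember -Identity $dn -Recursive)
            }
            foreach ($m in $members) {
                [pscustomobject]@{
                    GmsaName    = $gmsa.Name
                    GrantedTo   = $principal.Name
                    Principal   = $m.Name
                    ObjectClass = $m.objectClass
                    # Only computer accounts (or other gMSAs) are expected here;
                    # anything else matches the suspicious-assignment condition.
                    Suspicious  = ($m.objectClass -notin
                        @('computer', 'msDS-GroupManagedServiceAccount'))
                }
            }
        }
    }
}

# Show only the grants that need review.
Get-GmsaPasswordReaders | Where-Object Suspicious | Format-Table -AutoSize
```

Running this on a schedule and diffing the output against the last run gives a simple baseline for the permission changes that Approach #1 monitors.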

APPROACH #2

Password Access

DESCRIPTION

Monitor for attempts to access gMSA passwords by users that are not computer accounts.

PRODUCT: StealthDEFEND

Prevent gMSA Exploitation

Prevention of unauthorized attempts to retrieve Group Managed Service Account passwords is possible by blocking permission changes.

APPROACH

Block gMSA Permissions Changes

DESCRIPTION

Once permissions on a gMSA have been configured, block changes occurring outside of change control procedures.

PRODUCT: StealthINTERCEPT

© 2022 Stealthbits Technologies, Inc.