Closed simondotsh closed 1 year ago
Excellent work, @simondotsh. Thanks a lot for sharing your research! We definitely want that edge in BH, and it would be much appreciated if you would make pull requests for the feature.
Hey @JonasBK,
I've modified the required projects to introduce the edge.
Awesome! We will review it and keep you updated. Thank you so much for this great contribution!
Hey @simondotsh, do you know what privileges in AD it takes to install an sMSA? And what happens if it is already installed on another host? I'm considering if it is possible for one to have a certain privilege on the sMSA object that allows one to install the sMSA on a host to compromise the sMSA that way.
Hi @JonasBK,
MS has documented the privileges required to delegate full access over sMSAs here. To install a fresh sMSA from an elevated prompt on a host, I only needed the Reset password and Write account restrictions privileges on the sMSA object in my lab.
After basic tests, I couldn't overwrite an already-installed sMSA, so it looks like you'd need to uninstall it from the host first using the same object privileges and local admin.
Gotcha. Thanks for the explanation and testing!
Hey @simondotsh,
There are two minor things we want to change. We would want the SMSA array to be renamed DumpSMSAPassword, so it is named the same as the edge. And then, we want to change it from a string array to a TypedPrincipal array.
Would you be interested in making these changes?
Completely understandable if you are not interested in rewriting your well-working PRs. We will make the changes in that case but will still credit you when releasing the next BloodHound version.
Hi @JonasBK,
I've pushed the required changes to the three pull requests; let me know if this does the job.
Awesome, @simondotsh!
It looks good :)
There are two minor things for BloodHound as well.
I just noticed your comment here: https://github.com/BloodHoundAD/BloodHound/pull/626#issuecomment-1363408958 It is a good point. It would be great to have a check like that.
This line here is missing. It enables intellisense.
Hey @JonasBK,
Done!
Closing - Implemented in 4.3.1 🥳
Context
A principal with administrative privileges on a computer with a Standalone Managed Service Account (sMSA) installed on it can retrieve the sMSA's password by dumping LSA secrets. This is not a new technique, but I documented here how BloodHound could map this in the same fashion as ReadGMSAPassword.
Proposed New Edge
Name: DumpSMSAPassword.
Relationship Creation: Enumerate sMSAs with objectClass=msDS-ManagedServiceAccount. Create a relationship starting from the computer object matching the distinguished name stated in the sMSA attribute msDS-HostServiceAccountBL and link it to the sMSA.
Contributing
If this edge is wanted, and the proposed way to implement it suits you, I can contribute the required changes, but will be waiting for the green light before doing so.
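The relationship-creation rule from the proposal, worked through as an added example that is not taken from the pull requests or from BloodHound/SharpHound: the directory records are constructed, and the TypedPrincipal field names (ObjectIdentifier/ObjectType) are assumed. It also covers two cases the proposal does not spell out: DN comparison is case-insensitive, and a backlink naming a host that was not collected yields no edge.

```python
from collections import defaultdict

EDGE_KIND = "DumpSMSAPassword"
SMSA_CLASS = "msds-managedserviceaccount"

# Constructed sample objects (not real data); multi-valued attributes are lists.
SAMPLE_OBJECTS = [
    {"distinguishedName": "CN=SRV01,OU=Servers,DC=corp,DC=local",
     "objectClass": ["top", "user", "computer"], "objectSid": "S-1-5-21-1-2-3-1101"},
    # sMSA installed on SRV01; the backlink DN deliberately differs in case.
    {"distinguishedName": "CN=svc-backup,CN=Managed Service Accounts,DC=corp,DC=local",
     "objectClass": ["top", "user", "computer", "msDS-ManagedServiceAccount"],
     "objectSid": "S-1-5-21-1-2-3-2001",
     "msDS-HostServiceAccountBL": ["cn=srv01,ou=servers,dc=corp,dc=local"]},
    # Backlink names a host absent from the collected data: skipped, not a crash.
    {"distinguishedName": "CN=svc-sql,CN=Managed Service Accounts,DC=corp,DC=local",
     "objectClass": ["top", "user", "computer", "msDS-ManagedServiceAccount"],
     "objectSid": "S-1-5-21-1-2-3-2003",
     "msDS-HostServiceAccountBL": ["CN=SRV99,OU=Servers,DC=corp,DC=local"]},
]

def _classes(obj):
    return {c.lower() for c in obj.get("objectClass", [])}

def _norm_dn(dn):
    return dn.strip().lower()  # AD compares DNs case-insensitively

def build_dump_smsa_edges(objects):
    """(computer_sid, smsa_sid, EDGE_KIND) per installed sMSA: enumerate
    objectClass=msDS-ManagedServiceAccount, then start the edge at the computer
    named in msDS-HostServiceAccountBL and end it at the sMSA."""
    # sMSA objects also carry the computer class, so keep them out of the host map.
    hosts = {_norm_dn(o["distinguishedName"]): o["objectSid"] for o in objects
             if "computer" in _classes(o) and SMSA_CLASS not in _classes(o)}
    edges = []
    for smsa in (o for o in objects if SMSA_CLASS in _classes(o)):
        for host_dn in smsa.get("msDS-HostServiceAccountBL", []):
            host_sid = hosts.get(_norm_dn(host_dn))
            if host_sid is not None:
                edges.append((host_sid, smsa["objectSid"], EDGE_KIND))
    return edges

def per_computer_arrays(edges):
    """Group edges as a DumpSMSAPassword array per computer, in the TypedPrincipal
    shape the maintainers asked for (ObjectIdentifier/ObjectType fields assumed)."""
    grouped = defaultdict(list)
    for host_sid, smsa_sid, _ in edges:
        grouped[host_sid].append({"ObjectIdentifier": smsa_sid, "ObjectType": "User"})
    return dict(grouped)
```

Running build_dump_smsa_edges over the sample yields one edge, SRV01 to svc-backup; the svc-sql record produces none because its host is not in the data.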