BloodHoundAD / BloodHound

Six Degrees of Domain Admin
GNU General Public License v3.0

Proposed New Edge: DumpSMSAPassword #624

Closed simondotsh closed 1 year ago

simondotsh commented 1 year ago

Context

A principal with administrative privileges on a computer with a Standalone Managed Service Account (sMSA) installed on it can retrieve the sMSA's password by dumping LSA secrets. This is not a new technique, but I documented here how BloodHound could map this in the same fashion as ReadGMSAPassword.

Proposed New Edge

Name: DumpSMSAPassword

Relationship Creation: Enumerate sMSAs with objectClass=msDS-ManagedServiceAccount. Create a relationship starting from the computer object matching the distinguished name stated in the sMSA attribute msDS-HostServiceAccountBL and link it to the sMSA.

Contributing

If this edge is wanted, and the proposed way to implement it suits you, I can contribute the required changes, but will be waiting for the green light before doing so.
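The relationship-creation logic described in the proposal, as an added example that is not part of the issue, the pull requests, or SharpHound itself. It takes LDAP results already fetched (the entries below are constructed for the example; the search base in the comment is an assumption), keeps only standalone MSAs, and emits one DumpSMSAPassword edge per computer listed in msDS-HostServiceAccountBL. An sMSA that is not installed anywhere has no back-link, so it produces no edge, and gMSAs are excluded because ReadGMSAPassword already covers them:

```python
"""Build DumpSMSAPassword edges (computer -> sMSA) from LDAP entries.

Added illustration of the proposed edge, not SharpHound code. The LDAP
filter and attribute names are the real AD schema names; the sample
entries and the search base are constructed for this example.
"""
from dataclasses import dataclass

# What a collector would request, e.g. with ldap3 or DirectorySearcher:
#   search base: the domain root, e.g. "DC=corp,DC=local" (assumption)
#   filter:      SMSA_FILTER
#   attributes:  SMSA_ATTRIBUTES
SMSA_FILTER = "(objectClass=msDS-ManagedServiceAccount)"
SMSA_ATTRIBUTES = [
    "distinguishedName",
    "objectClass",
    "msDS-HostServiceAccountBL",  # back-link: the computer(s) it is installed on
]


@dataclass(frozen=True)
class Edge:
    start: str            # computer DN, upper-cased for stable comparison
    end: str              # sMSA DN, upper-cased
    kind: str = "DumpSMSAPassword"


def is_smsa(entry):
    """True only for standalone MSAs.

    gMSAs use objectClass msDS-GroupManagedServiceAccount (a sibling class,
    not a subclass of msDS-ManagedServiceAccount), so the LDAP filter already
    excludes them; the check here is defensive and documents the intent.
    """
    classes = {c.lower() for c in entry.get("objectClass", [])}
    return ("msds-managedserviceaccount" in classes
            and "msds-groupmanagedserviceaccount" not in classes)


def build_edges(entries):
    """Map each host in msDS-HostServiceAccountBL to the sMSA it hosts."""
    edges = []
    for entry in entries:
        if not is_smsa(entry):
            continue
        smsa_dn = entry["distinguishedName"].upper()
        # Linked attributes are multi-valued in LDAP; an sMSA that is not
        # installed on any host simply has no value and yields no edge.
        for host_dn in entry.get("msDS-HostServiceAccountBL") or []:
            edges.append(Edge(start=host_dn.upper(), end=smsa_dn))
    return edges


# Constructed sample: one installed sMSA, one orphan sMSA, one gMSA.
SAMPLE_ENTRIES = [
    {
        "distinguishedName": "CN=svc-backup,CN=Managed Service Accounts,DC=corp,DC=local",
        "objectClass": ["top", "person", "organizationalPerson", "user",
                        "computer", "msDS-ManagedServiceAccount"],
        "msDS-HostServiceAccountBL": ["CN=FILE01,OU=Servers,DC=corp,DC=local"],
    },
    {
        "distinguishedName": "CN=svc-orphan,CN=Managed Service Accounts,DC=corp,DC=local",
        "objectClass": ["top", "person", "organizationalPerson", "user",
                        "computer", "msDS-ManagedServiceAccount"],
        # never installed: no back-link attribute at all
    },
    {
        "distinguishedName": "CN=gmsa-sql,CN=Managed Service Accounts,DC=corp,DC=local",
        "objectClass": ["top", "person", "organizationalPerson", "user",
                        "computer", "msDS-GroupManagedServiceAccount"],
    },
]


def sample_edges():
    """Edges produced from the constructed sample (one expected)."""
    return build_edges(SAMPLE_ENTRIES)


if __name__ == "__main__":
    for edge in sample_edges():
        print(f"{edge.start} -[{edge.kind}]-> {edge.end}")
```

Upper-casing both DNs before emitting the edge matters in practice: msDS-HostServiceAccountBL is maintained by the directory and reflects the casing of the computer object at link time, while other collectors may have recorded the computer with different casing, and an edge whose endpoint does not match any collected node is silently dropped when the graph is built.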

JonasBK commented 1 year ago

Excellent work, @simondotsh. Thanks a lot for sharing your research! We definitely want that edge in BH, and it would be much appreciated if you would make pull requests for the feature.

simondotsh commented 1 year ago

Hey @JonasBK,

I've modified the required projects to introduce the edge.

JonasBK commented 1 year ago

Awesome! We will review it and keep you updated. Thank you so much for this great contribution!

JonasBK commented 1 year ago

Hey @simondotsh,

Do you know what privileges in AD it takes to install an sMSA? And what happens if it is already installed on another host? I'm considering if it is possible for one to have a certain privilege on the sMSA object that allows one to install the sMSA on a host to compromise the sMSA that way.

simondotsh commented 1 year ago

Hi @JonasBK,

MS has documented the privileges required to delegate full access over sMSAs here. To install a fresh sMSA from an elevated prompt on a host, I only needed the Reset password and Write account restrictions privileges on the sMSA object in my lab.

After basic tests, I couldn't overwrite an already-installed sMSA, so it looks like you'd need to uninstall it from the host first using the same object privileges and local admin.

JonasBK commented 1 year ago

Gotcha. Thanks for the explanation and testing!

JonasBK commented 1 year ago

Hey @simondotsh,

There are two minor things we want to change. We would want the SMSA array to be renamed DumpSMSAPassword, so it is named the same as the edge. And then, we want to change it from a string array to a TypedPrincipal array.

Would you be interested in making these changes?

Completely understandable if you are not interested in rewriting your well-working PRs. We will make the changes in that case but will still credit you when releasing the next BloodHound version.

simondotsh commented 1 year ago

Hi @JonasBK,

I've pushed the required changes to the three pull requests; let me know if this does the job.

JonasBK commented 1 year ago

Awesome, @simondotsh!

It looks good :)

There are two minor things for BloodHound as well.

  1. I just noticed your comment here: https://github.com/BloodHoundAD/BloodHound/pull/626#issuecomment-1363408958. It is a good point. It would be great to have a check like that.

  2. This line here is missing. It enables intellisense.

simondotsh commented 1 year ago

Hey @JonasBK,

Done!

JonasBK commented 1 year ago

Closing - Implemented in 4.3.1 🥳