BloodHoundAD / BloodHound

Six Degrees of Domain Admin


Proposed New Edge: DumpSMSAPassword

simondotsh opened this issue

Context

A principal with administrative privileges on a computer with a Standalone Managed Service Account (sMSA) installed on it can retrieve the sMSA's password by dumping LSA secrets. This is not a new technique, but I documented here how BloodHound could map this in the same fashion as ReadGMSAPassword.

Proposed New Edge

Name: DumpSMSAPassword.
Relationship Creation: Enumerate sMSA with objectClass=msDS-ManagedServiceAccount. Create a relationship starting from the computer object matching the distinguished name stated in the sMSA attribute msDS-HostServiceAccountBL and link it to the sMSA.

Contributing

If this edge is wanted, and the proposed way to implement it suits you, I can contribute the required changes, but will be waiting for the green light before doing so.
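The relationship-creation rule described in the proposal (filter on `objectClass=msDS-ManagedServiceAccount`, then link the computer named in `msDS-HostServiceAccountBL` to the sMSA) can be exercised on sample directory records. The script below is an added illustration, not code from this issue, from SharpHound or from BloodHound; the domain `corp.local`, the SIDs, DNs and records are constructed, and the edge dictionaries are a simplified stand-in for the collector's real output format. It also covers the cases a collector has to tolerate: an sMSA that was created but never installed (no back-link), a back-link naming a host that was not enumerated, DN case differences, and a gMSA that the sMSA filter must not match.

```python
"""Build DumpSMSAPassword edges from LDAP-style records (constructed sample data)."""
from typing import Any, Dict, List, Tuple

Record = Dict[str, Any]
Edge = Dict[str, str]

# Constructed sample search results for a hypothetical corp.local domain.
COMPUTERS: List[Record] = [
    {"objectClass": ["top", "person", "organizationalPerson", "user", "computer"],
     "distinguishedName": "CN=SRV01,OU=Servers,DC=corp,DC=local",
     "objectSid": "S-1-5-21-100-200-300-1105"},
    {"objectClass": ["top", "person", "organizationalPerson", "user", "computer"],
     "distinguishedName": "CN=WS02,OU=Workstations,DC=corp,DC=local",
     "objectSid": "S-1-5-21-100-200-300-1106"},
]

SERVICE_ACCOUNTS: List[Record] = [
    # sMSA installed on SRV01: the back-link names the host, so one edge is expected.
    # The DN is deliberately lower-cased to show that matching must ignore case.
    {"objectClass": ["top", "person", "organizationalPerson", "user", "computer",
                     "msDS-ManagedServiceAccount"],
     "distinguishedName": "CN=svc-backup,CN=Managed Service Accounts,DC=corp,DC=local",
     "objectSid": "S-1-5-21-100-200-300-1201",
     "msDS-HostServiceAccountBL": ["cn=srv01,ou=servers,dc=corp,dc=local"]},
    # sMSA created but never installed anywhere: no back-link, so no edge.
    {"objectClass": ["top", "person", "organizationalPerson", "user", "computer",
                     "msDS-ManagedServiceAccount"],
     "distinguishedName": "CN=svc-unused,CN=Managed Service Accounts,DC=corp,DC=local",
     "objectSid": "S-1-5-21-100-200-300-1202"},
    # sMSA whose back-link points at a host that is not in the enumerated computers.
    {"objectClass": ["top", "person", "organizationalPerson", "user", "computer",
                     "msDS-ManagedServiceAccount"],
     "distinguishedName": "CN=svc-stale,CN=Managed Service Accounts,DC=corp,DC=local",
     "objectSid": "S-1-5-21-100-200-300-1203",
     "msDS-HostServiceAccountBL": ["CN=OLDSRV,OU=Servers,DC=corp,DC=local"]},
    # gMSA: a different object class, which the sMSA filter must not match.
    {"objectClass": ["top", "person", "organizationalPerson", "user", "computer",
                     "msDS-GroupManagedServiceAccount"],
     "distinguishedName": "CN=gmsa-sql,CN=Managed Service Accounts,DC=corp,DC=local",
     "objectSid": "S-1-5-21-100-200-300-1204"},
]


def normalize_dn(dn: str) -> str:
    """Distinguished names compare case-insensitively; strip stray whitespace too."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def is_smsa(record: Record) -> bool:
    """Equivalent of the LDAP filter (objectClass=msDS-ManagedServiceAccount)."""
    return "msDS-ManagedServiceAccount" in record.get("objectClass", [])


def host_dns(record: Record) -> List[str]:
    """msDS-HostServiceAccountBL may be absent, a single string, or a list."""
    value = record.get("msDS-HostServiceAccountBL", [])
    return [value] if isinstance(value, str) else list(value)


def build_dump_smsa_edges(computers: List[Record],
                          service_accounts: List[Record]
                          ) -> Tuple[List[Edge], List[Tuple[str, str]]]:
    """Return (edges, unresolved): one DumpSMSAPassword edge per resolvable host link,
    plus the (sMSA DN, host DN) pairs whose host was not among the enumerated computers."""
    by_dn = {normalize_dn(c["distinguishedName"]): c for c in computers}
    edges: List[Edge] = []
    unresolved: List[Tuple[str, str]] = []
    for account in service_accounts:
        if not is_smsa(account):
            continue
        for host in host_dns(account):
            computer = by_dn.get(normalize_dn(host))
            if computer is None:
                unresolved.append((account["distinguishedName"], host))
                continue
            # Edge direction follows the proposal: computer -> sMSA.
            edges.append({"start": computer["objectSid"],
                          "end": account["objectSid"],
                          "kind": "DumpSMSAPassword"})
    return edges, unresolved


if __name__ == "__main__":
    found, missing = build_dump_smsa_edges(COMPUTERS, SERVICE_ACCOUNTS)
    for edge in found:
        print(f"{edge['start']} -[{edge['kind']}]-> {edge['end']}")
    for account_dn, host_dn in missing:
        print(f"unresolved host {host_dn} for {account_dn}")
```

Keying the lookup on the computer's normalized DN rather than on its name avoids false matches between hosts in different OUs or domains, and reporting unresolved back-links separately makes a stale or out-of-scope installation visible instead of silently dropping it.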

Excellent work, @simondotsh. Thanks a lot for sharing your research!
We definitely want that edge in BH, and it would be much appreciated if you would make pull requests for the feature.

Hey @JonasBK,

I've modified the required projects to introduce the edge.

Awesome! We will review it and keep you updated.
Thank you so much for this great contribution!

Hey @simondotsh,
Do you know what privileges in AD it takes to install an sMSA? And what happens if it is already installed on another host?
I'm considering if it is possible for one to have a certain privilege on the sMSA object that allows one to install the sMSA on a host to compromise the sMSA that way.

Hi @JonasBK,

MS has documented the privileges required to delegate full access over sMSAs here. To install a fresh sMSA from an elevated prompt on a host, I only needed the Reset password and Write account restrictions privileges on the sMSA object in my lab.

After basic tests, I couldn't overwrite an already-installed sMSA, so it looks like you'd need to uninstall it from the host first using the same object privileges and local admin.

Gotcha. Thanks for the explanation and testing!

Hey @simondotsh,

There are two minor things we want to change.
We would want the SMSA array to be renamed DumpSMSAPassword, so it is named the same as the edge. And then, we want to change it from a string array to a TypedPrincipal array.

Would you be interested in making these changes?

Completely understandable if you are not interested in rewriting your well-working PRs. We will make the changes in that case but will still credit you when releasing the next BloodHound version.

Hi @JonasBK,

I've pushed the required changes to the three pull requests; let me know if this does the job.

Awesome, @simondotsh!

It looks good :)

There are two minor things for BloodHound as well.

  1. I just noticed your comment here: #626 (comment)
    It is a good point. It would be great to have a check like that.

  2. This line here is missing. It enables intellisense.

Hey @JonasBK,

Done!

Closing - Implemented in 4.3.1 🥳