This lab is one sample of the nearly 20 hands-on labs in the Defending the Enterprise course.
For more information, see Defending the Enterprise on AntiSyphon Training.
In this lab we will create a group Managed Service Account (gMSA). A gMSA has a long, randomly generated password that Active Directory rotates automatically; only the principals named when the account is created (here, the computer accounts in an associated security group) can retrieve that password. That is what lets services and scheduled tasks on those hosts log on as the account without anyone typing, knowing, or storing a password.
For additional information on gMSAs, see https://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/getting-started-with-group-managed-service-accounts
- Step One - Create the required components.
- Step Two - Setup Domain for GMSA
- Step Three - Generate the GMSA
- Step Four - Using the GMSA
- Step Five - Confirming Success
- Lab Complete
We need to create a new security group whose members are allowed to retrieve the gMSA's password and run services under it.
First, let's open an administrative PowerShell session on the domain controller and confirm who and where we are.
whoami
hostname
PS C:\Windows\system32> whoami
dteclass\dteadmin
PS C:\Windows\system32> hostname
DTE-DC1
Here we will create a new OU called SecurityGroups, then a child OU called GMSAGroups inside it. Next we create a domain local security group called sec_gmsa_SOXReportingService; its members will be the computer objects permitted to retrieve the gMSA password and run SOXReportingService. Finally we create a computer object, svr_SOXReporter, to stand in for a member server (the ComputerAccounts OU it is placed in is assumed to already exist in the lab domain).
New-ADOrganizationalUnit -Name "SecurityGroups" -Path "DC=dteclass,DC=com"
New-ADOrganizationalUnit -Name "GMSAGroups" -Path "OU=SecurityGroups,DC=dteclass,DC=com"
New-ADGroup "sec_gmsa_SOXReportingService" -Path "OU=GMSAGroups,OU=SecurityGroups,DC=dteclass,DC=com" -GroupCategory Security -GroupScope DomainLocal -PassThru -Verbose
New-ADComputer -Name "svr_SOXReporter" -SamAccountName "svr_SOXReporter" -Path "OU=ComputerAccounts,DC=dteclass,DC=com"
Next, let's add computer accounts to the new group. Only members of this group will be able to retrieve the gMSA password, so it should contain exactly the hosts that need to run the service (note the trailing $ on computer account names).
Add-ADGroupMember 'sec_gmsa_SOXReportingService' -Members 'svr_SOXReporter$'
Add-ADGroupMember 'sec_gmsa_SOXReportingService' -Members 'dte-dc1$'
The domain needs a KDS root key, from which domain controllers derive every gMSA password. Follow the next step to generate it. Note that a newly created KDS root key cannot be used until 10 hours after it is generated, to allow it to replicate to all domain controllers. In a test environment with a single DC, you can back-date the effective time by ten hours to eliminate the wait; do not do this in production, where the replication delay is the point.
Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
This returns the GUID of the new KDS root key:
PS C:\Windows\system32> Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
Guid
----
e68d36d9-fbf5-69a1-0cb2-797c1d25a446
Next, let's create a new OU specifically for gMSAs.
New-ADOrganizationalUnit -Name "GMSAs" -Path "DC=dteclass,DC=com"
Finally, let's create the gMSA. -PrincipalsAllowedToRetrieveManagedPassword names the group whose members may read the managed password; any principal that can retrieve the password can act as the account, so keep that group small. -DNSHostName is the account's fully qualified DNS name in the domain. The resulting SAM account name is gmsa_soxrep$.
New-ADServiceAccount -Name gmsa_soxrep -DNSHostName gmsa_soxrep.dteclass.com -PrincipalsAllowedToRetrieveManagedPassword sec_gmsa_SOXReportingService -Path "OU=GMSAs,DC=dteclass,DC=com"
Our environment only has one real computer, the domain controller. Let's create a batch file and then schedule it with Task Scheduler to run as the gMSA. When the scheduled task fires, the host retrieves the account's current password from Active Directory and uses it to log on; no password is ever entered.
In this case the system retrieving the password is also the domain controller, but any computer that is a member of the sec_gmsa_SOXReportingService group can use the gMSA the same way.
First, let's create our batch file. It simply appends the user context it runs under, and the time it ran, to log.txt.
mkdir c:\DTE\GMSASOX
cd c:\DTE\GMSASOX
echo "" | Out-File log.txt -Encoding ASCII
"whoami >>c:\DTE\GMSASOX\log.txt" | Out-File gmsalog.bat -Encoding ASCII
"echo %time% >>c:\DTE\GMSASOX\log.txt" | Out-File gmsalog.bat -Append -Encoding ASCII
.\gmsalog.bat
cat log.txt
This should produce a result similar to below:
PS C:\DTE\GMSASOX> cat .\log.txt
dteclass\dteadmin
12:46:22.29
This indicates that the batch file executed at 12:46:22 and that the user context was dteclass\dteadmin, the interactive administrator, not yet the gMSA.
Next, let's grant the gMSA the file system rights it needs and no more: read and execute on the folder and the batch script, and modify on the log file it appends to. Granting FullControl would let a compromised service account rewrite the very script that runs under its identity. The rule on the folder is created with ContainerInherit and ObjectInherit so that the files inside inherit it.
$gmsa = 'dteclass\gmsa_soxrep$'
$folder = 'C:\DTE\GMSASOX'
$acl = Get-Acl $folder
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($gmsa, 'ReadAndExecute', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $folder -AclObject $acl
$acl = Get-Acl "$folder\log.txt"
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($gmsa, 'Modify', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path "$folder\log.txt" -AclObject $acl
Next, reboot. The computer account DTE-DC1$ was added to sec_gmsa_SOXReportingService after it last authenticated, so its current Kerberos tickets do not yet carry that group membership and the host would be refused the managed password. Restarting makes the computer obtain fresh tickets that include the group.
Restart-Computer
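Before registering anything under the account, it is worth checking every link in the chain, because a broken link shows up later only as a task logon error. The following PowerShell is an added verification script, not part of the original lab. It assumes the names used above (gmsa_soxrep, sec_gmsa_SOXReportingService, the dteclass.com domain and the C:\DTE\GMSASOX folder) and an elevated session on the host that will run the task. It also purges the machine account's Kerberos tickets, which is the quick alternative to the reboot.

```powershell
# Added verification script (not part of the original lab). Assumes the names used
# in this lab: gmsa_soxrep, sec_gmsa_SOXReportingService, domain dteclass.com,
# work folder C:\DTE\GMSASOX. Run elevated on the host that will run the task.
Import-Module ActiveDirectory

$gmsaName  = 'gmsa_soxrep'
$groupName = 'sec_gmsa_SOXReportingService'
$folder    = 'C:\DTE\GMSASOX'
$thisHost  = "$env:COMPUTERNAME`$"      # e.g. DTE-DC1$

# 1. A KDS root key must exist and already be effective; otherwise the DC cannot
#    derive a password for the account.
$kdsKeys = Get-KdsRootKey
if (-not $kdsKeys) { throw 'No KDS root key found; run Add-KdsRootKey first.' }
$effective = @($kdsKeys | Where-Object { $_.EffectiveTime -le (Get-Date) })
if ($effective.Count -eq 0) { throw 'KDS root key exists but is not yet effective (10-hour replication wait).' }
"KDS root key(s) effective: $($effective.KeyId -join ', ')"

# 2. Inspect the gMSA: who may retrieve its password and how often it rotates.
$gmsa = Get-ADServiceAccount -Identity $gmsaName -Properties DNSHostName, PrincipalsAllowedToRetrieveManagedPassword, ManagedPasswordIntervalInDays, PasswordLastSet
$gmsa | Select-Object Name, SamAccountName, DNSHostName, ManagedPasswordIntervalInDays, PasswordLastSet, PrincipalsAllowedToRetrieveManagedPassword | Format-List

# 3. The retrieval group should contain only computers that actually need the account.
$members = @(Get-ADGroupMember -Identity $groupName -Recursive)
"Members of ${groupName}:"
$members | Select-Object Name, SamAccountName, objectClass | Format-Table -AutoSize
$nonComputers = @($members | Where-Object { $_.objectClass -ne 'computer' })
if ($nonComputers.Count -gt 0) {
    Write-Warning "Non-computer principals can retrieve this password: $($nonComputers.SamAccountName -join ', ')"
}

# 4. This host must be one of those members ...
if ($members.SamAccountName -notcontains $thisHost) {
    throw "$thisHost is not a member of $groupName; the task would fail with a logon error."
}

# 5. ... and its Kerberos tickets must already reflect that membership. Purging the
#    machine account's tickets (LSA logon id 0x3e7) forces a fresh TGT without a reboot.
klist -li 0x3e7 purge | Out-Null

# 6. Test-ADServiceAccount asks the local LSA to retrieve the managed password with the
#    computer's own credentials; True means a service or task on this host can log on.
$ok = Test-ADServiceAccount -Identity $gmsaName
"Test-ADServiceAccount ${gmsaName}: $ok"
if (-not $ok) { throw 'This host cannot retrieve the managed password; check group membership and ticket refresh.' }

# 7. File system: the gMSA should appear in the ACLs of the folder and the log file,
#    and with no more than the rights the script needs.
$full = [System.Security.AccessControl.FileSystemRights]::FullControl
foreach ($path in @($folder, "$folder\log.txt")) {
    $aces = (Get-Acl $path).Access | Where-Object { $_.IdentityReference.Value -ieq "dteclass\$gmsaName`$" }
    if (-not $aces) { Write-Warning "$path grants nothing to $gmsaName; the task will fail to write its log."; continue }
    foreach ($ace in $aces) {
        "$path : $($ace.FileSystemRights) ($($ace.AccessControlType), inherited=$($ace.IsInherited))"
        if (($ace.FileSystemRights -band $full) -eq $full) {
            Write-Warning "$path grants FullControl to the service account; ReadAndExecute plus Modify on the log is enough."
        }
    }
}
```

Test-ADServiceAccount returning False immediately after the group change, before the reboot or ticket purge, is expected. Microsoft's getting-started guide linked at the top of the lab uses Install-ADServiceAccount to prepare a host for a Windows service; running it here does no harm, and Test-ADServiceAccount is the check that matters in either case.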
Next, let's set up the scheduled task to run under the gMSA. -LogonType Password tells Task Scheduler to obtain the account's credentials itself; because the principal is a gMSA, the host retrieves the current managed password from Active Directory at run time, so no password is typed into or stored with the task.
$action = New-ScheduledTaskAction -Execute "c:\DTE\GMSASOX\gmsalog.bat"
$trigger = New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Minutes 1)
$principal = New-ScheduledTaskPrincipal -UserId 'dteclass\gmsa_soxrep$' -LogonType Password
Register-ScheduledTask -Action $action -Trigger $trigger -TaskName "Test SOX Reporter GMSA" -Description "Runs every minute" -Principal $principal
The scheduled task should start within a minute and begin logging to C:\DTE\GMSASOX\log.txt. If it does not, check the task's Last Run Result in Task Scheduler: a logon failure usually means the host could not retrieve the managed password (the group membership is not yet effective) or that the gMSA lacks the "Log on as a batch job" user right on this host.
Wait a few moments and then view the contents of the file.
cat c:\DTE\GMSASOX\log.txt
Has the gMSA successfully authenticated, executed the batch script, and updated the file?
After reviewing log.txt, we can see that the gMSA account, gmsa_soxrep$, is authenticating, executing the batch script, and appending to the log file every minute.
PS C:\DTE\GMSASOX> cat .\log.txt
dteclass\dteadmin
12:46:22.29
dteclass\gmsa_soxrep$
12:46:28.19
dteclass\gmsa_soxrep$
12:47:07.96
dteclass\gmsa_soxrep$
12:48:07.98
dteclass\gmsa_soxrep$
12:49:07.99
dteclass\gmsa_soxrep$
12:50:08.01
dteclass\gmsa_soxrep$
12:51:08.02
dteclass\gmsa_soxrep$
12:52:08.02
Take a look at the Task Scheduler history and at the Security and Sysmon event logs.
Note the interesting Event IDs:
- EVENT ID 4624 - An account was successfully logged on (NULL SID [SYSTEM] DTE-DC1$, Impersonation)
- EVENT ID 4768 - A Kerberos authentication ticket (TGT) was requested
- EVENT ID 4769 - A Kerberos service ticket was requested
- EVENT ID 4648 - A logon was attempted using explicit credentials (note the Subject, the Task Scheduler's SYSTEM context on DTE-DC1, versus the Account whose credentials were used, gmsa_soxrep$)
- EVENT ID 4624 - An account was successfully logged on (Logon type 5, DTE-DC1$, Impersonation)
- EVENT ID 4672 - Special privileges assigned to new logon
- Sysmon EVENT ID 1 - Process creation (the batch file's cmd.exe and whoami.exe running as dteclass\gmsa_soxrep$)
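The same evidence can be pulled programmatically, which is how you would turn this lab observation into a detection for gMSA use outside its expected host or schedule. The following PowerShell is an added example, not part of the original lab. It assumes the account name gmsa_soxrep$, that it runs on the host where the task executes (DTE-DC1 here), and that Security auditing and Sysmon are already producing the events listed above; the Sysmon "User" field it reads is present in current Sysmon releases.

```powershell
# Added detection query (not part of the original lab). Assumes the account name
# gmsa_soxrep$ and that it runs on the host where the task executes (DTE-DC1),
# with Security auditing and Sysmon configured as the lab observes.
$Account = 'gmsa_soxrep$'
$Since   = (Get-Date).AddHours(-1)

function ConvertTo-EventData {
    # Flatten an event's <EventData><Data Name="..."> elements into a hashtable.
    param([Parameter(Mandatory)][System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $data = @{}
    $xml = [xml]$Event.ToXml()
    foreach ($d in $xml.Event.EventData.Data) {
        if ($d.Name) { $data[$d.Name] = [string]$d.'#text' }
    }
    return $data
}

function Get-GmsaLogonEvents {
    # The Security events the lab calls out, kept only when some field names the gMSA.
    param([string]$Account, [datetime]$Since)
    $bare = $Account.TrimEnd('$')   # Kerberos events may carry the name with or without the trailing '$'
    $filter = @{ LogName = 'Security'; Id = 4624, 4648, 4672, 4768, 4769; StartTime = $Since }
    foreach ($e in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
        $d = ConvertTo-EventData $e
        $hit = $d.Values | Where-Object { $_ -ieq $Account -or $_ -ieq $bare }
        if (-not $hit) { continue }
        [pscustomobject]@{
            Time      = $e.TimeCreated
            Id        = $e.Id
            LogonType = $d['LogonType']
            Subject   = if ($d['SubjectUserName']) { "$($d['SubjectDomainName'])\$($d['SubjectUserName'])" } else { '' }
            Target    = if ($d['TargetUserName']) { $d['TargetUserName'] } else { $d['ServiceName'] }
            Process   = $d['ProcessName']
            Source    = if ($d['IpAddress']) { $d['IpAddress'] } else { $d['ClientAddress'] }
        }
    }
}

function Get-GmsaProcessEvents {
    # Sysmon event 1: which executables actually ran under the gMSA, with their command lines.
    param([string]$Account, [datetime]$Since)
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1; StartTime = $Since }
    foreach ($e in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
        $d = ConvertTo-EventData $e
        if ($d['User'] -notlike "*\$Account") { continue }
        [pscustomobject]@{
            Time        = $e.TimeCreated
            User        = $d['User']
            Image       = $d['Image']
            CommandLine = $d['CommandLine']
            Parent      = $d['ParentImage']
        }
    }
}

# Logon chain for the account (4648 from Task Scheduler, 4768/4769 from Kerberos, 4624/4672 on logon)
Get-GmsaLogonEvents -Account $Account -Since $Since | Sort-Object Time | Format-Table -AutoSize
# Processes launched as the account; anything other than cmd.exe/whoami.exe here deserves a look
Get-GmsaProcessEvents -Account $Account -Since $Since | Sort-Object Time | Format-Table -AutoSize -Wrap
```

For a detection, the interesting conditions are a 4768 or 4624 for the gMSA from a host or source address that is not in sec_gmsa_SOXReportingService, or a Sysmon event 1 whose Image is not part of the scheduled job. Note that none of these events records which host read the managed password from Active Directory; that requires an auditing SACL on the gMSA object and the resulting directory object access events on the domain controller.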
Copyright Defensive Origins 2022