LSA Secrets, Service Account Password Extraction, NT/SYSTEM Privilege Account, gMSAs

In this article we talk about one of the most common vulnerabilities that exists in modern enterprise Windows network infrastructure. We demonstrate how an attacker elevates privilege from an administrator account to NT AUTHORITY\SYSTEM, which is the highest privilege on a local Windows system. The idea is to use NT AUTHORITY\SYSTEM privilege to interact with LSA secrets and extract passwords from service accounts. These service accounts are often misconfigured in modern Windows enterprises, which is likely to enable a low-privilege user to gain higher privileges.

Technical assumptions:

  • The attacker has elevated privilege (Local Admin)
  • The attacker has identified a service, AwesomeService.exe, that is installed locally and runs under the local administrator privilege

The registry permissions on the SAM hive require NT AUTHORITY\SYSTEM privilege; we cannot access the SAM hive in the Registry Editor (Regedit) with Windows local administrative permission.

Figure 1 SAM Hive set to full control permission

We launch the Registry Editor under the local administrative privilege. We are not able to read, write or modify the SAM files.

Figure 2 Regedit under the windows administrator privilege account.

We elevate the local administrator privilege to NT AUTHORITY\SYSTEM privilege using Mark Russinovich's Sysinternals PsExec, with -i (interactive), -s (run the remote process in the System account) and -d (don't wait for the process to terminate).

Figure 3 PsExec elevated privilege from local admin to NT/Authority SYSTEM

NT Authority\SYSTEM has access to SAM hive files

Figure 4 Corroborates the SAM hive access via SYSTEM privilege

We are not really interested in the SAM/SYSTEM contents. We are after LSA secrets and service account password extraction. For that, we need to create and compile a Windows 10 compatible service and install it locally on our Windows 10 machine.

Figure 5: We created AwesomeService.exe with DisplayName “Windows Update”, using SC (Service Control) to install it and set it to auto start.

Display Name set as Windows Update

Figure 6 AwesomeService.exe runs as service under the local administrator privilege.

AwesomeService current value is in binary mode

Figure 7  AwesomeService in binary value

We run the command lsasecret.exe /service AwesomeService to dump the clear text password from the registry.

Figure 8: Extracted OpenSSHd and AwesomeService accounts from the registry.

The original source code for lsasecret.exe, by Timothy D. Morgan, is on GitHub.

Mitigation:

There are a couple of solutions to mitigate this particular vulnerability. The easiest, and the approach Microsoft recommends, is to use the native Windows features Managed Service Account (MSA) and Group Managed Service Account (gMSA).
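Before migrating, it helps to know which services on a host still log on with an ordinary account and therefore have a password held in LSA secrets. The PowerShell inventory below is an added example, not code from the original article; the function names and the sample records (including the EXAMPLE domain and the sshd_server account) are constructed for illustration.

```powershell
# Added example (not from the original article): list services that log on with
# an ordinary user account, i.e. the ones whose password is kept as an LSA secret.

function Test-StoredPasswordAccount {
    param([string]$StartName)
    if ([string]::IsNullOrWhiteSpace($StartName)) { return $false }  # no logon account set
    $builtIn = 'LocalSystem', 'NT AUTHORITY\SYSTEM',
               'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService'
    if ($builtIn -contains $StartName)   { return $false }  # built-in identities (case-insensitive)
    if ($StartName -like 'NT SERVICE\*') { return $false }  # virtual service accounts
    if ($StartName.EndsWith('$'))        { return $false }  # MSA/gMSA: password managed and rotated by AD
    return $true
}

function Get-StoredPasswordService {
    # Defaults to the live service list; pass -Service to analyse exported records.
    param([object[]]$Service = (Get-CimInstance -ClassName Win32_Service))
    $Service |
        Where-Object { Test-StoredPasswordAccount $_.StartName } |
        Select-Object Name, DisplayName, StartName, StartMode, State
}

# Constructed sample records shaped like Win32_Service output.
$sample = @(
    [pscustomobject]@{ Name = 'AwesomeService'; DisplayName = 'Windows Update'
                       StartName = '.\Administrator'; StartMode = 'Auto'; State = 'Running' }
    [pscustomobject]@{ Name = 'OpenSSHd'; DisplayName = 'OpenSSH Server'
                       StartName = '.\sshd_server'; StartMode = 'Auto'; State = 'Running' }
    [pscustomobject]@{ Name = 'Spooler'; DisplayName = 'Print Spooler'
                       StartName = 'LocalSystem'; StartMode = 'Auto'; State = 'Running' }
    [pscustomobject]@{ Name = 'W32Time'; DisplayName = 'Windows Time'
                       StartName = 'NT AUTHORITY\LocalService'; StartMode = 'Manual'; State = 'Stopped' }
    [pscustomobject]@{ Name = 'SecureService'; DisplayName = 'Secure Service'
                       StartName = 'EXAMPLE\svc_Secure$'; StartMode = 'Auto'; State = 'Running' }
)

# Only AwesomeService and OpenSSHd are reported from the sample.
Get-StoredPasswordService -Service $sample | Format-Table -AutoSize

# On a live host, run without arguments:
# Get-StoredPasswordService | Format-Table -AutoSize
```

Each service it reports is a candidate for the MSA/gMSA migration described in this section.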

Switch to your Server 2012 domain controller and generate the KDS root key for use with Managed Service Accounts (MSA) and Group Managed Service Accounts (gMSA), using the Add-KdsRootKey PowerShell cmdlet to initialize the key. We need to generate this only once, because it will be used in generating passwords for the Group Managed Service Accounts.

Add-KdsRootKey -EffectiveImmediately

Run this in a Windows administrator PowerShell console. With -EffectiveImmediately, it takes 10 hours from the time of creation to allow all domain controllers to replicate before allowing the creation of a gMSA. The idea behind the 10-hour delay is a safety measure to prevent password generation from occurring before all domain controllers are capable of responding to gMSA requests.

Perhaps you may want to run this overnight or over the weekend in a production environment?

Service Account Creation

It’s straightforward to create gMSAs (Group Managed Service Accounts). Switch to the server where you want to add the service account. You need the Active Directory PowerShell module, which is part of RSAT, for this to work.

New-ADServiceAccount -Name svc_Secure -DNSHostName cryptoambient.local -PrincipalsAllowedToRetrieveManagedPassword WIN-12-AV$

Command breakdown:

-Name: service name of your choice

-DNSHostName: FQDN for our domain controller that holds the KDS root key, in my case ambientcrypto.local

-PrincipalsAllowedToRetrieveManagedPassword: this parameter allows you to specify the server(s) that you are going to be running the particular gMSA on.

That’s it, simple and extremely reliable to manage service accounts. Good luck 🙂