Secure Bits
Do you know why we configure long and complex passwords for service accounts?
It's not because they're harder to extract from the Windows OS. In fact, dumping a service account password takes just seconds.
The real reason? Kerberoasting. Any authenticated domain user can request a service ticket (TGS) for an account that has an SPN. Part of that ticket is encrypted with a key derived from the service account's password, so an attacker can take it away and brute-force the password offline, with no lockout and nothing logged beyond a ticket request. Only the length and complexity of the password make that cracking expensive. I'll cover that in another post.
🚨 But here's the real danger...
If your service account is a Domain Admin, and a third-party vendor manages that application, you are effectively handing that vendor Domain Admin rights, at any time they choose.
Here's how service passwords get dumped:
1️⃣ The service runs as SQLAdminSVC.
2️⃣ That account is a Domain Admin (yes, I see this too often in audits).
3️⃣ An attacker who is local administrator on the server elevates to SYSTEM, which is easy and legitimate in Windows (for example by running a scheduled task or a service of their own).
4️⃣ The plaintext password is extracted in seconds. The Service Control Manager keeps it as an LSA secret (under HKLM\SECURITY\Policy\Secrets, in the _SC_<ServiceName> entry). It is stored reversibly by design, because Windows needs the plaintext to log the service on, and SYSTEM is allowed to read it.
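Steps 1 and 2 above are what an audit should catch before an attacker gets to step 3. The following PowerShell script is an added example, not code from the original post: it inventories the services on a list of hosts, keeps only those running under a domain identity, and flags the ones whose account sits in Domain Admins. It assumes the RSAT ActiveDirectory module, CIM/WinRM access to the hosts, and placeholder host names (SQL01, APP01).

```powershell
# Added example (not from the original post). Assumptions: RSAT ActiveDirectory module
# installed, CIM (WinRM) access to the target hosts, host names are placeholders.
param(
    [string[]]$ComputerName = @('SQL01', 'APP01'),
    [string]$Domain = (Get-ADDomain).NetBIOSName
)
Import-Module ActiveDirectory

# Resolve Domain Admins once, recursively, so nested group membership counts too.
$domainAdmins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Select-Object -ExpandProperty SamAccountName

$escapedDomain = [regex]::Escape($Domain)

$findings = foreach ($computer in $ComputerName) {
    try {
        $services = Get-CimInstance -ClassName Win32_Service -ComputerName $computer -ErrorAction Stop
    } catch {
        Write-Warning "Could not query $computer : $_"
        continue
    }

    foreach ($svc in $services) {
        $startName = $svc.StartName
        if (-not $startName) { continue }

        # Built-in identities (LocalSystem, NT AUTHORITY\*, NT SERVICE\* virtual accounts)
        # are not domain credentials and cannot be Kerberoasted or dumped as a domain secret.
        if ($startName -match '^LocalSystem$|^NT (AUTHORITY|SERVICE)\\') { continue }

        # Normalise DOMAIN\user and user@domain to a sAMAccountName. The UPN prefix is
        # not always equal to the sAMAccountName; treat that match as best-effort.
        $sam = $null
        if ($startName -match "^$escapedDomain\\(.+)$") { $sam = $Matches[1] }
        elseif ($startName -match '^([^@\\]+)@') { $sam = $Matches[1] }
        if (-not $sam) { continue }   # local account or foreign domain: out of scope here

        $adObj = Get-ADObject -Filter "sAMAccountName -eq '$sam'" -Properties objectClass
        $type = switch ($adObj.ObjectClass) {
            'msDS-GroupManagedServiceAccount' { 'gMSA' }
            'user'                            { 'domain user' }
            default                           { "$($adObj.ObjectClass)" }
        }

        [pscustomobject]@{
            Computer      = $computer
            Service       = $svc.Name
            Account       = $startName
            AccountType   = $type
            IsDomainAdmin = ($domainAdmins -contains $sam)
        }
    }
}

# The rows you need to fix first: a domain user (not a gMSA) that is also a Domain Admin.
$findings |
    Where-Object { $_.IsDomainAdmin -and $_.AccountType -ne 'gMSA' } |
    Format-Table -AutoSize

# Keep the full inventory; diff it on the next run to catch new services or changed accounts.
$findings | Export-Csv -Path '.\service-accounts.csv' -NoTypeInformation
```

Run it from a management host with an account that can query the target servers; the CSV it writes is the baseline for the tracking question at the end of this post.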
How do you prevent this?
✅ If possible, do not use domain user accounts for services at all.
✅ Use gMSAs (Group Managed Service Accounts) or virtual service accounts; Windows rotates a gMSA's 240-character password automatically, so there is nothing a human knows and nothing weak enough to Kerberoast. If a regular account is unavoidable, delegate only the rights the application actually needs, and never Domain Admin.
✅ Implement a tiering model so that an account allowed to log on to Tier 1 servers (application and database hosts) can never hold Tier 0 (domain) privileges; then a compromised application server cannot yield a Domain Admin credential.
Do you like this topic? Check out my course 👇
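The following is an added example of the gMSA replacement described above; it is not code from the original post or from the course. It moves a fictional application service off a domain user account and onto a gMSA, and strips the old account out of Domain Admins. All names (domain corp.example, host SQL01, group SQL-Hosts, gMSA gmsa-app, service MyAppSvc, old account SQLAdminSVC) are placeholders.

```powershell
# Added example (not from the original post). Placeholder names throughout.
# --- Run on a domain controller or an admin host with the AD module (Tier 0) ---
Import-Module ActiveDirectory

# One-time per forest: the KDS root key that gMSA passwords are derived from.
# -EffectiveImmediately still waits about 10 hours so every DC has replicated the key.
if (-not (Get-KdsRootKey)) { Add-KdsRootKey -EffectiveImmediately }

# Only hosts in this group may retrieve the managed password; keep it tight.
New-ADGroup -Name 'SQL-Hosts' -GroupScope Global -GroupCategory Security `
    -Path 'OU=Groups,DC=corp,DC=example'
Add-ADGroupMember -Identity 'SQL-Hosts' -Members (Get-ADComputer -Identity 'SQL01')

# The gMSA itself. AES-only Kerberos keys: no RC4 tickets for an attacker to crack.
New-ADServiceAccount -Name 'gmsa-app' -DNSHostName 'gmsa-app.corp.example' `
    -PrincipalsAllowedToRetrieveManagedPassword 'SQL-Hosts' `
    -KerberosEncryptionType AES128, AES256 `
    -Path 'OU=ServiceAccounts,DC=corp,DC=example'

# The gMSA gets only what the application needs; it is NOT added to Domain Admins.
# The old account loses Domain Admin right away, even before the service is migrated.
Remove-ADGroupMember -Identity 'Domain Admins' -Members 'SQLAdminSVC' -Confirm:$false

# --- Run on SQL01 after it has rebooted (its Kerberos ticket must carry the new group) ---
Install-ADServiceAccount -Identity 'gmsa-app'
Test-ADServiceAccount -Identity 'gmsa-app'    # True means the host can fetch the password

# Repoint the service. The password is left empty: Windows retrieves it from AD itself,
# so no plaintext secret is ever stored in the _SC_<ServiceName> LSA secret again.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='MyAppSvc'"
Invoke-CimMethod -InputObject $svc -MethodName Change `
    -Arguments @{ StartName = 'CORP\gmsa-app$'; StartPassword = '' }
Restart-Service -Name 'MyAppSvc'

# Finally, disable the old account rather than deleting it, so log references still resolve.
Disable-ADAccount -Identity 'SQLAdminSVC'
```

Two caveats: for SQL Server itself, change the service identity through SQL Server Configuration Manager (or its WMI provider), not through Win32_Service, because the SQL installer sets file and registry ACLs that only that path updates; and before disabling the old account, check for any other service, scheduled task or IIS application pool still using it, which the inventory script above is meant to reveal.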
https://horizon-secured.com/courses/windows-infrastructure-security/
Are you tracking where your service accounts are running and what privileges they have?
