H3-2024-0057¶

Active Directory gMSA Account Password Exposure

Description¶

A regular domain account was found to have access in Active Directory to the NTLM hashes of Group Managed Service Account (gMSA) users.

Impact¶

An attacker can 'pass-the-hash' to access services and hosts connected to the domain as the gMSA account. This could enable an attacker to move laterally or escalate privileges in the environment.

References¶

• Secure group managed service accounts
• Securing Your Group Managed Service Accounts
• MITRE ATT&CK Technique: T1552: Unsecured Credentials