This note documents detection patterns related to gMSA password extraction within Active Directory environments.
Direct Indicators
| Log | Event ID | Meaning | Forensic Value | Notes |
|---|---|---|---|---|
| Security | 4662 | Operation performed on object | Critical | Reading the msDS-ManagedPassword attribute indicates possible gMSA password retrieval. |
| Security | 4624 | Successful logon | High | Attacker may authenticate using extracted gMSA credentials. |
| Security | 4672 | Special privileges assigned | High | Privileged session may occur if gMSA account has elevated rights. |
| Security | 4769 | Kerberos service ticket request | High | Service ticket activity for gMSA accounts. |
| Sysmon | 1 | Process creation | Medium | Execution of tools extracting gMSA passwords. |
| Sysmon | 3 | Network connection | Medium | LDAP queries retrieving password attributes. |
Indirect Indicators
| Indicator | What To Look For | Forensic Value | Notes |
|---|---|---|---|
| LDAP reads of msDS-ManagedPassword | Account querying gMSA password attribute | Critical | Primary artifact of gMSA password extraction. |
| Multiple gMSA password queries | Rapid enumeration of gMSA accounts | High | Attacker gathering credentials. |
| Authentication using service accounts | Service account used interactively | High | Suspicious use of normally non-interactive account. |
| LDAP queries from unusual host | Directory queries from non-admin workstation | High | Potential attacker system. |
| Access to multiple servers | Authentication attempts across many hosts | High | Possible lateral movement using service credentials. |
Common Tools
| Tool | Usage |
|---|---|
| PowerView | Enumerates and retrieves gMSA password data. |
| gMSADumper | Extracts gMSA passwords from Active Directory. |
| Impacket | Uses extracted credentials for remote execution. |
| CrackMapExec | Automates lateral movement using service account credentials. |
| LDAP tools | Direct attribute queries retrieving password data. |
Relevant Artifacts
- Domain controller Security logs (4662)
- LDAP query logs
- Active Directory object metadata
- Sysmon logs (1, 3)
- EDR telemetry identifying credential enumeration tools
- Kerberos authentication logs
- Prefetch artifacts showing execution of gMSADumper or PowerView
- Remote execution logs
MITRE ATT&CK References
- T1003 Credential Dumping
- T1552 Unsecured Credentials
- T1078 Valid Accounts
Decision Tree
- Is the suspicious event present?
  - Identify object access events (4662) reading msDS-ManagedPassword.
- What host generated the event?
  - Determine the workstation performing the LDAP query.
- Is the account expected to perform this action?
  - Investigate whether the account normally retrieves gMSA credentials.
- Pivot:
  - Source host → inspect execution of PowerView or gMSADumper.
  - Target systems → check authentication logs for gMSA usage.
  - Network → analyze Kerberos service ticket requests.
- Confirm exploitation
  - Determine whether the attacker extracted the gMSA password and used it for authentication.
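The decision tree above, walked over constructed Security-log records, as an added triage example; this is not code from the original note. Field names follow the Windows Security event XML (SubjectUserName, ObjectName, Properties, IpAddress, TargetUserName); the host names, accounts, addresses, timestamps, the allow-list of expected retrievers, and the 15-minute correlation window are assumptions. One caveat the code comments repeat: a real 4662 reports the accessed attribute in Properties as its schema GUID rather than as "msDS-ManagedPassword", so the constructed records spell the name out only for readability.

```python
# Added triage example for the decision tree; not code from the original note.
# Everything below the imports is constructed sample data or assumed values.
from collections import defaultdict
from datetime import datetime, timedelta

# Hosts allowed to retrieve gMSA passwords (constructed allow-list; in production
# this comes from each gMSA's PrincipalsAllowedToRetrieveManagedPassword setting).
EXPECTED_RETRIEVERS = {"SQL01", "WEB01"}

# A real 4662 names the accessed attribute in Properties by its schema GUID, not
# by its LDAP display name. The constructed records below spell the name out so
# the check is readable; map the GUID to the name before applying this in production.
GMSA_PASSWORD_ATTR = "msDS-ManagedPassword"

GMSA_CONTAINER = "CN=Managed Service Accounts,DC=corp,DC=local"  # constructed domain

# Constructed sample events, not real log data.
EVENTS = [
    # Expected: the SQL host retrieves the password of its own gMSA.
    {"EventID": 4662, "Time": "2024-05-01T10:00:00", "Computer": "DC01",
     "SubjectUserName": "SQL01$", "IpAddress": "10.0.0.11",
     "ObjectName": "CN=svc-sql," + GMSA_CONTAINER, "Properties": GMSA_PASSWORD_ATTR},
    # Unexpected: a user account reads two gMSA passwords a minute apart ...
    {"EventID": 4662, "Time": "2024-05-01T10:05:00", "Computer": "DC01",
     "SubjectUserName": "jdoe", "IpAddress": "10.0.0.57",
     "ObjectName": "CN=svc-sql," + GMSA_CONTAINER, "Properties": GMSA_PASSWORD_ATTR},
    {"EventID": 4662, "Time": "2024-05-01T10:06:00", "Computer": "DC01",
     "SubjectUserName": "jdoe", "IpAddress": "10.0.0.57",
     "ObjectName": "CN=svc-web," + GMSA_CONTAINER, "Properties": GMSA_PASSWORD_ATTR},
    # ... and svc-sql$ then logs on to a file server from that same workstation.
    {"EventID": 4624, "Time": "2024-05-01T10:07:30", "Computer": "FS01",
     "TargetUserName": "svc-sql$", "IpAddress": "10.0.0.57", "LogonType": 3},
]


def gmsa_from_dn(dn):
    """First RDN of the gMSA object DN is its CN; the sAMAccountName appends '$'."""
    return dn.split(",", 1)[0].split("=", 1)[1] + "$"


def password_reads(events):
    """Step 1 of the tree: 4662 events that read msDS-ManagedPassword."""
    return [e for e in events
            if e["EventID"] == 4662 and GMSA_PASSWORD_ATTR in e["Properties"]]


def triage(events, expected=EXPECTED_RETRIEVERS, window=timedelta(minutes=15)):
    """Walk the remaining steps for every password read and return one finding each."""
    reads = password_reads(events)
    logons = [e for e in events if e["EventID"] == 4624]
    # Distinct gMSAs each subject read: the rapid-enumeration indirect indicator.
    read_by_subject = defaultdict(set)
    for r in reads:
        read_by_subject[r["SubjectUserName"]].add(gmsa_from_dn(r["ObjectName"]))

    findings = []
    for r in reads:
        gmsa = gmsa_from_dn(r["ObjectName"])
        subject = r["SubjectUserName"]
        start = datetime.fromisoformat(r["Time"])
        # Steps 2 and 3: which host asked, and is that account expected to do so?
        expected_reader = subject.rstrip("$") in expected
        # Pivot to target systems: a 4624 for the gMSA from the reader's source
        # address inside the window is the "confirm exploitation" step.
        used_on = [l["Computer"] for l in logons
                   if l["TargetUserName"] == gmsa and l["IpAddress"] == r["IpAddress"]
                   and start <= datetime.fromisoformat(l["Time"]) <= start + window]
        if expected_reader:
            severity = "info"
        elif used_on:
            severity = "critical"   # unexpected read followed by use of the credential
        else:
            severity = "high"       # unexpected read, no use observed yet
        findings.append({
            "gmsa": gmsa, "subject": subject, "source_ip": r["IpAddress"],
            "expected_reader": expected_reader,
            "gmsas_read_by_subject": len(read_by_subject[subject]),
            "confirmed_use": used_on, "severity": severity,
        })
    return findings


if __name__ == "__main__":
    for finding in triage(EVENTS):
        print(finding)
```

Run as written, the first read (SQL01$) is rated info, the jdoe read of svc-sql is rated critical because a svc-sql$ logon from the same address follows it, and the jdoe read of svc-web is rated high with two gMSAs read by that subject. The allow-list check is the code form of the "privilege review" mitigation: only hosts that are meant to retrieve a given gMSA's password should ever appear as the subject of such a 4662.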
Example Detection Templates
KQL
SecurityEvent
| where EventID == 4662
| where ObjectName contains "msDS-ManagedPassword"

SecurityEvent
| where EventID == 4769
| summarize count() by TargetUserName, ServiceName, bin(TimeGenerated, 5m)
EQL
any where event.code == "4662"
Sigma
title: Suspicious gMSA Password Access
id: gmsa-password-extraction-detection
status: experimental
description: Detects LDAP reads of gMSA password attribute
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID: 4662
    ObjectName|contains: msDS-ManagedPassword
  condition: selection
fields:
  - SubjectUserName
  - ObjectName
falsepositives:
  - Legitimate servers retrieving gMSA passwords
level: high
tags:
  - attack.credential_access
  - attack.t1003
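The second KQL template (`summarize count() by TargetUserName, ServiceName, bin(TimeGenerated, 5m)`) reproduced in plain Python over constructed 4769 records, as an added example that is not part of the original note; it also goes one step further than the query and thresholds the bins to surface the "access to multiple servers" indirect indicator. In 4769, TargetUserName is the account requesting the ticket and ServiceName the account the ticket is issued for. The records, the set of known gMSA names, and the threshold of three distinct services per bin are assumptions.

```python
# Added example: Python equivalent of the 4769 KQL summary plus a fan-out
# threshold. Not code from the original note; sample data is constructed.
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed set of gMSA sAMAccountNames in this environment.
GMSA_ACCOUNTS = {"svc-sql$", "svc-web$"}

# Constructed sample 4769 records, not real log data.
TGS_EVENTS = [
    # Normal: a host account requesting tickets for its file server.
    {"EventID": 4769, "Time": "2024-05-01T10:06:10",
     "TargetUserName": "SQL01$", "ServiceName": "FS01$"},
    {"EventID": 4769, "Time": "2024-05-01T10:08:40",
     "TargetUserName": "SQL01$", "ServiceName": "FS01$"},
    # A gMSA suddenly requesting tickets for three hosts inside one 5-minute bin.
    {"EventID": 4769, "Time": "2024-05-01T10:06:00",
     "TargetUserName": "svc-sql$", "ServiceName": "FS01$"},
    {"EventID": 4769, "Time": "2024-05-01T10:07:15",
     "TargetUserName": "svc-sql$", "ServiceName": "FS02$"},
    {"EventID": 4769, "Time": "2024-05-01T10:09:50",
     "TargetUserName": "svc-sql$", "ServiceName": "WEB02$"},
    # Same gMSA in the next bin: a single service, no fan-out.
    {"EventID": 4769, "Time": "2024-05-01T10:11:00",
     "TargetUserName": "svc-sql$", "ServiceName": "FS01$"},
]


def bin_time(ts, size=timedelta(minutes=5)):
    """KQL bin(): floor the timestamp to the start of its size-wide bucket."""
    t = datetime.fromisoformat(ts)
    return datetime.min + (t - datetime.min) // size * size


def summarize(events, size=timedelta(minutes=5)):
    """summarize count() by TargetUserName, ServiceName, bin(TimeGenerated, size)."""
    counts = Counter()
    for e in events:
        if e["EventID"] == 4769:
            key = (e["TargetUserName"], e["ServiceName"], bin_time(e["Time"], size))
            counts[key] += 1
    return counts


def fan_out(events, min_services=3, size=timedelta(minutes=5), gmsas=GMSA_ACCOUNTS):
    """gMSA requesters that obtained tickets for at least min_services distinct
    services within one bin; returns (requester, bin_start, service_count) tuples."""
    services = defaultdict(set)
    for (user, service, bucket) in summarize(events, size):
        if user in gmsas:
            services[(user, bucket)].add(service)
    return sorted((user, bucket, len(s))
                  for (user, bucket), s in services.items() if len(s) >= min_services)


if __name__ == "__main__":
    for key, n in sorted(summarize(TGS_EVENTS).items()):
        print(key, n)
    print("fan-out:", fan_out(TGS_EVENTS))
```

The summary alone is what the KQL returns; the fan-out step is the analyst's follow-up, and the threshold should be set from each gMSA's normal ticket pattern, since a legitimate service that talks to many hosts will exceed a low value every bin.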
Mitigation & Hardening
| Control Area | Mitigation | Effectiveness | Notes |
|---|---|---|---|
| Privilege review | Restrict which hosts can retrieve gMSA passwords | Critical | Prevents unauthorized retrieval. |
| Monitoring | Alert on reads of msDS-ManagedPassword attribute | Critical | Primary detection strategy. |
| Least privilege | Limit service account permissions | High | Reduces privilege escalation opportunities. |
| Network monitoring | Monitor service account authentication patterns | High | Detects abnormal activity. |
| Credential rotation | Ensure gMSA automatic password rotation is functioning | Medium | Limits the usefulness of stolen credentials. |