pingcastle
Rule S-ADRegistration won't trigger if the "ms-DS-MachineAccountQuota" is not set, but adding computers is possible.
If the ms-DS-MachineAccountQuota in the Active Directory is "not set", it is possible to add computers to the domain if the SeMachineAccountPrivilege is set to "Authenticated Users".
However, the PingCastle rule S-ADRegistration will not detect the issue.
The following lab setup was used to confirm the behaviour:
- PingCastle version 3.1.0.1
- ms-DS-MachineAccountQuota: "not set"
- SeMachineAccountPrivilege: Authenticated Users
PingCastle did not trigger the S-ADRegistration rule, however adding a computer was possible (in this case using impacket):

```
$ impacket-addcomputer child.testlab.local/cclear:Welc0me2022! -dc-ip 10.0.1.100 -computer-name EVIL-COMPUTER$ -computer-pass password.123
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Successfully added machine account EVIL-COMPUTER$ with password password.123.
```
Computer created in AD:
It would be nice if PingCastle could also detect this special case, to know whether adding machine accounts as a domain user is possible. Remediation will stay the same: set the ms-DS-MachineAccountQuota to 0.
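A standalone check for the gap described in this issue, added here as an example and not part of PingCastle: it reads ms-DS-MachineAccountQuota from the domain naming context, treats an absent value as unsafe rather than as "clean", and looks at who holds SeMachineAccountPrivilege in the Default Domain Controllers Policy security template (its GUID is fixed; S-1-5-11 is Authenticated Users). It assumes a domain-joined host with the RSAT ActiveDirectory module and read access to SYSVOL; the function name and output fields are my own.

```powershell
# Added example (not PingCastle code). Flags the combination from the issue:
# ms-DS-MachineAccountQuota absent ("not set") or > 0, while the
# SeMachineAccountPrivilege user right still includes Authenticated Users.
Import-Module ActiveDirectory

function Test-MachineAccountRegistration {
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    # ms-DS-MachineAccountQuota lives on the domain naming context itself.
    $domainObj = Get-ADDomain -Identity $Domain
    $nc = Get-ADObject -Identity $domainObj.DistinguishedName -Server $Domain `
        -Properties 'ms-DS-MachineAccountQuota'
    $maq = $nc.'ms-DS-MachineAccountQuota'

    # "not set" comes back as $null. Only an explicit 0 closes the door,
    # so $null is treated as risky here, unlike the S-ADRegistration rule.
    $maqRisky = ($null -eq $maq) -or ($maq -gt 0)

    # User rights for DCs are set in the Default Domain Controllers Policy
    # (well-known GUID). Other GPOs linked to the DC OU can still change the
    # resultant right, so this is a first check, not full RSoP.
    $inf = "\\$Domain\SYSVOL\$Domain\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}" +
           "\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf"
    $line = Get-Content -Path $inf |
        Where-Object { $_ -match '^SeMachineAccountPrivilege\s*=' }

    # Template syntax: SeMachineAccountPrivilege = *S-1-5-11,*S-1-5-32-544
    $holders = @()
    if ($line) {
        $holders = ($line -split '=', 2)[1].Split(',') |
            ForEach-Object { $_.Trim().TrimStart('*') }
    }

    # S-1-5-11 = Authenticated Users, S-1-1-0 = Everyone: both let any
    # domain user create computer objects when the quota allows it.
    $broad = @($holders | Where-Object { $_ -in 'S-1-5-11', 'S-1-1-0' })

    [pscustomobject]@{
        Domain                     = $Domain
        MachineAccountQuota        = if ($null -eq $maq) { 'not set' } else { $maq }
        SeMachineAccountPrivilege  = ($holders -join ',')
        DomainUsersCanAddComputers = $maqRisky -and ($broad.Count -gt 0)
    }
}

Test-MachineAccountRegistration | Format-List
```

Independent of the scan, computer accounts created by ordinary users show up as event ID 4741 (A computer account was created) in the Security log of the domain controllers, which is the place to confirm whether the gap has already been used.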