feat: add gMSA detection hint for LSA secrets (F1)

r0BIT · r0BIT · commit d695f81b7a56 · 2025-11-27T20:29:04.000+01:00
When a task runs as a gMSA account (username ends with $), display hint:
'gMSA credentials are stored in LSA secrets, not DPAPI. Consider LSA dump if you have SYSTEM access.'

- Added _check_gmsa_account() helper to detect gMSA accounts
- Skips well-known system accounts (NT AUTHORITY, LOCAL SERVICE, etc.)
- Added 5 unit tests for gMSA detection logic
diff --git a/taskhound/output/printer.py b/taskhound/output/printer.py
@@ -114,6 +114,54 @@ def format_trigger_info(meta: Dict[str, str]) -> Optional[str]:
     return " ".join(trigger_parts) if len(trigger_parts) > 1 else trigger_type
 
 
+def _check_gmsa_account(display_runas: str, resolved_username: Optional[str] = None) -> Optional[str]:
+    """
+    Check if the runas account is a gMSA (Group Managed Service Account).
+    
+    gMSA accounts:
+    - End with '$' character
+    - Are NOT machine/computer accounts (typically match computer name)
+    - Are NOT well-known system accounts (NT AUTHORITY, etc.)
+    
+    Args:
+        display_runas: The display string for the runas account
+        resolved_username: The resolved username (if SID was resolved)
+    
+    Returns:
+        Hint message if gMSA detected, None otherwise
+    """
+    # Get the username to check - prefer resolved, fall back to display
+    username = resolved_username or display_runas
+    if not username:
+        return None
+    
+    # Extract just the username part (remove domain prefix)
+    if "\\" in username:
+        username = username.split("\\")[-1]
+    elif "@" in username:
+        username = username.split("@")[0]
+    
+    # Check if it ends with $ (service or machine account)
+    if not username.endswith("$"):
+        return None
+    
+    # Skip well-known system accounts
+    well_known_skip = {
+        "system", "local service", "network service", 
+        "nt authority", "nt service", "iis apppool"
+    }
+    username_lower = username.lower()
+    display_lower = display_runas.lower()
+    
+    for skip in well_known_skip:
+        if skip in display_lower:
+            return None
+    
+    # At this point we have an account ending with $
+    # This is likely a gMSA - machine accounts are less common for scheduled tasks
+    return "gMSA credentials are stored in LSA secrets, not DPAPI. Consider LSA dump if you have SYSTEM access."
+
+
 def format_block(
     kind: str,
     rel_path: str,
@@ -358,6 +406,12 @@ def format_block(
     if decrypted_password:
         base.append(f"        Decrypted Password : {decrypted_password}")
 
+    # Check if this is a gMSA account and add hint about LSA secrets
+    # gMSA accounts end with $ but are not machine accounts (COMPUTERNAME$) or well-known system accounts
+    gmsa_hint = _check_gmsa_account(display_runas, resolved_username)
+    if gmsa_hint:
+        base.append(f"        gMSA Hint : {gmsa_hint}")
+
     if kind in ["TIER-0", "PRIV"]:
         if extra_reason:
             base.append(f"        Reason  : {extra_reason}")
diff --git a/tests/test_printer.py b/tests/test_printer.py
@@ -772,4 +772,97 @@ def test_format_block_no_trigger(self, mock_resolve):
         )
 
         text = "\n".join(lines)
-        assert "Trigger :" not in text
+        assert "Trigger :" not in text
+
+
+class TestGMSADetection:
+    """Test gMSA account detection and hint display."""
+
+    @patch("taskhound.output.printer.format_runas_with_sid_resolution")
+    def test_gmsa_hint_shown_for_gmsa_account(self, mock_resolve):
+        """Test that gMSA hint is shown for accounts ending with $."""
+        mock_resolve.return_value = ("DOMAIN\\gMSAService$", "gMSAService$")
+
+        lines = format_block(
+            kind="TASK",
+            rel_path="Tasks\\gMSATask",
+            runas="DOMAIN\\gMSAService$",
+            what="service.exe",
+            author="Admin",
+            date="2023-01-01",
+        )
+
+        text = "\n".join(lines)
+        assert "gMSA Hint" in text
+        assert "LSA secrets" in text
+        assert "not DPAPI" in text
+
+    @patch("taskhound.output.printer.format_runas_with_sid_resolution")
+    def test_gmsa_hint_not_shown_for_regular_account(self, mock_resolve):
+        """Test that gMSA hint is NOT shown for regular accounts."""
+        mock_resolve.return_value = ("DOMAIN\\RegularUser", "RegularUser")
+
+        lines = format_block(
+            kind="TASK",
+            rel_path="Tasks\\RegularTask",
+            runas="DOMAIN\\RegularUser",
+            what="cmd.exe",
+            author="Admin",
+            date="2023-01-01",
+        )
+
+        text = "\n".join(lines)
+        assert "gMSA Hint" not in text
+
+    @patch("taskhound.output.printer.format_runas_with_sid_resolution")
+    def test_gmsa_hint_not_shown_for_system_account(self, mock_resolve):
+        """Test that gMSA hint is NOT shown for NT AUTHORITY\\SYSTEM."""
+        mock_resolve.return_value = ("NT AUTHORITY\\SYSTEM", "SYSTEM")
+
+        lines = format_block(
+            kind="TASK",
+            rel_path="Tasks\\SystemTask",
+            runas="NT AUTHORITY\\SYSTEM",
+            what="system.exe",
+            author="Admin",
+            date="2023-01-01",
+        )
+
+        text = "\n".join(lines)
+        assert "gMSA Hint" not in text
+
+    @patch("taskhound.output.printer.format_runas_with_sid_resolution")
+    def test_gmsa_hint_not_shown_for_local_service(self, mock_resolve):
+        """Test that gMSA hint is NOT shown for NT AUTHORITY\\LOCAL SERVICE."""
+        mock_resolve.return_value = ("NT AUTHORITY\\LOCAL SERVICE", "LOCAL SERVICE")
+
+        lines = format_block(
+            kind="TASK",
+            rel_path="Tasks\\LocalServiceTask",
+            runas="NT AUTHORITY\\LOCAL SERVICE",
+            what="service.exe",
+            author="Admin",
+            date="2023-01-01",
+        )
+
+        text = "\n".join(lines)
+        assert "gMSA Hint" not in text
+
+    @patch("taskhound.output.printer.format_runas_with_sid_resolution")
+    def test_gmsa_hint_shown_with_resolved_username(self, mock_resolve):
+        """Test that gMSA hint works when username is resolved from SID."""
+        mock_resolve.return_value = ("DOMAIN\\SQLService$", "SQLService$")
+
+        lines = format_block(
+            kind="TASK",
+            rel_path="Tasks\\SQLTask",
+            runas="S-1-5-21-1234567890-1234567890-1234567890-1234",
+            what="sqlserver.exe",
+            author="Admin",
+            date="2023-01-01",
+            resolved_runas="DOMAIN\\SQLService$",
+        )
+
+        text = "\n".join(lines)
+        assert "gMSA Hint" in text
+        assert "LSA secrets" in text
