P-ServiceDomainAdmin does not check the correct configuration

[jake73345634634]

The issue P-ServiceDomainAdmin currently only checks if any members of the Domain Admins group have a password set more than 30 days ago from what I can see in the code.

Two issues:

• The finding description mentions password never expires, not set more than 30 days ago:

The purpose is to check for accounts with non-expiring passwords in the "Domain Administrator" group.

• The finding is checking something completely different than what it should be checking for. Ping Castle assumes domain admins with never expiring passwords are automatically used as service accounts:

PingCastle is checking accounts with never expiring password, that are mostly used as service accounts.

The actual configuration that this issue should be checking for is:

• Member of Domain Admins &&
• Has an SPN set

[JoeDibley]

I totally agree. I will investigate this on Monday morning and get back to you as I am fairly sure that this used to check service principal name at some point.

Thanks for reporting this!

[jake73345634634]

Thanks Joe. I will also say, there is an issue "P-Kerberoasting" which by its description appears to do what "P-ServiceDomainAdmin" is trying to do anyway?

However, for some reason, P-Kerberoasting did not alert in my test environment where P-ServiceDomainAdmin did - this might be due to the false positives brought back by P-ServiceDomainAdmin and there weren't in fact any domain admins being used as a service account.

My conclusion to this is that:

• P-Kerberoasting is correct.
• P-ServiceDomainAdmin code doesn't need changing - but all of its "context" requires changing as this issue is actually "Domain admins password set more than 30 days ago".

Let me know if you require anything further to investigate this, or let me know what happens internally with this/these findings please, thank you.

[jake73345634634]

@JoeDibley Hi, is there any update on the above?