Remote command execution with a healthy dose of detachment.
Running processes as an unprivileged user can be tedious to set up, more so if you have to worry about credentials that may be out of scope for the user in use. Toil no longer: this script aims to simplify the setup process and provide a standardized way to dynamically access sensitive bits by leveraging Keeper's secrets manager functionality.
Keep in mind prerequisites only need to be done once per host. You don't need to set up anything on the remote host(s) other than access by the user you want to use. Vault configuration needs to be done per user, per host. Vault files are technically portable as long as the same user SID is being used. This is something to look into at some point.
First things first: get yourself a newer copy of PowerShell, since Microsoft refuses to provide you with one by default. If you're fortunate enough to have winget installed, that is the preferred method. Any Windows Server < 2022 will not be able to install winget due to unresolvable dependencies (trust me, I tried) and will need to use the alternative below.
- powershell
winget install Powershell
# Alternative when winget is unavailable: download the MSI and install it silently
$version = "7.6.0"
Start-BitsTransfer -Source "https://github.com/PowerShell/PowerShell/releases/download/v${version}/PowerShell-${version}-win-x64.msi" -Destination "$env:USERPROFILE\Downloads\powershell.msi"
msiexec.exe /package "$env:USERPROFILE\Downloads\powershell.msi" /quiet ADD_EXPLORER_CONTEXT_MENU_OPENPOWERSHELL=1 ADD_FILE_CONTEXT_MENU_RUNPOWERSHELL=1 ENABLE_PSREMOTING=1 REGISTER_MANIFEST=1 USE_MU=1 ENABLE_MU=1 ADD_PATH=1
Finally, you'll need to grab yourself a copy of Sysinternals. I hope to find a way to replace this with native functionality at some point, but for now this is the simplest method to set up the user vault and Keeper connection as the GMSA user. The default filepath for user vaults is %LOCALAPPDATA%\Microsoft\PowerShell\secretmanagement.
Start-BitsTransfer -Source https://download.sysinternals.com/files/SysinternalsSuite.zip -Destination "$env:USERPROFILE\Downloads\SysinternalsSuite.zip"
Expand-Archive -Path "$env:USERPROFILE\Downloads\SysinternalsSuite.zip" -DestinationPath "$env:USERPROFILE\Downloads\Sysinternals"
- Clone the repo
git clone https://github.com/byteskeptical/rcgmsa.git
- Run vault setup script (requires Powershell 6.0+) as the user you plan on using
# opens a new powershell window, run the rest of the provided commands there
& "$env:USERPROFILE\Downloads\Sysinternals\PsTools\PsExec.exe" -p ~ -u domain\gMSAAccount$ pwsh.exe
cd rcgmsa
.\vault.ps1 -Path C:\temp\vault.xml -Vault devops
# choose a password for vault when prompted
PowerShell credential request
Enter your credentials.
Password for user devops: **************
- Optionally copy the script to a required location for your use case
cp rcgmsa.ps1 C:\{Your location}
cd C:\{Your location}
- Profit!
.\rcgmsa.ps1 -Command script.ps1 -Computers 'windohs','gatesitches' -Domain GATESOFHELL -User bloatwarebillynaire$ -Keeper 7bn_cew-p2_alVUNmT09Tw -Vault devops
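An added check, not part of the rcgmsa project: it lists which identities besides the running account hold rights on the default vault directory named above and on the file passed to `vault.ps1 -Path` (`C:\temp\vault.xml` in the setup step). The function name `Test-VaultAcl` and the set of expected identities (current user, SYSTEM, local Administrators) are assumptions.

```powershell
# Added example (not from the rcgmsa repo). Run it in the pwsh session opened
# as the service account, after vault.ps1 has finished.
function Test-VaultAcl {
    param(
        [string[]]$Path = @(
            # Default user vault location given in this README
            (Join-Path $env:LOCALAPPDATA 'Microsoft\PowerShell\secretmanagement'),
            # File passed to vault.ps1 -Path in the README's example
            'C:\temp\vault.xml'
        )
    )
    # SID of the account running this session
    $me = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
    # Assumption: only these identities should hold rights on vault material
    $expected = @($me, 'S-1-5-18', 'S-1-5-32-544')   # self, SYSTEM, Administrators

    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p)) {
            [pscustomobject]@{ Path = $p; Status = 'Missing'; Unexpected = @() }
            continue
        }
        $acl = Get-Acl -LiteralPath $p
        $unexpected = foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            try {
                $sid = $ace.IdentityReference.Translate(
                    [System.Security.Principal.SecurityIdentifier]).Value
            } catch {
                $sid = $ace.IdentityReference.Value   # could not resolve; report as-is
            }
            if ($sid -notin $expected) {
                '{0} ({1}): {2}' -f $ace.IdentityReference.Value, $sid, $ace.FileSystemRights
            }
        }
        [pscustomobject]@{
            Path       = $p
            Status     = if ($unexpected) { 'Review' } else { 'OK' }
            Unexpected = @($unexpected)
        }
    }
}

Test-VaultAcl | Format-List
```

An entry such as BUILTIN\Users or Authenticated Users in the Unexpected list means other local accounts can read that path.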
Run single command or script locally as the unprivileged or service user.
.\rcgmsa.ps1 -Command 'Get-WinEvent -LogName PowerShellCore/Operational' -Computers 'localhost' -User bloatwarebillynaire$
Run command or script on all machines listed in the contents of the microslop_machines.txt file as a user on a different domain.
.\rcgmsa.ps1 -Command script.ps1 -Computers (Get-Content microslop_machines.txt) -Domain BILLSBUGS -User bloatwarebillynaire$
Run command or script on multiple machines passing additional credentials from a Keeper vault.
.\rcgmsa.ps1 -Command script.ps1 -Computers 'gateskeepers','aibillonhill' -User bloatwarebillynaire$ -Keeper 7bn_cew-p2_alVUNmT09Tw -Vault developers
Run command or script on second hop jump host(s) (ip, fqdn, hostname) across multiple machines. Requires delegation to be enabled on domain along with GMSA user access to jump host(s).
.\rcgmsa.ps1 -Command script.ps1 -Computers 'copilies','recallsins' -User bloatwarebillynaire$ -Orbs 'lilaintjames','microsoftness'
Putting it all together.
.\rcgmsa.ps1 -Command important.ps1 -Computers (Get-Content app_servers.txt) -Domain GATESOFHELL -User bloatwarebillynaire$ -Keeper 7bn_cew-p2_alVUNmT09Tw -Orbs (Get-Content db_servers.txt) -Vault admins
Print current version.
.\rcgmsa.ps1 -v
Anywhere powershell is accepted and a few places it's not
- Handle GMSA authentication
- Handle multiple machines at once
- Handle second hop authentication
- Keeper remote record access
- Keeper remote files field access
- Portable vault files
See the open issues for a full list of proposed features (and known issues).
Any contributions you make are greatly appreciated.
If you have a suggestion that would make this better, please fork the repo and create a pull request. You can also simply open an issue with the tag "enhancement". Don't forget to give the project a star! Thanks again!
- Fork the Project
- Create your Feature Branch (git checkout -b feature/AmazingFeature)
- Commit your Changes (git commit -m 'Add some AmazingFeature')
- Push to the Branch (git push origin feature/AmazingFeature)
- Open a Pull Request
Distributed under the project_license. See LICENSE for more information.
byteskeptical - @byteskeptical - bug@byteskeptical.com
Project Link: https://github.com/byteskeptical/rcgmsa