Tools and techniques for researching service account passwords are shared in this informative SANS Internet Storm Center diary series:

https://isc.sans.edu/forums/diary/Pillaging+Passwords+from+Service+Accounts/24886/

In our “pretend pentest” that we’ve been running these last few days, we’ve now got all the domain admins listed, all the service accounts found and listed, and the intersection of those two things – the service accounts that are either local admin or domain admin.

So what’s the obvious next step? Let’s recover the passwords for those target service accounts! Because once we have the full credentials, we have admin rights that no SIEM or systems admin will be tracking the use of – these accounts are almost universally ignored, since they log in every time those services start (say during a system restart). So if this is for instance a service account with domain or local admin rights that’s on every server and workstation, you are now “better than domain admin”. You have all the rights, but no system controls are watching you!

Let’s get on with the job at hand. First of all, credentials for service accounts are stored in the local registry, as what’s called “LSA Secrets”, in the registry key HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets. Because the service needs to read the actual password to log in as the service account, that password is in the registry in clear text. Yup, you read that right – this is why service accounts are such a great target. LSA Secrets are well protected, however: you can’t just fire up regedt32 and read them – only the SYSTEM account has rights. So you need … yes, some PowerShell!
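From the defender's side, the list the diary builds (services running under named accounts, intersected with local admins) is exactly the inventory worth producing on your own hosts before an attacker does. The script below is an added example, not code from the ISC diary; it assumes a Windows host with the Microsoft.PowerShell.LocalAccounts module (PowerShell 5.1 or later) and is run as a local administrator.

```powershell
# Added example (not from the ISC diary): inventory services that run under a
# named account rather than a built-in identity, and flag any whose account is
# a member of the local Administrators group. Those are the accounts to move
# to a (g)MSA, strip of admin rights, or at least monitor closely.
$builtIn = @('LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService')

# Members of the local Administrators group, as DOMAIN\name or COMPUTER\name.
# String comparison with -contains is case-insensitive in PowerShell.
$localAdmins = Get-LocalGroupMember -Group 'Administrators' |
    ForEach-Object { $_.Name }

$findings = Get-CimInstance -ClassName Win32_Service |
    Where-Object {
        # Keep only services that start as a named (local or domain) account.
        # UPN-style names (svc@domain.tld) are listed but not matched here.
        $_.StartName -and
        ($builtIn -notcontains $_.StartName) -and
        ($_.StartName -notlike 'NT SERVICE\*')
    } |
    ForEach-Object {
        # Win32_Service reports '.\svc' for local accounts; rewrite to COMPUTER\svc
        # so it matches the form Get-LocalGroupMember returns.
        $acct = $_.StartName -replace '^\.\\', "$env:COMPUTERNAME\"
        [pscustomobject]@{
            Service    = $_.Name
            StartMode  = $_.StartMode
            Account    = $acct
            LocalAdmin = ($localAdmins -contains $acct)
        }
    }

# Admin-privileged service accounts first: these are the high-value findings.
$findings | Sort-Object LocalAdmin -Descending | Format-Table -AutoSize
```

Run it across your server fleet (for example via Invoke-Command) and treat every row with LocalAdmin set to True as a credential that is stored in clear text on that host and is also an administrator.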