New Check: Timeroasting (Inactive Managed Service Accounts)

What is a one sentence summary of your feature request?

Uncover Inactive Managed Service Accounts (MSA) that could be susceptible to timeroasting

Please describe your idea in detail. What is your problem, why do you feel this idea is the best solution, etc.

PingCastle already covers Timeroasting indirectly via the Inactive Computers and Inactive Trusts rules; however, Managed Service Accounts (MSAs) are not covered.

Add a new rule to check for Inactive Managed Service Accounts and update the text and links in the Inactive Computers and Inactive Trusts rules to reference timeroasting.

How do you currently solve the challenges you have by not having this feature?

Use PowerShell or other tooling.

Thanks for the idea, Brandon. Inactive Managed Service Accounts totally makes sense to check, not only for Timeroasting risks but also general Active Directory health.
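
The inactive-MSA check requested above, as an added PowerShell example that is not part of the original thread and is not PingCastle's code. The function name `Find-InactiveMsa`, the 180-day threshold and the sample accounts are assumptions constructed for illustration; the commented last line shows how to feed it from `Get-ADServiceAccount` on a domain-joined host.

```powershell
# Added example (not PingCastle code). Flags enabled managed service accounts
# with no recent logon or no recent password rotation.
function Find-InactiveMsa {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [psobject] $Account,
        [int] $InactiveDays = 180,          # assumed threshold, tune to your policy
        [datetime] $Now = (Get-Date)
    )
    begin { $cutoff = $Now.AddDays(-$InactiveDays) }
    process {
        if (-not $Account.Enabled) { return }   # this example reports enabled accounts only
        $reasons = @()
        if ($null -eq $Account.LastLogonDate)            { $reasons += 'never logged on' }
        elseif ($Account.LastLogonDate -lt $cutoff)      { $reasons += 'no recent logon' }
        if ($null -eq $Account.PasswordLastSet)          { $reasons += 'password never set' }
        elseif ($Account.PasswordLastSet -lt $cutoff)    { $reasons += 'password not rotated' }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Name            = $Account.Name
                ObjectClass     = $Account.ObjectClass
                LastLogonDate   = $Account.LastLogonDate
                PasswordLastSet = $Account.PasswordLastSet
                Reasons         = $reasons -join ', '
            }
        }
    }
}

# Constructed sample accounts (not real data) so the function runs offline.
$now = Get-Date '2024-06-01'
$sample = @(
    [pscustomobject]@{ Name = 'svc-backup'; ObjectClass = 'msDS-ManagedServiceAccount'
        Enabled = $true;  LastLogonDate = [datetime]'2022-01-10'; PasswordLastSet = [datetime]'2022-01-05' }
    [pscustomobject]@{ Name = 'svc-web';    ObjectClass = 'msDS-GroupManagedServiceAccount'
        Enabled = $true;  LastLogonDate = [datetime]'2024-05-28'; PasswordLastSet = [datetime]'2024-05-15' }
    [pscustomobject]@{ Name = 'svc-legacy'; ObjectClass = 'msDS-ManagedServiceAccount'
        Enabled = $true;  LastLogonDate = $null;                  PasswordLastSet = [datetime]'2021-03-02' }
    [pscustomobject]@{ Name = 'svc-old';    ObjectClass = 'msDS-GroupManagedServiceAccount'
        Enabled = $false; LastLogonDate = [datetime]'2020-07-01'; PasswordLastSet = [datetime]'2020-07-01' }
)
$sample | Find-InactiveMsa -Now $now | Format-Table -AutoSize

# Live domain (requires the ActiveDirectory module):
# Get-ADServiceAccount -Filter * -Properties Enabled, LastLogonDate, PasswordLastSet | Find-InactiveMsa
```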