Golden dMSA: When Delegated Accounts Become Enterprise Backdoors


With the release of Windows Server 2025, Microsoft introduced Delegated Managed Service Accounts (dMSAs) – a more secure evolution of traditional service accounts designed to mitigate credential theft by binding authentication to machine identity, not static passwords.

However, Semperis researchers have disclosed a critical design flaw in the implementation of dMSAs that enables a new attack technique: Golden dMSA. With privileged domain access, an adversary can bypass machine-bound authentication, derive the passwords of any dMSA or gMSA in the forest offline, and escalate privileges across domain boundaries.

Severity Level: Moderate

Threat Details

  • Threat Name: Golden dMSA
  • Targeted Technology: Active Directory (Windows Server 2025 dMSAs and gMSAs)
  • Affected Components: Delegated Managed Service Accounts (dMSAs), Group MSAs (gMSAs), Key Distribution Services (KDS)

This vulnerability fundamentally breaks the assumption that dMSAs are unforgeable and tamper-proof, presenting a forest-wide persistence and lateral movement threat.

Pre-Requisites For The Attack

  • SYSTEM access on a single Domain Controller (DC)
  • Ability to read the KDS root key
  • Tools or scripts to iterate through possible ManagedPasswordId values

Attack Flow (Golden dMSA)

  1. Extract KDS Root Key: From a DC using SYSTEM or Enterprise Admin privileges.
  2. Enumerate dMSAs: Through SID translation or LDAP techniques.
  3. Guess ManagedPasswordId: Only 1,024 possible time-based values.
  4. Generate Passwords: Offline computation of AES256 or NTLM hashes.
  5. Bypass Authentication: Use Kerberos or Overpass-the-Hash to authenticate as service accounts.

Detection: Indicators And Clues

Manual Configuration Needed: By default, no logs indicate KDS root key access. Admins must configure a System Access Control List (SACL) on the msKds-RootKeyData attribute.

Key Indicators:

1. Event ID 4662:

  • Audit read access to the msKds-RootKeyData attribute.
  • Watch for non-DC accounts accessing it.

2. Abnormal AS-REQ Patterns:

  • High volume of AS-REQs for the same account ending with $.
  • Followed by PREAUTH-FAILED (error code 24).

3. Abnormal TGT Requests:

  • dMSA accounts being used by unexpected users.

4. Modified ACLs on KDS Root Keys

5. SID Enumeration Activity:

  • Use of tools like lookupsid.py or LSA API abuse (LsaOpenPolicy, LsaLookupSids).
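The following is an added example, not code from the Ampcus advisory or from the Semperis research it summarizes. It applies the two log-based indicators above (non-DC reads of msKds-RootKeyData in Event ID 4662, and bursts of Kerberos pre-authentication failures against accounts ending in "$") to a handful of constructed sample events. Field names follow the Windows Security log (SubjectUserName, TargetUserName, Status), the DC account inventory and the burst threshold are assumptions for the example, and the 4662 check assumes the log collector has already resolved the attribute's schema GUID in the Properties field to its name.

```python
"""Offline triage of constructed Windows Security events for the Golden dMSA
indicators: root-key reads by non-DC principals (4662) and bursts of
KDC_ERR_PREAUTH_FAILED (error code 24 / 0x18, Event ID 4771) against
service accounts. Example code, not part of the advisory."""
from collections import defaultdict
from datetime import datetime, timedelta

MSKDS_ROOT_KEY_ATTR = "msKds-RootKeyData"
PREAUTH_FAILED = 0x18          # KDC_ERR_PREAUTH_FAILED, decimal 24
BURST_THRESHOLD = 5            # assumed tuning value for this example
BURST_WINDOW = timedelta(minutes=10)

# Assumed DC computer accounts; a real deployment would pull these from AD.
DC_ACCOUNTS = {"DC01$", "DC02$"}


def find_rootkey_reads(events, dc_accounts=DC_ACCOUNTS):
    """Return 4662 events where a principal other than a DC read msKds-RootKeyData.
    Assumes the collector resolved the schema GUID in Properties to the attribute name."""
    dcs = {a.upper() for a in dc_accounts}
    hits = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        if MSKDS_ROOT_KEY_ATTR.lower() not in ev.get("Properties", "").lower():
            continue
        if ev.get("SubjectUserName", "").upper() in dcs:
            continue  # DCs legitimately read the root key to derive MSA passwords
        hits.append(ev)
    return hits


def find_preauth_bursts(events, threshold=BURST_THRESHOLD, window=BURST_WINDOW):
    """Return {account: max_failures_in_window} for '$' accounts that received at
    least `threshold` KDC_ERR_PREAUTH_FAILED (4771) events inside any sliding window."""
    by_account = defaultdict(list)
    for ev in events:
        if ev.get("EventID") != 4771 or ev.get("Status") != PREAUTH_FAILED:
            continue
        name = ev.get("TargetUserName", "")
        if name.endswith("$"):
            by_account[name].append(ev["TimeCreated"])
    bursts = {}
    for name, times in by_account.items():
        times.sort()
        best, start = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            bursts[name] = best
    return bursts


def _sample_events():
    """Constructed sample log, not captured from a real domain."""
    t0 = datetime(2025, 7, 1, 9, 0, 0)
    evs = [
        # benign: a DC reading the root key during normal password derivation
        {"EventID": 4662, "TimeCreated": t0, "SubjectUserName": "DC01$",
         "Properties": MSKDS_ROOT_KEY_ATTR},
        # suspicious: a user account reading the root key
        {"EventID": 4662, "TimeCreated": t0 + timedelta(minutes=1),
         "SubjectUserName": "jdoe", "Properties": MSKDS_ROOT_KEY_ATTR},
        # noise: 4662 on an unrelated attribute
        {"EventID": 4662, "TimeCreated": t0 + timedelta(minutes=2),
         "SubjectUserName": "jdoe", "Properties": "userAccountControl"},
        # noise: single failures that should not trip the burst rule
        {"EventID": 4771, "TimeCreated": t0, "TargetUserName": "alice",
         "Status": PREAUTH_FAILED},
        {"EventID": 4771, "TimeCreated": t0 + timedelta(hours=2),
         "TargetUserName": "svc_db$", "Status": PREAUTH_FAILED},
    ]
    # six pre-auth failures against one service account within a few minutes
    for i in range(6):
        evs.append({"EventID": 4771, "TimeCreated": t0 + timedelta(minutes=3 + i),
                    "TargetUserName": "svc_web$", "Status": PREAUTH_FAILED})
    return evs


SAMPLE_EVENTS = _sample_events()


def triage(events=SAMPLE_EVENTS):
    """Run both detectors and return a summary suitable for alerting."""
    return {
        "rootkey_reads": [e["SubjectUserName"] for e in find_rootkey_reads(events)],
        "preauth_bursts": find_preauth_bursts(events),
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(key, value)
```

Both detectors depend on the SACL described above being in place: without auditing on msKds-RootKeyData no 4662 event is generated at all, so the burst rule on 4771 is the only signal that fires on an unaudited domain.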

Recommendations

  1. Limit SYSTEM and Domain Admin access strictly to a subset of vetted administrators.
  2. Restrict access to Domain Controllers using network segmentation and role-based access.
  3. Audit membership of Domain Admins, Enterprise Admins, and local SYSTEM permissions.
  4. Rotate KDS root keys periodically and enforce strict change controls.
  5. Use unique KDS root keys per domain instead of sharing across forests.
  6. Avoid retaining legacy KDS root keys unnecessarily, as older keys are often still used by default.
  7. Where dMSAs are not critical, migrate to more manageable alternatives.
  8. Restrict dMSA visibility via ACLs; ensure only authorized accounts can enumerate or bind them.
  9. Limit SMB access and RPC endpoints (\PIPE\lsarpc) to trusted systems.

Source:

  • https://www.semperis.com/blog/golden-dmsa-what-is-dmsa-authentication-bypass/


Ampcus Cyber