The Flaw
Cybersecurity researchers recently disclosed what they describe as a “critical design flaw” in delegated Managed Service Accounts (dMSAs), a feature Microsoft introduced in Windows Server 2025.
According to a report Semperis shared with The Hacker News, this flaw enables high-impact attacks by allowing cross-domain lateral movement and persistent access to all managed service accounts and their resources across Active Directory indefinitely.
In other words, adversaries who exploit this flaw successfully can bypass authentication guardrails and generate passwords for all delegated Managed Service Accounts (dMSAs), group Managed Service Accounts (gMSAs), and their associated service accounts.
Semperis has codenamed this persistence and privilege escalation method Golden dMSA. The company considers the technique to have low complexity, mainly because the vulnerability streamlines brute-force password generation.
However, before attackers can exploit this flaw, they must obtain a Key Distribution Service (KDS) root key, which is usually only accessible to privileged accounts such as root Domain Admins, Enterprise Admins, and SYSTEM.
Because it serves as a master key, the KDS root key—often referred to as the crown jewel of Microsoft’s gMSA infrastructure—lets attackers derive the current password for any dMSA or gMSA account without connecting to the domain controller.
Security researcher Adi Malyanker explained, “The attack leverages a critical design flaw: A structure that’s used for the password-generation computation contains predictable time-based components with only 1,024 possible combinations, making brute-force password generation computationally trivial.”
Microsoft Solution
Microsoft introduced Delegated Managed Service Accounts in Windows Server 2025 to support migration from legacy service accounts and to counter Kerberoasting attacks.
Additionally, these accounts bind authentication directly to explicitly authorized machines in Active Directory (AD), which is intended to eliminate credential theft. By tying authentication to device identity, only the machine identities mapped to the account in AD can use it.
Golden dMSA, similar to Golden gMSA attacks in Active Directory, unfolds in four steps once an attacker gains elevated privileges within a domain:
- Elevating to SYSTEM privileges on a domain controller and extracting KDS root key material
- Enumerating dMSA accounts using the LsaOpenPolicy and LsaLookupSids APIs, or through an LDAP-based approach
- Identifying the ManagedPasswordID attribute and password hashes through targeted guessing
- Generating valid passwords (i.e., Kerberos tickets) for any gMSA or dMSA tied to the compromised key, and testing them via Pass-the-Hash or Overpass-the-Hash techniques
Malyanker emphasized, “This process requires no additional privileged access once the attacker obtains the KDS root key, making it a particularly dangerous persistence method.”
He further noted, “The attack highlights the critical trust boundary of managed service accounts. They rely on domain-level cryptographic keys for security. Even though automatic password rotation offers strong protection against typical credential attacks, Domain Admins, DnsAdmins, and Print Operators can bypass these protections completely and compromise all the dMSAs and gMSAs in the forest.”
Semperis warned that the Golden dMSA technique effectively transforms a single breach into a forest-wide persistent backdoor. By compromising the KDS root key from one domain, an attacker can access every dMSA account across all domains in that forest.
Put another way, attackers can weaponize one KDS root key extraction to achieve cross-domain account compromise, forest-wide credential harvesting, and lateral movement across domains using the compromised dMSA accounts.
Malyanker added, “Even in environments with multiple KDS root keys, the system consistently uses the first (oldest) KDS root key for compatibility reasons. This means the original key we compromised could remain preserved by Microsoft’s design—creating a persistent backdoor that could last for years.”
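Because the oldest KDS root key is the one that matters and every gMSA/dMSA in the forest derives from it, a defender's first step is to know how many keys exist, which one is the oldest, and how many accounts depend on it. The following PowerShell script is an added example written for this page; it is not code from the article, Semperis or Microsoft. It assumes the ActiveDirectory and Kds PowerShell modules are available on a domain-joined host with rights to read the Configuration partition and service-account objects; the "Master Root Keys" container path is the standard location of KDS root keys.

```powershell
# Added example (defender-side; not code from the article, Semperis, or Microsoft).
# Inventories the forest's KDS root keys and the managed service accounts whose
# passwords derive from them, to size Golden dMSA exposure. Assumes the
# ActiveDirectory and Kds PowerShell modules on a domain-joined host with rights
# to read the Configuration partition and service-account objects.
Import-Module ActiveDirectory
Import-Module Kds

$forest = Get-ADForest

# The article notes the first (oldest) root key is the one used for derivation,
# so sort by creation time and flag it explicitly.
$rootKeys = Get-KdsRootKey | Sort-Object CreationTime
if (-not $rootKeys) {
    Write-Warning "No KDS root key found; gMSAs/dMSAs cannot be in use in this forest."
    return
}
$oldest = $rootKeys | Select-Object -First 1

Write-Host "KDS root keys in forest $($forest.Name):"
$rootKeys | ForEach-Object {
    $tag = if ($_.KeyId -eq $oldest.KeyId) { '  <-- used for password derivation' } else { '' }
    '{0}  created {1:u}  effective {2:u}{3}' -f $_.KeyId, $_.CreationTime, $_.EffectiveTime, $tag
}

# Every gMSA/dMSA in every domain of the forest depends on that key. Standalone
# MSAs (msDS-ManagedServiceAccount) do not use KDS, so they are excluded.
$accounts = foreach ($domain in $forest.Domains) {
    Get-ADServiceAccount -Server $domain -Filter * `
        -Properties ObjectClass, PrincipalsAllowedToRetrieveManagedPassword, Created |
        Where-Object { $_.ObjectClass -ne 'msDS-ManagedServiceAccount' } |
        Select-Object @{n='Domain';e={$domain}}, Name, ObjectClass, Created,
            @{n='RetrieverCount';e={ @($_.PrincipalsAllowedToRetrieveManagedPassword).Count }}
}

Write-Host ""
Write-Host ("Managed service accounts depending on KDS root key {0}: {1}" -f $oldest.KeyId, @($accounts).Count)
$accounts | Group-Object Domain, ObjectClass | ForEach-Object {
    '{0,-70} {1}' -f $_.Name, $_.Count
}

# Audit hook: the root keys live under this container in the Configuration partition.
# Object-access auditing on it surfaces reads of the key material (Security event 4662),
# which is the first step of the chain described in the article.
$keyContainer = "CN=Master Root Keys,CN=Group Key Distribution Service,CN=Services," +
    (Get-ADRootDSE).configurationNamingContext
Write-Host ""
Write-Host "Audit reads of: $keyContainer"
```

Run it from an elevated PowerShell session on a management host; the account count per domain is the blast radius of the oldest key, and the printed container path is where read auditing should be enabled so that extraction attempts generate an event before the derived passwords are ever used.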
Even more troubling, the attack completely bypasses standard Credential Guard protections. These protections usually secure NTLM password hashes, Kerberos Ticket Granting Tickets (TGTs), and credentials so that only privileged system software can access them.
Conclusion
Following responsible disclosure on May 27, 2025, Microsoft responded, “If you have the secrets used to derive the key, you can authenticate as that user. These features have never been intended to protect against a compromise of a domain controller.” To demonstrate the attack, Semperis also released an open-source proof-of-concept (PoC).
Malyanker concluded, “What starts as one DC compromise escalates to owning every dMSA-protected service across an entire enterprise forest. It’s not just privilege escalation—it’s enterprise-wide digital domination through a single cryptographic vulnerability.”
Source: TheHackerNews