Critical Golden dMSA Attack in Windows Server 2025 Allows Cross-Domain Attacks and Persistent Access


July 16, 2025Ravi LakshmananWindows Server / Enterprise Security

Cybersecurity researchers have disclosed what they say is a “significant design flaw” in delegated Managed Service Accounts (dMSAs), introduced in Windows Server 2025.

“This flaw can cause impactful attacks, allowing cross-domain lateral movement, allowing permanent access to all managed service accounts and their resources indefinitely across Active Directory,” Semperis said in a report shared with The Hacker News.

Put differently, successful exploitation allows an adversary to sidestep authentication guardrails and generate passwords for all delegated Managed Service Accounts (dMSAs) and group Managed Service Accounts (gMSAs) and their associated service accounts.

The persistence and privilege escalation technique is known as Golden dMSA, and the cybersecurity company rates it as low complexity because the flaw simplifies brute-force password generation.

However, to exploit it, a bad actor must already possess a Key Distribution Service (KDS) root key, which is normally available only to privileged accounts such as root Domain Admins, Enterprise Admins, and SYSTEM.

The KDS root key, described as the crown jewel of Microsoft’s gMSA infrastructure, acts as a master key, allowing an attacker to derive the current password for a dMSA or gMSA account without having to connect to a domain controller.

“The attacks take advantage of important design flaws. The structure used for password generation calculations includes predictable time-based components and only 1,024 combinations, so brute-force password generation is computationally trivial.”

dMSAs are a new feature introduced by Microsoft to facilitate migration from existing legacy service accounts. They were introduced in Windows Server 2025 as a way to counter Kerberoasting attacks.

dMSAs bind authentication directly to explicitly authorized machines in Active Directory (AD), eliminating the possibility of credential theft. Because authentication is tied to device identity, only the specified machine identities mapped in AD can access the account.

Similar to Golden gMSA Active Directory attacks, Golden dMSA plays out over four steps once an attacker has acquired elevated privileges in the domain:

  • Extracting KDS root key material by elevating to SYSTEM privileges on one of the domain controllers
  • Enumerating dMSA accounts using the LsaOpenPolicy and LsaLookupSids APIs or a Lightweight Directory Access Protocol (LDAP)-based approach
  • Identifying the managed password attributes of those accounts
  • Generating passwords for the accounts associated with the compromised key and testing them with Pass the Hash or Overpass the Hash techniques

“This process is a particularly dangerous way of persistence as it does not require additional privileged access once the KDS root key is obtained,” Malyanker said.

“The attacks highlight the critical trust boundaries of managed service accounts. They rely on domain-level cryptographic keys for security. Automatic password rotation provides excellent protection against typical credential attacks, but Domain Admins, DnsAdmins, and Print Operators can bypass these protections completely and compromise all dMSAs and gMSAs in the forest.”

Semperis pointed out that the technique turns a breach into a persistent backdoor across the entire forest, given that compromising the KDS root key from a single domain within the forest is enough to breach every dMSA account across all domains of that forest.

In other words, a single KDS root key extraction can be weaponized to achieve cross-domain account compromise, forest-wide credential harvesting, and lateral movement using the compromised dMSA accounts.

“Even in environments with multiple KDS root keys, the system consistently uses the first (oldest) KDS root key for compatibility reasons,” Malyanker noted. “This means that the original keys we compromised could be saved by Microsoft’s design.”

Even more concerning, the attack completely sidesteps the normal Credential Guard protections used to secure NTLM password hashes.

Following the responsible disclosure on May 27, 2025, Microsoft said, “If there is a secret to derive a key, you can authenticate as a user. These features were never intended to protect against the compromise of a domain controller.” Semperis has also released an open-source proof of concept (PoC) to demonstrate the attack.

“What begins as a single DC compromise will escalate to owning all dMSA-protected services across the enterprise forest,” Malyanker said. “It’s not just a privilege escalation, it’s digital domination across the enterprise through a single cryptographic vulnerability.”
