Windows Server 2025: Authentication Bypass with Golden dMSA

Delegated Managed Service Accounts (dMSAs) are a new feature of Windows Server 2025. Their design enables serious attacks on managed service accounts and on Active Directory resources. Semperis Research has now published Golden dMSA, a tool that implements the logic of the attack and helps administrators understand the attack mechanism and put defensive measures in place.

What are dMSAs?

Microsoft has introduced delegated managed service accounts (dMSAs) in Windows Server 2025. A dMSA is a new type of service account in Active Directory (AD) that extends the capabilities of gMSAs (Group Managed Service Accounts). A dMSA is usually created to replace an existing service account.

A dMSA makes it possible to migrate existing unmanaged service accounts by seamlessly converting them into dMSAs. To enable a seamless transition, a dMSA can "inherit" the authorizations of the old account during the migration process. The migration closely links the dMSA to the replaced account.

Review of BadSuccessor (dMSA privilege elevation)

By analyzing the migration process in Windows Server 2025, Akamai security researcher Yuval Gordon discovered a vulnerability in the Delegated Managed Service Account (dMSA) feature that allows attackers to compromise any user in Active Directory (AD). I had addressed this in blog posts in May 2025 (see the article links at the end of this blog post).

Golden dMSA attack on Active Directory

Semperis security researcher Adi Malyanker has taken a closer look at the Delegated Managed Service Account (dMSA) function in Windows Server 2025 and has also discovered a critical design flaw. Because the flaw makes password generation by brute force trivial, exploitation itself is not complex, but it requires a specific prerequisite: a partial compromise of the forest.


The issue was reported to the Microsoft Security Response Center (MSRC) on May 27, 2025. On July 8, 2025, Microsoft responded that "if attackers have the secrets used to derive the required key, they can authenticate as that user. These features were never intended to protect against compromise of a domain controller."

The danger, however, is that attackers can use Golden dMSA to move through Active Directory unnoticed and establish persistence. The details of the discovery and of the attack process are disclosed in the Semperis article Golden dMSA: What Is dMSA Authentication Bypass? Below I extract some information for administrators.

Golden dMSA attack

The attack, called Golden dMSA, allows threat actors to bypass authentication and generate the passwords of all dMSAs and gMSAs and thus of their associated service accounts.

The attack exploits a cryptographic weakness in the design: a structure used to compute the passwords contains predictable, time-based components with only 1,024 possible combinations. This makes brute-force password generation computationally trivial.

Great effect, but moderate risk

According to the Semperis security researcher, this attack can be used for both persistence and privilege escalation in any AD environment with dMSA accounts. A successful attack can have a major impact as it enables cross-domain lateral movement and persistent access to all managed service accounts and their resources indefinitely.

However, the security researcher rates the risk of exploitation as only "moderate", because a successful attack depends on a partial compromise of the forest. The reason is that attackers must possess a KDS root key, and this KDS root key is available only to the most privileged accounts (root domain Domain Admins, Enterprise Admins and SYSTEM).
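Since the KDS root key is the one secret the whole attack hinges on, the first thing an administrator will want is a picture of how many such keys exist, who can read them, and how many managed service accounts depend on them. The following read-only inventory script is an added example for this post; it is not part of the Semperis GoldenDMSA tool and not code from the Semperis article. It assumes the RSAT ActiveDirectory and Kds PowerShell modules on a domain-joined administrative host, and uses the standard location of the key container in the Configuration partition.

```powershell
# Added example (not from Semperis, the GoldenDMSA tool or this blog): a read-only
# inventory of what a KDS root key compromise would expose. Assumes the RSAT
# ActiveDirectory and Kds modules on a domain-joined administrative host.
Import-Module ActiveDirectory

# 1. KDS root keys: every gMSA/dMSA password in the forest is derived from one of
#    these. Several keys (e.g. after a rotation) mean several secrets to protect.
$rootKeys = Get-KdsRootKey | Select-Object KeyId, CreationTime, EffectiveTime
$rootKeys | Format-Table -AutoSize

# 2. Who is allowed to read the key container? Only Enterprise Admins, the root
#    domain's Domain Admins and SYSTEM (i.e. the domain controllers) should show up.
$cfg     = (Get-ADRootDSE).configurationNamingContext
$kdsDn   = "CN=Master Root Keys,CN=Group Key Distribution Service,CN=Services,$cfg"
$kdsPath = "AD:\$kdsDn"
(Get-Acl -Path $kdsPath).Access |
    Where-Object { $_.AccessControlType -eq 'Allow' } |
    Select-Object IdentityReference, ActiveDirectoryRights, IsInherited |
    Format-Table -AutoSize

# 3. The blast radius: all gMSAs and dMSAs in every domain of the forest, including
#    the account a dMSA superseded (msDS-ManagedAccountPrecededByLink), whose
#    permissions the dMSA inherited during migration.
$filter = '(|(objectClass=msDS-GroupManagedServiceAccount)(objectClass=msDS-DelegatedManagedServiceAccount))'
foreach ($domain in (Get-ADForest).Domains) {
    Get-ADObject -Server $domain -LDAPFilter $filter `
        -Properties objectClass, msDS-ManagedAccountPrecededByLink |
        Select-Object @{ n = 'Domain'; e = { $domain } },
                      Name,
                      @{ n = 'Type'; e = {
                          if ($_.ObjectClass -contains 'msDS-DelegatedManagedServiceAccount') { 'dMSA' } else { 'gMSA' } } },
                      @{ n = 'Supersedes'; e = { $_.'msDS-ManagedAccountPrecededByLink' } }
}
```

Section 2 is the part worth re-running after any delegation change: an unexpected identity with read rights on the key container has, in effect, the prerequisite the researcher describes. Section 3 shows the scope of a compromise, because one key covers all managed accounts in all domains of the forest, not just the domain where the key was read.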

GoldenDMSA tool for detection

The problem for security managers is that detecting Golden dMSA activity requires manual log configuration and review, which makes countermeasures difficult. By default, no security events are logged when a KDS root key is read or compromised.
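The "manual log configuration" the researcher refers to comes down to two things: the key container needs a SACL, and the domain controllers need directory service access auditing switched on; only then does a read of the key material produce an event that can be reviewed. The script below is an added example for this post, not code from Semperis or from this blog. It assumes an Enterprise Admin session on a domain controller of the forest root domain with the RSAT ActiveDirectory module, the standard container DN, and the standard Windows event ID 4662 for directory object access.

```powershell
# Added example (not Semperis' tool and not from this blog): make reads of the KDS
# root keys visible, since nothing is logged by default. Run once as Enterprise
# Admin on a DC of the forest root domain; assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$cfg     = (Get-ADRootDSE).configurationNamingContext
$kdsDn   = "CN=Master Root Keys,CN=Group Key Distribution Service,CN=Services,$cfg"
$kdsPath = "AD:\$kdsDn"

# 1. Put a SACL on the container: audit every successful property read on the key
#    objects below it (the key material is an attribute of each root key object).
$acl      = Get-Acl -Path $kdsPath -Audit
$everyone = New-Object -TypeName System.Security.Principal.SecurityIdentifier -ArgumentList 'S-1-1-0'
$rule     = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAuditRule -ArgumentList @(
    $everyone,
    [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty,
    [System.Security.AccessControl.AuditFlags]::Success,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$acl.AddAuditRule($rule)
Set-Acl -Path $kdsPath -AclObject $acl

# 2. A SACL only fires if the DC audits directory service access. Apply this on every
#    DC (in production via the Default Domain Controllers Policy rather than auditpol).
auditpol /set /subcategory:"Directory Service Access" /success:enable

# 3. Review: event 4662 names the object either by DN or as "%{objectGUID}", so match
#    on both. DC computer accounts read the keys legitimately whenever they compute a
#    gMSA/dMSA password; filter them out and treat any other principal as an alert.
$keyObjects = Get-ADObject -SearchBase $kdsDn -Filter *
$pattern    = @('Master Root Keys') + @($keyObjects.ObjectGUID | ForEach-Object { [regex]::Escape("{$_}") })
$pattern    = $pattern -join '|'
$dcAccounts = (Get-ADDomainController -Filter *).Name | ForEach-Object { "$_`$" }

Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4662 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $pattern } |
    ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Subject = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
            Object  = $data.ObjectName
        }
    } |
    Where-Object { $dcAccounts -notcontains $_.Subject.Split('\')[-1] }
```

Expect some baseline noise from the domain controllers themselves; the point of step 3 is that after excluding them the remaining list should normally be empty, so any entry is worth an investigation. Forward the 4662 events to a central SIEM rather than relying on the local Security log, since an attacker holding the key can equally well hold Domain Admin rights on the DC.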

To show how this attack technique works in practice, Semperis researcher Adi Malyanker has developed GoldenDMSA, a tool that implements the logic of the attack and allows administrators to efficiently investigate, evaluate and simulate how the technique could be exploited in real-world environments. The tool is available on GitHub and is linked in the Semperis blog post.

"Golden dMSA exposes a critical design flaw that allows attackers to generate passwords for service accounts and remain undetected in Active Directory environments," explains Adi Malyanker. "I have developed a tool that helps defenders and researchers to better understand the attack mechanisms. Companies should proactively assess their systems to stay one step ahead of this new threat."

Similar articles:
BadSuccessor: Abusing dMSA to elevate privileges in Active Directory
BadSuccessor: Read up on the dMSA AD privilege increase issue

This entry was posted in Security, Windows.