Golden dMSA: Critical Windows Server 2025 Flaw Enables Cross-Domain Persistence & Enterprise-Wide Exploits
A newly uncovered vulnerability in Windows Server 2025 is raising alarm across the cybersecurity community. Dubbed Golden dMSA, the flaw allows attackers to generate valid passwords for all Delegated Managed Service Accounts (dMSAs) and Group Managed Service Accounts (gMSAs)—opening the door to persistent, cross-domain access across an entire Active Directory (AD) forest.
"The flaw can result in high-impact attacks, enabling cross-domain lateral movement and persistent access to all managed service accounts and their resources across Active Directory indefinitely," said Semperis, which discovered the flaw.
What Makes Golden dMSA So Dangerous?
Golden dMSA exploits a design flaw in the password generation mechanism of dMSAs/gMSAs introduced in Windows Server 2025—a feature intended to counter Kerberoasting and improve machine-bound authentication.
The vulnerability hinges on the Key Distribution Service (KDS) root key, the cryptographic master key in AD’s managed account system. Once an attacker compromises this key (typically accessible only to high-privileged roles like Domain Admins or SYSTEM), they can:
- Bypass standard authentication protections
- Derive passwords for any dMSA or gMSA without domain controller interaction
- Maintain access persistently—even after password rotation
According to Semperis, the attack is of low complexity due to a predictable structure in password generation containing only 1,024 brute-forceable time-based combinations.
Attack Breakdown: From DC Compromise to Forest Takeover
Once a domain controller is compromised and SYSTEM-level access is achieved, the Golden dMSA attack follows these steps:
- Extract the KDS root key from the domain controller.
- Enumerate dMSA accounts using standard APIs (e.g., LsaOpenPolicy, LDAP).
- Identify the ManagedPasswordID attribute, enabling targeted hash generation.
- Forge Kerberos tickets or execute Pass-the-Hash/Overpass-the-Hash attacks to access any service tied to dMSAs or gMSAs.
“Once the KDS root key is compromised, no further privileged access is needed—making this an exceptionally stealthy persistence technique,” said researcher Adi Malyanker.
Cross-Domain Impact & Credential Guard Bypass
The threat extends beyond a single domain. Since the KDS root key is forest-scoped, compromising it in just one domain can be leveraged to:
- Harvest credentials across the forest
- Move laterally between domains
- Exploit services bound to any dMSA/gMSA
Worse, even environments with multiple KDS root keys remain vulnerable: Windows always defaults to using the oldest key for compatibility, potentially preserving access for years.
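As an added defender-side example (not code from Semperis, Microsoft, or the proof-of-concept the article mentions), the following PowerShell inventories the two things the passage above turns on: the KDS root keys in the forest, including how old the oldest (default) key is, and the gMSAs/dMSAs whose passwords derive from those keys, together with the principals allowed to retrieve each password. It assumes the RSAT ActiveDirectory and Kds modules are installed on a domain-joined administrative host; the staleness threshold and the objectClass used to locate the root-key objects are assumptions noted in the comments.

```powershell
# Added example, read-only: audit KDS root keys and managed service accounts.
# Assumes the ActiveDirectory (RSAT) and Kds modules are present.
Import-Module ActiveDirectory
Import-Module Kds

# Placeholder threshold (assumption): flag root keys older than this.
$StaleKeyAgeDays = 365

function Get-KdsRootKeyReport {
    # Windows prefers the oldest effective key for compatibility, so the first
    # row of this sorted list is the key whose compromise matters most.
    Get-KdsRootKey |
        Sort-Object EffectiveTime |
        Select-Object KeyId, CreationTime, EffectiveTime,
            @{ Name = 'AgeDays'
               Expression = { [int]((Get-Date) - $_.EffectiveTime).TotalDays } },
            @{ Name = 'Stale'
               Expression = { ((Get-Date) - $_.EffectiveTime).TotalDays -gt $StaleKeyAgeDays } }
}

function Get-ManagedServiceAccountReport {
    # gMSAs and dMSAs: who may retrieve the password, and whether the
    # msDS-ManagedPasswordId attribute (the ManagedPasswordID in the article)
    # is populated. Unexpected changes to RetrievePrincipals deserve an alert.
    Get-ADServiceAccount -Filter * -Properties 'msDS-ManagedPasswordId',
        PrincipalsAllowedToRetrieveManagedPassword, ObjectClass |
        Select-Object Name, ObjectClass,
            @{ Name = 'RetrievePrincipals'
               Expression = { $_.PrincipalsAllowedToRetrieveManagedPassword -join '; ' } },
            @{ Name = 'HasManagedPasswordId'
               Expression = { $null -ne $_.'msDS-ManagedPasswordId' } }
}

function Get-KdsRootKeyObjects {
    # Locate the root-key objects in the Configuration partition so their
    # SACL can be reviewed; reads of these objects are what to audit (4662).
    # Assumption: the objects use objectClass msKds-ProvRootKey.
    $configNC = (Get-ADRootDSE).configurationNamingContext
    Get-ADObject -SearchBase $configNC -LDAPFilter '(objectClass=msKds-ProvRootKey)' -Properties whenCreated |
        Select-Object Name, DistinguishedName, whenCreated
}

# Usage: run all three reports and print them.
Get-KdsRootKeyReport            | Format-Table -AutoSize
Get-ManagedServiceAccountReport | Format-Table -AutoSize
Get-KdsRootKeyObjects           | Format-Table -AutoSize
```

The key takeaway from the first report is that adding a newer KDS root key does not retire the old one; because Windows keeps selecting the oldest effective key, any key flagged Stale remains the one an attacker with domain controller access would derive passwords from, so the response to a suspected compromise is domain controller recovery, not just key rotation.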
“This creates a forest-wide digital backdoor that survives rotations and defeats even Credential Guard protections,” Semperis warned.
Microsoft's Response & PoC Disclosure
After Semperis disclosed the flaw to Microsoft on May 27, 2025, the company responded:
"If you have the secrets used to derive the key, you can authenticate as that user. These features were never intended to protect against the compromise of a domain controller."
Semperis has also released an open-source proof-of-concept to demonstrate the exploit, urging enterprises to evaluate risk exposure and adopt strong domain controller security hardening.