Exploiting dMSA for Advanced Active Directory Persistence
Security researchers have identified new methods for achieving persistence in Active Directory environments by exploiting Delegated Managed Service Accounts (dMSAs), a new security feature introduced in Windows Server 2025.
Despite being designed to enhance security through automated credential management, dMSAs can be manipulated by attackers with specific permissions to establish persistent access.
This discovery highlights how advanced attackers continue to find ways to compromise even newly designed security features in enterprise environments.
Delegated Managed Service Accounts represent Microsoft’s latest iteration in service account security, building upon previous solutions like traditional service accounts, Managed Service Accounts (MSAs), and Group Managed Service Accounts (gMSAs).
Unlike their predecessors, dMSAs bind authentication to specific machine identities and derive authentication secrets from machine account credentials that are encrypted by the Domain Controller.
This design eliminates locally stored credentials, automating password management and preventing common attack vectors like Kerberoasting.
When deployed, dMSAs replace existing service accounts while retaining access to the resources those accounts were previously authorized to use.
A significant security enhancement is their integration with Credential Guard, which protects stored keys from theft and ensures only authorized devices properly mapped in Active Directory can utilize the dMSA, substantially reducing the attack surface for credential-based attacks.
Container Permission Abuse
Despite these security improvements, researchers have uncovered that attackers with “Generic All” permissions on the “Managed Service Accounts” container can abuse these privileges to establish persistence.

The attack begins by verifying permissions, either with a command such as dsacls "CN=Managed Service Accounts,DC=kingdom,DC=local" or through Active Directory Users and Computers.
The critical exploitation technique involves manipulating Access Control List (ACL) inheritance. By executing dsacls "CN=Managed Service Accounts,DC=kingdom,DC=local" /G "KINGDOM\poc:GA" /T /I:S, attackers force permission inheritance down to child objects.
This grants the attacker full visibility and control over all dMSA objects within the container, including the ability to take ownership of objects typically restricted to Domain Admins.

Persistence is achieved by creating additional dMSAs under the attacker’s control or by adding unauthorized entities to the PrincipalAllowedToRetrieveManagedPassword attribute, effectively maintaining backdoor access to the environment even if the initial compromise is discovered.
Detection and Defense Strategies
Organizations implementing Windows Server 2025 must apply specific mitigations to protect against dMSA abuse.
For Windows 11 24H2 and Windows Server 2025 clients, administrators should activate the Group Policy setting under Computer Configuration\Administrative Templates\System\Kerberos\Enable Delegated Managed Service Account logons.

According to the report, security teams should establish monitoring for events relating to write access to dMSA objects, as these can indicate potential abuse.
Additionally, organizations should implement strict permission controls on the Managed Service Accounts container, regularly audit permission changes, and follow least-privilege principles for all administrative accounts.
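One way to perform that audit, as an added PowerShell example that is not from the article or the underlying report: it flags any principal other than the usual administrative identities holding GenericAll, WriteDacl or WriteOwner on the Managed Service Accounts container or on the objects beneath it (noting whether the ACE was inherited, which is the pattern the attack above produces), and then lists who may retrieve each managed password. It assumes the RSAT ActiveDirectory module is installed and that Get-ADServiceAccount also returns dMSA objects on Windows Server 2025.

```powershell
# Added audit example (not from the article). Assumes the ActiveDirectory RSAT module.
Import-Module ActiveDirectory

$domain    = Get-ADDomain
$container = "CN=Managed Service Accounts,$($domain.DistinguishedName)"

# Principals normally expected to hold full control here; anything else is reported.
$expected = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
              "$($domain.NetBIOSName)\Domain Admins",
              "$($domain.NetBIOSName)\Enterprise Admins")

# Rights that allow taking over an object or rewriting its ACL.
$dangerous = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll -bor
             [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl -bor
             [System.DirectoryServices.ActiveDirectoryRights]::WriteOwner

# The container itself plus every object directly beneath it (dMSA/gMSA objects).
$targets = @($container) + @(Get-ADObject -SearchBase $container -SearchScope OneLevel -Filter * |
             Select-Object -ExpandProperty DistinguishedName)

foreach ($dn in $targets) {
    $acl = Get-Acl -Path "AD:\$dn"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (($ace.ActiveDirectoryRights -band $dangerous) -eq 0) { continue }
        if ($expected -contains $ace.IdentityReference.Value) { continue }
        [pscustomobject]@{
            Object    = $dn
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.ActiveDirectoryRights
            Inherited = $ace.IsInherited       # True = pushed down from the container
            AppliesTo = $ace.InheritanceType   # e.g. All/Descendents set by /T /I:S
        }
    }
}

# Who is allowed to retrieve each managed service account's password.
Get-ADServiceAccount -Filter * -SearchBase $container `
    -Properties PrincipalsAllowedToRetrieveManagedPassword |
    Select-Object Name, @{ n = 'AllowedToRetrievePassword'
                           e = { $_.PrincipalsAllowedToRetrieveManagedPassword -join '; ' } }
```

Run it from a workstation with RSAT as a normal read-only account and compare the output against a known-good baseline; any unexpected principal or newly inherited ACE on this container is worth an immediate review.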
Microsoft continues to enhance service account security with each iteration, but this discovery demonstrates that even advanced security features can be subverted when attackers gain specific elevated permissions in Active Directory environments.