← Back

Golden dMSA Attack in Windows Server 2025: Understanding the New Domain Security Threat

As Windows Server 2025 introduces enhancements to domain-managed service accounts (dMSAs), attackers have found new ways to exploit their privileges. One of the most concerning developments is the Golden dMSA Attack—a sophisticated technique that mimics aspects of the infamous Golden Ticket attack against Kerberos.

This article breaks down the Golden dMSA technique, how it works, and what defenders can do to detect and mitigate this threat in Windows Server 2025 environments.


What Are dMSAs?

Domain-managed Service Accounts (dMSAs) are enhanced versions of Group Managed Service Accounts (gMSAs) introduced in earlier Windows Server editions. They're designed for non-interactive services, eliminating the need to manually manage service account passwords.

Windows Server 2025 improves dMSA scalability and cross-domain capabilities—but also increases their attack surface.


What is the Golden dMSA Attack?

The Golden dMSA attack is a post-exploitation technique that allows attackers to impersonate dMSAs and generate forged Kerberos service tickets (TGS), potentially granting long-term access to sensitive resources.

Attack Chain Overview

  1. Initial Access: Attacker gains administrative rights on a domain-joined machine.
  2. Dump Service Account Credentials: Using tools like Mimikatz or custom LSASS dumpers.
  3. Kerberos Ticket Forgery: Using extracted credentials, attacker crafts a forged TGS or TGT that impersonates a dMSA.
  4. Lateral Movement or Privilege Escalation: Access critical services or move laterally by using forged dMSA tokens.
  5. Persistence: Leverage the renewable nature of Kerberos tickets to maintain stealthy access.

Why It Works

The root issue lies in Kerberos trust assumptions and how dMSA keys are stored and retrieved:

  • Kerberos doesn't distinguish well between interactive and non-interactive accounts if tickets are properly formed.
  • dMSAs can be granted broad service access, especially in automated environments.
  • Ticket creation for dMSAs is vulnerable to manipulation if attackers obtain the KRBTGT hash or service account key material.

Mitigation and Detection

Harden Service Account Usage

  • Limit dMSA privileges to only what is necessary (principle of least privilege).
  • Avoid assigning dMSAs to critical infrastructure services unless required.

Monitor for Abnormal Kerberos Activity

Look for:

  • TGS requests from unusual hosts
  • Service tickets with unusually long lifespans
  • dMSA tokens used interactively (which shouldn’t happen)

Use tools like:

  • Microsoft Defender for Identity
  • Sysmon + KQL queries in Sentinel
  • Kerberos auditing (Event ID 4769, 4770)

Implement Credential Guard & LSASS Protections

  • Enable Windows Defender Credential Guard to prevent memory credential dumping.
  • Use LSA protection (RunAsPPL) to harden LSASS.

Rotate KRBTGT Key

If compromise is suspected, rotate the KRBTGT password twice to invalidate forged tickets:

Reset-ADServiceAccountPassword -Identity "krbtgt"

Patch and Isolate Domain Controllers

Ensure all DCs are running the latest patches and limit administrative access. Isolate workloads using tiered admin models (Tier 0, 1, 2).


Detection Ideas (SIEM Query Example)

SecurityEvent
| where EventID == 4769
| where ServiceName has "dMSA"
| where AccountName !endswith "$" // Unexpected account behavior
| summarize count() by IpAddress, AccountName, TimeGenerated

Summary

The Golden dMSA Attack demonstrates how new features in Windows Server 2025, while powerful, can introduce novel attack paths if not properly secured. It’s a reminder that service account hygiene, Kerberos awareness, and post-exploitation detection remain critical in modern AD environments.

Stay vigilant, secure your domain accounts, and monitor for abuse—especially in new deployments like Windows Server 2025.


***
Note on Content Creation: This article was developed with the assistance of generative AI like Gemini or ChatGPT. While all public AI strives for accuracy and comprehensive coverage, all content is reviewed and edited by human experts at IsoSecu to ensure factual correctness, relevance, and adherence to our editorial standards.