Delegated Managed Service Accounts (dMSAs), introduced in Windows Server 2025, represent Microsoft\u2019s latest innovation in secure service account management.\u00a0<\/p>\n
While designed to enhance security by preventing traditional credential theft attacks like Kerberoasting, security researchers have uncovered potential abuse vectors that could allow attackers to establish persistent access in Active Directory<\/a> environments.\u00a0<\/p>\n dMSAs were created to solve long-standing problems with traditional service accounts. Unlike standard accounts that require manual password management, dMSAs provide automatic credential management and link authentication directly to machine identities.<\/p>\n According to Microsoft documentation, \u201cdMSA is a more secure and manageable approach to service account management compared to traditional service accounts\u201d.<\/p>\n The technology allows administrators to migrate from conventional service accounts<\/a> while disabling the original account\u2019s password authentication, redirecting all requests through the Local Security Authority (LSA) using the new dMSA mechanism.\u00a0<\/p>\n This feature was specifically designed to eliminate credential theft risks.<\/p>\n According to Matan Bahar, despite enhanced security controls, dMSAs can potentially be abused by attackers who have temporarily gained elevated privileges. The attack targets the Access Control Lists (ACLs) of the dMSA objects themselves.<\/p>\n The key vulnerability lies in the \u201cManaged Service Accounts\u201d container and its permission inheritance structure.\u00a0<\/p>\n An attacker with domain administrator access, even temporarily, can modify ACLs to maintain access to dMSA accounts after their privileged access is revoked.<\/p>\n The attack begins by gaining \u201cGenericAll\u201d permissions on the Managed Service Accounts container:<\/p>\n While having \u201cGenericAll\u201d permissions on the container doesn\u2019t automatically grant access to child objects, attackers can force inheritance down to all dMSA objects:<\/p>\n These commands establish persistent control over all existing and future dMSA objects. The attacker can then:<\/p>\n Organizations deploying Windows Server 2025<\/a> should implement these protections:<\/p>\n While dMSAs significantly improve service account security over traditional accounts, organizations must remain vigilant about potential abuse vectors.\u00a0<\/p>\n According to the Report<\/a>, the security improvements offered by dMSAs still outweigh the risks, particularly when proper monitoring and access controls are implemented.<\/p>\n As Microsoft continues to develop Windows Server 2025, additional security controls around dMSA management will likely emerge to address these newly discovered persistence techniques.<\/p>\n Vulnerability Attack Simulation on How Hackers Rapidly Probe Websites for Entry Points \u2013 Free Webinar<\/a><\/strong><\/p>\n The post Abusing dMSA with Advanced Active Directory Persistence Techniques\u00a0<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nThe Persistence Vector<\/strong><\/h2>\n
![\"\"](\"https:\/\/lh7-rt.googleusercontent.com\/docsz\/AD_4nXcUPTl8UGnUGiR9ZqU_-TVINGANJ--09qBGXkZ6Bqzh7NdT0KJGMe9bEa3U0ZZJESSbtv6S8Z6kEq-8oAgQevMaekPsXHP5_3ey_GkYvv56A3KSQcKqQEDQGQgFo_NDKKg6ljMaNg?key=pt90noQEvP8R8ZbT2mLR7Q\")
![\"\"](\"https:\/\/lh7-rt.googleusercontent.com\/docsz\/AD_4nXeQC7g1KXDZhJAp-tx5SHuVqtigtT1oqXU9TqEULskZrOwgVtC-cF9-6MEmLp9dnm8_r1GXCPpehDsW12VWCxbQMhqgTuZztqnQ__gXMqNwB-iFQyY6gBc-pf5QU0X8_-HLw-dpTw?key=pt90noQEvP8R8ZbT2mLR7Q\")
![\"\"](\"https:\/\/lh7-rt.googleusercontent.com\/docsz\/AD_4nXdHZGPfJbFoQIB_ubD6fsTdnYm5q0naNQwGShYeRGW1cJCXWfVMfxP8DA86YWoHCgYPQ1CQynteLKz-PJX_VnIC_mynHbEfEeUWCu-_lQsKZ7X1uWRNqR5x8bOR6889a5m9NyWDUw?key=pt90noQEvP8R8ZbT2mLR7Q\")
\n
![\"\"](\"https:\/\/lh7-rt.googleusercontent.com\/docsz\/AD_4nXdxhYp6UFIZyV6DbIUl6mKDl5d8-rMKSdjrYmAjEIvndZ2APC_30uNqkPntktK5xV8zR5WajW6XFvwzg4Ksois5BtqgJqTTdKv1FTPN6VLodZxvfu22Y_ax1GKYv_Oix29zzTLbnA?key=pt90noQEvP8R8ZbT2mLR7Q\")
Mitigation<\/strong><\/h2>\n
\n
![\"\"](\"https:\/\/lh7-rt.googleusercontent.com\/docsz\/AD_4nXdW-LJbZouUdCo9xZcFKyuwMuZnf2nrW4OMkzoc48qNtZnTywss_iqPvjdpw0Mvq9kGriydYL-tpKGxGpnPxSHpOAFcfmf21qEos-H0OPT9CW5JbXs8x6AYCfrwI8ldp-7fVJ0Iqg?key=pt90noQEvP8R8ZbT2mLR7Q\")
\n