An attacker with high privileges can obtain all the ingredients for generating the password of any gMSA in the domain, at any time, in two steps:
- Retrieve several attributes from the KDS root key in the domain
- Use the GoldenGMSA tool to generate the password of any gMSA associated with the key, without a privileged account.
Introducing the Golden GMSA Attack | Semperis
Or Yair, Security Researcher at SafeBreach Labs (safebreach.com), explains why gMSAs present such a threat.
Experts Comments
The new attack does not allow attackers to escalate from unprivileged users, but surely attackers can hide better now. Group Managed Service Accounts are given more privileges than they really should in many organizations. APTs which have a high interest in staying under the radar can take actions as a gMSA instead of a regular highly privileged user. That means they can keep a firm grip over the domain, leaving a much smaller footprint and reducing the chance of being detected.