Why GMSAs Present Such A Threat, Expert Insight

An attacker with high privileges can obtain all the ingredients for generating the password of any gMSA in the domain at any time with two steps:

  1. Retrieve several attributes from the KDS root key in the domain
  2. Use the GoldenGMSA tool to generate the password of any gMSA associated with the key, without a privileged account. 

Introducing the Golden GMSA Attack | Semperis

Or Yair, Security Researcher at SafeBreach Labs (safebreach.com), explains why gMSAs present such a threat.

Experts Comments

March 07, 2022
Or Yair
Security Researcher
SafeBreach Labs

The new attack does not allow attackers to escalate from unprivileged users, but surely attackers can hide better now. Group Managed Service Accounts are given more privileges than they really should in many organizations. APTs that have a high interest in staying under the radar can take actions as a gMSA instead of a regular highly privileged user. That means they can keep a fine grip over the domain, leaving a much smaller footprint and reducing the chance of being detected.
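The comment above notes that gMSAs are often given more privileges than they need. As an added example (not from the original article, Semperis or SafeBreach), this PowerShell audit lists every gMSA in the current domain and flags those that are direct or nested members of protected groups. It assumes the RSAT ActiveDirectory module is installed and treats any group with `adminCount=1` as privileged.

```powershell
# Added example: inventory gMSAs and flag the over-privileged ones.
# Assumptions: RSAT ActiveDirectory module, read access to the domain, and
# "privileged" meaning membership (direct or nested) in an adminCount=1 group.
Import-Module ActiveDirectory

function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][string]$Value)
    # Escape characters that are special inside an LDAP filter (RFC 4515).
    # The backslash must be handled first so later escapes are not re-escaped.
    $Value -replace '\\', '\5c' -replace '\(', '\28' -replace '\)', '\29' -replace '\*', '\2a'
}

# Get-ADServiceAccount also returns standalone MSAs; keep only group MSAs.
$gmsas = Get-ADServiceAccount -Filter * -Properties PrincipalsAllowedToRetrieveManagedPassword |
    Where-Object { $_.ObjectClass -eq 'msDS-GroupManagedServiceAccount' }

$report = foreach ($gmsa in $gmsas) {
    $dn = ConvertTo-LdapFilterValue -Value $gmsa.DistinguishedName

    # 1.2.840.113556.1.4.1941 is LDAP_MATCHING_RULE_IN_CHAIN: it follows nested
    # group membership, so a gMSA buried three groups deep is still found.
    $filter = "(&(objectCategory=group)(adminCount=1)(member:1.2.840.113556.1.4.1941:=$dn))"
    $privGroups = @(Get-ADGroup -LDAPFilter $filter | Select-Object -ExpandProperty Name)

    [pscustomobject]@{
        gMSA             = $gmsa.SamAccountName
        Privileged       = ($privGroups.Count -gt 0)
        PrivilegedGroups = $privGroups -join '; '
        # Principals allowed to retrieve the managed password through normal means.
        PasswordReaders  = @($gmsa.PrincipalsAllowedToRetrieveManagedPassword) -join '; '
    }
}

# Privileged gMSAs first. This does not cover rights granted through ACLs,
# local Administrators membership on hosts, or the account's primary group.
$report | Sort-Object -Property Privileged -Descending | Format-Table -AutoSize -Wrap
```

Any gMSA reported as privileged is a candidate for reducing its group memberships to what the service it runs actually requires.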
