Why GMSAs Present Such A Threat, Expert Insight

An attacker with high privileges can obtain all the ingredients for generating the password of any gMSA in the domain at any time in two steps:

  1. Retrieve several attributes from the KDS root key in the domain.
  2. Use the GoldenGMSA tool to generate the password of any gMSA associated with the key, without a privileged account.

Introducing the Golden GMSA Attack | Semperis

Or Yair, Security Researcher at SafeBreach Labs (safebreach.com), explains why GMSAs present such a threat.

Or Yair, Security Researcher
InfoSec Expert
March 7, 2022 5:01 pm

The new attack does not allow attackers to escalate from unprivileged users, but surely attackers can hide better now. Group Managed Service Accounts are given more privileges than they really should in many organizations. APTs which have a high interest in staying under the radar can take actions as a gMSA instead of a regular highly privileged user. That means they can keep a fine grip over the domain, leaving a much smaller footprint and reducing the chance of being detected.

Information Security Buzz