Why GMSAs Present Such A Threat, Expert Insight

By ISBuzz Team
Writer, Information Security Buzz | Mar 07, 2022 09:01 am PST

An attacker with high privileges can obtain all the ingredients for generating the password of any gMSA in the domain at any time with two steps:

  1. Retrieve several attributes from the KDS root key in the domain
  2. Use the GoldenGMSA tool to generate the password of any gMSA associated with the key, without a privileged account. 

Introducing the Golden GMSA Attack | Semperis

Or Yair, Security Researcher at SafeBreach Labs (safebreach.com), explains why GMSAs present such a threat.

Or Yair, Security Researcher
March 7, 2022 5:01 pm

The new attack does not allow attackers to escalate from unprivileged users, but surely attackers can hide better now. Group Managed Service Accounts are given more privileges than they really should be in many organizations. APTs that have a high interest in staying under the radar can take actions as a gMSA instead of a regular highly privileged user. That means they can keep a fine grip over the domain, leaving a much smaller footprint and reducing the chance of being detected.
