TL;DR: A design flaw in Windows Server 2025 delegated Managed Service Accounts, called Golden dMSA, can enable password generation, cross-domain lateral movement, and indefinite persistence across Active Directory resources, according to Semperis research. The issue shows how identity controls for machine accounts can fail when the underlying password structure is predictable, not just poorly managed.
At a glance
What this is: Semperis research describes Golden dMSA as a Windows Server 2025 design flaw that can enable password generation, lateral movement, and persistent access in Active Directory.
Why it matters: It matters because identity teams have to treat managed service accounts as a privileged attack surface, with consequences for NHI governance, AD hardening, and hybrid identity response.
By the numbers:
- Semperis says over 100 million identities are protected by its technology across hybrid and multi-cloud environments.
- Only 5.7% of organisations have full visibility into their service accounts.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
👉 Read Semperis' research on Golden dMSA and delegated Managed Service Accounts
Context
Golden dMSA is a machine identity problem in Active Directory, not just a Windows feature issue. The research points to delegated Managed Service Accounts as a place where identity design, cryptographic assumptions, and privilege boundaries intersect in ways many programmes do not inspect closely enough.
For IAM and NHI teams, the key issue is that managed service accounts are often treated as infrastructure plumbing rather than governed identities. Once those accounts can be predictably derived or abused, the control gap becomes a persistence problem, a lateral movement problem, and a lifecycle problem at the same time.
Key questions
Q: What breaks when delegated Managed Service Accounts can be derived offline?
A: The trust model breaks first. If attackers can derive account material from predictable identity inputs, the account is no longer a secret that only the platform holds. That means normal rotation, review, and monitoring can all be bypassed by a recovered credential path rather than an interactive compromise.
Q: Why do machine identities create larger lateral movement risk than teams expect?
A: Machine identities often have wider, longer-lived access than human users and are embedded in application dependencies. When those identities cross domains or service boundaries, a single compromise can pivot into multiple systems. That is why service-account governance belongs in the same conversation as access containment and directory design.
Q: How do security teams know when service account governance is failing?
A: A warning sign is any account with broad reach, unclear ownership, or access that outlives the application or team that created it. If revocation depends on manual discovery or periodic review alone, governance is already lagging the attack surface. The control signal is whether every account has a current owner and a clear revoke path.
Q: What should teams do first after discovering a privileged machine identity flaw?
A: Contain the trust boundary before you try to clean up the account state. That means isolating affected domains, revoking unnecessary delegation, and validating which dependent systems still require the identity. If persistence is possible, response has to assume the attacker may still hold access after the initial fix.
Technical breakdown
Predictable ManagedPasswordId values and offline password generation
Golden dMSA exploits the structure behind delegated Managed Service Accounts by targeting the ManagedPasswordId data used to derive account passwords. Semperis says the time-based components leave only 1,024 combinations, which makes brute-force derivation computationally trivial compared with normal credential recovery. The important architectural point is that the weakness sits in the password generation model, not in a misconfiguration layered on top. When a security control assumes password entropy but the identity primitive is partially enumerable, the attacker does not need to break the system in the usual sense.
Practical implication: treat dMSA password derivation as a design-risk review, not a routine hardening task, and validate whether delegated Managed Service Accounts introduce derivation risk before trusting them for privileged automation.
Cross-domain lateral movement through managed service account trust
Because delegated Managed Service Accounts can span resources across Active Directory, compromise is not limited to one host or one workload. If an attacker can generate or reuse the account material, the identity becomes a pathway into adjacent domains and managed resources that were assumed to be separated by trust boundaries. That makes the problem structurally closer to identity pivoting than to endpoint compromise. In practice, the account is both the access token and the route to broader authorization.
Practical implication: map every dMSA trust relationship, treat cross-domain reach as a containment boundary rather than a convenience feature, and remove unnecessary delegation before trust paths become pivot routes.
Indefinite persistence in Active Directory
A compromised managed service account can remain useful long after the initial flaw is understood because the access is embedded in identity state, not in a one-time exploit artifact. Semperis highlights persistent access across managed service account resources, which means revocation and offboarding become central, not optional. This is the same basic identity lesson seen in many NHI incidents: if the account outlives the review cycle, it can outlive the response.
Practical implication: tie managed service account review and revocation to ownership and dependency changes, not just calendar rotation, so persistence cannot survive routine reviews.
Threat narrative
Attacker objective: The attacker wants durable, cross-domain control of privileged identity paths inside Active Directory.
- Entry occurs when an attacker targets the predictable ManagedPasswordId structure behind delegated Managed Service Accounts and derives usable account material offline.
- Escalation follows when the attacker uses that identity to move across domains and reach additional managed service account resources in Active Directory.
- Impact is persistent access across multiple managed identities and their resources, with the attacker able to remain embedded in the directory environment indefinitely.
Breaches seen in the wild
- Cisco Active Directory credentials breach — Kraken ransomware group leaked Cisco Active Directory credentials.
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Golden dMSA is an identity design flaw, not a routine misconfiguration. The problem is that delegated Managed Service Accounts were built on assumptions about password structure and trust containment that do not hold once the identity primitive is enumerable. When the password basis can be derived from a small search space, the account ceases to be a protected secret and becomes a recoverable access object. For practitioners, the implication is that dMSA risk has to be assessed at the identity-design layer, not only at the server-hardening layer.
Managed service accounts are now a cross-domain blast-radius issue. Semperis' research shows that the flaw can lead to lateral movement across Active Directory domains and into all managed service account resources. That is a governance problem because the account boundaries no longer match the business boundaries they were meant to support. Identity teams should assume that any delegated account with broad reach is a potential pivot point, not a local convenience account.
Standing privilege in machine identities remains the easiest path to durable compromise. The article reinforces a pattern we see repeatedly in NHI incidents: once a machine identity can be reused indefinitely, the attacker does not need to win again. That persistence is what turns a single design flaw into a programme-level exposure, especially in hybrid identity estates where AD remains the trust anchor.
Identity review cycles do not compensate for recoverable credentials. If an attacker can derive the access material offline, traditional review and recertification processes arrive too late to matter. The field needs to treat cryptographic predictability as a governance failure mode in its own right, because the control premise breaks before the reviewer ever sees the account. For security leaders, this is a signal to tighten the relationship between identity design review and operational access governance.
Golden dMSA sharpens the case for machine identity lifecycle control. The named concept here is identity derivation debt: the gap between an account that appears governed and an identity that can still be regenerated or reused by an attacker. That debt accumulates when lifecycle ownership, trust scope, and revocation are not aligned. Practitioners should treat the debt as a measurable risk indicator in Active Directory governance.
From our research:
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to Ultimate Guide to NHIs.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
- That gap is why identity teams should revisit Ultimate Guide to NHIs, Lifecycle Processes for Managing NHIs and 52 NHI Breaches Analysis when hardening machine identity governance.
What this signals
Identity derivation debt is the right lens for this kind of flaw: an identity appears governed, but its secret material can still be reconstructed by an attacker. For programmes that still treat service accounts as background plumbing, the practical shift is to evaluate whether access can be recovered faster than it can be revoked.
Semperis' research is a reminder that Active Directory remains a high-value identity trust anchor, so dMSA governance cannot sit outside broader IAM and PAM processes. Teams should connect directory hardening, machine-account ownership, and incident response so that one compromised identity does not become a durable foothold.
With only 5.7% of organisations having full visibility into their service accounts, the management challenge is already structural. The next step is to pair that visibility with lifecycle control and directory segmentation before recoverable credentials become operationally normal.
For practitioners
- Review delegated Managed Service Accounts for derivation risk: Identify whether any dMSA implementations rely on predictable password material or weak entropy assumptions. Prioritise accounts with elevated reach across domains and document where the identity model depends on generated secrets rather than managed rotation.
- Map cross-domain trust paths for every managed service account: Build a directory-level inventory of where each managed service account can authenticate, what resources it can reach, and which trust relationships extend that access. Remove unnecessary delegation and treat broad reach as a containment defect.
- Tie machine-account revocation to ownership changes: Offboarding and reassignment should revoke or reissue managed service account access when the system owner, vendor relationship, or application dependency changes. Do not rely on periodic reviews to catch identities that can remain valid indefinitely.
- Test persistence scenarios in Active Directory response plans: Run tabletop exercises that assume a compromised machine identity can survive normal remediation and continue moving laterally. Verify that incident response can isolate account scope, break trust chains, and identify every downstream dependency before closure.
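The review, trust-mapping and revocation items above all start from the same artefact: a directory-level inventory of managed service accounts that records who owns each one, who is allowed to retrieve its password, and how old its password material is. The PowerShell script below is an added example of that inventory; it is not code from Semperis or from NHI Mgmt Group. It assumes the RSAT ActiveDirectory module, read access to the domain, the objectClass names Windows uses for group and delegated managed service accounts, a 30-day rotation window, and a list of "broad" groups, all of which are labelled as assumptions in the comments and should be adjusted to the environment.

```powershell
# Added example (not from Semperis or NHI Mgmt Group): inventory gMSA/dMSA objects
# and flag the governance gaps described in the practitioner list above:
# no recorded owner, broad or cross-domain principals allowed to retrieve the
# managed password, and password material older than the rotation window.
# Requires the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

$domain     = Get-ADDomain
$domainDn   = $domain.DistinguishedName
$trustNames = @(Get-ADTrust -Filter * | Select-Object -ExpandProperty Name)   # may be empty

# Assumption: groups this wide make password retrieval effectively unscoped
$broadGroups  = @('Domain Computers', 'Domain Users', 'Authenticated Users', 'Everyone')
# Assumption: illustrative threshold; adjust to the configured managed password interval
$rotationDays = 30

$props = 'Description', 'ManagedBy', 'Created', 'PasswordLastSet',
         'PrincipalsAllowedToRetrieveManagedPassword'

$report = foreach ($acct in Get-ADServiceAccount -Filter * -Properties $props) {
    # Assumption: objectClass names used by Windows for the two managed account kinds
    $kind = switch ($acct.ObjectClass) {
        'msDS-DelegatedManagedServiceAccount' { 'dMSA' }
        'msDS-GroupManagedServiceAccount'     { 'gMSA' }
        default                               { $acct.ObjectClass }
    }

    # Principals permitted to fetch the managed password, as distinguished names
    $retrievers = @($acct.PrincipalsAllowedToRetrieveManagedPassword)

    # Cross-domain reach: a retriever outside this domain's naming context, or a
    # foreign security principal (how trusted-domain SIDs appear in the local directory)
    $foreign = @($retrievers | Where-Object {
        ($_ -notlike "*$domainDn") -or ($_ -like '*CN=ForeignSecurityPrincipals,*')
    })

    # Broad retrieval scope: any retriever that is one of the wide groups above
    $broad = @($retrievers | Where-Object {
        $dn = $_
        $broadGroups | Where-Object { $dn -like "CN=$_,*" }
    })

    $ageDays = if ($acct.PasswordLastSet) {
        [int]((Get-Date) - $acct.PasswordLastSet).TotalDays
    } else { $null }

    $findings = @()
    if (-not $acct.ManagedBy -and -not $acct.Description)  { $findings += 'NoRecordedOwner' }
    if ($foreign.Count -gt 0)                              { $findings += 'CrossDomainReach' }
    if ($broad.Count -gt 0)                                { $findings += 'BroadRetrievalScope' }
    if ($null -eq $ageDays -or $ageDays -gt $rotationDays) { $findings += 'StalePasswordMaterial' }

    [pscustomobject]@{
        Name            = $acct.Name
        Kind            = $kind
        Owner           = $acct.ManagedBy
        Created         = $acct.Created
        PasswordAgeDays = $ageDays
        Retrievers      = ($retrievers -join ';')
        Findings        = ($findings -join ',')
    }
}

# Accounts with findings first; keep the full inventory as the review record
$report | Sort-Object { $_.Findings -eq '' }, Name | Format-Table -AutoSize
$report | Export-Csv -NoTypeInformation -Path '.\msa-inventory.csv'

# Trust context for the CrossDomainReach finding: which domains this domain trusts
$trustList = if ($trustNames) { $trustNames -join ', ' } else { 'none' }
"Trusts seen from $($domain.DNSRoot): $trustList"
```

Run it once per domain in the forest; the CrossDomainReach flag only tells you that a retriever lives outside the local naming context, so the trust list printed at the end is what turns that flag into a concrete path to remove or justify. The NoRecordedOwner flag is the input for the revocation item: an account with no ManagedBy and no Description has no owner whose departure or reassignment could trigger a revoke.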
Key takeaways
- Golden dMSA shows that machine identities can become persistence mechanisms when their password material is predictable.
- The scale of the risk is amplified by cross-domain reach and the tendency for service accounts to carry excessive privilege.
- The control that matters most is identity governance that ties ownership, delegation scope, and revocation to the real lifecycle of the account.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Covers weak credential lifecycle and rotation risks in machine identities. |
| NIST CSF 2.0 | PR.AC-4 | Access permissions and least privilege are central to dMSA containment. |
| NIST Zero Trust (SP 800-207) | SC-7 | Cross-domain trust abuse maps to boundary protection and segmentation. |
Segment Active Directory trust paths so one machine identity cannot traverse unnecessary resource boundaries.
Key terms
- Delegated Managed Service Account: A delegated managed service account is a machine identity in Windows that is designed to hold and use credentials on behalf of a service. In practice, it can simplify administration, but it also concentrates privilege and trust in an identity object that must be governed like any other high-value access path.
- Identity Derivation Debt: Identity derivation debt is the risk that builds when an account appears controlled but its credential material can still be reconstructed, reused, or predictably generated by an attacker. It is a governance failure as much as a technical one, because ownership, revocation, and trust boundaries no longer match the real exposure.
- Cross-domain Lateral Movement: Cross-domain lateral movement is the ability to pivot from one identity boundary into another using trusted access relationships. In Active Directory environments, it means a compromised account can move beyond its intended scope and reach additional resources, turning one access issue into a broader containment failure.
- Standing Privilege: Standing privilege is persistent access that remains available without needing fresh approval or just-in-time provisioning. For machine identities, standing privilege is especially risky because the account may keep access long after the original need has changed, allowing attackers to reuse it for sustained activity.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by Semperis: Golden dMSA research on delegated Managed Service Accounts in Windows Server 2025. Read the original.
Published by the NHIMG editorial team on 2025-07-16.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org