dMSA Ouroboros: Self-Sustaining Credential Extraction in Windows Server 2025
ID: 5f55d8bf-77b2-58a7-995a-92c09b0ec5ee
STIX ID: report--5f55d8bf-77b2-58a7-995a-92c09b0ec5ee
Feed Name: Huntress Blog
This research describes "dMSA Ouroboros," a technique that abuses delegated CreateChild and WriteProperty rights to create a delegated Managed Service Account (dMSA). The attacker plants a Shadow Credential (msDS-KeyCredentialLink) on the dMSA and enrolls the dMSA's own SID into its msDS-GroupMSAMembership, so the dMSA can authenticate via PKINIT and repeatedly retrieve the superseded account's NT hash from the KERB-DMSA-KEY-PACKAGE. Once set up, the chain is self-sustaining: it survives password rotation and deletion of the attacker's original account, can lock Domain Admins out of remediation, and evades Credential Guard. The report includes proof-of-concept steps, detection guidance (event IDs and BloodHound edges), and recommends deleting the compromised dMSA objects as the only reliable remediation.
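The following PowerShell hunt is an added example, not code from the Huntress post. It enumerates dMSA objects and flags the two persistence indicators the summary describes: a dMSA whose msDS-GroupMSAMembership descriptor grants its own SID, and a populated msDS-KeyCredentialLink (Shadow Credential) on the same object. It assumes the RSAT ActiveDirectory module on a domain-joined host with read access to the dMSA objects; the attribute names are the documented dMSA schema attributes, and the function name is an assumption.

```powershell
# Added example (not Huntress code). Assumes RSAT ActiveDirectory module and
# read access to msDS-DelegatedManagedServiceAccount objects in the domain.
Import-Module ActiveDirectory

function ConvertTo-SdBytes {
    param($Value)
    # Get-ADObject normally returns security-descriptor attributes as
    # ActiveDirectorySecurity; some code paths hand back the raw byte[].
    if ($Value -is [byte[]]) { return $Value }
    if ($Value -is [System.DirectoryServices.ActiveDirectorySecurity]) {
        return $Value.GetSecurityDescriptorBinaryForm()
    }
    return $null
}

function Get-GroupMsaMembershipSids {
    param($MembershipValue)
    # Parse the msDS-GroupMSAMembership DACL and return the SIDs it grants.
    $bytes = ConvertTo-SdBytes $MembershipValue
    if (-not $bytes) { return @() }
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($bytes, 0)
    $sids = @()
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -is [System.Security.AccessControl.KnownAce]) {
            $sids += $ace.SecurityIdentifier
        }
    }
    return $sids
}

function Find-SelfEnrolledDmsa {
    # Flag dMSAs that can retrieve their own password (self-enrolled SID) and
    # carry a Shadow Credential; both together match the Ouroboros pattern.
    $dmsas = Get-ADObject -LDAPFilter '(objectClass=msDS-DelegatedManagedServiceAccount)' `
        -Properties objectSid, 'msDS-GroupMSAMembership', 'msDS-KeyCredentialLink', `
                    'msDS-ManagedAccountPrecededByLink', 'msDS-DelegatedMSAState'

    foreach ($d in $dmsas) {
        $grantedSids   = Get-GroupMsaMembershipSids $d.'msDS-GroupMSAMembership'
        $selfEnrolled  = [bool]($grantedSids | Where-Object { $_ -eq $d.objectSid })
        $hasShadowCred = (@($d.'msDS-KeyCredentialLink')).Count -gt 0

        [pscustomobject]@{
            DistinguishedName = $d.DistinguishedName
            SupersededAccount = $d.'msDS-ManagedAccountPrecededByLink'
            MigrationState    = $d.'msDS-DelegatedMSAState'
            SelfEnrolled      = $selfEnrolled
            HasShadowCred     = $hasShadowCred
            # Either indicator alone deserves review; both together is the
            # self-sustaining chain described in the report.
            Suspicious        = ($selfEnrolled -or $hasShadowCred)
        }
    }
}

# Usage: list every dMSA, sorted so the suspicious ones come first.
Find-SelfEnrolledDmsa | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Treat the output as triage input, not as an automatic remediation trigger: a legitimately migrated dMSA will have msDS-ManagedAccountPrecededByLink set, so that field alone is not evidence of abuse. The self-enrolled SID and the Shadow Credential are the abnormal conditions, and since the report notes that resetting passwords does not break the chain, confirmed hits should be escalated for deletion of the dMSA object rather than credential rotation.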
