Cybersecurity researchers have unveiled a newly discovered post-exploitation technique targeting Microsoft Windows systems. Dubbed Golden DMSA (Golden Distributed Monitoring Service Account), this stealthy attack vector exploits Microsoft’s own Windows Management Infrastructure (WMI) architecture to maintain persistent, undetectable access on compromised machines — posing serious threats to enterprise networks.
The Golden DMSA attack enables adversaries to plant persistent payloads using legitimate WMI subscription mechanisms. The attackers leverage Distributed Monitoring Service Accounts — typically used by Microsoft System Center Operations Manager (SCOM) — to execute malicious activities under the guise of a trusted and authorized user account.
This is not just a new method — it’s a highly evasive technique. Threat actors can execute malicious scripts or commands without creating new services, registry modifications, or scheduled tasks, which are typically picked up by EDR (Endpoint Detection and Response) tools or SIEM solutions. The technique effectively bypasses detection by hiding within native system processes.
Microsoft’s System Center Operations Manager (SCOM) is used by enterprises to monitor IT infrastructure. It deploys agents across machines and leverages Delegated Managed Service Accounts (DMSA) to perform tasks and retrieve telemetry data.
Delegated Managed Service Accounts (DMSA) are a new feature introduced by Microsoft in Windows Server 2025, designed to replace legacy service accounts and help counter advanced threats like Kerberoasting attacks.
Unlike traditional service accounts, DMSAs bind authentication directly to authorized machine identities in Active Directory (AD). This prevents unauthorized usage and significantly reduces the chances of credential theft or lateral movement. By tying access control to device identity, only explicitly permitted machines can use the account, creating a robust layer of trust.
However, in the Golden DMSA attack, this very trust is abused. Threat actors hijack or spoof DMSA accounts to configure malicious WMI event subscriptions, thus creating a stealth persistence backdoor that looks like legitimate monitoring behavior.
Here’s what makes the Golden DMSA attack uniquely threatening:
No File Drops or Registry Modifications: Unlike traditional persistence mechanisms, this technique doesn’t rely on modifying the registry or dropping files, making it harder for EDR systems to detect.
Blends With Legitimate Traffic: Since DMSA accounts are used legitimately by SCOM, malicious behavior can be easily misattributed as normal system monitoring activity.
Bypasses Most Detection Tools: EDRs typically focus on well-known persistence techniques (scheduled tasks, registry run keys, services), but this method leverages WMI — an area often under-monitored.
Long-Term Persistence: Once set, the attacker’s payload can remain functional and dormant for long periods, surviving reboots and user logouts.
Discovery: The attacker identifies an organization running SCOM and using DMSA accounts.
Hijack or Spoof: They hijack a DMSA account or create a fake one with similar permissions.
WMI Subscription: The attacker sets up a WMI Event Consumer — a legitimate Windows mechanism — to execute payloads when specific triggers (like system reboot or user login) occur.
Execution: Malicious commands or scripts are executed invisibly, often leveraging PowerShell or VBScript.
Persistence: Since it’s tied to system events and hidden under the DMSA account, the attack remains under the radar.
Security tools that focus on signature-based detection are largely ineffective here. Most EDR solutions are not tuned to detect WMI-based persistence, especially when executed under legitimate accounts.
Moreover, since the DMSA account is seen as “trusted,” its actions often bypass heuristic anomaly-based monitoring too.
Security experts recommend the following steps to detect and defend against Golden DMSA-style attacks:
Audit WMI Subscriptions Regularly: Use PowerShell or WMI Explorer tools to list existing Event Filters, Consumers, and Bindings.
Monitor SCOM Account Usage: Track unusual activity or deviations in behavior by DMSA accounts using UEBA (User and Entity Behavior Analytics).
Isolate Monitoring Accounts: Limit DMSA privileges strictly to necessary operations and avoid giving them interactive login permissions.
Use Sysmon: Enable and configure Microsoft Sysmon to monitor WMI activity and log suspicious behavior.
Deploy Advanced Threat Detection Tools: Utilize XDR (Extended Detection and Response) platforms capable of correlating WMI activity across the enterprise.
Use Application Whitelisting: Tools like AppLocker or WDAC can prevent unauthorized script execution through WMI.
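A concrete starting point for the first recommendation, added here as an example (it is not code from the article, from Microsoft or from any named vendor): the script lists every filter-to-consumer binding in the root\subscription namespace, shows the triggering query, the consumer class and what it runs, and resolves the creating account so it can be compared with the accounts expected to manage monitoring on that host. The helper name Resolve-CreatorSid and the $codeRunning list are my own choices.

```powershell
# Added example, not from the article: enumerate permanent WMI event subscriptions
# and flag the bindings a WMI persistence backdoor would need. Run from an
# elevated Windows PowerShell prompt on the host being audited.
$ns = 'root\subscription'

$filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter
$consumers = Get-CimInstance -Namespace $ns -ClassName __EventConsumer
$bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding

# Consumer classes that run a command or a script when their filter fires.
$codeRunning = 'CommandLineEventConsumer', 'ActiveScriptEventConsumer'

# CreatorSID is stored as a byte array; translate it to an account name so the
# creator can be compared with the accounts that are supposed to manage monitoring.
function Resolve-CreatorSid([byte[]] $Sid) {
    if (-not $Sid) { return '<unknown>' }
    $s = New-Object System.Security.Principal.SecurityIdentifier($Sid, 0)
    try { $s.Translate([System.Security.Principal.NTAccount]).Value } catch { $s.Value }
}

$report = foreach ($b in $bindings) {
    # Binding properties are object references; resolve them to the full instances.
    $f = $filters   | Where-Object { $_.Name -eq $b.Filter.Name }   | Select-Object -First 1
    $c = $consumers | Where-Object { $_.Name -eq $b.Consumer.Name } | Select-Object -First 1
    $class = if ($c) { $c.CimClass.CimClassName } else { '<missing consumer>' }

    # What the consumer actually executes, depending on its class.
    $payload = switch ($class) {
        'CommandLineEventConsumer'  { $c.CommandLineTemplate }
        'ActiveScriptEventConsumer' { if ($c.ScriptFileName) { $c.ScriptFileName } else { $c.ScriptText } }
        default                     { '' }
    }

    [pscustomobject]@{
        Filter    = $b.Filter.Name
        Query     = if ($f) { $f.Query } else { '<missing filter>' }
        Consumer  = $b.Consumer.Name
        Class     = $class
        Payload   = $payload
        CreatedBy = Resolve-CreatorSid $b.CreatorSID
        # Review flag: a code-running consumer is the shape persistence takes; also
        # review any CreatedBy value that is not an expected monitoring account.
        Review    = ($codeRunning -contains $class)
    }
}

$report | Sort-Object Review -Descending | Format-Table -AutoSize -Wrap
```

This is a point-in-time snapshot; Sysmon event IDs 19, 20 and 21 record filter, consumer and binding creation as it happens, so pairing the two covers both existing and newly planted subscriptions.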
The Golden DMSA attack draws parallels to older WMI-based persistence techniques such as:
WMI Event Subscription Backdoors: First documented in 2015, these involved setting up malicious WMI consumers tied to system events.
APT Techniques: Advanced Persistent Threat groups like APT29 (Cozy Bear) have used WMI persistence in nation-state campaigns.
However, the use of legitimate enterprise monitoring tools like SCOM makes Golden DMSA more deceptive and harder to trace.
This discovery highlights a major blind spot in many organizations’ security frameworks. Monitoring and security teams often exclude trusted accounts and tools from their threat models, giving adversaries the perfect hiding place.
The Golden DMSA attack is a powerful example of how attackers continuously innovate to exploit trusted components in enterprise environments. As reliance on monitoring solutions like SCOM grows, so does the attack surface.
The Golden DMSA technique is a sobering reminder that attackers no longer need malware to compromise systems — they just need access and creativity. Security isn’t just about watching the doors and windows anymore; it’s also about knowing what’s happening inside the house, especially in the corners we think are safe.
Organizations must broaden their detection lenses, pay closer attention to WMI activity, and start treating every system process — even legitimate ones — with a degree of healthy suspicion.