BadSuccessor Attack: Mitigating Active Directory Privilege Escalation via dMSA Abuse


The BadSuccessor attack, discovered by Yuval Gordon, exploits Delegated Managed Service Accounts (dMSAs) in Active Directory (AD) environments. Attackers abuse Organizational Unit (OU) permissions delegated to non-Tier Zero accounts to create or modify dMSAs, which can lead to a full forest takeover.

Key Risks:

  • Non-Tier Zero accounts with OU delegation can create malicious dMSAs.
  • Attackers manipulate `msDS-AccountPrecededByLink` to escalate privileges.
  • Implicit Owner Rights on dMSA objects can be abused.

Mitigation Steps:

1. Restrict dMSA Creation:

  • Remove unnecessary OU delegation from non-Tier Zero accounts.
  • Apply targeted ACEs (Access Control Entries) to deny:
      • dMSA creation
      • Owner Rights abuse
      • Modification of `msDS-AccountPrecededByLink`

2. Audit OU Permissions:

Use Cypher queries to detect non-Tier Zero accounts with excessive OU permissions.

3. Implement Least Privilege:

  • Restrict Delegated Admin Rights to only necessary accounts.
  • Monitor AD object modifications using Windows Event Logs.

You Should Know: Hardening AD Against BadSuccessor

1. PowerShell: Apply Targeted ACEs

# Deny dMSA creation on an OU for a non-Tier Zero group
Import-Module ActiveDirectory
$OU = "OU=Servers,DC=domain,DC=com"
# The ACE constructor needs an IdentityReference, not a bare string
$DenyPrincipal = New-Object System.Security.Principal.NTAccount("NonTier0Group")
# schemaIDGUID of the dMSA object class as given in the original post; confirm it against
# the msDS-DelegatedManagedServiceAccount class in your own schema before deploying
$dMSAClassGuid = [Guid]"bf967aa8-0de6-11d0-a285-00aa003049e2"
$DenyACE = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $DenyPrincipal,
    [System.DirectoryServices.ActiveDirectoryRights]::CreateChild,
    [System.Security.AccessControl.AccessControlType]::Deny,
    $dMSAClassGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
)
$ACL = Get-Acl -Path "AD:\$OU"
$ACL.AddAccessRule($DenyACE)
Set-Acl -Path "AD:\$OU" -AclObject $ACL

2. Detect Risky OU Delegations

# Find OUs where non-Tier Zero principals hold write or create rights (Allow ACEs only)
Import-Module ActiveDirectory
Get-ADOrganizationalUnit -Filter * | ForEach-Object {
    $OU = $_.DistinguishedName
    (Get-Acl -Path "AD:\$OU").Access | Where-Object {
        ($_.AccessControlType -eq "Allow") -and
        ($_.IdentityReference -notlike "*Tier0*") -and
        ($_.ActiveDirectoryRights -match "WriteProperty|GenericAll|CreateChild")
    } | Select-Object @{Name = "OU"; Expression = { $OU }}, IdentityReference, ActiveDirectoryRights
}

3. Linux (AD Audit via ldapsearch)

# Dump the security descriptor of every OU; BIND_USER is a placeholder for your audit account.
# nTSecurityDescriptor comes back base64-encoded and must be decoded to read the DACL.
ldapsearch -x -H ldap://domain-controller -D "BIND_USER@domain.com" -W -b "DC=domain,DC=com" "(objectClass=organizationalUnit)" dn nTSecurityDescriptor

4. Windows Event Log Monitoring

# Event 5136 (Directory Service Changes) is only logged when the "Audit Directory Service
# Changes" subcategory is enabled and the objects carry a SACL; the XPath needs a leading "*"
Get-WinEvent -LogName "Security" -FilterXPath "*[System[EventID=5136]]" |
    Where-Object { $_.Message -match "msDS-AccountPrecededByLink" }
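Matching on the event Message text, as above, is fragile; the structured EventData fields of a 5136 event are easier to reason about. The following is an added example (not from the original post) that parses exported 5136 EventData XML and flags a non-Tier Zero principal adding a succession link to a dMSA object. The Tier Zero allow-list and the sample events are constructed for illustration; the class name msDS-DelegatedManagedServiceAccount and the OperationType code %%14674 ("Value Added") are standard AD values, and the link attribute is matched on its PrecededByLink suffix so the spelling used in this post is covered.

```python
import re
import xml.etree.ElementTree as ET

DMSA_CLASS = "msDS-DelegatedManagedServiceAccount"
# Match the link attribute by suffix so the name as written in the post is caught.
LINK_ATTR = re.compile(r"PrecededByLink$", re.IGNORECASE)
TIER0_ACCOUNTS = {"T0-ADMIN$", "DCSYNC-SVC"}  # constructed allow-list (assumption)
VALUE_ADDED = "%%14674"  # 5136 OperationType code for "Value Added"

def parse_5136(event_xml: str) -> dict:
    """Return the <Data Name=...> fields of one 5136 EventData block as a dict."""
    root = ET.fromstring(event_xml)
    return {d.get("Name"): (d.text or "") for d in root.iter("Data")}

def is_suspicious(fields: dict) -> bool:
    """True when a non-Tier Zero principal adds a succession link to a dMSA."""
    return (
        fields.get("ObjectClass", "").lower() == DMSA_CLASS.lower()
        and bool(LINK_ATTR.search(fields.get("AttributeLDAPDisplayName", "")))
        and fields.get("OperationType") == VALUE_ADDED
        and fields.get("SubjectUserName", "").upper() not in TIER0_ACCOUNTS
    )

def scan(events):
    """Yield (subject, dMSA DN, linked predecessor) for each suspicious event."""
    for f in map(parse_5136, events):
        if is_suspicious(f):
            yield f["SubjectUserName"], f["ObjectDN"], f["AttributeValue"]

def _event(subject, obj_class, attr, value, op=VALUE_ADDED):
    # Constructed 5136 EventData fragment carrying only the fields the detector uses.
    return (f'<EventData><Data Name="SubjectUserName">{subject}</Data>'
            f'<Data Name="ObjectDN">CN=svc-new,OU=Servers,DC=domain,DC=com</Data>'
            f'<Data Name="ObjectClass">{obj_class}</Data>'
            f'<Data Name="AttributeLDAPDisplayName">{attr}</Data>'
            f'<Data Name="AttributeValue">{value}</Data>'
            f'<Data Name="OperationType">{op}</Data></EventData>')

SAMPLE_EVENTS = [  # constructed sample events
    _event("jdoe", DMSA_CLASS, "msDS-AccountPrecededByLink",
           "CN=Administrator,CN=Users,DC=domain,DC=com"),  # escalation attempt
    _event("T0-ADMIN$", DMSA_CLASS, "msDS-AccountPrecededByLink",
           "CN=oldsvc,OU=Servers,DC=domain,DC=com"),       # sanctioned migration
    _event("jdoe", "user", "description", "helpdesk note"),  # unrelated change
]

if __name__ == "__main__":
    for subject, dn, link in scan(SAMPLE_EVENTS):
        print(f"ALERT: {subject} linked {dn} to {link}")
```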

What Undercode Say

The BadSuccessor attack highlights critical AD misconfigurations that attackers exploit for privilege escalation. While Microsoft must address the root cause, defenders can mitigate risk by:
– Enforcing least privilege on OU delegations.
– Blocking dMSA abuse via custom ACEs.
– Continuous monitoring of AD permission changes.

Expected Output:

  • Secure AD environment with reduced attack surface.
  • Detection of suspicious dMSA modifications.
  • Compliance with Tier Zero security best practices.

Prediction

Future AD attacks will increasingly target delegated permissions and misconfigured service accounts. Organizations must automate AD hardening and adopt Zero Trust principles to prevent similar exploits.


Reported By: Jimsykora Badsuccessor – Hackers Feeds
