BadSuccessor: Abusing dMSA to Escalate Privileges in Active Directory

Listen to this Post

Featured Image
Full domain takeover by creating a dMSA child account is a critical Active Directory privilege escalation vulnerability. Attackers can exploit Delegated Managed Service Accounts (dMSA) to gain unauthorized control over an entire domain.

Read the full article here: Akamai – BadSuccessor: Abusing dMSA

You Should Know:

1. Understanding dMSA & Attack Path

Delegated Managed Service Accounts (dMSA) allow child domains to manage service accounts. Attackers abuse this by:
– Creating a malicious dMSA child account.
– Leveraging it for domain escalation.

2. Exploitation Steps (Verified Commands)

 Check if dMSA is enabled in the domain 
Get-ADObject -Identity "CN=Delegated Managed Service Accounts,CN=System,DC=domain,DC=com"

Create a malicious dMSA account 
New-ADServiceAccount -Name "MaliciousSvc" -Enabled $true -DNSHostName "evil.domain.com"

Grant excessive privileges 
Add-ADGroupMember -Identity "Domain Admins" -Members "MaliciousSvc" 

3. Detection & Mitigation

Detect Suspicious dMSA Activity:

 Monitor dMSA creation events 
Get-WinEvent -LogName "Security" -FilterXPath "[EventData[Data[@Name='TargetAccountName']='MaliciousSvc']]" 

Mitigation Steps:

  • Restrict dMSA creation rights to trusted admins.
  • Enable privileged access auditing.

4. Linux-Based Detection (If AD Integrated)

 Query AD logs for dMSA abuse (using ldapsearch) 
ldapsearch -x -H ldap://domaincontroller -D "[email protected]" -W -b "DC=domain,DC=com" "(objectClass=msDS-GroupManagedServiceAccount)" 

What Undercode Say:

This attack demonstrates how misconfigured delegation in Active Directory can lead to full domain compromise. Organizations must:
– Audit dMSA permissions regularly.
– Implement least privilege for service accounts.
– Monitor child domain trust abuses.

Expected Output:

[/bash]
Security Event ID 4720 – A user account was created

Account Name: MaliciousSvc

Creator: AttackerUser

Privileges Assigned: Domain Admin


Prediction: 
Future AD attacks will increasingly exploit delegation misconfigurations, requiring stricter controls over child domain trusts and service account permissions.

Relevant Commands Recap: 
[bash]
 Disable unnecessary dMSA delegation 
Set-ADObject -Identity "CN=Delegated Managed Service Accounts,CN=System,DC=domain,DC=com" -Replace @{"msDS-AllowedToDelegateTo"=$null}

Verify mitigations 
Get-ADObject -Identity "CN=Delegated Managed Service Accounts,CN=System,DC=domain,DC=com" -Properties msDS-AllowedToDelegateTo 

Expected Output:

[/bash]

No unauthorized dMSA accounts detected.

Delegation permissions restricted.

[bash]

References:

Reported By: Brianalmond Badsuccessor – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

Join Our Cyber World:

💬 Whatsapp | 💬 Telegram