BadSuccessor: Abusing dMSA to Escalate Privileges in Active Directory

Listen to this Post

Featured Image
URL: https://lnkd.in/eec_pC9m
Detections: https://lnkd.in/eJ3wv9R3

You Should Know:

This research highlights a privilege escalation technique in Active Directory by abusing dMSA (Group Managed Service Accounts) and manipulating the `msDS-ManagedAccountPrecededByLink` attribute. Attackers can exploit this to gain elevated access stealthily.

Key Commands & Detection Steps

1. Check dMSA Accounts in AD:

Get-ADServiceAccount -Filter  -Properties msDS-ManagedAccountPrecededByLink 

2. Modify `msDS-ManagedAccountPrecededByLink` (Attack Simulation):

Set-ADServiceAccount -Identity "TargetMSA" -Replace @{"msDS-ManagedAccountPrecededByLink"="CN=Admin,DC=domain,DC=com"} 

3. Elastic Detection Rule (Sigma):

title: Suspicious dMSA Account Modification 
description: Detects first-time modification of msDS-ManagedAccountPrecededByLink 
logsource: 
product: windows 
service: security 
detection: 
selection: 
EventID: 5136 
AttributeLDAPDisplayName: msDS-ManagedAccountPrecededByLink 
condition: selection 

4. Monitor New dMSA Creation (PowerShell):

Get-WinEvent -LogName "Security" -FilterXPath "[System[EventID=4727]]" 

5. Linux-Based AD Audit (via `ldapsearch`):

ldapsearch -x -H ldap://domain-controller -D "[email protected]" -W -b "dc=domain,dc=com" "(objectClass=msDS-GroupManagedServiceAccount)" 

6. Windows Event Log Analysis (CMD):

wevtutil qe Security /q:"[System[(EventID=5136)]]" /f:text 

Mitigation Steps

  • Restrict `WriteProperty` permissions on dMSA objects.
  • Enable LDAP change auditing in Group Policy.
  • Monitor first-time SubjectUserName in dMSA modifications.

What Undercode Say

This attack vector demonstrates how attackers exploit AD misconfigurations for privilege escalation. Defenders must audit dMSA permissions and implement real-time detections. Elastic’s new rule helps, but manual log reviews remain critical.

Prediction

This technique will likely be weaponized in ransomware attacks targeting AD environments within 6 months.

Expected Output:

  • Detection alerts on suspicious dMSA modifications.
  • Logs showing unauthorized `msDS-ManagedAccountPrecededByLink` changes.
  • PowerShell/Windows events indicating new dMSA account creation.

References:

Reported By: Samir B – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

Join Our Cyber World:

💬 Whatsapp | 💬 Telegram