Listen to this Post

A new critical vulnerability dubbed BadSuccessor has been discovered in Windows Server 2025’s Active Directory, allowing attackers to fully compromise a domain by abusing delegated Managed Service Accounts (dMSA). This attack enables threat actors to:
✅ Steal NTLM hashes & Kerberos keys (including krbtgt)
✅ Inherit and abuse any user’s permissions
✅ Bypass traditional detection (no DC code execution, no RPC calls)
Attack Path:
1. Attacker creates a malicious dMSA object.
- Exploits the “Successor” feature to inherit target user privileges.
3. Gains full domain persistence.
You Should Know:
Detection & Mitigation Steps
1. Check for Vulnerable Permissions (PowerShell)
Get-ADObject -Filter {msDS-AssignedAuthNPolicy -like ""} -Properties msDS-AssignedAuthNPolicy | Select-Object Name, DistinguishedName
2. Identify Suspicious dMSA Creation (Windows Event Logs)
Get-WinEvent -LogName "Security" -FilterXPath "[System[EventID=5136]]" | Where-Object { $_.Message -match "dMSA" }
3. Mitigation (Disable dMSA Delegation)
Set-ADObject -Identity "CN=dMSA,CN=System,DC=domain,DC=com" -Replace @{ "msDS-AllowedToDelegateTo" = $null }
4. Monitor Kerberos TGT Requests (Linux + Python)
from impacket.krb5 import constants tcpdump -i eth0 'port 88' -w kerberos_traffic.pcap
5. Restrict dMSA Permissions (ADSI Edit)
- Navigate to `CN=System,DC=domain,DC=com`
- Modify `msDS-AllowedToActOnBehalfOfOtherIdentity`
Expected Exploit Code (Proof of Concept)
from impacket.ldap import ldap
conn = ldap.LDAPConnection("ldap://DC01.domain.com")
conn.search("CN=dMSA,CN=System,DC=domain,DC=com", "(objectClass=)")
conn.add("CN=Malicious_dMSA,CN=System,DC=domain,DC=com", {"objectClass": "msDS-ManagedServiceAccount"})
What Undercode Say:
This vulnerability is high-risk due to its low complexity and high impact. Since Microsoft has no immediate patch, defenders must:
– Audit all dMSA objects.
– Restrict delegation rights.
– Monitor Kerberos & LDAP traffic.
Expected Output:
[+] Detected dMSA abuse attempt from IP: 192.168.1.100 [+] Blocked unauthorized TGT request for krbtgt
Prediction:
Microsoft will release an out-of-band patch within 3 months due to rising exploitation. Enterprises delaying mitigation will face ransomware & lateral movement attacks.
🔗 Reference: Akamai BadSuccessor Blog
References:
Reported By: Spenceralessi Activedirectory – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


