BadSuccessor – Active Directory Privilege Escalation Vulnerability in Windows Server 2025

Listen to this Post

Featured Image
A new critical vulnerability dubbed BadSuccessor has been discovered in Windows Server 2025’s Active Directory, allowing attackers to fully compromise a domain by abusing delegated Managed Service Accounts (dMSA). This attack enables threat actors to:
✅ Steal NTLM hashes & Kerberos keys (including krbtgt)

✅ Inherit and abuse any user’s permissions

✅ Bypass traditional detection (no DC code execution, no RPC calls)

Attack Path:

1. Attacker creates a malicious dMSA object.

  1. Exploits the “Successor” feature to inherit target user privileges.

3. Gains full domain persistence.

You Should Know:

Detection & Mitigation Steps

1. Check for Vulnerable Permissions (PowerShell)

Get-ADObject -Filter {msDS-AssignedAuthNPolicy -like ""} -Properties msDS-AssignedAuthNPolicy | Select-Object Name, DistinguishedName 

2. Identify Suspicious dMSA Creation (Windows Event Logs)

Get-WinEvent -LogName "Security" -FilterXPath "[System[EventID=5136]]" | Where-Object { $_.Message -match "dMSA" } 

3. Mitigation (Disable dMSA Delegation)

Set-ADObject -Identity "CN=dMSA,CN=System,DC=domain,DC=com" -Replace @{ "msDS-AllowedToDelegateTo" = $null } 

4. Monitor Kerberos TGT Requests (Linux + Python)

from impacket.krb5 import constants 
tcpdump -i eth0 'port 88' -w kerberos_traffic.pcap 

5. Restrict dMSA Permissions (ADSI Edit)

  • Navigate to `CN=System,DC=domain,DC=com`
  • Modify `msDS-AllowedToActOnBehalfOfOtherIdentity`

Expected Exploit Code (Proof of Concept)

from impacket.ldap import ldap 
conn = ldap.LDAPConnection("ldap://DC01.domain.com") 
conn.search("CN=dMSA,CN=System,DC=domain,DC=com", "(objectClass=)") 
conn.add("CN=Malicious_dMSA,CN=System,DC=domain,DC=com", {"objectClass": "msDS-ManagedServiceAccount"}) 

What Undercode Say:

This vulnerability is high-risk due to its low complexity and high impact. Since Microsoft has no immediate patch, defenders must:
– Audit all dMSA objects.
– Restrict delegation rights.
– Monitor Kerberos & LDAP traffic.

Expected Output:

[+] Detected dMSA abuse attempt from IP: 192.168.1.100 
[+] Blocked unauthorized TGT request for krbtgt 

Prediction:

Microsoft will release an out-of-band patch within 3 months due to rising exploitation. Enterprises delaying mitigation will face ransomware & lateral movement attacks.

🔗 Reference: Akamai BadSuccessor Blog

References:

Reported By: Spenceralessi Activedirectory – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

Join Our Cyber World:

💬 Whatsapp | 💬 Telegram