Akamai Technologies researcher Yuval Gordon uncovered a critical Active Directory exploit called BadSuccessor, which abuses delegated Managed Service Accounts (dMSA) to escalate privileges. By creating and manipulating a dMSA object, an attacker can “Succeed” any user, inheriting their permissions.
Key Risks:
- Steal NTLM hashes and Kerberos keys (including krbtgt).
- Inherit and abuse the victim’s permissions.
- Bypass traditional detection (no DC code execution, no `ntds.dit` access, no RPC calls).
Critical Findings:
✅ Works in default AD configurations.
✅ 91% of environments allow non-Domain Admins to execute this attack.
🚨 No patch available—mitigation relies on proactive hardening.
PoC on GitHub: Akamai BadSuccessor Exploit
Full Research: BadSuccessor: Abusing dMSA
You Should Know: Mitigation & Detection Steps
1. Identify Vulnerable Permissions
Check for users with `msDS-GroupMSAMembership` write permissions:
```powershell
Get-ADObject -Identity "CN=System,DC=domain,DC=com" -Properties msDS-GroupMSAMembership | Select-Object msDS-GroupMSAMembership
```
2. Restrict dMSA Delegation
Remove unnecessary write permissions:
```powershell
Set-ADObject -Identity "CN=System,DC=domain,DC=com" -Replace @{ "msDS-GroupMSAMembership" = "RestrictedPrincipals" }
```
3. Monitor Suspicious dMSA Modifications
Enable Windows Event ID 5136 (Directory Service Changes) and filter for:
```xml
<QueryList>
  <Query Id="0" Path="Security">
    <!-- Event Viewer XPath filters must start with "*"; the EventID test keeps the match to 5136 -->
    <Select Path="Security">
      *[System[EventID=5136] and EventData[Data[@Name='ObjectClass'] = 'msDS-GroupManagedServiceAccount']]
    </Select>
  </Query>
</QueryList>
```
4. Block NTLM & Enforce Kerberos Armoring
Disable NTLM where possible:
```powershell
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "LmCompatibilityLevel" -Value 5
```
Enable Kerberos AES Encryption:
```powershell
# -KerberosEncryptionType is a parameter of Set-ADUser, not Set-ADAccountControl
Set-ADUser -Identity "User" -KerberosEncryptionType AES256
```
5. Hunt for Anomalous dMSA Activity
Use Sigma Rule to detect exploitation:
```yaml
title: Suspicious dMSA Modification
description: Detects unauthorized dMSA changes
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID: 5136
    ObjectClass: msDS-GroupManagedServiceAccount
  condition: selection
```
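As an added example (not code from the original post or from Akamai's research), a PowerShell function that applies the step 3 and step 5 logic to Event ID 5136 records: it parses the EventData fields and flags writes to dMSA objects or to the msDS-GroupMSAMembership attribute. It goes slightly beyond the page by also matching the msDS-DelegatedManagedServiceAccount object class; the sample record is constructed for the demo.

```powershell
# Added example (not from the original post or Akamai's PoC): parse Security
# Event ID 5136 records and flag changes touching dMSA objects or the
# msDS-GroupMSAMembership attribute. Field names are those of a real 5136 record.
$WatchedClasses    = @('msDS-GroupManagedServiceAccount', 'msDS-DelegatedManagedServiceAccount')
$WatchedAttributes = @('msDS-GroupMSAMembership')

function Get-DmsaChangeAlert {
    param([Parameter(Mandatory)][xml]$EventXml)
    $ns = New-Object System.Xml.XmlNamespaceManager($EventXml.NameTable)
    $ns.AddNamespace('e', 'http://schemas.microsoft.com/win/2004/08/events/event')
    $data = @{}
    foreach ($d in $EventXml.SelectNodes('//e:EventData/e:Data', $ns)) {
        $data[$d.GetAttribute('Name')] = $d.InnerText
    }
    $classHit = $WatchedClasses    -contains $data['ObjectClass']
    $attrHit  = $WatchedAttributes -contains $data['AttributeLDAPDisplayName']
    if (-not ($classHit -or $attrHit)) { return $null }   # nothing dMSA-related
    $reason = if ($classHit) { 'dMSA object modified' } else { 'watched attribute written' }
    [pscustomobject]@{
        Time      = $EventXml.Event.System.TimeCreated.SystemTime
        Subject   = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
        ObjectDN  = $data['ObjectDN']
        Class     = $data['ObjectClass']
        Attribute = $data['AttributeLDAPDisplayName']
        Value     = $data['AttributeValue']
        Reason    = $reason
    }
}

# Constructed sample 5136 record (trimmed to the fields the function reads).
$sample = [xml]@"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>5136</EventID><TimeCreated SystemTime="2025-05-22T10:15:00Z"/></System>
  <EventData>
    <Data Name="SubjectUserName">jdoe</Data>
    <Data Name="SubjectDomainName">CORP</Data>
    <Data Name="ObjectDN">CN=svc-new,OU=Temp,DC=corp,DC=local</Data>
    <Data Name="ObjectClass">msDS-DelegatedManagedServiceAccount</Data>
    <Data Name="AttributeLDAPDisplayName">msDS-GroupMSAMembership</Data>
    <Data Name="AttributeValue">(security descriptor omitted)</Data>
    <Data Name="OperationType">%%14674</Data>
  </EventData>
</Event>
"@
Get-DmsaChangeAlert -EventXml $sample | Format-List
# Live use on a DC with Directory Service Changes auditing enabled:
# Get-WinEvent -FilterHashtable @{LogName='Security'; Id=5136} |
#   ForEach-Object { Get-DmsaChangeAlert -EventXml ([xml]$_.ToXml()) } | Format-Table
```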
What Undercode Say
This exploit underscores weak delegation controls in Active Directory. Since Microsoft hasn’t patched it, defenders must:
– Audit dMSA permissions regularly.
– Restrict who can modify msDS-GroupMSAMembership.
– Assume breach—monitor for hash theft & lateral movement.
Expected Output:
```text
[+] dMSA Exploit Detected: Unauthorized privilege escalation attempt via BadSuccessor.
[+] Mitigation Applied: Restricted dMSA delegation & enforced Kerberos AES.
```
Prediction:
⚠️ APT groups will weaponize this within 3 months—patchless exploits are gold for ransomware operators.
Reported By: Mthomasson When – Hackers Feeds