Listen to this Post

🛑 BadSuccessor is the newly discovered vulnerability shaking Microsoft’s ecosystem, enabling critical privilege escalation on Windows Server 2025. This flaw allows total domain compromise under default configurations. While Windows Server 2025 isn’t widely deployed yet, the potential impact is severe.
🔎 The Exploit:
The vulnerability exploits delegated Managed Service Accounts (dMSA), a new feature in Windows Server 2025. An attacker can create a dMSA object and “succeed” any Active Directory (AD) user—inheriting their permissions.
You Should Know:
- NTLM hashes & Kerberos keys (including
krbtgt) can be stolen. - Attackers gain full user rights without triggering standard detection (no DC code execution, no `ntds.dit` modification, no RPC requests).
- Microsoft has acknowledged the issue and is working on a patch, but fixing delegation logic in AD is complex.
Exploitation & Mitigation Steps
1. Verify Vulnerability Exposure
Check if your system is vulnerable:
Get-WindowsFeature -Name "RSAT-AD-PowerShell" | Install-WindowsFeature Import-Module ActiveDirectory Get-ADOptionalFeature -Filter | Where-Object Name -like "dMSA"
- Test with Proof of Concept (PoC) Scripts
- BadSuccessor Test Script: Download Here
- SharpSuccessor (Full PoC): GitHub Link
3. Immediate Mitigations
- Disable dMSA feature (if not needed):
Disable-ADOptionalFeature -Identity "dMSA Feature" -Confirm:$false
- Monitor AD Object Creation:
Get-WinEvent -LogName "Security" -FilterXPath "[EventData[Data[@Name='ObjectClass']='msDS-ManagedServiceAccount']]"
4. Kerberos Hardening (Prevent Hash Extraction)
- Enforce AES Encryption (disable RC4):
Set-ADAccountControl -Identity "krbtgt" -KerberosEncryptionType "AES256"
- Enable Audit Logging:
auditpol /set /subcategory:"Account Management" /success:enable /failure:enable
What Undercode Say
This vulnerability highlights critical risks in AD delegation logic. Even with patches, organizations must:
– Audit AD object changes
– Restrict dMSA permissions
– Assume breach—monitor for unusual Kerberos/NTLM activity
Prediction
Microsoft will likely disable dMSA by default in future updates. However, legacy systems may remain exposed, leading to increased AD attacks in 2025.
Expected Output:
Check for dMSA-related events in Security logs
Get-WinEvent -LogName "Security" | Where-Object { $<em>.Id -eq 5136 -and $</em>.Message -like "msDS-ManagedServiceAccount" }
For deeper analysis, refer to the technical breakdown. Stay patched! 🚨
References:
Reported By: Kondah Badsuccessor – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


