BadSuccessor Vulnerability in Windows Server 2025: Detection and Mitigation

Listen to this Post

Featured Image
Akamai researchers recently uncovered BadSuccessor, a critical flaw in Windows Server 2025’s delegated Managed Service Accounts (dMSA) that allows attackers to compromise any user in Active Directory. Currently, there is no patch available, making detection and hardening essential.

You Should Know:

Detection Using Sentinel KQL (BadKQL)

To detect potential BadSuccessor abuse, use the following Kusto Query Language (KQL) in Microsoft Sentinel:

SecurityEvent
| where EventID == 4769 // Kerberos service ticket operation
| where ServiceName has "dMSA$" // Filter for delegated Managed Service Accounts
| where Status == "0x0" // Successful ticket request
| where ClientUserName != "ANONYMOUS LOGON" // Exclude anonymous attempts
| summarize Attempts = count() by ClientUserName, ServiceName, Client_IP
| where Attempts > 5 // Threshold for suspicious activity
| project TimeGenerated, ClientUserName, ServiceName, Client_IP, Attempts

Mitigation Steps

Since no patch exists, follow these hardening measures:

1. Restrict dMSA Permissions

Get-ADServiceAccount -Filter  | Where-Object { $<em>.DelegatedAccount -ne $null } | ForEach-Object {
Set-ADServiceAccount -Identity $</em> -PrincipalsAllowedToDelegateToAccount $null
}

2. Monitor Kerberos Ticket Requests

auditpol /set /subcategory:"Kerberos Service Ticket Operations" /success:enable /failure:enable

3. Enable Enhanced Logging

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos" -Name "LogLevel" -Value 1 -Type DWord

4. Block Suspicious IPs via Firewall

New-NetFirewallRule -DisplayName "Block BadSuccessor Attackers" -Direction Inbound -Action Block -RemoteAddress 192.168.1.100,10.0.0.5

5. Check for Anomalous SPN Requests

grep "Service Ticket Request" /var/log/krb5.log | awk '{print $6, $8}' | sort | uniq -c | sort -nr

Additional Linux-Based Detection (for Hybrid Environments)

journalctl -u krb5-kdc | grep "TGS_REQ" | grep "dMSA" | awk '{print $1, $3, $9}' | sort | uniq -c

What Undercode Say

The BadSuccessor vulnerability highlights the risks in delegated authentication models. Until Microsoft releases a patch, organizations must rely on log analysis, strict delegation controls, and anomaly detection. Implementing Zero Trust policies and network segmentation can further reduce exposure.

Prediction

Microsoft is expected to release an emergency patch within the next 30-60 days, but attackers may already be exploiting this in the wild. Expect increased phishing campaigns targeting AD admins.

Expected Output:

  • KQL detection logs for Sentinel
  • PowerShell hardening commands
  • Linux-based Kerberos monitoring
  • Firewall rules blocking suspicious IPs

Relevant URL: Akamai Research on BadSuccessor

References:

Reported By: 0x534c Cybersecurity – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

Join Our Cyber World:

💬 Whatsapp | 💬 Telegram