Listen to this Post

Akamai researchers recently uncovered BadSuccessor, a critical flaw in Windows Server 2025’s delegated Managed Service Accounts (dMSA) that allows attackers to compromise any user in Active Directory. Currently, there is no patch available, making detection and hardening essential.
You Should Know:
Detection Using Sentinel KQL (BadKQL)
To detect potential BadSuccessor abuse, use the following Kusto Query Language (KQL) in Microsoft Sentinel:
SecurityEvent | where EventID == 4769 // Kerberos service ticket operation | where ServiceName has "dMSA$" // Filter for delegated Managed Service Accounts | where Status == "0x0" // Successful ticket request | where ClientUserName != "ANONYMOUS LOGON" // Exclude anonymous attempts | summarize Attempts = count() by ClientUserName, ServiceName, Client_IP | where Attempts > 5 // Threshold for suspicious activity | project TimeGenerated, ClientUserName, ServiceName, Client_IP, Attempts
Mitigation Steps
Since no patch exists, follow these hardening measures:
1. Restrict dMSA Permissions
Get-ADServiceAccount -Filter | Where-Object { $<em>.DelegatedAccount -ne $null } | ForEach-Object {
Set-ADServiceAccount -Identity $</em> -PrincipalsAllowedToDelegateToAccount $null
}
2. Monitor Kerberos Ticket Requests
auditpol /set /subcategory:"Kerberos Service Ticket Operations" /success:enable /failure:enable
3. Enable Enhanced Logging
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos" -Name "LogLevel" -Value 1 -Type DWord
4. Block Suspicious IPs via Firewall
New-NetFirewallRule -DisplayName "Block BadSuccessor Attackers" -Direction Inbound -Action Block -RemoteAddress 192.168.1.100,10.0.0.5
5. Check for Anomalous SPN Requests
grep "Service Ticket Request" /var/log/krb5.log | awk '{print $6, $8}' | sort | uniq -c | sort -nr
Additional Linux-Based Detection (for Hybrid Environments)
journalctl -u krb5-kdc | grep "TGS_REQ" | grep "dMSA" | awk '{print $1, $3, $9}' | sort | uniq -c
What Undercode Say
The BadSuccessor vulnerability highlights the risks in delegated authentication models. Until Microsoft releases a patch, organizations must rely on log analysis, strict delegation controls, and anomaly detection. Implementing Zero Trust policies and network segmentation can further reduce exposure.
Prediction
Microsoft is expected to release an emergency patch within the next 30-60 days, but attackers may already be exploiting this in the wild. Expect increased phishing campaigns targeting AD admins.
Expected Output:
- KQL detection logs for Sentinel
- PowerShell hardening commands
- Linux-based Kerberos monitoring
- Firewall rules blocking suspicious IPs
Relevant URL: Akamai Research on BadSuccessor
References:
Reported By: 0x534c Cybersecurity – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


