Mitigating the BadSuccessor Bug: Securing gMSA/dMSA Creation in Active Directory

The BadSuccessor bug affects domains with at least one Windows Server 2025 Domain Controller: principals that hold certain delegated rights on an OU or container can create gMSA/dMSA (group / delegated Managed Service Account) objects they were never meant to create. A potential mitigation is to modify the `dsHeuristics` attribute so that non-admin users can no longer create these accounts.

Key Mitigation Step

Set the 28th character of the `dsHeuristics` attribute (the AttributeAuthorizationOnLDAPAdd flag) to 1 to block unauthorized gMSA/dMSA creation:

# Set dsHeuristics to restrict gMSA/dMSA creation (28th character = 1).
# Note: -Replace overwrites the whole attribute value; read the current value first
# and keep any flags that are already set. dsHeuristics is forest-wide and replicates.
Set-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=yourdomain,DC=com" -Replace @{dsHeuristics="00000000010000000002000000010"}
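A practitioner will usually not want to paste a fixed string over whatever `dsHeuristics` already contains. The following PowerShell is an added example, not code from the original post: it reads the current value, pads it to the required length (every 10th character is a marker that must hold its tens digit, so the 10th is "1" and the 20th is "2"), sets only the requested character, writes the result back and reads it again to confirm. It assumes the ActiveDirectory module, Enterprise Admin rights, and a helper name (`Set-DsHeuristicsFlag`) chosen here; the configuration naming context is discovered from the RootDSE rather than hard-coded.

```powershell
# Added example (not from the original post). Sets one dsHeuristics character
# while preserving every flag that is already configured.
Import-Module ActiveDirectory

function Set-DsHeuristicsFlag {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][ValidateRange(1, 40)][int]$Position,   # 1-based character position, e.g. 28
        [Parameter(Mandatory)][char]$Value,                           # character to store there, e.g. '1'
        [string]$ConfigurationNC = (Get-ADRootDSE).configurationNamingContext
    )

    $dn = "CN=Directory Service,CN=Windows NT,CN=Services,$ConfigurationNC"
    # [string]$null gives "", so an unset attribute is handled like an empty string.
    $current = [string](Get-ADObject -Identity $dn -Properties dsHeuristics).dsHeuristics

    $chars = [System.Collections.Generic.List[char]]::new()
    if ($current) { $chars.AddRange([char[]]$current) }

    # Extend with zeros up to the requested position. Every 10th character must
    # hold the digit of its tens position (10th = '1', 20th = '2', ...).
    while ($chars.Count -lt $Position) {
        $idx = $chars.Count + 1
        if ($idx % 10 -eq 0) { $chars.Add([char][string]($idx / 10)) } else { $chars.Add([char]'0') }
    }

    $chars[$Position - 1] = $Value
    $new = -join $chars

    if ($PSCmdlet.ShouldProcess($dn, "Set dsHeuristics from '$current' to '$new'")) {
        Set-ADObject -Identity $dn -Replace @{ dsHeuristics = $new }
    }
    return $new
}

# Enable AttributeAuthorizationOnLDAPAdd (28th character). Add -WhatIf to preview.
$written = Set-DsHeuristicsFlag -Position 28 -Value '1'
"dsHeuristics written as: $written"

# Read the attribute back and confirm the 28th character is '1'.
$dsDn = "CN=Directory Service,CN=Windows NT,CN=Services,$((Get-ADRootDSE).configurationNamingContext)"
$readback = [string](Get-ADObject -Identity $dsDn -Properties dsHeuristics).dsHeuristics
if ($readback.Length -ge 28 -and $readback[27] -eq '1') {
    "AttributeAuthorizationOnLDAPAdd is enforced: $readback"
} else {
    "Flag not set, current value: '$readback'"
}
```

Running the helper with `-WhatIf` first shows the before/after string without touching the directory, which is worth doing because a typo in this attribute affects the whole forest.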

You Should Know:

1. Impact:

  • Blocks regular users from creating gMSA/dMSA accounts even with “Create All Child Objects” permissions.
  • Does not block if the user has Full Control or WriteDACL permissions.

2. Verification Commands:

  • Check current dsHeuristics (record the value before changing it so existing flags are preserved):
    Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=yourdomain,DC=com" -Properties dsHeuristics

  • Test gMSA creation while logged on as a non-admin user (should fail):
    New-ADServiceAccount -Name "TestgMSA" -DNSHostName "testgmsa.yourdomain.com" -PrincipalsAllowedToRetrieveManagedPassword "Domain Users"

3. Alternative Workaround:

  • Audit delegation permissions on the OU (the AD: drive prefix is required; without it Get-Acl treats the DN as a file-system path):
    Get-Acl "AD:\OU=Servers,DC=yourdomain,DC=com" | Format-List
  • Remove excessive Full Control or WriteDACL delegations.
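`Get-Acl | Format-List` on a single OU is hard to read at scale. As an added example that is not part of the original post, the following PowerShell walks every OU and container under a search base and reports the Allow ACEs that matter for this bug: Full Control (GenericAll), WriteDacl, WriteOwner, and CreateChild either unscoped or scoped to the gMSA/dMSA schema classes. The schema GUIDs are looked up from the schema partition instead of being hard-coded (the dMSA class only exists once the Server 2025 schema is in place). The search base, the trusted-principal allow-list and the helper name `Find-RiskyMsaDelegation` are placeholders chosen here.

```powershell
# Added example (not from the original post): find ACEs that let non-privileged
# principals create or take over gMSA/dMSA objects under a given OU.
Import-Module ActiveDirectory

# Resolve schemaIDGUIDs of the two managed-service-account classes.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$classGuids = @{}
foreach ($cls in 'msDS-GroupManagedServiceAccount', 'msDS-DelegatedManagedServiceAccount') {
    $so = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$cls)" -Properties schemaIDGUID -ErrorAction SilentlyContinue
    if ($so) { $classGuids[[guid]::new([byte[]]$so.schemaIDGUID)] = $cls }
}

# Principals that are expected to hold these rights (placeholder list; adjust to your domain).
$Trusted = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
             'YOURDOMAIN\Domain Admins', 'YOURDOMAIN\Enterprise Admins')

function Find-RiskyMsaDelegation {
    param([Parameter(Mandatory)][string]$SearchBase)

    $takeoverRights = 'GenericAll', 'WriteDacl', 'WriteOwner'
    # Subtree scope includes the search base itself.
    Get-ADObject -SearchBase $SearchBase -LDAPFilter '(|(objectClass=organizationalUnit)(objectClass=container))' |
      ForEach-Object {
        $dn  = $_.DistinguishedName
        $acl = Get-Acl -Path "AD:\$dn"
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($Trusted -contains $ace.IdentityReference.Value) { continue }

            $rights = $ace.ActiveDirectoryRights.ToString()
            $reason = $null
            foreach ($r in $takeoverRights) { if ($rights -match $r) { $reason = $r } }

            if (-not $reason -and $rights -match 'CreateChild') {
                # An empty ObjectType means "any child class"; otherwise it names one class.
                if ($ace.ObjectType -eq [guid]::Empty) { $reason = 'CreateChild (any class)' }
                elseif ($classGuids.ContainsKey($ace.ObjectType)) { $reason = "CreateChild ($($classGuids[$ace.ObjectType]))" }
            }

            if ($reason) {
                [pscustomobject]@{
                    Object    = $dn
                    Principal = $ace.IdentityReference.Value
                    Reason    = $reason
                    Inherited = $ace.IsInherited
                }
            }
        }
      }
}

Find-RiskyMsaDelegation -SearchBase 'OU=Servers,DC=yourdomain,DC=com' | Format-Table -AutoSize
```

Inherited ACEs are reported too, because an over-broad grant at a parent OU flows down to every container where a dMSA could be created; fix it at the level where it is defined rather than on each child.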

4. LDAP Query for Risky Delegations:

# Bind as an auditing account; -H replaces the deprecated -h. The assertion needs "=*" (attribute present) to be valid LDAP filter syntax.
ldapsearch -x -H ldap://DC01 -D "audit@yourdomain.com" -W -b "DC=yourdomain,DC=com" "(msDS-AllowedToDelegateTo=*)" msDS-AllowedToDelegateTo

What Undercode Say:

The BadSuccessor bug highlights the risks of over-delegation in Active Directory. While the `dsHeuristics` mitigation helps, organizations must audit delegation models to prevent abuse. Key takeaways:
– Least privilege is critical—avoid granting Full Control unnecessarily.
– Monitor gMSA/dMSA creation with SIEM rules.
– Patch & Review: Ensure Windows Server 2025 DCs are updated and delegation models are tightened.
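The "monitor gMSA/dMSA creation" takeaway can be tested before a SIEM rule is written. As an added example that is not part of the original post, the following PowerShell pulls Security event 5137 ("a directory service object was created") from a Domain Controller, parses the event XML, keeps only creations whose ObjectClass is one of the two managed-service-account classes, and marks creators outside an allow-list as suspicious. It assumes the "Audit Directory Service Changes" subcategory is enabled on the DCs with a SACL that audits object creation on the relevant containers; the DC name, the allow-list and the helper name `Get-MsaCreationEvents` are placeholders.

```powershell
# Added example (not from the original post): detect gMSA/dMSA object creation
# from Security event 5137 and flag creators that are not expected to do it.
function Get-MsaCreationEvents {
    param(
        [string]$ComputerName = 'DC01',                              # placeholder DC
        [int]$Hours = 24,
        [string[]]$AllowedCreators = @('svc_msa_provisioning')       # placeholder allow-list (sAMAccountNames)
    )

    $classes = 'msDS-GroupManagedServiceAccount', 'msDS-DelegatedManagedServiceAccount'
    $filter  = @{ LogName = 'Security'; Id = 5137; StartTime = (Get-Date).AddHours(-$Hours) }

    # Get-WinEvent throws when nothing matches; treat that as "no events".
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
      ForEach-Object {
        # Flatten the <Data Name="..."> elements of the event into a hashtable.
        $xml = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

        if ($classes -contains $d['ObjectClass']) {
            [pscustomobject]@{
                Time       = $_.TimeCreated
                Creator    = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
                Object     = $d['ObjectDN']
                Class      = $d['ObjectClass']
                Suspicious = ($AllowedCreators -notcontains $d['SubjectUserName'])
            }
        }
      }
}

# Last three days of gMSA/dMSA creations, showing only unexpected creators.
Get-MsaCreationEvents -ComputerName 'DC01' -Hours 72 |
    Where-Object Suspicious |
    Format-Table Time, Creator, Class, Object -AutoSize
```

The same field names (SubjectUserName, ObjectClass, ObjectDN) are what a SIEM rule on event 5137 would key on; the allow-list is the part that needs tuning per environment, since legitimate provisioning usually comes from a small set of service accounts.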

Expected Output:

  • Non-admin users cannot create gMSA/dMSA accounts when `dsHeuristics` is configured.
  • Delegation audits reveal excessive permissions that need revocation.

Prediction:

As Active Directory attacks evolve, expect more delegation-based exploits. Organizations must shift toward Zero Trust delegation models and automated permission audits to mitigate future risks.

Reference:

Reported By: Andrea Pierini – Hackers Feeds