dMSA abuse (BadSuccessor) enables privilege escalation: Monitor critical attribute changes with ADAudit Plus
A critical vulnerability, dubbed BadSuccessor, has been identified in Windows Server 2025. This flaw exploits the newly introduced delegated Managed Service Accounts (dMSAs) feature, allowing attackers to escalate privileges within Active Directory (AD) environments. Since its discovery and detailed analysis by Yuval Gordon from Akamai, this vulnerability has been creating quite a buzz in the cybersecurity community.
Stay ahead of emerging threats! Learn how to configure real-time alerts in ADAudit Plus to detect suspicious dMSA activity instantly.
Now, let’s dive in and understand the mechanics behind this dMSA abuse vulnerability.
The role of dMSAs in Windows Server 2025
In previous Windows Server versions, Managed Service Accounts simplified service account management by automating password handling. Building on this, Windows Server 2025 introduced dMSAs, which provide enhanced delegation and security features.
Key benefits of dMSAs include:
Automated, randomized, and regularly rotated passwords managed by Active Directory.
Delegated control within specific Organizational Units (OUs), allowing management without full domain admin rights.
Smooth migration from unmanaged service accounts to dMSAs without disrupting services.
Improved security by binding authentication to specific machines and disabling original accounts after migration.
Understanding the BadSuccessor vulnerability
The BadSuccessor attack leverages the msDS-ManagedAccountPrecededByLink attribute in dMSAs. By manipulating this attribute, an attacker can simulate a migration from a high-privilege account, such as a domain admin, to a newly created dMSA. This causes the Key Distribution Center (KDC) to grant the dMSA the privileges of the targeted account, effectively allowing full impersonation without altering existing accounts or group memberships.
91% of the environments analyzed showed that users outside the domain admins group had the necessary permissions to carry out this attack — Yuval Gordon
Exploitation steps
An attacker with minimal privileges can execute the following steps:
Create a dMSA
The attacker creates a delegated Managed Service Account within an OU where they have sufficient permissions.
Modify attributes
They then modify the msDS-ManagedAccountPrecededByLink attribute of the dMSA to point to a high-privilege account, like a Domain Admin.
Authenticate as the dMSA
The system treats the dMSA as the successor to the privileged account, granting it equivalent permissions.
Real-world consequences you can’t ignore
Attackers can gain full domain control without detection
This exploit allows attackers to assume privileged access by manipulating dMSAs without altering existing high-level accounts. Because the original accounts remain untouched, this makes it challenging for security teams to detect any suspicious activity.
Low-privilege users can escalate to domain admin by abusing dMSA control
Attackers with minimal rights can leverage delegated permissions on dMSAs to escalate privileges to domain admin.
The attack operates quietly within Active Directory’s trust model
This method leaves minimal forensic evidence, making it hard to spot and allowing attackers to maintain persistence.
Things to look for
Monitor dMSA creation
Keep a close eye on the creation of dMSAs. Since attackers can exploit permissions to create dMSAs for privilege escalation, it’s important to verify that any new dMSA creation is performed only by authorized personnel and aligns with your organization’s security policies. Unexpected or unauthorized dMSA creation should raise immediate concern.
Track "msDS-ManagedAccountPrecededByLink" attribute changes
Modifications to the msDS-ManagedAccountPrecededByLink attribute on dMSA objects are a key indicator of potential misuse. This attribute links the dMSA to a high-privilege account, effectively transferring its permissions.
Implement SACLs for critical attributes
Configure System Access Control Lists (SACLs) to log creation of msDS-DelegatedManagedServiceAccount objects (Event ID 5137) and modifications to the msDS-ManagedAccountPrecededByLink attribute (Event ID 5136). This helps detect tampering of dMSAs.
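The following script is an added example (not from the original post or from ADAudit Plus) that pulls the two event types named above from a domain controller's Security log and reports only the dMSA-relevant ones. It assumes the SACLs are already in place and that the account running it can read the DC's Security log; the parameter names are ours.

```powershell
# Added example: surface dMSA creations (5137) and changes to
# msDS-ManagedAccountPrecededByLink (5136) from the Security log.
param(
    [string]$DomainController = $env:COMPUTERNAME,  # assumption: run on or against a DC
    [int]$Hours = 24
)

$since  = (Get-Date).AddHours(-$Hours)
$filter = @{ LogName = 'Security'; Id = 5136, 5137; StartTime = $since }

Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter -ErrorAction SilentlyContinue |
ForEach-Object {
    # Flatten the EventData <Data Name="..."> elements into a lookup table.
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    if ($_.Id -eq 5137 -and $data.ObjectClass -eq 'msDS-DelegatedManagedServiceAccount') {
        # A directory object of the dMSA class was created.
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Finding = 'dMSA created'
            Subject = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
            Object  = $data.ObjectDN
            Detail  = ''
        }
    }
    elseif ($_.Id -eq 5136 -and $data.AttributeLDAPDisplayName -eq 'msDS-ManagedAccountPrecededByLink') {
        # OperationType %%14674 = value added, %%14675 = value deleted (5136 message strings).
        $op = if ($data.OperationType -eq '%%14674') { 'added' } else { 'removed' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Finding = "PrecededByLink value $op"
            Subject = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
            Object  = $data.ObjectDN
            Detail  = "-> $($data.AttributeValue)"   # DN of the account the dMSA now claims to succeed
        }
    }
} | Sort-Object Time | Format-Table -AutoSize
```

Any 5136 row whose Detail points at a privileged account, or any 5137 row from a subject who is not an expected administrator, is the case to investigate first.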
Review permissions on OUs
Regularly audit permissions on OUs and containers where dMSAs can be created. Ensure that the ability to create child objects is limited to trusted administrators.
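As an added example (ours, not the post's or ADAudit Plus's), the script below walks every OU and reports principals outside an expected administrative set that can create child objects (of any class, or the dMSA class specifically) or hold GenericAll, WriteDacl or WriteOwner on the OU. It assumes the RSAT ActiveDirectory module is installed; the $Expected list is an assumption to tune for your domain.

```powershell
# Added example: find non-administrative principals with dMSA-creation-capable rights on OUs.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices
$ADR = [System.DirectoryServices.ActiveDirectoryRights]

# Resolve the schema GUID of the dMSA class so class-scoped CreateChild grants are caught too.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$dmsaGuid = [guid](Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(lDAPDisplayName=msDS-DelegatedManagedServiceAccount)' `
    -Properties schemaIDGUID).schemaIDGUID

# Assumption: principals expected to hold these rights; anything else is reported.
$Expected = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', '*\Domain Admins', '*\Enterprise Admins')

foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
    $acl = Get-Acl -Path ("AD:\" + $ou.DistinguishedName)
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $who = $ace.IdentityReference.Value
        if ($Expected | Where-Object { $who -like $_ }) { continue }

        $r = $ace.ActiveDirectoryRights
        $reasons = @()
        if (($r -band $ADR::GenericAll) -eq $ADR::GenericAll) { $reasons += 'GenericAll' }
        if (($r -band $ADR::WriteDacl)  -ne 0) { $reasons += 'WriteDacl' }
        if (($r -band $ADR::WriteOwner) -ne 0) { $reasons += 'WriteOwner' }
        if (($r -band $ADR::CreateChild) -ne 0) {
            # An empty ObjectType means the grant covers every object class.
            if     ($ace.ObjectType -eq [guid]::Empty) { $reasons += 'CreateChild (all classes)' }
            elseif ($ace.ObjectType -eq $dmsaGuid)     { $reasons += 'CreateChild (dMSA)' }
        }
        if ($reasons) {
            [pscustomobject]@{
                OU        = $ou.DistinguishedName
                Principal = $who
                Rights    = $reasons -join ', '
                Inherited = $ace.IsInherited
            }
        }
    }
}
```

Inherited rows usually trace back to a grant higher in the tree, so fix them at the OU where the ACE is defined rather than on each child.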
Stay updated on Microsoft patches
Stay informed about Microsoft’s latest updates and patches addressing the BadSuccessor vulnerability and apply them promptly once available.
ManageEngine ADAudit Plus has your back: Set up a custom alert to monitor dMSA activity today
We’ll guide you through setting up a custom alert in ADAudit Plus to monitor critical changes involving dMSAs. This alert enables you to quickly detect suspicious dMSA activities and investigate potential abuse of these accounts.
Go to the Configuration tab and click New Alert Profile to start.
Name the alert appropriately and add a description if needed.
Set the desired severity level based on your organization’s risk standards.
Under Category, select All, then choose the report profile titled All Other AD Audit Changes.
In Advanced Configurations, enable the Filter checkbox and click Add Filter.
Set the filter condition to:
Modified Attributes → Equals → msDS-ManagedAccountPrecededByLink
Choose the appropriate Alert Actions (for example, email notifications, script execution) as required and save the alert.
Once the new alert is configured, any modification to the msDS-ManagedAccountPrecededByLink attribute will trigger an alert, which you can view under the Alerts tab.
For detailed insights, including who made the change, when it occurred, and from where, go to the Active Directory tab > Account Management > All AD Changes. This helps confirm whether the change was made by an authorized user and is in line with your organization’s policy.
About ManageEngine ADAudit Plus
ADAudit Plus is a UBA-driven change auditing solution that helps ensure accountability, security, and compliance across your AD, file servers, Windows servers, and workstations.