Using dMSAs for Credential Theft and Lateral Movement in AD

Akamai researchers evaluated Microsoft’s patch for the BadSuccessor vulnerability (CVE-2025-53779) to determine its scope and limitations.

While the update effectively blocks the original direct escalation path, the core mechanics of BadSuccessor remain exploitable under specific conditions.

In this article, we examine how attackers can continue to leverage delegated Managed Service Accounts (dMSAs) for credential theft and lateral movement in Active Directory post-patch.

Revisiting BadSuccessor

Introduced at DEF CON 2025, BadSuccessor abuses Windows Server 2025’s dMSA account type to elevate privileges.

By linking a controlled dMSA to any target account, an attacker could make the Key Distribution Center (KDC) merge the target’s privileges into the dMSA’s Privilege Attribute Certificate (PAC) and return a Kerberos key package containing the target’s keys.

This granted immediate Domain Admin access without extra group changes or custom tooling. Crucially, merely controlling any Organizational Unit was sufficient to deploy this attack, enabling compromise of domain controllers, Protected Users, and Domain Admins.

Microsoft’s patch did not lock down the directory attribute that associates a dMSA with a target. Instead, changes in kdcsvc.dll enforce strict validation at ticket issuance: a one-way link no longer yields a valid Kerberos ticket.

Only a mutual pairing—where the target account reciprocally references the dMSA—mimics a legitimate service account migration and is honored by the KDC. Consequently, attackers now must also control the target object itself to achieve escalation, effectively closing the pre-patch shortcut.

Although the direct path to Domain Admin is closed, BadSuccessor persists as a versatile technique. We identify two practical primitives that rely on the surviving ability to write link attributes:

First, when an attacker holds GenericWrite on a user or computer object, the traditional options are adding a shadow credential to it or Kerberoasting the account.

With BadSuccessor, however, controlling a dMSA enables a mutual link pairing and issuance of a valid ticket for the dMSA. This allows adversaries to:

  • Operate under the target’s effective privileges using the dMSA identity, reducing detection risk when the original account is monitored.
  • Extract the target’s Kerberos keys directly from the dMSA key package, which is faster and more reliable than Kerberoasting.
  • Leave a footprint concentrated in dMSA-link edits and Ticket Granting Ticket (TGT) issuance to the dMSA rather than in activity on the target account itself.

Second, in domains already under attacker control, BadSuccessor enables “replication-free” credential dumping through normal ticket requests, offering an alternative to DCSync with distinct behavioral signals that may bypass existing detection rules.

To detect post-patch BadSuccessor activity:

  • Enable SACLs to audit creation of dMSAs and modifications to migration link attributes on both linked objects.
  • Monitor for rapid sequences of dMSA password retrievals and anomalous linkings of enabled or previously disabled accounts.
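As an added example, not taken from the Akamai report or this article, the following PowerShell implements both detection points above: it hunts for existing dMSA predecessor links whose target is still enabled or is a protected account, and it adds the SACL entries that make dMSA creation and link-attribute writes auditable. The attribute and class names (msDS-ManagedAccountPrecededByLink, msDS-SupersededManagedAccountLink, msDS-DelegatedManagedServiceAccount, msDS-DelegatedMSAState) are the Windows Server 2025 dMSA schema names and are assumed here; the page itself does not name them.

```powershell
# Added example (not from the article): hunt dMSA predecessor links and enable
# SACL auditing for them. Needs the RSAT ActiveDirectory module on a domain member.
# Attribute/class names below are the Windows Server 2025 dMSA schema names (assumed).
Import-Module ActiveDirectory

$PrecededBy = 'msDS-ManagedAccountPrecededByLink'   # on the dMSA, points at the target
$Superseded = 'msDS-SupersededManagedAccountLink'   # on the target, points back at the dMSA

function Get-DmsaLinkReport {
    # One row per dMSA->target link. A post-patch abuse needs a mutual link, and a
    # genuine migration targets a superseded (disabled) service account, so a mutual
    # link to an enabled or AdminSDHolder-protected (adminCount=1) account is suspicious.
    $dmsas = Get-ADObject -LDAPFilter '(objectClass=msDS-DelegatedManagedServiceAccount)' `
        -Properties $PrecededBy, 'msDS-DelegatedMSAState', 'whenCreated'
    foreach ($d in $dmsas) {
        foreach ($targetDn in @($d.$PrecededBy)) {
            $t = Get-ADObject -Identity $targetDn -Properties $Superseded, 'userAccountControl', 'adminCount'
            $mutual     = @($t.$Superseded) -contains $d.DistinguishedName
            $enabled    = -not ($t.userAccountControl -band 0x2)   # ADS_UF_ACCOUNTDISABLE
            $privileged = ($t.adminCount -eq 1)
            [pscustomobject]@{
                Dmsa             = $d.DistinguishedName
                State            = $d.'msDS-DelegatedMSAState'
                Created          = $d.whenCreated
                Target           = $targetDn
                MutualLink       = $mutual
                TargetEnabled    = $enabled
                TargetPrivileged = $privileged
                Suspicious       = $mutual -and ($enabled -or $privileged)
            }
        }
    }
}

function Enable-DmsaLinkAuditing {
    # Adds success-audit ACEs so that creating a dMSA anywhere under $Path, or writing
    # either link attribute on any object there, produces a Directory Service Changes
    # event. The "Audit Directory Service Changes" subcategory must be enabled by policy.
    param([string]$Path = (Get-ADDomain).DistinguishedName)
    $schema   = (Get-ADRootDSE).schemaNamingContext
    $everyone = [System.Security.Principal.SecurityIdentifier]'S-1-1-0'
    $acl = Get-Acl -Path "AD:\$Path"
    foreach ($name in $PrecededBy, $Superseded, 'msDS-DelegatedManagedServiceAccount') {
        $guid  = [guid](Get-ADObject -SearchBase $schema -LDAPFilter "(lDAPDisplayName=$name)" -Properties schemaIDGUID).schemaIDGUID
        $right = if ($name -like 'msDS-*Link') { 'WriteProperty' } else { 'CreateChild' }
        $acl.AddAuditRule((New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
            $everyone, $right, 'Success', $guid, 'All', [guid]::Empty)))
    }
    Set-Acl -Path "AD:\$Path" -AclObject $acl
}

Get-DmsaLinkReport | Where-Object Suspicious | Format-Table -AutoSize
```

Run Get-DmsaLinkReport on a schedule and alert on any row with Suspicious set; run Enable-DmsaLinkAuditing once per domain (as a Domain Admin) and then watch for the resulting directory change events on the two link attributes.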

Microsoft’s patch for CVE-2025-53779 successfully disrupts BadSuccessor’s one-step Domain Admin escalation.

However, by leaving link-attribute modifications unprotected in Active Directory and relocating enforcement to the KDC, the underlying techniques endure.

Attackers can still exploit dMSAs for credential theft and lateral movement via new primitives that differ in requirements and telemetry.

Defenders must adjust detection and harden delegation to fully mitigate the evolving BadSuccessor threat.


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.