When Good Accounts Go Bad Exploiting Delegated Managed Servi... #1247
+114
−0
🤖 Automated Content Update
This PR was automatically generated by the HackTricks News Bot based on a technical blog post.
📝 Source Information
🎯 Content Summary
BadSuccessor Attack Vector Overview
BadSuccessor abuses delegated Managed Service Accounts (dMSAs) introduced in Windows Server 2025 to escalate privileges in Active Directory. An attacker with Create Child or msDS-DelegatedManagedServiceAccount permissions on an OU can: set msDS-ManagedAccountPrecededByLink to a target account's DN (for example CN=Administrator,CN=Users,DC=conto...
- Content is technically accurate
- Formatting follows HackTricks style guidelines
- Links and references are working
- Content adds educational value
- No sensitive information is exposed
- MD files processed: 866
- MD files fixed: 1
🔧 Technical Details
An attacker with Create Child or msDS-DelegatedManagedServiceAccount permissions on an OU can create a delegated MSA object, set its msDS-ManagedAccountPrecededByLink to a target account's distinguished name and overwrite msDS-DelegatedMSAState to 2, simulating migration completion. Logging on as this dMSA grants the original account's privileges, enabling privilege escalation to domain administrative control. Using t...
🤖 Agent Actions
Added detailed coverage of the BadSuccessor attack vector:
Created new file badsuccessor-dmsa-migration-abuse.md under windows-hardening/active-directory-methodology with:
• Technical overview of the dMSA migration abuse
• Enumeration, exploitation, post-exploitation, detection & mitigation steps
• Tooling list and cross-references
• References section with blog & PoC links
Updated active-directory-methodology/README.md to link this new page alongside the existing Golden gMSA/dMSA attack material. No other changes required.
✅ Review Checklist
This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.
📚 Repository Maintenance
All .md files have been checked for proper formatting (headers, includes, etc.).