BadSuccessor: Abusing dMSA to Escalate Privileges in Active Directory

• Akamai researcher Yuval Gordon discovered a privilege escalation vulnerability in Windows Server 2025 that allows attackers to compromise any user in Active Directory (AD).

• The attack exploits the delegated Managed Service Account (dMSA) feature that was introduced in Windows Server 2025, works with the default configuration, and is trivial to implement.

• This issue likely affects most organizations that rely on AD. In 91% of the environments we examined, we found users outside the domain admins group that had the required permissions to perform this attack.

• Although Microsoft states they plan to fix this issue in the future, a patch is not currently available. Therefore, organizations need to take other proactive measures to reduce their exposure to this attack. Microsoft has reviewed our findings and approved the publication of this information.

• In this blog post, we provide full details of the attack, as well as detection and mitigation strategies.

• Introduction

• What is a dMSA?

• DMSA authentication

• Abusing the dMSA migration process for privilege escalation

• It’s time to think like an attacker

• Introducing BadSuccessor

• Exploiting dMSAs: From low privileges to domain domination

• But wait, there's more — abusing dMSAs to compromise credentials

• Microsoft’s response

• Detection and mitigation

• Conclusion

In Windows Server 2025, Microsoft introduced delegated Managed Service Accounts (dMSAs). A dMSA is a new type of service account in Active Directory (AD) that expands on the capabilities of group Managed Service Accounts (gMSAs). One key feature of dMSAs is the ability to migrate existing nonmanaged service accounts by seamlessly converting them into dMSAs.

While poking around the inner workings of AD’s dMSAs, we stumbled upon something interesting. At first glance, the migration mechanism looked like a clean and well-designed solution. But something about how it worked under the hood caught our attention.

As we dug deeper, we found a surprising escalation path: By abusing dMSAs, attackers can take over any principal in the domain. All an attacker needs to perform this attack is a benign permission on any organizational unit (OU) in the domain — a permission that often flies under the radar.

And the best part: The attack works by default — your domain doesn’t need to use dMSAs at all. As long as the feature exists, which it does in any domain with at least one Windows Server 2025 domain controller (DC), it becomes available.

This blog post explains how we discovered this, how the attack works, and what you can do to detect or prevent it. 

Before diving into the attacks, it’s important to understand what dMSAs actually are and how they’re supposed to work.

A dMSA is typically created to replace an existing legacy service account. To enable a seamless transition, a dMSA can “inherit” the permissions of the legacy account by performing a migration process. This migration flow tightly couples the dMSA to the superseded account; that is, the original account they’re meant to replace. That flow — and the permissions it grants along the way — is where things get interesting.

msDS-DelegatedMSAState migration values and correlated meanings

Alongside this attribute, a few other notable attributes are used during the migration process. 

On the dMSA object:

• msDS-GroupMSAMembership: Contains a list of principals that are authorized to use this dMSA

• msDS-ManagedAccountPrecededByLink: DN of the superseded account

On the superseded account object:

• msDS-SupersededManagedAccountLink: DN of the “succeeding” dMSA

• msDS-SupersededServiceAccountState: Same meaning as msDS-DelegatedMSAState, specifying the original account migration state

Upon triggering a migration, the operation makes the following changes:

• Sets msDS-DelegatedMSAState to 1 (migration in progress)

• Updates the dMSA’s ntSecurityDescriptor to grant the superseded account:

  • Read permissions 

  • Write access to the msDS-GroupMSAMembership attribute

• Sets the dMSA’s msDS-ManagedAccountPrecededByLink to reference the superseded account

• Sets the superseded account’s msDS-SupersededManagedAccountLink to reference the dMSA

• Sets the superseded account’s msDS-SupersededServiceAccountState to 1

At this point, the dMSA is in a “migration in progress” state. It’s not fully functional yet but is now aware of which systems are still using the old service account.

Once the Complete-ADServiceAccountMigration command is issued, the following happens:

• The dMSA inherits key configurations such as SPNs, delegation settings, and other sensitive attributes from the superseded account

• The superseded account is disabled

• msDS-DelegatedMSAState and msDS-SupersededServiceAccountState are both set to 2 (migration completed)

The migration is complete and any service that relied on the superseded account will now use the dMSA for authentication.

Now that we understand the creation and migration process of dMSAs, it's time to focus on how authentication works, the changes introduced to support dMSAs, and how these changes make the migration process seamless.

For easier understanding, let’s examine the svc_sql legacy service account, which is used to run a service on the SQL_SRV$ server. Whenever the service is required to access resources in the domain, normal authentication is performed using the svc_sql account (Figure 1).

Now, we transition the service account to a new dMSA called DMSA$ and trigger a migration. During the migration period, when the service on SQL_SRV$ authenticates as svc_sql, the authentication flow is slightly modified.

1. The client sends an AS-REQ to authenticate as svc_sql

2. The Key Distribution Center (KDC) returns an AS-REP containing an additional field: KERB-SUPERSEDED-BY-USER (this field includes the name and realm of the new dMSA DMSA$)

3. If the host supports dMSAs (Windows Server 2025 or Windows 11 24H2) and has dMSA authentication enabled, it will:

   • Extract the DMSA$ name

   • Perform an LDAP query on DMSA$ to retrieve the following attributes:

     • msDS-GroupMSAMembership

     • distinguishedName

     • objectClass

4. Since the service is running on SQL_SRV$ as svc_sql, the authentication itself triggers an LDAP modify request from svc_sql, which adds SQL_SRV$ to the list of principals that are allowed to retrieve DMSA$’s password (Figure 2).

   • This is possible because, during the migration process, svc_sql was granted write access to the msDS-GroupMSAMembership attribute on the dMSA — a change that enables it to authorize its host machine to access the account's credentials.  

This seamless permission grant ensures that by the time the migration is complete every machine that previously used svc_sql will be listed in the msDS-GroupMSAMembership attribute of DMSA$ — giving it the ability to authenticate as the dMSA.

Once migration is finalized (via Complete-ADServiceAccountMigration), the behavior changes again.

1. When the client tries to authenticate as svc_sql by sending an AS-REQ, it no longer receives an AS-REP

2. Instead, the DC responds with a KRB-ERROR, indicating svc_sql is disabled

The KRB-ERROR will contain the KERB-SUPERSEDED-BY-USER field, allowing the client to recognize that svc_sql has been migrated and automatically retry authentication using DMSA$ (Figure 3).

SQL_SRV$ (and any other machine that previously relied on svc_sql) will now transparently switch to using DMSA$.

After migration, the KDC grants the dMSA all the permissions of the original (superseded) account.

From a design perspective, this makes sense. The goal is to provide a seamless migration experience in which the new account behaves just like the one it replaces — same SPNs, same delegations, same group memberships.

But from a security researcher’s perspective, this kind of behavior immediately stands out. When we saw a system that automatically copies privileges from one account to another, without requiring manual reconfiguration, we started asking questions:  How does it decide which account to copy from? Can that be influenced? Can it be abused?

That line of questioning led us straight to a key discovery. This interesting behavior of PAC inheritance seems to be controlled by a single attribute: msDS-ManagedAccountPrecededByLink.

The KDC relies on this attribute to determine who the dMSA is “replacing” — when a dMSA authenticates, the PAC is built based solely on this link.

On to our second idea. Clearly, we need something complex, creative, and deeply technical. We need to explore undocumented behaviors, maybe even reverse engineer some part of the KDC … or we could just set two attributes.

Although we cannot directly perform a migration, we can very easily “simulate” one by simply setting the following attributes directly on the dMSA object.

• Write the target account’s DN to msDS-ManagedAccountPrecededByLink

• Set msDS-DelegatedMSAState to value 2 (migration completed)

From this point forward, every time we authenticate as the dMSA, the KDC builds the PAC using the SIDs of the account linked to in the msDS-ManagedAccountPrecededByLink attribute, effectively granting us the full permissions of the superseded account.

At this point, you may be thinking, “Well, I’m not using dMSAs in my environment, so this doesn’t affect me.” Think again.

One abuse scenario: An attacker gains control over an existing dMSA and uses this access to perform the BadSuccessor attack. But there is actually another scenario, which is likely going to be available to attackers much more often: An attacker creates a new dMSA.

When a user creates an object in AD, they have full permissions over all of its attributes. Therefore, if an attacker can create a new dMSA, they can compromise the entire domain. 

Normally, when a dMSA is created using the New-ADServiceAccount cmdlet, it is stored in the Managed Service Accounts container. Although it’s possible for users to be granted access to this container, only built-in privileged Active Directory groups have permissions over it by default. So it's not very likely that we would be able to write to this container.

dMSAs, however, are not restricted to the Managed Service Accounts container; they can be created in any normal OU, as well. Any user that has either the Create msDS-DelegatedManagedServiceAccount or Create all child objects rights on any OU can create a dMSA.

Allowing users to create objects in an OU is a fairly common configuration. As this ability is viewed as benign, it is not likely that users with this privilege will be monitored and hardened appropriately.

To create the dMSA, we start by locating an OU on which we have privileges. Luckily, someone has created an OU called “temp” in our example environment and gave our unprivileged user, “weak” permissions to create all child objects (Figure 6).

As we’ve mentioned, this attack seems to work on all accounts in AD. We were unable to find any configuration that would prevent an account from being used as a superseded target.

One way to authenticate with our dMSA would be to create a service and configure it to be executed with the dMSA account. This is possible, but not convenient. Luckily, thanks to a great pull request by Joe Dibley, Rubeus now supports dMSA authentication (Figure 9), meaning that we can use it to request a TGT for our dMSA:

Rubeus.exe asktgs /targetuser:attacker_dmsa$ /service:krbtgt/aka.test /dmsa /opsec /nowrap /ptt /ticket:<Machine TGT>

For this example, we targeted the built-in Administrator account. Using Wireshark, we inspected the PAC of the ticket we received for our dMSA (Figure 10), which included:

• RID of the dMSA (1137)

• RID of the superseded account (500 — Administrator)

• All the group memberships of the superseded account (512 — Domain Admins, 519 — Enterprise Admins)

This is all the Domain Controller needs to treat us as the legitimate heir. Remember: No group membership changes, no Domain Admins group touch, and no suspicious LDAP writes to the actual privileged account are needed.

With just two attribute changes, a humble new object is crowned the successor — and the KDC never questions the bloodline; if the link is there, the privileges are granted. We didn’t change a single group membership, didn’t elevate any existing account, and didn’t trip any traditional privilege escalation alerts. 

Demonstration of abusing dMSA to escalate privileges in Active Directory

And this particular key? Years of reusing the same password in lab environments finally paid off.  We recognized it immediately. It was the key corresponding with Aa123456 — the password we used for our target account during the demo.

Let that sink in: The key for a separate account somehow ended up in the dMSA’s previous-keys structure.

The answer lies in the encryption types supported by the original (superseded) account. Service tickets are only encrypted using encryption types that the target service supports. As explained in Harmj0y’s excellent blog post, the msDS-SupportedEncryptionTypes attribute controls this behavior. If this attribute is not defined (default case for user accounts), the system defaults to RC4-HMAC only — hence the lone RC4-HMAC key in the previous-keys list.

In other words, the KDC gives the dMSA only the keys from the original account that would be necessary to decrypt service tickets issued prior to the migration. These are determined based on the encryption types supported by the original principal, which you can verify by inspecting its msDS-SupportedEncryptionTypes attribute.

We reported these details to Microsoft via MSRC on April 1, 2025, and after reviewing our report and proof of concept, Microsoft acknowledged the issue and confirmed its validity. However, they assessed it as a Moderate severity vulnerability, and stated that it does not currently meet the threshold for immediate servicing.

According to Microsoft, successful exploitation requires the attacker to already have specific permissions on the dMSA object, which is indicative of elevated privileges. In response to the scenario of creating a new dMSA, Microsoft referenced KB5008383, which discusses the risks related to the CreateChild permission.

While we appreciate Microsoft’s response, we respectfully disagree with the severity assessment.

This vulnerability introduces a previously unknown and high-impact abuse path that makes it possible for any user with CreateChild permissions on an OU to compromise any user in the domain and gain similar power to the Replicating Directory Changes privilege used to perform DCSync attacks.

Furthermore, we've found no indication that current industry practices or tools flag CreateChild access — or, more specifically, CreateChild for dMSAs — as a critical concern. We believe this underlines both the stealth and severity of the issue.

Review permissions — Pay close attention to permissions on OUs and containers. Excessively permissive delegations can open the door for this abuse.

Until a formal patch is released by Microsoft, defensive efforts should focus on limiting the ability to create dMSAs and tightening permissions wherever possible.

Defenders should identify all principals (users, groups, computers) with permissions to create dMSAs across the domain and limit that permission to trusted administrators only.
To assist with this, we have published a PowerShell script that:

• Enumerates all nondefault principals who can create dMSAs

• Lists the OUs in which each principal has this permission

Microsoft has informed us that their engineering teams are working on a patch, and we will update the mitigation guidance in this blog post once further technical details are available.