BadSuccessor: dMSA abuse to Escalate Privileges in Windows Active Directory
| Disclosed | Created |
|---|---|
| May 21, 2025 | Jan 15, 2026 |
Description
This module exploits 'Bad Successor', which allows operators to elevate privileges on domain controllers
running at the Windows 2025 forest functional level. Microsoft introduced Delegated Managed Service
Accounts (dMSAs) at this forest level, and they came ripe for exploitation.
Normal users can't create dMSA accounts where dMSA accounts are supposed to be created, the Managed Service
Accounts OU, but if a normal user has write access to any other OU they can create a dMSA account in
said OU. After creating the account, the user can edit the account's LDAP attributes to indicate that it
should inherit privileges from the Administrator user. Once this is complete, the user can request Kerberos
tickets on behalf of the dMSA account and, voilà, they're admin.
The module has two actions: one creates the dMSA account and sets it up to impersonate a high-privilege
user, and the other requests the Kerberos tickets needed to use the dMSA account for privilege
escalation.
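The description above gives defenders a concrete shape to hunt for: a dMSA that lives outside the Managed Service Accounts container and whose predecessor link points at a privileged account. The following audit logic is an added example, not part of the Metasploit module; it assumes the dMSA schema attributes msDS-ManagedAccountPrecededByLink and msDS-DelegatedMSAState (which the page does not name) and runs over constructed sample objects in place of a live LDAP search.

```python
# Added example (not the module's code): flag dMSA objects matching the BadSuccessor
# pattern. Input is a list of dicts as an LDAP search for
# (objectClass=msDS-DelegatedManagedServiceAccount) would return; DNs/values are constructed.
DOMAIN_DN = "DC=corp,DC=example"
MSA_CONTAINER = f"CN=Managed Service Accounts,{DOMAIN_DN}"
# Accounts whose privileges no dMSA should legitimately "succeed" to.
PRIVILEGED_DNS = {
    f"CN=Administrator,CN=Users,{DOMAIN_DN}",
    f"CN=krbtgt,CN=Users,{DOMAIN_DN}",
}

SAMPLE_DMSAS = [
    {   # legitimate migration: in the MSA container, succeeds a service user
        "distinguishedName": f"CN=svc_sql_dmsa,{MSA_CONTAINER}",
        "msDS-ManagedAccountPrecededByLink": f"CN=svc_sql,OU=Service,{DOMAIN_DN}",
        "msDS-DelegatedMSAState": 2,
    },
    {   # BadSuccessor shape: created in a writable OU, linked to Administrator
        "distinguishedName": f"CN=helpdesk_dmsa,OU=Helpdesk,{DOMAIN_DN}",
        "msDS-ManagedAccountPrecededByLink": f"CN=Administrator,CN=Users,{DOMAIN_DN}",
        "msDS-DelegatedMSAState": 2,
    },
    {   # stray dMSA outside the container, no predecessor link set (yet)
        "distinguishedName": f"CN=stray_dmsa,OU=Lab,{DOMAIN_DN}",
    },
]

def is_under(dn, container):
    """True if dn sits (directly or indirectly) under container; DNs compare case-insensitively."""
    return dn.lower().endswith("," + container.lower())

def audit_dmsas(objects, msa_container=MSA_CONTAINER, privileged=PRIVILEGED_DNS):
    """Return {dn: [reasons]} for every dMSA that needs a closer look."""
    privileged = {p.lower() for p in privileged}
    findings = {}
    for obj in objects:
        dn = obj["distinguishedName"]
        link = obj.get("msDS-ManagedAccountPrecededByLink")
        reasons = []
        if not is_under(dn, msa_container):
            reasons.append("outside_msa_container")
        if link and link.lower() in privileged:
            reasons.append("privileged_predecessor")
        # State 2 = migration "completed": the dMSA now inherits the predecessor's
        # privileges, so a suspicious object in that state is already usable.
        if reasons and link and obj.get("msDS-DelegatedMSAState") == 2:
            reasons.append("migration_completed")
        if reasons:
            findings[dn] = reasons
    return findings
```

Feed it the results of a real search (for example, the objects returned by an LDAP query for objectClass=msDS-DelegatedManagedServiceAccount) and review every finding, prioritising those with all three reasons.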
Authors
AngelBoy
Spencer McIntyre
jheysel-r7
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':