Yuval Gordon
Yuval Gordon is a Security Researcher at Akamai Technologies, specializing in Active Directory security, identity-based attacks, and protocol research.
Yuval started his career in security operations, incident response, and detection engineering before moving into security research with a focus on AD internals, OT environments, and offensive security. His recent work includes uncovering design flaws and logic abuses.
Yuval occasionally dabbles in malware analysis and reverse engineering, and enjoys sharing insights from both attacker and defender perspectives.
Session
Delegated Managed Service Accounts (dMSAs) are a new type of account introduced in Windows Server 2025. Their primary goal was to improve the security of domain environments. As it turns out, that didn’t go so well.
In this talk, we introduce BadSuccessor - an attack that abuses dMSAs to escalate privileges in Active Directory. Crucially, the attack works even if your domain doesn’t use dMSAs at all.
We’ll demonstrate how a very common, and seemingly benign, permission in Active Directory can allow an attacker to trick a Domain Controller into issuing a Kerberos ticket for any principal - including Domain Admins and Domain Controllers. Then we’ll take it a step further, showing how the same technique can be used to obtain the NTLM hash of every user in the domain - without ever touching the domain controller.
We’ll walk through how we found this attack, how it works, and its potential impact on AD environments. You’ll leave with detection tips, mitigation ideas, and a new appreciation for obscure AD attributes that can punch far above their weight.