Security BSides Las Vegas 2025

The (Un)Rightful Heir: My dMSA Is Your New Domain Admin
2025-08-04, Florentine A

Delegated Managed Service Accounts (dMSA) are a new type of account introduced in Windows Server 2025. Their primary goal was to improve the security of domain environments. As it turns out, that didn’t go so well.

In this talk, we introduce BadSuccessor - an attack that abuses dMSAs to escalate privileges in Active Directory. Crucially, the attack works even if your domain doesn’t use dMSAs at all.

We’ll demonstrate how a very common, and seemingly benign, permission in Active Directory can allow an attacker to trick a Domain Controller into issuing a Kerberos ticket for any principal - including Domain Admins and Domain Controllers. Then we’ll take it a step further, showing how the same technique can be used to obtain the NTLM hash of every user in the domain - without ever touching the domain controller.

We’ll walk through how we found this attack, how it works, and its potential impact on AD environments. You’ll leave with detection tips, mitigation ideas, and a new appreciation for obscure AD attributes that can punch far above their weight.


This research started as a curiosity: how do delegated Managed Service Accounts (dMSAs) really work under the hood in Windows Server 2025? What began as a weekend project led to the discovery of a novel attack path.

The talk introduces BadSuccessor, an attack technique that lets an attacker get the permissions of any user, including Domain Admins or Domain Controllers, and retrieve their Kerberos keys - all by using a newly created dMSA. No existing dMSAs needed, no membership changes, and no alterations to the legitimate account.

We’ll go through the discovery process, what dMSAs are, how migration from an old service account to a dMSA works, and how this logic can be used to get privileged tickets. We’ll also share practical detection ideas, plus pre- and post-exploitation tips for both red and blue teams.

Live demos will be pre-recorded for reliability. The goal is to make every part of the technique clear and repeatable for defenders, researchers, and red teamers alike.

Whitepaper: https://docs.google.com/document/d/1ac4qRSgVrFSCnQrBbgj-6VscOKU5mtIIVYEVjdbIzrY/edit?usp=sharing

Yuval Gordon is a Security Researcher at Akamai Technologies, specializing in Active Directory security, identity-based attacks, and protocol research.
Yuval started his career in security operations, incident response, and detection engineering before moving into security research with a focus on AD internals, OT environments and offensive security. His recent work includes uncovering design flaws and logic abuses.
Yuval occasionally dabbles in malware analysis and reverse engineering, and enjoys sharing insights from both attacker and defender perspectives.