A significant security flaw has been identified in Windows Server 2025's Delegated Managed Service Accounts (dMSA), posing a severe risk to organizations running Active Directory (AD). The vulnerability, named BadSuccessor by the Akamai researchers who disclosed it, allows an attacker who can create or modify a single dMSA object to escalate privileges and impersonate any user in the domain, including Domain Admins, starting from minimal initial access.
Understanding Delegated Managed Service Accounts (dMSA):
Introduced in Windows Server 2025, dMSAs are designed to replace legacy service accounts: an administrator migrates an existing account to a new dMSA, which then supersedes it and takes over its permissions. The dMSA's credentials are managed by the domain and its authentication is bound to explicitly authorized machines in Active Directory, so there is no user-managed password to steal or crack. This is intended to mitigate attacks such as Kerberoasting and to reduce the risk of credential theft.
The BadSuccessor Exploit:
The vulnerability arises from a critical oversight in the dMSA migration process: the Key Distribution Center (KDC) trusts two attributes on the dMSA object as proof that a migration took place, without checking that anyone was authorized to migrate the referenced account. An attacker who controls a dMSA, or who can create one (the default permission to create child objects in an organizational unit is enough), can simulate a migration by setting:
1. msDS-ManagedAccountPrecededByLink: set to the distinguished name of the target user account (the "predecessor").
2. msDS-DelegatedMSAState: set to 2, the value that marks the migration as complete.
Once both attributes are in place, the KDC treats the dMSA as the legitimate successor of the target. Kerberos tickets issued to the dMSA carry the target's security identifiers (SIDs) in the PAC, so the dMSA is granted everything the target can access, including the rights of Domain Admins if that is the linked account; the KDC additionally returns the predecessor's keys in the dMSA key package. Notably, the attack requires no permissions on the targeted user's account at all; write access to (or the ability to create) a dMSA is sufficient. The only environmental prerequisite is at least one domain controller running Windows Server 2025; the organization does not need to be using dMSAs.
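The two attributes above are also the artefacts a simulated migration leaves on the directory. The following is an added example, not code from the original article or from the researchers who disclosed the flaw: a PowerShell sweep that enumerates every dMSA object in the domain and flags any whose predecessor link points at a protected (adminCount=1) account with the state set to 2. It assumes the RSAT ActiveDirectory module and a domain whose schema already contains the Windows Server 2025 dMSA object class; the function name Find-SuspiciousDmsa is this example's own.

```powershell
# Added example (not from the original article): hunt for dMSA objects carrying the
# BadSuccessor "completed migration" markers. Assumes the ActiveDirectory module and a
# Windows Server 2025 schema (objectClass msDS-DelegatedManagedServiceAccount exists).
Import-Module ActiveDirectory

function Find-SuspiciousDmsa {
    [CmdletBinding()]
    param(
        # Default to the whole domain; narrow with an OU DN if the domain is large.
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )

    # Only dMSA objects carry the migration attributes, so filter on the class.
    $dmsas = Get-ADObject -SearchBase $SearchBase `
        -LDAPFilter '(objectClass=msDS-DelegatedManagedServiceAccount)' `
        -Properties 'msDS-ManagedAccountPrecededByLink', 'msDS-DelegatedMSAState', 'whenChanged'

    foreach ($dmsa in $dmsas) {
        $link  = $dmsa.'msDS-ManagedAccountPrecededByLink'
        $state = $dmsa.'msDS-DelegatedMSAState'
        # No predecessor link means no migration, real or simulated; nothing to inspect.
        if (-not $link) { continue }

        # Resolve the linked account and check whether AdminSDHolder protects it
        # (adminCount=1 is set on members of protected groups such as Domain Admins).
        $pred = Get-ADObject -Identity $link -Properties adminCount, sAMAccountName
        $privileged = ($pred.adminCount -eq 1)

        $verdict = 'Migration in progress or stale link'
        if ($state -eq 2 -and $privileged) {
            $verdict = 'INVESTIGATE: completed migration into a privileged account'
        } elseif ($state -eq 2) {
            $verdict = 'Review: completed migration, confirm it was authorized'
        }

        [PSCustomObject]@{
            dMSA           = $dmsa.DistinguishedName
            State          = $state            # 2 = migration marked complete
            Predecessor    = $pred.sAMAccountName
            PredClass      = $pred.ObjectClass
            PredPrivileged = $privileged
            LastChanged    = $dmsa.whenChanged
            Verdict        = $verdict
        }
    }
}

# Usage: list the riskiest links first.
Find-SuspiciousDmsa | Sort-Object PredPrivileged -Descending | Format-Table -AutoSize
```

A legitimate migration performed with Start-ADServiceAccountMigration and Complete-ADServiceAccountMigration produces the same attribute values, so every hit must be reconciled against change records. adminCount is a convenient but incomplete privilege indicator; an attacker can just as well link to an unprotected account that holds delegated rights, so a full review should also consider group memberships of the linked account.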
Potential Impact:
The exploitation of this vulnerability can lead to:
– Privilege Escalation: an attacker with write access to one dMSA, or the right to create one in any OU, can obtain the privileges of any user in the domain.
– Persistent Access: a dMSA that keeps its predecessor link continues to receive the target's privileges whenever it authenticates, giving the attacker durable access that survives a password reset of the targeted user.
– Cross-Domain Attacks: the flaw enables lateral movement across different domains, amplifying the potential damage.
Microsoft’s Response:
Microsoft has acknowledged the vulnerability but classified it as Moderate severity, stating that the technique requires elevated user permissions to succeed and therefore did not meet its bar for immediate servicing; a fix was promised in a future update. The researchers disputed the "elevated" characterization: the required permission is the ability to create or write a dMSA object, which they reported finding delegated to non-administrators in 91% of the environments they examined.
Mitigation Strategies:
Until an official patch is released, organizations are advised to implement the following measures:
1. Audit dMSA Creation Events: monitor Security log Event ID 5137 (directory object created) for objects of class msDS-DelegatedManagedServiceAccount. This event is only written when the "Audit Directory Service Changes" subcategory is enabled and the container's SACL audits object creation.
2. Monitor Attribute Modifications: track Security log Event ID 5136 (directory object modified) for writes to msDS-ManagedAccountPrecededByLink and msDS-DelegatedMSAState; the same auditing prerequisites apply.
3. Track dMSA Authentication Attempts: watch Event ID 2946 in the Directory Service log on domain controllers, which records authentication by a dMSA and identifies the account it is acting for.
4. Restrict dMSA Creation and Modification: limit the ability to create dMSAs, and to write existing dMSA objects, to trusted administrators. Remove delegated CreateChild rights on OUs that were never meant to cover this new object class.
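The three event-based checks above can be run from one script. What follows is an added example written for this page, not the article's or the researchers' code: it pulls 5136 and 5137 from a domain controller's Security log, keeps only the dMSA-related records, and appends the 2946 authentication events from the Directory Service log. The function name Get-DmsaAuditEvents and the seven-day default window are this example's own choices; the EventData field names are those of the standard 5136/5137 events.

```powershell
# Added example (not from the original article): collect dMSA-related audit events
# from a domain controller. Assumes "Audit Directory Service Changes" is enabled and
# a SACL on the relevant containers audits creates and writes; otherwise 5136/5137
# are never generated. Run on the DC or point -ComputerName at it.
function Get-DmsaAuditEvents {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [datetime]$Since = (Get-Date).AddDays(-7)
    )

    $window = [long]((Get-Date) - $Since).TotalMilliseconds
    # XPath: only 5136 (object modified) and 5137 (object created) inside the window.
    $xpath = "*[System[(EventID=5136 or EventID=5137) and TimeCreated[timediff(@SystemTime) <= $window]]]"
    $secEvents = Get-WinEvent -ComputerName $ComputerName -LogName Security `
        -FilterXPath $xpath -ErrorAction SilentlyContinue

    foreach ($e in $secEvents) {
        # Flatten EventData into a name -> value table.
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

        $relevant = switch ($e.Id) {
            5137 { $d.ObjectClass -eq 'msDS-DelegatedManagedServiceAccount' }
            5136 { $d.AttributeLDAPDisplayName -in @('msDS-ManagedAccountPrecededByLink',
                                                     'msDS-DelegatedMSAState') }
        }
        if (-not $relevant) { continue }

        [PSCustomObject]@{
            Time      = $e.TimeCreated
            EventId   = $e.Id
            Actor     = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            Object    = $d.ObjectDN
            Attribute = $d.AttributeLDAPDisplayName   # empty for 5137
            Value     = $d.AttributeValue            # target DN, or the state value
            Operation = $d.OperationType             # %%14674 = value added, %%14675 = value deleted
        }
    }

    # 2946 is written to the Directory Service log when a dMSA authenticates.
    $dsEvents = Get-WinEvent -ComputerName $ComputerName -ErrorAction SilentlyContinue `
        -FilterHashtable @{ LogName = 'Directory Service'; Id = 2946; StartTime = $Since }
    foreach ($e in $dsEvents) {
        [PSCustomObject]@{
            Time      = $e.TimeCreated
            EventId   = 2946
            Actor     = $null
            Object    = $e.Message       # names the dMSA and the account it acts for
            Attribute = $null
            Value     = $null
            Operation = $null
        }
    }
}

# Usage: one timeline across both logs.
Get-DmsaAuditEvents | Sort-Object Time | Format-Table -AutoSize
```

The sequence to alert on is a 5137 for a new dMSA followed shortly by a 5136 writing msDS-ManagedAccountPrecededByLink with a privileged account's DN and then a 5136 setting msDS-DelegatedMSAState to 2, all by the same non-administrative subject, followed by 2946 authentications of that dMSA. A SIEM correlation rule on those four events from one actor is a practical detection until the platform fix is deployed.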
Additionally, organizations can use PowerShell to enumerate the principals whose delegated rights would let them carry out this attack: anyone who can create child objects in an OU or container (the right covers the new dMSA class unless it is scoped to specific object types), and anyone with write access to an existing dMSA. Akamai published such a script alongside the disclosure.
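As an added example (written for this page, not Akamai's script or the article's code), the following PowerShell walks every OU and container, plus every existing dMSA, and reports non-default principals holding rights that enable BadSuccessor. It assumes the ActiveDirectory module and reads the dMSA class GUID from the schema rather than hard-coding it; the function name Get-BadSuccessorRights and the default ignore list are this example's own.

```powershell
# Added example (not from the original article): find who can create dMSA objects or
# write existing ones. Assumes the ActiveDirectory module (and its AD: PSDrive).
Import-Module ActiveDirectory

function Get-BadSuccessorRights {
    param(
        # Principals that are expected to hold these rights and are not reported.
        [string[]]$IgnoreIdentities = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
    )

    # Look up the schemaIDGUID of the dMSA class; an ACE scoped to this GUID (or to the
    # all-objects GUID) with CreateChild lets the holder create dMSAs in that container.
    $schemaNC  = (Get-ADRootDSE).schemaNamingContext
    $dmsaClass = Get-ADObject -SearchBase $schemaNC -Properties schemaIDGUID `
        -LDAPFilter '(lDAPDisplayName=msDS-DelegatedManagedServiceAccount)'
    $dmsaGuid  = [guid]$dmsaClass.schemaIDGUID
    $allGuid   = [guid]'00000000-0000-0000-0000-000000000000'

    $domain = Get-ADDomain
    $ignore = $IgnoreIdentities + @("$($domain.NetBIOSName)\Domain Admins",
                                    "$($domain.NetBIOSName)\Enterprise Admins")

    $R = [System.DirectoryServices.ActiveDirectoryRights]
    $ownerLike = $R::GenericAll -bor $R::WriteDacl -bor $R::WriteOwner

    # Containers where a dMSA could be created, and dMSAs that could be rewritten.
    $targets = Get-ADObject -LDAPFilter '(|(objectClass=organizationalUnit)(objectClass=container)(objectClass=msDS-DelegatedManagedServiceAccount))'

    foreach ($t in $targets) {
        $isDmsa = ($t.ObjectClass -eq 'msDS-DelegatedManagedServiceAccount')
        $acl = Get-Acl -Path "AD:\$($t.DistinguishedName)"

        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $id = $ace.IdentityReference.Value
            if ($id -in $ignore) { continue }
            $rights = $ace.ActiveDirectoryRights

            # Container: CreateChild for the dMSA class or for all classes.
            $canCreate = (-not $isDmsa) -and
                         (($rights -band $R::CreateChild) -ne 0) -and
                         ($ace.ObjectType -eq $dmsaGuid -or $ace.ObjectType -eq $allGuid)
            # Existing dMSA: any property write (the two attributes are enough).
            $canWrite  = $isDmsa -and
                         (($rights -band ($R::WriteProperty -bor $R::GenericWrite)) -ne 0)
            # Either: full control or the ability to grant it to oneself.
            $canOwn    = (($rights -band $ownerLike) -ne 0)

            if ($canCreate -or $canWrite -or $canOwn) {
                [PSCustomObject]@{
                    Target     = $t.DistinguishedName
                    TargetType = $t.ObjectClass
                    Identity   = $id
                    Rights     = $rights
                    ObjectType = $ace.ObjectType   # empty GUID = all object classes
                    Inherited  = $ace.IsInherited
                    Reason     = if ($canOwn) { 'Full control / WriteDACL / WriteOwner' }
                                 elseif ($canCreate) { 'Can create dMSA objects here' }
                                 else { 'Can write existing dMSA' }
                }
            }
        }
    }
}

# Usage: review every non-admin principal that can stage the attack.
Get-BadSuccessorRights | Sort-Object Identity | Format-Table -AutoSize
```

The report is the input to mitigation 4 above: each line is a delegation to revoke or to re-scope to the object classes the delegate actually needs. Group-based identities are reported by group name, so expand nested membership before deciding a right is safe, and remember that an ACE with an extended-rights or property-set GUID on a dMSA may also confer the needed write and is not matched by this simplified check.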
Conclusion:
The discovery of the BadSuccessor vulnerability underscores the importance of rigorous security assessments when new features such as dMSAs are introduced, because a new object class silently widens what existing delegated permissions allow. Until the platform fix ships, organizations must inventory who can create or write dMSAs, audit the migration attributes, and watch the associated events. Staying informed about emerging vulnerabilities and promptly applying security updates remain essential to safeguarding Active Directory environments.