When Good Accounts Go Bad: Exploiting Delegated Managed Service Accounts in Active Directory
Summary
Delegated Managed Service Accounts (dMSAs) are a new type of managed domain account introduced in Windows Server 2025. They are intended to replace traditional service accounts (such as gMSAs and sMSAs) through a migration process in which the dMSA supersedes an existing account and inherits that account's permissions.
We introduce the “BadSuccessor” technique, which lets an attacker escalate privileges in Active Directory by abusing the dMSA migration attributes (msDS-ManagedAccountPrecededByLink and msDS-DelegatedMSAState): by marking an attacker-controlled dMSA as the successor of a privileged account, for example a Domain Admin, the attacker obtains that account's permissions without ever modifying the target account itself.
We dissect the core steps of this method, its prerequisites, and how it can be detected, so that security professionals and system administrators can assess their exposure.
Using a worked example, we show how an attacker who holds nothing more than the right to create objects in an organizational unit (OU) can elevate to domain-level privileges, and we present practical detection approaches for spotting such attacks.
By understanding this attack vector and putting the corresponding defensive measures in place, organizations can reduce the risk of privilege escalation in their Active Directory environments.
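The prerequisite for the attack described above is a principal that can create dMSA objects in some OU. The following PowerShell script is an added audit example written for this article; it is not code from the original post or from the BadSuccessor research tooling. It enumerates every OU in the domain and reports non-default principals whose ACE grants CreateChild (either for all object types or specifically for the msDS-DelegatedManagedServiceAccount class), GenericAll, WriteDacl or WriteOwner. It assumes the RSAT ActiveDirectory module, a domain-joined host with read access to the schema and to OU security descriptors, and the ignore list of expected principals is an assumption you should adjust for your environment.

```powershell
# Added audit example, not the original post's or the researchers' tooling.
# Reports OUs where a non-default principal can create dMSA objects, i.e. the
# foothold BadSuccessor needs. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Resolve the schemaIDGUID of the dMSA object class at runtime. If the class is
# missing, the forest schema has not been extended for Windows Server 2025 and
# dMSAs (and therefore this attack) are not possible yet.
$schemaNC  = (Get-ADRootDSE).schemaNamingContext
$dmsaClass = Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(lDAPDisplayName=msDS-DelegatedManagedServiceAccount)' `
    -Properties schemaIDGUID
if (-not $dmsaClass) {
    Write-Host 'msDS-DelegatedManagedServiceAccount class not in schema; dMSAs cannot exist in this forest.'
    return
}
$dmsaGuid = New-Object Guid -ArgumentList (,[byte[]]$dmsaClass.schemaIDGUID)
$allGuid  = [guid]'00000000-0000-0000-0000-000000000000'   # ACE applies to every object type

# Principals expected to hold these rights (assumption; tune for your domain).
$domain = (Get-ADDomain).NetBIOSName
$ignore = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS',
    "$domain\Domain Admins",
    "$domain\Enterprise Admins"
)

# Any of these rights on an OU is enough to create (or take control of) a dMSA there.
$wantedRights = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild -bor
                [System.DirectoryServices.ActiveDirectoryRights]::GenericAll  -bor
                [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl   -bor
                [System.DirectoryServices.ActiveDirectoryRights]::WriteOwner

$findings = foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
    $acl = Get-Acl -Path "AD:\$($ou.DistinguishedName)"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow')              { continue }
        if ($ignore -contains $ace.IdentityReference.Value)  { continue }
        if (($ace.ActiveDirectoryRights -band $wantedRights) -eq 0) { continue }
        # A CreateChild ACE scoped to some other class (e.g. computer) does not help
        # the attacker; keep only unscoped ACEs and ACEs scoped to the dMSA class.
        if ($ace.ObjectType -ne $allGuid -and $ace.ObjectType -ne $dmsaGuid) { continue }
        [pscustomobject]@{
            OU        = $ou.DistinguishedName
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.ActiveDirectoryRights
            Inherited = $ace.IsInherited
        }
    }
}

$findings | Sort-Object OU, Principal | Format-Table -AutoSize
```

Every row in the output is a principal whose compromise would let an attacker stage a BadSuccessor dMSA in that OU; review inherited entries too, since a single delegation high in the tree propagates to every child OU. For ongoing detection rather than a point-in-time audit, enable Directory Service Changes auditing with a SACL on the OUs of interest so that creation of msDS-DelegatedManagedServiceAccount objects (event 5137) and writes to msDS-ManagedAccountPrecededByLink (event 5136) are logged and can be alerted on.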