New Active Directory Threat: BadSuccessor
Have you heard of the new BadSuccessor privilege escalation technique that abuses Delegated Managed Service Accounts (dMSAs) in Windows Server 2025? If not, be sure to check out the blog here by Yuval Gordon from Akamai.
The TLDR is essentially the following:
If a user has the ability to create an object (such as a dMSA) within an OU, they can become Domain Admin.
- Create a dMSA account in an OU where you have the privileges to do so
- Grant yourself permissions to modify the dMSA account that you just created
- Modify the msDS-ManagedAccountPrecededByLink attribute on the created object to a privileged account
- Leverage tools to get the hash of the defined preceded account
This is all because Microsoft is not currently validating that the msDS-ManagedAccountPrecededByLink attribute value reflects an actual migration from the preceded account. Learn more about this process in the blog above or in Microsoft's documentation on dMSAs.
Investigation & Custom Threat
Below I will walk through how to easily create a custom investigation and threat within Netwrix Threat Manager to monitor for these potential changes. Be sure to check out my post in the Threat Prevention Show & Tell on how to set up a policy to monitor and/or block these changes.
- Navigate to the Investigate tab and create a query for ‘Attribute’ equals ‘msDS-ManagedAccountPrecededByLink’
- Save that, give it a name and description of your liking, and navigate to the saved investigation you just created.
- The next steps are optional, but if you want, you can create a custom threat to alert any time someone modifies this attribute (whether they are blocked by Threat Prevention or not). At the top, click ‘Create Threat’ and provide a description and definition, choose whether to send SIEM or email alerts or run any playbooks, then click Save. I chose not to configure any nor set a threshold, as I want to know every time this occurs.
After saving, if any modifications occur, you’ll see a new threat on the threat timeline and can view the details!
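If you also forward Windows Security logs to a SIEM, the same detection can be expressed as a rule over Directory Service Changes events (Event ID 5136). The script below is an added example and is not part of the original post or of Netwrix Threat Manager; the sample records and the privileged-account list are constructed, and the field names follow the 5136 event data.

```python
# Added example, not from the original post or Netwrix Threat Manager: flag
# Windows Security event 5136 (directory object modified) records that write
# msDS-ManagedAccountPrecededByLink. Field names follow the 5136 event data;
# the sample records and the privileged-account list are constructed.
PRECEDED_ATTR = "msDS-ManagedAccountPrecededByLink"
DMSA_CLASS = "msDS-DelegatedManagedServiceAccount"
VALUE_ADDED = "%%14674"  # 5136 OperationType code for "Value Added"
PRIVILEGED_DNS = {"CN=Administrator,CN=Users,DC=corp,DC=example"}  # constructed

# Constructed 5136 records flattened to "key=value;key=value" lines.
SAMPLE_EVENTS = [
    "EventID=5136;SubjectUserName=jdoe;ObjectDN=CN=svc-new,OU=Staging,DC=corp,DC=example;"
    f"ObjectClass={DMSA_CLASS};AttributeLDAPDisplayName={PRECEDED_ATTR};OperationType=%%14674;"
    "AttributeValue=CN=Administrator,CN=Users,DC=corp,DC=example",
    "EventID=5136;SubjectUserName=svc-ops;ObjectDN=CN=svc-web,OU=Staging,DC=corp,DC=example;"
    f"ObjectClass={DMSA_CLASS};AttributeLDAPDisplayName=description;OperationType=%%14674;"
    "AttributeValue=web front end",
    "EventID=5136;SubjectUserName=migadmin;ObjectDN=CN=svc-sql2,OU=Service Accounts,DC=corp,DC=example;"
    f"ObjectClass={DMSA_CLASS};AttributeLDAPDisplayName={PRECEDED_ATTR};OperationType=%%14674;"
    "AttributeValue=CN=svc-sql,OU=Service Accounts,DC=corp,DC=example",
]

def parse_event(raw):
    """Split on ';' and on the first '=' per field, so DNs (which contain
    '=' and ',') survive intact."""
    fields = {}
    for part in raw.split(";"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields

def classify(event):
    """Severity for one parsed event, or None if it is not a preceded-link write."""
    if event.get("EventID") != "5136" or event.get("AttributeLDAPDisplayName") != PRECEDED_ATTR:
        return None
    # Every write to this attribute is alert-worthy (the post alerts on each
    # modification); a new link to a privileged DN is the BadSuccessor pattern.
    if event.get("OperationType") == VALUE_ADDED and event.get("AttributeValue") in PRIVILEGED_DNS:
        return "critical"
    return "high"

def scan(raw_events):
    """Return (severity, actor, dMSA DN, linked DN) for each flagged record."""
    hits = []
    for raw in raw_events:
        ev = parse_event(raw)
        severity = classify(ev)
        if severity:
            hits.append((severity, ev["SubjectUserName"], ev["ObjectDN"], ev.get("AttributeValue", "")))
    return hits
```

Auditing of directory service changes must be enabled and a SACL on the OU must cover attribute writes, or no 5136 events are generated in the first place.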