PS-SRPRO (Sascha Reuter), May 22, 2025, 2:24pm
What is a one sentence summary of your feature request?
Informational Rule for BadSuccessor AD Vulnerability
Please describe your idea in detail. What is your problem, why do you feel this idea is the best solution, etc.
Implement checks as described here to check for accounts and OUs related to the new BadSuccessor AD Vulnerability.
https://www.akamai.com/blog/security-research/abusing-dmsa-for-privilege-escalation-in-active-directory#mitigation
How do you currently solve the challenges you have by not having this feature?
Manual check as described in the article
Added already into a GitHub beta build. See the announcement here.
Hi there everyone!
Just wanted to let you all know about some new research that came out in the AD Security space just yesterday.
There is a new attack vector in Active Directory where an attacker could abuse basic “Create all child objects” or specifically the create dMSA permission to create and use a Delegated Managed Service Account (dMSA) to compromise the secrets (password hashes) of any account in the domain.
This research was built on some previous research I did on how to extract dMS…
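The OU permission audit the linked mitigation section describes, written out as an added PowerShell example; it is not code from this thread, from the announcement, or from the product's own rule set. It assumes the RSAT ActiveDirectory module on a domain-joined host with read access to OU ACLs and the schema, resolves the dMSA class GUID from the schema rather than hard-coding it, and uses a constructed $expectedHolders allow-list that has to be tuned per domain. The predecessor-link attribute name in the second part is taken from the referenced research and should be verified against your own schema.

```powershell
# Added example (not from this thread or any product): report principals that can create
# dMSA objects in any OU, either through "Create all child objects" or through the
# class-specific create right, then list existing dMSAs and their predecessor link.
# Assumes the RSAT ActiveDirectory module on a domain-joined, authenticated host.
Import-Module ActiveDirectory -ErrorAction Stop

$rootDse = Get-ADRootDSE
$allGuid = [guid]'00000000-0000-0000-0000-000000000000'   # ObjectType of an ACE that covers every child class

# Resolve the dMSA class GUID from the schema; a forest without the class has no dMSA exposure.
$dmsaClass = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter '(&(objectClass=classSchema)(lDAPDisplayName=msDS-DelegatedManagedServiceAccount))' `
    -Properties schemaIDGUID
if (-not $dmsaClass) {
    throw 'msDS-DelegatedManagedServiceAccount is not in the schema; this forest has no dMSA support.'
}
$dmsaGuid = [guid]$dmsaClass.schemaIDGUID

# Constructed allow-list of principals expected to hold create rights on OUs; tune per domain.
$expectedHolders = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    "$env:USERDOMAIN\Domain Admins",
    "$env:USERDOMAIN\Enterprise Admins"
)

$createChild = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild
$allow       = [System.Security.AccessControl.AccessControlType]::Allow

$findings = foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
    $acl = Get-Acl -Path ('AD:\' + $ou.DistinguishedName)
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne $allow) { continue }
        # HasFlag also matches GenericAll, whose mask includes the CreateChild bit.
        if (-not $ace.ActiveDirectoryRights.HasFlag($createChild)) { continue }
        # Only ACEs that cover every child class, or the dMSA class specifically, are relevant.
        if ($ace.ObjectType -ne $allGuid -and $ace.ObjectType -ne $dmsaGuid) { continue }
        if ($ace.IdentityReference.Value -in $expectedHolders) { continue }

        $scope = if ($ace.ObjectType -eq $dmsaGuid) { 'dMSA objects only' } else { 'All child objects' }
        [pscustomobject]@{
            OU        = $ou.DistinguishedName
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.ActiveDirectoryRights.ToString()
            Scope     = $scope
            Inherited = $ace.IsInherited   # inherited ACEs still apply; the fix belongs at the source
        }
    }
}

# Existing dMSAs with the account each one is linked to as its predecessor.
# Attribute name as given in the referenced research; verify it against your schema.
$dmsas = Get-ADObject -LDAPFilter '(objectClass=msDS-DelegatedManagedServiceAccount)' `
    -Properties msDS-ManagedAccountPrecededByLink, whenCreated |
    Select-Object Name, DistinguishedName, whenCreated,
        @{ n = 'PrecededBy'; e = { $_.'msDS-ManagedAccountPrecededByLink' } }

Write-Host "OU ACEs granting dMSA creation to non-allow-listed principals: $(@($findings).Count)"
$findings | Format-Table -AutoSize
Write-Host "Existing dMSAs: $(@($dmsas).Count)"
$dmsas | Format-Table -AutoSize
```

Every row in the first table is a principal that can create a dMSA in that OU; any dMSA in the second table whose PrecededBy is set should be accounted for as an intended migration. Run it as a scheduled read-only job and diff the output against the previous run to catch newly granted rights or newly created dMSAs.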
Changing to in progress until it is in an official release rather than a beta
tepje, May 26, 2025, 11:37am
Was this added to the 3.3.0.12 build? Judging by the tags on GitHub, 3.3.0.12 and 3.3.0.12_beta are identical (Commit 548de82eb0d9631e7a244deffaaf63cfcd4fb460), but both of these do not include the BadSuccessor commit in the branch BadSuccessor.
Hi there,
It’s in the beta only.
I probably should have called it 3.3.0.13_beta in retrospect.
This was our first beta so will document this internally for beta releases for next time to avoid confusion.