New Check: dMSA Ouroboros

solidxsnake · May 14, 2026, 10:56am

What is a one sentence summary of your feature request?

Add a feature “Check for CreateChild permission”

Please describe your idea in detail. What is your problem, why do you feel this idea is the best solution, etc.

Customer is concerned that AD objects with Create Child permissions can be used as an attack vector for exploiting dMSA as described here:
dMSA Ouroboros: Self-Sustaining Credential Extraction in Windows Server 2025 | Huntress.

How do you currently solve the challenges you have by not having this feature?

As to how they would like to see this check implemented - This should show up under “Anomalies analysis” and list the objects that have this permission.

joe.dibley · May 14, 2026, 11:03am

We will make sure we get this into a release soon

We also have some stuff in the backlog to update the current BadSuccessor check to be updated with information on the patch too.

Topic		Replies	Views
Informational Rule for BadSuccessor AD Vulnerability Ideas completed , ideas	5	108	February 2, 2026
New Research: dMSA Accounts and BadSuccessor News pingcastle , announcement , security-research	0	844	May 22, 2025
BadSuccessor Investigation & Custom Threat Show & Tell threat-manager	0	80	May 23, 2025
BadSuccessor Monitoring & Blocking Show & Tell threat-prevention	0	154	May 23, 2025
Create RiskID "P-UnusualOwner" Ideas new , ideas	1	21	November 5, 2025

New Check: dMSA Ouroboros

What is a one sentence summary of your feature request?

Please describe your idea in detail. What is your problem, why do you feel this idea is the best solution, etc.

How do you currently solve the challenges you have by not having this feature?

Related topics