SecTor 2025 | The (Un)Rightful Heir: My dMSA Is Your New Domain Admin

Black Hat | Apr 17, 2026

Why It Matters

The vulnerability lets an attacker turn a low‑privilege dMSA into a domain admin, undermining the entire Active Directory trust model.

Key Takeaways

  • dMSA migration carries the legacy account's privileges over by merging them into the Kerberos ticket the DC issues for the dMSA.
  • Attackers can forge migration links to elevate privileges within Active Directory.
  • The "BadSuccessor" technique exploits dMSA attribute manipulation to escalate privileges.
  • Microsoft's patch closes the original vector, but a post‑patch variant remains viable when the attacker controls an OU‑based dMSA.
  • Organizations must restrict OU access to prevent dMSA abuse.

Summary

The SecTor 2025 talk unveiled a critical Active Directory flaw tied to the newly introduced Delegated Managed Service Account (dMSA). The speaker, Yuval Gordon, walked through the dMSA migration workflow (linking a legacy service account, granting temporary authentication rights, and finally superseding the old account), highlighting how the domain controller merges privilege data during ticket issuance.

Key insights include the discovery that the DC copies the legacy account's group memberships into the dMSA's Kerberos ticket (the PAC), effectively granting identical privileges without any explicit group assignment. By manipulating the migration attributes, an attacker can fabricate a link between a compromised dMSA and any high‑privilege account, a technique the presenter dubbed "BadSuccessor." Microsoft's initial fix addressed that vector, yet the post‑patch scenario still allows privilege escalation if the attacker controls an OU‑based dMSA.

The presenter demonstrated the attack flow: create or hijack a dMSA, alter its linking attributes to point at a domain admin account, trigger authentication, and receive a ticket that inherits the admin's rights. He emphasized that dMSAs placed in standard OUs are far easier to compromise than those in the restricted Managed Service Accounts container, making OU permissions a critical attack surface.

The implications are profound: organizations that have begun adopting dMSAs for seamless migration may inadvertently expose a path to domain‑wide compromise. Immediate mitigations include applying Microsoft's patches, auditing dMSA placements, tightening OU delegation, and monitoring for anomalous migration commands. Failure to act could let an attacker obtain domain admin privileges from a minimal foothold.
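As an added example (not code from the talk or from Akamai), the audit below applies the two conditions the summary singles out, a dMSA placed outside the Managed Service Accounts container and a migration link pointing at a privileged account, to constructed directory records. The attribute name msDS-ManagedAccountPrecededByLink is the real dMSA predecessor-link attribute, which the summary does not name; the DNs and group memberships are made up.

```python
"""Audit dMSA objects for suspicious migration links (defender-side check)."""
from __future__ import annotations

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
MSA_CONTAINER_RDN = "CN=Managed Service Accounts"


def parent_container(dn: str) -> str:
    """Return the DN of the object's parent. Naive split: assumes no escaped commas."""
    return ",".join(part.strip() for part in dn.split(",")[1:])


def audit_dmsa(dmsa: dict, accounts: dict[str, set[str]]) -> list[str]:
    """Return findings for one dMSA record (an empty list means nothing was flagged).

    dmsa: attributes of one msDS-DelegatedManagedServiceAccount object.
    accounts: map of account DN -> set of group names it belongs to.
    """
    findings = []
    parent = parent_container(dmsa["distinguishedName"])
    # The talk stresses that dMSAs in ordinary OUs are the exposed ones.
    if not parent.startswith(MSA_CONTAINER_RDN):
        findings.append(f"dMSA lives outside the Managed Service Accounts container: {parent}")
    # msDS-ManagedAccountPrecededByLink names the account this dMSA supersedes;
    # the DC folds that account's group memberships into the dMSA's PAC.
    predecessor = dmsa.get("msDS-ManagedAccountPrecededByLink")
    if predecessor:
        groups = accounts.get(predecessor)
        if groups is None:
            findings.append(f"predecessor link points at an unknown object: {predecessor}")
        elif groups & PRIVILEGED_GROUPS:
            findings.append(f"predecessor {predecessor} is privileged: {sorted(groups & PRIVILEGED_GROUPS)}")
    return findings


def audit_all(records: list[dict], accounts: dict[str, set[str]]) -> dict[str, list[str]]:
    """Run audit_dmsa over every record and keep only the ones with findings."""
    return {r["distinguishedName"]: f for r in records if (f := audit_dmsa(r, accounts))}


# Constructed sample data (not from the talk): one legitimate migration, one forged link.
DMSA_RECORDS = [
    {"distinguishedName": "CN=svc-web,CN=Managed Service Accounts,DC=corp,DC=example",
     "msDS-ManagedAccountPrecededByLink": "CN=svc-web-old,OU=Service,DC=corp,DC=example"},
    {"distinguishedName": "CN=rogue-dmsa,OU=Workstations,DC=corp,DC=example",
     "msDS-ManagedAccountPrecededByLink": "CN=Administrator,CN=Users,DC=corp,DC=example"},
]
ACCOUNTS = {  # constructed: DN -> group memberships
    "CN=svc-web-old,OU=Service,DC=corp,DC=example": {"Domain Users"},
    "CN=Administrator,CN=Users,DC=corp,DC=example": {"Domain Admins", "Administrators"},
}

if __name__ == "__main__":
    for dn, found in audit_all(DMSA_RECORDS, ACCOUNTS).items():
        print(dn, *("  - " + f for f in found), sep="\n")
```

In a live domain the records would come from an LDAP search for objectClass msDS-DelegatedManagedServiceAccount and the group map from each linked account's memberOf.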

Original Description

Delegated Managed Service Accounts (dMSA) are a new type of account introduced in Windows Server 2025. Their primary goal was to improve the security of domain environments. As it turns out, that didn't go so well.
In this talk, we will introduce BadSuccessor - an attack that abuses dMSAs to escalate privileges in Active Directory. Crucially, the attack works even if your domain doesn't use dMSAs at all.
We'll demonstrate how a very common, and seemingly benign, permission in Active Directory can allow an attacker to trick a Domain Controller into issuing a Kerberos ticket for any principal - including Domain Admins and Domain Controllers. Then we'll take it a step further, showing how the same technique can be used to obtain the NTLM hash of every user in the domain - without ever touching the domain controller.
We'll walk through how we found this attack, how it works, and its potential impact on AD environments. You'll leave with detection tips, mitigation ideas, and a new appreciation for obscure AD attributes that can punch far above their weight.
By: Yuval Gordon | Security Researcher, Akamai
Presentation Materials Available at:
