When Good Accounts Go Bad: Exploiting Delegated Managed Service Accounts in Active Directory unit42.paloaltonetworks.com/badsucces…
BadSuccessor is a critical attack vector that emerged following the release of Windows Server 2025. Under certain conditions, this server version allows users to misuse delegated Managed Service Accounts (dMSAs) to elevate privileges within Active Directory environments running Windows Server 2025. At the time of writing, no patch exists for this issue.
By analyzing the core mechanics of this technique and offering practical detection strategies, we help security professionals and system administrators understand dMSAs and how attackers can misuse them to elevate privileges. We also provide advice on implementing effective detection and mitigation measures. BadSuccessor is a novel technique that enables a threat actor with sufficient privileges to compromise an Active Directory (AD) domain by misusing delegated Managed Service Account (dMSA) objects under their control.
Originally detailed in research published by Akamai, this technique demonstrates how modifying a small set of attributes on a dMSA object under the attacker's control can lead to privilege escalation within the environment. Publicly available tools have already been released to automate various steps of this technique, potentially lowering the barrier to its use.