BadSuccessor: Unpatched Microsoft Active Directory attack enables domain takeover

Source: BadSuccessor: Unpatched Microsoft Active Directory attack enables domain takeover | CSO Online

Author: unknown

URL: https://www.csoonline.com/article/3992456/badsuccessor-unpatched-microsoft-active-directory-attack-enables-domain-takeover.html

ONE SENTENCE SUMMARY:

Akamai researchers disclosed “BadSuccessor”, a still-unpatched vulnerability in Windows Server 2025 Active Directory that lets an attacker holding only CreateChild rights on an Organizational Unit escalate to full domain compromise without first owning a privileged account.

MAIN POINTS:

  1. Researchers identified “BadSuccessor,” a new vulnerability in Windows Server 2025 Active Directory.
  2. The flaw abuses Delegated Managed Service Accounts (dMSA), a Windows Server 2025 feature intended to replace legacy service accounts and mitigate Kerberoasting.
  3. Attackers can impersonate any user, including domain administrators, through manipulated dMSA account attributes.
  4. Microsoft rated the issue moderate severity and did not treat it as requiring an immediate fix; the researchers strongly disagreed and published the details.
  5. A dMSA marked as the successor of an existing account inherits that account's permissions through the migration link, and nothing in the migration process validates that the migration was actually authorized.
  6. Key Distribution Center (KDC) mistakenly grants privileges based solely on easily manipulated account attributes.
  7. Attackers can exploit CreateChild permissions on Organizational Units (OUs) to create malicious dMSA accounts.
  8. The migration state lives only in attributes the dMSA creator controls (msDS-ManagedAccountPrecededByLink and msDS-DelegatedMSAState), so an unprivileged user who can create a dMSA can point it at any account, mark the migration complete, and receive a ticket carrying that account's privileges.
  9. The KERB-DMSA-KEYPACKAGE structure returned with the dMSA's TGT also carries the Kerberos keys of the superseded account (derived from its password), so the attacker obtains that account's key material and not just its group memberships.
  10. Akamai released a PowerShell script and monitoring guidelines for organizations until Microsoft provides an official patch.

TAKEAWAYS:

  1. Immediately review who holds CreateChild rights on OUs (the permission needed to create a dMSA) and restrict it to a small set of trusted administrators; delegated helpdesk or application teams rarely need it.
  2. Use Akamai’s provided PowerShell script to audit current AD environments for vulnerable permissions.
  3. Implement the recommended SACLs so that creation of dMSA objects and changes to their migration attributes are logged (with directory object auditing enabled these appear on the DC as Security events 5137 for object creation and 5136 for attribute modification).
  4. Regularly monitor Kerberos TGT requests by dMSAs (recognizable by the KERB-DMSA-KEYPACKAGE in the ticket) and investigate any dMSA that is not part of a planned migration.
  5. Advocate for urgent internal review of AD permissions despite Microsoft’s moderate severity rating.
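
The following PowerShell is an added example that covers takeaways 1 to 3 together; it is not the CSO article's text and not Akamai's published script. It enumerates every OU's ACL for principals that can create child objects (either any class, or specifically the msDS-DelegatedManagedServiceAccount class, whose schema GUID is read from the schema rather than hardcoded), then pulls Security events 5137 and 5136 for dMSA creations and changes to msDS-DelegatedMSAState or msDS-ManagedAccountPrecededByLink. It assumes the ActiveDirectory RSAT module, a domain-joined session, and, for the event part, directory object auditing with a SACL on those attributes already in place. The function names Get-BadSuccessorCandidateAces and Get-SuspiciousDmsaEvents and the list of expected administrators are hypothetical and should be adjusted to the environment.

```powershell
# Added example, not the article's or Akamai's own script. Audits the two
# preconditions the summary describes: who can create child objects (and so
# dMSAs) in each OU, and whether dMSA creations or migration-attribute changes
# show up in the Security log. Assumes the ActiveDirectory RSAT module, a
# domain-joined session, and (for the event check) directory object auditing
# with a SACL on the dMSA attributes. Function names are hypothetical.
Import-Module ActiveDirectory

# Resolve the schemaIDGUID of the dMSA object class from the schema instead of
# hardcoding it; an ACE scoped to this GUID grants CreateChild for dMSAs only.
$schemaNC  = (Get-ADRootDSE).schemaNamingContext
$dmsaClass = Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(lDAPDisplayName=msDS-DelegatedManagedServiceAccount)' `
    -Properties schemaIDGUID
$dmsaGuid  = [guid]$dmsaClass.schemaIDGUID

# Principals expected to hold CreateChild on OUs; anything else is reported.
# Adjust to the environment (assumed list).
$expectedAdmins = @(
    'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
    "$env:USERDOMAIN\Domain Admins", "$env:USERDOMAIN\Enterprise Admins"
)

function Get-BadSuccessorCandidateAces {
    param([string[]]$Exclude = $expectedAdmins)
    $createChild = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild
    foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
        $acl = Get-Acl -Path "AD:\$($ou.DistinguishedName)"
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            # GenericAll includes the CreateChild bit, so HasFlag covers both.
            if (-not $ace.ActiveDirectoryRights.HasFlag($createChild)) { continue }
            # An empty ObjectType means "any child class", which includes dMSA;
            # a non-empty one only matters if it is the dMSA class itself.
            $anyClass = ($ace.ObjectType -eq [guid]::Empty)
            if (-not $anyClass -and $ace.ObjectType -ne $dmsaGuid) { continue }
            if ($Exclude -contains $ace.IdentityReference.Value) { continue }
            [pscustomobject]@{
                OU        = $ou.DistinguishedName
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.ActiveDirectoryRights
                Scope     = if ($anyClass) { 'any child class' } else { 'dMSA class only' }
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Security events 5137 (object created) and 5136 (attribute modified) are only
# written when a matching SACL exists, which is what takeaway 3 asks for.
function Get-SuspiciousDmsaEvents {
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$Hours = 24)
    $watched = @('msDS-DelegatedMSAState', 'msDS-ManagedAccountPrecededByLink')
    $events = Get-WinEvent -ComputerName $ComputerName -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = 5136, 5137; StartTime = (Get-Date).AddHours(-$Hours)
    }
    foreach ($e in $events) {
        # Flatten the EventData <Data Name="..."> elements into a lookup table.
        $data = @{}
        foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
        $dmsaCreated  = $e.Id -eq 5137 -and $data.ObjectClass -eq 'msDS-DelegatedManagedServiceAccount'
        $linkModified = $e.Id -eq 5136 -and $watched -contains $data.AttributeLDAPDisplayName
        if ($dmsaCreated -or $linkModified) {
            [pscustomobject]@{
                Time      = $e.TimeCreated
                EventId   = $e.Id
                Subject   = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
                Object    = $data.ObjectDN
                Attribute = $data.AttributeLDAPDisplayName
                Value     = $data.AttributeValue
            }
        }
    }
}

# Usage: run on (or against) a domain controller with sufficient rights.
Get-BadSuccessorCandidateAces | Format-Table -AutoSize
Get-SuspiciousDmsaEvents -Hours 24 | Format-Table -AutoSize
```

Every row from the first function is a principal that can create a dMSA somewhere in the directory and therefore satisfies the attack's only precondition; rows whose Identity is not a deliberately delegated administrator should be removed or investigated. A 5136 event that sets msDS-DelegatedMSAState or msDS-ManagedAccountPrecededByLink from an account that is not running a planned migration is the attribute manipulation described in main point 8 and warrants an immediate look at the linked target account.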