A PowerShell tool that automates the BadSuccessor privilege escalation attack in Active Directory.
BadSuccessor (CVE-2025-53779) is an Active Directory vulnerability discovered by Akamai researcher Yuval Gordon, affecting environments running Windows Server 2025 domain controllers.
Under specific conditions, it allows an attacker to impersonate any domain user, including privileged accounts. It abuses a feature introduced in Windows Server 2025, the delegated Managed Service Account (dMSA).
This script automates the entire attack chain end-to-end, including optional Kerberos ticket extraction via Rubeus when the tool is present in the current directory.
Windows Server 2025 introduced a new object type: delegated Managed Service Accounts (dMSA). dMSAs were added to simplify the migration of legacy service accounts to managed accounts.
During legitimate migration:
- a dMSA represents the new identity
- the target service account becomes linked to the dMSA
- once migration completes, the target account is disabled
However, two important attributes controlling this behavior were discovered to be unprotected:
- msDS-DelegatedMSAState
- msDS-ManagedAccountPrecededByLink
An attacker with permission to modify these attributes on any dMSA object can:
- Link the dMSA to any target account
- Mark the dMSA as “migration completed”
- Make the Domain Controller (KDC) issue Kerberos tickets for the dMSA that carry the target account's identity and group memberships
As long as an attacker is able to modify these attributes on a dMSA, they can compromise any domain user, since the "predecessor" link is never validated against the target account's own permissions.
For a complete explanation, see the original Akamai research.
The vulnerability is specific to Windows Server 2025, which introduced the dMSA feature; it did not exist in earlier versions. Domain controller builds before 10.0.26100.4851 are vulnerable.
The script checks whether the target domain controller is vulnerable before attempting the attack.
To exploit BadSuccessor, the attacker needs:
- Access to a domain account.
- Permission to create objects (CreateChild) inside at least one OU, necessary for creating a computer object and a dMSA.
Using PowerView we can check whether we have the required level of access over an OU:

```powershell
Import-Module .\PowerView.ps1
$sid = ConvertTo-SID <DOMAIN-USER-OR-GROUP>
# This command reveals any access we have over any domain object;
# look for CreateChild (or GenericAll, WriteDacl, WriteOwner) on an OU
Get-DomainObjectAcl -ResolveGUIDs | ?{ $_.SecurityIdentifier -eq $sid }
```

- In order for Kerberos abuse to work, a recent version of Rubeus.exe is required. Since dMSA is a recent AD feature, support for it was only added in November 2024.
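The two preconditions above (a DC on a vulnerable build, and CreateChild rights on some OU) can also be checked with the built-in ActiveDirectory module instead of PowerView. The script below is an added example and is not part of BadSuccessor.ps1 or the original research; it assumes RSAT is installed, that WinRM to the domain controllers is allowed (the update build revision is not exposed in AD, so it is read from each DC's registry), and uses `jdoe` as a placeholder principal. The fixed-build threshold is the value stated in this README.

```powershell
# Added example, not part of BadSuccessor.ps1: checks the two preconditions
# listed above with the built-in ActiveDirectory module instead of PowerView.
# Assumptions not taken from the README: RSAT is installed, WinRM to the DCs
# is allowed (needed to read the UBR), and 'jdoe' is a placeholder principal.
# The fixed-build threshold 10.0.26100.4851 is the value this README states.

Import-Module ActiveDirectory

# 1. Which Windows Server 2025 DCs are still below the fixed build?
#    operatingSystemVersion in AD only carries "10.0 (26100)", so the
#    update build revision (UBR) is read from each DC's registry.
function Get-VulnerableDC {
    param([version]$FixedBuild = [version]'10.0.26100.4851')

    foreach ($dc in Get-ADDomainController -Filter *) {
        # dMSAs only exist on Server 2025 (build 26100); older DCs are out of scope
        if ($dc.OperatingSystemVersion -notmatch '26100') { continue }
        $buildStr = Invoke-Command -ComputerName $dc.HostName -ScriptBlock {
            $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
            "10.0.$($cv.CurrentBuild).$($cv.UBR)"
        }
        $build = [version]$buildStr
        [pscustomobject]@{
            DC         = $dc.HostName
            Build      = $build
            Vulnerable = ($build -lt $FixedBuild)
        }
    }
}

# 2. On which OUs can a principal create child objects? CreateChild counts
#    when it applies to all classes (ObjectType = empty GUID) or to the dMSA
#    class; GenericAll/WriteDacl/WriteOwner are reported too, since they can
#    be turned into CreateChild. Nested group membership and the well-known
#    SIDs every domain account holds are included in the comparison.
function Get-OUCreateChildRights {
    param([Parameter(Mandatory)][string]$Principal)

    $obj  = Get-ADObject -Filter "sAMAccountName -eq '$Principal'" -Properties objectSid
    $sids = @($obj.objectSid.Value, 'S-1-1-0', 'S-1-5-11')   # self, Everyone, Authenticated Users
    $sids += Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($obj.DistinguishedName))" -Properties objectSid |
             ForEach-Object { $_.objectSid.Value }

    # Look the dMSA class GUID up from the schema rather than hardcoding it
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $dmsaGuid = [guid]::new([byte[]](Get-ADObject -SearchBase $schemaNC -Properties schemaIDGUID `
        -LDAPFilter '(lDAPDisplayName=msDS-DelegatedManagedServiceAccount)').schemaIDGUID)

    $R = [System.DirectoryServices.ActiveDirectoryRights]
    $broadMask = [int]($R::GenericAll -bor $R::WriteDacl -bor $R::WriteOwner)

    foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
        $acl = Get-Acl -Path "AD:\$($ou.DistinguishedName)"
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            try { $aceSid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
            catch { continue }                                  # unresolvable trustee
            if ($aceSid -notin $sids) { continue }

            $rights    = [int]$ace.ActiveDirectoryRights
            $canCreate = (($rights -band [int]$R::CreateChild) -ne 0) -and
                         ($ace.ObjectType -eq [guid]::Empty -or $ace.ObjectType -eq $dmsaGuid)
            $broad     = ($rights -band $broadMask) -ne 0
            if ($canCreate -or $broad) {
                [pscustomobject]@{
                    OU         = $ou.DistinguishedName
                    Trustee    = $ace.IdentityReference.Value
                    Rights     = $ace.ActiveDirectoryRights
                    ObjectType = $ace.ObjectType
                }
            }
        }
    }
}

Get-VulnerableDC | Format-Table -AutoSize
Get-OUCreateChildRights -Principal 'jdoe' | Format-Table -AutoSize
```

Any OU returned by the second function is a candidate for `-TargetOU`. An empty result for the build check can also mean WinRM was refused; treat that as "unknown", not "patched".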
This PowerShell script automates the full BadSuccessor attack:
- Creates a new computer object
- Creates a new dMSA
- Grants GenericAll permissions over the dMSA
- Modifies the required attributes (msDS-DelegatedMSAState, msDS-ManagedAccountPrecededByLink)
- If Rubeus.exe is found in the working directory, a Pass-the-Ticket attack will be performed. The obtained ticket for the dMSA will be saved as <dMSAName>.b64
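The same two attributes the script modifies are what a defender should watch. The following is an added example, not part of BadSuccessor.ps1 or the original research: it sweeps the domain for dMSA objects whose predecessor link points at an account that is still enabled while the state claims the migration completed, or at a protected account. Two assumptions are not taken from this README: state value 2 is treated as "migration completed", and adminCount=1 is used as the privilege marker.

```powershell
# Added example, not part of BadSuccessor.ps1: a defender-side sweep for dMSA
# objects carrying the two attributes the attack abuses. A legitimate
# migration disables the predecessor once the state reaches "completed", so a
# completed link to an enabled account, or any link to a privileged account,
# is worth an alert. Assumptions not taken from the README: state value 2 is
# treated as "migration completed" and adminCount=1 as the privilege marker.

Import-Module ActiveDirectory

function Get-SuspiciousDMSA {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)

    $props = 'msDS-DelegatedMSAState', 'msDS-ManagedAccountPrecededByLink', 'whenCreated', 'whenChanged'
    $dmsas = Get-ADObject -SearchBase $SearchBase -Properties $props `
        -LDAPFilter '(objectClass=msDS-DelegatedManagedServiceAccount)'

    foreach ($d in $dmsas) {
        # The link is DN-valued and multi-valued; no link means nothing to impersonate
        $links = @($d.'msDS-ManagedAccountPrecededByLink')
        if ($links.Count -eq 0) { continue }

        foreach ($linkDn in $links) {
            $pred = Get-ADObject -Identity $linkDn -Properties userAccountControl, adminCount, sAMAccountName
            $predEnabled = ($pred.userAccountControl -band 0x2) -eq 0   # 0x2 = ACCOUNTDISABLE
            $reasons = @()
            if ($d.'msDS-DelegatedMSAState' -eq 2 -and $predEnabled) {
                $reasons += 'state=completed but predecessor still enabled'
            }
            if ($pred.adminCount -eq 1) {
                $reasons += 'predecessor is a protected (adminCount=1) account'
            }
            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    dMSA        = $d.DistinguishedName
                    State       = $d.'msDS-DelegatedMSAState'
                    Predecessor = $pred.sAMAccountName
                    Created     = $d.whenCreated
                    Changed     = $d.whenChanged
                    Reasons     = $reasons -join '; '
                }
            }
        }
    }
}

Get-SuspiciousDMSA | Format-Table -AutoSize
```

Run it on a schedule rather than once: the attributes can be set, used to obtain a ticket, and cleared again within minutes, so a point-in-time sweep should be paired with directory-change auditing on the same two attributes.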
The only mandatory parameter is -TargetOU:

```powershell
.\BadSuccessor.ps1 -TargetOU "OU=Staff,DC=domain,DC=com"
```

This tool is provided for educational and authorized security testing purposes only. Do not use it in environments where you do not have explicit permission.