SecTor 2025 | The (Un)Rightful Heir: My dMSA Is Your New Domain Admin
Delegated Managed Service Accounts (dMSA) are a new type of account introduced in Windows Server 2025. Their primary goal was to improve the security of domain environments. As it turns out, that didn’t go so well.
In this talk, we will introduce BadSuccessor – an attack that abuses dMSAs to escalate privileges in Active Directory. Crucially, the attack works even if your domain doesn’t use dMSAs at all.
We’ll demonstrate how a very common, and seemingly benign, permission in Active Directory can allow an attacker to trick a Domain Controller into issuing a Kerberos ticket for any principal – including Domain Admins and Domain Controllers. Then we’ll take it a step further, showing how the same technique can be used to obtain the NTLM hash of every user in the domain – without ever touching the domain controller.
We’ll walk through how we found this attack, how it works, and its potential impact on AD environments. You’ll leave with detection tips, mitigation ideas, and a new appreciation for obscure AD attributes that can punch far above their weight.
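The abstract promises detection tips but does not name the permission or the attributes involved. The following is an added example, not part of the talk materials or Akamai's code: a small triage routine that runs over Windows Security directory-service audit events (5137, object created; 5136, object modified) and flags a dMSA being created and then pointed at another account. The object class and attribute names it looks for (msDS-DelegatedManagedServiceAccount, msDS-ManagedAccountPrecededByLink, msDS-DelegatedMSAState) and the "%%14674" Value Added operation code are taken from the Windows Server 2025 schema and the standard audit event layout as I know them, not from this page; the domain, account names, DNs and the events themselves are constructed for the example.

```python
"""Triage Windows directory-service audit events for suspicious dMSA activity.

Added example (not from the talk). The schema/attribute names below are
assumptions drawn from the Windows Server 2025 AD schema, not from the abstract.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Assumed schema names (not stated in the abstract).
DMSA_CLASS = "msDS-DelegatedManagedServiceAccount"
LINK_ATTR = "msDS-ManagedAccountPrecededByLink"   # which account the dMSA "succeeds"
STATE_ATTR = "msDS-DelegatedMSAState"            # migration state of the dMSA
VALUE_ADDED = "%%14674"                          # OperationType code for "Value Added"


@dataclass
class Finding:
    event_id: int
    actor: str       # DOMAIN\\user that performed the change
    object_dn: str   # the dMSA object touched
    detail: str


def parse_event(xml_text: str):
    """Return (EventID, {Data Name: value}) from one Security event in XML form."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    data = {d.get("Name"): (d.text or "")
            for d in root.findall("e:EventData/e:Data", NS)}
    return event_id, data


def analyse(xml_text: str) -> Optional[Finding]:
    """Flag dMSA creation and writes to the two link/state attributes."""
    event_id, d = parse_event(xml_text)
    actor = f"{d.get('SubjectDomainName', '')}\\{d.get('SubjectUserName', '')}"
    if d.get("ObjectClass") != DMSA_CLASS:
        return None  # only dMSA objects are of interest here
    if event_id == 5137:
        return Finding(5137, actor, d.get("ObjectDN", ""), "dMSA object created")
    if event_id == 5136 and d.get("OperationType") == VALUE_ADDED:
        attr = d.get("AttributeLDAPDisplayName", "")
        if attr in (LINK_ATTR, STATE_ATTR):
            return Finding(5136, actor, d.get("ObjectDN", ""),
                           f"{attr} set to {d.get('AttributeValue', '')}")
    return None


def scan(events):
    """Run analyse() over a list of event XML strings and keep the findings."""
    return [f for f in (analyse(e) for e in events) if f is not None]


def _event(event_id: int, **fields) -> str:
    """Build a minimal Security event XML string (constructed test data)."""
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID></System>'
            f'<EventData>{data}</EventData></Event>')


# Constructed sample: "bob" (no admin rights) creates a dMSA in an OU he can write
# to, links it to Administrator and sets the state; "alice" edits an unrelated user.
DMSA_DN = "CN=svc-backup,OU=Staging,DC=corp,DC=local"
SAMPLE_EVENTS = [
    _event(5137, SubjectUserName="bob", SubjectDomainName="CORP",
           ObjectDN=DMSA_DN, ObjectClass=DMSA_CLASS),
    _event(5136, SubjectUserName="bob", SubjectDomainName="CORP",
           ObjectDN=DMSA_DN, ObjectClass=DMSA_CLASS,
           AttributeLDAPDisplayName=LINK_ATTR,
           AttributeValue="CN=Administrator,CN=Users,DC=corp,DC=local",
           OperationType=VALUE_ADDED),
    _event(5136, SubjectUserName="bob", SubjectDomainName="CORP",
           ObjectDN=DMSA_DN, ObjectClass=DMSA_CLASS,
           AttributeLDAPDisplayName=STATE_ATTR, AttributeValue="2",
           OperationType=VALUE_ADDED),
    _event(5136, SubjectUserName="alice", SubjectDomainName="CORP",
           ObjectDN="CN=alice,OU=Staff,DC=corp,DC=local", ObjectClass="user",
           AttributeLDAPDisplayName="description", AttributeValue="Helpdesk",
           OperationType=VALUE_ADDED),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.event_id}] {f.actor} -> {f.object_dn}: {f.detail}")
```

Two caveats for anyone wiring this into a real pipeline: 5136/5137 are only written when "Audit Directory Service Changes" is enabled and the OU carries a SACL covering object creation and attribute writes, so confirm the events exist before trusting their absence; and because the abstract stresses that the attack works without any dMSA in use, a single dMSA creation event in a domain that has never deployed them is itself worth treating as an alert rather than noise.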
By: Yuval Gordon | Security Researcher, Akamai
Presentation Materials Available at:
https://blackhat.com/sector/2025/briefings/schedule/?#the-unrightful-heir-my-dmsa-is-your-new-domain-admin-47146