🛡️ Deep Dive: BadSuccessor – Full Active Directory Compromise

The Weekly Purple Team
30 May 202522:01

Summary

TLDRIn this video, Bribone explores the 'Bad Successor' attack leveraging a vulnerability in Server 2025's Delegated Managed Service Accounts. The attacker exploits a misconfiguration in Active Directory permissions, allowing them to gain full domain control. The tutorial demonstrates the complex manual process of performing the attack via PowerShell and Rubius, followed by a quicker method using Logan Goins' Sharp Successor tool. Finally, the video dives into effective detection techniques for blue teams, highlighting PowerShell events, Sharp Successor behavior, and password-fetching logs. A comprehensive guide to both executing and defending against this advanced security threat.

Takeaways

  • 😀 Bad successor leverages a new feature in Server 2025 called delegated managed service accounts (DMSA).
  • 😀 The vulnerability lies in having control over an Organizational Unit (OU), allowing attackers to target resources they shouldn't.
  • 😀 Adversaries can exploit this vulnerability using tools like Rubius and PowerShell, although detection is fairly easy for defenders.
  • 😀 The method involves creating a machine account, generating a password hash, and using Rubius to request a TGT (Ticket Granting Ticket).
  • 😀 Sharp Successor, a tool by Logan Goins, automates the attack process, simplifying the attack workflow significantly.
  • 😀 Once a DMSA is created, attackers can impersonate a domain administrator and escalate privileges across the domain.
  • 😀 The attack is demonstrated on a Windows 11 host using PowerShell, followed by automation with Sharp Successor for faster exploitation.
  • 😀 The detection of Bad Successor involves looking for event codes like 4104 and 4688, as well as suspicious process arguments like 'impersonate' and 'path'.
  • 😀 Bad Successor allows an adversary to take full control of a domain by attaching a delegated managed service account to critical accounts like domain admins.
  • 😀 For blue team detection, focus on event code 4104 for PowerShell-based attacks and behaviors indicative of Sharp Successor for detecting automated exploitation.
  • 😀 Blue teams can detect abnormal behavior by looking for unusual service account creations, impersonation actions, and ticket-fetching activity.

Q & A

  • What is the main concept behind 'Bad Successor' as discussed in the video?

    -Bad Successor is an attack technique that exploits a vulnerability in Server 2025 through the use of Delegated Managed Service Accounts (DMSAs). The attack targets organizations where a user has control over an Organizational Unit (OU) and can create and manipulate DMSAs, eventually gaining full domain control.

  • What is the role of Delegated Managed Service Accounts (DMSAs) in the Bad Successor technique?

    -DMSAs allow the creation of service accounts that can be associated with different resources in an Active Directory domain. In the context of Bad Successor, an attacker who controls a specific OU can create a DMSA and link it to sensitive accounts, such as domain administrator accounts, allowing them to compromise the domain.

  • How does an attacker exploit the permissions on an Organizational Unit (OU) in the context of Bad Successor?

    -If an attacker gains control over an OU with 'Create All Child Objects' permission, they can create machine accounts and service accounts, which can then be linked to privileged domain accounts, leading to a potential domain takeover.

  • What tools are demonstrated in the video for exploiting the Bad Successor vulnerability?

    -The video demonstrates the use of PowerShell and Rubius for manually exploiting the Bad Successor vulnerability. Additionally, a tool called 'Sharp Successor' by Logan Goins is shown as a quicker and easier way to automate the process.

  • Why is Rubius necessary for executing the Bad Successor attack?

    -Rubius is necessary because it helps in requesting and manipulating Kerberos tickets. In the Bad Successor attack, Rubius is used to extract hashes and request ticket-granting tickets (TGT) for machine accounts and DMSAs, which is crucial for escalating privileges.

  • What is the advantage of using Sharp Successor over the manual PowerShell approach?

    -Sharp Successor simplifies the exploitation process by automating the creation of Delegated Managed Service Accounts and other necessary steps, reducing the complexity and number of commands needed compared to the manual PowerShell method.

  • How can blue teams detect the exploitation of Bad Successor?

    -Blue teams can detect the exploitation of Bad Successor by monitoring event logs for suspicious activities, such as the creation of Delegated Managed Service Accounts (event code 4104) and the use of Sharp Successor (event code 4688 with specific process arguments). They can also monitor for unusual password fetching activity in the domain (event code 2946).

  • What PowerShell event code is important for detecting the creation of Delegated Managed Service Accounts?

    -Event code 4104 is important for detecting the creation of Delegated Managed Service Accounts, which is a key step in the Bad Successor attack. This event logs the execution of PowerShell commands related to the creation of these accounts.

  • Why is event code 4688 significant in detecting Sharp Successor's activity?

    -Event code 4688 logs the creation of new processes, and it is significant in detecting Sharp Successor because it logs the execution of the Sharp Successor tool, which can be identified by specific process arguments like 'impersonate', 'account', and 'path'.

  • What additional detection method is suggested for identifying the fetching of a password for a Delegated Managed Service Account?

    -Event code 2946 can be used to detect the fetching of a password for a Delegated Managed Service Account. Monitoring this event helps in identifying when an attacker retrieves the password for the account, which is a critical step in the attack.

Outlines

plate

Cette section est réservée aux utilisateurs payants. Améliorez votre compte pour accéder à cette section.

Améliorer maintenant

Mindmap

plate

Cette section est réservée aux utilisateurs payants. Améliorez votre compte pour accéder à cette section.

Améliorer maintenant

Keywords

plate

Cette section est réservée aux utilisateurs payants. Améliorez votre compte pour accéder à cette section.

Améliorer maintenant

Highlights

plate

Cette section est réservée aux utilisateurs payants. Améliorez votre compte pour accéder à cette section.

Améliorer maintenant

Transcripts

plate

Cette section est réservée aux utilisateurs payants. Améliorez votre compte pour accéder à cette section.

Améliorer maintenant

Voir Plus de Vidéos Connexes

Impacket GetUserSPNs & Kerberoasting Explained

Overview of the Google Cloud Security Command Center

DDoS Attack Explained | How to Perform DOS Attack | Ethical Hacking and Penetration Testing

Don't make random HTTP requests.

CSRF - Lab #3 CSRF where token validation depends on token being present | Long Version

Windows Server Homelab: Implementing Service Accounts| Single Purpose Computers (Ep 6)

Rate This

5.0 / 5 (0 votes)

Summary
Outlines
Mindmap
Keywords
Highlights
Transcripts
Étiquettes Connexes
CybersecurityRed TeamingBlue TeamWindows ServerBad SuccessorPowerShellSecurity ExploitHacking ToolsEDR BypassDelegated MSAActive Directory
Besoin d'un résumé en anglais ?