What starting position does this attack require?

The first step is Principal w/ Create-Child rights in an OU (T1078) — a initial access primitive. Assumed environment: at least one DC is Server 2025 and a delegation exists letting an attacker create or modify a DMSA in any OU.

What is the final impact of this kill-chain?

The final step lands on Authenticate as the DMSA (AD-DMSA), which falls under Lateral Movement. From here, an operator typically pivots into post-exploitation or maintains persistence.

How can defenders detect or prevent this attack?

Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

← RegistryDossier · 5 steps · 4 edges

Approved

BadSuccessor (DMSA, 2025) → instant Domain Admin

Server 2025's Delegated Managed Service Accounts inherit the powers of any account listed in msDS-ManagedAccountPrecededByLink — letting an OU-admin escalate to DA without any patch chain.

Filed by AD Knowledge BasePublished 2026-05-26

§ Kill-chainDrag · zoom · scroll

Initial Access

Principal w/ Create-Child rights in an OU

T1078 · Valid Accounts

Credential Access

DCSync as DA

T1003.006 · DCSync

Privilege Escalation

Set msDS-ManagedAccountPrecededByLink → DA

AD-BADSUCCESSOR · BadSuccessor (DMSA, 2025)

Privilege Escalation

Create a DMSA in that OU

AD-BADSUCCESSOR · BadSuccessor (DMSA, 2025)

New-ADServiceAccount -DelegatedManagedServiceAccount …

Lateral Movement

Authenticate as the DMSA

AD-DMSA · Delegated Managed Service Account Auth

Inherits the predecessor's group memberships and SIDs in its TGT.

§ Context

Assumed environment: at least one DC is Server 2025 and a delegation exists letting an attacker create or modify a DMSA in any OU.

§ Steps

01
Principal w/ Create-Child rights in an OUInitial Access
T1078— Valid Accounts
02
DCSync as DACredential Access
T1003.006— DCSync
03
Set msDS-ManagedAccountPrecededByLink → DAPrivilege Escalation
AD-BADSUCCESSOR— BadSuccessor (DMSA, 2025)
04
Create a DMSA in that OUPrivilege Escalation
AD-BADSUCCESSOR— BadSuccessor (DMSA, 2025)
New-ADServiceAccount -DelegatedManagedServiceAccount …
05
Authenticate as the DMSALateral Movement
AD-DMSA— Delegated Managed Service Account Auth
Inherits the predecessor's group memberships and SIDs in its TGT.

§ References

T1078Valid Accounts
T1003.006DCSync

§ Frequently asked

What is the "BadSuccessor (DMSA, 2025) → instant Domain Admin" attack path?: Server 2025's Delegated Managed Service Accounts inherit the powers of any account listed in msDS-ManagedAccountPrecededByLink — letting an OU-admin escalate to DA without any patch chain. It chains 5 steps drawn from real-world offensive-security techniques.
What starting position does this attack require?: The first step is Principal w/ Create-Child rights in an OU (T1078) — a initial access primitive. Assumed environment: at least one DC is Server 2025 and a delegation exists letting an attacker create or modify a DMSA in any OU.
What is the final impact of this kill-chain?: The final step lands on Authenticate as the DMSA (AD-DMSA), which falls under Lateral Movement. From here, an operator typically pivots into post-exploitation or maintains persistence.
How can defenders detect or prevent this attack?: Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

BadSuccessor (DMSA, 2025) → instant Domain Admin

§ Context

§ Steps

§ References

§ Frequently asked

§ Related dossiers

mitm6 IPv6 SLAAC → NTLM relay → DA

PetitPotam + ADCS ESC8 → Domain Controller takeover

noPac / sAMAccountName spoofing → Domain Admin

Unconstrained delegation → Capture DC TGT → DCSync

ADCS ESC1 → Domain Admin

GenericWrite on Domain Admins → AddMember → DA