{"id":50736368,"url":"https://github.com/blwhit/badsuccessor-dmsa-scanner","last_synced_at":"2026-06-10T14:01:10.642Z","repository":{"id":309615874,"uuid":"1036928773","full_name":"blwhit/BadSuccessor-dMSA-Scanner","owner":"blwhit","description":"PowerShell tool to audit Active Directory for BadSuccessor dMSA privilege escalation attack paths, including direct/indirect memberships.","archived":false,"fork":false,"pushed_at":"2025-08-12T20:51:00.000Z","size":3,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2025-08-12T22:29:27.027Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/blwhit.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2025-08-12T19:46:06.000Z","updated_at":"2025-08-12T20:51:05.000Z","dependencies_parsed_at":"2025-08-12T22:29:28.792Z","dependency_job_id":"3e74ad7e-88fc-4ea4-a62e-d4441d885748","html_url":"https://github.com/blwhit/BadSuccessor-dMSA-Scanner","commit_stats":null,"previous_names":["blwhit/badsuccessor-dmsa-scanner"],"tags_count":null,"template":false,"template_full_name":null,"purl":"pkg:github/blwhit/BadSuccessor-dMSA-Scanner","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/blwhit%2FBadSuccessor-dMSA-Scanner","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/blwhit%2FBadSuccessor-dMSA-Scanner/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/blwhit%2FBadSuccessor-
dMSA-Scanner/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/blwhit%2FBadSuccessor-dMSA-Scanner/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/blwhit","download_url":"https://codeload.github.com/blwhit/BadSuccessor-dMSA-Scanner/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/blwhit%2FBadSuccessor-dMSA-Scanner/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34155422,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-10T02:00:07.152Z","response_time":89,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2026-06-10T14:01:09.752Z","updated_at":"2026-06-10T14:01:10.636Z","avatar_url":"https://github.com/blwhit.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"# BadSuccessor dMSA Scanner\n\n**A PowerShell tool to detect ALL BadSuccessor attack paths in Active Directory _(including nested/group privileges)_.**\n\n## ⚠️ About BadSuccessor\n\nBadSuccessor is a critical privilege escalation vulnerability in Active Directory that allows attackers with dMSA creation or modification rights to impersonate ANY Active Directory user account.\n\n### Details:\n- Affects Windows Server 2025 environments only\n- Currently has no available patch\n- Enables takeover and 
credential theft of ANY AD user account (e.g. Domain Admins)\n- Attack requires privilege to create/modify dMSA object\n\n### BadSuccessor TLDR:\n1. Attacker creates/modifies a dMSA account\n2. Sets two attributes to \"link\" it to a target/victim user (e.g., Domain Admin)\n3. Authenticates as the dMSA and gains *all target user's privileges*\n\n###### *Credit to [Akamai Security Research Team](https://www.akamai.com/blog/security-research/abusing-dmsa-for-privilege-escalation-in-active-directory)*\n\n## 🔍 What This Scanner Finds\n\nThis tool identifies who can exploit BadSuccessor by checking:\n\n- **Direct dMSA Permissions**: Accounts with explicit rights to create/modify dMSAs\n- **Group-Based Permissions**: Users who inherit dMSA rights through group membership (including nested groups)\n- **OU-Level Creation Rights**: Permissions allowing dMSA creation in organizational units\n- **Container-Level Creation Rights**: Permissions allowing dMSA creation in containers\n- **Existing dMSA Modification Rights**: Write access to current dMSA objects\n- **Environment Assessment**: Windows Server 2025 domain controller detection\n\n  ###### _NOTE: Highly privileged principals are automatically filtered (e.g. 
Domain Admins, Enterprise Admins, Domain Controllers, etc...)._\n\n## 🚀 Quick Start\n\n```powershell\n# Scan entire domain (recommended)\n.\\BadSuccessor-dMSA-Scanner.ps1\n\n# Check specific user\n.\\BadSuccessor-dMSA-Scanner.ps1 -User jdoe\n\n# Export to CSV\n.\\BadSuccessor-dMSA-Scanner.ps1 -CSV\n\n# Fast scan (skip groups)\n.\\BadSuccessor-dMSA-Scanner.ps1 -SkipGroups\n```\n\n## 📋 Options\n\n| Option | Description |\n|--------|-------------|\n| `-User \u003cname\u003e` | Check specific user |\n| `-All` | Scan all users (default) |\n| `-CSV` | Export results to file |\n| `-SkipGroups` | Skip group analysis (faster) |\n| `-h` | Show help |\n\n## 📊 Sample Output\n\n```\n[ BadSuccessor dMSA Attack Path Scanner ]\n[ https://github.com/blwhit/BadSuccessor-dMSA-Scanner ]\n\nChecking domain environment...\n[!] CRITICAL: Found 2 Windows Server 2025 domain controller(s)\n[!] BadSuccessor exploitation is POSSIBLE in this environment\n\nEnumerating OUs, Containers, and dMSA objects...\n[*] Found 156 OUs\n[*] Found 23 Containers\n[*] Found 0 existing dMSA objects\n\nScanning for BadSuccessor attack paths...\n[*] Total objects to audit: 179\n\n[!] ATTACK PATH DETECTED\n    Object: OU=ServiceAccounts,DC=contoso,DC=com\n    Principal: CONTOSO\\ServiceDesk\n    Permissions: CreateChild, GenericWrite\n    Scope: All child objects\n    Exploit Type: Create new dMSA\n\n[!] ATTACK PATH DETECTED\n    Object: CN=Users,DC=contoso,DC=com\n    Principal: CONTOSO\\john.doe\n    User: john.doe (via IT-Admins)\n    Permissions: GenericAll\n    Scope: All child objects\n    Exploit Type: Create new dMSA\n\n[!] 
ATTACK PATH DETECTED\n    Object: OU=ITDepartment,DC=contoso,DC=com\n    Principal: CONTOSO\\BackupOperators\n    Permissions: CreateChild\n    Scope: dMSA objects only\n    Exploit Type: Create new dMSA\n.\n.\n.\n.\n.\n---------------\n\n[X] ATTACK PATHS FOUND: 3\n    Direct Permissions: 2\n    Group Memberships: 1\n    Existing dMSA Risks: 0\n    OU Creation Risks: 2\n    Container Creation Risks: 1\n\n[*] PRINCIPALS WITH BADSUCCESSOR CAPABILITY:\n    - CONTOSO\\BackupOperators\n    - CONTOSO\\john.doe\n    - CONTOSO\\ServiceDesk\n\n[*] Results exported to: BadSuccessor_dMSA_Audit_20250812_143022.csv\n```\n\n## 🛡️ Requirements\n\n- Active Directory PowerShell module (RSAT)\n- Read access to Active Directory Domain\n\n## 🔗 References\n\n- [Akamai Research](https://www.akamai.com/blog/security-research/abusing-dmsa-for-privilege-escalation-in-active-directory)\n- [Tarlogic Research](https://www.tarlogic.com/blog/badsuccessor/)\n- [Unit42 Research](https://unit42.paloaltonetworks.com/badsuccessor-attack-vector/)\n\n---\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fblwhit%2Fbadsuccessor-dmsa-scanner","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fblwhit%2Fbadsuccessor-dmsa-scanner","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fblwhit%2Fbadsuccessor-dmsa-scanner/lists"}