## https://sploitus.com/exploit?id=CBDF9A26-A7BB-569B-A4AB-9D2DBBAC6724
# 🛡️ Advanced BadSuccessor (CVE-2025-53779) – Weaponized PoC & Detection Toolkit
[](https://opensource.org/licenses/MIT)
[](https://github.com/PowerShell/PowerShell)
**A fully automated, production‑ready exploitation and detection suite for the BadSuccessor vulnerability in Windows Server 2025 Active Directory.**
> **⚠️ Important:** This tool is intended for **authorized security assessments, red team exercises, and educational purposes only**. Unauthorized use against systems you do not own or have explicit permission to test is illegal.
---
## 📖 Executive Summary
The **BadSuccessor** vulnerability (internally tracked by Microsoft as CVE-2025-53779) allows a low‑privileged Active Directory user with **`CreateChild` permissions on any Organizational Unit (OU)** to impersonate **any user in the domain** – including Domain Admins. The flaw resides in the new **Delegated Managed Service Account (dMSA)** feature introduced in Windows Server 2025.
This repository provides:
- A **fully automated PowerShell script** (`Invoke-BadSuccessor.ps1`) that weaponizes the attack with pre‑flight checks, error handling, and Rubeus integration.
- **Defender‑friendly resources**: KQL hunting queries, Event ID analysis, and a hardening guide.
- **In‑depth technical documentation** explaining the KDC, PAC, and attribute manipulation.
---
## 🔬 Technical Breakdown (Simplified)
1. **dMSA Background** – dMSAs are a new account type in Windows Server 2025 that support supersedence: a new dMSA can replace an old one via the `msDS-ManagedAccountPrecededByLink` attribute.
2. **The Flaw** – The KDC blindly trusts this attribute. When a dMSA is configured with a superseded account (e.g., `CN=Administrator,CN=Users,...`), the KDC includes the **PAC (Privilege Attribute Certificate)** of the superseded account in tickets issued to the dMSA.
3. **Attack Path** – An attacker with `CreateChild` rights on an OU:
- Creates a computer account.
- Creates a dMSA and grants the computer account permission to retrieve its password.
- Sets the dMSA’s `msDS-ManagedAccountPrecededByLink` to the DN of a high‑value target (e.g., Domain Admin).
- Uses the computer account to request a TGT, then a TGS for the dMSA with S4U2Self – obtaining a service ticket impersonating the target.
- Injects the ticket → **full impersonation**.
---
## 🎯 Attack Prerequisites
- **Domain Controller** running **Windows Server 2025** (any build).
- **KDS Root Key** generated (automatic when first dMSA is created).
- **Low‑privileged AD account** with `CreateChild` permission on **any OU** (by default, `Authenticated Users` have this on the `Computers` OU!).
- **PowerShell 5.1+** with the `ActiveDirectory` module (RSAT).
- **Rubeus.exe** (latest version) in the same directory as the script or in `%PATH%`.
---
## 🚀 Quick Start (Offensive)
1. **Clone the repository**
```powershell
git clone https://github.com/yourusername/Advanced-BadSuccessor.git
cd Advanced-BadSuccessor