Semperis has rolled out new detection capabilities within its Directory Services Protector (DSP) platform to help organizations defend against “BadSuccessor,” a recently disclosed privilege escalation technique in Windows Server 2025, according to Security Brief Asia. The vulnerability, uncovered by Akamai researchers, exploits a new feature called delegated Managed Service Accounts (dMSAs), allowing attackers to impersonate privileged users in Active Directory without additional credentials or alerts.

In response, Semperis collaborated with Akamai to integrate targeted detection indicators into its DSP platform. The update includes one Indicator of Exposure and three Indicators of Compromise, focused on spotting unusual activity around dMSAs, such as over-delegation, suspicious privilege relationships, and potential access to sensitive accounts like KRBTGT. These additions are designed to provide security teams with earlier visibility into attack attempts.

The vulnerability poses risk to any organization running at least one Windows Server 2025 domain controller using dMSAs. Without a patch currently available, Semperis recommends immediate action: reviewing dMSA configurations, auditing delegation permissions, and using detection tools to monitor unusual behavior. Misconfigured accounts, even on a single server, could put the broader Active Directory environment at risk.

This case underscores the challenges of managing service accounts, which often operate with elevated privileges but receive limited oversight. As hybrid identity environments grow in complexity, flaws like BadSuccessor reveal how even well-meaning features can introduce new security blind spots. The DSP update is intended to serve as a temporary safeguard until an official fix is issued.