Guido Grillenmeier

55 posts


@GGrillen

Joined April 2019
46 Following · 51 Followers
Guido Grillenmeier @GGrillen
@cyb3rops Good discussion - shows how important it was to release this research finding! And give folks the option to fix their bad delegation practices, which is the root cause of this problem.
Florian Roth ⚡️ @cyb3rops
#BadSuccessor - a textbook example of why the security ecosystem is broken
- A privilege escalation vuln in Windows Server 2025 AD (via dMSA)
- Full domain compromise with default config
- Microsoft was told, agreed it’s real, but rated it "moderate"
- No patch, No fix
- No code execution needed
- No need to touch the DC
- No RPC, no ntds.dit
- Just a write to one attribute on an account you can create
- Rubeus already supports dMSA abuse (since February)
- Metasploit module is in the works

Researchers published everything anyway. Because… "we respectfully disagree with Microsoft’s assessment".
So yeah, let’s just drop an end-to-end domain takeover technique online to prove a point.

To be fair, Windows Server 2025 isn’t widely deployed yet, so the real-world blast radius today is limited. But this isn’t about today - it’s about trust, process, and what happens when security decisions are driven by vendor priorities and researcher egos.

What this tells me:
1. Microsoft either:
- Can’t assess bugs anymore
- Or stopped caring about on-prem AD completely (because Entra ID is what they want to sell)
2. And the offensive sec crowd?
- They knew this would hit hard
- But chose to burn the world anyway
- Because their urge to be right > everyone else’s security

In the end, both sides look bad.
Microsoft, for being dysfunctional or apathetic
Researchers, for chasing clout over coordinated disclosure
Congrats. In a rare show of unity, both sides managed to screw this up.

Blog: akamai.com/blog/security-…
LinkedIn: linkedin.com/feed/update/ur…
Metasploit issue: github.com/rapid7/metaspl…
Guido Grillenmeier @GGrillen
@cyb3rops Until then, folks better start looking more closely at their AD delegation model - as bad delegation practices are the root cause of this issue (and should be fixed regardless).
Guido Grillenmeier @GGrillen
@cyb3rops Not sure why you would react this way to a disclosure that was not rejected by Microsoft. You can only protect yourself against vulnerabilities that you know about - so the info shared by Yuval Gordon is key to helping companies become aware of this potential risk!
Florian Roth ⚡️ @cyb3rops
Adding some context to the #BadSuccessor situation:
1. Microsoft didn’t say they won’t fix it - they confirmed the vuln and are actively working on a patch.
2. This isn’t just about patching a flawed function. The likely fix involves delegation models and object creation logic - complex, high-impact areas that require careful design and testing.
Guido Grillenmeier @GGrillen
@cyb3rops … and yes, the bad guys will also benefit from the released details - but that is nothing new. Ideally this whole discussion changes the prioritization by Microsoft on when a fix is needed - which would be another positive outcome.
Guido Grillenmeier @GGrillen
@cyb3rops … they can then effectively mitigate against it (or decide on waiting with the upgrade to Win2025 until a proper fix from MSFT becomes available). Not releasing this important finding, which MSFT chose to prioritize surprisingly low, does not help anyone. Except the bad guys.
Guido Grillenmeier retweeted
Alex Simons @Alex_A_Simons
Azure AD is getting a new name: Microsoft Entra ID. The licensing and capabilities you’re familiar with remain the same. Learn more: aka.ms/rename #AzureAD #IAM
Elon Musk @elonmusk
the bird is freed
Guido Grillenmeier @GGrillen
@RyanLNewington @brdpoker I recommend taking a closer look at how the “Owner Rights” (S-1-3-4) sec-principal works … been there since Win 2008 and, unfortunately, hardly known and understood by anyone: it allows you to RESTRICT what an owner can do on the owned object. Aka OAR: Owner Access Restrictions
Ryan Newington (MVP) @RyanLNewington
@brdpoker Quick question: I don't want the SCCM join account to remain owner of the object (it retains the ability to reset the DACL on every computer it creates). If I change the owner of all workstations to Domain Admins, and grant the SCCM join account appropriate permissions, will this work?
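As an added illustration of the "Owner Rights" principal Guido points to in the exchange above (example code, not from either poster), the following PowerShell uses the ActiveDirectory module's AD: drive to put an explicit ACE for S-1-3-4 on a computer object so its creator-owner (such as a join account) keeps read access but loses the implicit right to rewrite the DACL. The distinguished name and the read-only right set are assumptions.

```powershell
# Added example: restrict what the creator-owner of an AD object can do by giving the
# well-known "OWNER RIGHTS" principal (S-1-3-4) an explicit ACE. Once any ACE for S-1-3-4
# is present, the implicit owner rights (READ_CONTROL + WRITE_DAC) are replaced by exactly
# what that ACE grants. Requires the ActiveDirectory module (provides the AD: drive).
Import-Module ActiveDirectory

# Assumption: a workstation object created by a join account whose owner should be restricted
$computerDn  = 'CN=WS01,OU=Workstations,DC=contoso,DC=com'
$ownerRights = [System.Security.Principal.SecurityIdentifier]'S-1-3-4'

function Set-OwnerRightsReadOnly {
    param([Parameter(Mandatory)][string]$DistinguishedName)

    $acl = Get-Acl -Path "AD:\$DistinguishedName"

    # GenericRead = ReadProperty | ListChildren | ListObject | ReadControl.
    # WriteDacl and WriteOwner are deliberately absent, so the owner can no longer
    # reset the DACL or hand the object to another principal.
    $readOnly = [System.DirectoryServices.ActiveDirectoryRights]::GenericRead
    $ace = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $ownerRights, $readOnly, [System.Security.AccessControl.AccessControlType]::Allow)

    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$DistinguishedName" -AclObject $acl
}

function Get-OwnerRightsAces {
    param([Parameter(Mandatory)][string]$DistinguishedName)

    # Report every ACE bound to S-1-3-4 so the effective owner rights can be reviewed.
    # The identity usually renders as "OWNER RIGHTS"; translating to a SID makes the match exact.
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    $acl.Access | Where-Object {
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $ownerRights
    } | Select-Object ActiveDirectoryRights, AccessControlType, IsInherited
}

Set-OwnerRightsReadOnly -DistinguishedName $computerDn
Get-OwnerRightsAces     -DistinguishedName $computerDn
```

The same ACE can be placed on an OU with inheritance so newly joined computers pick it up, which avoids re-owning every object as the question above proposes.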
Mary Jo Foley @maryjofoley
Some personal news: After working with ZDNET for 16 years, I am switching gears (a bit). I am joining DirectionsonMicrosoft.com full-time, as of Nov. 1. I'll be working with them on their content strategy as "Editor in Chief," so stay tuned!
Guido Grillenmeier @GGrillen
@SteveSyfuhs That's a pretty bold statement to make. But coming from you, folks should at least listen up. More details are welcome. I expect that their data exchange with RWDCs is likely the culprit that may be misused by an adversary able to undermine the DCSYNC limits. No DC is always safer.
Steve Syfuhs @SteveSyfuhs
Heeeeey. Can we all agree to stop using RODCs? Thaaaaaaaanks.
Guido Grillenmeier @GGrillen
@fibiBerlin Oh Fibi - I'm only seeing this now 😢 I am so sorry!! I never got to meet Aimo, but your pictures always portrayed a special dog! It's good to read that he fell asleep peacefully in your arms!
Guido Grillenmeier retweeted
🥝🏳️‍🌈 Benjamin Delpy
This #printnightmare / CVE-2021-1675 is really serious 🤪 Just adapted/simplified original POC then: *From Remote standard user to SYSTEM* Here on a domain controller, but valid on all systems with RPC to spooler available, remote or local ➡️ disable service now (no patch yet)
Guido Grillenmeier retweeted
Semperis @SemperisTech
“Changes in permissions are by far the biggest security risk when it comes to implementing hybrid #identity management.” - Semperis Senior Product Manager, Doug Davis #IDMgmtDay
Quoting Solutions Review @SolutionsReview:
#IdentityManagementDay is today. To bring #cybersecurityawareness, what do experts from @SemperisTech @bitglass @CloudentityTEAM & @DigitalGuardian have to say about building a stronger digital perimeter? @InfoSec_Review asks: bit.ly/3aaUFRg
Guido Grillenmeier retweeted
Semperis @SemperisTech
"The good news, relatively speaking, is that this is a proactive situation: #NSA and #Microsoft discovered these vulnerabilities before the threat actors did.” Read more of @shorinsean's take on the new #ExchangeServer vulnerabilities shared by the NSA: bit.ly/3slUQ2q
Guido Grillenmeier retweeted
Semperis @SemperisTech
Do you know your #ActiveDirectory security vulnerabilities? In this new post, @shorinsean steps through the types of #security holes threat actors use—including configuration mistakes and unpatched vulnerabilities—to attack AD environments. bit.ly/38X50Qk