The (Near) Return of the King: Account Takeover Using the BadSuccessor Technique
ID: 1d993e1f-b65b-5316-960a-397ba64f9474
STIX ID: report--1d993e1f-b65b-5316-960a-397ba64f9474
Feed Name: SpecterOps Blog
This blog analyzes how BadSuccessor-related dMSA abuse remains exploitable after Microsoft's patch and documents updated tools (SharpSuccessor and a native BOF named BadTakeover) that weaponize the technique. It demonstrates account takeover that can yield domain administrator access when an attacker has CreateChild on an OU and write permissions to specific msDS attributes, and the domain has at least one Windows Server 2025 DC. It urges defenders to harden DACLs and manage identity attack paths.
