Frequently Asked Questions About BadSuccessor Frequently asked questions about “BadSuccessor,” a zero-day privilege escalation vulnerability in Active Directory domains with at least one Windows Server 2025 domain controller.

🤔 We have answers to your questions on #BadSuccessor, the latest AD vulnerability www.tenable.com/blog/frequen...
🕵️ Tenable Identity Exposure customers can check their exposure with our recently released Indicator of Exposure (IoE): www.tenable.com/indicators/i...

Here's (finally!) what I've found about this 😉
bsky.app/profile/cnot...

To summarize, these hardenings are great (and the new app will likely allow to support some security features), but it doesn't prevent everything or even introduces new cracks to monitor.
There's no magic to keep this feature working anyway 😉

And what about the new "Microsoft Entra AD Synchronization Service" application? 🤔
It exposes a new permission: ADSynchronization.ReadWrite.All, which also allows to call the sync API when granted to a service principal ➡️ same impact

The Directory Synchronization Accounts role has lost most of its Entra permissions... but it retains implicit permissions to call the undocumented synchronization API 😯 ➡️ reset hybrid users' passwords
And so does the new "On Premises Directory Sync Account" Entra role 👀

Despite Recent Security Hardening, Entra ID Synchronization Feature Remains Open for Abuse Microsoft synchronization capabilities for managing identities in hybrid environments are not without their risks. In this blog, Tenable Research explores how potential weaknesses in these synchroniza...

Microsoft hardened the Entra ID synchronization feature last year:
- restricted permissions on Directory Synchronization Accounts role
- new dedicated sync app
Let’s find out how sync still works 🔍
Some old tricks persist—and new ones have emerged 💥
tenable.com/blog/despite... 🧵

🎥 Here's the recording of last week's webinar where I shared how to protect Entra ID from real-world attacks 🏴‍☠️, beginning with federation backdoors/privesc, using Tenable Identity Exposure

Hey! Indeed!

⚠️ this is likely unsupported by Microsoft even though this method is advised to clean broken trust objects
support.microsoft.com/en-us/topic/...

And as described in the doc, this operation is not global: it's only effective in the same LDAP connection. It's why using ldp or LDIFDE helps

Log-in as Domain or Schema admin
- Use ldp.exe and set the "schemaUpgradeInProgress" operation to 1 using Browse -> Modify
- Now you can clear this protected attribute
- Or set any value
Then stop it by setting "schemaUpgradeInProgress" to 0

[MS-ADTS]: schemaUpgradeInProgress This operation causes the fschemaUpgradeInProgress field of LDAPConnection instances in dc.LDAPConnections ([MS-DRSR]

You know how some system AD attributes cannot be edited even when Domain Admin?
"Error 0x20B1 The attribute cannot be modified because it is owned by the system."
This can be bypassed using the schemaUpgradeInProgress modify operation learn.microsoft.com/en-us/opensp... 😉⬇️

Hello there 👋

Thanks!

Damn indeed of course! I’m tired 😅

But you can login without the invite? Because it was already sent earlier to the typod domain that the attacker didn’t own yet

I think the issue was this one by @dirkjanm.io:
dirkjanm.io/assets/raw/U...
but it was fixed

You mean it cannot work because the attacker would have to have the invite link too? I think so too 🤔

Hey! Do you remember the podcast please?