
Feature: Full BadSuccessor Detection Support #2424

@CalledSTRIKER

Feature Description

BloodHound currently lacks the necessary elements to fully audit BadSuccessor attack paths introduced in Windows Server 2025 via delegated Managed Service Accounts (dMSA).

Missing Elements

As acknowledged in your own LinkedIn post 9 months ago:

  1. Create msDS-DelegatedManagedServiceAccount ACE collection — SharpHound does not collect CreateChild ACEs scoped specifically to the msDS-DelegatedManagedServiceAccount object type. This is the most direct and common BadSuccessor attack right and is completely invisible in the current graph.

  2. Create all child objects ACE collection — Generic CreateChild ACEs on OUs are not ingested as attack edges, meaning any principal with this right over an OU does not appear as a potential BadSuccessor attacker in the graph.

  3. dMSA nodes — BloodHound does not model msDS-DelegatedManagedServiceAccount objects as nodes, meaning existing dMSAs in the environment and their msDS-SupersededManagedAccountLink relationships to privileged accounts are not visible or traversable in the graph.

Request

  • Add SharpHound collection of CreateChild ACEs on OUs, both generic and scoped to msDS-DelegatedManagedServiceAccount
  • Add dMSA as a node type with edges representing msDS-SupersededManagedAccountLink relationships
  • Add corresponding attack path edges so the full escalation chain is visible in the graph
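Until SharpHound collects these ACEs, the two rights the issue describes can be audited directly. The following is an added example, not code from the issue author or from the BloodHound/SharpHound project: it walks every OU, resolves the msDS-DelegatedManagedServiceAccount class GUID from the schema rather than hard-coding it, and reports principals holding CreateChild (or GenericAll, which includes it) either unscoped or scoped to that class. It assumes the ActiveDirectory PowerShell module and read access to the directory; the ignore list of SIDs is an assumption to extend per environment.

```powershell
# Added audit example (not part of the issue or of BloodHound/SharpHound).
# Lists OU ACEs granting CreateChild for all child objects or for dMSA objects only.
Import-Module ActiveDirectory

# Resolve the dMSA class GUID from the schema; the class only exists once a
# Windows Server 2025 schema update has been applied to the forest.
$schemaNC  = (Get-ADRootDSE).schemaNamingContext
$dmsaClass = Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(lDAPDisplayName=msDS-DelegatedManagedServiceAccount)' `
    -Properties schemaIDGUID
if (-not $dmsaClass) {
    Write-Warning 'msDS-DelegatedManagedServiceAccount is not in the schema; nothing to audit.'
    return
}
$dmsaGuid = [guid]$dmsaClass.schemaIDGUID

# Assumption: SYSTEM and BUILTIN\Administrators are expected holders; extend as needed.
$ignoreSids = @('S-1-5-18', 'S-1-5-32-544')
$createChild = [int][System.DirectoryServices.ActiveDirectoryRights]::CreateChild
$genericAll  = [int][System.DirectoryServices.ActiveDirectoryRights]::GenericAll

$findings = foreach ($ou in Get-ADOrganizationalUnit -Filter * -Properties DistinguishedName) {
    $acl = Get-Acl -Path ("AD:\" + $ou.DistinguishedName)
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $rights = [int]$ace.ActiveDirectoryRights
        # GenericAll implies CreateChild, so both grant the ability to create children.
        if ((($rights -band $createChild) -eq 0) -and (($rights -band $genericAll) -eq 0)) { continue }

        # An empty ObjectType means the right covers every child class (item 2 in the
        # issue); the dMSA class GUID means the scoped right (item 1). Skip other scopes.
        if ($ace.ObjectType -eq [guid]::Empty)     { $scope = 'AllChildObjects' }
        elseif ($ace.ObjectType -eq $dmsaGuid)     { $scope = 'dMSA' }
        else                                       { continue }

        try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { $sid = $ace.IdentityReference.Value }   # unresolvable (orphaned) SID
        if ($ignoreSids -contains $sid) { continue }

        [pscustomobject]@{
            OU        = $ou.DistinguishedName
            Principal = $ace.IdentityReference.Value
            Scope     = $scope
            Inherited = $ace.IsInherited
        }
    }
}
$findings | Sort-Object OU, Principal | Format-Table -AutoSize
```

Each row is a principal that should be reviewed for whether it legitimately needs to create objects in that OU; rows with Scope `dMSA` map to item 1 of the issue and `AllChildObjects` to item 2.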

Labels: enhancement (New feature or request), triage (This issue requires triaging)
